Fault Tolerant Flight Control
A Benchmark Challenge
Series Advisory Board
P. Fleming, P. Kokotovic,
A.B. Kurzhanski, H. Kwakernaak,
A. Rantzer, J.N. Tsitsiklis
Editors
Christopher Edwards
University of Leicester
University Road
Leicester LE1 7RH
United Kingdom
E-mail: chris.edwards@le.ac.uk
Hafid Smaili
National Aerospace Laboratory NLR
Anthony Fokkerweg 2
1059 CM Amsterdam
The Netherlands
E-mail: smaili@nlr.nl
Thomas Lombaerts
Delft University of Technology
Kluyverweg 1
P.O. Box 5058
2600 GB Delft
The Netherlands
E-mail: T.J.J.Lombaerts@tudelft.nl
DOI 10.1007/978-3-642-11690-2
© 2010 Springer-Verlag Berlin Heidelberg
Preface
The European Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Control, established in 2004 and concluded in 2008, represented a collaboration involving thirteen European partners from industry, universities and research establishments under the auspices of the Group for Aeronautical Research and Technology in Europe (GARTEUR) program¹. In FM-AG(16) the following organizations participated:
• Research Establishments
– Centro Italiano Ricerche Aerospaziali (CIRA, Capua, Italy)
– Deutsches Zentrum für Luft- und Raumfahrt (DLR, Oberpfaffenhofen)
– Defence Science and Technology Laboratory (DSTL, United Kingdom)
– Netherlands National Aerospace Laboratory (NLR, Amsterdam)
• Industry
– QinetiQ (Bedford, United Kingdom)
– Airbus (Toulouse, France)
• Universities
– Bordeaux University (LAPS, Bordeaux, France)
– Delft University of Technology (DUT, Delft, the Netherlands)
· Faculty of Aerospace Engineering (DUT-AE)
· Delft Center of Systems and Control (DUT-DCSC)
– Lille University (USTL, Lille, France)
– University of Cambridge (UCAM, Cambridge, United Kingdom)
¹ The Group for Aeronautical Research and Technology in EURope (GARTEUR) was formed in 1973 and has as member countries: France, Germany, the Netherlands, Spain, Sweden and the United Kingdom. According to its Memorandum of Understanding, the mission of GARTEUR is to mobilize, for the mutual benefit of the GARTEUR member countries, their scientific and technical skills, human resources, and facilities in the field of aeronautical research and technology.
1 Introduction
Thomas Lombaerts, Hafid Smaili, Jan Breeman
1.1 Towards More Resilient Flight Control
1.2 History of Flight Control Systems, Source: [40]
1.2.1 Mechanical [33], [35]
1.2.2 Hydro-mechanical [33], [35]
1.2.3 Fly-By-Wire Flight Control [33], [35], [34]
1.2.4 Fault Tolerant Control in Fly-By-Wire Systems, Sources: [40]
1.2.5 Airbus Philosophy, Sources: [22], [30]
1.2.6 Boeing Philosophy, Sources: [24], [42]
1.2.7 Short Case Study of Other Fault Tolerant Systems, Source: [24]
1.2.8 A Final Note on Fault Tolerance Properties Incorporated in Current Fly by Wire Flight Control Systems
1.3 Rationale of Damage Tolerant Control - Aircraft Accident Survey
1.3.1 American Airlines Flight AA191, Source: [27]
1.3.2 Japan Airlines Flight JL123, Source: [27]
1.3.3 United Airlines Flight UA232, Source: [27]
1.3.4 EL AL Cargo Flight LY1862, Source: [40]
1.3.5 USAir Flight 427 and United Airlines Flight 585, Sources: [4], [9], [5]
1.3.6 DHL Cargo Flight above Baghdad, Sources: [31], [32]
1.3.7 Final Note on Accident Analysis
1.4 Earlier Accomplishments in This Field, Source: [40]
Part V Conclusions
Appendix
List of Contributors
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 3–45.
and associated upsets. This can be achieved by ‘intelligent’ utilisation of the control authority of the remaining control effectors in all axes, consisting of the control surfaces and engines or a combination of both. In this technique, control strategies are applied to restore stability and manoeuvrability of the vehicle for continued safe operation and a survivable recovery. The aim of the GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Flight Control, of which this book is the culmination, was to facilitate the proliferation of new developments in fault tolerant control design within the European aerospace research community in practical and real-time operational applications. This addresses the need to improve the resilience and safety of future aircraft and to aid the pilot in recovering from adverse conditions induced by (multiple) system failures and damage that would otherwise be potentially catastrophic. Up until now, faults or damage on board aircraft have been accommodated by hardware design using duplex, triplex or even quadruplex redundancy of critical components. However, the approach of the research presented in this book is to focus on new control law design methods to accommodate (unanticipated) faults and/or damage that dramatically change the configuration of the aircraft. These methods take into account a unique combination of robustness, reconfiguration and (real-time) adaptation of the control laws.
Following the first successful motorised flight of the Wright Brothers in 1903,
the first artificially controlled flight was demonstrated in 1914 by Lawrence Sperry
(1892-1923), the third son of the gyrocompass co-inventor Elmer Ambrose Sperry,
by flying his Curtiss-C-2 airplane hands-free in front of a speechless crowd. The
Fig. 1.2 Commercial and military aircraft that include modern fly-by-wire technologies (Airbus A380, Dassault Falcon 7X, Eurofighter Typhoon, Joint Strike Fighter, Boeing 777), sources: Creative Commons Attribution License, Kevin Koske, Naddsy, Keta
Fig. 1.3 Illustrations of mechanical flight control systems, source: ref. [37]
(a) roll, pitch and yaw channel of an early military jet
(b) roll channel of a transport aircraft, © BAE Systems, Reproduced with permission
In larger aircraft, the control loads due to the aerodynamic forces acting on the control surfaces are too large for simple mechanical control. Therefore, two mechanical solutions have been developed. One option is to attempt to extract the maximum possible mechanical advantage through the levers and pulleys; however, the maximum reduction in forces is limited by the inherent strength of the mechanical components in this system. One example of this type of application can be found in the Fokker 50. The alternative is to rely on so-called control tabs or servo tabs that provide aerodynamic assistance to reduce complexity. These are small surfaces hinged at the end of the control surfaces which reduce the required control force exerted by the pilot by exploiting the aerodynamic forces which act on the tabs themselves. The pilot controls are directly linked to these control tabs, and the aerodynamic force generated by the tab then in turn moves the main control surface itself. The Boeing 707 used the concept of control tabs in its flight control system.
Compared to the mechanical flight control system, the hydraulic part takes over
the interface between the conventional mechanical circuit and the control surfaces.
More precisely, the hydraulic system generates the forces for the actuators which
move the aerodynamic surfaces, but it still receives its signals from the mechanical
circuit which is steered by the pilot. The Boeing 727 and 737, Trident, Caravelle and
the Airbus A300 used such a flight control system, including a mechanical backup,
despite the fact that a total loss of the flight control system is extremely improbable.
The Boeing 747 was the first aircraft in the Boeing series to have a fully powered
actuation system, because the control forces required for any flight condition would
have been too large to be generated by the pilot.
The benefits of the hydro-mechanical flight control system compared to the purely mechanical one are the reduction in drag and the increase of control surface effectiveness due to the omission of the servo tabs. Moreover, the higher mechanical stiffness of the hydraulics leads to better flutter characteristics of the control surfaces. The main drawbacks of hydro-mechanical control systems are their structural complexity and weight.
Fig. 1.4 Illustration of the Fly-By-Wire principle on the F-16, source: ref. [23]
Fig. 1.5 Flight Control System architecture of the Eurofighter Typhoon, source: ref. [37], © BAE Systems, Reproduced with permission
(such as flaperons, rudder and canards) on the other. Based upon the pilot control inputs and the available measured signals, the computer independently calculates the required surface deflections and gives the appropriate commands to the servos. Note that the FCC is implemented in quadruplex. This is the fail safety principle, and the approach adopts a vote by majority principle. The same procedure is applied for the most essential components.
lower maintenance costs as well as passenger comfort and carefree handling. In both
categories, the provision of flight envelope protection is another important benefit
of fly-by-wire flight control systems.
Fig. 1.7 Modern fly-by-wire system architecture including redundancy components and reconfiguration scheme (A340), source: [30]
guards against any faults in the control channel and ensures permanent monitoring of all the components in the flight control system (sensors, actuators, other computers, etc.). The monitoring (MON) channel is designed to detect failure cases and to trigger reconfiguration by pointing out the failure detection to the command (COM) channel and to the other computers. Fault mitigation is achieved by means of redundancy and software and hardware dissimilarities. In the case of the Airbus A340, the redundancy components include five FBW computers and three power sources for surface actuation. Dissimilarity is achieved through the use of two completely different types of computers and two independently developed software packages designed by different teams. It should be noted that these numbers vary for other aircraft as well as for other manufacturers. Reconfiguration, for instance in pitch, consists of switching from the Primary computer (P1) to the second Primary computer (P2). In this situation, elevator actuation switches from the green system for both elevators to the blue system for the left elevator and the yellow system for the right elevator. Following a possible failure of P2, reconfiguration can be performed up to the second Secondary computer (S2).
electric and hydraulic power to the communication path. The 777 FBW design philosophy for safety considers the following constraints:
1. Common mode/common area faults: by designing the systems to both component and functional separation requirements.
2. Separation of FBW (line replaceable unit LRU) components: isolation and separation of redundant flight control elements to the greatest extent possible in order to minimize the possibility of loss of function.
3. FBW functional separation: allocation of electrical power to the primary flight computer (PFC) and the actuator control electronics (ACE) LRUs to provide maximum physical and electrical separation between the flight control electrical buses. The ACE functional actuator control is distributed to maximize controllability in all axes after loss of function of any ACE or supporting subsystem. The hydraulic systems are also aligned with the actuator functions to provide maximum controllability after the loss of hydraulics in one or two systems.
4. Dissimilarity: various combinations of dissimilar hardware, different component manufacturers, dissimilar control/monitor functions, different hardware and software design teams, and different compilers are considered at the level of PFCs, ACEs, inertial data, the Autopilot Flight Director Computer (AFDC) and ARINC bus.
5. The FBW effect on the structure: FBW component failures can result in oscillatory or hardover control surface motion. Structural requirements are analyzed and apportioned to all FBW components. (This constraint is a safety consideration in the Airbus philosophy too.)
The system is designed to provide uninterrupted control following any two failures. Although the flight control function is necessary for safe flight and landing of the aircraft, the system includes a direct backup mode that allows the pilot to electrically position flight control surfaces without using the flight control computers. The flight control computers are configured as a Triple Modular Redundancy (TMR) system. Because of concerns about generic hardware or software failures, each of the three computers is itself a TMR unit. These TMR computers use three internal channels that use different processor hardware from different manufacturers. Within each TMR computer, the choice of which output is to be the output of the computer is determined using the so-called principle of median value select.
Fig. 1.8 KLM Boeing 777-206/ER PH-BQD, © Tommy Desmet, via airliners.net
Each PFC lane operates in one of two roles: a command role or a monitor role. Only one lane in each channel is allowed to be in the command role. The command lane will send the proposed surface commands, its own, together with those received from two other PFC channels, to its ARINC 629 bus. The hardware device residing in the PFC lane will perform a median select of these three inputs of each variable. The output of the median select hardware is sent in the same wordstring as the ‘selected’ surface commands. The PFC lanes in the monitor role perform a ‘selected output’ monitoring of their command lane. The PFC command lane, meanwhile, performs ‘selected output’ monitoring of the other two PFC channels. The median value select provides fault blocking against PFC faults until the completion of the fault detection and identification and reconfiguration via PFC cross-lane monitoring.
Fig. 1.9 Boeing 777 PFC Lane Redundancy Management (Output Signal Monitoring), source: [42]
Should any of the three dissimilar processors produce an output different from the other two, it will not be selected. The three dissimilar processors are kept tightly synchronized and receive bit identical input data from the system data buses. The three channels of computers at the next level of TMR are also kept in synchronization and exchange data to keep state data consistent between the channels. The 777 actuators rely on the vote by majority principle.
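The median value select and ‘selected output’ monitoring described above, as an added example in C that is not taken from the book or from any Boeing software: three channel commands with a constructed hardover fault on one channel, compared against plain averaging. The miscompare tolerance, the persistence count, the two-channel averaging rule and all sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_CH            3
#define MON_THRESHOLD   0.5   /* deg, assumed miscompare tolerance */
#define MON_PERSISTENCE 3     /* assumed consecutive frames before a fault latches */

typedef struct {
    int  miscompare[N_CH];    /* consecutive frames each channel disagreed */
    bool failed[N_CH];        /* latched fault flags */
} monitor_t;

typedef struct {
    double worst_median_error; /* max |selected - reference| with median select */
    double worst_mean_error;   /* same measure if the three channels were averaged */
    int    latched_channel;    /* channel latched as failed, -1 if none */
    int    latch_frame;        /* frame in which it was latched, -1 if none */
} scenario_result_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Mid-value of three: a single wild channel is always the minimum or the
 * maximum, so it is never the value passed on to the actuators. */
double median3(double a, double b, double c)
{
    double t;
    if (a > b) { t = a; a = b; b = t; }
    if (b > c) { t = b; b = c; c = t; }
    if (a > b) { t = a; a = b; b = t; }
    return b;
}

/* Choose the surface command from the channels not yet latched as failed. */
double select_output(const double cmd[N_CH], const monitor_t *m)
{
    double ok[N_CH];
    int n = 0;
    for (int i = 0; i < N_CH; i++)
        if (!m->failed[i]) ok[n++] = cmd[i];
    if (n == 3) return median3(ok[0], ok[1], ok[2]);
    if (n == 2) return 0.5 * (ok[0] + ok[1]);  /* assumed degraded-mode rule */
    if (n == 1) return ok[0];
    return 0.0;                                 /* assumed: neutral command */
}

/* Selected-output monitoring: compare every channel with the selected value
 * and latch a channel only after it has disagreed for several frames.
 * Returns the index of a channel latched in this frame, or -1. */
int monitor_update(monitor_t *m, const double cmd[N_CH], double selected)
{
    int newly_failed = -1;
    for (int i = 0; i < N_CH; i++) {
        if (m->failed[i]) continue;
        if (absd(cmd[i] - selected) > MON_THRESHOLD) {
            if (++m->miscompare[i] >= MON_PERSISTENCE) {
                m->failed[i] = true;
                newly_failed = i;
            }
        } else {
            m->miscompare[i] = 0;
        }
    }
    return newly_failed;
}

/* Constructed scenario: the elevator command ramps slowly and channel 1
 * goes hardover to 25 deg from frame 4 onwards. */
scenario_result_t run_hardover_scenario(void)
{
    monitor_t mon = { {0, 0, 0}, {false, false, false} };
    scenario_result_t r = { 0.0, 0.0, -1, -1 };

    for (int k = 0; k < 10; k++) {
        double ref = 2.0 + 0.1 * k;                 /* fault-free command */
        double cmd[N_CH] = { ref + 0.02, ref - 0.01, ref };
        if (k >= 4) cmd[1] = 25.0;                  /* injected hardover */

        double selected = select_output(cmd, &mon);
        double mean = (cmd[0] + cmd[1] + cmd[2]) / 3.0;
        if (absd(selected - ref) > r.worst_median_error)
            r.worst_median_error = absd(selected - ref);
        if (absd(mean - ref) > r.worst_mean_error)
            r.worst_mean_error = absd(mean - ref);

        int f = monitor_update(&mon, cmd, selected);
        if (f >= 0) { r.latched_channel = f; r.latch_frame = k; }
    }
    return r;
}

int main(void)
{
    scenario_result_t r = run_hardover_scenario();
    printf("channel %d latched at frame %d\n", r.latched_channel, r.latch_frame);
    printf("worst error: median select %.3f deg, plain average %.3f deg\n",
           r.worst_median_error, r.worst_mean_error);
    return 0;
}
```

The selected command stays within a few hundredths of a degree of the fault-free value during the three frames the monitor needs to confirm the fault, which is the fault blocking the text refers to; averaging the same three channels would have passed several degrees of error to the surface.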
Table 1.1 Survey of typical in-service fault-tolerant systems, source: ref. [24]
| Application Type | Vehicle & System | Impact of Loss of Function | Impact of Malfunction | Fault-Tolerant System Description |
|---|---|---|---|---|
| Military Aircraft | F-16 FBW flight control, analog | loss of aircraft control | loss of aircraft control | 4-channel analog computer NMR identical hardware, approx. agreement MVS computer selection, MVS on computer inputs, voting hydraulic actuators, analog integrator states held consistent |
| Military Aircraft | F-16 FBW flight control, digital | loss of aircraft control | loss of aircraft control | 4-channel digital computer NMR identical hardware and software, simple analog backup control, voted computer selection, voted computer inputs, voting hydraulic actuators, digital state data exchanged and kept consistent |
| Commercial Aircraft | B-757, Pratt & Whitney PW2037 jet engine control | shutdown engine, land using one engine | mechanical overspeed protection, shutdown engine | Dual standby system |
| Manned Space | Space Shuttle | loss of vehicle and crew | loss of vehicle and crew | 4-channel NMR, identical hardware and software, 5th channel backup using same hardware but dissimilar software, identical inputs by data bus monitoring, computer outputs compared for crew annunciation only, computer selection by external voters (hydraulic voting actuators, pyro fire electronic discrete voting), exchange and vote of some state data |
| Commercial aircraft | B-777, AIMS | Limp home on backup instruments | potentially hazardous faulty display data | Two separate units, one for pilot and one for copilot displays, each unit uses 3 sets of self-checking dual processors, Arinc-659 Safebus to distribute identical inputs, select output from a healthy pair, exchange state data, identical hardware and software in all processing pairs |
| Unmanned space | Inertial upper stage, flight controller | destruction of vehicle by range safety | destruction of vehicle by range safety | Dual self-checking pair processing, no dissimilar hardware or software, both pairs must send same critical actuation signals |
| Manned space Experimental | X-33 Reusable Launch Vehicle | destruction of vehicle by range safety | destruction of vehicle by range safety | TMR 3 identical COTS hardware and software channels, RMS provides same inputs by exchange and MVS, voting of outputs and some state data, dual actuation, transient fault recovery |
| Manned space Experimental | X-38 Crew Return Vehicle | loss of vehicle | loss of vehicle | NMR 4 identical hardware and software channels, identical inputs by exchange and voting, voting of outputs, transient fault and state data recovery, any 2 FCCs can control single fault tolerant actuation |
Boeing Inertial Upper Stage (IUS) Guidance and Control System [12]
Fig. 1.14 Boeing Inertial Upper Stage (IUS), source: Boeing Multimedia Gallery
The IUS is an example of a typical high-value unmanned space launch vehicle guidance and control system. This IUS has been used to launch the spacecraft Ulysses, Galileo and Magellan in the right orbit for interplanetary missions after they have been brought to space in the cargo bay of the Space Shuttle. Space launch vehicles must provide a high level of reliability to be economical and must not malfunction in a manner that endangers human safety or property. In the event of a malfunction, ground crews can monitor the vehicle and command destruction thanks to the incorporation of a vehicle self-destruct system and range safety systems. The control system for the IUS uses four processors configured as a dual self-checking pair. The switchover from the primary processor pair to the backup pair will occur if there is disagreement between the processor pairs. A form of electronic voting is used for critical pyrotechnic signals, requiring both processor pairs produce the same command to these actuators.
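An added illustration in C (not from the book or from any manufacturer's code) of the self-checking arrangement described for the Airbus command/monitor computers earlier in this chapter and for the IUS processor pairs above: a unit whose two lanes disagree cannot tell which lane is wrong, so it goes passive and the next unit in priority order takes over. The comparison tolerance, the confirmation count, the position of S1 in the chain, the fault timings and all sample values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_FCC       4
#define COMPARE_TOL 0.2   /* deg, assumed COM/MON comparison tolerance */
#define CONFIRM     2     /* assumed frames of disagreement before latching */

/* P1, P2 and S2 are named in the text; S1 and the order are assumed. */
static const char *const FCC_NAME[N_FCC] = { "P1", "P2", "S1", "S2" };

typedef struct {
    int  disagree;   /* consecutive COM/MON miscompares */
    bool passive;    /* latched: the unit has taken itself off line */
} fcc_t;

typedef struct {
    int final_active;  /* index of the unit in control at the end, -1 if none */
    int handovers;     /* number of reconfigurations */
    int bad_frames;    /* frames in which a wrong command reached the surface */
} reconfig_result_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* MON lane check. A disagreement shows that one lane is wrong but not which,
 * so the whole unit is declared passive once the miscompare is confirmed. */
void fcc_monitor(fcc_t *c, double com, double mon)
{
    if (c->passive) return;
    if (absd(com - mon) > COMPARE_TOL) {
        if (++c->disagree >= CONFIRM) c->passive = true;
    } else {
        c->disagree = 0;
    }
}

/* Control goes to the first unit in priority order that is not passive. */
int active_fcc(const fcc_t chain[N_FCC])
{
    for (int i = 0; i < N_FCC; i++)
        if (!chain[i].passive) return i;
    return -1;
}

/* IUS-style discrete vote for a critical signal: both pairs must command it. */
bool pyro_vote(bool pair_a_fire, bool pair_b_fire)
{
    return pair_a_fire && pair_b_fire;
}

/* Constructed scenario: P1 command lane goes hardover at frame 3, then the
 * monitor lane of P2 fails at frame 7 while its command lane is still good. */
reconfig_result_t run_reconfig_scenario(void)
{
    fcc_t chain[N_FCC] = { {0, false}, {0, false}, {0, false}, {0, false} };
    reconfig_result_t r = { 0, 0, 0 };

    for (int k = 0; k < 12; k++) {
        double truth = 1.0 + 0.05 * k;   /* constructed fault-free command */
        double com[N_FCC], mon[N_FCC];
        for (int i = 0; i < N_FCC; i++) {
            com[i] = truth;
            mon[i] = truth + 0.01;       /* lanes agree closely when healthy */
        }
        if (k >= 3) com[0] = -30.0;      /* injected: P1 command lane hardover */
        if (k >= 7) mon[1] = 99.0;       /* injected: P2 monitor lane failure */

        for (int i = 0; i < N_FCC; i++)
            fcc_monitor(&chain[i], com[i], mon[i]);

        int act = active_fcc(chain);
        if (act != r.final_active) { r.handovers++; r.final_active = act; }
        if (act >= 0 && absd(com[act] - truth) > COMPARE_TOL) r.bad_frames++;
    }
    return r;
}

int main(void)
{
    reconfig_result_t r = run_reconfig_scenario();
    printf("in control at end: %s, handovers: %d, bad frames: %d\n",
           r.final_active >= 0 ? FCC_NAME[r.final_active] : "none",
           r.handovers, r.bad_frames);
    return 0;
}
```

Two properties of a self-checking pair show up in the run: the hardover reaches the surface for the one frame needed to confirm the miscompare, and P2 is taken off line although only its monitor lane failed.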
accident cases in which the control and performance capabilities of the aircraft
were compromised due to the failure of one or more critical systems and structural
damage.
in this chapter formed the basis for the reconstruction of realistic and validated aircraft accident scenarios as part of the FM-AG(16) simulation benchmark. This was partly based on available flight data of the accident cases, simulation models and results from earlier studies. Although the accident survey in this chapter shows that the aircraft propulsion system can be used as the only effective means of controlling and landing a damaged aircraft when the complete flight control system is lost, within FM-AG(16) this control strategy has not been investigated (despite having evaluated some control options using differential thrust for stabilisation). This is mainly due to the additional design requirements on engine performance (e.g. response time) and health monitoring to allow them to be used as an integrated part of the flight control system. This subject is currently the topic of other proposed research initiatives in the area of damage tolerant flight control [7]. The majority of documentation and supporting graphics of the aircraft accident cases described in this chapter are based on reference [27]. Selected graphics and diagrams used in this book have been reproduced from the original artwork created by Matthew Tesch for the Air Disaster series of books published by the then Aerospace Publications (Canberra) and appear here by kind permission of the artist and the publisher. To distinguish these from other graphic material used in this document, the shorter acknowledgement (MT/AA) appears at the end of each caption.
Fig. 1.18 Main developments in the DC-10’s disastrous takeoff, from engine separation to
impact, (MT/AA)
to maintain equilibrium and it seemed that, despite the loss of its port engine, the DC-10 was responding well to control. But 10 seconds later, when the DC-10 had climbed to about 300 feet, the speed decreased to 159 knots and it began to roll to the left at an increasing rate, despite the crew’s application of right aileron. The roll quickly steepened alarmingly, even though increasing amounts of opposite rudder and aileron were being applied, and it began yawing to the left as well. Simultaneously, the nose lowered and the aircraft began to lose height, despite increasing the up elevator. At the same time, the bank increased still further. Finally, the DC-10’s wings were past the vertical in a 112 degree left roll and a 21 degree nosedown attitude, with full opposite aileron and rudder, and almost full up elevator being applied. At this point the wingtip struck the ground, pivoting the DC-10 into the ground, nose first, with enormous impact. The aircraft exploded in an enormous flash of flames and a cloud of black smoke. The DC-10 had been airborne for only 31 seconds, and none of the occupants survived. The trajectory of this ill-fated flight is illustrated in fig. 1.18.
During the subsequent investigation by the National Transportation Safety Board (NTSB), two key questions dominated the investigators’ minds: What had caused the engine pylon to break away so unexpectedly from the aircraft’s wing under perfectly normal operating conditions? And why had this led to such a complete loss of control? In theory, the DC-10 should certainly have been aerodynamically capable of climbing away successfully after the physical loss of the engine, and returning for
(a) Artist impression of the damaged aircraft during its 31 second flight, note the retracted outboard slats on the port wing, (MT/AA)
(b) Picture of the damaged aircraft just before impact, source: [3]
(c) Picture of the damaged aircraft just after impact, source: airdisasters.com
no warning to the pilot of the onset of the stall on the outboard section of the port wing. The loss of control of the DC-10 was thus the result of a combination of three events: the retraction of the port wing’s outboard leading edge slats, the loss of the slat disagreement warning system, and the loss of the stall warning system. All were consequences of the separation of the engine and pylon assembly. Each on its own would not have resulted in the crew losing control. But together, during a highly critical phase of flight, they posed a problem that gave the crew insufficient time to recognize and correct.
The National Transportation Safety Board finally determined the cause of the
accident to be the asymmetric stall and ensuing roll of the aircraft because of the
retraction of the port wing outboard leading edge slats, and the loss of stall warning
and slat disagreement indicator systems resulting from the separation of the No 1
engine and pylon assembly, at a critical point during takeoff. The separation resulted
from damage inflicted by improper maintenance procedures which led to the failure
of the pylon structure.
Contributing to the cause were:
• The vulnerability of pylon attachment points to maintenance damage and of the
leading edge slat system to the damage which produced asymmetry;
• Deficiencies in the FAA’s surveillance and reporting systems in failing to detect
improper maintenance procedures;
• Deficiencies in communication between the aircraft operators, the manufacturer
and the FAA in failing to disseminate details of previous maintenance damage;
• The inadequacy of prescribed engine failure crew procedures to cope with unique
emergencies.
Post accident analysis has indicated that the pilot had about 15 seconds to react to the failure before control was completely lost. If corrective action had been taken, the plane could have been saved [26]. Obviously, under such emergency conditions, an automatic fault-tolerant control system could have been extremely useful to assist the pilots, and on-line generated diagnostic information could have been useful to recover the plane. However, it should be noted that once the pilot let the speed decrease to V2, the angle of attack of the affected left wing exceeded its stall limit, thus causing a non-recoverable loss of control. It is important to realize that the main contribution fault tolerant control could most probably provide in this situation was to improve the reaction time of the pilot to recover and stabilize the aircraft and to prevent the speed from decaying by taking into account the minimum speed limit. Once the stall limit was exceeded, fault tolerant control could no longer recover from this fatal condition, as there would not be enough control authority in the remaining effectors to recover from the loss of control. From an operational standpoint, too low an airspeed combined with a very low altitude leads to a lack of sufficient energy to escape from this catastrophic situation.
Fig. 1.21 Illustrations of heavy damage to JAL Boeing 747 JA8119, (MT/AA)
the fuselage hull. Unfortunately, the repair work on the bulkhead involved rivet numbers and placement which was not optimized for long term fatigue, as explained in [27]. The repaired pressure dome held for seven years. Unfortunately, on flight JL123 the repaired dome joint broke and resulted in an explosive decompression, as illustrated by fig. 21(a). The volume of air escaping violently from the passenger cabin through the ruptured bulkhead, the failure of which in itself did not destroy the aircraft, had the same impact on the tailcone and tail surfaces as an explosion. Almost the complete vertical fin was blown off, together with components of all four independent hydraulic systems powering the primary flight controls. This meant that all hydraulics were lost and the crew was left with no means to control the aircraft except for the engines. An amateur photographer took a picture of the crippled tailless aircraft, as seen in fig. 21(b).
The loss of the vertical tail rendered the heavy aircraft de facto laterally unstable and led to a hopeless situation for the crew. The loss of hydraulics halted the functioning of all stability augmentation equipment, resulting in the appearance of phugoid as well as Dutch roll behaviour. The only way for the crew to stabilize the aircraft was to apply differential thrust by handling the four throttle levers separately. In this way the experienced crew succeeded in stabilizing the aircraft for half an hour, and almost managed to bring the aircraft back to Haneda’s airport. Unfortunately, they did not make it to the airport and crashed on Mount Osutaka. According to [27], it is widely accepted that the aircraft crashed because of crew fatigue, and experts believe they would never have succeeded in performing a successful landing even if they had managed to bring the crippled aircraft back to the airport. A sketch of the aircraft trajectory can be found in fig. 1.22.
The flown trajectory shown in fig. 1.22 indicates that the aircraft was still controllable to some degree through differential thrust from its engines: the only problem is that this was not an efficient way for the crew to control it. With the available controls, they did not have the necessary capabilities to bring the aircraft and the passengers back to safety.
(a) Bad quality picture of the aircraft with arrows indicating the damage locations on elevator and tailcone, source: NTSB
(b) Picture of re-assembled stabilizer wreckage after crash, source: [3]
JAL jumbo jet four years before. This event is illustrated by some pictures. Figure 24(a) is a picture of the aircraft, where the small arrows indicate the punctured areas on the right elevator. Note the large hole in the elevator leading edge, and the missing tailcone. Note that the major damage is clearly situated in the plane of the No. 2 fan disk. Finally, fig. 24(b) shows a picture of the stabilizer on the re-assembled wreckage after the crash. This is a top view, the structure on the top left is the tail engine housing. It is clear where the No. 2 fan disk is located in that housing, since the skin is completely missing there. With regard to the stabilizer, it is clear that the inner part was damaged to a significantly larger extent than the outer one.
Since the aircraft was swinging through a gradual right turn at the airway intersection at the moment the tail-mounted engine disintegrated, its ‘frozen’ control surfaces left it with the tendency to continue the turn. Figure 1.25 shows a map of the aircraft’s radar-plotted track. The post failure ground track clearly shows the right hand turn tendency. In their fight to retain control with engine power alone, the DC-10 crew had small but crucial advantages over the hapless Japanese Boeing 747 crew in a similar predicament four years before, as described above. The undamaged fin gave the aircraft some measure of directional stability; moreover, a ‘dead-heading’ check pilot joined the United crew on the flight deck. The check pilot’s remarkable skills in handling the power levers undoubtedly allowed the operating crew to concentrate more closely on their crucial individual tasks. Thanks to the joint efforts of the highly experienced crew, they managed to divert the aircraft to the airport closest in the vicinity, namely the Sioux Gateway Airport. As can be clearly seen in fig. 1.25, they succeeded only once in making a left turn, but this was sufficient to line the crippled DC-10 up with one of the airport’s runways.
Unfortunately, since the flaps were stuck at their ‘in’-position, the crew was
forced to make their approach at high speed. Moreover, the sluggish aircraft
responses to the throttle setting changes made it particularly difficult to make changes
in the aircraft final approach path and speed close to the runway. This resulted in the
final seconds of flight being in a nearly unsurvivable situation. Any throttle change
induced some very badly damped phugoid oscillations, which are extremely
dangerous at this altitude. Moreover, it was impossible to set the throttles to idle at finals,
because this would result again in the natural tendency of the aircraft to make a
gradual right-hand turn. All this resulted in the situation whereby the aircraft made
extremely hard and rough contact with the ground, rolling and tumbling upside down
as it broke up. Despite this dramatic end, and although 111 people died in the valiant
landing attempt, the superb airmanship of the crew to nurse the aircraft back to the
closest airport led to the survival of 185 passengers, including all the four crew on
the flight deck. It is clear that the survival of a considerable number of the
passengers depended entirely on the magnificent skills of the crew. Without these highly
experienced pilots, this situation would have been definitely unsurvivable.
and a significant drag increase. Due to this extensive damage, the aircraft was
rendered considerably asymmetric. Moreover, this damage resulted in a partial loss of
the hydraulics, and hydraulic systems 3 and 4 became unavailable. As illustrated in
fig. 1.27, a significant number of control surfaces were paralysed after the engine
separation. The outboard (low speed) ailerons, outboard flaps, spoilers No. 1, 4, 5,
6, 7, 8, 9, 12 as well as the inner left and outer right elevator were lost completely,
while the inner (high speed) ailerons suffered a 50% hinge moment loss and the
functionality of the horizontal stabilizer was reduced to half trim rate.
After experiencing the limping behaviour of the crippled aircraft, the crew
decided to return to the airport. In an attempt to make an emergency landing, the
aircraft flew several right-hand circuits in order to lose altitude and to line up with
runway 27. During the second line-up, the aircraft entered an unrecoverable
roll-dive. As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor
apartment building in the Bijlmermeer, a suburb of Amsterdam. The trajectory of
the aircraft is shown in fig. 1.28. Since the crew was not aware of the actual scale
of the damage, they decided to return to the airport as quickly as possible. As a
result, however, they attempted to make an emergency landing with the
heavy take-off weight of 317 tons. This would have required such a high approach
speed of 133.8 m/s that no safe landing would have been possible. Jettisoning fuel
in order to reduce the aircraft weight to a more acceptable 263 tons would have
resulted in a lower minimum speed of 108 m/s that possibly would have led to a more
survivable emergency landing, even with the flaps stuck at position 1.
The official analysis from this investigation concluded that given the performance
and controllability of the aircraft after the separation of the engines, a successful
landing was highly improbable. In 1997, the division of Control and Simulation in
1.3.5 USAir Flight 427 and United Airlines Flight 585, Sources: [4], [9], [5]
On March 3, 1991, a United Airlines (UAL) Boeing 737-200, registration number
N999UA, operating as flight 585, was on a scheduled passenger flight from Denver,
Colorado, to Colorado Springs, Colorado. Visual meteorological conditions (VMC)
prevailed at the time, and the flight was on an instrument flight rules (IFR) flight
FDR only recorded five parameters⁴. The flightpath, pitch and roll angles were
determined by calculations using the heading and normal acceleration (G-loads) data.
The direct availability of roll attitude data would have provided direct information
about sideslip angles when the roll angle and heading data were compared, thus
permitting a more accurate analysis to determine the nature of the airplane’s final
manoeuvre. Had rudder, aileron and spoiler deflection data been available,
investigators would have been able to compare the airplane’s theoretical performance with
other data that described the airplane’s flight profile to determine with a high level
of confidence the effect of external (atmospheric) forces. The direct evidence
provided by the parameters would also have permitted an analysis of the flight control
system and engine function. Consequently, the data proved insufficient to establish
why the plane suddenly went into the fatal dive. The NTSB did not rule out the
possibilities of a malfunction of the rudder PCU servo (possibly causing a rudder
reverse) and the effect that powerful rotor winds coming off the Rocky Mountains
might have had, but there simply was not enough evidence to judge the expected
cause. In the first NTSB report (issued on December 8, 1992) no ‘probable cause’
could be given. Instead, it said ‘The National Transportation Safety Board, after an
exhaustive investigation effort, could not identify conclusive evidence to explain the
loss of United Airlines flight 585.’
On September 8, 1994, at about 1903 local time, USAir flight 427, a Boeing
737-3B7 (737-300), N513AU, crashed while manoeuvring to land at Pittsburgh
International Airport, Pittsburgh, Pennsylvania. Flight 427 was operating as a scheduled
domestic passenger flight from Chicago-O’Hare International Airport, Chicago,
Illinois, to Pittsburgh. The flight departed at about 1810, with 2 pilots, 3 flight
attendants, and 127 passengers on board. FDR data indicated that the accident airplane
was rolling out of a left bank to its assigned heading of 100°, after which it began to
yaw and roll; the airplane’s heading moved left past 100° at an increasing rate.
Thereafter, the airplane’s heading moved left at a rate of at least 5° per second. The
airplane’s heading continued to move left at least at this rate until the stickshaker
activated⁵. The airplane’s left roll angle was also increasing rapidly during this time: the
airplane’s left roll angle was about 28° and 5 seconds later the airplane’s left roll angle
exceeded 70°. All this happened in less than 15 seconds. The airplane kept rolling to the
left and finally entered an uncontrolled descent and impacted terrain near Aliquippa,
Pennsylvania, about 6 miles northwest of the destination airport. All 132 people on
board were killed, and the airplane was destroyed by impact forces and fire. The
Safety Board therefore considered various scenarios that could have resulted in such
an abrupt heading change, including asymmetric engine thrust reverser deployment,
asymmetrical spoiler/aileron activation, transient electronic signals causing
uncommanded flight control movements, yaw damper malfunctions, and a rudder cable
break or pull. In the end, the Safety Board ruled out each of these scenarios as a
possible factor or cause of the left yaw/roll and heading change for various reasons.
Fig. 1.31 USAir B737-300 N513AU, © Werner Fischdick Collection
Fig. 1.32 Drawings of the faulty rudder PCU equipment on both Boeing 737s, source: [5].
(a) Drawing of the Boeing 737 main rudder power control unit (PCU)
(b) Drawing of the Boeing 737 main rudder PCU servo valve
⁴ Since 1994, FDRs are required to have more parameters, including those to provide roll
and pitch attitude data, as well as thrust data.
⁵ This system warns the pilot when the aircraft is critically close to stalling.
After this second accident, similar to the USAir Flight 427, the NTSB reopened
the investigation of Flight 585, discussed earlier⁶, and came up with the following
identical conclusion for both accidents: ‘The National Transportation Safety Board
determines that the probable cause of the United Airlines flight 585 and USAir
Flight 427 accidents was a loss of control of the airplane resulting from the
movement of the rudder surface to its blowdown limit. The rudder surface most likely
deflected in a direction opposite to that commanded by the pilots as a result of a
jam of the main rudder power control unit servo valve secondary slide to the servo
valve housing offset from its neutral position and overtravel of the primary slide’,
see fig. 1.32.
Comparing this aircraft accident analysis with the previous ones shows that not
only a (partial) loss of hydraulics can lead to disastrous situations. Here, all
hydraulics were still operational, but the rudder actuator suffered from a malfunction,
leading to an extreme deflection up to its blowdown limits. Since all other control
effectors, surfaces and engines, were still operative, their control authority could have
been exploited by a form of unconventional control in order to bring the aircraft
back to safety. In this scenario of a rudder hardover, the ailerons and differential
thrust on both engines would be the steering channels par excellence to compensate
for the failure.
⁶ And even another related accident with the same type of aircraft, namely Eastwind Flight
517.
Finally, flight tests conducted in a Boeing 737-300 aircraft, following the
accident, demonstrated that an airspeed of 190 KIAS was close to the crossover speed
for the weight and configuration of USAir Flight 427. At this speed, it was found that
the ailerons and spoilers were sometimes unable to stop the roll induced by a (faulty)
full rudder deflection. Moreover, the investigation by NTSB showed that if a
B-737-300 aircraft cruising at an airspeed of 190 knots with flaps 1 encountered a rudder
hardover, recovery was impossible if altitude was maintained by the pilot. In these
conditions, aircraft recovery was only possible if the pilot descended to gain
airspeed, which decreases the effectiveness of the rudder and increases aileron/spoiler
authority enough to compensate for the rolling moment. However, the natural
reaction of the pilot would be to maintain altitude while analyzing a control problem,
as was the case for this accident. Simulations have shown that a roll/yaw upset is
almost likely to be unrecoverable due to the surprise reaction of the pilot and the
aircraft being below the crossover speed and/or close to the ground. However, a
rudder hardover of a Northwest Airlines Boeing 747-400 aircraft (Flight 85) in 2002
showed that the remaining control capabilities of the aircraft, including the engines,
could be used to recover the aircraft and reduce speed to conduct a successful
landing. Also for these scenarios, fault tolerant control could assist in recovering correctly
and in a timely manner from a fault-induced upset and in stabilizing the aircraft for an
emergency landing.
(a) Picture of the flying aircraft with the left wing on fire, the flames eating slowly
their way through the wing structure
(b) Picture of damaged trailing edge wing structure
(c) Picture of missile hole in lower skin of wing structure
a 50 m flame, see fig. 34(a). They also knew that if a part of the wingtip separated
they would lose all control of the aircraft. Despite the fact that the leading edge of
the wing was complete along almost its entire length, unknown to the crew, the fire
was gradually destroying the outer wing, creeping forward from the trailing edge.
At some stage before they landed, the rear wing spar separated and the remaining
structure was held together by the forward spar only, see fig. 34(b). The impact hole
where the surface to air missile (SAM) entered the wing box is visible in fig. 34(c).
Within a few seconds after impact, the aircraft lost all pressure in the three
separate hydraulic systems. Consequently, the primary flight control surfaces (ailerons,
rudder, elevators) and the spoilers were no longer powered and went limp as their
actuators drained, trailing in the slipstream. The aircraft was rendered uncontrollable
by conventional means and adopted a rapid phugoid motion. The horizontal
stabilizer setting was frozen at the trim position for 215 KIAS, while flaps and slats were
unavailable. Fortunately, it was a short flight with a light load, the total weight being
only 220 klb, well below maximum landing weight. This was a clear and essential
advantage compared with the EL AL scenario described earlier, since the aircraft
was in an acceptable configuration in order to perform immediately a relatively safe
landing with acceptable approach speed. Because of the expanding left wing
damage, the only way to control the aircraft, namely by applying differential thrust, was
also time critical, which ruled out any option of fuel jettison before switching
over to the landing. If they had taken too long to return to the airport, the No. 1 engine
could have run dry of fuel due to the leaking No. 1 fuel tank, or the structural
integrity of the left wing could have been compromised because of the expanding fire,
slowly ‘eating’ its way through the structure. Both would lead to unsurvivable
additional damage. As the aircraft climbed towards a maximum altitude of about 12,000
feet, within 10 minutes, the crew essentially managed to apply an adaptive control
strategy, regaining control and understanding the basic principles of the flying
characteristics induced by the phugoid motion. In addition to controlling pitch and roll
of the aircraft by the engine throttles only, the additional drag and lift loss due to the
damaged left wing needed to be compensated for. A welcome help was the fact that
deploying the gear during the descent increased the damping of the phugoid. After a
first unsuccessful attempt to land the aircraft using the engines only, the crew made
a go-around and finally made a successful landing at Baghdad International Airport,
see fig. 1.35. This was a tremendous achievement, and the crew made the most of
the little chance they were given. It was a remarkable premiere.
This failure resulted in additional challenges with respect to the previous
situations. This time, there was not only a sudden failure, but it was also developing and
expanding. This is an additional challenge for the identification routine, as it has to
keep monitoring continuously, even after failure detection. Some kind of
indication of time-critical issues to the crew could also contribute to their
situational awareness. Finally, it should be noted that this incident is an extreme
situation which only serves as one of the incidents motivating the need for a fault
tolerant flight control system. It is not our goal to discuss this failure specifically.
avoidable with this strategy, as well as the American Airlines DC-10 accident at
Chicago O’Hare International Airport, described earlier. Moreover, there have been
several other engine separation incidents on Boeing 747s and DC-8s, similar to the
EL AL situation. There is even the documented story of a McDonnell Douglas F-15
performing an emergency landing with only one wing due to a mid-air collision
with another aircraft. After some attempts, the pilot succeeded in regaining control
over the aircraft, and nursed the crippled vehicle back to the airport. Key aspects
were the fact that the aircraft kept flying and even landed at high speed and that the
F-15 fuselage is quite wide, containing two engines, so that it has some lifting body
behaviour. After landing, the pilot acknowledged that he was not aware of missing
his entire right wing, and if he had been, he would certainly have ejected...
A recent worldwide civil aviation accident survey for the period 1993 to 2007,
conducted by the Civil Aviation Authority of the Netherlands (CAA-NL) and based
on data from the National Aerospace Laboratory NLR [8], indicates two major
categories of accidents which can be attributed to a common initial event. The first is
‘controlled flight into terrain’ (CFIT), where an aircraft, despite being fully controllable
and under control, hits terrain due to the loss of situational awareness of the crew,
accounting for as much as 23% of all the accidents. This percentage is decreasing over
the years thanks to the enormous international attention given to CFIT with respect to
crew resource management training and development and implementation of new systems
in the cockpit. The second major category is ‘loss of control in flight’, which can be
attributed to mistakes made by the pilot or a technical malfunction. This category
accounts for 16% of all aircraft accidents and is not decreasing. Figure 1.36 shows a
table from this survey. According to the research team of this project, a
reconfiguring flight control system would make the success of the United Airlines and DHL
examples less dependent on the extreme skills of the pilots. Moreover, the other
examples explained above, and a significant part of this 16% of aircraft accidents due
to loss of control in flight could be prevented if some form of reconfiguring control
was implemented in the aircraft. It is important to acknowledge that these accidents
could not have been prevented at the time when they occurred, since computer
capabilities at that time were not at the level they are now. From this perspective, it is
very clear that research on fault tolerant flight control is in the interest of the civil as
well as military aviation industry.
errors were generated by comparison with a nominal model to isolate failures and
estimate the control derivatives of the failed damaged surface for use in a control
allocation scheme. The probability of the pre-defined failure cases was estimated
and used to determine the weighted average for the control inputs. The limitation of
this method is that modelling errors can be interpreted as a failure while the only
failures that can be identified ‘correctly’ are those that fall into the predetermined
fault list. The SRFCS was successfully flight tested by NASA in 1989 and 1990 on an
F-15 aircraft at the Dryden Flight Research Center [17]. Real-time control
reconfiguration was demonstrated for fault cases that included loss of control surfaces due
to battle damage.
Fig. 1.37 A McDonnell Douglas MD-11 lands at Dryden Flight Research Center equipped
with a computer-assisted engine control landing system developed by a NASA-Industry team.
NASA Dryden Flight Research Center Photo Collection, photo by J. Ross
Fig. 1.38 NASA Dryden’s highly modified F-15B, tail number 837, performing Intelligent
Flight Control System (IFCS) project flights. NASA Dryden Flight Research Center Photo
Collection, photo by C. Thomas
provide estimates of the stability and control characteristics for model inversion.
The on-line learning neural networks provide on-line compensation of errors in the
estimates and from the model inversion. In addition, the adaptive neural networks
compensate for changes in the aircraft dynamics due to failures or damage. Piloted
simulation studies have been performed at NASA Ames of Integrated Neural Flight
and Propulsion Control Systems (INFPCS) in which neural flight control
architectures are combined with PCA technology. The evaluation successfully demonstrated
the benefits of intelligent adaptive control [28]. Subsequent evaluations are planned
to further validate the IFC technologies in a C-17 testbed [28]. Adaptive neural
network based technology was further investigated in the Reconfigurable Control for
Tailless Aircraft (RESTORE) program in which reconfigurable control design
methods were applied to a tailless aircraft [14], [16]. Within the Active Management of
Aircraft System Failures (AMASF) project, as part of NASA’s Aviation Safety
Program, several issues in the area of FTFC technology were addressed. These include
detection and identification of failures and icing, pilot cueing strategies to cope with
failures and icing, and control reconfiguration strategies to prevent extreme flight
conditions following a failure of the aircraft. In this context, a piloted simulation
was conducted early in 2005 of a Control Upset Prevention and Recovery System
(CUPRSys). Despite a few limitations, CUPRSys provided promising fault
detection, isolation and reconfiguration capabilities [21].
under the assumption of perfect information from the FDI system. Furthermore,
the group addressed the need for high-fidelity nonlinear simulation models, relying
on accurate failure modelling, to improve the prediction of reconfigurable system
performance in degraded modes.
Several realistic failure modes have been considered in this research project. The
most important scenarios are the engine separation (inspired by the El Al accident,
see 1.3.4) and the rudder hardover (inspired by the US Airways and United Airlines
accidents, see 1.3.5) cases. However, it should be noted that the scenario ‘total loss
of hydraulics’, leading to the need of ‘thrust control only’ has not been considered
explicitly in this research. An important motivation for this is the fact that this case
has been considered intensively in the PCA project of NASA, discussed in 1.4.2.
The focus of this research project is more general and not focussed on this specific
strategy.
References
1. Ammons, E.: F-16 flight control system redundancy concepts. In: Guidance and Control Conference, Boulder, Colorado (August 1979)
2. Anderson, B., Bedos, T.: X-38 v201 avionics architecture. Technical Report N20000086667, NASA (February 1999)
3. Anonymous. Applying lessons learned from accidents, http://faalessons.workforceconnect.org/
4. Anonymous. Aircraft accident report United Airlines flight 585 Boeing 737-291, N999UA uncontrolled collision with terrain for undetermined reasons 4 miles south of Colorado Springs municipal airport Colorado Springs, Colorado March 3, 1991. Technical report, National Transportation Safety Board, NTSB (1992)
5. Anonymous. Aircraft accident report uncontrolled descent and collision with terrain USAir flight 427 Boeing 737-300, N513AU near Aliquippa, Pennsylvania, September 8, 1994. Technical report, National Transportation Safety Board, NTSB (1999)
6. Anonymous. Intelligent flight control: Advanced concept program. Final Report BOEING-STL 99P0040, The Boeing Company (1999)
7. Anonymous. Integrated resilient aircraft control - stability, maneuverability and safe landing in the presence of adverse conditions. Technical report, National Aeronautics and Space Administration, Aeronautics Research Mission Directorate, Aviation Safety Program (April 2007)
8. Anonymous. Civil aviation safety data 1993-2007. Technical report, Civil Aviation Authority of the Netherlands, CAA-NL (2008)
9. Anonymous. Aircraft accident report: Uncontrolled descent and collision with terrain United Airlines flight 585 Boeing 737-200, N999UA 4 miles south of Colorado Springs municipal airport Colorado Springs, Colorado, March 3, 1991. Technical report, National Transportation and Safety Board (March 27, 2001)
10. Arabian, A.: AFTI/F-16 digital flight control computer design. In: NAECON 1983, Dayton, Ohio (1983)
11. Boldue, L.: Redundancy management for the X-33 vehicle and mission computer. In: 19th Digital Avionics Systems Conference, Philadelphia, Pennsylvania (October 2000)
12. Brekke, D., Giere, N., Schlosser, R., Slavich, M., Tabor, D., Turner, B.: Next generation fault-tolerant guidance and navigation unit for the inertial upper stage. In: Rocky Mountain Guidance and Control Conference, Keystone, Co (February 1995)
13. Briere, D., Traverse, P.: Airbus A320/A330/A340 electrical flight controls - a family of fault tolerant systems. In: IEEE Conference (1993)
14. Brinker, J.S., Wise, K.A.: Nonlinear simulation analysis of a tailless advanced fighter aircraft reconfigurable flight control law. In: AIAA Guidance, Navigation and Control Conference and Exhibit, Portland, OR, AIAA-99-4040 (August 1999)
15. Burken, J.J., Maine, T.A., Burcham, F.W., Kahler, J.A.: Longitudinal emergency control system using thrust modulation demonstrated on an MD-11 airplane. In: AIAA, ASME, SAE, and ASEE, Joint Propulsion Conference and Exhibit, 32nd, Lake Buena Vista, FL (July 1996)
16. Calise, A.J., Lee, S., Sharma, M.: Development of a reconfigurable flight control law for the X-36 tailless fighter aircraft. AIAA Journal of Guidance, Control and Dynamics 24(5), 896–902 (2001)
17. Corvin, J.H., Havern, W.J., Hoy, S.E., Norat, K.F., Urnes, J.M., Wells, E.A.: Self-repairing flight control systems, volume I: Flight test evaluation on an F-15 aircraft. Final Report WL-TR-91-3025 (1991)
18. Driscoll, K., Hoyme, K.: The airplane information management system, an integrated real-time flight deck control system. In: Real-Time System Symposium (December 1992)
19. EASA. Certification Specifications for Large Aeroplanes. EASA. CS-25
20. Federal Aviation Administration FAA. Airworthiness Standards: Transport Category Airplane. Federal Aviation Administration FAA. title 14, part 25
21. Ganguli, S., Papageorgiou, G., Glavaski, S., Elgersma, M.: Piloted simulation of fault detection, isolation and reconfiguration algorithms for a civil transport aircraft. In: AIAA Guidance, Navigation and Control Conference and Exhibit, San Francisco, CA, AIAA-2005-5936 (August 2005)
22. Goupil, P.: Airbus overview of fault tolerant control. In: Garteur AG-16 Workshop, April 4-5 (2006)
23. Gunston, B.: Modern Fighters. Salamander Books Ltd., London (1988)
24. Hammett, R.: Design by extrapolation: an evaluation of fault tolerant avionics. IEEE Aerospace and Electronic Systems Magazine 17(4), 17–25 (2002)
25. Jarvis, C.R., Szalai, K.J.: Ground and flight test experience with a triple redundant digital fly by wire control system. Technical Report 19810010480, NASA (1981)
26. Jiang, J.: Fault-tolerant Control Systems – An Introductory Overview. ACTA Automatica Sinica 31(1), 161–174 (2005)
27. Job, M.: Air Disaster, vol. 2. Aerospace Publications Pty Ltd. (1996)
28. KrishnaKumar, K., Gundy-Burlet, K.: Intelligent control approaches for aircraft applications. Technical report, NeuroEngineering Laboratory, NASA Ames Research Center
29. Kuhlberg, J.F., Kniat, J., Newirth, D.M., Jamison, J.C., Switalski, J.R.: Transport engine control design. In: AIAA, SAE and ASME, Joint Propulsion Conference, 18th, Cleveland, Ohio (June 1982)
30. Le Tron, X.: Airbus fly-by-wire: An integrated system design. In: Garteur AG-16 Workshop, April 4-5 (2006)
31. Learmount, D.: Missile attack, great escape. In: Flight International, pp. 34–38 (21/12/2004 - 03/01/2005)
32. Lemaignan, B.: Flying with no flight controls: Handling qualities analyses of the Baghdad event. AIAA-2005-5907 (2005)
33. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A.: Lecture Notes AE4-301, Automatic Flight Control System Design. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (January 2005)
34. Maoui, G. (ed.): Cockpits by Airbus Industrie. Cherche midi enterprise (1998)
35. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: Lecture Notes AE3-302, Flight Dynamics. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (January 2006)
36. Patton, R.J.: Fault tolerant control systems: The 1997 situation. In: Proceedings of IFAC Symposium on SAFEPROCESS, HULL, UK, August 1997, pp. 1033–1055 (1997)
37. Pratt, R.W.: Flight Control Systems, practical issues in design and implementation. In: IEE/AIAA, Stevenage, UK/Reston, USA (2000)
38. Smaili, M.H.: Flight Data Reconstruction and Simulation of EL AL Flight 1862. Final thesis, T.U. Delft (November 1997)
39. Smaili, M.H.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer airplane accident. AIAA-2000-4586 (August 2000)
40. Smaili, M.H., Breeman, J., Lombaerts, T.J.J., Joosten, D.A.: A simulation benchmark for integrated fault tolerant flight control evaluation. In: AIAA MST (2006)
41. Williams-Hayes, P.S.: Flight test implementation of a second generation intelligent flight control system. In: Infotech@Aerospace (2005)
42. Yeh, Y.C.: Triple-triple redundant 777 primary flight computer. In: IEEE Aerospace Application Conference, Aspen, Colorado, pp. 293–307 (1996)
43. Zhang, Y., Jiang, J.: Bibliographical review on reconfigurable fault-tolerant control systems. In: 5th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, Washington DC, USA, June 9-11, pp. 265–275 (2003)
Chapter 2
Fault Tolerant Flight Control - A Survey
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 47–89.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
They are constantly and inexhaustibly working, making our life more comfortable
and more efficient . . . until the system fails.
Faults in technological systems are events that happen rarely, and come mostly
unexpectedly. In [43] the following definition for a fault is made:
A fault is an unpermitted deviation of at least one characteristic
property or parameter of the system from the
acceptable/usual/standard condition.
Faults are difficult to accurately predict in time, and to prevent. The impact of
a fault can be a small reduction in efficiency, but could also lead to overall system
failure. In safety critical systems this can lead to catastrophic events with significant
costs, both economically and in terms of human life. Several such examples are
• the explosion at the nuclear power plant at Chernobyl, Ukraine, on 26th April
1986 [67]. About 30 people were killed immediately, while another 15,000 were
killed and 50,000 left handicapped in the emergency clean-up after the accident.
It is estimated that five million people were exposed to radiation in Ukraine,
Belarus and Russia.
• the crash of the American Airlines flight 191, a McDonnell-Douglas DC-10
aircraft, at Chicago O’Hare International Airport on 25 May 1979 (see
Chapter 1). In this incident 271 persons on board and 2 on the ground were killed
when the aircraft crashed into an open field [74, 75].
• the explosion of the Ariane 5 rocket on 4th June 1996, where the reason was
a fault in the Internal Reference Unit that had the task to provide the control
system with altitude and trajectory information. As a result, incorrect altitude
information was delivered to the control unit [67].
The question that immediately arises is “Could something have been done to
prevent these disasters?”. While in most situations the occurrences of faults in
the systems cannot be prevented, subsequent analysis often reveals that the
consequences of the faults could be avoided or, at least, that their severity (in terms of
economic losses, casualties, etc.) could be minimized. If faults could be detected
and diagnosed rapidly enough, then, in many cases, it is possible to subsequently
reconfigure the control system so that it can safely continue its operation (though
with degraded performance) until the time comes when it can be switched off to
allow repair. In order to minimize the chances for such catastrophic events as those
summarized above, safety-critical systems must possess the properties of increased
reliability and safety.
A way to offer increased reliability and safety is by means of a fault-tolerant
control (FTC) system design. An FTC system could have been designed to lead to
a safe shutdown of the Chernobyl reactor way before it exploded [67]. Subsequent
studies following the McDonnell-Douglas DC-10 crash showed that the crash could
have been avoided [75]. In the last minutes of the Ariane 5 crash the normal alti-
tude information had been replaced by some diagnostic information that the control
system was not designed to understand [67]. Fortunately, there are also examples,
[Fig. 2.1: According to their location, faults are classified into sensor, actuator and component faults. Diagram labels: reference inputs, Controller, actuators, System, sensors, controlled outputs, system faults.]
which show that taking appropriate measures can indeed prevent disasters (see also
Chapter 1):
1. A McDonnell-Douglas DC-10 aircraft executing flight 232 of United Airlines
from Denver to Minneapolis experienced a disastrous failure in the hydraulic
lines that left the plane without any control surfaces at 37,000 ft. The
crew then improvised a control strategy that used only the throttles of the two
wing engines and managed to successfully crash-land the plane in Sioux City,
Iowa, saving the lives of 184 out of the 296 passengers on board [66].
2. In the Delta Airlines flight 1080 an elevator became jammed at 19 degrees.
The pilot was not given any indication of what had actually occurred but still
was able to reconfigure the remaining lateral control elements to land the aircraft
safely [75].
All these examples clearly motivate the need for increased fault-tolerance in order
to improve to the maximum possible extent the safety, reliability and availability of
controlled systems. This is particularly true as modern systems become increasingly
complex. The examples above also explain the large amount of research in the field
of fault detection, diagnosis and fault-tolerant control. An overview of this research
is provided in this chapter.
order to achieve increased fault-tolerance is often not an option due to their high
prices and large size and mass.
Sensor faults: these faults represent incorrect readings from the sensors that the
system is equipped with. Sensor faults can also be subdivided into partial and
total. Total sensor faults produce information that is not related to the value of
the measured physical parameter. They can be due to broken wires, lost contact
with the surface, etc. Partial sensor faults produce readings that are related to the
measured signal in such a way that useful information could still be retrieved.
This can, for instance, be a gain reduction so that a scaled version of the signal
is measured, a biased measurement resulting in a (usually constant) offset in the
reading, or increased noise. Due to their smaller sizes sensors can be duplicated
in the system to increase fault tolerance. For instance, by using three sensors to
measure the same variable one may consider it reliable enough to compare the
readings from the sensors to detect faults in (one and only one) of them. The so-
called “majority voting” method can then be used to pinpoint the faulty sensor.
This approach usually implies significant increases in the related costs.
Component faults: these are faults in the components of the plant itself, i.e. all
faults that cannot be categorized as sensor or actuator faults will be referred to as
component faults. These faults represent changes in the physical parameters of
the system, e.g. mass, aerodynamic coefficients, damping constant, etc., that are
often due to structural damage. They often result in a change in the dynamical
behaviour of the controlled system. Due to their diversity, component faults cover
a very wide class of (unanticipated) situations, and as such are the most difficult
ones to deal with.
Further, with respect to the way faults are modelled, they are classified as ad-
ditive and multiplicative, as depicted in Figure 2.2. Additive faults are suitable for
representing component faults in the system, while sensor and actuator faults are in
practice most often multiplicative by nature.
Faults are also classified according to their time characteristics (see Figure 2.3)
as abrupt, incipient and intermittent. Abrupt faults occur instantaneously often as a
result of hardware damage. They can be very severe since, if they affect the perfor-
mance and/or the stability of the controlled system, prompt reaction from the FTC
system is required. Incipient faults represent slow parametric changes, often as a re-
sult of aging. They are more difficult to detect due to their slow time characteristics,
[Fig. 2.3: With respect to their time characteristics faults can be abrupt, incipient and intermittent. Three panels (abrupt, incipient, intermittent), each plotting fault against time.]
but are also less severe. Finally, intermittent faults are faults that appear and disap-
pear repeatedly, for instance due to partially damaged wiring.
where $x_k \in \mathbb{R}^n$ denotes the state of the system at time instance k, and A, B, C and D
are matrices (possibly time-varying) of appropriate dimension.
the other hand, $\sigma_i^a = 1$ implies that the i-th actuator operates normally ($u_k^f(i) = u(i)$).
The quantities $\sigma_i^a$, $i = 1, 2, \ldots, m$ can also take values in between 0 and 1, making it
possible to represent partial actuator faults. Substituting the nominal control action
$u_k$ in equation (2.1) with the faulty $u_k^f$ results in the following state-space model
$$
S_{mult,af} : \left\{ \begin{array}{l}
x_{k+1} = A x_k + B \Sigma_A u_k + B (I - \Sigma_A) \bar{u} \\
y_k = C x_k + D \Sigma_A u_k + D (I - \Sigma_A) \bar{u}.
\end{array} \right. \qquad (2.3)
$$
Models in the form (2.3) are referred to as multiplicative fault models and have been
widely used in the literature (see, for example [86, 73]).
It needs to be noted that while such multiplicative actuator faults do not directly
affect the dynamics of the controlled system itself, they can significantly affect the
dynamics of the closed-loop system, and may even affect the controllability of the
system. Figure 2.4 presents a simple example with a 50% actuator fault that results
in instability of the closed-loop system. In the example of Figure 2.4 a system con-
sisting of the transfer function S(s) = 1/(s − 1) is controlled by a PI controller with
transfer function C(s) = 1.5 + 5/s, so that a sinusoidal reference signal is tracked under
normal operating conditions (i.e. during the first 20 seconds of the simulation).
At time instance t = 20 sec, a 50% loss of control effectiveness is introduced and
as a result the closed-loop system stability is lost. This example makes it clear that
even “seemingly simple” faults may significantly degrade the performance and can
even destabilize the system.
Similarly, sensor faults occurring in the system (2.1) represent incorrect readings
from the sensors, so that as a result the real output of the system $y_k^{real}$ differs from
the variable being measured. Multiplicative sensor faults can be modelled in the
following way
$$
y_k^f = y_k + (I - \Sigma_S)(\bar{y} - y_k), \qquad (2.4)
$$
where $\bar{y} \in \mathbb{R}^p$ is an offset vector, and
$$
\Sigma_S = \mathrm{diag}\{\sigma_1^s, \ldots, \sigma_p^s\}, \quad \sigma_i^s \in \mathbb{R},
$$
so that $\sigma_j^s = 0$ represents a total fault of the j-th sensor, and $\sigma_j^s = 1$ models the
normal mode of operation of the j-th sensor. Partial faults are then modelled by
taking $\sigma_j^s \in (0, 1)$. Substitution of the nominal measurement $y_k$ in (2.1) with its faulty
counterpart $y_k^f$ results in the following state-space model that represents
multiplicative sensor faults
$$
S_{mult,sf} : \left\{ \begin{array}{l}
x_{k+1} = A x_k + B u_k \\
y_k = \Sigma_S C x_k + \Sigma_S D u_k + (I - \Sigma_S) \bar{y}.
\end{array} \right. \qquad (2.5)
$$
In this way, combinations of multiplicative sensor and actuator faults are represented
in the following way
$$
S_{mult} : \left\{ \begin{array}{l}
x_{k+1} = A x_k + B \Sigma_A u_k + b(\Sigma_A, \bar{u}) \\
y_k = \Sigma_S C x_k + \Sigma_S D \Sigma_A u_k + d(\Sigma_A, \Sigma_S, \bar{u}, \bar{y}),
\end{array} \right. \qquad (2.6)
$$
[Fig. 2.4: After a multiplicative fault the system may become unstable if no reconfiguration takes place. Block diagram: reference generator, PI controller 1.5 + 5/s, 50% actuator fault, system 1/(s − 1), monitoring. Plot: reference trajectory, system output and fault occurrence against time, sec (0 to 40).]
with
$$
b(\Sigma_A, \bar{u}) = B (I - \Sigma_A) \bar{u},
$$
$$
d(\Sigma_A, \Sigma_S, \bar{u}, \bar{y}) = \Sigma_S D (I - \Sigma_A) \bar{u} + (I - \Sigma_S) \bar{y}.
$$
The multiplicative model is thus a “natural” way to model a wide variety of sensor
and actuator faults, but cannot be used to represent more general component faults.
This fault model representation is most often used in the design of the controller
reconfiguration scheme of an active FTC system since for controller redesign one
usually needs the state-space matrices of the faulty system.
component faults. Using model (2.7), however, often results in the signal fk becom-
ing related to one or more of the signals uk , yk and xk . For instance, when using this
additive fault representation to model a total fault in all actuators (ΣA = 0 and ū = 0
in equation (2.2)) then in order to make model (2.7) equivalent to model (2.3) one
needs to take a signal $f_k$ such that $\begin{bmatrix} F \\ E \end{bmatrix} f_k = -\begin{bmatrix} B \\ D \end{bmatrix} u_k$ holds, making $f_k$ dependent
on uk . Clearly, the fault signal being a function of the control action is not desirable
for controller design. On the other hand, fk is independent of uk when multiplicative
representation is utilized. Figure 2.5 illustrates this.
Another disadvantage of the additive model when used to represent sensor and
actuator faults is that, in terms of input-output relationships, these two faults become
difficult to distinguish. Indeed, suppose that the model
is used to represent faults in the sensors and actuators. By writing the corresponding
transfer function
it becomes clear that the effect of an actuator fault on the output of the system can
be modelled not only by the signal fka , but also by fks .
An advantage is, as already mentioned, that the additive representation can be
used to model a more general class of faults than multiplicative ones. In addition, it
is more suitable for the design of FDD schemes because the faults are represented
by one signal rather than by changes in the state-space matrices of the system as is
the case with the multiplicative representation. For that reason the majority of FDD
methods are focused on additive faults [33, 3, 57].
faults. A component fault may introduce changes in each matrix of the state-space
representation of the system due to the fact they may all depend on the same physical
parameter that undergoes a change. Component faults are often modelled in the form
of a linear parameter-varying (LPV) system
[Figure: block diagram. Labels: FTC, FDD, Reconfiguration mechanism, Fault Detection & Diagnosis, estimated fault, reference input, Controller, System, output, faults.]
The projection based methods rely on the controller selection from a set of off-line
predesigned controllers. Usually each controller from the set is designed for a partic-
ular fault situation and is switched on by the RM whenever the corresponding fault
pattern has been diagnosed by the FDD scheme. In this way only a restricted, finite
class of faults can be treated. The on-line redesign methods involve on-line compu-
tation of the controller parameters, referred to as reconfigurable control, or recalcu-
lation of both the structure and the parameters of the controller, called restructurable
control. Comparing the achievable post-fault system performances, the on-line re-
design method is superior to the passive method and the off-line projection-based
method. However, it is computationally the most expensive method as it often boils
down to on-line optimization.
There are a number of important issues when designing active FTC systems.
Probably the most significant one is the integration between the FDD part and the
FTC part. The majority of approaches in the literature are focused on one of these
two parts by either considering the absence of the other or assuming that it is perfect.
To be more specific, many FDD algorithms do not consider the closed-loop oper-
ation of the system and, conversely, many FTC methods assume the availability of
perfect fault estimates from the FDD scheme. The interconnection of such methods
is potentially infeasible and there can be no guarantees that a satisfactory post-fault
performance, or even stability, can be maintained by such a scheme. It is therefore
very important that the designs of the FDD and FTC, when carried out separately,
are each performed bearing in mind the presence and imperfections of the other. For
making the interconnection possible, one should first investigate what information
from the FDD is needed by the FTC, as well as what information can actually be
provided by the FDD scheme. Imprecise information from the FDD that is incor-
rectly interpreted by the FTC scheme might lead to a complete loss of stability of
the system.
The usual situation in practice is that after the occurrence of a fault in the sys-
tem there is initially not enough information in terms of input/output measurements
from the system to make it possible for the FDD scheme to diagnose the fault. For
this reason, only after some time elapses and more information becomes available
can the FDD scheme detect that a fault has occurred. Even more time is required to
localize the fault and its magnitude. As a result, the information that is provided
to the FTC part is initially more imprecise (i.e. with larger uncertainty), and it gets
more and more accurate (with less uncertainty) as more data becomes available from
the system. The FTC scheme should be able to deal with such situations. There-
fore, the FTC should necessarily be capable of dealing with uncertainty in the FDD
information/estimates, and should perform satisfactorily (guaranteeing at least the
stability) during the transition period that the FDD scheme needs to diagnose the
fault(s).
Very often the dynamics of real physical systems cannot be represented accu-
rately enough by linear dynamical models so that nonlinear models have to be used.
This necessitates the development of techniques for FTC system design that can
explicitly deal with nonlinearities in the mathematical representation of the system.
Nonlinearities are, in fact, very often encountered in the representations of complex
safety-critical controlled systems like aircraft and spacecraft. To reduce the inherent
complexity of the control design, it is usual that the lateral and longitudinal dy-
namics of an aircraft are decoupled so that they have no effect on each other. This
significantly simplifies the model of the aircraft and makes it possible to design the
corresponding controllers independently. This decoupling condition can approxi-
mately be achieved for a healthy aircraft, but certain faults can easily destroy it, so
that the two controllers could not be considered separately.
An important issue in FTC system design is that even for a fixed operating re-
gion, where a nonlinear system allows approximation by a linear model, it is very
difficult to obtain an accurate linear representation, either due to the fact that the
physical parameters in the nonlinear model are not exactly known or because they
vary with time. Even the nonlinear model is often derived after some simplifying
assumptions, so that it only approximates the behaviour of the system. Even more,
this uncertainty is further increased due to the linearization that basically consists
in truncating second and higher order terms in the Taylor series expansion of the
nonlinear function. As a result only a representation with uncertainty is available.
It is important that the FTC system is designed to be robust to such uncertainties
within the model.
Another very important issue is that every real-life controlled system has control
action saturation, i.e. the input and/or output signals cannot exceed certain values.
In the design phase of a control system usually the effect of the saturation is ac-
commodated by making sure that the control action will not get overly active and
will remain inside the saturation limits under normal operating conditions. Faults,
however, can have the effect that the control action stays at the saturation limit. For
instance, when a partial 50% loss of effectiveness in an actuator has been diagnosed,
a standard and easy way to accommodate the fault is to re-scale the control action
by two so that the resulting actuation approximates the fault-free actuation. As a
result the control action becomes twice as big and may go to the saturation lim-
its. Clearly, in such situations one should not try to completely accommodate the
fault but one should be willing to accept certain performance degradation imposed
by the saturation. In other words, a trade-off between achievable performance and
available actuator capability might need to be made after the occurrence of a fault.
This situation is often referred to as graceful performance degradation [95].
with
$$
A_i(p_k) = \partial_x f(x^{(i)}, u^{(i)}, p_k), \quad B_i(p_k) = \partial_u f(x^{(i)}, u^{(i)}, p_k)
$$
$$
C_i(p_k) = \partial_x h(x^{(i)}, u^{(i)}, p_k), \quad D_i(p_k) = \partial_u h(x^{(i)}, u^{(i)}, p_k)
$$
$$
b_i(p_k) = f(x^{(i)}, u^{(i)}, p_k) - A(p_k) x^{(i)} - B(p_k) u^{(i)}
$$
$$
c_i(p_k) = h(x^{(i)}, u^{(i)}, p_k) - C(p_k) x^{(i)} - D(p_k) u^{(i)},
$$
Such approximations are widely used in the literature (see, for instance, [47]).
In fact it is shown in [46] that, under certain smoothness properties, the nonlinear
system S(pk ) can be approximated to any desired accuracy on a compact subset of
the state and input spaces by means of the representation (2.10) for a sufficiently
large number of local models.
The multiple model representation (2.10) is both intuitive and attractive, and is
related to the Takagi-Sugeno fuzzy model, where the weights $\mu_k^{(i)}$ in the linear
combination of the local outputs are called degrees of membership.
Suppose that the parameter vector $p_k$ is formed by two vectors, $\delta_k \in \Delta \subseteq \mathbb{R}^{n_\delta}$ and
$f_k \in \mathcal{F} \subseteq \mathbb{R}^{n_f}$, so that
$$
p_k = \begin{bmatrix} \delta_k \\ f_k \end{bmatrix}, \qquad (2.11)
$$
where the vector $\delta_k$ is used to represent unknown, time-varying physical parameters
of the system, and where the vector $f_k$ represents faults in the system. For
consistency in terms of dimensions $n_\delta + n_f = n_p$. While both vectors are unknown, the
fault vector $f_k$ is assumed to be estimated by an FDD scheme, and its estimate is
denoted here as $\hat{f}_k$. Let $\delta_0 \in \Delta$ represent the nominal values of the uncertain
parameters, and $f_0 \in \mathcal{F}$ represent the fault-free mode of operation.
Collect all local models Mi (pk ) into a model set
and consider only one element of the set M (pk ) which, due to (2.11), is denoted as
M(δ , f ). For simplicity of notation, the time symbol is omitted in M(δ , f ).
The following objectives are considered:
• passive robust FTC: design one controller K that achieves some desired perfor-
mance for the model M(δ , f ) for all possible uncertainties δk ∈ Δ and faults
fk ∈ F ,
• active robust FTC: given an estimate $\hat{f}$ of the fault vector f by some FDD
scheme, design a controller $K(\hat{f})$ that achieves some desired performance for
the model M(δ , f ) for all possible uncertainties δk ∈ Δ and faults fk ∈ F ,
• active MM-based FTC: design a controller that achieves some desired perfor-
mance for the nonlinear system S(pk ) for some fixed δk = δ0 ∈ Δ (i.e. in the case
of no uncertainty) and for all possible faults fk ∈ F .
[Fig. 2.7: Partitioning of the model M(δ, f) and forming the closed-loop with the controller K. Diagram labels: measured outputs, control actions, K, F_L(M(δ, f), K).]
$$
J : \mathcal{R}^{n_z \times n_\xi} \to \mathbb{R}_+,
$$
such that $J(M) = \infty$ for any $M \notin \mathcal{RH}_\infty$, where $\mathcal{R}^{n_z \times n_\xi}$ denotes the set of rational
transfer $n_z \times n_\xi$ matrices, and $\mathcal{RH}_\infty$ denotes the set of stable real rational transfer
matrices. Let $M(\delta, f) \in \mathcal{R}^{(p+n_z) \times (m+n_\xi)}$ be partitioned as follows
$$
M(\delta, f) = \begin{bmatrix} M_{11}(\delta, f) & M_{12}(\delta, f) \\ M_{21}(\delta, f) & M_{22}(\delta, f) \end{bmatrix},
$$
where, as depicted in Figure 2.7, the subsystem $M_{22}(\delta, f) \in \mathcal{R}^{p \times m}$ gives the
relationships between the control actions and the measured output signals, and the
subsystem $M_{11}(\delta, f) \in \mathcal{R}^{n_z \times n_\xi}$ describes the relationships between all exogenous
inputs (such as noises, disturbances, reference signals) and the regulated (controlled)
outputs that are related to the performance of the system (e.g. tracking errors). The
feedback interconnection of the model $M(\delta, f)$ with some controller $K \in \mathcal{R}^{m \times p}$ is
represented by the lower linear fractional transformation
The resulting controller would, in this way, be scheduled by the fault estimate $\hat{f}$
and will be robust with respect to uncertainties both in the model M(δ , f ) and in
the estimate of f . Clearly, the way in which the scheduling parameter $\hat{f}$ enters the
controller needs to be assumed before one could proceed with the optimization.
In the above, Δ f represents the FDD uncertainty that, as already discussed, usu-
ally increases after the occurrence of a fault. This will then subsequently decrease
as the FDD scheme refines the estimate based on the availability of more input-
output data from the impaired system. As a result the “maximal uncertainty” is only
active for some relatively short periods of time compared with the lifetime of the
system. Therefore, assuming a maximal uncertainty size during the complete op-
eration might be overly conservative since the robust controller effectively trades
off performance for increased robustness to uncertainties. Hence, it is interesting to
allow the controller to deal with an FDD uncertainty with time-varying size. To this
end, however, the FDD scheme should be capable of providing not only an estimate
of the fault but also an upper bound on the magnitude of the uncertainty on this
estimate. The size of the FDD uncertainty might, for instance, be represented by a
scalar $\gamma_f(k)$ such that $f_k = (I + \gamma_f(k) \bar{\Delta}_f) \hat{f}_k$ with $\|\bar{\Delta}_f\|_2 \le 1$. In this way the size
of the uncertainty set is allowed to vary with time. In fact $\gamma_f(k)$ might be a vector
to make it possible to assign different uncertainty sizes on the different entries of
the fault vector $f_k$. Therefore, provided that the FDD scheme produces $(\hat{f}_k, \gamma_f(k))$ at
each time instance, the achievable performance in (2.14) may further be improved
by computing the controller by solving the following optimization problem

Active FTC: given $f = (I + \gamma_f \bar{\Delta}_f) \hat{f}$, evaluate
$$
K_A(\hat{f}, \gamma_f) = \arg \min_{K(\hat{f}, \gamma_f)} \; \sup_{\substack{\delta \in \Delta \\ \bar{\Delta}_f \in \bar{\boldsymbol{\Delta}}_f \\ \underline{\gamma}_f \le \gamma_f \le \bar{\gamma}_f}} J(F_L(M(\delta, f), K(\hat{f}, \gamma_f))), \qquad (2.15)
$$
performance guarantees. However, any controller with a large enough stability ra-
dius to encompass most failure situations will likely be unnecessarily conservative
and there is no guarantee that unanticipated or multiple failures could be handled
or even that such a controller exists. There are also many types of common fail-
ures, such as actuator or sensor faults, which cannot be adequately modelled as
uncertainty. These problems motivate the need for a controller which more directly
addresses the situation.
The active methods differentiate themselves from passive approaches in that they
take fault information explicitly into account and do not assume a static nominal
model. Reconfigurable flight control is for the most part still an academic notion.
Although there have been very few controllers implemented on physical systems
and none on commercial aircraft, over the last 20 years several research programs
have been formed to investigate their potential and as a result there are a variety of
active methods. The following sections give an overview of each approach.
where ui (k) is the control action produced by a controller designed for the i-th local
model.
The multiple model method is a very attractive tool for modelling and control of
nonlinear systems. However, these approaches usually only consider a finite number
of anticipated faults and proceed by building one local model for each anticipated
fault. In this way, at each time instance only one model, say model Mi , is assumed to
be in effect, so that its corresponding weight μi is approximately equal to unity and
all the other weights $\mu_j$, $j \neq i$ are close to zero. In such cases at each time instance
one local controller is “active”, namely the one corresponding to the model Mi that is
in effect. The disadvantage here is that if the current model is not in the predesigned
model set and is instead formed by some convex combination of the local models in
the model set (representing, for instance, unanticipated faults) then, in general, the
control action (2.16) is not the optimal one for this model. It can easily be shown
that forming the global control action as in (2.16) can even lead to instability of the
closed-loop system. In order to avoid that when dealing with unanticipated faults,
an approach is proposed in [51] that uses a bank of predictive controllers and forms
the global control action in an optimal way, so that the optimal control action for the
current model is used at each time instance instead of (2.16). Another disadvantage
of the MM approaches is that model uncertainties, as well as uncertainties in the
weights μi (k), cannot be considered.
There are three types of reconfigurable control that fall under the heading of
multiple model control: Multiple Model Switching and Tuning (MMST), Interact-
ing Multiple Model (IMM) and Propulsion Controlled Aircraft (PCA). In the first
two cases all expected failure scenarios are enumerated during a Failure Modes and
Effects Analysis (FMEA) and fault models constructed which cover each situation.
When a failure occurs, MMST switches to a pre-computed control law correspond-
ing to the current failure situation. Rather than using the model which is closest to
the current failure scenario, IMM computes a fault model as a convex combination
of all pre-computed fault models and then uses this new model to make control
decisions. PCA is a special case of MMST, where the only anticipated fault is a
total hydraulics failure, and in this case only the engines are used for control. The
following sections discuss these three approaches.
Although the idea of multiple model control has been around for many years, it
has seen some interest in the reconfigurable control literature in the last few years
[13, 34, 14, 10, 11, 12, 53, 25]. In MMST, the dynamics of each fault scenario is
described by a different model. These models are referred to as the identification
models [13] and are set up in parallel, with each one having a corresponding
controller as shown in Figure 2.9. The problem then becomes one of choosing which
model/controller pair to switch to at each time instant.
Figure 2.10 helps to motivate the use of MMST in reconfigurable control systems.
During a failure the plant is assumed to move from some nominal model P0 to a
failure model Pf some distance away in parameter space. The top half of the figure
shows an adaptive control scheme which is using only a single model, and the lower
a MMST method. For certain plants, the MMST converges to the correct fault model
faster than a single model approach.
Consider a system of the form
$$
P = \left\{ \begin{array}{l}
\dot{x} = A_0(p(t)) x + B_0(p(t)) u \\
y = C_0(p(t)) x
\end{array} \right. \qquad (2.17)
$$
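Definition 6.1 (Model Set). The model set $\mathcal{M}$ is a set of N linear models
$$
\mathcal{M} : \{M_1, \ldots, M_N\}
$$
such that
$$
M_i : \left\{ \begin{array}{l}
\dot{x}_i = A_i x_i + B_i u \\
y_i = C_i x_i
\end{array} \right.
$$
where model $M_i$ corresponds to a particular set of parameters $p_i \in \mathcal{S}$.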
A stabilizing controller Ki is designed for each model Mi ∈ M .
The control law proceeds as follows. At each time step, the model which is closest
to the current system is determined by computing a performance index Ji (t), which
is a function of the errors ei (t) between the estimated outputs of model Mi and the
measurements at time t. A commonly used index is [71]
$$
J_i(t) = \alpha e_i^2(t) + \beta \int_0^t e^{-\lambda (t - \tau)} e_i^2(\tau) \, d\tau, \qquad \alpha \ge 0, \; \beta > 0, \; \lambda > 0
$$
where α and β are chosen to give a desired combination of instantaneous and long-
term accuracy measures. The forgetting factor λ ensures the boundedness of Ji (t)
for bounded ei . The model/controller, Mi /Ki with the smallest index is switched to
and a waiting period of Tmin > 0 is allowed to pass in order to prevent arbitrarily fast
switching. Most MMST algorithms include a ‘tuning’ part which occurs during the
period while a controller Ki is active, during which time the parameters of the cor-
responding model, and only the corresponding model Mi , are being updated using
an appropriate identification technique (e.g. [2]).
Recent interest in this approach arises from the following stability result:
Theorem 6.2 [71]. Consider the switching and tuning system described above,
where the N models are all fixed and the proposed switching scheme is used with β ,
λ , Tmin > 0, and α ≥ 0. Then, for each plant with parameter vector p ∈ S , there is
a positive number TS and a function μS (p, Tmin ) > 0, such that if:
• the waiting time Tmin ∈ (0, TS )
• there is at least one model Mi with parameter error || p̂i − p|| < μS (p, Tmin )
then all the signals in the overall system, as well as the performance indices {Ji (t)},
are uniformly bounded. Here TS depends only upon S , and μS also depends upon
α , β , λ and S .
In essence, Theorem 6.2 states that the MMST system is stable if the set of models
Mi is dense enough in the parameter space S and the sampling rate Tmin is fast
enough. How dense and how fast depend on the particular system and Theorem 6.2
gives no insight into the selection of M or Tmin .
Despite the limitations of Theorem 6.2, there are several papers which have ap-
plied these methods. In [13, 10, 11, 12] a MMST controller is developed for the
highly over-actuated tailless advanced fighter aircraft (TAFA). Eleven fault models
are required to cover the scenario of right wing damage ranging from 0% to 100%
and a switching interval of 25ms is needed for stability. Clearly, this approach will
not scale well to the situation where more than one failure, or multiple failures are
considered. Ref. [14] describes a MMST scheme which can handle locked, floating,
hard-over or loss of effectiveness actuator failures for an F-18 aircraft carrier land-
ing manoeuvre. Only five models are needed for satisfactory performance, but again,
multiple failures cannot be accommodated. Ref. [13] introduced a new method of
failure parameterizations for jammed actuators, enabling multiple complete failures
of control surfaces for an F-18 to be handled using a large number of simple models.
For systems with relatively few and well understood failure modes, multiple
model switching and tuning has advantages in being fast and provably stable. How-
ever, the main limitation is that there may be failure scenarios that were not mod-
elled, which would likely be the case for multiple or structural failures. A severe
limitation for larger systems is that the number of models required increases expo-
nentially with the number of simultaneous failures considered.
It is still an open question how to choose this model set or when the assumption that
the failure model can be written as a convex combination of the models in the set,
is valid.
Fault detection and modelling is then done online by identifying the variables
μi in Equation (2.18). Two proposed methods exist for computing the coefficients
μ . In the first, a Kalman filter is designed for each Mi ∈ M and all filters are run
in parallel. The probability that each of these models represents the true state of
the system can be computed and the coefficients μ are set to these probabilities.
This method is named Multiple Model Adaptive Estimation (MMAE) and is used
in [68, 93]. In the second approach, the previous k f time instants are considered and
the estimated output at each point is computed as a function of μ , which is then
selected to minimize this difference. This approach is advocated in [52, 54].
Once a fault model has been identified, there are a variety of methods for con-
trol law calculation. Refs. [52] and [54] suggest a Model Predictive Control (MPC)
scheme where the minimization of the past tracking error, and therefore of μ , is in-
cluded in the cost function. Ref. [93] proposes an Eigenstructure Assignment (EA)
(see Section 2.6.6) method and [68] uses a fixed controller, using the fault model
M f only for state estimation.
IMM is attractive in its ability to handle multiple failure scenarios by combining
single failure models. However, the requirement of finding the coefficients μ after a
failure makes this an adaptive algorithm and not a model-switching one. As a result
it loses some of the speed of the MMST approach. The formulation of IMM as an
MPC problem given in [54] also offers the potential of handling actuator constraints
naturally.
Fig. 2.11 Landing demonstration of MD-11 Propulsion Controlled Aircraft (PCA), NASA
Dryden, 2001 (copyright NASA)
allocation block is then to select appropriate setpoints for the actuators which will
produce those moments.
The control allocation algorithm takes as inputs the desired moments and an
estimation of the input derivatives (adaptive $B_f$ matrix) from either an FDI or a system
identification algorithm. The algorithm therefore has the ability to adapt the way
actuation forces are generated from the available actuators to the faults that have
occurred. For example, if the effectiveness of a certain actuator becomes 0% due to
a fault, the corresponding column in $B_f$ will also become 0. This actuator is then
no longer considered by the control allocation method. Instead, the remaining
actuators can be used to generate the desired actuation forces. The goal is then to
produce the desired moments $u_d$ by selecting the appropriate inputs to the system
$u$. Whether this can be done depends on the difference between the size of $u_d \in \mathbb{R}^m$
and the column rank of $B_f \in \mathbb{R}^{n \times k}$. There are three cases to consider:
• If $m < k$ the moments can be selected exactly and the remaining degrees of
freedom can be used (for example) to drive the actuators towards a desired position
$u_p$ by minimizing [90, 15, 20]:
$$\tfrac{1}{2}\|u - u_p\|^2_{W_p} = \tfrac{1}{2}(u - u_p)^T W_p (u - u_p) \quad \text{where } W_p = W_p^T > 0$$
subject to $Bu = u_d$
$$u = B^{-1} u_d$$
• In the case when $m > k$ there are not enough degrees of freedom to achieve $u_d$
and so a compromise must be made by (for example) minimizing the weighted
norm
$$\tfrac{1}{2}\|Bu - u_d\|^2_{W_d}$$
Control allocation has been heavily studied in relation to over-actuated systems
(see [29] for a survey) and has received a great deal of attention in the literature for
reconfigurable systems as it allows actuator failures to be handled without the need
to modify the control law. However, there are two major limitations to this approach
to reconfiguration. Firstly, the system will not necessarily be stable, even with a
stabilizing control law, when m > k, as the input seen by the system may not be
equal to that intended by the controller. Secondly, the dynamics and limitations of
the actuators after a failure are not taken into account in the control law. This means
that the controller will still be attempting to achieve the original system performance
even though the actuators are not capable of achieving it.
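The two allocation cases above can be run side by side on a faulted effectiveness matrix. The following is an added example, not code from the book: it assumes a constructed 2-moment, 3-actuator matrix (rows are moments, columns are actuators), diagonal weights, and hypothetical function names, and it shows the demanded moments being met exactly while enough actuators survive and only approximately once too few remain.

```python
# Added illustration: weighted least-squares control allocation with actuator
# faults expressed as zeroed columns of B_f. All numbers are constructed.

def solve(a, b):
    """Solve the square system a x = b (Gauss-Jordan, partial pivoting)."""
    n = len(a)
    aug = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        if abs(aug[p][c]) < 1e-12:
            raise ValueError("rank-deficient: moments not independently reachable")
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(n):
            if r != c:
                f = aug[r][c] / aug[c][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def matvec(a, v):
    return [sum(x * y for x, y in zip(row, v)) for row in a]


def allocate(B_f, u_d, u_p, w_p, w_d):
    """Return (u, achieved moments B_f u).

    B_f : m x k effectiveness matrix, a failed actuator has an all-zero column
    u_d : demanded moments (length m)
    u_p : preferred actuator positions (length k)
    w_p : diagonal of W_p (length k), w_d : diagonal of W_d (length m), all > 0
    """
    m, k = len(B_f), len(B_f[0])
    # Actuators with no remaining authority are left at their preferred position.
    live = [j for j in range(k) if any(abs(B_f[i][j]) > 1e-12 for i in range(m))]
    B = [[B_f[i][j] for j in live] for i in range(m)]
    n = len(live)
    u = list(u_p)
    if m <= n:
        # min 1/2 ||u - u_p||^2_Wp  subject to  B u = u_d
        # u = u_p + Wp^-1 B^T (B Wp^-1 B^T)^-1 (u_d - B u_p)
        up_live = [u_p[j] for j in live]
        winv = [1.0 / w_p[j] for j in live]
        gram = [[sum(B[i][j] * winv[j] * B[l][j] for j in range(n))
                 for l in range(m)] for i in range(m)]
        resid = [d - x for d, x in zip(u_d, matvec(B, up_live))]
        lam = solve(gram, resid)
        for idx, j in enumerate(live):
            u[j] = up_live[idx] + winv[idx] * sum(B[i][idx] * lam[i] for i in range(m))
    else:
        # Too few live actuators: min 1/2 ||B u - u_d||^2_Wd via normal equations
        lhs = [[sum(B[i][p] * w_d[i] * B[i][q] for i in range(m))
                for q in range(n)] for p in range(n)]
        rhs = [sum(B[i][p] * w_d[i] * u_d[i] for i in range(m)) for p in range(n)]
        sol = solve(lhs, rhs)
        for idx, j in enumerate(live):
            u[j] = sol[idx]
    return u, matvec(B_f, u)


# Constructed sample data: rows = (roll, pitch) moments, columns = 3 surfaces.
B_NOMINAL = [[1.0, -1.0, 0.0], [0.5, 0.5, 1.0]]
B_ONE_LOST = [[1.0, 0.0, 0.0], [0.5, 0.0, 1.0]]   # surface 2 at 0% effectiveness
B_TWO_LOST = [[1.0, 0.0, 0.0], [0.5, 0.0, 0.0]]   # surfaces 2 and 3 lost
U_D = [0.2, -0.1]
U_P = [0.0, 0.0, 0.0]

if __name__ == "__main__":
    for name, B_f in (("nominal", B_NOMINAL), ("one lost", B_ONE_LOST),
                      ("two lost", B_TWO_LOST)):
        u, got = allocate(B_f, U_D, U_P, [1.0, 1.0, 1.0], [1.0, 1.0])
        print(f"{name:9s} u={[round(x, 4) for x in u]} "
              f"achieved={[round(x, 4) for x in got]} demanded={U_D}")
```

With two surfaces lost the achieved moments differ from the demand, which is the first limitation noted above: the controller's intended input is no longer what the plant sees.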
Control allocation has received considerable attention from the field of aerospace
engineering. Extensions to the simple control allocation problem presented here
have been considered in the literature. In [9] and [28] the problem of control allo-
cation with magnitude and rate limits on the actuators is considered, [24] develops
a control allocation controller for the extremely over-actuated Innovative Control
Effector (ICE) aircraft and [98] looks at restoring as much of the performance of the
original B matrix as possible after an actuator failure. Other examples of work in the
area of control allocation for aerospace applications can be found in [7] and [38].
it is then the job of the Integrated Control Effector Management (ICEM) [15, 90],
a form of control allocation, to generate these moments using the available control
surfaces. The next three sections give a brief overview of the principles of feedback
linearization on SISO systems, review the particulars and benefits of
its use in reconfiguration, and finally discuss the ICEM and its role in the proposed
method.
$$
\begin{aligned}
\dot{x} &= f(x, u) \\
y &= h(x)
\end{aligned}
\qquad x \in \mathbb{R}^n, \quad u, y \in \mathbb{R} \tag{2.20}
$$
In feedback linearization the goal is to design a control law for the SISO nonlinear
system given in Equation 2.20 such that the closed loop system is linear and con-
trollable. Assuming the relative degree of h is r = n, the rth derivative of the output
is the first derivative that is directly affected by the control. As a result, we can write
the system dynamics in the normal form ([44], Section 4.2):
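$$
\begin{aligned}
\Phi_1(x) &= h(x) = z_1 = y \\
\Phi_2(x) &= \frac{dh(x)}{dt} = \dot{z}_1 = z_2 \\
\Phi_3(x) &= \frac{d^2 h(x)}{dt^2} = \dot{z}_2 = z_3 \\
&\;\;\vdots \\
\Phi_r(x) &= \frac{d^{r-1} h(x)}{dt^{r-1}} = \dot{z}_{r-1} = z_r
\end{aligned}
\tag{2.21}
$$
$$\dot{z}_r = h_r(z, u)$$
$$\nu = \hat{h}_r(\Phi(x), u)$$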
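where $\hat{h}_r(\Phi(x), u)$ is an invertible estimate of $h_r(z, u)$. Then the system dynamics
can be expressed as
$$
\begin{aligned}
\dot{z}_i &= z_{i+1}, \quad 1 \le i \le r - 1 \\
\dot{z}_r &= \nu + \Delta \\
y &= z_1
\end{aligned}
\tag{2.22}
$$
where
$$\Delta = \Delta(z, u) = h_r(z, u) - \hat{h}_r(y, u)$$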
In effect, the transformation places r integrators between the pseudo control ν
and the system output y, with the error Δ acting as a disturbance signal. This is now
a linear and controllable system.
where $\nu_{dc}$ is the output of a stabilizing linear compensator for the linearized system
given by Equation (2.22) with $\Delta = 0$. The quantity $\nu_{ad}$ is an adaptive signal designed
to cancel $\Delta$ and $y_c^r$ is the $r$th derivative of the signal to be tracked. The signal $y_c^r$ can
be obtained from an (at least) $r$th order reference model which defines the desired
dynamics.
If the model of the system is perfect, $\Delta = 0$ and we could simply apply the input
$u = \hat{h}_r^{-1}(x, \nu) = h_r^{-1}(x, y_c^r + \nu_{dc})$ and the system would track the reference trajectory.
However, as there will always be modelling errors, the error Δ needs to be compen-
sated online and for this an ANN can be used. Neural networks can be trained to
approximate any function with an arbitrary precision. As a result, the ANN can
estimate the modelling error and hence cancel it. The benefit of this approach is
that no model structure needs to be assumed in order to estimate the error. Figure
2.13 shows the structure of the full controller, and Figure 2.14 that of the linear
compensator.
This control technique was proposed as a method of reconfigurable control in
combination with Wise’s ICEM [15]. This scheme is suited to reconfigurable con-
trol, as the adaptation makes no assumptions about the structure of the system after
the failure. Since the ANN can approximate any nonlinear function, it can track
and cancel any structural failures which may occur under the assumption of suffi-
cient control authority and excitation for adaptation. The techniques presented in
this section have been developed and expanded upon in several publications: Single
Input Single Output (SISO) stability proofs [19], input saturation [48], combined
aero/engine control [42] and highly over-actuated systems [21].
the control surfaces, which is not realistic as floating or jammed actuators are
certainly possible failure scenarios. This problem could be addressed by placing
a control allocation algorithm (see Section 2.6.3) between the requested outputs
and the physical actuators.
2. The method proposes to use robust control to handle all structural failures. This
requires a de-tuning of the controller to the point that it can handle uncertainties
including all possible structural failures, which may well result in an excessively
conservative controller in the non-failure situation.
where $\|v_i - v_i^f\|^2_{W_i} = (v_i - v_i^f)^T W_i (v_i - v_i^f)$. In other words, the new gain $F_R$ needs to
be such that the poles of the resulting closed-loop system coincide with the poles of
the nominal closed-loop system and, in addition, the eigenvectors of the closed-loop
A-matrices are as close as possible. As both the eigenvectors and the eigenvalues
determine the shape of the time response of the closed-loop system, this method can
be thought of as trying to preserve the nominal closed-loop system time-response
after the occurrence of faults. Thus, the objective of the EA method seems more
“natural” than that of the Pseudo Inverse Method (PIM) and, moreover, the stability
is guaranteed. The computational burden of the approach is not high since an ana-
lytic expression for the solution to (2.23) is available, i.e. no on-line optimization is
necessary. The disadvantage is that model and FDD uncertainties cannot be easily
incorporated in the optimization problem, and that only static controllers are consid-
ered. The references [22, 58] further describe the use of Eigenstructure Assignment.
$$
\begin{aligned}
\dot{x} &= A_f x + B_f u \\
y &= C_f x \\
u &= K_f C_f x
\end{aligned}
\tag{2.24}
$$
Theorem 2.1. [23] Consider a controllable and observable system with the output
feedback law of (2.24) and the assumption that the matrices B and C are full rank.
Then, there exists a matrix $K \in \mathbb{R}^{m \times k}$ such that
1. max(m, k) closed-loop eigenvalues can be assigned
2. max(m, k) eigenvectors can be partially assigned with min(m, k) entries in each
vector arbitrarily chosen
is not well understood. The result of these significant limitations is that only a few
researchers have proposed this approach.
with a linear state-feedback control law $u_k = F x_k$, under the assumption that the
state vector is available for measurement. The method allows for a very general
post-fault system representation
$$
\begin{aligned}
x^f_{k+1} &= A_f x^f_k + B_f u^R_k \\
y^f_k &= C_f x^f_k,
\end{aligned}
\tag{2.26}
$$
where the new, reconfigured control law is taken with the same structure, i.e. $u^R_k = F_R x^f_k$.
The goal is then to find the new state-feedback gain matrix $F_R$ in such a way
that the “distance” (defined below) between the A-matrices of the nominal and the
post-fault closed-loop systems is minimized, i.e.
$$
\text{PIM}: \quad F_R = \arg\min_{F_R} \|(A + BF) - (A_f + B_f F_R)\|_F = B_f^{\dagger}(A + BF - A_f), \tag{2.27}
$$
where $B_f^{\dagger}$ is the pseudo-inverse of the matrix $B_f$. The advantages of this approach are
that it is very suitable for on-line implementation due to its simplicity, and moreover,
that it allows for changes in all state-space matrices of the system as a consequence
of the faults. A very strong disadvantage is, however, that the optimal control law
computed by equation (2.27) does not always stabilize the closed-loop system. Simple
examples that confirm this fact can easily be generated, see for example [31].
To circumvent this problem, the modified pseudo-inverse method was developed in
[31] that basically solves the same problem under the additional constraint that the
resulting closed-loop system remains stable. This, however, results in a constrained
optimization problem that increases the computational burden. A similar approach
is also discussed in [77, 62], where the reconfigured control action $u^R_k$ is directly
computed from the nominal control $u_k$ as $u^R_k = B_f^{\dagger} B u_k$. Other modifications of this
approach that were proposed include the consideration of additive faults on the state
equation and additive terms on the control action to compensate for them in [73]
and static output-feedback in [59].
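The stability problem of Equation (2.27) can be reproduced with a two-state, single-input system. The following is an added example, not code from the book or from [31]: the matrices are constructed, the function names are hypothetical, and the pseudo-inverse is specialised to a single input column. It computes the PIM gain for two faults and checks the spectral radius of the resulting discrete-time closed loop before accepting the gain.

```python
# Added illustration of the pseudo-inverse method (PIM), Eq. (2.27), for a
# discrete-time plant with 2 states and 1 input. All matrices are constructed.
import cmath


def closed_loop(A, B, F):
    """A + B F for a single input: B is a column (list), F a row gain (list)."""
    n = len(A)
    return [[A[i][j] + B[i] * F[j] for j in range(n)] for i in range(n)]


def pim_gain(A, B, F, A_f, B_f):
    """F_R = B_f^+ (A + B F - A_f); for one column B_f^+ = B_f^T / (B_f^T B_f)."""
    n = len(A)
    M = closed_loop(A, B, F)
    norm2 = sum(b * b for b in B_f)
    if norm2 < 1e-12:
        raise ValueError("B_f = 0: no control authority left")
    pinv = [b / norm2 for b in B_f]
    return [sum(pinv[i] * (M[i][j] - A_f[i][j]) for i in range(n))
            for j in range(n)]


def spectral_radius_2x2(M):
    """Largest eigenvalue magnitude of a 2x2 matrix (stable if < 1)."""
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    root = cmath.sqrt(tr * tr - 4.0 * det)
    return max(abs((tr + root) / 2.0), abs((tr - root) / 2.0))


def frobenius_gap(M1, M2):
    return sum((a - b) ** 2 for r1, r2 in zip(M1, M2)
               for a, b in zip(r1, r2)) ** 0.5


def reconfigure(A, B, F, A_f, B_f):
    """Compute the PIM gain and report whether it may be applied."""
    F_R = pim_gain(A, B, F, A_f, B_f)
    nominal = closed_loop(A, B, F)
    faulty = closed_loop(A_f, B_f, F_R)
    rho = spectral_radius_2x2(faulty)
    return {"F_R": F_R, "gap": frobenius_gap(nominal, faulty),
            "rho": rho, "stable": rho < 1.0}


# Nominal plant and gain: closed-loop poles both at 0.5.
A_NOM = [[1.0, 0.1], [0.0, 1.0]]
B_NOM = [0.0, 1.0]
F_NOM = [-2.5, -1.0]

# Fault 1: 50% loss of actuator effectiveness, dynamics unchanged.
B_HALF = [0.0, 0.5]
# Fault 2: same actuator loss plus a change in the state coupling, which lies
# outside the range of B_f and therefore cannot be cancelled by any gain.
A_COUPLED = [[1.0, 0.6], [0.0, 1.0]]

if __name__ == "__main__":
    for name, A_f in (("effectiveness loss", A_NOM),
                      ("loss + coupling change", A_COUPLED)):
        r = reconfigure(A_NOM, B_NOM, F_NOM, A_f, B_HALF)
        print(f"{name:24s} F_R={r['F_R']} gap={r['gap']:.3f} "
              f"rho={r['rho']:.4f} stable={r['stable']}")
```

In the second case the pair $(A_f, B_f)$ is still controllable, so a stabilizing gain exists, yet the gain that minimizes the Frobenius distance yields a spectral radius above one; a spectral-radius check of this kind is the minimum guard before switching gains on-line.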
$$
\begin{aligned}
\dot{x} &= Ax + Bu + d \\
y &= Cx
\end{aligned}
\tag{2.28}
$$
$$\dot{y}_d = A_d y_d + B_d r \tag{2.29}$$
$$u = C_0 r + G_0 x + v$$
where $C_0 \in \mathbb{R}^{k \times k}$, $G_0 \in \mathbb{R}^{k \times n}$ and $v \in \mathbb{R}^k$ are free controller parameters. The closed
loop dynamics are then
The goal is now to make the closed loop dynamics given by Equation (2.30)
match the desired dynamics of Equation (2.29). If the model shown in Equation
(2.28) was known exactly, the controller parameters C0 , G0 and v could be computed
to achieve this. However, since post-failure the model in (2.28) is not known exactly,
the controller parameters need to be adapted. There are two methods to achieve this:
direct and indirect adaptation.
$$
\begin{aligned}
C_0 &= (C\hat{B})^{-1} B_d \\
G_0 &= (C\hat{B})^{-1} (A_d C - C\hat{A}) \\
v &= (C\hat{B})^{-1} (Cd)
\end{aligned}
$$
Direct adaptive control attempts to estimate the controller parameters $G_0$, $C_0$ and $v$
directly rather than first computing the model parameters. We define $G_0$, $C_0$ and $v$ as
the ‘correct’ values of the controller parameters which will force the plant to track
the reference model. A problem can then be formulated such that a least squares
routine can be used to estimate the correct controller parameters [8]. The idea of
direct adaptation is seen in algorithms such as the adaptive feedback linearization
approach presented in Section 2.6.4.
The basic model-reference adaptive control techniques described here are not
by themselves suitable for reconfigurable control for two main reasons. Firstly, in
order for these approaches to work a model structure must be assumed. However,
the types of failures addressed in reconfigurable control may well cause the plant
structure to change drastically. Secondly, adaptive control requires the system pa-
rameters to change slowly enough for the estimation algorithm to track them. Faults
may well cause abrupt and drastic changes in the parameters moving the system
instantaneously to a new region of the parameter space. There is no guarantee that
the system will be stable during the transient period in which the adaptive algorithm
is identifying the faulty plant. Despite the limitations of adaptive control for recon-
figuration, some researchers have attempted to apply it in slightly modified forms
[6, 35, 8]. As a result adaptive control on its own is not enough to handle the general
problem, but may well be an important part of a reconfigurable algorithm.
for actuator inputs $u_1$ through $u_m$. If actuator $i$ becomes jammed at position $u_i$ the
MPC controller can be made to compensate by simply changing the constraints on
input $i$ to
$$
\begin{aligned}
u_i \le u_i(t) &\le u_i \\
0 \le \dot{u}_i(t) &\le 0
\end{aligned}
$$
The result will be similar to the control allocation approach where other input chan-
nels are used to create the same effect. As noted in [64], an MPC controller can
be designed so that it has an intrinsic ability to handle jammed actuators without
the need to explicitly model the failure. Structural failures can also be handled in a
natural fashion by changing the internal model used to make predictions, either in an
adaptive fashion [52], through a multi-model switching scheme [13], or by assuming an FDI
scheme which provides a fault model [40, 39, 55, 66].
An important issue when using MPC is the robustness with respect to model
uncertainties. Since MPC heavily depends on how well the controlled system is rep-
resented by the model used, measures should be taken in case of model uncertainty.
One method to do so is to define an uncertainty region around the nominal model
and to ensure that the MPC algorithm achieves a certain minimum performance
level for the whole uncertainty region. MPC methods that take model uncertainty
explicitly into account are referred to as robust MPC methods. One of the first re-
search efforts that addresses the issue of robust MPC was performed by [60]. This
issue has been addressed in the context of FTC in [51].
Like most active FTC methods, MPC-based FTC requires availability of fault in-
formation to accommodate faults. This requirement limits the ability of MPC-based
FTC to deal with unanticipated fault conditions for which fault information cannot
be obtained most of the time. An FTC algorithm that has this ability is therefore
very desirable. Such an algorithm is subspace predictive control (SPC). This algo-
rithm consists of a predictor that is derived using subspace identification theory [87],
making it a data-driven control method. This subspace predictor is subsequently in-
tegrated into a predictive control objective function. The basic SPC algorithm was
introduced by [30] and has since been used by various researchers [91, 49, 88]. If the
subspace predictor is updated on-line with new input-output data when it becomes
available, then SPC has the ability to adapt to changing system conditions, which
can also include unanticipated faults. Besides having this ability, another important
advantage of the SPC algorithm is that the issue of robustness with respect to model
uncertainty is implicitly addressed because of the adaptation of the predictor. In [37]
the SPC algorithm is used for FTC of the GARTEUR benchmark model.
$$
\begin{aligned}
x^M_{k+1} &= A_M x^M_k + B_M r_k, \\
y^M_k &= x^M_k,
\end{aligned}
$$
$$u_k = K_r r_k + K_x x_k$$
matches the reference model. To this end the reference model and closed-loop system
are written in the form
$$y^M_{k+1} = A_M x^M_k + B_M r_k,$$
provided that the system is square (i.e. dim(y) = dim(u)), and that the inverse of
the matrix CB exists. When the exact system matrices (A, B) in (2.31) are unknown,
they can be substituted by some estimated values (Â, B̂), resulting in the indirect
(explicit) method [8]. The indirect method provides no guarantees for closed-loop
stability, and in addition, the matrix (CB̂) may not be invertible. In order to avoid
the need for estimating the plant parameters, the direct (implicit) method of model
following can be used, which directly estimates the controller gain matrices Kr and
Kx by means of an adaptive scheme. Two approaches to direct model following exist,
the output error method and the input error method. Examples of the application of
the model following approach can be found in [8, 70, 85]. We note here, that the
direct model following method is based on adaptation rules and as such is also a
candidate for the group of adaptive control methods.
The model following methods have the advantage that they usually do not require
an FDD scheme. A strong drawback is, however, that they are not applicable to
sensor faults. In addition, these methods do not deal with model uncertainty.
are developed that deal with structured parametric and FDD uncertainty. Further-
more, these methods are applicable to a wide class of faults as the fault signal is
allowed to enter the state-space matrices of the system in any way as long as the
matrices remain bounded. Other applications of LPV control for FTC can be found,
for example in [80, 32].
References
1. Andry, A.N., Shapiro, E.Y., Chung, J.C.: Eigenstructure assignment for linear systems.
IEEE Transactions on Aerospace Electronic Systems 19(5) (September 1983)
2. Åström, K.J., Wittenmark, B.: Adaptive control, 2nd edn. Addison-Wesley Publishing
Company, Reading (1995)
3. Basseville, M.: On-board component fault detection and isolation using the statistical
local approach. Automatica 34(11), 1391–1415 (1998)
4. Belkharraz, A.I., Sobel, K.: Fault tolerant flight control for a class of control surface
failures. In: Proceedings of the American Control Conference, June 2000. IEEE, Los
Alamitos (2000)
5. Blanke, M., Kinnaert, M., Lunze, J., Staroswiecki, M.: Diagnosis and fault-tolerant con-
trol, 2nd edn. Springer, Heidelberg (2006)
6. Bodson, M.: Multivariable adaptive algorithms for reconfigurable flight control. In: Pro-
ceedings of the 33rd Conference on Decision and Control, December 1994. IEEE, Los
Alamitos (1994)
7. Bodson, M.: Evaluation of optimization methods for control allocation. Journal of Guid-
ance, Control, and Dynamics 25(4), 703–711 (2002)
8. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable
flight control. IEEE Transactions on Control Systems Technology 5(2), 217–229 (1997)
9. Bordignon, K.A., Durham, W.C.: Closed-form solutions to constrained control allocation
problem. Journal of Guidance, Control and Dynamics 18(5) (September 1995)
10. Boskovic, J.D., Li, S.M., Mehra, R.K.: Reconfigurable flight control design using multi-
ple switching controllers and on-line estimation of damage-related parameters. In: Pro-
ceedings of the 2000 IEEE International Conference on Control Applications, September
2000. IEEE, Los Alamitos (2000)
11. Boskovic, J.D., Li, S.M., Mehra, R.K.: Study of an adaptive reconfigurable control
scheme for tailless advanced fighter aircraft (TAFA) in the presence of wing damage.
In: Position Location and Navigation Symposium, pp. 341–348. IEEE, Los Alamitos
(2000)
12. Boskovic, J.D., Li, S.M., Mehra, R.K.: Robust supervisory fault-tolerant flight control
system. In: Proceedings of the American Control Conference (June 2001)
13. Boskovic, J.D., Mehra, R.K.: A multiple model-based reconfigurable flight control sys-
tem design. In: Proceedings on the 37th IEEE Conference on Decision & Control, De-
cember 1998. IEEE, Los Alamitos (1998)
14. Boskovic, J.D., Mehra, R.K.: Stable multiple model adaptive flight control for accom-
modation of a large class of control effector failures. In: Proceedings of the American
Control Conference (June 1999)
15. Brinker, J.S., Wise, K.A.: Flight testing of reconfigurable control law on the X-36 tailless
aircraft. Journal of Guidance, Control and Dynamics 24(5) (September 2001)
16. Burcham, F.W., Burken, J.J., Maine, T.A., Bull, J.: Emergency flight control using only
engine thrust and lateral center-of-gravity offset: a first look. Technical report, NASA
(1997)
17. Burcham, F.W., Burken, J.J., Maine, T.A., Fullerton, C.G.: Development and flight test
of an emergency flight control system using only engine thrust on an MD-11 transport
airplane. Technical report, NASA (October 1997)
18. Burken, J.J., Burcham, F.W.: Flight-test results of propulsion-only emergency control
system on MD-11 airplane. Journal of Guidance, Control and Dynamics 20(5) (October
1997)
19. Calise, A.J., Hovakimyan, N., Idan, M.: Adaptive output feedback control of nonlinear
systems using neural networks. Automatica 37(8) (March 2001)
20. Calise, A.J., Lee, S., Sharma, M.: Direct adaptive reconfigurable control of a tailless
fighter aircraft. In: AIAA Guidance, Navigation and Control Conference, Boston, MA
(August 1998)
21. Calise, A.J., Lee, S., Sharma, M.: Development of a reconfigurable flight control law for
the X-36 tailless fighter aircraft. In: AIAA Guidance, Navigation, and Control Confer-
ence (August 2000)
22. Davidson, J.B., Andrisani, D.: Gain weighted eigenspace assignment. Technical report,
NASA (May 1994)
23. Davidson, J.B., Andrisani, D.: Lateral-directional eigenvector flying qualities guidelines
for high performance aircraft. Technical report, NASA (December 1996)
24. Davidson, J.B., Lallman, F.J., Bundick, W.T.: Real-time adaptive control allocation ap-
plied to a high performance aircraft. In: 5th SIAM Conference on Control & Its Appli-
cations (2001)
25. Demetriou, M.A.: Adaptive reorganization of switched systems with faulty actuators. In:
Proceedings of the 40th IEEE Conference on Decision and Control (December 2001)
26. Duan, G.R.: Parametric eigenstructure assignment via output feedback based on singular
value decompositions. IEE Proceedings - Control Theory and Applications 150(1), 93–
100 (2003)
27. Ducard, G., Geering, H.P.: Efficient nonlinear actuator fault detection and isolation sys-
tem for unmanned aerial vehicles. Journal of Guidance, Control, and Dynamics 31(1),
225–237 (2008)
28. Durham, W.C., Bordignon, K.A.: Multiple control effector rate limiting. Journal of Guid-
ance, Control and Dynamics 19(1) (February 1996)
29. Enns, D.F.: Control allocation approaches. In: Proceedings of AIAA GNC Conference
(August 1998)
30. Favoreel, W.: Subspace methods for identification and control of linear and bilinear sys-
tems. PhD thesis, Faculty of Engineering, K.U. Leuven, Belgium (1999)
31. Gao, Z., Antsaklis, P.: Stability of the pseudo-inverse method for reconfigurable control
systems. International Journal of Control 53(3), 717–729 (1991)
32. Gáspár, P., Bokor, J.: A fault-tolerant rollover prevention system based on an LPV
method. International Journal of Vehicle Design 42(3-4), 392–412 (2006)
33. Gertler, J.: Designing dynamic consistency relations for fault detection and isolation.
International Journal of Control 73(8), 720–732 (2000)
34. Gopinathan, M., Boskovic, J.D., Mehra, R.K., Rago, C.: A multiple model predictive
scheme for fault-tolerant flight control design. In: Proceedings of the 37th IEEE Confer-
ence on Decision & Control, December 1998. IEEE, Los Alamitos (1998)
35. Groszkiewicz, J.E., Bodson, M.: Flight control reconfiguration using adaptive methods.
In: Proceedings of the 34th Conference on Decision & Control, December 1995. IEEE,
Los Alamitos (1995)
36. Hajiyev, C., Caliskan, F.: Fault diagnosis and reconfiguration in flight control systems.
Kluwer Academic Publishers, Dordrecht (2003)
37. Hallouzi, R.: Multiple-model based diagnosis for adaptive fault-tolerant control. PhD
thesis, Delft University of Technology (2008)
38. Härkegård, O.: Dynamic control allocation using constrained quadratic programming.
Journal of Guidance, Control, and Dynamics 27(6), 1028–1034 (2004)
39. Huzmezan, M., Maciejowski, J.M.: Reconfiguration and scheduling in flight using quasi-
LPV high-fidelity models and MBPC control. In: Proceedings of the American Control
Conference (June 1998)
40. Huzmezan, M., Maciejowski, J.M.: Reconfigurable flight control of a high incidence
research model using predictive control. In: UKACC International Conference on CON-
TROL (September 1998)
41. Idan, M., Johnson, M., Calise, A.J.: A hierarchical approach to adaptive control for im-
proved flight safety. AIAA Journal on Guidance, Control and Dynamics (July 2001)
42. Idan, M., Johnson, M., Calise, A.J., Kaneshige, J.: Intelligent aerodynamic/propulsion
flight control for flight safety: a nonlinear adaptive approach. In: American Control Con-
ference, ACC (2001)
43. Isermann, R., Ballé, P.: Trends in the application of model-based fault detection and
diagnosis of technical processes. Control Engineering Practice 5(5), 709–719 (1997)
44. Isidori, A.: Nonlinear control systems, 2nd edn. Springer, Heidelberg (1989)
45. Jiang, J.: Fault-tolerant control systems - an introductory overview. Acta Automatica
Sinica 31(1), 161–174 (2005)
46. Johansen, T.A.: Operating regime based process modeling and identification. PhD thesis,
ITK-report 94-109-W, The Norwegian Institute of Technology, University of Trondheim (1994)
47. Johansen, T., Foss, B.: Identification of non-linear system structure and parameters using
regime decomposition. Automatica 31(2), 321–326 (1995)
48. Johnson, E.N., Calise, A.J.: Neural network adaptive control of systems with input satu-
ration. In: American Control Conference (ACC), Arlington, Virginia (June 2001)
49. Kadali, R., Huang, B., Rossiter, A.: A data driven subspace approach to predictive con-
troller design. Control Engineering Practice 11(3), 261–278 (2003)
50. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable
flight control. Control Engineering Practice 13(6), 771–788 (2005)
51. Kanev, S.: Robust fault-tolerant control. PhD thesis, University of Twente (2004)
52. Kanev, S., Verhaegen, M.: Controller reconfiguration for non-linear systems. Control
Engineering Practice 8, 1223–1235 (2000)
53. Kanev, S., Verhaegen, M.: A bank of reconfigurable LQG controllers for linear systems
subjected to failures. In: 39th IEEE Conference on Decision and Control (December
2000)
54. Kanev, S., Verhaegen, M., Nijsse, G.: A method for the design of fault-tolerant systems
in case of sensor and actuator faults. In: European Control Conference, ECC (September
2001)
55. Kerrigan, E.: Fault-tolerant control of the COSY ship propulsion benchmark using model
predictive control. Technical report, University of Cambridge (November 1998)
56. Keviczky, T., Balas, G.J.: Software-enabled receding horizon control for autonomous
unmanned aerial vehicle guidance. Journal of Guidance, Control, and Dynamics 29(3),
680–694 (2006)
57. Kinnaert, M.: Fault diagnosis based on analytical models for linear and nonlinear systems
- a tutorial. In: Proceedings of the 5th Symposium on Fault Detection, Supervision and
Safety for Technical Processes (SAFEPROCESS 2003), Washington D.C., USA, pp. 37–
50 (2003)
58. Konstantopoulos, I.K., Antsaklis, P.J.: Eigenstructure assignment in reconfigurable con-
trol systems. Technical report, Interdisciplinary Studies of Intelligent Systems (January
1996)
59. Konstantopoulos, I.K., Antsaklis, P.J.: An optimization approach to control reconfigura-
tion. Dynamics and Control 9(3), 255–270 (1999)
60. Kothare, M.V., Balakrishnan, V., Morari, M.: Robust constrained model predictive con-
trol using linear matrix inequalities. Automatica 32(10), 1361–1379 (1996)
61. Liao, F., Wang, J.L., Yang, G.H.: Reliable robust flight tracking control: an LMI ap-
proach. IEEE Transactions on Control Systems Technology 10(1), 76–89 (2002)
62. Liu, W.: An on-line expert system-based fault-tolerant control system. Expert Systems
with Applications 11(1), 59–64 (1996)
63. Liu, G., Patton, R.: Eigenstructure assignment for control systems design. John Wiley &
Sons, Chichester (1998)
64. Maciejowski, J.M.: The implicit daisy-chaining property of constrained predictive con-
trol. Applied Math and Computer Science 8(4), 695–711 (1998)
65. Maciejowski, J.M.: Predictive control with constraints. Prentice Hall, Englewood Cliffs
(2002)
66. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight
1862. In: Proceedings of the 5th Symposium on Fault Detection, Supervision and Safety
for Technical Processes (SAFEPROCESS 2003), Washington D.C., USA, pp. 121–126
(2003)
67. Mahmoud, M., Jiang, J., Zhang, Y.: Active fault tolerant control systems: stochastic anal-
ysis and synthesis. Springer, Berlin (2003)
68. Maybeck, P.S.: Multiple model adaptive algorithms for detecting and compensating sen-
sor and actuator/surface failures in aircraft flight control systems. International Journal
of Robust and Nonlinear Control 9, 1051–1070 (1999)
69. Mignone, D.: Control and estimation of hybrid systems with mathematical optimization.
PhD thesis, Swiss Federal Institute of Technology, ETH (January 2002)
70. Morse, W., Ossman, K.: Model-following reconfigurable flight control system for the
AFTI/F-16. Journal of Guidance, Control, and Dynamics 13(6), 969–976 (1990)
71. Narendra, K.S., Balakrishnan, J.: Adaptive control using multiple models. IEEE Trans-
actions on Automatic Control 42(2) (February 1997)
72. Niemann, H., Stoustrup, J.: Passive fault tolerant control of a double inverted pendulum
- case study. Control Engineering Practice 13(8), 1047–1059 (2005)
73. Noura, H., Sauter, D., Hamelin, F., Theilliol: Fault-tolerant control in dynamic systems:
application to a winding machine. IEEE Control Systems Magazine 20(1), 33–49 (2000)
74. NTSB: Aircraft accident report - American Airlines, Inc. DC-10-10. Technical Report
NTSB-AAR-79-17, National Transportation Safety Board, USA (1979)
75. Patton, R.: Fault tolerant control: the 1997 situation. In: Proceedings of the 3rd Sympo-
sium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPRO-
CESS 1997), pp. 1033–1054. Hull University, Hull (1997)
76. Prakash, J., Narasimhan, S., Patwardhan, S.C.: Integrating model based fault diagno-
sis with model predictive control. Industrial & Engineering Chemistry Research 44(12),
4344–4360 (2005)
77. Rauch, H.: Intelligent fault diagnosis and control reconfiguration. IEEE Control System
Magazine 14(3), 6–12 (1994)
78. Ru, J., Li, X.R.: Variable-structure multiple-model approach to fault detection, identifi-
cation, and estimation. IEEE Transactions on Control Systems Technology 16(5), 1029–
1038 (2008)
79. Seguchi, H., Ohtsuka, T.: Nonlinear receding horizon control of an underactuated hover-
craft. International Journal of Robust and Nonlinear Control 13(3-4), 381–398 (2003)
80. Shin, J.-Y., Belcastro, C.M.: Performance analysis on fault tolerant control system. IEEE
Transactions on Control Systems Technology 14(5), 920–925 (2006)
81. Shtessel, Y.B.: Sliding mode control: overview and applications to aerospace control.
Talk notes (2001)
82. Shtessel, Y.B., Buffington, J.: Multiple time scale flight control using reconfigurable slid-
ing modes. AIAA Journal on Guidance, Control and Dynamics 22(6), 873–883 (1999)
83. Slotine, J.J.E., Li, W.: Applied Nonlinear Control. Prentice-Hall International, Inc., En-
glewood Cliffs (1991)
84. Stoustrup, J., Blondel, V.D.: Fault tolerant control: A simultaneous stabilization result.
IEEE Transactions on Automatic Control 49(4), 305–310 (2004)
85. Tao, G., Chen, S., Joshi, S.: An adaptive actuator failure compensation controller using
output feedback. IEEE Transactions on Automatic Control 47(3), 506–511 (2002)
86. Tao, G., Ma, X., Joshi, S.: Adaptive state feedback and tracking control of systems with
actuator failures. IEEE Transactions on Automatic Control 46(1), 78–95 (2001)
87. Verhaegen, M., Verdult, V.: Filtering and system identification: an introduction. Cam-
bridge University Press, Cambridge (2007)
88. Wang, X., Huang, B., Chen, T.: Data-driven predictive control for solid oxide fuel cells.
Journal of Process Control 17(2), 103–114 (2007)
89. Wang, G.S., Lv, Q., Liang, B., Duan, G.R.: Design of reconfiguring control systems via
state feedback eigenstructure assignment. International Journal of Information Technol-
ogy 11(7), 61–70 (2005)
90. Wise, K.A., Brinker, J.S., Calise, A.J., Enns, D.F., Elgersma, M.R., Voulgaris, P.: Direct
adaptive reconfigurable flight control for a tailless advanced fighter aircraft. International
Journal of Robust and Nonlinear Control 9(14), 999–1022 (1999)
91. Woodley, B.R., How, J.P., Kosut, R.L.: Subspace based direct adaptive H∞ control. In-
ternational Journal of Adaptive Control and Signal Processing 15, 535–561 (2001)
92. Yen, G.G., Ho, L.-W.: Online multiple-model-based fault diagnosis and accommodation.
IEEE Transactions on Industrial Electronics 50(2), 296–312 (2003)
93. Zhang, Y., Jiang, J.: An interacting multiple-model based fault detection, diagnosis and
fault-tolerant control approach. In: Proceedings of the 38th Conference on Decision &
Control (December 1999)
94. Zhang, Y., Jiang, J.: Integrated design of reconfigurable fault-tolerant control systems.
Journal of Guidance 24(1), 133–136 (2000)
95. Zhang, Y.M., Jiang, J.: Fault tolerant control system design with explicit considera-
tion of performance degradation. IEEE Transactions on Aerospace and Electronic Sys-
tems 39(3), 838–848 (2003)
96. Zhang, Y., Jiang, J.: Issues on integration of fault diagnosis and reconfigurable control
in active fault-tolerant control systems. In: Proceedings of the IFAC SAFEPROCESS,
Beijing, China (August 2006)
97. Zhang, D., Wang, Z., Hu, S.: Robust satisfactory fault-tolerant control of uncertain linear
discrete-time systems: an LMI approach. International Journal of Systems Science 38(2),
151–165 (2007)
98. Zhenyu, Y., Huazhang, S., Zongji, C.: The frequency-domain heterogeneous control
mixer module for control reconfiguration. In: Proceedings of the 1999 IEEE Interna-
tional Conference on Control Applications, August 1999. IEEE, Los Alamitos (1999)
Chapter 3
Fault Detection and Diagnosis for Aeronautic
and Aerospace Missions
3.1 Introduction
The term Fault Detection and Diagnosis (FDD) is a development of the term Fault
Detection and Isolation (FDI). Generally speaking, FDD goes slightly further than
FDI by including the possibility of estimating the effect of the fault and/or diagnos-
ing the effect or severity of the fault. Hence, the term FDD also covers the capabil-
ity of isolating or locating a fault. Both of these topics have received considerable
attention worldwide and have been theoretically and experimentally investigated
with different types of approaches, as can be seen from the general survey works
[1, 2, 3, 4, 5, 6, 7].
To complete the terminology, the use of the word ‘failure’ (widely used in the
early literature) has been generally replaced by the word ‘fault’ [1]. This is important
and it is now widely recognised that faults are unwanted malfunctions of a system,
whereas a failure denotes a total cessation of a function, via a subsystem or a total
system failure [8].
The developments outlined in this Chapter have been stimulated mainly by the
trend in automation toward systems with increasing complexity and the growing
demands for fault-tolerance, cost efficiency, reliability, and safety as these
constitute fundamental design features in modern control systems. Studies of the
ways in which FDI and FDD methods can be applied in aerospace systems have been
given by [9, 10]. This Chapter moves the subject on about 17 years by presenting
a non-exhaustive overview of recent advances in model-based FDI/FDD and their
applicability for aeronautical systems and aerospace missions. This Chapter focuses
on methods that have either been applied to real aerospace systems or to high
fidelity simulations. For the remainder of the Chapter the terms FDI and FDD will be
replaced by the term FDD because of the overlap between these two topics and as
a consequence of the preference for the use of the term FDD in aerospace system
studies.
David Henry
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: david.henry@laps.ims-bordeaux.fr
Silvio Simani
University of Ferrara, Department of Engineering, 1 Via Saragat, 44100 Ferrara, Italy
e-mail: silvio.simani@unife.it
Ron J. Patton
University of Hull, Department of Engineering, Cottingham Road, Hull HU6 7RX,
United Kingdom
e-mail: R.J.Patton@hull.ac.uk
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 91–128.
© Springer-Verlag Berlin Heidelberg 2010
Measurement sensors are among the most important components for flight con-
trol and aircraft safety. For example, pitot tube air velocity sensors work in a harsh
environment (e.g. the possibility of becoming iced up at high altitude). When sen-
sors of this kind have a common mode fault (e.g. all becoming iced up) all the
redundant lanes of the flight control system can potentially fail as a consequence
of failing to receive suitable air data information. It is generally the case that the
fault probabilities for sensors are high when compared with other components and
control actuators, thus making these devices the least reliable components of the
flight system. In order to improve the reliability of the system, sensor hardware and
software (analytical) redundancy schemes have been investigated for aircraft over
the last twenty or more years [9, 10].
For small and military aircraft, multiple hardware redundancy is harder to achieve
due to a lack of operating space and weight limitations. Multiple hardware is costly
and very complex to engineer and maintain. Analytical redundancy makes use of a
mathematical model of the monitored process and is therefore often referred to as
the model-based approach to FDD [1, 4, 11, 12]. The model-based FDD algorithms
are normally programmed in computer software that may be difficult to implement
on real and complex systems, where modelling uncertainty arises inevitably (due
for example to process noise, parameter variations and modelling errors). The FDD
procedure for incipient faults represents a challenge to the theory of model-based
FDD techniques due to the inseparable mixture between fault effects and modelling
uncertainty. This has been defined in the literature as the robustness problem in
FDI/FDD [1, 3].
Model-based FDI/FDD commonly makes use of the so-called ‘residual signal’
to facilitate the detection and isolation of faults. Methods which use the residual
approach are known as residual-based methods. By far the most studied topic of
the use of residual generators for FDI/FDD has been that of the deterministic state
observer [13, 14, 3]. In the context of observers for stochastic systems there have
also been many studies [15, 16, 3].
A number of researchers have developed residual-based methods using the parity
space concept [17, 18, 2]. Others have developed the theme of robust FDI/FDD
around the Unknown Input Observer (UIO) [19, 3]. Parameter identification has
been a key subject for some investigators [15, 20].
Another popular approach to FDD/FDI, particularly considering robustness has
been via the use of eigenstructure assignment (EA) coupled with the UIO. Patton
and co-workers [21, 22] conducted a number of studies on this subject and a toolbox
for EA design was developed [23]. The UIO together with EA have been applied
successfully in a robust FDI/FDD study on a jet engine [24].
Geometrical concepts for FDI/FDD (and the so-called ‘failure’ detection for the
USA) were first proposed by [25]. The geometrical concepts were successfully ex-
tended in theoretical work to nonlinear systems [26, 27].
Nonlinear geometric approaches can also be found in [28, 29], in which the fault
estimation method relies on the successive derivatives of input/output signals. A
drawback of these strategies is a high sensitivity to measurement noise and uncer-
tainty due to dynamical system structure.
Ref. [30] describes an interesting FDD application of a UIO strategy for
Lipschitz-bounded nonlinear systems. This approach is applicable to a wide class
of non-linear systems without requiring a non-linear geometrical approach.
A further approach to FDI/FDD has been based on state estimation using non-
linear stochastic methods such as ‘Particle Filters’, a technique belonging to the class
of Monte-Carlo methods, for nonlinear systems with non-Gaussian noise [31, 32].
Soft computing techniques for FDD/FDI [33] can be also exploited, making use
of neural networks, fuzzy logic or neuro-fuzzy structures. Uppal and Patton [34]
have shown that the neuro-fuzzy approach can be developed from the UIO concept,
making structured residuals as consequents in a neuro-fuzzy system with sets of
residual signals covering the non-linear operation of the system being monitored. In
essence, the soft computing approaches make use of ‘implicit’ rather than ‘explicit’
models of the monitored system and hence also constitute a part of the model-based
approach. The main advantage of the soft computing approaches is that an implicit
mathematical model of the system being diagnosed or monitored is not required and
the techniques handle non-linear dynamics in a very natural way, making them very
suitable for the design of FDD schemes.
Adaptive methods for fault estimation and FDI/FDD are applicable to a wide
class of nonlinear systems and are becoming popular as they blend well with fault
tolerant control (FTC) or fault detection, isolation and recovery (FDIR). One adap-
tive method, which addresses only output sensor faults, is reported in [35].
A crucial issue with any FDD scheme is its robustness to modelling uncertainty.
The robustness problem in FDD is defined as the maximisation of the detectability
and isolability of faults together with the minimisation of the effects of uncertainty
and disturbances on the FDD procedure [1, 3, 6]. A number of FDD techniques have
been mainly developed for linear systems. However, practical models of real-world
systems are mostly nonlinear. Hence, viable procedures for practical application of
FDD techniques must take into account model-reality mismatches and hence mod-
elling uncertainty. For aircraft and aerospace systems the development of FDD tools
that can be applied to real systems design and integration is still an open issue, par-
ticularly with interest in the reduction in the use of some multiple hardware and the
integrated development of analytical redundancy methods. This is an important area
for practical research.
This Chapter is organised as follows. Section 3.2 summarises the basic method-
ologies for actuator, system component and sensor FDD. The methods are based
on output estimation approaches, in conjunction with residual processing schemes,
which include simple threshold detection (for the deterministic case), as well as sta-
tistical analysis when data is affected by noise. The final result consists of a strategy
based on model-based FDI, namely to generate robust and redundant residual sig-
nals. The concept of residual generation is examined with reference to dynamic ob-
servers or Kalman filters. A residual signal is defined as an output estimation error,
in general obtained by the difference between the measurement of one output and
its corresponding estimate. Section 3.2 outlines the design of these FDD estimators
for both deterministic and stochastic environments.
Section 3.3 shows how the proposed FDD algorithms can be applied to the diag-
nosis of actuators, process components and input-output sensors for a general exam-
ple of a flight control problem. Other aerospace examples (e.g. spacecraft) are also
considered. In particular, the FDD techniques presented in this Chapter have been
tested on time series of data acquired from different high fidelity prototypes, whose
linear mathematical descriptions are obtained by using both ‘first principles’ mod-
elling and dynamic system identification procedures. Results from simulations show
that diagnosed faults are perfectly compatible with the FDD requirements for these
applications. Finally, Section 3.4 summarises the contributions and achievements of
the Chapter.
Fig. 3.1 The octahedron (left), the dodecahedron (centre) and the dedicated pyramid (right)
configurations
where measurements m1, m3, m5 are for IMU1 and m2, m4, m6 are for IMU2. For
the fault detection purpose, only ri(t), i = 1, 2, 3 are used whereas the four last
signals ri(t), i = 4, ..., 7 are used for fault isolation in gyros and accelerometers. The
dedicated pyramidal configuration FDD technique is used in the Mars Sample Return
mission, a mission undertaken jointly by NASA and the ESA.
The parity-space approach can be based on the parity equations derived from the
dynamic model of the system under diagnosis. The relationship between the parity-
space approach and other model-based approaches has been described by a number
of authors. For example, Patton and Chen describe the equivalent properties between
the state observer approach and the parity space, under certain conditions [9, 18],
and [44] describes the relationship between the parity space and parameter
estimation approaches.
In all of these methods the analytical redundancy that is developed relies on an
input-output polynomial description of the system under diagnosis. The methods
comprise input-output strategies for FDD, in some sense. The use of input-output
forms facilitates the development of analytical descriptions for the disturbance de-
coupled residual generators. These dynamic filters, organised into bank structures,
are able to achieve fault isolation properties. An appropriate choice of their parame-
ters facilitates the maximisation of the robustness with respect to both measurement
noise and modelling errors, whilst optimising fault sensitivity characteristics.
An approach which is strongly based on the use of input-output polynomials is
referred to as the Polynomial Method (PM), presented in [45]. The PM requires the
knowledge of the input-output representation of the continuous-time (or discrete-
time), time-invariant linear dynamic system affected by faults and disturbances. An
important aspect of the PM residual generator design concerns the decoupling prop-
erties of the disturbance. This decoupling is obtained by means of a suitable coordi-
nate exchange of the monitored input-output system.
Hence, the residual generator model for the investigated system depends on suit-
able design polynomials and matrices, which can be arbitrarily selected among the
polynomials with degree greater than or equal to the maximum row degree of the
input-output model. The diagnostic capabilities of the PM residual generator strongly
depend on the choice of the residual transfer function. The analytical solution to
this problem exists and is unique, as demonstrated in [46], due to the choice of a
quadratic constraint equation. The design of the PM filter is completed by intro-
ducing a method for assigning both the zeros and the poles of the continuous time
transfer function from the fault to the residual. The pole and zero locations influence
the transient characteristics (maximum overshoot, delay time, rise time, settling time,
etc.) of the filter as described in [45].
Finally, this PM method can be used for fault isolation. In particular, for the
isolation of a fault affecting one of the output sensors, under the hypotheses that
the input sensors and the remaining output sensors are fault-free, a generalized bank
of residual generator filters is used. The number of these generators is equal to the
number m of the system outputs, and the i-th device (i = 1, . . . , m) is driven by all
but the i-th output and all the inputs of the system. In this case, a fault on the i-th
output sensor affects all but the i-th residual generator. The same technique can be
applied for the isolation of input sensor faults. However, it must be emphasised that
the PM approach is merely a re-iteration or a new interpretation of the parity space
philosophy of utilising input-output signals in polynomial form.
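The isolation logic of the generalized bank described above, as an added example that is not from the chapter. Each generator here is a simple Luenberger observer standing in for a PM filter, and the 3-state plant, GAIN, THRESHOLD and the function names are constructed assumptions.

```python
# Added example: generalized bank of m residual generators for output-sensor
# fault isolation. Generator i is driven by all outputs except the i-th, so a
# fault on sensor i leaves residual i quiet while every other residual fires.

# Constructed plant x(k+1) = A x(k) + B u(k); each state has its own sensor.
A = [[0.9, 0.1, 0.0],
     [0.0, 0.8, 0.1],
     [0.0, 0.0, 0.7]]
B = [0.0, 0.0, 1.0]
GAIN = 0.2         # observer gain applied to every output a generator may use
THRESHOLD = 0.05   # constructed detection threshold


def run_bank(steps, faulty_sensor=None, fault_size=0.5, onset=100):
    """Simulate plant and bank; return the m residual magnitudes at the last step."""
    m = len(A)
    x = [0.0] * m
    est = [[0.0] * m for _ in range(m)]   # est[i] = state estimate of generator i
    residuals = [0.0] * m
    u = 1.0                               # constant known input
    for k in range(steps):
        y = list(x)                       # healthy measurement: y_j = x_j
        if faulty_sensor is not None and k >= onset:
            y[faulty_sensor] += fault_size        # additive sensor bias
        for i in range(m):
            # Generator i never looks at output i (innovation forced to zero).
            innov = [0.0 if j == i else y[j] - est[i][j] for j in range(m)]
            residuals[i] = max(abs(v) for v in innov)
            est[i] = [sum(A[r][c] * est[i][c] for c in range(m))
                      + B[r] * u + GAIN * innov[r] for r in range(m)]
        x = [sum(A[r][c] * x[c] for c in range(m)) + B[r] * u for r in range(m)]
    return residuals


def isolate(residuals, threshold=THRESHOLD):
    """Map a residual pattern to a sensor index.

    None -> no residual fired (no fault detected)
    i    -> every residual fired except the i-th: sensor i is faulty
    -1   -> pattern does not match a single output-sensor fault
    """
    fired = [r > threshold for r in residuals]
    if not any(fired):
        return None
    quiet = [i for i, f in enumerate(fired) if not f]
    if len(quiet) == 1:
        return quiet[0]
    return -1


if __name__ == "__main__":
    print("fault-free:", isolate(run_bank(300)))
    for s in range(3):
        r = run_bank(300, faulty_sensor=s)
        print("sensor", s, "residuals", [round(v, 3) for v in r], "->", isolate(r))
```

A bias of 0.1 on sensor 0 produces residuals below THRESHOLD in this setup and goes undetected, which is the sensitivity side of the threshold choice.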
where s(t) = (x(t), z(t)), knowing a set of samples i.e. output/input data
y(t), y(t − 1), ..., u(t), u(t − 1), ...
Within the Bayesian context, the filtering problem is simplified by assuming that
s(t) evolves in a Markovian way. A Markov system is one in which past and fu-
ture states are conditionally independent, given the current state. The Markovian
assumption facilitates a recursive formulation of the estimation problem. The prob-
lem then turns out to be the computation of x̂ and ẑ satisfying the following jump
Markov linear Gaussian model:
$$
\begin{aligned}
z(t) &\sim P(z(t) \mid z(t-1)) \\
x(t) &= A(z(t))\,x(t-1) + B(z(t))\,u(t) + E_1(z(t))\,w(t) \\
y(t) &= C(z(t))\,x(t) + D(z(t))\,u(t) + E_2(z(t))\,v(t)
\end{aligned}
\qquad (3.4)
$$
where $y(t) \in \Re^m$ denotes the observations, $x(t) \in \Re^n$ the unknown Gaussian states,
$u \in \Re^p$ a known control signal and where $z(t) \in \{1, ..., q\}$ denotes the unknown
discrete states (i.e. the fault modes). The noise processes are assumed to be Gaussian
so that $w(t) \sim N(0, I)$ and $v(t) \sim N(0, I)$. The parameters $A, B, C, D, E_1, E_2$ and
$P(z(t) \mid z(t-1))$ are known matrices with $D(z(t))D(z(t))^T > 0$ for any $z(t)$.
squared derivations of the transitioned sigma points from the mean. The UKF up-
date yields an approximation to the a-posteriori probability whose error depends on
how different the true probability distribution is from the ideal Gaussian case.
The particle filtering approach has been used successfully for fault diagnosis in
planetary rovers, e.g. the Hyperion robot (four wheeled robot), the K-9 rover (six
wheeled rover).
The software code for the implementation of the PF strategy is freely available at
the website http://www.cs.ubc.ca/~nando/software.html [53, 32].
where
fi(.) = f(x(k), δs(k), Ψ(x, k)) δi(k) (3.6)
δs refers to the healthy control surfaces and Ψ(x) is a vector composed of nonlinear
functions depending on a subset of the state vector x. The index "i" is used to outline
that the estimation of the i-th fault δ̂i needs to be performed. The stochastic inputs v
and w denote the process and measurement noises, respectively, which are assumed
to be uncorrelated white noise processes with covariance matrices:
The initial estimates of state and covariance matrix are denoted by:
x0 = E{x0 } (3.8)
Following the method proposed in [59], the problem of recursively estimating the
augmented state vector x can be formulated as a nonlinear filtering problem that
minimizes the conditional mean-square-error, i.e:
where $\tilde{x}(k) = x(k) - \hat{x}(k)$ is the state estimate error and $Y^{k-1} = \{y_0, y_1, \cdots, y_{k-1}\}$
is a matrix containing the past measurements. The state estimate $\hat{x}(k)$ is equivalent to
the conditional mean of the Gaussian probability density function
$p(x(k)/Y^{k-1}) \sim N(\hat{x}(k), P(k))$ such as:
and where:
refers to the state covariance matrix, which quantifies the uncertainty of the esti-
mate. The estimation algorithm can then be formulated into the following nonlinear
observer-based scheme:
$$
\begin{aligned}
\hat{x}(k+1) &= f_i(\hat{x}(k), \delta_s(k), \Psi(x, k)) + K(k)\,e(k) \\
\hat{y}(k) &= g(\hat{x}(k))
\end{aligned}
\qquad (3.13)
$$
where $K(k)$ is a non-stationary gain to be computed and $e(k) = y(k) - \hat{y}(k/k-1)$ is
the innovation sequence associated to the covariance matrix $P_{ee}$:
Based on the previous estimate of the state x̂(k/k) with covariance P̂(k/k), the filter
computes at a subsequent time-step an optimal forecast of the state x̂(k + 1/k) and its
covariance matrix P̂(k + 1/k) whenever observations become available. This leads
to the following update equations:
As the above statistical expectations are generally intractable, some kind of ap-
proximation must be used, for example the Extended Kalman Filter (EKF) which
is based on a first-order Taylor linearization. However, even if the EKF estimator
seems to be adapted, some well-known drawbacks exist in practice, i.e. the parame-
ter estimates can converge slower than the state estimates and in general, only local
convergence can be expected. Based on the work reported in [59], this motivated
[57, 58, 56] to use an approximation of the nonlinear function ‘fi(.)’ by means of a
multi-dimensional extension of Stirling’s interpolation formula.
Although this method presents some optimality proofs, the key feature remains
the a-priori choice of the covariance matrices Q and R. The matrix Q controls the
flexibility of the model whereas the measurement covariance matrix R controls the
flexibility of the measurement equations. In most practical cases, the optimiza-
tion of Q and R is done by iteratively testing different values and evaluating the
results over a test period.
In practice, this tuning problem is often tackled as an ad hoc process involving
a very large number of manual trials. In view of this difficulty, it has been chosen
in [56] to automatically tune these matrices by means of an optimization method.
The performance index to be minimized corresponds to the root-mean-square of the
state estimate errors subjected to positivity constraints of Q and R matrices that is:
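$$
J(k) = \left( \frac{1}{N} \sum_{t_0}^{t_f} \tilde{x}^T \Pi\, \tilde{x} \right)^{1/2}
\quad \text{s.t.} \quad
\begin{cases}
Q > 0,\ R > 0 \\
R = \mathrm{diag}(r_i) \\
Q = \mathrm{diag}(q_i)
\end{cases}
\qquad (3.18)
$$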
For convenience, the additional constraints Q = diag(qi ) and R = diag(ri ) are im-
posed in the optimization algorithm. Π is a weighting matrix introduced to manage
separately each component of the vector x̃. t0 and t f are respectively the initial and
final discrete time of the tuning interval and N denotes the number of data points in
the tuning interval.
Because of the multi-parameter, non-linear and discrete nature of this optimiza-
tion problem, a Particle Swarm Optimization (PSO) algorithm is retained in [56] to
derive a numerical solution.
This approach has been applied successfully in [56] to the problem of control
surface failures in the HL-20 Reusable Launch Vehicles (RLV) during its landing
phase. See fig. 3.8 that illustrates some results.
To proceed, let the system model be given in the discrete-time domain according
to:
$$
\begin{aligned}
x_{k+1} &= A_k x_k + B_k u_k + E_k d_k + F_k^1 f_k + w_k^1 \\
y_k &= C_k x_k + F_k^2 f_k + w_k^2
\end{aligned}
\qquad (3.19)
$$
where $x_k$, $u_k$, $y_k$ denote the state, the input and the output vectors, respectively. Each
entry of $f_k$ corresponds to a specific fault, $d_k$ denotes the unknown inputs to be de-
coupled and $w_k^1$, $w_k^2$ are independent zero-mean white noise sequences with covari-
ance matrices $Q_k$, $R_k$, assumed to be known. The authors show that the following
UIO can be used for FDD:
$$
\begin{aligned}
z_{k+1} &= F_{k+1} z_k + T_{k+1} B_k u_k + K_{k+1} y_k \\
\hat{y}_{k+1} &= C_{k+1} z_{k+1} + C_{k+1} H_{k+1} y_{k+1}
\end{aligned}
\qquad (3.20)
$$
The residual $r_k$ is also defined according to $r_k = y_k - \hat{y}_k$. Then the problem turns
out to be the design of $F, T, K, H$ to achieve disturbance decoupling with minimum
variance of state estimation, $K$ playing the role of a Kalman gain.
It is shown in [16, 3] that the decoupling objectives are achieved iff the following
conditions are satisfied:
$$
\begin{aligned}
E_k &= H_{k+1} C_{k+1} E_k && (3.21) \\
T_{k+1} &= I - H_{k+1} C_{k+1} && (3.22) \\
F_{k+1} &= T_{k+1} A_k - K_{k+1}^1 C_k && (3.23) \\
K_{k+1}^2 &= F_{k+1} H_k && (3.24) \\
K_{k+1} &= K_{k+1}^1 + K_{k+1}^2 && (3.25)
\end{aligned}
$$
The necessary and sufficient condition for the existence of a solution to Eq. (3.21)
is $\mathrm{rank}(C_{k+1} E_k) = \mathrm{rank}(E_k)$ and a special solution is:
$$
H_{k+1} = E_k \left[ (C_{k+1} E_k)^T (C_{k+1} E_k) \right]^{-1} (C_{k+1} E_k)^T \qquad (3.26)
$$
The matrix $K_{k+1}^1$ is designed to stabilise the observer and achieve minimum state
estimation error variance. The solution to this problem is:
$$
K_{k+1}^1 = A_{k+1}^1 P_k C_k^T \left( C_k P_k C_k^T + R_k \right)^{-1} \qquad (3.27)
$$
where $A_{k+1}^1 = T_{k+1} A_k$ and $P_k = E\{(x_k - \hat{x}_k)(x_k - \hat{x}_k)^T\}$ is the covariance matrix of
the estimation state error at time $k$ that can be computed according to the recursive
equation:
Remark 1. It can be seen that the observer structure described above is equivalent
to a classical Kalman filter for systems without unknown inputs.
Remark 2. Note that the UIO decoupling approach was used for FDD in gyro-
scopes [61]. For this study the author used eigenstructure assignment to achieve the
necessary de-coupling, based on the work on EA for UIO decoupling by [22].
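A numerical check of the decoupling conditions (3.21)-(3.26), as an added example that is not the authors' code. It assumes a constructed time-invariant 3-state plant with a single unknown input and no noise, sets K^1 = 0 instead of computing the minimum-variance gain (3.27), and compares the UIO residual with that of an observer without decoupling; all function names are hypothetical.

```python
import math

# Constructed plant (assumption): x(k+1) = A x + B u + E d,  y = C x + sensor fault
A = [[0.9, 0.1, 0.0],
     [0.0, 0.8, 0.1],
     [0.0, 0.0, 0.7]]
B = [[0.0], [0.0], [1.0]]
C = [[1.0, 0.0, 0.0],
     [0.0, 1.0, 0.0]]
E = [[0.0], [1.0], [0.0]]       # the unknown input enters the second state


def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]


def add(X, Y):
    return [[a + b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def sub(X, Y):
    return [[a - b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def zeros(rows, cols):
    return [[0.0] * cols for _ in range(rows)]


def eye(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def design_uio(A, C, E, K1):
    """Return H, T, F, K satisfying (3.21)-(3.26) for a single-column E."""
    CE = matmul(C, E)
    norm2 = sum(row[0] ** 2 for row in CE)        # (CE)^T (CE) is a scalar here
    if norm2 == 0.0:
        raise ValueError("rank(CE) != rank(E): the disturbance cannot be decoupled")
    H = [[e[0] * ce[0] / norm2 for ce in CE] for e in E]    # (3.26)
    T = sub(eye(len(A)), matmul(H, C))                       # (3.22)
    F = sub(matmul(T, A), matmul(K1, C))                     # (3.23)
    K = add(K1, matmul(F, H))                                # (3.24), (3.25)
    return H, T, F, K


def simulate(steps, disturbance, sensor_fault, decouple):
    """Run plant and observer; return the residuals r_k = y_k - C x_hat_k."""
    n, m = len(A), len(C)
    K1 = zeros(n, m)              # A is stable, so no extra gain is needed here
    if decouple:
        H, T, F, K = design_uio(A, C, E, K1)
    else:                         # same observer without disturbance decoupling
        H, T, F, K = zeros(n, m), eye(n), A, K1
    x, z, u = zeros(n, 1), zeros(n, 1), [[1.0]]
    residuals = []
    for k in range(steps):
        y = add(matmul(C, x), [[sensor_fault(k)], [0.0]])   # bias on sensor 1 only
        x_hat = add(z, matmul(H, y))
        r = sub(y, matmul(C, x_hat))
        residuals.append([row[0] for row in r])
        z = add(add(matmul(F, z), matmul(matmul(T, B), u)), matmul(K, y))   # (3.20)
        x = add(add(matmul(A, x), matmul(B, u)),
                [[e[0] * disturbance(k)] for e in E])
    return residuals


def peak(residuals):
    return max(abs(v) for r in residuals for v in r)


def gust(k):                      # constructed disturbance signal
    return math.sin(0.1 * k)


def healthy(k):
    return 0.0


def stuck_offset(k):              # constructed sensor bias starting at k = 100
    return 0.5 if k >= 100 else 0.0


if __name__ == "__main__":
    print("plain observer, gust only :", peak(simulate(200, gust, healthy, False)))
    print("UIO, gust only            :", peak(simulate(200, gust, healthy, True)))
    print("UIO, gust + sensor fault  :", simulate(200, gust, stuck_offset, True)[150])
```

With this plant the decoupling uses up the second output, so the second residual component is identically zero and only the first carries fault information.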
where K1, K2 are gain matrices. The parameter τ is the updating interval. It may be
taken as the sampling-time interval, or as an integer multiple of the sampling-time
interval. The parameter Λ is a positive definite matrix and ϕ(t) is called the ILO
input that is used to estimate the time-varying fault. As can be seen, the signal
ϕ(t) is updated by both its past information and the state estimation error.
• fault signal estimation based approaches: see [65, 67, 70, 71]
• and residuals generation based approaches: see [66, 73, 74, 68, 69, 75, 76, 72]
A great advantage of these methods is that the framework employed (i.e. the H∞
framework) facilitates the inclusion of several robustness objectives within the de-
sign procedure, e.g. against various disturbances, perturbations and model uncer-
tainties.
fictitious signal f through a filter Wf. This filter is chosen taking into account the
frequency location of the fault to be detected, e.g. if the energy of the faults to be
detected is located at low frequencies, Wf is chosen to be a low-pass filter.
Now, let us define the estimation error signal e:
e = f − f̂ (3.32)
Then the design problem turns out to be a minimization problem of the maximal
gain of the closed-loop transfers from the signals f and d to the fault estimation
error e. In other words, the goal is to design the filter F so that:
The proposed method is developed in a very similar manner to the well known
H∞ /μ robust controller design technique. The FDD problem consists of jointly de-
signing My , Mu and L(s) such that the effects that faults have on r are maximized in
the H− -norm sense, whilst minimizing the influence of unknown inputs and model
r = z − ẑ (3.36)
λ = 1 + γ2 . Define the signal r̃ such that r̃ = r −WF (s) f . Then a sufficient condition
for the fault sensitivity specification (S.2) to hold, is
Using the above lemma, the H∞ /H− filter design problem can be re-cast in a ficti-
tious H∞ -framework: Using linear fractional algebra and including γ1 , λ ,WF and the
weighting functions Wd into the model P, one can derive from (3.31) a new model
P̃(My , Mu ) depending on the residual structuring matrices My and Mu so that:
rr̃ = Fu Fl P̃(My , Mu ), L , Δ d (3.38)
T
T
where d = d f in which d is the fictitious signal generating d through Wd . In
∞ 1/2
this formulation, we assume that d 2 = −∞ ||d(t)||2 dt ≤ 1, since it is always
possible to scale P̃(My , Mu ).
Then, a sufficient condition for specifications (S.1) and (S.2) to hold is:
Fl P̃(My , Mu ), L ∞ < 1 (3.39)
of the fault. The proposed approach can be properly applied to a nonlinear system
model in the form described in [27]. Moreover, as detailed in [81] and subsequently
developed in [27], a state and output coordinate transformation can be applied to
the considered nonlinear system if and only if a proper fault detectability condi-
tion is satisfied. In this case, the nonlinear system in the new reference frame can
be decomposed into 3 subsystems where the first one (the x̄1 -subsystem) is always
decoupled from the disturbance vector and affected by the fault.
The new proposed FDD scheme can be applied only if the fault detectability con-
dition presented in [81] holds and some new constraints are satisfied, as described
in [82].
Thus, an adaptive filter can be designed with reference to the transformed non-
linear system, in order to perform an estimation of the fault signal, which asymp-
totically converges to the magnitude of the fault f . The proposed adaptive filter that
solves this FDD problem is based on the least squares algorithm with forgetting fac-
tor [83] and described by a suitable adaptation law [45]. It can also be shown that
the designed adaptive filter represents a solution to the considered FDD problem,
so that the fault signal estimate provides an asymptotically convergent estimation of
the magnitude of the actual fault, as reported in [45].
of the system under diagnosis, which is derived by following a NLGA strategy. The
use of the NLGA facilitates the determination of disturbance decoupled residual
generators in a stochastic framework. The fault isolation and the disturbance decou-
pling suggested in this section is different from the method presented in [32], as
achieved via the NLGA strategy.
isolation and identification of actuator as well as input and output sensor faults are
developed. In order to analyze the diagnostic effectiveness of the FDD strategies in
the presence of abrupt changes or drifts in measurements, realistic fault scenarios
have been considered. The results obtained by the presented FDD approaches indi-
cate that the detected faults on the various processes are of interest for future aircraft
and aerospace diagnostic applications.
Fig. 3.3 Behaviour of the residual r - Fault-free situation (left) / OFC (right)
[plots: residual (°) versus Time (s)]
reported in this Section which also considers briefly the important features of the
performance evaluation of the diagnosis schemes, i.e. their robustness and reliabil-
ity with respect to the uncertainty and disturbance acting on the system by means of
a Monte-Carlo analysis.
The mathematical simulation model of the aircraft used in this Section is based
on the classical nonlinear 6 Degrees of Freedom (6 DoF) rigid body formulation
[85], whose motion occurs as a consequence of applied forces and moments (aero-
dynamic, thrust and gravitational). A set of local approximations for these forces
has been computed and scheduled depending on the values assumed by True Air
Speed (TAS), flap, altitude, curvature radius and flight path angle. In this way, it is
also possible to obtain a simplified mathematical model for each flight condition that
is suitable for a state-space representation, as it can be made explicit. The param-
eters in the analytic representation of the aerodynamic actions have been obtained
from wind tunnel experimental data. It should be observed that aerodynamic forces
and moments are not implemented by the classical linearised expressions (stability
derivatives).
Static aerodynamic actions (e.g. lift and drag characteristics), are implemented
by means of cubic splines approximating nonlinear experimental curves. More de-
tails can be found in the related paper [86]. The linear aircraft model used by the
proposed PM described in Section 3.2.1 embeds the linearisation both of the 6 DoF
model and of the propulsion system. On the other hand, the NLGA-AF FDD scheme
described in Section 3.2.7 requires a nonlinear input affine system [27], but the
adopted simulation model of the aircraft does not fulfil this requirement. For this
reason, a simplified aircraft model has been considered, as reported in [45].
The PM residual generator filters are fed by the 4 component input vector c(t) and
the 9 component output vector y(t) acquired from the nonlinear simulation aircraft
model [87, 46]. Each filter of the PM bank is independent of one of the 4 input
signals and then is also insensitive to the corresponding fault signals. Clearly, the
residual generator bank has been designed to be decoupled from the disturbance
signals, i.e. the wind gust signals, which represent disturbance terms acting on the
aircraft system.
112 D. Henry, S. Simani, and R.J. Patton
In order to assess the diagnosis technique, different fault sizes have been simulated
on each sensor. As an example, the 4 residual functions $r_{c_i}(t)$ generated by the
filter bank for input sensor fault isolation, under both fault-free and faulty conditions,
are shown in fig. 3.4.
Continuous lines represent the fault-free residual functions, while the dashed
lines depict the faulty residual signals. The dotted lines correspond to the settled
thresholds. The fault considered in fig. 3.4 has been generated on the elevator sensor
of the considered aircraft, starting at time t = 150 s. The first residual function
of fig. 3.4 also provides the isolation of the input sensor fault under consideration.
Regarding the new NLGA-AF FDD scheme, in order to assess its effectiveness in
estimating the faults affecting the input sensors, the same flight condition (a coordi-
nated turn at constant altitude) previously described for the PM evaluation has been
considered. A bank of 4 adaptive filters has been used in order to perform the diag-
nosis, the isolation, and the estimation of the elevator, aileron, rudder and throttle
actuator fault magnitudes. It is important to note that each filter is structurally de-
coupled from the vertical and lateral wind disturbance components and is sensitive
to a single input sensor fault.
In fig. 3.5, the simulation results referring to a particular case are reported, where
a small fault with a size of 2° starting at time t = 150 s is added to the elevator
actuator.
With reference to the results obtained, the proposed FDD strategies appear to be
promising for diagnostic application to commercial aircraft. Advantages and draw-
backs of the PM and the new NLGA-AF FDD methods developed in this Section
can be summarised as follows. Both PM filters and NLGA-AF perform lowpass
filtering of input/output measurements. For the particular aircraft application, the
computational burden of polynomial filters is lower than that of NLGA adaptive
filters, so that they are suitable for low-cost implementations. On the other hand,
NLGA-AF can obtain smaller detection time, compared with PM filters, thanks to
the fact that they directly take into account nonlinear terms [45]. It is worth noting
that the results of the Monte-Carlo analysis applied to the PM and NLGA-AF
FDD scheme show how the proper design and optimisation of the dynamic filters
allows the achievement of low false and missed alarm rates, with high detection and
isolation rates, and with minimal detection and isolation delay times, as described
in [45].
[Plot residue for Fig. 3.5: panels of fault estimates against Samples (sec.), including "Rudder sensor fault estimate" and "Throttle sensor fault estimate".]
Fig. 3.5 Adaptive filters via the nonlinear geometric approach for elevator sensor fault diagnosis
and size estimation.
As for the NLGA-NF, the NLGA Particle Filter (NLGA-PF) has been designed
as described in [82, 46]. The NLGA-PF filter is implemented via the algorithm
summarised in Section 3.2.2 with a number M = 200 of particles and it uses 20000
data samples $\delta_{th_k}$ and $n_{e_k}$, acquired from the continuous-time aircraft model.
As an example, the residual functions generated by the NLGA-NF and NLGA-PF
filters for the throttle actuator FDI, under both fault-free and faulty conditions, are
shown in fig. 3.6. The continuous lines represent the fault-free residual functions,
whilst the dotted lines depict the faulty residual signals. As illustrated in fig. 3.6,
the fault has been generated on the throttle actuator of the aircraft, starting at time
t = 100 s.
Fig. 3.6 NLGA-PF and NLGA-NF residuals for throttle actuator FDD.
often done by operators using telemetry data collected by ground stations. These data
are usually elaborated using on-board functions based on, e.g. hardware redundancy
like IMUs placed in a pyramidal structure, cross checks using many star-trackers or
short rendezvous sensors, and limit value checking with regard to certain tolerances of
normal values. However, the potential lack of communication between the system
and the stations and/or the time used to analyse the collected data could lead the
missions to be aborted. This problem becomes crucial e.g. during the hypersonic
phase of an atmospheric re-entry and especially during the well-known blackout
phase where no communication between the vehicle and the ground stations exists
due to excessive thermic flow. In such cases, only on-board fault detection and
isolation solutions can be considered for aerospace systems.
Model-based methods applied to aerospace example systems can be considered
today as a mature and structured field of research. Significant progress has been
made during the past two decades to address the problem of robustness and performance
assessment. However, except within the Livingstone system [88] which flew
on the Deep Space One spacecraft as part of the Remote Agent Experiment, such
techniques have not been used so far in on-board computers for aerospace missions.
The principal reason is related to the fact that any new technique should provide a
solution having well-defined real-time characteristics and well-defined error rates.
The selection of an advanced model-based fault diagnosis solution at a local or
global level necessarily includes a trade-off between the best adequacy of the technique
and its implementation level for covering an expected fault profile, as well
as its industrialisation process with support tools for its design/tuning and validation.
Very attractive advanced algorithmic solutions would not be accepted without
such industrial framework capability, e.g. for easy parameter tuning and validation
by non-specialist operators. A classical approach could therefore be preferred despite
its smaller fault coverage, because classical methods are well mastered industrially
and well characterized, without risk of excessive false alarms. It follows that
a good balance between physical redundancy and model-based techniques could be
the right solution, leading to more efficient health monitoring systems based on less
redundant elements. See discussion in [9, 10].
3 FDD for Aeronautic and Aerospace Missions 115
This section presents the results achieved when several diagnosis techniques, that
are designed exploiting both hardware and system redundancy, are applied success-
fully to aerospace missions.
Fig. 3.7 Fault-free and faulty residuals with the decision test (left) and the isolation criteria
(right).
made robust against measurement noise, wind turbulence, the guidance reference
signals and faults in a given wing flap actuator, whilst remaining sensitive to all
faults in the other wing flap actuator. For the purpose of estimating the position of
the faulty control surfaces, the nonlinear EKF method presented in Section 3.2.3 is
used. Fig. 3.8 illustrates the results for some nonlinear simulations in the presence
of wind and atmospheric turbulence. As can be seen, the faults are successfully
detected, isolated and estimated by the FDI unit.
[Plot residue for Fig. 3.8: panels "Runaway-type fault on δwfl" and "Jamming-type fault on δwfr", showing δwfl (deg) and δwfr (deg) with their estimates δ̂wfl and δ̂wfr against Simulation time (s), annotated "Fault is declared by the FDI unit".]
Fig. 3.8 HL–20 vehicle (top), residuals and position estimates (bottom)
makes the isolation possible. This disturbance is mainly contributed by the main en-
gine misalignment but may also include un-modelled dynamics. Local linear math-
ematical models of the satellite are estimated by means of a robust dynamic system
identification approach based on minimisation of the estimation error [5, 91]. The
identified models are used in the design of robust FDD residual generators based on
dynamic observers that are structurally decoupled from both disturbances and esti-
mated uncertainties acting on the space vehicle. For the satellite problem, the main
source of disturbance is caused by the large torque imbalance effects arising from
deployment of the main engine. These FDD observers are organised into observer
bank structures, providing good fault isolation properties. The parameters of these
optimal robust disturbance decoupling observers together with the use of a concur-
rent disturbance estimation strategy are designed jointly to maximise the robustness
with respect to both measurement noise and modelling errors, whilst optimising
fault sensitivity characteristics.
The FDD robustness obtained via unknown input decoupling is far less conservative
than the best robustness that can be achieved using nonlinear strategies.
Nonlinear methods usually work well if the nonlinear structure of the mathemat-
ical model of the system under investigation is perfectly known. Nonlinear system
approaches are challenged heavily when the uncertainties are unstructured, whilst
the approach can be easily outperformed when the concurrent disturbance estima-
tion strategy is exploited, due to the conservativeness of the robust results arising
from the way in which the uncertainty bounds are defined.
In this study software algorithms to determine the overall performance of the
proposed FDD methods are described and implemented in the MATLAB and
SIMULINK environments. They perform simulations of the attitude control of the
MEX satellite system based on a reasonably detailed nonlinear model of the MEX
satellite system. The overall FDD scheme exploits a Monte Carlo (MC) tool for
both the design of the robust FDD technique and the final performance evaluation,
as described in [92, 93, 94, 95, 60].
As shown in fig. 3.9, the structure of the MEX orbiter consists of a cube-shaped
spacecraft with two solar panel wings extending from opposite sides. More details
can be found in [96].
The background to the FDD methods used in this study has developed from the
combined experiences of the academic authors [92, 93, 94, 95, 60]. The main ap-
proach to the FDD is to make use of unknown input decoupling to suppress/remove
the large main engine-induced disturbances from the residuals used for the FDD of
the gas thrusters. The decoupling approach is based on the work of Chen and Patton
[16, 97], with the additional feature of direction of unknown input estimation
using an augmented observer described in [3]. Instead of using the nonlinear physical
model of the satellite directly, this model is used in a robust recursive identification
study to generate an identified model taking account of some of the modelling
errors associated with variations around a point of operation of the system. The iterative
procedure is included in the MC strategy to optimize the model and structure
of the residuals for robust FDD. The work of Simani and co-workers has been used
for the identification study [5]. The identified model is then used in the residual
generation strategy [92, 93, 94, 95, 60].
[Plot residue: "Comparison of symptoms for fault isolation (S2)", weighted averaging function [rad/sec] (scale ×10⁻³) against time [sec] for Observer-0 to Observer-4, with the fault isolation window, detection time t_d and isolation time t_i marked.]
Once the linear model for the system under investigation is available, the FDI
scheme relies on the design of the so-called ORDDO [98]. The original work by
Uppal and Patton made use of a multiple-model structure consisting of a group of
decoupling observers for generating the required FDI residuals.
Each observer in the group is designed to be sensitive to a subset of faults (that
have to be detected and isolated). The authors selected the ORDDO strategy for
its ability to decouple faults and to make the FDI design robust w.r.t. the mod-
elling/parameter uncertainty, noise and disturbance. A separate augmented observer
proposed originally by Chen and Patton [3] is included in the design in order to es-
timate the directions of the distribution of the disturbance torque, mainly caused by
main engine misalignment, into the system.
As an example, the residual signals due to the thruster fault case are reported in
fig. 3.10. The residuals indicate a fault occurrence when their values are lower or
higher than the thresholds fixed in fault-free conditions. Regarding the MEX thruster
FDD, fig. 3.10 shows the faulty residuals when thruster 1 is open.
According to the observer bank design described in [95, 60], the residual signal
with the smallest value indicates the corresponding faulty thruster command signal.
In this case, the thruster fault commences at the instant t = 700 s.
Finally, various indices for performance evaluation of the suggested method
were analysed on the monitored MEX system. The MC simulation approach to
both the FDD scheme design and its performance evaluation as exploited here has
facilitated more reliable results than the conventional software reliability models
[92, 93, 94, 95, 60]. These performance evaluation and reliability indices were computed
based on extensive simulations using the MEX MATLAB and SIMULINK environments.
Through many MC runs, the imperfect process modelling, uncertainty,
disturbance and noise can be taken into account, to give more accurate and realistic
results. The complete procedure was implemented using MATLAB and SIMULINK
software tools in order to automate the simulation process. The diagnosis feasibility
and reliability studies are of paramount importance for real application of FDI once
implemented on-board future spacecraft.
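The decision logic described in this section (thresholds fixed in fault-free conditions, a bank in which each filter is decoupled from one fault, isolation by the smallest residual, and Monte-Carlo estimation of alarm rates and detection delay), as an added Python example that is not the authors' MATLAB/SIMULINK tooling. The residual model, noise level, window length and all function names are assumptions constructed for illustration.

```python
import random

N_FILTERS = 4     # one residual generator per monitored channel
NOISE_STD = 0.2   # constructed residual noise level (assumption)
FAULT_STEP = 1.0  # constructed residual offset caused by a fault (assumption)
WIDTH = 20        # averaging window length, in samples
N_STEPS = 300     # samples per simulated run


def simulate_bank(rng, fault_channel=None, fault_time=None, n_steps=N_STEPS):
    """Constructed residuals: filter i is decoupled from fault i, so only the
    other filters see a fault on channel i as a step offset buried in noise."""
    bank = []
    for i in range(N_FILTERS):
        row = []
        for k in range(n_steps):
            hit = (fault_channel is not None and k >= fault_time
                   and i != fault_channel)
            row.append((FAULT_STEP if hit else 0.0) + rng.gauss(0.0, NOISE_STD))
        bank.append(row)
    return bank


def averaged(residual, k, width=WIDTH):
    """Mean absolute residual over the full window ending at sample k."""
    window = residual[k - width + 1:k + 1]
    return sum(abs(v) for v in window) / width


def calibrate(rng, runs=20, margin=2.0, width=WIDTH):
    """Fix one threshold per filter from fault-free runs: margin times the
    largest averaged residual observed without any fault."""
    worst = [0.0] * N_FILTERS
    for _ in range(runs):
        for i, r in enumerate(simulate_bank(rng)):
            for k in range(width - 1, len(r)):
                worst[i] = max(worst[i], averaged(r, k, width))
    return [margin * w for w in worst]


def detect_and_isolate(bank, thresholds, width=WIDTH, hold=WIDTH):
    """Return (t_detect, t_isolate, channel); fields are None when not reached.
    Detection: any averaged residual crosses its threshold.
    Isolation: `hold` samples later, the filter whose averaged residual is
    smallest is the one decoupled from the fault, which names the channel."""
    n_steps = len(bank[0])
    for k in range(width - 1, n_steps):
        if any(averaged(r, k, width) > th for r, th in zip(bank, thresholds)):
            t_iso = k + hold
            if t_iso >= n_steps:
                return k, None, None
            levels = [averaged(r, t_iso, width) for r in bank]
            return k, t_iso, levels.index(min(levels))
    return None, None, None


def monte_carlo(seed=1, runs=100):
    """Estimate the performance indices over repeated randomised runs."""
    rng = random.Random(seed)
    thresholds = calibrate(rng)
    false_alarms = missed = isolated = 0
    delays = []
    for _ in range(runs):
        # Fault-free run: any detection is a false alarm.
        if detect_and_isolate(simulate_bank(rng), thresholds)[0] is not None:
            false_alarms += 1
        # Faulty run with a random channel and onset time.
        channel = rng.randrange(N_FILTERS)
        onset = rng.randrange(50, 200)
        t_det, _, found = detect_and_isolate(
            simulate_bank(rng, channel, onset), thresholds)
        if t_det is None:
            missed += 1
        elif t_det < onset:
            false_alarms += 1      # alarm raised before the fault exists
        else:
            delays.append(t_det - onset)
            if found == channel:
                isolated += 1
    return {
        "false_alarm_rate": false_alarms / (2 * runs),  # over all simulated runs
        "missed_alarm_rate": missed / runs,
        "isolation_rate": isolated / runs,
        "mean_detection_delay": sum(delays) / len(delays) if delays else None,
    }


if __name__ == "__main__":
    for name, value in monte_carlo().items():
        print(name, value)
```

Raising `margin` lowers the false alarm rate at the cost of a longer detection delay, which is the trade-off the Monte-Carlo tuning is meant to expose.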
3.4 Conclusion
This chapter has provided some theoretical and mainly application study results for
the detection and diagnosis of faults in the actuators and sensors of aircraft and
aerospace systems, through the use of different FDD schemes.
Residual generators can be designed from the input-output description of the
linearised model of the system under diagnosis and the disturbance decoupling has
been obtained. A procedure for optimising the residual generator fault sensitivity
and dynamic response has also been presented.
An important aspect of the strategies based on linear residual generators is the sim-
plicity of the technique used to generate these residuals when compared with differ-
ent schemes. The algorithmic simplicity is a very important aspect when considering
the need for verification and validation of a demonstrable scheme for air-worthiness
certification. The more complex the computations required to implement the scheme,
the higher the cost and complexity in terms of air-worthiness certification.
On the other hand, nonlinear methodologies rely on a design scheme based on the
structural decoupling of the disturbance obtained by means of a coordinate transfor-
mation in the state space and in the output space. To apply the nonlinear theory,
a simplified model of the system under investigation can be required. The mixed
H−/H∞ optimisation of the tradeoff between fault sensitivity, disturbances and
modelling errors is now well understood in the theoretical work and is a promis-
ing area for application study. On the other hand, UIO strategies can have practical
application via moving ‘unknown input estimation windows’ as demonstrated on a
real satellite thruster modulation design problem.
The nonlinear FDD strategies can also be based on adaptive filter schemes. In
addition to proper detection and isolation, these methods also provide a fault size
estimation. This feature is not usual for a fault detection and isolation method and
can be very useful during an on-line automatic flight control system reconfiguration,
in order to recover a faulty operating condition. Compared with similar methods
proposed in the literature, the nonlinear adaptive fault diagnosis technique described
here has the advantage of being applicable to more general classes of nonlinear
systems and less sensitive to measurement noise, since it does not use input/output
signal derivatives.
Suitable filtering algorithms for stochastic systems were also proposed. The
knowledge regarding the noise process acting on the system under diagnosis can
be exploited by the fault diagnosis method design, hence the proposed scheme pro-
vides a possible solution to nonlinear system diagnosis with non-Gaussian noise and
disturbance.
The main advantage of nonlinear based FDD techniques with disturbance de-
coupling features is represented by the fact that they take into account directly the
model nonlinearity and the system reality-model mismatch.
The FDD techniques that have been outlined in this chapter have been tested by
considering high fidelity simulators that are able to take into account disturbances
and measurement errors acting on the system under investigation. Moreover, the
robustness characteristics and the achievable performances of the FDD approaches
described have been carefully considered and investigated.
The effectiveness of the proposed diagnosis schemes was shown by simulations
and a comparison with widely used data driven and model-based FDI schemes with
disturbance decoupling. The reliability and the robustness properties of the designed
residual generators to model uncertainty, disturbances and measurement noise were
analysed via extensive simulations, including the use of Monte-Carlo simulation
experiments to tune the FDD parameters.
Finally, the need to bridge the design gap between FDD and recovery mechanisms,
e.g. Fault Tolerant Control (FTC) schemes, is obvious. FDD and FTC
strategies can be combined as shown in Chapter 12 and in related works by the
same authors and by [99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110].
References
1. Patton, R.J., Frank, P.M., Clark, R.N.: Fault Diagnosis in Dynamic Systems, Theory
and Application. Control Engineering Series. Prentice Hall, New York (1989)
2. Gertler, J.: Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New
York (1998)
3. Chen, J., Patton, R.J.: Robust Model-Based Fault Diagnosis for Dynamic Systems.
Kluwer Academic Publishers, Dordrecht (1999)
4. Patton, R.J., Frank, P.M., Clark, R.N.: Advances in Fault Diagnosis for Dynamic Sys-
tems. Springer, London (2000)
5. Simani, S., Fantuzzi, C., Patton, R.J.: Model-based fault diagnosis in dynamic systems
using identification techniques. In: Advances in Industrial Control, 1st edn. Springer,
London (November 2003)
6. Isermann, R.: Fault-Diagnosis Systems: An Introduction from Fault Detection to Fault
Tolerance, 1st edn. Springer, Heidelberg (November 28, 2005)
28. Kaboré, P., Othman, S., McKenna, T., Hammouri, H.: An observer-based fault diag-
nosis for a class of nonlinear systems – application to a free radical copolymerization
reaction. International Journal of Control 73, 787–803 (2000)
29. Kaboré, P., Wang, H.: Design of fault diagnosis filters and fault tolerant control for
a class of nonlinear systems. IEEE Trans. on Automatic Control 46(11), 1805–1810
(2001)
30. Pertew, A., Marquez, H., Zhao, Q.: LMI–based sensor fault diagnosis for nonlinear
Lipschitz systems. Automatica 43(8), 1464–1469 (2007)
31. Cheng, Q., Varshney, P., Michels, J., Belcastro, C.: Fault detection in dynamic systems
via decision fusion. IEEE Trans. on Aerospace and Electronics Systems 44, 227–242
(2008)
32. Zhang, Q., Campillo, F., Cerou, F., Legland, F.: Nonlinear system fault detection and
isolation based on bootstrap particle filters. In: Proc. of 44th IEEE CDC-ECC, Seville,
Spain, December 2005, pp. 3821–3826 (2005)
33. Korbicz, J., Koscielny, J.M., Kowalczuk, Z., Cholewa, W. (eds.): Fault Diagnosis: Mod-
els, Artificial Intelligence, Applications, 1st edn. Springer, Heidelberg (February 12,
2004)
34. Uppal, F.J., Patton, R.J.: Neuro-fuzzy uncertainty de-coupling: A multiple-model
paradigm for fault detection and isolation. Int. Journal of Adaptive Control & Signal
Processing (Invited Special Issue Paper) 19, 281–304 (2005)
35. Wang, H., Huang, Z., Daley, S.: On the use of adaptive updating rules for actuator and
sensor diagnosis. Automatica 33(2), 217–225 (1997)
36. Chow, E.Y.: Failure detection system design methodology. PhD thesis, Lab. Information
and Decision system, University of Cambridge (1980)
37. Gertler, J.: Survey of model-based failure detection and isolation in complex plants.
IEEE Control Systems Magazine (1988)
38. Patton, R.J., Chen, J.: A review of parity space approaches to fault diagnosis. In: IFAC
Symposium Safeprocess 1991, pp. 239–255 (1991)
39. Chen, J., Zhang, H.Y.: Parity vector approach for detecting failures in dynamic systems.
International Journal of Systems and Science 21, 765–770 (1991)
40. Gertler, J.: Fault detection and isolation using parity relations. Control Eng. Prac-
tice 5(5), 653–661 (1997)
41. Satin, A.L., Gates, R.L.: Evaluation of parity equations for gyro failure detection and
isolation. Journal of Guidance and Control 1(1), 14–20 (2005)
42. Shim, D.S., Yang, C.K.: Geometric fdi based on svd for redundant inertial sensor sys-
tems. In: Proceedings of the 5th Asian Control Conference, Melbourne - Australia,
vol. 29, pp. 1093–1099 (2004)
43. Yang, C.K., Shim, D.S.: Double faults isolation based on the reduced-order parity vec-
tors in redundant sensor configuration. International Journal of Control, Automation
and Systems 5(2), 155–160 (2007)
44. Gertler, J., DiPierro, G.: On the relationship between parity relations and parameter
estimation. In: Proceedings of SAFEPROCESS 1997, Hull - England, pp. 468–473.
IFAC (1997)
45. Castaldi, P., Geri, W., Bonfè, M., Simani, S., Benini, M.: Design of residual generators
and adaptive filters for the fdi of aircraft model sensors. In: Control Engineering Prac-
tice, 2009. ACA 2007 – 17th IFAC Symposium on Automatic Control in Aerospace
Special Issue. Elsevier Science, Amsterdam (2007)
46. Benini, M., Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Design and Performance Eval-
uation of Fault Diagnosis Strategies for a Simulated Aircraft Nonlinear Model. Journal
of Control Science and Engineering 2008, 1–18 (2008); Special Issue on Robustness
Issues in Fault Diagnosis and Fault Tolerant Control. Hindawi Publishing Corporation
47. Doucet, A.: On sequential simulation-based methods for Bayesian filtering. Technical
report, Cambridge University (1998)
48. Liu, J., Chen, R.: Sequential montecarlo methods for dynamic systems. Journal of the
American Statistical Association 93 (1998)
49. Pitt, M., Shephard, N.: Filtering via simulation: Auxiliary particle filter. Journal of the
American Statistical Association 94 (1999)
50. Isard, M., Blake, A.: Condensation: conditional density propagation for visual tracking.
International Journal of Computer Vision 29(1), 5–28 (1998)
51. Fox, D., Burgard, W., Thrun, S.: Markov localization for mobile robots in dynamic
environments. Journal of Artificial Intelligence 11, 391–427 (1999)
52. Thrun, S., Fox, D., Burgard, W.: Montecarlo localization with mixture proposal distri-
bution. In: Proceedings of the AAAI National Conf. on Artificial Intelligence. AAAI,
Menlo Park (2000)
53. Doucet, A., de Freitas, N., Gordon, N. (eds.): Sequential Monte Carlo Methods in
Practice. Statistics for Engineering and Information Science. Springer, New York (July
2001)
54. DeFreitas, N.: Rao-blackwellised particle filtering for fault diagnosis. Aerospace (2002)
55. Hutter, F., Dearden, R.: Efficient on-line fault diagnosis for non-linear systems. In: In-
ternational Symposium on Artificial Intelligence, Robotics and Automation in Space,
Nara, Japan, May 19-23 (2003)
56. Falcoz, A., Henry, D., Zolghadri, A.: A nonlinear fault identification scheme for
reusable launch vehicles control surfaces. International Review of Aerospace Engineer-
ing (October 2008)
57. Lavigne, L., Zolghadri, A., Goupil, P., Simon, P.: Robust and early detection of oscil-
latory failure case for new generation airbus. In: AIAA GNC 2008, Honolulu, Hawaii.
AIAA (2008)
58. Lavigne, L., Zolghadri, A., Goupil, P., Simon, P.: Oscillatory failure case detection for
new generation airbus aircraft: a model-based challenge. In: Proceedings of the 47th
IEEE Conference on Decision and Control, Cancun, Mexico, pp. 1249–1254. IEEE,
Los Alamitos (2008)
59. Norgaard, M., Poulsen, N.K., Ravn, O.: New developments in state estimation for non-
linear systems. Automatica 36, 1627–1638 (2000)
60. Patton, R.J., Uppal, F.J., Simani, S., Polle, B.: Robust fdi applied to thruster faults of a
satellite system. In: Control Engineering Practice, 2009. ACA 2007 – 17th IFAC Sym-
posium on Automatic Control in Aerospace Special Issue (2007)
61. Venkateswaran, N., Siva, M., Goel, P.: Analytical redundancy based fault detection of
gyroscopes in spacecraft applications. ACTA Astronomica 50(9), 535–545 (2002)
62. Chen, W., Saif, M.: Observer-based fault diagnosis of satellite systems subject to time-
varying thruster faults. Transactions of the ASME 129, 352–356 (2007)
63. Jacobson, C.A., Nett, C.N.: An integrated approach to control and diagnosis for the
minimisation of uncertainties effects on residual generation. IEEE Control Systems
Magazine 11(6), 22–29 (1991)
64. Marcos, A., Balas, G.: A robust integrated controller/diagnosis aircraft application. In-
ternational Journal of Robust and Nonlinear Control 15, 531–551 (2005)
65. Mangoubi, R.: Robust estimation and failure detection: A concise treatment. Springer,
Heidelberg (1998)
66. Henry, D., Zolghadri, A., Castang, F., Monsion, M.: A new multi-objective filter design
for guaranteed robust fdi performance. In: Proceedings of CDC 2001, Orlando, Florida,
USA, pp. 173–178 (2001)
67. Marcos, A., Ganguli, S., Balas, G.: An application of h∞ fault detection and isolation to
a transport aircraft. Control Engineering Practice 13, 105–119 (2005)
68. Henry, D., Zolghadri, A.: Design and analysis of robust residual generators for systems
under feedback control. Automatica 41, 251–264 (2005)
69. Henry, D., Zolghadri, A.: Design of fault diagnosis filters: A multi-objective approach.
Journal of Franklin Institute 342(4), 421–446 (2005)
70. Castro, H.V., Bennani, S., Marcos, A.: Robust filter design for a re-entry vehicle. In:
Proceedings of the 7th International Conference on Dynamics and Control of Systems
and Structures in Space, Greenwich, UK (2006)
71. Castro, H.V., Bennani, S., Marcos, A.: Integrated vs decoupled fault detection filter
and flight control law designs for a re-entry vehicle. In: Proceedings of the 2006 IEEE
International Conference on Control Applications, Munich, Germany (2006)
72. Henry, D.: Fault diagnosis of the MICROSCOPE satellite actuators using h∞ /h− filters.
AIAA Journal of Guidance, Control, and Dynamics 31(3), 699–711 (2008)
73. Henry, D., Zolghadri, A., Castang, F., Monsion, M.: A multiobjective filtering approach
for fault diagnosis with guaranteed sensitivity performances. In: Proceedings of the 15th
IFAC World Congress, Barcelona, Spain. IFAC (2002)
74. Henry, D., Zolghadri, A.: h∞ /h− filters for fault diagnosis in systems under feedback
control. In: Proceedings of SAFEPROCESS 2003, Washington DC, USA, pp. 87–92.
IFAC (2003)
75. Henry, D., Zolghadri, A.: Norm-based design of robust fdi schemes for uncertain sys-
tems under feedback control: Comparison of two approaches. Control Engineering
Practice 14(9), 1081–1097 (2006)
76. Zolghadri, A., Castang, F., Henry, D.: Design of robust fault detection filters for mul-
tivariable feedback systems. International Journal of Modelling and Simulation 26(1),
17–26 (2006)
77. Kerr, M.L., Marcos, A., Penin, L.F., Bornschlegl, E.: Gain-scheduled fdi for a re-entry
vehicle. In: AIAA Guidance, Navigation and Control Conferences and Exhibit, Honolulu
- Hawaii, AIAA–2008–7266. AIAA (2008)
78. Hou, M., Patton, R.J.: An LMI approach to H∞ /H− fault detection observers. In: Pro-
ceedings of the UKACC International Conference, CONTROL 1996 (1996)
79. Hou, M., Patton, R.J.: An H∞ /H− approach to the design of robust fault diagnosis ob-
servers based upon LMI optimisation. In: Proceedings of the 4th European Control
Conference, ECC 1997, Brussels, July 1–4 (1997)
80. De Persis, C., De Sanctis, R., Isidori, A.: Nonlinear actuator fault detection and isolation
for a VTOL aircraft. In: Proceedings of the American Control Conference, June 2001,
pp. 4449–4454 (2001)
81. De Persis, C., Isidori, A.: On the observability codistributions of a nonlinear system.
Systems and Control Letters 40, 297–304 (2000)
82. Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Nonlinear Actuator Fault Detection and
Isolation for a General Aviation Aircraft. Space Technology – Space Engineering,
Telecommunication, Systems Engineering and Control 27, 107–113 (2007); Special
Issue on Automatic Control in Aerospace
83. Ioannou, P., Sun, J.: Robust Adaptive Control. PTR Prentice–Hall, Upper Saddle River
(1996)
84. Germani, A., Manes, C., Palumbo, P.: Filtering of Stochastic Nonlinear Differential
Systems via a Carleman Approximation Approach. IEEE Transactions on Automatic
Control 52, 2166–2172 (2007)
85. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. John Wiley and
Son, Chichester (2003)
86. Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Fault Detection and Isolation for On–
Board Sensors of a General Aviation Aircraft. International Journal of Adaptive Control
and Signal Processing 20, 381–408 (2006) (Copyright 2006 John Wiley & Sons, Ltd.)
87. Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Design and Performance Evaluation of
Residual Generators for the FDI of an Aircraft. International Journal of Automation
and Computing 4, 156–163 (2007), doi:10.1007/s11633–007–0156–7
88. Williams, B.C., Nayak, P.P.: A model-based approach to reactive self-configuring sys-
tems. In: Proceedings of the 13th National Conf. on Artificial Intelligence and 8th Inno-
vative Applications of Artificial Intelligence Conf., pp. 971–978. AAAI Press/The MIT
Press (1996)
89. Falcoz, A., Henry, D., Zolghadri, A.: Development of a robust model-based fault diag-
nosis technique for re-entry launch vehicles: A case study. Progress report (2007)
90. Falcoz, A., Henry, D., Zolghadri, A., Bornschleg, E., Ganet, M.: On-board model-based
robust fdir strategy for reusable launch vehicles (rlv). In: 7th International ESA Con-
ference on Guidance, Navigation and Control Systems, County Kerry, Ireland (2008)
91. Simani, S.: Identification of Residual Generators for Fault Detection and Isolation of
a Satellite Simulated Model. In: EUCA, I. (ed.) European Control Conference 2007 –
ECC 2007, Kos, Greece, July 2–5, vol. CD–Rom, pp. 2296–2303. EUCA, ICCS, IFAC,
ACPA & IEEE CSS (2007)
92. Patton, R.J., Uppal, F., Simani, S., Polle, B.: A Monte Carlo Analysis and Design for
FDI of a Satellite Attitude Control System. In: B. C. Department of Automation, Ts-
inghua University (ed.) SAFEPROCESS 2006, 6th IFAC Symposium on Fault Detec-
tion Supervision and Safety for Technical Processes, IFAC, Beijing, PR China, August
30 – September 1, vol. CDRom, pp. 1393–1398 (2006)
93. Patton, R.J., Uppal, F., Simani, S., Polle, B.: Monte–Carlo Reliability and Perfor-
mance Analysis of Satellite FDI System. In: IFAC (ed.) MECHATRONICS 2006 – 4th
IFAC Symposium on Mechatronic Systems, Heidelberg, Germany, September 12-14,
vol. CD–Rom, pp. 187–192. VDI VDE, IFAC (2006)
94. Patton, R.J., Uppal, F., Simani, S., Polle, B.: Robust FDI Applied to Thruster Faults of
A Satellite System. In: IFAC (ed.) ACA2007 – 17th IFAC Symposium on Automatic
Control in Aerospace, Toulouse, France, June 25–29, vol. CD–Rom, pp. 1–6. IFAC
ACA, IFAC (2007)
95. Patton, R.J., Uppal, F.J., Simani, S., Polle, B.: Reliable fault diagnosis scheme for a
spacecraft attitude control system. Journal of Risk and Reliability 222(2), 139–152
(2008); 6th IFAC SAFEPROCESS Special Issue. Professional Engineering Publishing
96. ESA, ESA – Mars Express – The Spacecraft, tech. rep., ESA – European Space Agency
(October 2005), http://www.esa.int/SPECIALS/MarsExpress/
97. Köenig, D., Patton, R.J.: New design of robust kalman filters for fault detection and
isolation. In: Chen, H.-F., Cheng, D.-Z., Zhang, J.-F. (eds.) 14th World Congress of
IFAC, Beijing, P.R. China, July 5-9, CD–ROM Paper P–7e–09–6 (1999)
98. Uppal, F.J., Patton, R.: Neuro–fuzzy uncertainty de–coupling: A multiple–model
paradigm for fault detection and isolation. International Journal of Adaptive Control
& Signal Processing 19(4), 281–304 (2005); Invited Special Issue Paper
99. Patton, R.J.: Fault-tolerant control: the 1997 situation (survey). In: Proceedings of IFAC
Symposium SAFEPROCESS 1997, pp. 1033–1055 (1997)
100. Chen, J., Patton, R.J., Chen, Z.: Active fault-tolerant flight control systems design using
the linear matrix inequality method. Trans. Inst. MC 21, 77–84 (1999)
3 FDD for Aeronautic and Aerospace Missions 127
101. Blanke, M., Frei, C.W., Kraus, F., Patton, R.J., Staroswiecki, M.: What is fault-tolerant
control? In: Proceedings of IFAC Symposium SAFEPROCESS 2000, pp. 40–51 (2000)
102. Cieslak, J., Henry, D., Zolghadri, A.: A methodoly for the design of active fault tolerant
systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006)
103. Cieslak, J., Henry, D., Zolghadri, A., Goupil, P.: Development of an on-board fault toler-
ant control strategy with application to the Garteur AG16 benchmark. In: Proceedings
of the 17th IFAC Symposium on Automatic Control in Aerospace, Toulouse, France
(2007)
104. Cieslak, J., Henry, D., Zolghadri, A.: An active fault tolerant flight control strategy
for safe recovery against trimmable horizontal stabilizer failure: a case study. AIAA
Journal of Guidance, Control, and Dynamics (2007) (to appear)
105. Cieslak, J., Henry, D., Zolghadri, A.: Une méthodologie pour la synthèse de systémes
de commande tolérants aux défauts, revue électronique e-STA (Sciences et technologies
pour l’automatique), vol. 1, pp. 19–26 (2007)
106. Blanke, M., Kinnaert, M., Lunze, M., Staroswiecki, M.: Diagnosis and fault tolerant
control, 2nd edn. Springer, New York (2008)
107. Bonfè, M., Castaldi, P., Simani, S.: Active Fault Tolerant Control Scheme for a Gen-
eral Aviation Aircraft Model. In: 17th Mediterranean Conference on Control and Au-
tomation (Makedonia Palace, Thessaloniki, Greece), Mediterranean Control Associa-
tion MCA, IEEE Control Systems Society CSS, IEEE Robotics & Automation Society
RAS, June 24–26 (2009) (accepted)
108. Bertozzi, N., Castaldi, P., Bonfè, M., Simani, S., Bertoni, G.: Integrated design of an
aircraft guidance system using feedback linearization. In: IFAC Workshop Aerospace
Guidance, Navigation and Flight Control Systems – AGNFCS 2009, Samara, RUSSIA,
IFAC Technical Committee on Automatic Control in Aerospace, Russian Academy of
Sciences (RAS), Samara Scientific Center (SSC), Department of Dynamics and Motion
Control, IFAC – International Federation of Automatic Control, June 30 -July 2, pp. 1–6
(2009) (accepted)
109. Bonfè, M., Castaldi, P., Simani, S.: Fault Diagnosis and Fault Tolerant Control Inte-
grated Designs Applied to a Civil Unmanned Aerial Vehicle (CUAV). In: Faculty of
Engineering CTAC, Coventry University Computing (eds.) 20th International Confer-
ence on Systems Engineering – ICSE 2009, Coventry, UK, September 2009, Control
Theory and Applications Centre, Coventry University, CTAC, Coventry University, in
cooperation with Technical University of Wroclaw, Wroclaw, Poland, and the Univer-
sity of Nevada, Las Vegas, USA (2009)
110. Patton, R.J., Putra, D., Klinkhieo, S.: A fault-tolerant control approach to friction com-
pensation. In: Proceedings of European Control Conference, ECC 2009 (2009); Invited
Session on FTC in Mechatronic Systems
111. Alwi, H., Edwards, C., Tan, C.P.: Sliding mode estimation schemes for incipient sensor
faults. Automatica 45(7), 1679–1685 (2009)
112. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor
& Francis, London (1998)
113. Edwards, C., Spurgeon, S.K., Patton, R.J.: Sliding mode observers for fault detection.
Automatica 36, 541–553 (2000)
114. Hermans, F.J.J., Zarrop, M.B.: Sliding mode observers for robust sensor monitoring.
In: Proceedings of the 13th IFAC World Congress, pp. 211–216 (1996)
115. Jiang, B., Staroswiecki, M., Cocquempot, V.: Fault estimation in nonlinear uncertain
systems using robust sliding–mode observers. IEE Proceedings: Control Theory & Ap-
plications 151, 29–37 (2004)
116. Khalil, H.K.: Nonlinear Systems. Prentice Hall, Englewood Cliffs (1992)
128 D. Henry, S. Simani, and R.J. Patton
117. Kim, Y.W., Rizzoni, G., Utkin, V.: Developing a fault tolerant power train system by
integrating the design of control and diagnostics. International Journal of Robust and
Nonlinear Control 11, 1095–1114 (2001)
118. Tan, C.P., Edwards, C.: Sliding mode observers for detection and reconstruction of
sensor faults. Automatica, 1815–1821 (2002)
119. Tan, C.P., Edwards, C.: Sliding mode observers for robust detection and reconstruction
of actuator and sensor faults. International Journal of Robust and Nonlinear Control 13,
443–463 (2003)
120. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992)
121. Wu, N.E., Zhang, Y., Zhou, K.: Detection, estimation, and accommodation of loss of
control effectiveness. International Journal of Adaptive Control and Signal Process-
ing 14, 775–795 (2000)
122. Yang, H., Saif, M.: Fault detection in a class of nonlinear systems via adaptive sliding
observer. In: Proceedings of the IEEE International Conference on Systems, Man and
Cybernetics, pp. 2199–2204 (1995)
123. Zhang, Y., Jiang, J.: Design of integrated fault detection, diagnosis and reconfigurable
control systems. In: Proceedings of the IEEE Conference on Decision and Control,
pp. 3587–3592 (1999)
124. Zhang, Y.M., Jiang, J.: Active fault-tolerant control system against partial actuator fail-
ures. IEE Proceedings: Control Theory & Applications 149, 95–104 (2002)
Chapter 4
Real-Time Identification of Aircraft Physical
Models for Fault Tolerant Flight Control
4.1 Introduction
The primary goal of aircraft fault tolerant flight control is to recover or
maintain safe flight when failures have occurred. Aircraft failures can be categorized
into subsystem failures and airframe/structural failures. Modern aircraft subsystems
are equipped with redundancies and failure detection systems for maintaining and
monitoring the health status of subsystems. However, when failures such as
engine separations, vertical tail loss, or wing separation (see Chapter 1) have occurred
to aircraft, the airframe/structure of the aircraft will experience significant changes.
These failures are not detected by current on-board monitoring systems. As a
consequence of these failures, the aerodynamic model and even the mass/inertia properties
of the aircraft will be obviously different from their nominal forms. The basic flight
control system designed for the nominal aircraft will suffer from the new
configuration of the vehicle. In most cases, the human pilot will take over from the automatic
flight control system (autopilot) when unexpected behaviour has been recognised,
and will try to handle the aircraft manually. Experienced pilots have been trained for
handling aircraft with a limited number of failures. However, unsuccessful recovery
of the flight may still happen due to human errors or limitations imposed by the
Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: q.p.chu@tudelft.nl
Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl
Jan Breeman
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 129–155.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
130 P. Chu, J.A. (Bob) Mulder, and J. Breeman
Fig. 4.1 Delft University DHC2 Beaver PH-VTH, photo by Jack Wolbrink
Fig. 4.2 NLR Hawker Hunter MK7, PH-NLH, copyright Richard Vandervord, via airliners.net
the engine manufacturer. An overview of the results of these very successful flight
tests is given in Ref. [29].
Around 1978, further flight test programs were planned aiming at aircraft model
identification both in symmetric and asymmetric nonsteady manoeuvring flight in
an international cooperative program with DLR in Braunschweig, Germany. The
results of these investigations were reported in Ref. [33]. The method for parameter
identification developed at DUT was by then dubbed the Two-Step Method: in the
first step, the flight path is reconstructed, followed by the second step in which
the parameters are identified. Based upon the confidence and experience gained in
methods and analysis, further flight test programs were carried out by the National
Aerospace Laboratory (NLR) to investigate the applicability of this method for the
case of a twin-engined transport type aircraft, the Fokker F28 Fellowship. Initial
results of the assessment of performance and stability and control characteristics
were reported in Ref. [2]. The techniques developed in the course of these flight
test programs were subsequently applied with a high degree of success during the
testing and development phase of the Fokker 50 and Fokker 100 type aircraft (Ref.
[3]). In 1987 flight simulation models were developed for the Cessna Citation 500
of the Dutch Government civil aviation flying school (RLS) flight simulator (Ref.
[29]) based on the same technique.
The National Aerospace Laboratory and Delft University of Technology have
cooperated in a flight test program with the Fairchild Metro II experimental
aircraft owned by NLR. These experiments have demonstrated that estimation of the
aircraft state, as well as the identification of longitudinal and lateral aerodynamic
model parameters can be performed on-board in real time (Refs. [20], [19], [22]).
In the same flight test programme, attention was focused on different measurement
and analysis methods to identify propeller thrust in dynamic flight test manoeuvres
(Ref. [26]).
4 Real-Time Identification of Aircraft Physical Models for FTFC 133
(a) Fokker F28 PH-JHG, photo by Klaus P. Krapp
(b) RLS Cessna Citation 500, PH-CTF, © Erik Frikke, via airliners.net
Fig. 4.3 Fokker F28, Cessna Citation 500, Fokker 50 and 100
The new flight test instrumentation system even offers the capability of
measuring the attitude of the aircraft using a GPS multi antenna receiver (see Fig. 4.6) to
calibrate rotational rate sensors in flight.
With the new instrumentation system, many successful flight tests were
performed and a flight simulation model of the Citation II was obtained under the
support of the Dutch Applied Science foundation (STW).
Thus, this successful chain of experiments and analyses amply demonstrated that
the nonsteady flight test techniques developed and tested at the Delft University of
Technology and the National Aerospace Laboratory were proven, cost effective
and well established techniques for the measurement of performance and stability
and control characteristics as required for the certification of aircraft.
The goals of most flight test programs for civil and military aircraft are the
certification for airworthiness and the estimation of performance and stability and control
characteristics. While certain characteristics can be measured directly in flight such
as rate of climb in stationary rectilinear flight or damping ratios and time constants
of eigenmotions, a much more efficient approach is to start with the
mathematical model of the aerodynamic forces and moments from measurements of dynamic
flight test manoeuvres. Identification implies the development of an adequate
mathematical model structure as well as estimation of the numerical values of the
parameters in the model. When applied to aircraft, this process is often referred to
as aircraft parameter identification. After successful identification of aerodynamic
models for different aircraft configurations and flight conditions they may be
exploited in numerous different ways. It is possible now to compute a variety of
performance and stability and control characteristics, to compile tables and graphs for
Aircraft Operations Manuals and compare actual aerodynamic characteristics with
theoretical predictions using Computational Fluid Dynamics (CFD) or wind tunnel
results. A very interesting application is the enhancement of the fidelity of
mathematical models for flight simulation. During the last two decades, the advent of the
digital computer and improvements in flight measurement techniques have made a
tremendous impact on the theory and practice of aircraft parameter identification.
Stability and control derivatives are the parameters in a linear aerodynamic model
of the aircraft. Linear aerodynamic models can be represented by homogeneous
polynomials of the first degree in the state and control input variables of the
linearized equations of motion. Such polynomials are widely used as linear
approximations of aerodynamic forces and moments acting on the aircraft in dynamic flight
conditions. In general the domain in which linear models are valid is restricted to
small deviations from a nominal flight condition. The advantage of using nonlinear
models is that such models should be valid for a larger range of flight conditions
and that flight test manoeuvres are much less constrained in terms of manoeuvre
amplitudes. A proven way of representing nonlinear models is by using higher
order polynomials in the state and control input variables. In principle, the domain of
nonlinear models covers larger deviations from a given nominal flight condition, as
compared to linear models.
This chapter presents and discusses a successful and practical method for aircraft
parameter identification that has originated at the Delft University of Technology.
This method is referred to here as the Two-Step Method (Ref. [28]), although one
may find other names like Estimation Before Modelling (EBM) in the literature. The
chapter goes into some detail on the two-step method as an attractive and efficient
identification tool for real-time aircraft aerodynamic model identification for fault
tolerant flight control.
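where the average radius of the earth Re = 6367434 m. The relation between the
time derivatives of the Euler angles φ, θ, ψ and the rotational rates p, q, r in the
body-fixed reference frame is:
$$
\begin{aligned}
\dot{\phi} &= p + q\sin\phi\tan\theta + r\cos\phi\tan\theta - \left(\frac{U_E}{R} + \Omega\cos\delta\right)\frac{\cos\psi}{\cos\theta} + \frac{U_N\sin\psi}{R\cos\theta},\\
\dot{\theta} &= q\cos\phi - r\sin\phi + \left(\frac{U_E}{R} + \Omega\cos\delta\right)\sin\psi + \frac{U_N\cos\psi}{R},\\
\dot{\psi} &= q\sin\phi\sec\theta + r\cos\phi\sec\theta + \left(\frac{U_E}{R} + \Omega\cos\delta\right)\tan\theta\cos\psi + \frac{U_N\tan\theta\sin\psi}{R} + \frac{U_E\tan\delta}{R} + \Omega\sin\delta
\end{aligned}
\tag{4.4}
$$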
In Eq. (4.3) Ax, Ay and Az denote the aerodynamic specific force components
directly sensed by ideal accelerometers. From these follow the aerodynamic forces X = m Ax,
Y = m Ay and Z = m Az, and the dimensionless aerodynamic force coefficients
$C_X = \frac{X}{\frac{1}{2}\rho V^2 S}$, $C_Y = \frac{Y}{\frac{1}{2}\rho V^2 S}$ and $C_Z = \frac{Z}{\frac{1}{2}\rho V^2 S}$, where ρ, V and S are the air density, true
airspeed and wing area. The aircraft rotational motion can be described by Euler's
dynamic equation. Assuming that the aircraft inertia matrix is given by I, Euler's
equation has the following form:
$$
\dot{\omega} = I^{-1}\left(T - \omega \times I\omega\right) \tag{4.5}
$$
where $\omega = [p\ q\ r]^T$ denotes the rotational rate vector and $T = [L\ M\ N]^T$ is the total
moment vector about the centre of gravity of the aircraft. The dimensionless moment
coefficients about each axis follow from
$$
C_l = \frac{L}{\frac{1}{2}\rho V^2 S b}, \qquad C_m = \frac{M}{\frac{1}{2}\rho V^2 S c} \qquad \text{and} \qquad C_n = \frac{N}{\frac{1}{2}\rho V^2 S b}
$$
with the wing span b and aerodynamic mean chord c.
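The observations of the system are provided by the flight instrumentation system
including inertial sensors, airdata sensors and satellite radio navigation devices. The
observation model is given after laboratory calibrations (Ref. [28]) as
1. inertial sensors
$$
\begin{bmatrix} A_{xm} \\ A_{ym} \\ A_{zm} \end{bmatrix} = \begin{bmatrix} A_x \\ A_y \\ A_z \end{bmatrix} + \begin{bmatrix} \lambda_x \\ \lambda_y \\ \lambda_z \end{bmatrix}; \qquad \begin{bmatrix} p_m \\ q_m \\ r_m \end{bmatrix} = \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{4.6}
$$
2. airdata sensors
$$
\begin{aligned}
V &= \sqrt{(U_N - W_N)^2 + (U_E - W_E)^2 + (U_D - W_D)^2}\\
\alpha &= \arctan\frac{(U_N - W_N)(c\phi\, s\theta\, c\psi + s\phi\, s\psi) + (U_E - W_E)(c\phi\, s\theta\, s\psi - s\phi\, c\psi) + (U_D - W_D)\, c\phi\, c\theta}{(U_E - W_E)\, c\theta\, c\psi + (U_E - W_E)\, c\theta\, s\psi - (U_E - W_E)\, s\theta}\\
\beta &= \arctan\frac{(U_N - W_N)(s\phi\, s\theta\, c\psi - c\phi\, s\psi) + (U_E - W_E)(s\phi\, s\theta\, s\psi + c\phi\, c\psi) + (U_D - W_D)\, s\phi\, c\theta}{(U_E - W_E)\, c\theta\, c\psi + (U_E - W_E)\, c\theta\, s\psi - (U_E - W_E)\, s\theta}
\end{aligned}
\tag{4.7}
$$
where λ and W are the known sensor biases and wind velocity components.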
Combining all these equations in a general form, the aircraft model is given as
The dimensionless force and moment coefficients can be expressed in terms of
aerodynamic, engine thrust and control surface deflection angle variables. This is called
the aerodynamic model.
Applying the output-error method (Ref. [1]), the unknown parameters ξ are
estimated by minimizing the negative logarithm of the likelihood function composed
of the output errors:
$$
\ell(\xi) = \frac{1}{2}\sum_{k=1}^{N} \mu(k,\xi)^T\, V_v^{-1}(\xi)\, \mu(k,\xi) + \frac{N}{2}\ln\det V_v(\xi) \tag{4.10}
$$
where μ(k, ξ) is the computed system output error vector and Vv(ξ) is the
covariance matrix of the output errors.
Since the state and the parameter estimation problems are solved simultaneously,
the method may be termed the One-Step Method (OSM) (Ref. [28]).
The aircraft model to be used for the following discussion is a reorganization of
the same model as used in the one-step method in the sense that the accelerometers
and the rate gyros serve as system inputs.
With this organization of the model, the unknown parameter vector ξ can be
separated into two sets $\xi = [\xi_1^T\ \xi_2^T]^T$ in which ξ1 consists only of unknown
parameters from the flight test instrumentation system. These parameters are biases
and scale factors in the models of the inertial and air data transducers. The ξ2 are
the aerodynamic parameters. The aircraft model can then be written in the following
form:
It should be noticed that in order to meet this model, certain conditions have to be
satisfied. These are:
1. The mass and inertial characteristics have to be known.
2. The measured or calculated angular acceleration must be available.
It can be seen that the aerodynamic model only appears in the second observation
equation. The first observation equation only consists of air data measurements. It
can also be recognized that the system outputs consist of um1 and um2 . The um1
denote the measured quantities of specific forces and the rotation rates and um2
represents the elevator deflection and the thrust force. The process noise vector w(t)
then consists of the measurement noise of the accelerometers and rate gyros.
Although the system state equations are decomposed from aerodynamic models,
y2 will be compatible if and only if the state variables x , parameters ξ1 and measured
quantities um1 and um2 are the true values. Therefore the system model is not totally
decomposed. In this situation, joint state and parameter estimation is the only viable
solution.
Using the Maximum Likelihood method all the parameters ξ may be estimated
by minimizing the negative logarithm of the likelihood function composed of the
prediction errors:
$$
\ell(\xi) = \frac{1}{2}\sum_{k=1}^{N} \mu(k|k-1,\xi)^T\, V_\mu^{-1}(k|k-1,\xi)\, \mu(k|k-1,\xi) + \frac{1}{2}\sum_{k=1}^{N} \ln\det V_\mu(k|k-1,\xi) \tag{4.12}
$$
(a) High performance accelerometers as part of TU Delft flight test instrumentation system, source: Honeywell
(b) High performance fiber optical rate sensors as part of TU Delft flight test instrumentation system, source: Fizoptika
(c) Inertial sensor calibration facility at TU Delft, source: Acutronic
Fig. 4.7 Inertial measurement unit equipment used at Delft University of Technology
$$
{}+ \frac{1}{2}\sum_{k=1}^{N} \mu_2^T(k,\xi)\, V_{v_2}^{-1}(\xi_2)\, \mu_2(k,\xi) + \frac{N}{2}\ln\det V_{v_2}(\xi_2) = \ell_1(\xi_1) + \ell_2(\xi)
$$
in which $\mu_1$, $\mu_2$, $V_{v_1}$, and $V_{v_2}$ are the calculated output errors and corresponding
covariance matrices with
$$
V_v(\xi) = \begin{bmatrix} V_{v_1}(\xi_1) & 0 \\ 0 & V_{v_2}(\xi_2) \end{bmatrix}
$$
It may be seen from Eq. (4.14) that the likelihood function is now decomposed into
two terms with respect to two observation models. All cross coupling terms in Eq.
(4.12) are neglected (Ref. [4]).
The necessary condition for a minimum of Eq. (4.14) is:
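$$
\frac{\partial \ell(\xi)}{\partial \xi} = \begin{bmatrix} \dfrac{\partial \ell_1(\xi_1)}{\partial \xi_1} \\ 0 \end{bmatrix} + \begin{bmatrix} \dfrac{\partial \ell_2(\xi)}{\partial \xi_1} \\ \dfrac{\partial \ell_2(\xi)}{\partial \xi_2} \end{bmatrix} = 0 \tag{4.15}
$$
and:
$$
\begin{aligned}
\frac{\partial \ell_2(\xi)}{\partial \xi_{2i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\, \mu_2(k,\xi)\\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_2^T(k,\xi)\, V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\, \mu_2(k,\xi)\\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}} \right] = 0; \quad (i = 1, 2, \ldots, L_2)
\end{aligned}
\tag{4.17}
$$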
in which L1 and L2 are the sizes of the parameter sets ξ1 and ξ2 respectively.
Eq. (4.16) shows that the gradient of the second term of the likelihood function
with respect to the first set of parameters ξ1 should also be evaluated to satisfy the
minimization condition because the second output error vector is also a function
of the first set of parameters ξ1. This leads to the following assumption which has
to be made:
Assumption 2: With only the first set of observation equations y1(t) the
identifiability of parameter ξ1 is guaranteed, and the state variables x(k) and parameters ξ1 can
be estimated by minimizing the first term of the likelihood function.
In order to satisfy this assumption, the flight instrumentation system should make
information available about ground velocity, air velocity, altitude, and aircraft
attitude. This is in practice achievable with modern flight instrumentation systems.
With this assumption, the contribution from the second observation equation can be
neglected with respect to the estimation accuracy. It is equivalent to the case that the
second output error vector only takes the estimated states and parameters as perfect
measurements, therefore, μ2(k, ξ) is no longer a function of ξ1, i.e.:
The gradient of the second likelihood function with respect to the first set of
parameters is then:
$$
\frac{\partial \ell_2(\xi)}{\partial \xi_1} = \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi_2)}{\partial \xi_1}\, V_{v_2}^{-1}(\xi_2)\, \mu_2(k,\xi_2) = 0 \tag{4.19}
$$
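The necessary conditions in Eqs. (4.16), (4.17) become:
$$
\begin{aligned}
\frac{\partial \ell_1(\xi_1)}{\partial \xi_{1i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_1^T(k,\xi_1)}{\partial \xi_{1i}}\, V_{v_1}^{-1}(\xi_1)\, \mu_1(k,\xi_1)\\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_1^T(k,\xi_1)\, V_{v_1}^{-1}(\xi_1)\, \frac{\partial V_{v_1}(\xi_1)}{\partial \xi_{1i}}\, V_{v_1}^{-1}(\xi_1)\, \mu_1(k,\xi_1)\\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_1}^{-1}(\xi_1)\, \frac{\partial V_{v_1}(\xi_1)}{\partial \xi_{1i}} \right] = 0; \quad (i = 1, 2, \ldots, L_1)
\end{aligned}
\tag{4.20}
$$
and:
$$
\begin{aligned}
\frac{\partial \ell_2(\xi)}{\partial \xi_{2i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi_2)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\, \mu_2(k,\xi_2)\\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_2^T(k,\xi_2)\, V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\, \mu_2(k,\xi_2)\\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}} \right] = 0; \quad (i = 1, 2, \ldots, L_2)
\end{aligned}
\tag{4.21}
$$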
Now the original joint state and parameter estimation problem, Eq. (4.12), is solved
in two consecutive steps. In the first step, named Flight Path Reconstruction
(Refs. [14], [7], [5], [6], [30]), the state trajectory is estimated simultaneously
with some unknown parameters from the flight test instrumentation system, Eq. (4.20),
while the aerodynamic parameters are estimated in the second step, Eq. (4.21). The method
is then called the two-step method (Refs. [28], [32]).
The above discussion shows that in the limiting case, the two-step method
may produce the same results as the joint state and parameter estimation algorithm,
i.e. the one-step Maximum Likelihood method. This limiting case requires an accurate
flight test instrumentation system to make the flight path reconstruction perfect, i.e.:
The second set of the observation equations, which is in fact the aerodynamic model,
is now written as:
It should be noticed that Eq. (4.24) is usually not compatible due to the errors in
xm, um1, um2, and ξ1m, i.e.:
$$
y_{m2}(k) = H_m[x_m(k), u_{m1}(k), u_{m2}(k), \xi_{1m}]\,\xi_2 + v_2(k) \tag{4.26}
$$
where Hm[xm(k), um1(k), um2(k), ξ1m] is a matrix of the variables xm, um1, um2 and
ξ1m. Since these variables are all available, this matrix may be called a data matrix.
The model becomes now a set of linear regression equations and the estimation
problem for this type of model is easier to solve than nonlinear models. This is
considered to be a great advantage of the two-step method.
Eq. (4.26) can further be written in terms of the total number of samples:
$$
Y_m = \Xi_m \xi_2 + \zeta \tag{4.27}
$$
in which:
It is shown from the aerodynamic model Eq. (4.3) that the aerodynamic parameters
are all independent from each other. Therefore, the multi-output parameter
estimation problem of Eq. (4.29) can be simplified to a number of single-output parameter
estimations. For each parameter estimation problem the Maximum Likelihood
parameter estimation is reduced to a Least Squares estimation problem (Ref. [4]):
$$
\hat{\xi}_{2ML}^{(i)} = \left(\Xi_m^{(i)T}\, \Xi_m^{(i)}\right)^{-1} \Xi_m^{(i)T}\, Y_m^{(i)} = \hat{\xi}_{2LS}^{(i)} \tag{4.32}
$$
In Eq. (4.32) index i denotes the ith aerodynamic model. In the present case i =
1, 2, 3, see Eq. (4.3). The index i will be dropped in the following discussions for
simplicity.
Ξm = Ξ (4.33)
it is shown below that the Least Squares estimates of aerodynamic model
parameters are unbiased when measurement noise is independent from the measured
data matrix and moreover that they are efficient if the measurement noise is Gaussian
distributed.
The expectation of the Least Squares estimates of parameter ξ2 is:
$$
E\left\{\hat{\xi}_{2LS}\right\} = E\left\{(\Xi^T \Xi)^{-1} \Xi^T Y_m\right\} = \xi_2 + E\left\{(\Xi^T \Xi)^{-1} \Xi^T \zeta\right\} \tag{4.34}
$$
This means that the measured data matrix should be independent of the
measurement noise. This is the case when the measurement noise ζ is white, then:
$$
E\left\{(\Xi^T \Xi)^{-1} \Xi^T \zeta\right\} = E\left\{(\Xi^T \Xi)^{-1} \Xi^T\right\} E\{\zeta\} = 0 \tag{4.36}
$$
Comparing Eqs. (4.41) and (4.37) the Least Squares estimation is efficient.
B. In the imperfect flight path reconstruction case the measured data matrix can
approximately be written in terms of a sum of the true data matrix and an additional
error term:
$$
\Xi_m = \Xi + \Delta\Xi \tag{4.42}
$$
The Least Squares estimates of ξ2 can be calculated if the error term is known.
Unfortunately, this error term is usually an unknown and the Least Squares
method only takes the measured data matrix with errors to calculate the Least
Squares estimates of the unknown parameters ξ2 using the incompatible
observation equations Eq. (4.25):
Eq. (4.44) shows that even when the noise is white the Least Squares method
using an incorrectly measured data matrix still produces biased estimates of
parameters. The estimation bias is given by:
$$
E\left\{(\Xi_m^T \Xi_m)^{-1} \Xi_m^T \Delta\Xi\right\} \xi_2 \tag{4.45}
$$
Comparing Eqs. (4.46) and (4.37), the Least Squares estimation is not efficient
because of the errors in the data.
4.4.1 Preliminaries
The ordinary least-squares problem deals with the determination of the vector $x \in \Re^n$
that minimizes $\|Ax - b\|_2$, in which the matrix of independent variables $A \in \Re^{m \times n}$
and the vector of dependent variables $b \in \Re^m$ are the known elements in
the overdetermined set of equations $b \approx Ax$. If rank(A) equals the dimension of
the parameter vector n, the least-squares problem has the unique solution
$x_{LS} = (A^T A)^{-1} A^T b$ (Refs. [11], [36]). The recursive least-squares algorithm computes the
solution to the LS problem for $A_m^T = [A_{m-1}^T, a_m^T]$ and $b_m^T = [b_{m-1}^T, b_m]$ from the
solution for the case $A_{m-1}$, $b_{m-1}$. If the matrix $A_m^T A_m = A_{m-1}^T A_{m-1} + a_m^T a_m$ is written
as $P_{m-1}^{-1} + a_m^T I a_m$, the matrix inversion lemma can be used to yield
$$
(A_m^T A_m)^{-1} = P_m = P_{m-1} - \frac{P_{m-1}\, a_m^T a_m\, P_{m-1}}{1 + a_m P_{m-1} a_m^T} \tag{4.47}
$$
in which the remaining inverse is scalar. Setting $k = (P_{m-1} a_m^T)/(1 + a_m P_{m-1} a_m^T)$
and using (4.47), the recursive least-squares estimator consists of the following two
steps after the computation of k:
$$
\begin{aligned}
P_m &= P_{m-1} - k\, a_m P_{m-1}\\
x_m &= x_{m-1} + k\,(b_m - a_m x_{m-1})
\end{aligned}
\tag{4.48}
$$
Because the matrix A contains the set of row vectors of explanatory variables - one
for each measurement - and the rank of a matrix equals its number of independent
row vectors, rank(A) cannot decrease when a new measurement is added. Once
enough independent measurements have been collected, the matrix $A^T A$ therefore
cannot become rank deficient again, although its condition may deteriorate. This
ensures successful propagation of the matrix P, a property that will prove useful for
the sequential TLS as well.
The total least-squares solution for the overdetermined set $b \approx Ax$ is the vector
that satisfies the approximate set of compatible equations $\hat{b} \approx \hat{A} x_{TLS}$, for which the
Frobenius norm $\|[A, b] - [\hat{A}, \hat{b}]\|_F$ is minimal (Ref. [36]). If $U \Sigma V^T$ is the singular
value decomposition of $[A, b]$ where $\Sigma = \mathrm{diag}(\sigma_1, \ldots, \sigma_n, \sigma_{n+1})$ contains the ordered
set of real singular values for which $\sigma_i \geq \sigma_{i+1}$, then the closest approximate set of
rank n is $U \hat{\Sigma} V^T$ with $\hat{\Sigma} = \mathrm{diag}(\sigma_1, \ldots, \sigma_n, 0)$. The desired solution $x_{TLS}$ must then
satisfy $U \hat{\Sigma} V^T [x_{TLS}^T, -1]^T = 0$. Hence, the vector $[x_{TLS}^T, -1]^T$ is part of the kernel
of $U \hat{\Sigma} V^T$ and must be perpendicular to the first n column vectors of V. As V is
orthonormal, the desired vector equals the last column vector of V.
$$
P_m = P_{m-1} - \frac{p^T p}{1 + p\,[a_m, b_m]^T} \tag{4.49}
$$
with $p = [a_m, b_m] P_{m-1}$. If the actual estimate is required, it can be computed by
updating the eigenvector estimate v in the iteration
In Eq. (4.50) $v_{k,n+1}$ denotes the (n + 1)th element of the vector $v_k$. By dividing the
vector by its last element, an explosion of the iterated vector and potential numerical
problems are avoided. Because eigenvectors can arbitrarily be scaled, this does not
influence the iteration itself. Instead, because the last element of the vector is
repeatedly scaled to 1, $v_{k+1,n+1}$ converges to the largest eigenvalue of P and can be used
as a convergence requirement for the iteration: The dominant eigenvector is found
when the difference between $v_{k,n+1}$ and $v_{k+1,n+1}$ drops below a preset convergence
requirement. By choosing $v_0 = [0, \ldots, 0, 1]^T$, it is guaranteed that the vector has
a component along the desired eigenvector. Because the converged vector can be
used as starting point for a later iteration when P has been updated, v needs only
to be initialized once. Finally, the actual parameter estimate is obtained from the
eigenvector estimate:
$$
x_{TLS} = -v_{1:n}/v_{n+1} \tag{4.51}
$$
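The recursions of Eqs. (4.47) to (4.49) and the estimate of Eq. (4.51), run on data with an erroneous data matrix as in Eq. (4.42), as an added Python example (not code from the chapter or its authors). Eq. (4.50) is not reproduced above, so the power iteration is written from the description in the text; the function names, the initialisation P0 = 10^4 I and x0 = 0, the true parameters and the noise levels are assumptions, and the data are constructed.

```python
import random

def rank_one_update(P, row):
    """P_m = P_{m-1} - p^T p / (1 + p row^T), p = row P_{m-1}: Eqs. (4.47) and (4.49)."""
    n = len(row)
    p = [sum(row[i] * P[i][j] for i in range(n)) for j in range(n)]
    denom = 1.0 + sum(p[j] * row[j] for j in range(n))
    return [[P[i][j] - p[i] * p[j] / denom for j in range(n)] for i in range(n)]

def rls_step(P, x, a, b):
    """One recursive least-squares step, Eq. (4.48), for regressor row a and sample b."""
    n = len(a)
    Pa = [sum(P[i][j] * a[j] for j in range(n)) for i in range(n)]
    denom = 1.0 + sum(a[i] * Pa[i] for i in range(n))
    k = [value / denom for value in Pa]              # gain vector k
    innovation = b - sum(a[i] * x[i] for i in range(n))
    x_new = [x[i] + k[i] * innovation for i in range(n)]
    return rank_one_update(P, a), x_new              # P - k a P is the same rank-one form

def tls_estimate(P, v, tol=1e-12, max_iter=500):
    """Dominant eigenvector of P by power iteration (assumed form of Eq. (4.50)),
    scaled so that its last element is 1, followed by Eq. (4.51)."""
    prev = None
    for _ in range(max_iter):
        w = [sum(Pi[j] * v[j] for j in range(len(v))) for Pi in P]
        last = w[-1]                                 # tends to the largest eigenvalue of P
        if abs(last) <= 1e-12 * max(abs(wi) for wi in w):
            raise ValueError("last eigenvector element vanishes: no TLS solution")
        v = [wi / last for wi in w]
        if prev is not None and abs(last - prev) <= tol * abs(last):
            break
        prev = last
    else:
        raise RuntimeError("power iteration did not converge")
    x = [-vi / v[-1] for vi in v[:-1]]               # Eq. (4.51)
    return x, v, last

def run(m=2000, sigma=0.5, seed=1):
    """Constructed data: b = a_true . x_true + noise, but only a_true + noise is measured."""
    rng = random.Random(seed)
    x_true = [2.0, -1.0]                             # assumed parameter values
    n = len(x_true)
    P_ls = [[1e4 * (i == j) for j in range(n)] for i in range(n)]          # assumed P0
    P_tls = [[1e4 * (i == j) for j in range(n + 1)] for i in range(n + 1)]
    x_ls = [0.0] * n
    v = [0.0] * n + [1.0]                            # v0 = [0, ..., 0, 1]^T
    for _ in range(m):
        a_true = [rng.gauss(0.0, 1.0) for _ in range(n)]
        b = sum(ai * xi for ai, xi in zip(a_true, x_true)) + rng.gauss(0.0, sigma)
        a_meas = [ai + rng.gauss(0.0, sigma) for ai in a_true]             # Xi + Delta Xi
        P_ls, x_ls = rls_step(P_ls, x_ls, a_meas, b)
        P_tls = rank_one_update(P_tls, a_meas + [b])                       # row [a_m, b_m]
    x_tls, v, _ = tls_estimate(P_tls, v)
    return x_true, x_ls, x_tls

def err(x, x_true):
    """Euclidean distance between an estimate and the true parameter vector."""
    return sum((a - b) ** 2 for a, b in zip(x, x_true)) ** 0.5

if __name__ == "__main__":
    x_true, x_ls, x_tls = run()
    print("true", x_true, "RLS", x_ls, "sequential TLS", x_tls)
```

With equal noise variance on the regressors and on b, the least-squares estimate shrinks towards zero while the total least-squares estimate stays close to the true values; with sigma=0 both recover them.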
reliable model in flight. During normal flight with an undamaged aircraft, such a
model can best be based on an extensive set of aerodynamic data, which has been
previously built on the results of flight testing in different parts of the flight envelope.
A structure with different hyperboxes for different Mach numbers and angles of
attack can be used to provide the best estimation of the behaviour of an undamaged
aircraft. The flight controller can fully rely on this data to control the aircraft.
Based on different error criteria, the best aerodynamic model available will be
chosen to be forwarded to the model-based controller. This means that the on-line
estimated aerodynamic model will only be used if the aircraft encounters a failure.
As long as an aircraft is not damaged, the aerodynamic models originating from the
database will be the most accurate source.
When a failure does occur, a different situation is created, in which the
aerodynamic models originating from the database lose their reliability. A successful fault
tolerant flight control (FTFC) system will need to take two crucial steps in order to
adapt the controller to this new situation.
I. Trigger reconfiguration. This means that the control system needs to realize
that the current aerodynamic model (originating from the available aerodynamic
database) is not sufficiently accurate. The difficulty of this step is to create a sys-
tem which is both sufficiently reliable and sensitive to make a correct decision
for reconfiguration, without pilot interference.
II. Loading the on-line identified model of the damaged aircraft into the control
system. As soon as the conclusion is drawn that the model from the database
is unreliable, the on-line identified model can be loaded. This identification has
continuously been performed during the flight, meaning it is readily available for
uploading.
Fig. 4.8 Trigger for reconfiguration and real-time aerodynamic model identification
(block diagram; blocks: Aircraft, Real-time identification of aerodyn. model, Database
aerodynamic models, Choose most accurate model, Trigger reconfig.; output to controller:
output of most accurate aerodyn. model available)
Fig. 4.9 An example of model based adaptive flight controller using on-line identified aircraft
physical model
In order to remove the compromise between data loss and adaptivity which is the
negative effect of the use of a forgetting factor in any recursive parameter estimation
approach, a different approach is now suggested. The use of a forgetting factor
λ < 1 has been shown to be useful in making the identification adaptive to model
changes over time. The effect of this forgetting factor is that the covariance matrix
P does not reduce to zero, but constantly grows whenever the input channels are
excited insufficiently. A solution to the problem of data loss and model instability
would be to artificially increase the covariance matrix P only when the current
model cannot be relied upon anymore. In this way, no data will be lost during nor-
mal flight, maintaining the quality of the model also in constant flight conditions. In
case an error occurs that affects the model, the aircraft will move (or this induced
movement will be counteracted by the nominal flight control system), creating suf-
ficient data on the input channels to identify the new model within a limited time
span.
The major requirement for this procedure is that reliable information is available
about the quality of the aerodynamic model. In Ref. [12], the authors describe a
procedure to use the innovation (difference between the model prediction and the
actual behaviour of the system or aircraft) as a measure for the quality of the model.
The absolute value of the innovation does not only depend on the model quality, but
also on the noise in the input channels, which makes it unsuitable for quality de-
termination. Instead, the ‘whiteness’ of the innovation is used as a quality measure,
since a perfect model would have a residual comparable to the noise present in the
input signals.
Once the whiteness criterion has suggested that the current model contains errors,
reconfiguration will take place. The covariance matrix of the parameter estimator
gives a measure of the quality of the data that has entered the identification.
Without a forgetting factor, this ‘data richness’ can only improve, since all informa-
tion from previous measurements is retained. This results in a gradual ‘freezing’ of
the parameter values, since every new data point is weighted less in the parameter
identification. When it is concluded that the real-life situation has changed to such
an extent that the identified model is not valid anymore, this old data should be dis-
regarded. By artificially returning the covariance matrix to its initial state (a matrix
with relatively large values), the parameters are more influenced by new measure-
ments and can be identified based on the flight data of the aircraft in its new, changed
situation. The newly identified model will be available to be presented to a model
based adaptive flight controller. Fig. 4.9 illustrates an example of this type of flight
controller.
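The procedure of this section (no forgetting factor, whiteness check on the innovation, covariance reset on a detected change) is sketched below in Python as an added example, not code from the chapter. The two-parameter model, the sinusoidal excitation, the lag-1 autocorrelation test with its threshold, window and hold-off, and all numerical values are assumptions constructed for illustration.

```python
import math
import random
from collections import deque


class ResettingRLS:
    """Recursive least squares without forgetting factor; the covariance
    matrix P is returned to its initial value when the innovation is no
    longer white (assumed test: lag-1 autocorrelation over a window)."""

    def __init__(self, n, p0=100.0, window=50, rho_max=0.7, holdoff=10,
                 allow_reset=True):
        self.n, self.p0 = n, p0
        self.theta = [0.0] * n
        self.P = self._initial_p()
        self.innov = deque(maxlen=window)
        self.rho_max, self.holdoff = rho_max, holdoff
        self.allow_reset = allow_reset
        self.skip = holdoff  # samples not monitored while estimates settle

    def _initial_p(self):
        return [[self.p0 if i == j else 0.0 for j in range(self.n)]
                for i in range(self.n)]

    def lag1_autocorrelation(self):
        # Normalised, so it does not depend on the noise level itself
        e = list(self.innov)
        energy = sum(x * x for x in e)
        if not energy:
            return 0.0
        return sum(a * b for a, b in zip(e[1:], e[:-1])) / energy

    def update(self, phi, y):
        """One RLS step; returns True when P was reset on this sample."""
        e = y - sum(p * t for p, t in zip(phi, self.theta))  # innovation
        p_phi = [sum(pij * pj for pij, pj in zip(row, phi)) for row in self.P]
        denom = 1.0 + sum(p * q for p, q in zip(phi, p_phi))
        gain = [q / denom for q in p_phi]
        self.theta = [t + g * e for t, g in zip(self.theta, gain)]
        self.P = [[self.P[i][j] - gain[i] * p_phi[j] for j in range(self.n)]
                  for i in range(self.n)]
        if self.skip:
            self.skip -= 1
            return False
        self.innov.append(e)
        full = len(self.innov) == self.innov.maxlen
        if (self.allow_reset and full
                and abs(self.lag1_autocorrelation()) > self.rho_max):
            self.P = self._initial_p()  # old data is disregarded from here on
            self.innov.clear()
            self.skip = self.holdoff
            return True
        return False


def simulate(allow_reset, n_steps=600, k_fault=300, seed=1):
    """Constructed scenario: the second parameter drops from 1.0 to 0.4
    at sample k_fault (for example a loss of control effectiveness)."""
    rng = random.Random(seed)
    est = ResettingRLS(2, allow_reset=allow_reset)
    resets = []
    for k in range(n_steps):
        phi = [math.sin(2 * math.pi * k / 40), math.cos(2 * math.pi * k / 25)]
        effectiveness = 1.0 if k < k_fault else 0.4
        y = 1.0 * phi[0] + effectiveness * phi[1] + rng.gauss(0.0, 0.05)
        if est.update(phi, y):
            resets.append(k)
    return est.theta, resets


if __name__ == "__main__":
    print("with reset   :", simulate(True))
    print("without reset:", simulate(False))
```

Without the reset the estimate of the changed parameter ends up near the average of its old and new values, because all pre-failure data is still weighted equally.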
4.6 Conclusions
In this chapter, the decomposition of the aircraft state and parameter estimation
problem has been discussed and the resulting two-step method is proven to possess
the same estimation properties as the one-step Maximum Likelihood method, in
the case of accurate measurements given by the flight test instrumentation systems.
Once the flight path reconstruction has been performed, the aerodynamic param-
eter estimation becomes linear-in-the-parameters. A simple linear Least Squares
method can be applied to estimate the aerodynamic parameters. The Total Least
Squares method may be used in case of necessity.
Since the system and observation models for the flight path reconstruction are
known in detail it is not necessary to evaluate different model structures, and flight
path reconstruction needs only to be solved once for each flight test manoeuvre
without any knowledge about aircraft aerodynamic models. This is considered to
be one of the advantages of the two-step method because the aerodynamic model
must be assumed to be known correctly in advance before the one-step maximum
likelihood method can be used.
In the case of incorrect aerodynamic models, the one-step method may diverge
or converge to wrong values of aerodynamic parameters (local maximum of the
likelihood function). Therefore, the modification of the aerodynamic models has to
be considered and the one-step joint state and parameter estimation procedure has
to be performed over and over again. The two-step method does not suffer from
this problem. One can always construct the modified aerodynamic model and run
the linear Least Squares method to estimate the aerodynamic parameters again using
the same reconstructed state trajectories. Therefore, this method is very suitable for
routine analysis of large amounts of flight test data. The optimization algorithms
and initial parameters for the one-step method must be selected properly in order to
achieve the global maximum of the likelihood function – even in the case that correct
aerodynamic models are specified. On the other hand, this problem is obviated by
the use of the two-step method as the solution of the Least Squares method is direct
and unique. In the case of errors in the measured data or from the first step of the two
step approach, Total Least Squares can be applied to reduce the bias of the model
parameter estimates.
Recursive and sequential approaches for both steps can easily be implemented for
on-line applications of model identification, in order to realize the design of model
based adaptive flight controllers.
References
1. Anonymous. Rotorcraft system identification. Technical Report AGARD-AR-280,
AGARD (1991)
2. Breeman, J.H., Erkelens, L.J.J., Nieuwpoort, A.M.H.: Determination of performance and
stability characteristics from dynamic manoeuvres with a transport aircraft using pa-
rameter identification. In: AGARD FMP Symposium on Flight Test Techniques, Lisbon
(1984)
3. Breeman, J.H., Simons, J.L.: Evaluation of a method to extract performance data from
dynamic manoeuvres for a jet transport aircraft. In: 11th ICAS congress, Lisbon (1978)
4. Chu, Q.P., Mulder, J.A., Sridhar, J.K.: Analytical and numerical comparison of the maxi-
mum likelihood method and two step method for aircraft state and parameter estimation.
In: Proceedings of the 10th IFAC Symposium on System Identification, SYSID 1994,
July 1994, vol. 3, pp. 61–66 (1994)
5. Chu, Q.P., Mulder, J.A., Van Woerkom, P.T.L.M.: Aircraft flight path reconstruction with
nonlinear adaptive filters. In: Proceedings of the American Control Conference, ACC,
Seattle, vol. 2, pp. 1196–1200 (1995)
6. Chu, Q.P., Mulder, J.A., Van Woerkom, P.T.L.M.: Modified recursive maximum likeli-
hood adaptive filter for nonlinear aircraft flight path reconstruction. AIAA Journal of
Guidance, Control and Dynamics 19(6), 1285–1295 (1996)
7. Chu, Q.P., Verbass, A., Mulder, J.A., van den Broek, P.P.: Nonlinear adaptive filtering
with application to spaceplane flight path reconstruction. In: Proceedings of the 2nd
ESA International Conference on Guidance, Navigation and Control Systems, ESTEC,
ESTEC Conference Bureau, Noordwijk, April 1994, pp. 107–116 (1994)
8. Gerlach, O.H.: Analyse van een mogelijke methode voor het meten van prestaties
en stabiliteits- en besturingseigenschappen van een vliegtuig in niet stationaire, sym-
metrische vluchten (analysis of a possible method for the measurement of performance
and stability and control characteristics in non-steady symmetrical flight). Technical Re-
port VTH-117, Delft University of Technology, Department of Aerospace Engineering
(November 1964)
9. Gerlach, O.H.: Determination of performance and stability parameters from non-steady
flight test manoeuvres. In: SAE paper, number 700236, Wichita, Kansas. National busi-
ness aircraft meeting (1970)
10. Gerlach, O.H.: Determination of stability derivatives and performance characteristics
from non-steady flight test manoeuvres. Technical Report CP-85, AGARD, Toulouse
(1971), Also as report VTH-163, Delft University of Technology, Department of
Aerospace Engineering (February 1976)
11. Golub, G.H., Van Loan, C.F.: Matrix Computations. Johns Hopkins University Press,
Baltimore (1996)
12. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems.
Cooperative Systems, vol. 2. Kluwer Academic Publishers, Dordrecht (2003)
13. Huisman, H.O.: Fault tolerant flight control based on real-time physical model identifi-
cation and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology,
Faculty of Aerospace Engineering, Control and Simulation Division, June 20 (2007)
14. Jonkers, H.L.: Application of the Kalman filter to flight path reconstruction from flight
test data including estimation of instrumental bias error corrections. Technical Re-
port VTH-162, Delft University of Technology, Department of Aerospace Engineering
(February 1976)
15. Jonkers, H.L., Mulder, J.A.: Accuracy limits in nonsteady flight testing. In: The tenth
congress of the International Council of the Aerospace Sciences, ICAS, number 76-46,
Ottawa, October 1976. ICAS (1976)
16. Jonkers, H.L., Mulder, J.A.: New developments and accuracy limits in aircraft flight test-
ing. In: AIAA Aircraft System and Technology Meeting, number AIAA 76-897, Dallas,
Texas (September 1976)
17. Jonkers, H.L., Mulder, J.A., van Woerkom, K.: Measurements in non-steady flight: In-
strumentation and analysis. In: Proceedings of the 7th international aerospace instrumen-
tation symposium, Cranfield (1972)
18. Klein, V.: Identification evaluation method. AGARD Lecture Series, vol. 104, pp. 2-1–
2-21 (1979)
19. Laban, M.: Online aircraft state and parameter estimation. Technical Report AGARD-
CP-519, paper 29, AGARD (May 1992)
20. Laban, M.: Online aircraft aerodynamic model identification. PhD thesis, Delft Univer-
sity of Technology (1994)
21. Laban, M., Masui, K.: Total least squares estimation of aerodynamic model parameters
from flight data. Journal of Aircraft 30(1), 150–152 (1993)
22. Laban, M., Mulder, J.A.: Online identification of aircraft aerodynamic model parameters.
In: 9th IFAC/IFORS Symposium on Identification and System Parameter Estimation,
Budapest, Hungary (July 1991)
23. Liu, Y., Cukic, B., Fuller, E., Yerramalla, S., Gururajan, S.: Monitoring techniques for an
online neuro-adaptive controller. The Journal of Systems and Software 79, 1527–1540
(2006)
24. Maine, R.E., Iliff, K.W.: AGARD flight test techniques series. On identification of dynamic
systems - application to aircraft, part 1: The output error approach, vol. 3. Technical
report, AGARDograph (1986)
25. Moonen, M., van Dooren, P., Vandewalle, J.: An SVD updating algorithm for subspace
tracking. SIAM Journal on Matrix Analysis and Applications 13(4), 1015–1038 (1992)
26. Muhammad, H.: Identification of turboprop thrust from flight test data. PhD thesis, Delft
University of Technology (December 1995)
27. Mulder, J.A.: Estimation of thrust and drag in nonsteady flight. In: Proceedings of the
4th IFAC Symposium, Identification and System Parameter Estimation, Tbilisi (1976)
28. Mulder, J.A.: Design and evaluation of dynamic flight test manoeuvers. Technical Report
LR-497, Delft University of Technology, Delft, the Netherlands (1986)
29. Mulder, J.A., Baarspul, M., Breeman, J.H., Nieuwpoort, A.M.H.: Determination of the
mathematical model for the new Dutch government civil aviation flying school flight
simulator. In: 18th Annual Symposium on Society of Flight Test Engineers, SFTE,
Amsterdam (September 1987), Also as Memorandum M-578, Delft University of Technology,
Department of Aerospace Engineering (July 1987)
30. Mulder, J.A., Chu, Q.P., Sridhar, J.K., Breeman, J.H., Laban, M.: Non-linear air-
craft flight path reconstruction review and new advances. Progress in Aerospace Sci-
ences 35(7), 673–726 (1999)
31. Mulder, J.A., Jonkers, H.L., Horsten, J.J., Breeman, J.H., Simons, J.L.: Analysis of air-
craft performance, stability and control measurements. AGARD Lecture Series, vol. 104
(1979)
32. Mulder, J.A., Sridhar, J.K., Breeman, J.H.: Identification of dynamic systems, applica-
tions to aircraft, part 2: nonlinear analysis and manoeuvre design. AGARDograph 300,
vol. 3 (1986)
33. Plaetschke, E., Mulder, J.A., Breeman, J.H.: Results of beaver aircraft parameter identi-
fication. Technical Report FB 83-10, DFVLR Institut für Flugmechanik, Braunschweig,
Germany (1983)
34. Soijer, M.W.: Sequential computation of total least squares parameter estimates. Journal
of Guidance and Control 27(3), 501–503 (2003)
35. Van Huffel, S.: Analysis of the Total Least Squares Problem and its use in Parameter
Estimation. PhD thesis, Catholic University of Leuven (1987)
36. van Huffel, S., Vandewalle, J.: The total least squares problem computational aspects and
analysis. SIAM, Philadelphia (1991)
Chapter 5
Industrial Practices in Fault Tolerant Control
Philippe Goupil
5.1 Introduction
The Electrical Flight Control System (EFCS), first developed by Aerospatiale and
installed on Concorde (as an analog system) and then designed with digital technology
on Airbus aircraft from the 1980’s (A310), provides more sophisticated control of
the aircraft and flight envelope protection functions [3],[4],[5]. The main
characteristics are that high-level control laws in normal operation allow all control surfaces
to be controlled electrically and that the system is designed to be available under all
circumstances. The EFCS is a safety-critical system designed to meet very stringent
requirements in terms of safety and availability. Most, but not all, of these require-
ments come directly from the Aviation Authorities (for example FAA, EASA, for
details see [2],[1]).
In this chapter, Fault Tolerant practices used to design a dependable safety-critical
EFCS are described. In section 5.2, as a general introduction, the aircraft develop-
ment process is described using the V-cycle. The next section details some ‘golden
rules’ used for designing a Fault Tolerant EFCS. Section 5.4 outlines the flight con-
trol computer specification and shows how the dedicated process contributes to the
EFCS Fault Tolerant design. Section 5.5 discusses some aspects of the system vali-
dation and verification as a part of the Fault Tolerant design. Finally, the last section
shows an example of a failure detection technique implemented on the A380, illus-
trating one of the golden rules previously described.
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 157–167.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
branch of the V-cycle is the development phase. It starts with the aircraft
specification corresponding to the ‘top level requirements’: the definition of the needs,
the choice of concepts, control laws, technologies, etc. The aircraft is decomposed
into sub-parts called systems which are specified in the next step. The systems are
decomposed in sub-parts called ‘equipment’ which are then specified. For example,
the software of the Flight Control Computers is specified using a specific
graphical language, and an automatic generation tool produces the code (see Section
5.4). At this step the code is used in a desktop simulator to begin the initial vali-
dation. It is also used in a development simulator, a real cockpit where everything
is simulated. After equipment specification, the corresponding code is generated
and implemented inside the equipment. Then, the second part of the V-cycle can
start. This integration phase consists of a severe validation campaign on different
test benches (see Section 5.5 for more details), from the simplest ones (an actuator
bench) to more complete ones (the ‘Iron Bird’). The validation phase ends with the
flight tests. The V-cycle ends with the certification process. Significant verification
and validation is performed all along the cycle (see Section 5.5). The verification
objective is to get assurance that the product (system/equipment) is compliant with its
specification. The validation objective is, on the one hand, to get the assurance that
the specifications are correct and complete, and on the other hand, to get the assur-
ance that the final product is compliant with the customer needs. Consequently, the
V-cycle is not a fixed process but rather an iterative process due to the verification
and validation activities that can lead to changes in some specifications all along
the cycle. Aviation Authorities regulations (FAR/CS [2],[1]) are requirements and
part of the aircraft specification. Hence verification and validation need to demon-
strate aircraft compliance to these requirements in order to obtain certification. As a
consequence, certification may be considered as a sub-process of the validation and
verification process but with more formalism (certification sheets, reviews, ...)
and a particular point of view (safety oriented).
energy to pressurize one of the hydraulic circuits and/or to supply the electric
network. Redundant sensors also provide air data and inertial information to other
systems through dedicated, separate but identical units².
• Monitoring: all the elements of the flight control system are monitored in real-
time, for example the sensors, actuators, probes, and the other computers. An
example of such monitoring is given in Section 6.
• Reconfiguration: meaning automatic management following a failure. This is a
key point in the design of a fault-tolerant aircraft. There are two levels of recon-
figuration:
– First level, system reconfiguration: consider a control surface with two ac-
tuators (Fig. 2). The first one is in active mode and is servo-controlled by
computer P1. The second one is in passive mode (it follows the movement
of the active actuator) and is associated with a second computer P2, in stand-
by mode. If a failure is detected (by the dedicated monitoring schemes, see
above) on the active actuator, then it changes to passive mode and the passive
one becomes active. There is a hand-over: P2 becomes active and controls
its associated actuator while P1 changes to stand-by mode. P1 loses its
functionality on this actuator but not its other functionalities (control of other
actuators, flight control law calculations, etc.). This reconfiguration is clearly
based on hardware redundancy (computers and actuators).
– Second level, flight control law reconfiguration: in normal conditions, with
the EFCS the aircraft is protected against critical events [5] such as stall,
overspeed, etc. The corresponding flight control law is called the ‘normal law’.
However some protection can be lost following failures, for example the loss
of a control surface, IRS (Inertial Reference System), ADR (Air Data Refer-
ence) or a Flight Control Computer. As a result of the loss of protection, there
is a reversion to low-level laws. Flight is still possible, but with less protec-
tion. The last level law is the ‘direct law’ where there is no protection. The
probability of reverting to a low-level law is very small. This reconfiguration
is a way to be fault tolerant and is due to a loss of hardware redundancy. For
more information on the control laws, see chapter 1.
• Dissimilarity: this is also a very important point to ensure fault tolerance. All
Airbus aircraft have at least two types of computer: a primary and a secondary
computer. Their hardware and software are different, and they are not developed
by the same teams. The system reconfiguration (hand-over) described above uses
primary and secondary computers (Fig. 2). The secondary computer is simpler
than the primary computer. The dissimilarity also concerns actuators. On the
A380, two types are used: the conventional hydraulic actuator and a new genera-
tion of electrically powered actuators - the Electro-Hydrostatic Actuator (EHA).
EHA has been developed mainly from the viewpoint of reducing the number of
hydraulic systems, generating significant weight and cost savings, and providing
additional dissimilarity [10]. Electrical Backup Hydraulic Actuators (EBHA) are
also used on the A380. An EBHA can be viewed as an actuator with two modes:
a conventional hydraulic one that can switch to an EHA mode.
² Also known as ADIRU (Air Data Inertial Reference Units).
• Installation segregation: computers are not physically installed at the same place
on the aircraft, to avoid total loss in the case of any damage. Such an event could
be for example an engine rotor-burst that cuts the electrical wires supplying the
computers. The same reasoning leads to segregation of hydraulic and electrical
routes.
• Flight Control Computer architecture: this is divided into two parts, a command
channel (COM) and a monitoring channel (MON). Each channel monitors the
other but each channel has a specific task. The COM channel provides the main
functions allocated to the computer (flight control law computation and the servo-
control of moving surfaces). The MON channel ensures (mainly) the permanent
monitoring of all the components of the flight control system (sensors, actuators,
other computers, probes, etc.). It is designed to detect failure cases and to trigger
reconfiguration by signalling the failure detection to the COM channel and to the
other computers.
• Perfect robustness of software and system equipment: e.g. no monitoring
false alarms, protection against ElectroMagnetic Interference and severe light-
ning strikes, no upset in the case of total air cooling loss, etc.
Fig. 5.2 System reconfiguration. In the case of two actuators per control surface, a first pri-
mary computer P1 ensures the servo control of the active actuator powered by a first hydraulic
system. A second primary computer P2, in stand-by mode, is associated with the second actu-
ator in passive mode. A second hydraulic system powers this second actuator. When a failure
is detected, a hand-over between P1 and P2 changes the active actuator to passive mode and
the passive one becomes active. S1 and S2 are the secondary computers ensuring a second
line of redundancy with the same principle.
• Tests on the ‘Iron Bird’: a test bench that is a kind of very light aircraft, without
the fuselage, the structure, the seats, etc, but with all system equipment installed
and powered as on an aircraft (e.g. hydraulic and electric circuits).
• Tests on a flight simulator: a test bench with a real aircraft cockpit, flight con-
trol computers and coupled to a rigid aircraft model. The Iron Bird can also be
coupled to the flight simulator.
• Flight tests, on several aircraft, fitted with ‘heavy’ flight test instrumentation.
More than 10000 flight control parameters are permanently monitored and
recorded.
in the servo-loop control of the moving surfaces are considered, that is, between the
Flight Control Computer and the control surface, including these two elements (Fig.
3). Consequently, the failures under consideration impact only one control surface.
OFCs are mainly due to electronic components in fault mode generating spurious si-
nusoidal signals. This oscillatory signal propagates through the servo-loop control,
leading to control surface oscillations. The faulty components are located inside the
Analog Inputs/Outputs, the position sensors or the actuators. The flight control com-
puter may also generate unwanted oscillations of the command current sent to the
actuator servo-valve. OFC signals are considered as sinusoids with frequency and
amplitude uniformly distributed over the frequency range 0-10 Hz. Beyond 10 Hz,
OFCs have no significant effects because of the low-pass behaviour of the actua-
tor. For structure-related system objectives, it is necessary to detect OFCs beyond
a given amplitude in a given number of periods, whatever the OFC frequency. For
example, it could be necessary to detect an OFC with minimal amplitude of 1 degree
in 5 periods, in the frequency band 5-10 Hz. The detection time is expressed
in numbers of periods, which means that, depending on the failure frequency, the time
allowed for detection is not the same. Two kinds of OFC have to be considered:
‘liquid’ and ‘solid’ failures. The liquid failure adds to the normal signal (inside the
control loop) while the solid failure replaces the normal signal. The OFC detection
methodology must take into account the specifics of these two different cases.
To detect an OFC on the A380, the concept of analytical redundancy is used. This
is a conventional approach well known in the Fault Diagnosis community [12, 13].
The principle consists of comparing the real functioning of the monitored control
surface with an ideal functioning expected in the absence of failure, in order to
exhibit the failure. A nonlinear knowledge-based model of the actuator is used to
provide this ideal functioning. The overall method is usually built in two steps [6]:
residual generation and residual evaluation. Firstly, a residual is generated by com-
paring the real position p of the control surface (obtained by a sensor) with an es-
timated position produced by the actuator model. The input of the model is the
flight control law (the command used in the servo-control of the control surface).
Secondly, the residual is decomposed into several spectral sub-bands. In each
sub-band, the OFC detection is performed by counting oscillations of the filtered residual.
The overall method is summarized in Fig. 4. Specific counting is applied for each
failure type (liquid and solid). In this approach, the flight control law is considered
as fault-free. All its oscillations are calculated in order to compensate for any normal
perturbation (e.g. an external disturbance such as turbulence). The hypothesis of a
fault-free command is justified because the flight control law is also monitored by
dedicated techniques. For more details, the reader can refer to Ref. [6]. This
model-based method is currently used on the A380 and gives highly satisfactory results
in terms of robustness and detection and permits very stringent load requirements to
be met.
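The two steps described above (residual generation against an actuator model, then oscillation counting per spectral sub-band) are sketched below in Python for a liquid failure only. This is an added example, not the A380 implementation or code from the chapter: the first-order lag standing in for the nonlinear actuator model, the sample rate, the sub-band edges, the counting threshold and the confirmation count are all assumptions, and the signals are constructed.

```python
import math

DT = 0.01          # assumed monitoring period [s]
THRESHOLD = 0.5    # assumed counting threshold on the filtered residual [deg]
HALF_CYCLES = 6    # assumed number of alternating excursions confirming an OFC
BANDS = [(1.0, 5.0), (5.0, 10.0)]  # assumed sub-bands [Hz]


class BandPass:
    """Second-order digital band-pass with unity gain at the band centre."""

    def __init__(self, f_low, f_high):
        f0 = math.sqrt(f_low * f_high)
        q = f0 / (f_high - f_low)
        w0 = 2.0 * math.pi * f0 * DT
        alpha = math.sin(w0) / (2.0 * q)
        a0 = 1.0 + alpha
        self.b0, self.b2 = alpha / a0, -alpha / a0
        self.a1, self.a2 = -2.0 * math.cos(w0) / a0, (1.0 - alpha) / a0
        self.x1 = self.x2 = self.y1 = self.y2 = 0.0

    def step(self, x):
        y = self.b0 * x + self.b2 * self.x2 - self.a1 * self.y1 - self.a2 * self.y2
        self.x2, self.x1 = self.x1, x
        self.y2, self.y1 = self.y1, y
        return y


class OscillationCounter:
    """Counts excursions beyond +/- threshold that alternate in sign."""

    def __init__(self, timeout):
        self.timeout = timeout  # no excursion for this long restarts counting
        self.count, self.sign, self.last_t = 0, 0, 0.0

    def update(self, t, y):
        if self.count and t - self.last_t > self.timeout:
            self.count, self.sign = 0, 0
        sign = 1 if y > THRESHOLD else -1 if y < -THRESHOLD else 0
        if sign and sign != self.sign:
            self.count += 1
            self.sign, self.last_t = sign, t
        return self.count >= HALF_CYCLES


def run_scenario(ofc_amp=0.0, ofc_freq=7.0, t_fault=2.0, t_end=5.0):
    """Returns the detection time [s] of a liquid OFC, or None."""
    tau_model, tau_real = 0.06, 0.05  # constructed: slight model mismatch
    monitors = [(BandPass(lo, hi), OscillationCounter(1.0 / lo)) for lo, hi in BANDS]
    p_model = p_servo = 0.0
    for k in range(int(round(t_end / DT))):
        t = k * DT
        # Command oscillating at 2 Hz, e.g. to counter turbulence; the model
        # receives the same command, so this is not seen as a failure.
        u = 2.0 * math.sin(2.0 * math.pi * 2.0 * t)
        p_model += DT / tau_model * (u - p_model)   # estimated position
        p_servo += DT / tau_real * (u - p_servo)    # healthy servo-loop
        fault = 0.0
        if t >= t_fault:
            fault = ofc_amp * math.sin(2.0 * math.pi * ofc_freq * (t - t_fault))
        p_meas = p_servo + fault   # liquid failure: adds to the normal signal
        residual = p_meas - p_model
        for band_filter, counter in monitors:
            if counter.update(t, band_filter.step(residual)):
                return t
    return None


if __name__ == "__main__":
    print("no failure       :", run_scenario(0.0))
    print("1 deg OFC at 7 Hz:", run_scenario(1.0))
    print("0.2 deg OFC      :", run_scenario(0.2))
```

Because confirmation is tied to a number of counted half-cycles rather than to a fixed time, the detection delay scales with the failure period, as the requirement expressed in periods demands.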
5.7 Conclusions
Safety is the first priority: in-service experience has shown that the Airbus EFCS is
safe, and even features safety margins. For future and upcoming programs, in par-
ticular in the context of aircraft overall optimization and their increasing size, more
stringent requirements will be demanded. Consequently, new solutions should be
studied. The example given in Section 6 shows that Airbus is continuously improv-
ing, in an innovative way, the Fault Tolerant design of its aircraft. The collaborative
work done in a research group like GARTEUR AG-16 is a good chance to study the
capabilities and viability of novel Fault Tolerant Control techniques. With respect
to Fault Tolerance, one of the future challenges to be faced is to get the system right
‘first time’. Future work will focus on this challenge.
References
1. Anon. Certification Specifications for Large Aeroplanes, Amendment 1, CS-25. Euro-
pean Aviation Safety Agency (EASA) (former JAA)
2. Anon. FAR/CS 25, Airworthiness Standards: Transport Category Airplane, vol. 14, part
25. FAA
3. Brière, B., Favre, C., Traverse, P.: A family of fault-tolerant systems: electrical flight
controls, from A320/330/340 to future military transport aircraft. Microprocessors and
Microsystems 19(2) (1995)
4. Favre, C.: Fly-by-wire for commercial aircraft: the airbus experience. International Jour-
nal of Control 59(1), 139–157 (1994)
5. Traverse, P., Lacaze, I., Souyris, J.: Airbus fly-by-wire: A total approach to dependability.
In: Proc. 18th IFIP World Computer Congress, Toulouse, France (2004)
6. Goupil, P.: Oscillatory Failure Case detection in A380 Electrical Flight Control System
by analytical redundancy. In: 17th IFAC Symposium on Automatic Control in Aerospace,
Toulouse (2007)
7. Anon. ARP 4754/ED79, Certification Considerations for Highly-Integrated or Complex
Systems. SAE, no. ARP4754, and EUROCAE, no. ED79 (1996)
8. Anon. DO178B/ED12, Software Considerations in Airborne Systems and Equipment
Certification. ARINC, no. DO178B, and EUROCAE, no. ED12 (1992)
9. Anon. DO254/ED80, Design Assurance Guidance for Airborne Electronic Hardware.
ARINC, no. DO254, and EUROCAE, no. ED80 (2000)
10. Van den Bossche, D.: The A380 Flight Control Electrohydrostatic Actuators, Achieve-
ments and Lessons Learnt. In: Proc. 25th Congress of the International Council of the
Aeronautical Sciences, Hamburg (2006)
11. Besch, H.M., Giesseler, H.G., Schuller, J.: Impact of Electronic Flight Control System
(EFCS) Failure Cases on Structural Design Loads. AGARD Report 815, Loads and Re-
quirements for Military Aircraft (1996)
12. Zolghadri, A., Goetz, C., Bergeon, B., Denoise, X.: Integrity monitoring of flight pa-
rameters using analytical redundancy. In: UKACC International Conference on Control
(CONTROL 1998), Swansea, UK, pp. 1534–1539 (1998)
13. Frank, P.M.: Fault diagnosis in dynamic systems using analytical and knowledge-based
redundancy: A survey and some new results. Automatica 26(3), 459–474 (1990)
Part II
RECOVER: The Benchmark Challenge
Chapter 6
RECOVER: A Benchmark for Integrated Fault
Tolerant Flight Control Evaluation
Hafid Smaili
National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Jan Breeman
National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Diederick Joosten
Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2,
2628 CD Delft, The Netherlands
e-mail: d.a.joosten@tudelft.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 171–221.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
6.1 Introduction
Fault tolerant flight control (FTFC), or intelligent self-adaptive control, enables
improved survivability and recovery from adverse flight conditions induced by faults,
damage and associated upsets. This can be achieved by ‘intelligent’ utilisation of
the control authority of the remaining control effectors in all axes consisting of the
control surfaces and engines or a combination of both. In this technique, control
strategies are applied to restore vehicle stability, manoeuvrability and conventional
piloting techniques for continued safe operation and a survivable landing of the
aircraft.
The design of the GARTEUR REconfigurable COntrol for Vehicle Emergency
Return (RECOVER) benchmark was driven by the requirement to demonstrate, both
offline and in real-time (piloted) simulation, the performance and viability of new
fault tolerant flight control schemes when applied to a realistic, nonlinear advanced
flight control application. The test scenarios of the benchmark provide challenging
assessment criteria, based on a review of operational requirements, to assess the
effectiveness and potential of the FTFC methods to improve aircraft survivability.
The assessment criteria of the GARTEUR RECOVER benchmark scenarios are further
described in detail in Chapter 7. This Chapter provides a description of the
flight data reconstruction, analysis and simulation modelling of the 1992 Amsterdam
Bijlmermeer aircraft accident case (Flight 1862) using the Digital Flight Data
Recorder (DFDR) recovered after the accident. This study, based on accident investigation
work conducted for the Flight 1862 case [17, 18], resulted in high fidelity
non-linear aircraft and fault models for a large transport aircraft that are part of the
GARTEUR RECOVER benchmark. Section 6.2 of this Chapter starts with a
description of the Flight 1862 accident case in order to provide a background on the
events that led up to the accident, associated flight technical issues, aircraft handling
characteristics and survivability aspects. The application of flight data from the accident
aircraft’s DFDR is described for the reconstruction and simulation of the Flight
1862 benchmark scenario. Section 6.3 provides a description of the GARTEUR RECOVER
benchmark including design specifications, simulation model architecture,
analysis and visualisation tools and some examples demonstrating the use of the
benchmark. Chapter 7 provides a detailed description of the defined operational assessment
criteria, which are an integral part of the RECOVER benchmark, for the
evaluation of new fault tolerant flight control algorithms.
A quick reference guide to the GARTEUR RECOVER benchmark is provided
as part of the software package [6]. The additional literature references [8, 9, 12]
provide further details of the basic simulation architecture, mathematical models,
signal definitions and conventions.
analysis of the accident [17, 18]. In contrast to the analysis performed by the
Netherlands Accident Investigation Bureau, the parameters of the digital flight data
recorder (DFDR) were reconstructed using comprehensive modelling, simulation
and visualisation techniques. In this alternative approach, the DFDR pilot control
inputs were applied to detailed flight control and aerodynamic models of the accident
aircraft. The purpose of the analysis was to acquire an estimate of the actual
flying capabilities of the aircraft and to study alternative (unconventional) pilot control
strategies for a safe recovery and landing. The application of this technique
resulted in a simulation model of the impaired aircraft that could reasonably predict
the performance, controllability effects and control surface deflections as observed
on the DFDR. The analysis of the reconstructed model of the aircraft, as used for
the GARTEUR RECOVER benchmark, indicated that from a flight mechanics point
of view, the Flight 1862 accident aircraft was recoverable if unconventional control
strategies were used [17, 18].
Fig. 6.1 The Flight 1862 accident aircraft taxiing before takeoff at Amsterdam Schiphol
Airport, October 4, 1992 (copyright Werner Fischdick)
Fig. 6.2 The Flight 1862 accident aircraft returning to the airport after separation of the No.
3 and 4 engines (picture: R. Plooy, Diemen)
heading of 40 degrees at 21 knots. The crew of the flight, however, requested the use
of runway 27 for landing. Because the aircraft was only 7 miles from the airport at
an altitude of 5,000 feet, a straight-in approach was not possible. ATC instructed the
crew to a northerly heading of 360 degrees to fly a circuit and to descend to 2,000
feet. By then the wind was coming from a heading of 50 degrees at 22 knots.
Fig. 6.3 Flight 1862 ground track showing time (UTC) of events (copyright Google Earth)
At 17:31.17, the crew indicated that they needed “12 miles final for landing”.
During the transmission of this reply, the crew commenced the selection of flaps 1
for landing. While instructed to turn right to a heading of 100 degrees, the crew reported
“No. 3 and 4 are out and we have problems with the flaps”. After the aircraft
was established on a heading of 120 degrees, the crew maintained an indicated airspeed
of 260 knots and a gradual descent. ATC cleared Flight 1862 for approach and
instructed a westerly heading of 270 degrees to intercept the final approach course.
Indicated airspeed remained at about 260 knots at an altitude of 4,000 feet. After
the heading instruction from ATC, it took about thirty seconds before the heading
change was actually performed. When it became clear that the aircraft was going to
overshoot the runway centerline, ATC instructed Flight 1862 to turn to a heading of
290 degrees to intercept the localizer from the south. Twenty seconds later a new
heading of 310 degrees was instructed by ATC, along with the clearance to descend
to 1,500 feet.
At 17:35.03, the crew acknowledged the clearance by reporting “1,500, and we
have a controlling problem”. At this point, the DFDR shows that indicated airspeed
decreased below 260 knots which appeared to be causing a further significant reduction
in controllability. The crew was losing control of the aircraft and approximately
25 seconds later the captain called, “going down 1862, going down”. During this
transmission, the crew tried to recover the aircraft by raising the flaps and by lowering
the gear. The stick shaker¹ and ground proximity warning system were audible
in the background of the transmission. The remaining engines No. 1 and 2 were set
at maximum thrust.
At 17:35.42, the aircraft impacted in the Amsterdam Bijlmermeer area (Fig. 6.4)
at a roll angle of approximately 104 degrees to the right, a load factor of about 2.5g
and approximately 70 degrees pitch down.
1 The stick shaker is a component of the aircraft’s Stall Protection System that rapidly
vibrates the control column to warn the pilot of an imminent stall.
Fig. 6.4 Impact area of the Flight 1862 accident aircraft (picture: Jos Wiersema)
will create a negative sideslip angle ($\beta$) that creates a positive rolling moment to the
right ($\bar{L}_{\beta}$). Instant control compensation in an engine failure flight condition may
consist of applying a rudder pedal input to counteract the yawing moment due to
thrust asymmetry ($\bar{N}_{t}$), a control wheel deflection to counteract the rolling moment
due to sideslip ($\bar{L}_{\beta}$) and rudder deflection ($\bar{L}_{\delta_r}$) or applying a thrust reduction on the
remaining engines to decrease the yawing moment.
For the case of Flight 1862 (Fig. 6.5), the wing damage caused an additional
lift loss ($\Delta L_{damage}$) and drag increase ($\Delta D_{damage}$) on the right wing. Because these
effects are a function of angle-of-attack, an increase in angle-of-attack will create
an additional rolling moment ($\Delta \bar{L}_{damage}$) and yawing moment ($\Delta \bar{N}_{damage}$) into the
direction of the dead engines. This in turn will require more opposite control wheel
deflection, especially to counteract bank steepening during manoeuvring. Banking
into the dead engines will increase the minimum control speed and therefore reduce
the available controllability.
The Flight 1862 accident aircraft was designed to have enough rudder authority
to keep the control wheel almost neutral with two engines inoperative on one side.
This flight condition can be maintained up to the remaining engines set at maximum
continuous thrust (MCT) corresponding to an engine pressure ratio (EPR) of 1.35
(MCT/EPR 1.35). Note that maximum continuous thrust is defined as the maximum
thrust setting at which the engines may be operated for unlimited time. The engine
pressure ratio is used here as a measure for the applied power setting and represents
the total pressure ratio across the engine (according to the Flight 1862 DFDR, an
EPR of about 1.45 was used as the takeoff thrust setting). For the Flight 1862 case,
the DFDR indicates that control wheel deflections between 20 and 60 degrees to the
left were needed for lateral control and straight flight (Fig. 6(a)). The aerodynamic
effects due to the wing damage and degraded effectiveness of the right-wing inboard
aileron required larger left wing down control wheel deflections than in the nominal
case. The largest deflection of approximately 60 degrees was required for straight
and almost level flight. This condition could only be maintained at full rudder pedal
and at high thrust (engine #1 set at EPR 1.56 and engine #2 set at EPR 1.45).
As observed on the DFDR data, maximum available rudder was needed during
straight flight (constant track angle) to counteract the yawing moment caused by
the separated right-wing engines. The traces of the rudder control surface activity
as a response to the rudder pedal inputs are shown in Fig. 6(b). In this figure, it
can be seen that, between about t=490s and t=790s into the flight, the lower rudder
lags the upper rudder when full pedal is applied. The simulation model of the Flight
1862 aircraft, developed during the study in [17, 18], enabled a reconstruction of the
DFDR rudder deflections and an analysis of the contribution of their control authority
to the aircraft’s control capabilities. By applying the DFDR pilot control inputs
to the simulation, taking into account the rudder surface hinge moments and partial
loss of hydraulic pressure, rudder deflections could be reconstructed subjected to the
effects of calculated aerodynamic blowdown and sideslip. As the cause of the limited
lower rudder control authority was unknown [2], the lower rudder deflections,
as observed in Fig. 6(b), were approximated in the simulation study in [17, 18] by
assuming a reduced lower rudder actuator hinge moment as a failure mode showing
a reasonable match with the DFDR rudder deflections.
Fig. 6.5 Flight 1862 aircraft forces and moments for equilibrium flight with separated right-wing
engines and wing damage
Fig. 6.6 Flight 1862 Digital Flight Data Recorder (DFDR) control wheel and rudder surface
deflections, plotted against time (sec): (a) DFDR control wheel position (maximum
deflection +/- 88 deg); (b) DFDR rudder surface deflections (upper rudder, lower rudder)
The DFDR indicates that the Flight 1862 controllability and performance condition,
after separation of the right-wing engines, required engine thrust settings
between approximately MCT (EPR 1.3) and overboost thrust (EPR 1.62) (Fig. 6.7).
A high thrust setting (engine #1 set at EPR 1.56 and engine #2 set at EPR 1.45) was
needed to sustain almost straight and level flight.
Fig. 6.7 Flight 1862 DFDR engine No. 1 and 2 thrust settings (traces: Engine #1, Engine #2;
horizontal axis: Time (sec))
An energy analysis of the flight using the DFDR data [2] indicated that after the
separation of the engines, the aircraft had level flight capability at go-around thrust
and at an indicated airspeed (IAS) of approximately 270 knots. Maneuvering capabilities
were marginal and resulted in a loss of altitude. A normal load of 1.1g,
equivalent to 25 degrees of bank, reduced the maximum climb capability to approximately
minus 400 feet per minute. At MCT thrust and at an indicated airspeed of
approximately 270 knots, maximum climb performance was about minus 350 feet
per minute. Below 260 knots, a normal load factor of 1.15g and an angle-of-attack
above approximately 8 degrees resulted in significant performance degradation. At
an airspeed of 256 knots, a normal load factor of 1.2g (corresponding to about 33
degrees of bank angle) and MCT thrust, maximum climb performance was reduced
to minus 2000 feet per minute.
Fig. 6.8 Failure modes and structural damage configuration of the Flight 1862 accident aircraft,
suffering right-wing engine separation, partial loss of hydraulics and change in aerodynamics
Table 6.1 DFDR parameters used for the Flight 1862 accident reconstruction and simulation
data Xm are input to a feedback controller. The output of the feedback controller
is a measure of the fidelity of the reconstructed model. The reconstruction method
has the advantage that the combined effect of structural and flight control system
failures can be visualised using the simulation inputs and outputs. The estimation of
the aerodynamic effects due to structural damage caused by engine separation can be
performed by adjusting the parameters of an a-priori model structure of the damaged
wing until the controller output is minimised. An additional advantage of the method
is that the DFDR data, with a low sample rate, can be used directly to excite the
simulation model. The Flight 1862 reconstruction and simulation modelling process
is illustrated in Fig. 6.11. A proportional feedback controller was used to feed back
the DFDR and calculated pitch and roll state error responses to obtain a proof-of-match
between DFDR measurements and simulation data.
Fig. 6.10 Inverse simulation principle for flight data reconstruction [5]
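The inverse simulation principle described above, reduced to the roll axis only, as an added example (not code from the RECOVER package or from the study in [17, 18]). The first-order roll model, its coefficients, the recorded wheel input, the feedback gain and the damage term `D_TRUE` are constructed assumptions; the point is that the RMS of the proportional feedback output falls to its minimum when the a-priori damage parameter matches the recording.

```python
import math

# All numbers are constructed for illustration; none are Flight 1862 data.
DT = 0.05            # simulation step (s)
SUB = 20             # simulation steps per recorded sample, i.e. a 1 Hz recorder
N_SAMPLES = 121      # 120 s of recorded data
ROLL_DAMPING = 2.0   # a: roll damping (1/s)
WHEEL_GAIN = 0.1     # b: roll acceleration per degree of control wheel (deg/s^2/deg)
D_TRUE = 3.0         # damage-induced roll acceleration to the right (deg/s^2)
K_FB = 20.0          # proportional feedback gain (deg wheel per deg roll error)


def step(phi, p, wheel, d_damage):
    """One Euler step of the assumed roll model p_dot = -a*p + b*wheel + d."""
    p_dot = -ROLL_DAMPING * p + WHEEL_GAIN * wheel + d_damage
    return phi + DT * p, p + DT * p_dot


def make_recording():
    """Fly the 'true' damaged aircraft and keep wheel and roll angle at 1 Hz."""
    phi, p = 0.0, 0.0
    wheel_rec, phi_rec = [], []
    for k in range((N_SAMPLES - 1) * SUB + 1):
        # Left wheel (negative) held against the damage, plus slow manoeuvring.
        wheel = -30.0 + 10.0 * math.sin(0.1 * k * DT)
        if k % SUB == 0:
            wheel_rec.append(wheel)
            phi_rec.append(phi)
        phi, p = step(phi, p, wheel, D_TRUE)
    return wheel_rec, phi_rec


def interp(samples, k):
    """Linear interpolation of the low-rate recording at simulation step k."""
    i, r = divmod(k, SUB)
    if r == 0:
        return samples[i]
    return samples[i] + (r / SUB) * (samples[i + 1] - samples[i])


def inverse_simulation(wheel_rec, phi_rec, d_damage):
    """Drive the candidate model with the recorded wheel input plus a
    proportional correction on roll error; return the RMS of that correction.
    A small RMS means the model reproduces the recording almost unaided."""
    phi, p = phi_rec[0], 0.0
    n = (len(phi_rec) - 1) * SUB
    sum_sq = 0.0
    for k in range(n):
        u_fb = K_FB * (interp(phi_rec, k) - phi)
        sum_sq += u_fb * u_fb
        phi, p = step(phi, p, interp(wheel_rec, k) + u_fb, d_damage)
    return math.sqrt(sum_sq / n)


def estimate_damage(wheel_rec, phi_rec, candidates):
    """Pick the damage parameter that minimises the feedback controller output."""
    return min(candidates, key=lambda d: inverse_simulation(wheel_rec, phi_rec, d))


if __name__ == "__main__":
    wheel_rec, phi_rec = make_recording()
    for d in (0.0, 1.5, 3.0, 4.5):
        rms = inverse_simulation(wheel_rec, phi_rec, d)
        print(f"candidate d = {d:4.2f} deg/s^2 -> feedback RMS = {rms:6.2f} deg")
    grid = [0.25 * i for i in range(25)]
    print("estimated damage term:", estimate_damage(wheel_rec, phi_rec, grid))
```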
Initial reconstruction of the DFDR data was conducted for the departure phase of
the undamaged aircraft using the published Flight 1862 weight and configuration.
This allowed a validation of the nonlinear baseline aircraft model and reconstruction
methodology by means of a proof-of-match with the DFDR data. The additional effects
due to engine separation could then be identified for the damaged aircraft in the
subsequent flight phases using the model reconstruction process. The example flight
parameters, illustrated in Fig. 6.12, show that the applied reconstruction methodology
achieves a close match between the DFDR and baseline aircraft model before
the separation of the right-wing engines. The effect of wind conditions on the reconstructed
data was taken into account by including a wind model in the simulation
using meteorological data recorded at the time of the crash. Gust and turbulence
effects were not included in the simulation.
Fig. 6.11 Flight 1862 reconstruction and simulation modelling setup [17]
A similar incident in 1993, in which a Boeing 747 freighter (Flight 46E) lost its
left inboard engine [16], substantiates the amount of structural damage most probably
incurred by the Flight 1862 accident aircraft (Fig. 6.14). In the 1993 incident, the
flight crew managed to recover the aircraft and conduct an emergency landing despite
the severe performance and controllability problems caused by the separated
engine. The Flight 46E control and performance capabilities were representative
of those encountered on Flight 1862. Ref. [16] shows that the pilot required up to
full right rudder pedal, approximately 60 degrees of right wing down control wheel
deflection and overboost thrust on engine No. 1 to control the aircraft towards a
survivable landing.
The aerodynamic effects due to engine separation and structural wing damage
were estimated using the Flight 1862 reconstruction and simulation modelling process
as illustrated in Fig. 6.11. The reconstructed aerodynamic effects were added
as contributions to the baseline aerodynamic coefficient equations of the validated
undamaged aircraft model. An initial estimation of the aerodynamic drag effects
of a partially damaged wing, having the most significant impact on aircraft performance,
was done using literature wind-tunnel data for a representative wing having
a cut-out, up to the front spar, at mid-span [17]. The loss of lift as a function of
angle-of-attack, caused by the damaged wing, is based on Boeing wind-tunnel data.
Additional effects were estimated to take into account the contribution of the separated
right-wing engines and leading edge structural damage to the aircraft’s pitching
moment and control effectiveness of the right-wing inboard aileron and spoilers.
Fig. 6.12 Validation of the unfailed nonlinear baseline aircraft model and DFDR reconstruction
methodology for the Flight 1862 departure phase (t=47-371s). Panels, each comparing DFDR
and simulation against time (s): (a) altitude; (b) indicated airspeed; (c) roll angle (deg);
(d) pitch angle (deg); (e) control wheel position (deg); (f) control column position (deg)
Fig. 6.13 Flight 1862 estimated right-wing structural damage configuration (black and
shaded parts indicating loss of leading edge structure)
Fig. 6.14 Structural wing damage due to separation of engine No. 2, Evergreen Boeing 747-121,
Anchorage, 1993 [16]
Fig. 6.15 Effect of estimated aerodynamic contributions due to right-wing engine separation
on reconstructed control wheel deflection and roll angle (t=378-647s). Panels, each comparing
DFDR and simulation against time (s): (a) reconstructed control wheel position (deg) without
aerodynamic estimates; (b) reconstructed control wheel position (deg) including aerodynamic
estimates; (c) reconstructed roll angle (deg) without aerodynamic estimates; (d) reconstructed
roll angle (deg) including aerodynamic estimates
reconstructed control wheel deflection (Fig. 15(a) and 15(b)) and roll angle (Fig.
15(c) and 15(d)) can be achieved.
Fig. 16(a) shows the estimated amount of aerodynamic drag increase, due to the
loss of the right-wing engines, obtained by reconstruction of the DFDR aircraft performance
capabilities [17]. The shown reconstructed DFDR data includes the flight
segment up to the loss of control and with the inboard trailing edge flaps extended
to the flaps 1 detent. The figure indicates that, for the amount of right-wing leading
edge structural damage as shown in Fig. 6.13, a drag increase of about 10 percent
at low angle-of-attack may be expected as compared to the unfailed case. At higher
angle-of-attack, local flow separation at the right-wing damaged section (mid-span)
occurs, resulting in a rapid increase of drag of about 20 to 30 percent. This effect
resulted in a significant reduction of the aircraft’s maximum climb capability down
to approximately minus 1500-2000 feet/min, as observed on the DFDR, and can
be predicted well by the reconstructed model as shown in Fig. 16(b). The reduced
control authority of the damaged aircraft was insufficient to recover from the significant
performance degradation using the remaining engines as shown in Fig. 6.16
for both the DFDR data and reconstructed model. Post-accident visualisation of the
Flight 1862 loss of control sequence using the DFDR data is shown in Fig. 6.17
illustrating the relevant flight parameters as reconstructed by the simulation model.
Further validation and analysis results of the baseline aircraft model and Flight
1862 DFDR reconstruction can be obtained from [17, 18].
Fig. 6.16 DFDR and reconstructed flight parameters of the Flight 1862 final stage of flight
up to the loss of control (inboard trailing edge flaps 1, t=648-874s). Panels, plotted against
time (s): (a) estimated aerodynamic drag increase due to loss of right-wing engines; (b) DFDR
and reconstructed maximum climb capability; (c) DFDR and reconstructed altitude; (d) DFDR
and reconstructed indicated airspeed; (e) DFDR and reconstructed roll angle (deg); (f) DFDR
and reconstructed pitch angle (deg); (g) DFDR and reconstructed control wheel position (deg);
(h) DFDR and reconstructed control column position (deg)
Fig. 6.17 Post-accident visualisation of the Flight 1862 DFDR data illustrating loss of control
sequence and relevant flight parameters as reconstructed by the simulation model (NLR)
Fig. 6.18 Flight 1862 estimated aircraft performance, lateral control and gliding capabilities
following the separation of the right-wing engines (inboard trailing edge flaps 1, full rudder
pedal), shown for aircraft weights of 317,460 kg (700,000 lb) and 261,972 kg (577,648 lb).
Panels: (a) effect of engine thrust (EPR engines #1 & #2) and weight on maximum climb
performance for straight flight at 260kts; (b) effect of engine thrust (EPR engines #1 & #2)
and weight on control wheel position for straight flight at 260kts; (c) effect of indicated
airspeed (knots) and weight on glide slope angle (deg) for simulated low-drag/low power
approach profile; (d) effect of glide slope angle (deg) and weight on control wheel position
(deg) for simulated low-drag/low power approach profile
(flaps 1) for approach according to the DFDR. For the engine separation scenario,
the simulator data confirms that larger control wheel deflections are required when
airspeed reduces or load factor increases. After the failure, a moderate climb requires
takeoff/go-around thrust (EPR 1.45-1.5) on the remaining engines No. 1 and
2, further control wheel deflections between approximately 40 and 60 degrees to the
left and full rudder pedal for straight flight. The climb capability in these conditions
is between approximately 200-500 feet/min. For the current aircraft configuration,
loss of flight control (Fig. 6.19) occurs at around 260kts while the aircraft is in a
30 degrees bank turn and the engines set at maximum continuous thrust. The resulting
climb capability is reduced to approximately minus 1,000-1,500 feet/min prior
to the loss of control. Fig. 6.20 provides a validation of the offline predicted gliding
capabilities of the damaged aircraft. The data shows that at almost idle thrust,
stabilised flight is maintained while decelerating along a 3-4 degrees glide slope
requiring control wheel deflections between neutral and 20 degrees to the right.
Fig. 6.19 Piloted simulator validation of aircraft loss of control sequence for engine separation
failure mode occurring at t=150s (Flight 1862 scenario). Panels, plotted against time (sec):
(a) altitude; (b) indicated airspeed; (c) roll angle (deg); (d) angle-of-attack (deg);
(e) engine #1 and #2 EPR; (f) maximum climb capability (feet/min * 1000); (g) control wheel
position (deg); (h) rudder pedal position
Fig. 6.20 Piloted simulator validation of aircraft gliding capabilities for engine separation
failure mode occurring at t=215s (Flight 1862 scenario). Panels, plotted against time (sec):
(a) altitude (feet); (b) indicated airspeed; (c) roll angle; (d) flight path angle;
(e) engine #1 and #2 EPR; (f) maximum climb capability (feet/min * 1000); (g) control wheel
position (deg); (h) rudder pedal position
The estimated control capabilities of the Flight 1862 aircraft only satisfy a part
of the critical requirements for survivability and safe operation of a damaged aircraft.
Additional operational requirements include knowledge concerning the aircraft’s
limited operating envelope following a failure or damage, information on the
configuration of the damaged aircraft and piloting skills.
6.3.1 Description
The GARTEUR RECOVER software package is equipped with several simulation
and analysis tools, all centered around a generic nonlinear aircraft model for
six-degrees-of-freedom nonlinear aircraft simulations. For high performance computation
and visualisation capabilities, the package has been integrated as a toolbox
in the computing environment Matlab®/Simulink®. The tools of the RECOVER
benchmark include trimming and linearisation for (adaptive) flight control law design,
nonlinear off-line (interactive) simulations, simulation data analysis and flight
trajectory and pilot interface visualisations. Customisation of the RECOVER software
by applying user-generated models to the generic package is possible for the
simulation of any specific aircraft type or fault scenario. In conjunction with the
Matlab®/Simulink® Real-Time Workshop®, the benchmark model is suitable for
integration on simulation platforms for piloted hardware in the loop testing.
The GARTEUR RECOVER benchmark provides enhanced graphical and high
resolution aircraft visualisation capabilities supporting tool-based advanced control
system design and evaluation. This includes, for instance, the replay and animation
of offline (or piloted) simulation data, the visualisation of fault or aircraft upset
recovery scenarios or analysis of flight control system states and performance.
Additionally, the capabilities of the software are suitable for any educational or
demonstration purposes providing insight into the design of advanced flight control
algorithms, aircraft flight dynamics and handling qualities and human factors
interfaces.
The software architecture of the RECOVER simulation benchmark (Fig. 6.21)
comprises a generic aircraft model and aircraft specific modules including aerodynamics,
flight control system and engines. The baseline flight control system
model reflects the hydro-mechanical system architecture of the Boeing 747-100/200
aircraft [1, 8]. All modelled control surfaces are subjected to aerodynamic effects
and mechanical (rate) limits throughout the flight envelope to account for actuator
force limitations and control surface floating in the case of (multiple) hydraulic
system failures. Through the graphical user interface (Section 6.3.4), the user has
access to the RECOVER benchmark simulation and analysis tools.
Fig. 6.22 Adaptation of original benchmark model for simulation of ’fly-by-wire’ aircraft:
(a) Original benchmark model with classic controller and pilot control inputs;
(b) RECOVER benchmark model with modern controller and control surface inputs
The original aircraft model of the RECOVER benchmark [15, 17] was based on
the classical Boeing 747-100/200 aircraft with a hydro-mechanical flight control
system (Fig. 22(a)) and with the pilot cockpit controls as inputs. For the research
goals in this Action Group, a ’fly-by-wire’ version of the Boeing 747-100/200 aircraft
was created where all twenty-six aerodynamic control surfaces and four engines
can be controlled individually. This allows new fault tolerant flight control
designs, as developed in this Action Group, to have the capability to completely
reconfigure the utilisation of the available flight control effectors (Fig. 22(b)).
Fig. 6.23 illustrates a schematic overview of the GARTEUR RECOVER benchmark
including relationships between the different model components of the benchmark.
The basic aircraft model contains airframe, actuator, engine and turbulence
models and is represented by the outline in the diagram designated as B747 model.
As described above, the input of this model was initially based on the pilot’s control
inputs, which have a fixed linkage to the control surfaces. To control the surfaces
separately, as required for the reconfigurable control algorithms, the Pilot controls
to actuators block is separated from the baseline aircraft model. A basic classical
controller is available in the benchmark, based on the Boeing 747 classic autopilot
including autothrottle, to serve as a reference for new adaptive control algorithm
designs. Any newly designed FTFC controller, to be evaluated with the benchmark
model, is meant to replace the classic autopilot and autothrottle and should drive
the separate control surfaces directly. This is indicated in the diagram by the outline
called Modern Controller. In order to operate the benchmark, a scenario and failure
mode generator is added. The scenario consists of commands fed into the autopilot
and autothrottle, while the failures are directly introduced into the airframe, flight
control system and propulsion models via Matlab®/Simulink® Goto/From blocks
as indicated by the broken lines.
Fig. 6.23 Detailed schematic of the GARTEUR RECOVER benchmark showing model
component relationships including test manoeuvre and failure scenario generation and fault
injection
6.3.2 Implementation
The GARTEUR RECOVER benchmark model consists of a combination of
Matlab® scripts and Simulink® block diagrams. In order to ensure consistency, the
top-level models have been built from common blocks that are linked to libraries.
All blocks and libraries are contained in the root directory of the benchmark called
’RECOVERv65’ (extension ’v65’ referring to the current Matlab® version 6.5.1).
A basic library (B747 library.mdl) contains the basic aircraft, engine and actuator
models, complete with failure models (Fig. 6.24). For the purpose of the GARTEUR
applications, an additional library was developed (ag16 library.mdl),
based on the basic library, that contains the larger and more extensively modified
sub-models out of which the top-level benchmark is built (Fig. 6.25). This extended
library contains models of the aircraft, the actuators, the sensors, the classic flight
control system and the benchmark failure generator.
The actual benchmark model (b747 auto g.mdl) is depicted in Fig. 6.26. The
most important block is airframe which is the combination of the aircraft aerodynamic
model, engines and actuators. It also contains the fault models and the turbulence
and wind models. The inputs to this block are twenty-six separately controllable
aerodynamic surfaces and four engine controls. The autoflight block represents
the implementation of the classic Boeing 747-100/200 autoflight system based on
[11]. This is the block that is to be replaced by any new FTFC controller design and
is intended as a working example of how the new controller is supposed to fit into the
aircraft. The classic autoflight system block consists internally of the B747-100/200
hydro-mechanical flight control system model (FCS) which forms the inner control
loop and the autopilot and autothrottle systems, which together form the outer
control loop.
It is important to note that in the actual aircraft the autoflight block is driven by
switches and dials operated by the pilot. The pilot can independently select a pitch
mode and a roll mode and an autothrottle setting. The pitch mode is used to control
the aircraft in the vertical plane (up and down) and the roll mode is used to control
the aircraft in the horizontal plane (left and right). The autothrottle in the classical
autoflight system is needed to keep the airspeed at a constant reference value during
manoeuvres in the vertical and horizontal plane (advanced flight control concepts,
such as Multi-Input Multi-Output (MIMO) controllers, do not necessarily use thrust
to control airspeed). In the benchmark, the pilot commands are replaced by signals
generated by the benchmark scenario generator. A new FTFC controller is not
required to work in independent axes like the classical autopilot controller; however,
it should be able to accept the same commands.
The Test Scenarios block uses two pitch modes: altitude select and landing
(glideslope) and three roll modes: bank angle command, heading select and landing
(localizer). The Standard Sensors block represents three standard sensor systems
that are available in a modern aircraft, i.e. an Inertial Reference System (IRS), an
Air Data Computer (ADC) and an Instrument Landing System (ILS) receiver. The
ILS model in this block generates the glideslope deviation angle, the localiser
deviation angle and the distance to the threshold. Since the ILS signals have a limited
coverage area, ’glideslope valid’ and ’localizer valid’ signals are available to
determine when the ILS is in range. The Standard Sensors block also contains realistic
measurement noise levels for these sensors. Since the classic Boeing 747-100/200
autoflight system [11] did not exactly use the standard sensors, there is a dedicated
measurements block (B747 Sensors) for this purpose. It should be noted that there
is not more information in these measurements than in the Standard Sensors block,
so any new controller should not use the B747 Sensors block.
The Failure Generator block activates any failure mode, as currently implemented
and described in Section 6.3.3.2, that is selected by the user during the
benchmark initialisation and trim procedure (Section 6.3.6). For the Flight 1862
scenario, all reconstructed failure modes associated with the physical loss of the
two right-wing engines (Fig. 6.8) are activated. The time delay after which a failure
mode is activated during any simulation can be customised in this block.
For interactive (manual) simulation purposes, an open loop simulation model
(b747 funpc d.mdl) is available (Fig. 6.27). It contains the same aircraft, engine
and actuator model as the benchmark. Also the failure generator is exactly the same.
The RECOVER open loop model is in a functional form, i.e. it has explicit inputs
(12) and outputs (140). The inputs basically consist of the pilot’s controls as found
on the Boeing 747 flight deck. The structure of this model is very similar to the
model that is used for trimming (b747 trim d.mdl).
Fig. 6.27 GARTEUR RECOVER functional model for open loop simulation
(b747 funpc d.mdl)
Fig. 6.28 GARTEUR RECOVER benchmark flight scenario for qualification of fault tolerant
flight control systems for safe landing of a damaged large transport aircraft (source: Jerome
Cieslak / IMS-Bordeaux)
qualities are degraded and the flight envelope is severely limited. In the last two
cases, it cannot be expected that the aircraft will be able to follow the reference
trajectory closely. The benchmark assessment criteria have been designed to take
this into account by emphasising end conditions in the specifications (Chapter 7).
Appendix 1 of Chapter 17 shows a complete overview of the failure mode test matrix
for the (piloted) evaluation of the FTFC methods indicating available means of flight
control reconfiguration and assessment criteria.
Fig. 6.29, 6.30, 6.31, 6.32 and 6.33 illustrate how the selected fault cases are
modelled and implemented in the Matlab®/Simulink® RECOVER benchmark model.
As an example, Fig. 6.29 shows the model for the rudder failure modes, including
the rudder hardover and vertical tail loss fault cases. The first part of the rudder
failure model implements fault case #4 (Table 6.3) which is the rudder runaway or
rudder hardover failure mode. In this failure mode, the rudder surfaces are deflected
Table 6.3 GARTEUR RECOVER benchmark standard fault cases and effect on aircraft
handling qualities
Fig. 6.29 Rudder fault model including rudder hardover and vertical tail loss failure modes
Fig. 6.30 Elevator fault model including stuck elevator failure mode
Fig. 6.31 Aileron fault model including stuck aileron failure mode
Fig. 6.32 Stabiliser fault model including stabiliser runaway failure mode
Fig. 6.33 Fault model including estimated aerodynamic effects due to separation of the
right-wing engines No. 3 and 4 (Flight 1862 scenario)
Fig. 6.35 GARTEUR RECOVER benchmark high resolution aircraft visualisation tool
showing out-of-the-window view and electronic flight instrument system (EFIS) displays for
interactive (real-time) simulation and analysis of new fault tolerant flight control systems
(a) Primary Flight Display: indicated airspeed (1), altitude (2), aircraft attitude and
envelope protection limits (3), aircraft heading (4)
(b) EICAS display: engine EPR (1), inboard trailing edge flap position, angle-of-attack,
sideslip and load factor (2), control surface and stabiliser deflections (3)
Fig. 6.36 GARTEUR RECOVER benchmark electronic flight instrument system (EFIS)
display elements
a view of the aircraft’s flight path in the out-of-the-window view allows analysis of
the flight trajectory and manoeuvres. The RECOVER interactive simulation window
can be started via the RECOVER Visualisation button following initialisation of an
open loop or closed loop simulation.
weight and balance of the aircraft, altitude and airspeed and aircraft configuration.
For the Failure event scenario, the pitch mode is selected as Altitude select with a
reference altitude (1000m in this example) and the roll mode is selected as Bank
angle command with a reference bank angle of 0 deg. No further information to the
trim routine is required since everything is prescribed by the test scenario.
Fig. 6.40: The user is then able to set initial values for the controls used for
trimming, but it is usually sufficient to accept the default values here. For trimming,
the b747 trim d.mdl model is used. This completes the setup of the trim routine for
the optimisation. The trim routine runs and gives a trim result in terms of stabiliser
deflection and thrust. The user is asked if he is satisfied with the trim results.
Fig. 6.41: If the optimisation is acceptable, the required engine EPR setting is
derived from the thrust in the next step and the trim results can be saved.
Fig. 6.42: The simulation is performed using the closed loop model given in
b747 auto g.mdl which contains the test scenario generator. When the simulation
has ended, the user is able to save the results and to make some plots. These
plots are generated by the plot sim.m script that can also be activated via the
main menu.
Fig. 6.39 Confirmation of test scenario and aircraft and control mode variables set by the test
scenario
Fig. 6.43: The plotted simulation results of the aircraft states demonstrate that
up to t=5s the flight condition is stable. When the failure is inserted at t=5s the
aircraft begins to diverge. The simulation run has been ended at t=35s because the
angle-of-attack (α) is outside the validated model boundaries.
Fig. 6.44: The calculated specific forces show the effect of the sudden loss of
thrust, due to the separation of the right-wing engines, on the longitudinal
acceleration (Axb) at t=5s. Lateral acceleration (Ayb) shows an increase following the
detachment of the engines at t=5s due to sideslip caused by the asymmetrical thrust
and wing damage configuration.
Fig. 6.40 Controls initialisation for trimming and trim routine results
associated with an engine. Pressurization units for hydraulic power to the flight
control and landing gear systems are located at every engine.
The B747-100/200 flight control system comprises a primary flight control sys-
tem and a secondary flight control system. The primary flight control surfaces are
powered by irreversible hydraulic actuators which are supplied by the four inde-
pendent hydraulic systems. The actuators for the elevator, aileron and rudder sur-
faces are driven by single dual tandem type actuators supplied by two independent
214 H. Smaili et al.
Fig. 6.41 Trimmed engine EPR settings and end of the optimisation procedure
hydraulic systems (full boost). The spoilers of the secondary flight control system
are driven by conventional single cylinder actuators. The availability of the control
surfaces will be affected in case of the loss of hydraulic supply. The control surface
actuators are designed to allow unrestricted operation of the surface in the event of
the loss of one actuator (half boost). When hydraulic supply to both actuators is lost,
the surface reverts to a zero-hinge moment floating position. The arrangements of
the hydraulic power supply distribution for the B747-100/200 flight control system
is summarised in Table 6.4.
The B747-100/200 high lift system consists of the trailing edge flaps and the leading
edge flaps with selectable detents of 1, 5, 10, 20, 25 and 30 degrees. Automatic
flap retraction to the 25 detent (flap load relief) is provided to prevent structural
overload of the fully extended trailing edge flaps when indicated airspeed exceeds
169 kts at flaps 30. Extension of the outboard trailing edge flaps will unlock the
outboard ailerons.
Fig. 6.43 State variables during benchmark run with closed loop model
(b747 auto g.mdl) and Flight 1862 failure case starting at t=5s
Fig. 6.44 Specific forces in body axes during benchmark run with closed loop model
(b747 auto g.mdl) and Flight 1862 failure case starting at t=5s
Table 6.4 Arrangements of the hydraulic power supply distribution for the B747-100/200
flight control system
Table 6.5 B747-100/200 flight control surface operating limits (positive sign: surface
deflection downward / spoiler panel up)
The B747-100/200 flight control surface arrangements and operating limitations
are illustrated in Fig. 6.45 and Table 6.5. Fig. 6.46 and Table 6.6 provide aircraft
operational data and geometric dimensions for both the B747-100/200 and B747-200F
(freighter version). For the benchmark simulation, the B747-100/200 hydraulic and
flight control system specifications, as described in this Section, were taken from
[1, 8].
Fig. 6.45 Boeing 747-100/200 flight control surface arrangements and body axes and
moment definitions (L̄ = rolling moment, M = pitching moment, N̄ = yawing moment,
p = roll rate, q = pitch rate, r = yaw rate)
Fig. 6.47 Simulation demonstrating flight control reconfiguration and safe landing of the
Flight 1862 accident aircraft using Model Predictive Control (MPC) (red: accident aircraft,
green: reconfigured aircraft) [13]
reconfiguration are addressed, formed the basis of a PhD project at the Delft
University of Technology financed by the Dutch Technology Foundation STW. Some
of the developed reconfiguration schemes in this project were further evaluated in
this Action Group.
6.5 Conclusion
A simulation benchmark for the integrated evaluation of new fault detection,
isolation and reconfigurable control techniques has been developed within the framework
of the GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant
Control. The REconfigurable COntrol for Vehicle Emergency Return (RECOVER)
benchmark addresses the need for high-fidelity nonlinear simulation models to
improve the prediction of the performance of newly designed fault tolerant flight
control system algorithms in degraded modes. The GARTEUR RECOVER benchmark
provides accurate failure models, realistic scenarios and assessment criteria for a
civil large transport aircraft with fault conditions ranging in severity from major to
catastrophic. The benchmark aircraft model has been validated against data from
the Digital Flight Data Recorder (DFDR) recovered after the crash of a Boeing
747-200 freighter aircraft (Flight 1862), caused by the separation of its right-wing
engines, in the Amsterdam Bijlmermeer in 1992. For the reconstruction of the
accident flight data, a methodology based on inverse simulation was used to obtain a
proof-of-match between the Flight 1862 DFDR measurements and simulation. This
assured the validity of the simulation, as part of the benchmark, in terms of aircraft
performance and controllability representative of a damaged large transport aircraft
operating in a degraded and limited flight envelope. The identified operational
constraints of the Flight 1862 accident aircraft provided guidance for the fault tolerant
control design challenge in the GARTEUR FM-AG(16) Action Group and a
reference for the definition of the benchmark assessment criteria.
The GARTEUR RECOVER benchmark is suitable for both offline design and
analysis of new fault tolerant flight control systems and integration on simulation
platforms for piloted hardware in the loop testing. The enhanced graphical tools of
the benchmark, including high resolution aircraft visualisation, support tool-based
advanced flight control system design and evaluation within a research, educational
or industrial framework.
Acknowledgements. The authors recognise the contributions of the members of the
GARTEUR FM-AG(16) Action Group to this Chapter. The authors also appreciate the funding
that the Dutch Technology Foundation STW has provided as part of the GARTEUR activities.
Special thanks to Jaap Groeneweg and Ronald Verhoeven of NLR for their contribution to the
RECOVER aircraft visualisation tools. Finally, a word of thanks to all those who have
contributed to the further improvement of the GARTEUR RECOVER benchmark model within
their flight control research programmes, especially Andres Marcos of DEIMOS Space and
Gary Balas of the University of Minnesota.
References
1. Anon. Boeing 747 Aircraft Operations Manual (1976)
2. Anon. EL AL Flight 1862, aircraft accident report 92-11. Netherlands Aviation Safety
Board, Hoofddorp, The Netherlands (1994)
3. Anon. MIL-HDBK-1797 Flying qualities of piloted aircraft (1997)
4. Federal Aviation Administration, Department of Transport. FAR/JAR 25 Airworthiness
Standards: Transport Category Airplanes
5. Fischenberg, D.: Ground effect modeling using a hybrid approach of inverse simulation
and system identification. In: AIAA Modeling and Simulation Technologies Conference
and Exhibit, AIAA-1999-4324, Portland, OR (August 1999)
6. GARTEUR. GARTEUR RECOVER benchmark quickstart guide (2009)
7. Hallouzi, R., Verhaegen, M., Kanev, S.: Model weight estimation for FDI using convex
fault models. In: IFAC Conference 2006 (2006)
8. Hanke, C.R.: The simulation of a large transport aircraft. Modeling data, vol. II. NASA
CR-114494 (September 1970)
9. Hanke, C.R.: The simulation of a large transport aircraft. Mathematical model, vol. I.
NASA CR-1756 (March 1971)
10. Harefors, M., Bates, D.G.: Integrated propulsion-based flight control system design for a
civil transport aircraft. In: Proceedings of the IEEE Conference on Control Applications,
Glasgow (September 2002)
11. van Keulen, R.: Real-time simulation and analysis of the automatic flight control
system of the Boeing 747-200. Final thesis, Delft University of Technology, Faculty of
Aerospace Engineering, Delft, The Netherlands (1991)
12. van der Linden, C.A.A.M.: DASMAT - Delft University Aircraft Simulation Model and
Analysis Tool. Report LR-781, Delft University of Technology, Faculty of Aerospace
Engineering, Delft, The Netherlands (1996)
13. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight
1862. In: IFAC Safeprocess Conference (2003)
14. Marcos, A., Balas, G.J.: Linear parameter varying modeling of the Boeing 747-100/200
longitudinal motion. American Institute of Aeronautics and Astronautics 2001,
AIAA-2001-4347 (2001)
15. Marcos, A., Balas, G.J.: A Boeing 747-100/200 aircraft fault tolerant and fault diagnostic
benchmark. Technical Report AEM-UoM-2003-1, University of Minnesota, Minnesota
(June 2003)
16. National Transportation Safety Board. In-flight engine separation Japan Airlines, Inc.
Flight 46E, Boeing 747-121, N473EV, Anchorage, Alaska, March 31 (1993); Aircraft
accident report NTSB/AAR-93/06 (October 1993)
17. Smaili, M.H.: Flight data reconstruction and simulation of El Al Flight 1862. Final thesis,
Delft University of Technology, Faculty of Aerospace Engineering, Delft, The
Netherlands (1997)
18. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992
Amsterdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies
Conference and Exhibit, AIAA-2000-4586, Denver, CO (August 2000)
19. Szaszi, I., et al.: Application of FDI to a nonlinear Boeing 747 aircraft. In: 10th
Mediterranean Conference on Control and Automation - MED 2002 (2002)
Chapter 7
Assessment Criteria as Specifications for
Reconfiguring Flight Control
7.1 Introduction
To obtain a quantitative measure of predicted FTFC system performance in degraded
modes, specifications need to be defined to assess proper functioning under realistic
operational flight conditions. The goal of the benchmark specifications modelling,
as described in this chapter, is to create a set of assessment criteria in order to
evaluate the quality of the performance of fault detection and identification (FDI) and
reconfigurable control algorithms. The lay-out of this chapter is as follows. First,
the specifications modelling process is introduced by discussing the benchmark
scenario. Subsequently, the general evaluation criteria will be considered by defining
two classes of test manoeuvres. Thereafter, focus is placed on the test manoeuvres
for FTFC qualification, which is the major topic of this chapter. After the
discussion on how the assessment quantities of interest can be divided into two categories,
four qualification test manoeuvres are discussed in depth. These include straight
flight, right turn and localizer intercept, glideslope intercept and final approach with
sidestep. Finally, a summary of the specified assessment quantities is given for the
different FTFC qualification test manoeuvres. These criteria have also been
published in Ref. [3].

Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Diederick Joosten
Delft University of Technology, Delft Center of Systems and Control,
Mekelweg 2, 2628 CD Delft, The Netherlands
e-mail: d.a.joosten@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Jan Breeman
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 223–243.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
Fig. 7.1 Benchmark scenario with test manoeuvres for qualification of FTFC techniques
Fig. 7.2 Graphic representation of FDI and control reconfiguration assessment criteria
representing test manoeuvre with trajectory constraints
Fig. 7.3 Graphic representation of FDI and control reconfiguration assessment criteria
representing test manoeuvre with end-point position constraints
operational limitations, which can be divided into two categories, according to the
relevant part of the time span. When a failure occurs at time $t_0$, the flight control
systems have some time for identification and reconfiguration up to the moment
$t_{recovery}$, whereafter a test manoeuvre is performed in order to analyse if the
reconfiguration was successful.
In the first part, where identification and reconfiguration take place, the variables
are limited by structural and crew capability (human performance) boundaries. After
$t_{recovery}$ the qualification test manoeuvre is performed. In the case of a test
manoeuvre with trajectory constraints, some fairly stringent manoeuvre limitations are
defined for the relevant assessment quantity values from $t_{recovery}$ onward till the end
of the test manoeuvre. These limitations define a box which specifies if the manoeuvre
performance is desired or adequate (Fig. 7.2). On the other hand, when a test
manoeuvre is considered with end-point position constraints, the relevant assessment
quantity values are restricted to a larger range defined by slightly reduced safe
flight boundaries as initial trajectory constraints (critical manoeuvre limitations,
Fig. 7.3). More stringent boundaries to evaluate the manoeuvre quality are then defined
at the end point $t_{final}$, where the boundaries represent a limitation box specifying
whether the manoeuvre performance is desired or adequate. The aircraft must be in
(quasi) steady state at $t_{final}$, otherwise the performance criteria cannot be guaranteed
persistently.
A possible definition of adequate and desired performance boxes for the benchmark
flight phases including straight flight, right turn and localizer intercept, glideslope
intercept and final approach with sidestep down to decision height will be
discussed later in this chapter. The performance limitations may depend on many
other variables, like indicated airspeed of the aircraft and altitude. Therefore, it is
important to define one representative reference trajectory with fixed altitude and
velocity as initial conditions, because in that way the complexity is already reduced
considerably. Here, most interest is in low altitudes because of the small margins
there.
The manoeuvres are a very important aspect in this work. It should be noted that
there are two kinds of manoeuvres. The first kind are manoeuvres for parameter
identification that take place in the identification and reconfiguration phase, before
$t_{recovery}$ in Fig. 7.2 and 7.3; these are facultative manoeuvres. The other kind of
manoeuvres are test manoeuvres for qualification which are performed during the
second part of the time span in Fig. 7.2 and 7.3, after $t_{recovery}$. These are mandatory
for qualification of the fault tolerant flight control system.
Table 7.1 Initial conditions for the three benchmark scenarios: nominal flight, heavy weight
(Flight 1862) and low weight (Flight 1862)
The initial conditions for the benchmark qualification test manoeuvres are defined
in Table 7.1. A distinction is made between a nominal flight scenario, a heavy
weight Flight 1862 scenario and a low weight Flight 1862 scenario, since each of the
Flight 1862 scenarios has a different aircraft weight value. In the nominal situation,
the aircraft weight is approximately 263 tons and the touchdown speed is 165 knots.
As the Flight 1862 accident happened just after take off, the aircraft weight was
considerably higher, namely 317 tons (after separation of the right-wing engines).
As a result, the crew had to maintain a high speed of about 260
knots, which reduced the chances for a survivable landing significantly. Based on
the Flight 1862 performance capability analysis [4], the aircraft was able to maintain
level flight in order to reduce the landing weight by dumping fuel. A weight
reduction due to fuel jettison down to approximately 263 tons would have led to a
more survivable landing at a speed of about 210 knots.
With the flap setting stuck at 1 and an aircraft weight of 317 tons, the minimum
speed is limited to the relatively high value of 133.8 m/s. The stuck flap setting at
position 1 in the case of the Flight 1862 accident scenario results in a minimum
allowable speed of 108 m/s in the final approach phase at a weight of 263 tons in
the case of fuel jettison.
The benchmark qualification test manoeuvres are based on operational procedures
in order to approximate realistic flight conditions as much as possible. To
achieve this, some manoeuvres have been based upon the instrument approach chart
to runway 27 of Amsterdam airport Schiphol (ICAO-code EHAM). This chart is
included in the appendix of this chapter. In this chart, a red line marks the trajectory
of the Flight 1862 accident aircraft. Indicated in green in this chart is the approximate
trajectory of the proposed benchmark scenario. Note that closely following
this trajectory is not part of the benchmark criteria. The end-point is more relevant
than the trajectory in this set-up.
Table 7.2 Specified assessment quantities for the straight flight qualification manoeuvre
sb   cc   symbol   quantity
✓    ✓    V        velocity
✓    ✓    χ        course or track angle
✓    ✓    γ        flight path angle
✓         α        angle of attack
✓    ✓    β        sideslip angle
✓    ✓    nz       load factor
✓    ✓    φ        roll angle
order to analyse this manoeuvre, the assessment quantities of interest are defined in
Table 7.2. The abbreviations sb and cc in the first two columns of the table represent
specification boundary (sb) and competitiveness criteria (cc) respectively.
Applying the above mentioned specifications and criteria to the benchmark simulation
model with the classical (mechanical) flight control system results in the plots
shown in Fig. 7.5. The performance of each fault tolerant control design can be
assessed by generating similar plots for the relevant outputs. The routines to generate
the performance plots are an integral part of the benchmark simulation software
package.
In Fig. 7.5, competitiveness criteria apply on all shown states, except for the angle
of attack α. The light regions indicate where the desired performance is not met,
where failure to achieve adequate performance is indicated by the darker regions.
It is clear that for the straight flight phase, trajectory constraints apply. Fig. 7.5
shows that the baseline aircraft model, with classical control system, satisfies all
assessment criteria for the straight flight phase with considerable margins.
Fig. 7.4 Definition of performance boxes for straight flight qualification manoeuvre
[Figure 7.5 plots: (a) aircraft states VTAS [m/s], χ [°], γ [°], α [°], β [°], nz [−] and
φ [°] against time [s]; (b) kinematic accelerations axb, ayb and azb [m/s2] against time [s]]
Fig. 7.5 Specifications on the aircraft states for the downwind straight flight qualification
manoeuvre
Table 7.3 Specified assessment quantities for the right turn and localizer intercept
qualification manoeuvre
sb cc symbol quantity
✓ xrunway distance from runway threshold
✓ ✓ λ localizer deviation during end phase
Λ LOC intercept angle
✓ ✓ V velocity
✓ φ roll angle during turn
✓ ✓ φ roll angle during end phase
✓ p roll rate during end phase
✓ q pitch rate during end phase
✓ r yaw rate during end phase
✓ ax longitudinal acceleration during end phase
✓ ay lateral acceleration during end phase
✓ az vertical acceleration during end phase
✓ α angle of attack
✓ ✓ β sideslip angle
✓ ✓ Ay lateral specific force
✓ ✓ nz load factor
✓ ✓ Δh altitude deviation

are imposed on the turn manoeuvre itself (e.g. a left turn is also allowed, as can be
seen in Fig. 7.6), except for the fact that the time necessary to complete the turn is a
competitiveness criterion. The specific lateral force Ay and altitude changes Δh
during this manoeuvre should be minimal for the sake of passenger comfort and
trajectory accuracy respectively. The localizer intercept manoeuvre
is performed with a 45° heading change, where ±5° deviation is still acceptable
and velocity should be close to the reference value. After this manoeuvre, the
aircraft should be on the localizer beam. In order to analyse this final position and the
equilibrium at the end of this manoeuvre, an end phase for evaluation is defined.
This end phase starts at the moment the aircraft crosses a vertical plane at 15 km
distance from the runway threshold. From this moment onward, the end phase lasts
for the following 10 seconds, during which angular rates and linear accelerations
should remain within their predefined equilibrium limits to show that the aircraft is
fully stabilized. The relevant assessment quantities during the complete manoeuvre
are enumerated in Table 7.3. The abbreviations sb and cc in the first two columns
of the table represent specification boundary (sb) and competitiveness criteria (cc)
respectively. As illustrated by the performance box in Fig. 7.6, it is clear that the
allowed cross track deviation is presented as the localizer angular deviation, while
the longitudinal deviation is linear. The roll angle φ is an assessment quantity to
verify if the aircraft rolled out properly to end the turn manoeuvre. As the localiser
and glideslope are presented to the pilot on an uncalibrated scale, the deviations are
indicated in "dots" (1 dot is 1.25°). During tracking of the localizer, 0.5 dot localiser
deviation is allowed as a maximum, see also Fig. 7.7. The right turn and localizer
intercept performance criteria are as follows:
Applying the above mentioned specifications and criteria to the benchmark simulation
model with the classical control system results in the plots shown in Fig. 7.8.
Fig. 7.6 Definition of performance boxes for right turn and localizer intercept
Fig. 7.7 Primary Flight Display (PFD) with the Localizer (LOC) deviation scale and magenta
diamond shaped LOC signal indicator in the middle of the scale
In Fig. 7.8, competitiveness criteria apply on all shown states, except for the angle
of attack α. The light regions indicate where the desired performance is not met,
where failure to achieve adequate performance is indicated by the darker regions.
It is clear that end-point position constraints can be found for certain states in the
right turn and localizer intercept phase. It can be seen in Fig. 7.8 that not all criteria
are met. More precisely, the roll angle φ the aircraft achieves is slightly too large.
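The end-phase evaluation described above for the right turn and localizer intercept, as an added example (not part of the benchmark software, and written in Python rather than the benchmark's Matlab): it finds the crossing of the 15 km plane, takes the following 10 s and checks angular rates, linear accelerations and localizer deviation in dots. The numeric rate and acceleration limits and the record field names are assumptions, since this section does not list them, and the sample record is constructed.

```python
"""End-phase evaluation for the right turn and localizer intercept manoeuvre."""
from typing import Dict, List, Optional, Tuple

DOT_DEG = 1.25               # from the text: 1 dot is 1.25 deg
MAX_LOC_DOTS = 0.5           # from the text: maximum deviation while tracking
END_PHASE_PLANE_M = 15000.0  # from the text: vertical plane 15 km from threshold
END_PHASE_LENGTH_S = 10.0    # from the text: end phase lasts 10 s

# ASSUMPTION: the numeric equilibrium limits are not given in this section;
# these placeholder values only make the example executable.
ASSUMED_LIMITS = {
    "p": 1.0, "q": 1.0, "r": 1.0,     # angular rates [deg/s]
    "ax": 0.5, "ay": 0.5, "az": 0.5,  # linear accelerations [m/s^2]
}

Sample = Dict[str, float]  # hypothetical record layout: t, x_runway, loc_dev_deg, p, q, ...


def end_phase_window(samples: List[Sample]) -> Optional[Tuple[float, List[Sample], bool]]:
    """Return (t_cross, samples in the end phase, record covers all 10 s)."""
    t_cross = None
    for prev, cur in zip(samples, samples[1:]):
        # The aircraft approaches the runway, so x_runway decreases through the plane.
        if prev["x_runway"] > END_PHASE_PLANE_M >= cur["x_runway"]:
            t_cross = cur["t"]
            break
    if t_cross is None:
        return None  # plane never crossed: the end phase cannot be evaluated
    t_end = t_cross + END_PHASE_LENGTH_S
    window = [s for s in samples if t_cross <= s["t"] <= t_end]
    return t_cross, window, samples[-1]["t"] >= t_end


def assess_end_phase(samples: List[Sample], limits: Dict[str, float] = ASSUMED_LIMITS) -> dict:
    """Check every end-phase sample against the limits; list (quantity, time) violations."""
    found = end_phase_window(samples)
    if found is None:
        return {"crossed": False, "complete": False, "t_start": None,
                "max_loc_dots": None, "violations": [], "passed": False}
    t_cross, window, complete = found
    violations = []
    for s in window:
        for name, limit in limits.items():
            if abs(s[name]) > limit:
                violations.append((name, s["t"]))
        if abs(s["loc_dev_deg"]) / DOT_DEG > MAX_LOC_DOTS:
            violations.append(("loc", s["t"]))
    max_loc_dots = max(abs(s["loc_dev_deg"]) for s in window) / DOT_DEG
    return {"crossed": True, "complete": complete, "t_start": t_cross,
            "max_loc_dots": max_loc_dots, "violations": violations,
            # A truncated record cannot show that the aircraft stayed stabilized.
            "passed": complete and not violations}


def constructed_run(duration_s: int = 20, yaw_kick_at: Optional[int] = None) -> List[Sample]:
    """Constructed 1 Hz record: 90 m/s approach with transients decaying after roll-out."""
    run = []
    for t in range(duration_s + 1):
        decay = 0.5 ** t
        run.append({
            "t": float(t),
            "x_runway": 15450.0 - 90.0 * t,   # crosses the 15 km plane at t = 5 s
            "loc_dev_deg": 1.0 * 0.8 ** t,
            "p": 3.0 * decay, "q": 1.0 * decay, "r": 2.0 * decay,
            "ax": 0.4 * decay, "ay": 0.8 * decay, "az": 1.0 * decay,
        })
    if yaw_kick_at is not None:
        run[yaw_kick_at]["r"] = 2.5  # constructed disturbance inside the end phase
    return run


if __name__ == "__main__":
    for label, run in (("stabilized", constructed_run()),
                       ("yaw disturbance", constructed_run(yaw_kick_at=8)),
                       ("record too short", constructed_run(duration_s=10))):
        print(label, assess_end_phase(run))
```

The roll rate of 3 deg/s at the start of the constructed record exceeds the assumed limit but is not reported, because it occurs before the plane crossing and so lies outside the end phase.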
[Figure 7.8 plots: (a) aircraft states lambda [°], VTAS [m/s], φ [°], pb [°/s], qb [°/s],
rb [°/s], α [°], β [°], nz [−] and ny [−] against time [s]; kinematic accelerations axb,
ayb and azb [m/s2]]
Fig. 7.8 Specifications on the aircraft states for the right hand turn and localizer intercept
flight qualification manoeuvre
Table 7.4 Specified assessment quantities for the glideslope intercept qualification
manoeuvre
sb cc symbol quantity
✓ xrunway longitudinal distance from runway threshold
✓ ✓ V velocity
✓ ✓ Γ glideslope deviation during end phase
✓ α angle of attack
✓ p roll rate during end phase
✓ q pitch rate during end phase
✓ r yaw rate during end phase
✓ ax longitudinal acceleration during end phase
✓ ay lateral acceleration during end phase
✓ az vertical acceleration during end phase
✓ ✓ nz load factor
✓ ✓ λ localizer deviation
However, for comfort reasons, it is advisable to enforce that the fault tolerant flight
control designs satisfy this requirement.
Fig. 7.9 Primary Flight Display (PFD) with the Glideslope (GS) deviation scale and magenta
diamond shaped GS signal indicator in the middle of the scale
Fig. 7.10 Definition of performance boxes for glideslope intercept qualification manoeuvre
In Fig. 7.11, competitiveness criteria apply on all shown aircraft states, except
for the angle of attack α . As with the foregoing specifications, the light regions
indicate where the desired performance is not met and failure to comply with ade-
quate performance is indicated by the darker regions. For this test phase, end-point
constraints apply after the glideslope interception point. For this particular exam-
ple with the baseline classical control system, the aircraft satisfies all assessment
criteria for the glideslope intercept phase with considerable margins, except for the
localizer error angle λ . However, this maximum localizer deviation can still be used
as a design guideline for the fault tolerant control designs.
[Figure 7.11 plots: (a) aircraft states VTAS [m/s], Γ [°], α [°], pb [°/s], qb [°/s], rb [°/s], nz [−], λ [°], γ [°] versus time [s]; (b) kinematic accelerations axb, ayb, azb [m/s2] versus time [s]]
Fig. 7.11 Specifications on the aircraft states for the glideslope intercept qualification
manoeuvre
Table 7.5 Specified assessment quantities for the final approach with sidestep qualification
manoeuvre
Some turbulence is included during this manoeuvre. No special limitations are im-
posed on the approach manoeuvre itself, except for the fact that the time necessary
to complete the approach is a competitiveness criterion. Additionally, lateral spe-
cific force Ay and glideslope deviations Γ during this manoeuvre should be minimal
for the sake of passenger comfort and trajectory accuracy respectively. However,
after this manoeuvre, the aircraft should arrive in a predefined performance box on
decision height above the runway (note that the flare manoeuvre is not included in
this study). The origin of the reference frame for these performance boxes is placed
at decision height on the centerline of the runway above the runway threshold and is
defined as the end-point. It is assumed that the aircraft ends up in the vicinity of this
point at the end of the manoeuvre. In order to analyse this final position and the equi-
librium at the end of this manoeuvre, an end phase for evaluation is defined. This end
phase starts 10 seconds before the aircraft reaches the runway threshold and ends on
the moment the aircraft crosses the threshold. During this test phase, angular rates
and linear accelerations should remain within their predefined equilibrium limits. To
analyse the complete manoeuvre, the assessment quantities of interest are enumer-
ated in Table 7.5. The abbreviations sb and cc in the first two columns of the table
represent the specification boundary (sb) and competitiveness criteria (cc) respec-
tively. As can be seen from the illustration of the performance box in Fig. 7.12, the
allowed cross track deviation Δy is more restricted than the wider longitudinal Δx
range. Also in this phase, the roll angle φ is an assessment quantity to verify if the
aircraft rolled out properly to end the turn manoeuvre. The vertical speed w can be
deduced from the glideslope angle γ and forward speed u. The heading ψ is a mea-
sure of the alignment of the aircraft with the runway. A measure of the alignment
of the velocity vector with the runway is indicated by the track angle χ . Because
arriving at the runway is the main challenge, the track should be aligned with the
runway and not necessarily the heading. The heading deviates from the track angle
due to the wind components. Normally the aircraft will align the heading with the
runway to put the landing gear wheels in the direction of the ground velocity. This is
called a de-crab manoeuvre, but this is not a strictly necessary practice during Boe-
ing 747 crosswind landings according to the Aircraft Operation Manual, so it is not
considered here. However, it should be noted that de-crab is still required for other
types of aircraft. For the Boeing 747 aircraft, the roll angle φ should be kept small
close to the ground in order to prevent one of the outboard engines and/or wingtips
hitting the runway. For this reason, a roll angle deviation of maximum ±8° is
acceptable. Lateral velocity vr with reference to the runway is also relevant here, since
lateral velocity is not consistent with sideslip angle β in the presence of turbulence.
Also the angular rates p, q, r (pitch, roll and yaw) should be minimal in order to
guarantee a smooth touchdown. Finally the angle of attack α should be well within
its stall limits.
Applying the above mentioned specifications and criteria on the simulation model
with the classical controller results in the plots shown in Fig. 7.13.
In Fig. 7.13, competitiveness criteria apply on all shown states, except for the
angle of attack α . Again, the light regions indicate where the desired performance
is not met, and adequate performance failure is indicated by the darker regions. It
is clear that for this phase, end-point position constraints apply. For this particular
example with the baseline aircraft model including classical control system, a num-
ber of criteria have been violated. However, these requirements can still be used as a
design guideline for the fault tolerant control systems. Since these advanced control
systems have more freedom to control the aircraft, it can be expected that they are
capable of meeting these requirements.
Fig. 7.12 Definition of performance boxes for approach with sidestep qualification
manoeuvre
[Figure 7.13 plots: (a) aircraft states u, w, ψ, χ, φ, vr, pb, qb, rb, α, nz versus time [s]; (b) kinematic accelerations axb, ayb, azb [m/s2] versus time [s]]
Fig. 7.13 Specifications on the aircraft states for the final approach with sidestep qualification
manoeuvre
7.3 Discussion
The proposed assessment criteria, as discussed in this chapter, can be used to eval-
uate the performances of the different fault tolerant control methods and strategies.
Table 7.6 Summary of all benchmark assessment quantities and their relevance for each
qualification test manoeuvre
By making a distinction between the four qualification test manoeuvres described
above, instead of considering one global sequence of manoeuvres, it is possible
to identify particular advantages and disadvantages of each FTFC method. The test
scenarios have been integrated in the FTFC benchmark simulation environment for
analytical evaluation purposes. A final assessment using piloted simulation (as con-
ducted on the SIMONA research simulator of Delft University of Technology as
part of this study) will provide pilot opinions on the operational acceptability of the
designed FTFC methodologies. Real-time piloted simulation also makes it possible
to analyse objectively the failure accommodation capabilities and handling qualities
of reconfigurable flight control systems for aircraft subjected to critical structural
and system failure modes. By flying the benchmark scenario with the baseline non-
damaged aircraft model, a comparison can be made to determine the overall quality
of all control algorithms with reference to the standard situation.
7 Assessment Criteria as Specifications for Reconfiguring Flight Control 241
References
1. Hajiyev, C., Fikret, C.: Fault diagnosis and reconfiguration in flight control systems.
Kluwer Academic, Boston (2003)
2. Lombaerts, T.J.J., Breeman, J., Joosten, D.A., van den Boom, T.J.J., Chu, Q.P., Mulder,
J.A., Verhaegen, M.: Specifications modelling document for Garteur AG16 fault tolerant
control. Technical report, Delft University of Technology (December 2005)
3. Lombaerts, T.J.J., Joosten, D.A., Breeman, J.A., Smaili, M.H., van den Boom, A.J.J., Chu,
Q.P., Mulder, J.A., Verhaegen, M.: Assessment criteria as specifications for reconfiguring
control. In: AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA-
2006-6331, Keystone, CO (August 2006)
4. Smaili, H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Amster-
dam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies
conference and exhibit, AIAA-2000-4586 (August 2000)
Part III
Design Methods and Benchmark Analysis
Chapter 8
Fault Tolerant Control Using Sliding Modes with
On-Line Control Allocation
8.1 Introduction
8.1.1 Sliding Mode Control
Sliding mode control was conceived in the USSR during the 1950’s and spread to
the ‘west’ after the end of the ‘cold war’. Sliding mode control (SMC) is a non-
linear type of control methodology and a special case of variable structure control.
An interesting account of early developments in this area appears in [26]. SMC is a
robust control methodology and it is quite unique compared to other controller de-
sign paradigms, since the performance of the controller depends on the design of the
‘sliding surface’ and not the state tracking directly. The idea of sliding mode control
is to force the trajectory of the states onto a predefined surface in the state space.
Once reached (usually in finite time), the states are forced to remain on that surface
for all subsequent time. Sliding mode control has an inherent robustness property
to a certain type of uncertainty which makes SMC a strong candidate for passive
fault tolerant control (FTC). Recent accounts of the theory associated with sliding
modes appear in [14, 27]. Sliding mode control systems are, in theory, completely
insensitive to a class of uncertainty called matched uncertainty [14]. This represents
uncertainty which occurs in the channels associated with the control inputs. Intu-
itively this suggests SMC schemes should inherently have passive FTC capability
with respect to actuator faults. The work by Hess & Wells [19] argues that sliding
mode control has the potential to become an alternative to reconfigurable control
and has the ability to maintain the required performance without requiring fault
detection and isolation (FDI).
Halim Alwi
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: ha18@le.ac.uk
Christopher Edwards
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: ce14@le.ac.uk
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 247–272.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
There are two stages for designing SMC controllers. First to be designed is the
sliding surface. Only then can the control law be designed so that sliding is achieved
in finite time, and once achieved, is maintained on the surface. Once sliding occurs,
robustness to matched uncertainty is guaranteed and the system behaves as a re-
duced order motion independent of the control. The closed loop performance of
the scheme depends on the choice of the sliding surface. Traditional sliding mode
control laws consist of linear and nonlinear components. The nonlinear control law
drives the states towards the sliding surface and once on the surface, the linear con-
trol law becomes more dominant. This chapter considers the design of a certain type
of sliding mode controller based on an uncertain linear representation of the plant.
For this class of system, under the assumption that all states are available, there is a
good deal of literature to describe the different design approaches – ostensively for
the selection of the sliding surface (see for example [14]). In this chapter, a so–called
unit–vector controller [22] will be adopted.
The combination of sliding modes and CA therefore seems to have great potential
for the development of simple, robust fault tolerant flight controllers. Shin et al. [23],
Wells & Hess [28] and Shtessel et al. [24] are some of the researchers actively
working on this combination. However most of this literature uses only CA schemes,
without formally exploring in detail the stability of the closed loop system. In [3],
a rigorous design procedure has been developed from a theoretical perspective to
achieve FTC while proving stability for a class of faults and failures. This chapter
describes designs, and the associated performance analysis of the sliding mode FTC
scheme from [3], on the GARTEUR AG16 benchmark.
where $A \in \mathbb{R}^{n \times n}$ and $B \in \mathbb{R}^{n \times m}$. The effectiveness gain $K(t) = \mathrm{diag}(k_1(t), \ldots, k_m(t))$
where the $k_i(t)$ are scalars satisfying $0 \le k_i(t) \le 1$. These scalars model a decrease
in effectiveness of a particular actuator. If $k_i(t) = 0$, the $i$th actuator is working
perfectly whereas if $k_i(t) > 0$, a fault is present, and if $k_i(t) = 1$ the actuator has failed
completely. In this chapter, information about $K(t)$ will be incorporated into the
control allocation algorithm. In most CA strategies, the control signal is distributed
equally among all the actuators [23, 24, 28] or distributed based on the limits (posi-
tion and rate) of the actuators [13, 5, 6, 18]. In this chapter, the control is distributed
based on the efficiency of the actuators, and redistributed to the remaining ‘healthy’
actuators when faults/failures occur.
The information necessary to compute K(t) on–line in real time can be supplied
by a fault reconstruction scheme as described in [25] for example, or by using a mea-
surement of the actual actuator deflection which is available in many systems e.g.
passenger aircraft [7]. Alternatively fault reconstruction schemes based on Kalman
filters [29] can be used. The idea is that if an actuator fault occurs, the control input
u(t) is reallocated to minimize the use of the faulty control surfaces.
$$B = B_\nu N \tag{8.2}$$
where $B_\nu \in \mathbb{R}^{n \times l}$, $N \in \mathbb{R}^{l \times m}$ and both matrices have rank $l < m$ [18]. Then a ‘virtual
control input’ is defined as
$$\nu(t) := N u(t)$$
The control law $\nu(t)$ is designed based on the pair $(A, B_\nu)$ which is assumed to be
controllable. Once the design of $\nu(t)$ is complete, by direct manipulation, the true
control signal $u(t)$ is recovered as $u(t) = N^\dagger \nu(t)$ where $N^\dagger \in \mathbb{R}^{m \times l}$ is a right
pseudo-inverse of the matrix $N$. The choice of $N^\dagger$ is not unique and different approaches
have been proposed in the literature [23, 13, 5, 6, 18] for the choice of the pseudo
inverse $N^\dagger$. However for most systems with actuator redundancy, the assumption
that $\mathrm{rank}(B) = l < m$ is not valid and hence the perfect factorization in (8.2) cannot
hold. However usually the system states can be reordered, and the matrix $B$ from
(8.1) can be partitioned as:
$$B = \begin{bmatrix} B_1 \\ B_2 \end{bmatrix} \tag{8.3}$$
where $B_1 \in \mathbb{R}^{(n-l) \times m}$ and $B_2 \in \mathbb{R}^{l \times m}$ has rank $l$. The partition is in keeping with
the notion of splitting the control law from the control allocation task [17, 13, 4].
This separation comes naturally with design methods like feedback linearization
and backstepping [17, 4]. In most aircraft systems the control objectives can be
achieved by commanding some desired moment to be generated by the control
surfaces [17, 4]. Therefore in aircraft systems, $B_2$ is associated with the equations of
angular acceleration in roll, pitch and yaw [18]. However this can be extended to
any system even for systems which have no obvious splitting of control law and
control allocation [4]. Here it is assumed that the matrix $B_2$ represents the dominant
contribution of the control action on the system, while $B_1$ generally will have
elements of small magnitude compared with $B_2$. Compared to the work in [23] where
it is assumed that $B_1 = 0$, here $B_1 \neq 0$ will be considered explicitly in the controller
design and in the stability analysis. It will be assumed without loss of generality
that the states of the system in (8.1) have been transformed so that $B_2 B_2^T = I_l$ and
therefore $\|B_2\| = 1$. This is always possible since $\mathrm{rank}(B_2) = l$ by construction. As
in [3], let the ‘virtual control’
so that
$$u(t) = B_2^\dagger \nu(t) \tag{8.5}$$
where the pseudo inverse is chosen as
$$W := I - K \tag{8.8}$$
$$\dot{x}(t) = A x(t) + \begin{bmatrix} B_1 B_2^\dagger \\ I_l \end{bmatrix} \nu(t) - \begin{bmatrix} B_1 K B_2^\dagger \\ B_2 K B_2^\dagger \end{bmatrix} \nu(t) \tag{8.9}$$
$$\sigma(t) = S x(t)$$
where $S \in \mathbb{R}^{l \times n}$ and $\det(S B_\nu) \neq 0$. The matrix $S$ represents design freedom. Let S
be the hyperplane defined by
If a control law can be developed which forces the closed–loop trajectories onto the
surface S in finite time and constrains the states to remain there, then an ideal slid-
ing motion is said to have been attained [14]. During the sliding motion, some of the
dynamics of the closed–loop system collapse, and the sliding dynamics associated
with the motion once constrained to S will be of order n − m. The selection of the
sliding surface is the first part of any design and defines the system’s closed–loop
performance. The sliding surface will be designed based on the nominal no fault
condition (K = 0). The second aspect of the control design, is the synthesis of a
control law to guarantee that the surface is reached in finite time and a sliding mode
is subsequently maintained.
First define
$$\hat{\nu}(t) := (B_2 W^2 B_2^T)(B_2 W B_2^T)^{-1} \nu(t) \tag{8.10}$$
then as argued in [3], after a coordinate transformation, $x \to T_r x = \hat{x}$, where
$$T_r = \begin{bmatrix} I & -B_1 B_2^T \\ 0 & I_l \end{bmatrix} \tag{8.11}$$
where
$$B_2^+ := W^2 B_2^T (B_2 W^2 B_2^T)^{-1} \tag{8.13}$$
and
$$B_2^N := (I - B_2^T B_2) \tag{8.14}$$
It is important to point out that there is an upper bound on the norm of the
pseudo-inverse $B_2^+$ in (8.13) which is independent of $W$. Specifically:
$$\|B_2^+\| = \|W^2 B_2^T (B_2 W^2 B_2^T)^{-1}\| < \gamma_0 \tag{8.15}$$
If $(\hat{A}, \hat{B})$ is controllable, then $(\hat{A}_{11}, \hat{A}_{12})$ is controllable [14] and a matrix $M$ can
always be found to make $\tilde{A}_{11} = \hat{A}_{11} - \hat{A}_{12} M$ stable. Also since
$$\|M B_1 B_2^N B_2^+\| < \|M B_1 B_2^N\| \, \|B_2^+\| < \gamma_1 \gamma_0$$
provided $\gamma_1 < \frac{1}{\gamma_0}$, $\|M B_1 B_2^N B_2^+\| < 1$ for all $0 < W \le I$. To facilitate the subsequent
analysis, define
$$\tilde{G}(s) := \tilde{A}_{21} (sI - \tilde{A}_{11})^{-1} B_1 B_2^N \tag{8.18}$$
where $s$ represents the Laplace variable and the matrix $\tilde{A}_{21} := M \tilde{A}_{11} + \hat{A}_{21} - \hat{A}_{22} M$.
By construction the transfer function $\tilde{G}(s)$ is stable. If
$$\|\tilde{G}(s)\|_\infty = \gamma_2 \tag{8.19}$$
Proposition 8.2. During a fault or failure condition, for any combination of $0 <
w_i \le 1$, the closed–loop system will be stable if
$$0 \le \frac{\gamma_2 \gamma_0}{1 - \gamma_1 \gamma_0} < 1 \tag{8.20}$$
which is more in keeping with the notation in [14]. Note here $\hat{S}\hat{B} = I_l$ and so this
simplifies to $\hat{\nu}_l(t) = -\hat{S}\hat{A}x(t)$.
Remark 4: The control structure in (8.22) is known as a ‘unit vector’ controller
since the vector component $\frac{\sigma}{\|\sigma\|}$ has unity norm [22].
Remark 5: Whilst SMC has been successfully tested on systems with faulty actuators,
it was claimed that SMC cannot deal directly with total failures [21]. However,
in this chapter, provided that the choice of sliding surface matrix $M$ satisfies the
stability condition (8.20), the SMC for the ‘virtual’ system proposed above, can handle
actuator failures in the original system provided that $\det(B_2 W B_2^T) \neq 0$.
elevators (an inner and outer on each left and right elevator), a horizontal stabilizer
and 4 engine thrusts (which are controlled through engine pressure ratios (EPR)).
The controller design objective considered here is to bring a faulty aircraft to
a near landing condition. This can be achieved by a change of direction through a
‘banking turn’ manoeuvre [8], followed by a decrease in altitude and speed. This can
be achieved by tracking appropriate roll angle ($\phi$) and sideslip angle ($\beta$) commands
using the lateral controller, and tracking flight path angle (FPA) and airspeed ($V_{tas}$)
commands using the longitudinal controller. For lateral control, the settling time
when there is no fault/failure should be approximately 20 s for $\phi$ and 20 s for $\beta$. These
specifications are chosen to ensure that there is almost zero side force and therefore
passenger comfort is maintained (page 233 of Bryson [8]). For longitudinal control,
the settling time when there is no failure should be 20 s for FPA and 45 s for $V_{tas}$.
A linearization has been obtained around an operating condition of 263,000 kg,
92.6 m/s true airspeed, and an altitude of 600 m at 25.6% of maximum thrust and
at a 20° flap position. The result is a 12th order linear model (separated into two
6th order models) associated with the lateral and longitudinal states. For design
purposes, only the first four longitudinal ($x_{long} = [q \; V_{tas} \; \alpha \; \theta]^T$) and lateral states
($x_{lat} = [p \; r \; \beta \; \phi]^T$) have been retained. For lateral control, the 4 individual engine
pressure ratios (EPR) and the 4 individual ailerons have been used. The 10 spoilers¹
have been aggregated to produce two control inputs on each wing (spoilers 1-4, 5,
8 and 9-12 have been grouped respectively). The other input represents rudder
deflection (the upper and lower rudder has been aggregated to produce a single control
signal). For longitudinal control, the 4 elevators have been aggregated to produce
one control input while the 4 EPRs can be controlled independently. The other input
represents horizontal stabilizer deflection. The following state-space system pairs
represent the lateral and longitudinal systems about the trim condition
$$A_{lat} = \begin{bmatrix}
-1.0579 & 0.1718 & -1.6478 & 0.0004 \\
-0.1186 & -0.2066 & 0.2767 & -0.0019 \\
0.1014 & -0.9887 & -0.0999 & 0.1055 \\
1.0000 & 0.0893 & 0 & 0
\end{bmatrix} \tag{8.26}$$
$$B_{lat} = \left[\begin{array}{rrrrrrrrrrrrr}
-0.0832 & 0.0832 & -0.2285 & 0.2285 & -0.2625 & -0.0678 & 0.0678 & 0.2625 & 0.1187 & 0.0246 & 0.0140 & -0.0140 & -0.0246 \\
-0.0154 & 0.0154 & -0.0123 & 0.0123 & -0.0180 & -0.0052 & 0.0052 & 0.0180 & -0.2478 & 0.1269 & 0.0724 & -0.0724 & -0.1269 \\
\hline
0 & 0 & 0 & 0 & 0.0017 & 0.0006 & -0.0006 & -0.0017 & 0.0174 & 0.0005 & 0.0005 & -0.0005 & -0.0005 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{array}\right]
\begin{array}{l} \big\} \, B_{lat,2} \\ \big\} \, B_{lat,1} \end{array} \tag{8.27}$$
and
$$A_{long} = \begin{bmatrix}
-0.5137 & 0.0004 & -0.5831 & 0 \\
0 & -0.0166 & 1.7171 & -9.8046 \\
1.0064 & -0.0021 & -0.6284 & 0 \\
1.0000 & 0 & 0 & 0
\end{bmatrix} \tag{8.28}$$
$$B_{long} = \left[\begin{array}{rrrrrr}
-0.6228 & -1.3578 & 0.0082 & 0.0218 & 0.0218 & 0.0082 \\
0 & -0.1756 & 1.4268 & 1.4268 & 1.4268 & 1.4268 \\
\hline
-0.0352 & -0.0819 & -0.0021 & -0.0021 & -0.0021 & -0.0021 \\
0 & 0 & 0 & 0 & 0 & 0
\end{array}\right]
\begin{array}{l} \big\} \, B_{long,2} \\ \big\} \, B_{long,1} \end{array} \tag{8.29}$$
¹ Spoilers 6 & 7 are ground spoilers and are not used during flight [16].
$$\delta_{lat} = [\delta_{air} \; \delta_{ail} \; \delta_{aor} \; \delta_{aol} \; \delta_{sp1-4} \; \delta_{sp5} \; \delta_{sp8} \; \delta_{sp9-12} \; \delta_r \; e_{1lat} \; e_{2lat} \; e_{3lat} \; e_{4lat}]^T$$
which represent aileron deflection (right & left - inner & outer) (rad), spoiler
deflections (left: 1-4 & 5 & right: 8 & 9-12) (rad), rudder deflection (rad) and lateral
contributions to the engine pressure ratios (EPR). The longitudinal control surfaces are
which represent elevator deflection (rad), horizontal stabilizer deflection (rad), and
longitudinal contributions to EPR. The partition of $B$ in (8.27) and (8.29) shows the
terms $B_1$ and $B_2$ (although a further change of coordinates is necessary to obtain the
form in (8.3) to scale $B_2$ to ensure $B_2 B_2^T = I$).
The controlled output distribution matrices are
$$C_{c_{lat}} = \begin{bmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}, \quad C_{c_{long}} = \begin{bmatrix} 0 & 0 & -1 & 1 \\ 0 & 1 & 0 & 0 \end{bmatrix}$$
which represent the states $\phi$ and $\beta$ for lateral control and flight path angle (FPA)
and $V_{tas}$ for longitudinal control. These linear models will be used to design the
control schemes which will be described in the next sections.
where $C_c \in \mathbb{R}^{l \times n}$ is the distribution matrix associated with the controlled outputs
and the differentiable signal $r(t)$ is assumed to satisfy
with $\Gamma \in \mathbb{R}^{l \times l}$ a stable design matrix and $r_c$ a constant demand vector [14].
Augmenting the states from (8.26)-(8.29) with the integral action states and defining
$x_a(t) = \mathrm{col}(x_r(t), x(t))$ it follows that
where
$$A_a = \begin{bmatrix} 0 & -C_c \\ 0 & A \end{bmatrix} \quad B_a = \begin{bmatrix} 0 \\ B \end{bmatrix} \quad B_r = \begin{bmatrix} I_p \\ 0 \end{bmatrix} \tag{8.33}$$
If $(A, B)$ is controllable and $(A, B, C_c)$ does not have any zeros at the origin then
$(A_a, B_a)$ is controllable [14]. Define a switching function $\sigma_a(t) : \mathbb{R}^{(n+l)} \to \mathbb{R}^l$ to be
This controller is a special case of the one in [14] because the reference dependent
aspect of the sliding surface adopted in [14] has been dropped. From (8.5) and (8.10)
it follows that
$$u(t) = W B_2^T (B_2 W^2 B_2^T)^{-1} \hat{\nu}(t) \tag{8.36}$$
i.e. the control which is sent to the actuators is dependent on the effectiveness gains
$k_i$ (through the diagonal weighting matrix $W$).
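The allocation defined by (8.10) and (8.36), worked through as an added example that is not code from the chapter. It is dependency-free Python; the function names and the virtual demand values are constructed for illustration, and the rows labelled B_lat,2 in (8.27) are used unscaled, i.e. without the further change of coordinates that gives B2 B2^T = I.

```python
"""Added example (not from the chapter): effectiveness-weighted control allocation."""

# Rows labelled B_lat,2 in (8.27), used unscaled (assumption of this sketch).
# Column order follows delta_lat: 4 ailerons, 4 spoiler groups, rudder, 4 EPRs.
B_LAT_2 = [
    [-0.0832, 0.0832, -0.2285, 0.2285, -0.2625, -0.0678, 0.0678,
     0.2625, 0.1187, 0.0246, 0.0140, -0.0140, -0.0246],
    [-0.0154, 0.0154, -0.0123, 0.0123, -0.0180, -0.0052, 0.0052,
     0.0180, -0.2478, 0.1269, 0.0724, -0.0724, -0.1269],
]
RUDDER = 8  # index of delta_r in delta_lat


def weights(k):
    """Diagonal of W = I - K, with 0 <= k_i <= 1 enforced."""
    if any(ki < 0.0 or ki > 1.0 for ki in k):
        raise ValueError("each effectiveness loss k_i must lie in [0, 1]")
    return [1.0 - ki for ki in k]


def weighted_gram(B2, w, power):
    """Return B2 * W**power * B2^T for diagonal W = diag(w)."""
    rows, cols = range(len(B2)), range(len(w))
    return [[sum(B2[i][c] * w[c] ** power * B2[j][c] for c in cols)
             for j in rows] for i in rows]


def solve(G, rhs):
    """Solve G y = rhs by Gaussian elimination with partial pivoting.

    Raises ValueError when G is numerically singular, which is the case
    det(B2 W B2^T) = 0 excluded in Remark 5.
    """
    n = len(G)
    a = [row[:] + [r] for row, r in zip(G, rhs)]
    scale = max(abs(v) for row in G for v in row) or 1.0
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) <= 1e-12 * scale:
            raise ValueError("B2 W B2^T is singular: too few healthy actuators")
        a[col], a[piv] = a[piv], a[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n + 1):
                a[r][c] -= f * a[col][c]
    y = [0.0] * n
    for r in reversed(range(n)):
        y[r] = (a[r][n] - sum(a[r][c] * y[c] for c in range(r + 1, n))) / a[r][r]
    return y


def mat_vec(M, v):
    """Plain matrix-vector product."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def allocate(B2, k, nu):
    """Map a virtual control nu to actuator commands u for fault levels k."""
    w = weights(k)
    g1 = weighted_gram(B2, w, 1)              # B2 W B2^T
    g2 = weighted_gram(B2, w, 2)              # B2 W^2 B2^T
    nu_hat = mat_vec(g2, solve(g1, nu))       # (8.10)
    z = solve(g2, nu_hat)                     # (B2 W^2 B2^T)^-1 nu_hat
    # (8.36): u = W B2^T z, so a failed actuator (w_i = 0) is commanded zero.
    return [w[c] * sum(B2[i][c] * z[i] for i in range(len(B2)))
            for c in range(len(w))]


if __name__ == "__main__":
    nu = [0.1, -0.05]                         # constructed roll/yaw demand
    healthy = allocate(B_LAT_2, [0.0] * 13, nu)
    k = [0.0] * 13
    k[RUDDER] = 1.0                           # total rudder failure
    failed = allocate(B_LAT_2, k, nu)
    print("rudder command:", healthy[RUDDER], "->", failed[RUDDER])
    print("engine 1 command:", healthy[9], "->", failed[9])
    print("achieved demand:", mat_vec(B_LAT_2, failed))
```

With the rudder failed the same virtual demand is still met, and the differential engine commands grow to take over the yaw contribution the rudder no longer provides.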
where $Q$ is a s.p.d matrix and $t_s$ is the time at which the sliding motion
commences (see for example [27, 14]). The matrix $Q$ is used to tune the closed loop
response. The cost function in (8.37) is a special case of the more familiar LQR
cost. In (8.37) the weighting of the control cost penalizing the use of control effort
has been dropped. As such it represents a singular LQR control problem associated
with ‘cheap control’. Consider a coordinate transformation $z(t) = T_a x_a(t)$ so that
the system is in ‘regular form’ [27, 14]. In regular form, the matrix $Q$ and $A_a$ (from
(8.32)) can be written as:
where $Q_{21} = Q_{12}^T$ and $B_2 \in \mathbb{R}^{m \times m}$. After some factorization and algebraic
manipulation, equation (8.37) can be written as
$$J = \frac{1}{2} \int_{t_s}^{\infty} (z_1^T \hat{Q} z_1 + \upsilon^T Q_{22} \upsilon) \, dt \tag{8.39}$$
where
$$\hat{Q} := Q_{11} - Q_{12} Q_{22}^{-1} Q_{21} \tag{8.40}$$
and
$$\upsilon := z_2 + Q_{22}^{-1} Q_{21} z_1. \tag{8.41}$$
The minimization of (8.39) is associated with the dynamical system given by
$$z_2 = -M z_1 \tag{8.45}$$
The manipulations resulting from solving for $z_2$ from equation (8.41) and (8.43)
yield
$$z_2 = -Q_{22}^{-1} (A_{a12}^T P_1 + Q_{21}) z_1 \tag{8.46}$$
and therefore the matrix $M$ is defined as
$$M = Q_{22}^{-1} (A_{a12}^T P_1 + Q_{21}) \tag{8.47}$$
The s.p.d weighting matrix has been chosen as $Q_{lat} = \mathrm{diag}(0.005, 0.1, 6, 6, 1, 1)$.
The first two terms of $Q_{lat}$ are associated with the integral action and are less
heavily weighted. The third and fourth term of $Q_{lat}$ are associated with the equations
of the angular acceleration in roll and yaw (i.e. $B_{lat,2}$ term partition in (8.3)) and
thus weight the virtual control term. Thus by analogy to a more typical LQR
framework, they affect the speed of response of the closed loop system. Here, the third
and fourth terms of $Q_{lat}$ have been heavily weighted compared to the last two terms
to reflect fairly a fast closed loop system response. The poles associated with the
reduced order sliding motion are {−0.0707, −0.3867, −0.3405 ± 0.1481}. The
pre-filter matrix from (8.31) has been designed to be $\Gamma_{lat} = \mathrm{diag}(-0.5, -0.5)$. This may
be viewed as representing the ideal response in the $\phi$ and the $\beta$ channels. In the
simulations the discontinuity in the nonlinear control term in (8.35) has been smoothed
by using a sigmoidal approximation
$$\hat{\nu}_{n\delta} = \frac{\sigma_{lat}}{\|\sigma_{lat}\| + \delta_{lat}}$$
where the scalar $\delta_{lat} = 0.05$ (see for example §3.7 in [14]). This removes the
discontinuity at $\sigma_{lat} = 0$ and introduces a further degree of tuning to accommodate the
actuator rate limits – especially during actuator fault or failure conditions. The gain
$\rho$ from (8.35) has been chosen as $\rho = 1$. In normal operation, the ailerons will be
the primary control surface for $\phi$ tracking, whilst the spoilers introduce redundancy.
Meanwhile for $\beta$ tracking, the rudder will be the primary control surface and
differential engine thrust is the associated redundancy. It will be assumed that at least
one of the control surfaces for both $\phi$ and $\beta$ tracking will be available when a fault
or failure occurs (i.e. one of either the two ailerons or the two spoilers will be
available and one of either the rudder or the two engine thrusts are available). Based on
these assumptions, it can be verified from a numerical search that $\gamma_{0lat}$ from (8.15) is
$\gamma_{0lat} = 8.1314$. Simple calculations from (8.17) show that $\gamma_{1lat} = 0.0145$, therefore
$\gamma_{0lat} \gamma_{1lat} = 0.1180 < 1$ and so the requirements of Proposition 8.2 are satisfied. Also
for this particular choice of sliding surface, $\|\tilde{G}_{lat}(s)\|_\infty < \gamma_{2lat} = 0.0764$ from (8.19).
Therefore from Proposition 8.2,
$$\frac{\gamma_{2lat} \gamma_{0lat}}{1 - \gamma_{1lat} \gamma_{0lat}} = 0.7043 < 1$$
partition in (8.3) (i.e. states $q$ and $V_{tas}$) which weight the virtual control term and has
been heavily weighted compared to the last two terms. The poles associated with the
reduced order sliding motion are {−0.7066, −0.2393 ± 0.1706, −0.0447}. The
pre-filter matrix from (8.31) has been designed to be $\Gamma_{long} = \mathrm{diag}(-0.5, -0.125)$. As
in the lateral control, the discontinuity in the nonlinear control term in (8.35) has
been smoothed by using a sigmoidal approximation where the scalar $\delta_{long} = 0.05$.
The gain $\rho$ from (8.35) has been chosen as $\rho = 1$. In normal operation, the elevators
will be the primary control surface for FPA tracking, whilst the horizontal stabilizer
introduces redundancy. Meanwhile for $V_{tas}$ tracking, the collective thrust will be the
only actuator without any redundancy. It will be assumed that at least one of the
control surfaces for FPA tracking will be available when a fault or failure occurs
(i.e. one of either the elevator or the horizontal stabilizer is available). Since the
collective engine thrust is the only actuator available for $V_{tas}$ tracking, the engines
are assumed to be fault free. Based on these assumptions, it can be verified from a
numerical search that $\gamma_{0long} = 8.2913$ from (8.15). Simple calculations from (8.17)
show that $\gamma_{1long} = 1.9513 \times 10^{-4}$, therefore $\gamma_{0long} \gamma_{1long} = 0.0016 < 1$ and so the
requirements of Proposition 8.2 are satisfied. Also for this particular choice of sliding
surface $\|\tilde{G}_{long}(s)\|_\infty < \gamma_{2long} = 0.0122$ from (8.19). Therefore from Proposition 8.2,
$$\frac{\gamma_{2long} \gamma_{0long}}{1 - \gamma_{1long} \gamma_{0long}} = 0.0931 < 1$$
which shows that the system is stable for all choices of $0 < w_i \le 1$.
Remark 6: In terms of the control laws, no actuator magnitude or rate saturations
are accounted for explicitly, although, in the tests and evaluations which have been
carried out, these effects are present. However, if a rate limit or position limit is
exceeded, a difference between the expected actuator position and the commanded
one occurs, which would be interpreted as a fault. The proposed scheme would then
inherently attempt to reduce the burden in this channel and redistribute the control
effort to other actuators, which would mitigate the effect of the saturation.
Remark 7: Although the controller design and analysis is based on a linear LTI
system, and no specific analysis has been carried out for a wide flight envelope,
SMC has the ability to handle a certain degree of plant–model mismatch caused by
varying operating conditions. It will be shown later that the designed SMC controller
still performs well in a wide flight envelope away from its designed operating point.
proportional gain and the derivative gain were set as $K_{p_{long}} = 0.001$ and $K_{d_{long}} = 0.05$
respectively.
Note that both the lateral and longitudinal controller manipulate the engine EPRs.
For lateral control, differential engine EPR is required as a secondary ‘actuator’ for
β tracking; whilst for longitudinal control, collective EPR is used for Vtas tracking.
In the simulations, ‘control mixing’ was employed, where the signals from both the
lateral controller ($e_{1_{lat}}$, $e_{2_{lat}}$, $e_{3_{lat}}$ and $e_{4_{lat}}$) and longitudinal controller ($e_{1_{long}}$, $e_{2_{long}}$,
$e_{3_{long}}$ and $e_{4_{long}}$) were added together before being applied to each of the engines
(page 14 of Burcham et al.[11]). This is similar to the control strategy used for the
NASA propulsion control aircraft described in Burcham et al.[11]. This is possible
since, during a turn manoeuvre, differential thrust from the two left and the two right
engines is required, but if at the same time an increase (or decrease) in the forward
speed is needed, a collective amount of thrust can be added (or deducted) to both
the left and right engines and so the difference between the thrust on the left wing
and right wing remains the same and does not contradict the turning manoeuvre.
[Figure: controller block diagram. Blocks: LOC & GS logic; outer-loop PID controllers (heading, altitude, LOC & GS); MCP switch and APP switch selecting the roll, FPA, sideslip and Vtas commands; linear component; adaptive unit vector term with adaptation scheme; control allocation; FDI (W = I − K); aircraft model, with states and actuator deflections fed back.]
Fig. 8.4 Straight and level flight with Horizontal stabilizer runaway: states with specifications
[Panels: Vtas (m/s), track angle χ (deg), flightpath angle γ (deg), angle of attack α (deg), sideslip angle β (deg), loading factor nz, roll angle φ (deg); horizontal axis: Time (sec)]
Fig. 8.5 Straight and level flight with Horizontal stabilizer runaway: kinematic accelerations
in body axes
[Panels: axb, ayb, azb (m/s2); horizontal axis: Time (sec)]
automatic landing procedure. The outer loop controller (LOC and GS) is armed by
the pilot by engaging the APP (approach) button on the MCP (see Figure 8.3) when
the aircraft is near the LOC signal coverage. In normal operation, the LOC will
be the first to be engaged (LOC valid) when the aircraft is inside the LOC coverage
(i.e. the DME (Distance Measuring Equipment, see footnote 2) is less than 46.3km, LOC is
within ±10° and the GS is within (-7°,-0.75°)). During the armed phase, the LOC
controller is in standby mode and the aircraft is controlled either by heading or roll
commands from the pilot. When the LOC is engaged (LOC valid), the LOC controller
will provide the inner roll command to the core lateral sliding mode controller
and the whole process becomes an automatic landing mode: no input from the pilot
is needed. The GS is then engaged (GS valid) when the aircraft is inside the GS
coverage (i.e. the DME is less than 18.5km, LOC is within ±8° and the GS is within
(-1.35°,-5.25°)). The GS is in armed phase (after the APP button is engaged), and
the GS controller is in a standby mode with the aircraft controlled using altitude or
via FPA commands from the pilot. When the GS controller is engaged (GS valid),
the GS controller will provide the FPA command to the core longitudinal SMC
controller: again no input from the pilot is needed. If for some reason during the LOC
and GS manoeuvre to the runway the LOC or GS becomes invalid (i.e. if the aircraft
goes outside the LOC and GS coverage), then the LOC and GS controller provide
zero roll and FPA commands respectively. Then, the pilot can disengage the APP
button to retake full control of the aircraft.
Footnote 2: DME is used by aircraft to determine their distance from a land-based transponder which
is typically collocated with VORs or ILS localizer.
Fig. 8.6 Straight and level flight with Horizontal stabilizer runaway
[Panels: ye (East) (m) against xe (North) (m), with start and end marked; Altitude (m) against Distance (m)]
Fig. 8.7 Right turn and localizer intercept with aileron jam: states with specifications
[Panels: LOC deviation λ (deg), Vtas (m/s), roll angle φ (deg), roll rate, pitch rate and yaw rate (deg/s), angle of attack α (deg), sideslip β (deg), loading factor ny; horizontal axis: Time (sec)]
Fig. 8.8 Right turn and localizer intercept with aileron jam: kinematic accelerations in body
axes
[Panels: axb, ayb, azb (m/s2)]
Fig. 8.9 Right turn and localizer intercept with aileron jam: trajectories
[Panels: ye (East) against xe (North), with Start and End marked; Altitude (m) against Distance (m)]
Fig. 8.10 Glide slope intercept with elevator jam: states with specifications
[Panels: GS deviation Γ (deg), Vtas (m/s), angle of attack α (deg), roll rate, pitch rate and yaw rate (deg/s), loading factor nz, LOC deviation λ (deg), FPA γ (deg); horizontal axis: Time (sec)]
Fig. 8.11 Glide slope intercept with elevator jam: kinematic accelerations in body axes
[Panels: axb, ayb, azb (m/s2)]
Fig. 8.12 Glide slope intercept with elevator jam: trajectories
[Panels: (a) horizontal trajectory, ye (East) (m) against xe (North) (m), with start and end marked; (b) vertical trajectory, Altitude (m) against Distance (m)]
Fig. 8.13 Final approach and side step with rudder missing: states with specifications
[Panels: u (m/s), w (m/s), yaw angle ψ (deg), course χ (deg), roll angle φ (deg), transversal vel vr (m/s), roll rate, pitch rate and yaw rate (deg/s), angle of attack α (deg), loading factor nz; horizontal axis: Time (sec)]
$$u_{(i,a)} = w_i u_i + c_i$$
where $u_{(i,a)}$ represents the actual deflection and $u_i$ represents the demanded deflection
i.e. the controller output. The scalars $w_i$ and $c_i$ can be obtained from a least
squares optimization and $W := \mathrm{diag}(w_1, ..., w_m)$. If the ith actuator is working
perfectly, $w_i = 1$ and $c_i = 0$. If $w_i < 1$ then a fault is present. During the simulation, 10
data samples from a ‘moving window’, collected at 100Hz are used to compute the
$w_i$ and $c_i$. Both the lateral and longitudinal controller have their own fault estimation
blocks based on the control surfaces to be controlled.
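The moving-window estimate described above, written out as an added Python example (not the authors' implementation): an ordinary least-squares line fit of actual against demanded deflection over the last 10 samples, holding the previous estimate when the demand is too flat for the fit to be meaningful. The sinusoidal demand, the three actuator behaviours and the variance threshold are constructed assumptions.

```python
import math
from collections import deque

WINDOW = 10          # samples in the moving window (value from the text)
SAMPLE_HZ = 100      # sampling rate in Hz (value from the text)
MIN_VARIANCE = 1e-9  # assumption: below this the demand counts as constant


def fit_effectiveness(demanded, actual):
    """Least-squares fit of actual = w * demanded + c over one window.

    Returns (w, c), or None when the demanded deflection barely moves in the
    window, because w and c cannot then be told apart.
    """
    n = len(demanded)
    mean_u = sum(demanded) / n
    mean_a = sum(actual) / n
    var_u = sum((u - mean_u) ** 2 for u in demanded) / n
    if var_u < MIN_VARIANCE:
        return None
    cov = sum((u - mean_u) * (a - mean_a)
              for u, a in zip(demanded, actual)) / n
    w = cov / var_u
    return w, mean_a - w * mean_u


class EffectivenessEstimator:
    """Moving-window estimator of (w, c) for one actuator."""

    def __init__(self, window=WINDOW):
        self.demanded = deque(maxlen=window)
        self.actual = deque(maxlen=window)
        self.w, self.c = 1.0, 0.0  # start from "working perfectly"

    def update(self, u_demanded, u_actual):
        self.demanded.append(u_demanded)
        self.actual.append(u_actual)
        if len(self.demanded) == self.demanded.maxlen:
            fit = fit_effectiveness(list(self.demanded), list(self.actual))
            if fit is not None:  # otherwise hold the last estimate
                self.w, self.c = fit
        return self.w, self.c


# Constructed actuator behaviours (k: sample index, u: demanded deflection, rad).
def healthy(k, u):
    return u


def half_effective(k, u):
    return 0.5 * u


def jammed_after_1s(k, u):
    return u if k < SAMPLE_HZ else 0.05  # stuck at a 0.05 rad offset


def run_scenario(actuator, n_samples=300):
    """Feed a constructed 0.5 Hz sinusoidal demand through one actuator."""
    est = EffectivenessEstimator()
    for k in range(n_samples):
        u = 0.1 * math.sin(2 * math.pi * 0.5 * k / SAMPLE_HZ)
        est.update(u, actuator(k, u))
    return est.w, est.c


def effectiveness_diagonal(actuators):
    """Diagonal of W = diag(w_1, ..., w_m), one entry per actuator."""
    return [run_scenario(a)[0] for a in actuators]


if __name__ == "__main__":
    for name, act in [("healthy", healthy), ("half effective", half_effective),
                      ("jammed", jammed_after_1s)]:
        w, c = run_scenario(act)
        print(f"{name:15s} w = {w:+.3f}  c = {c:+.3f}")
```

A jam shows up as w near 0 with c equal to the stuck position, while a pure loss of effectiveness leaves c near 0.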
Fig. 8.14 Final approach and side step with rudder missing: kinematic accelerations in body
axes
[Panels: axb, ayb, azb (m/s2)]
Fig. 8.15 Final approach and side step with rudder missing: trajectories
[Panels: (a) horizontal trajectory, ye (East) (m) against xe (North) (m), with start and end marked; (b) vertical trajectory, Altitude (m) against Distance (m)]
Fig. 8.16 Full manoeuvre with missing rudder: states with specifications
[Panels: GS deviation Γ (deg), Vtas (m/s), angle of attack α (deg), roll rate, pitch rate and yaw rate (deg/s), loading factor nz, LOC deviation λ (deg), RC max, FPA γ (deg); horizontal axis: Time (sec)]
Fig. 8.17 Full manoeuvre with missing rudder: kinematic accelerations in body axes
[Panels: axb, ayb, azb (m/s2)]
even during the catastrophic failure. As expected, Figure 6(a) shows no impact of
the stabilizer runaway on the lateral performance with no alteration in the course of
the aircraft. Figure 6(b) shows that there is a small drop in altitude which could be
corrected using the altitude hold setting. (In the current configuration the controller
is set at zero FPA and roll angle demand.)
[Figure: (a) horizontal trajectory, ye (East) (m) against xe (North) (m), with start and end marked; (b) vertical trajectory, Altitude (m) against Distance (m)]
Figures 8.7-8.9 show the results when an aileron jams at a nonzero offset after 10 s.
There is no effect of the aileron offset jam on the performance. At around 50s, the
aircraft performs a right bank before capturing the LOC at about 100s by banking
further to the right and aligning to the centreline of the extended runway (see LOC
deviation). Figure 8.7 shows that all performance requirements are satisfied. Figure 8.8
shows that the end-point performance requirement is also satisfied and the
specific forces stabilize and maintain almost zero kinematic accelerations. Figure
8.9 shows the trajectory of the aircraft. Figure 9(a) clearly shows that the LOC is
intercepted. Figure 9(b) shows that the altitude enters the critical (red) region dur-
ing the two banking manoeuvres but stabilizes into the desired performance during
level flight.
aircraft. This simulation starts at an altitude of 500m with 92.6m/s speed at a 20° flap
setting. During this test, the aircraft descends at 3° FPA to an altitude of 50m above
ground while a 100m right sidestep is applied (see Figure 8.15). In the absence of the
rudder, differential thrust and a banking turn are required to achieve the manoeuvre.
Figure 8.13 shows that most states satisfy the required performance. The transversal
velocity and roll remain zero after the side step. Only the rate of descent (w) enters
the adequate (lightly coloured) performance region due to the absence of rate of
descent control (in this test descent is achieved through FPA control). Figure 8.14
shows small changes in the y and z-axes kinematic forces.
Since the missing rudder has an effect on both lateral and longitudinal control
(due to the loss of directional control and because of the EPR mixing for speed
control), the test is repeated for the overall flight manoeuvre from straight and level
flight until the final approach. The simulation starts at an altitude of 980m, 92.6m/s
speed with a 20° flap setting. The simulation results are presented in Figures 8.16-8.18.
Figure 8.16 shows that the required heading and altitude change is obtained
even without the rudder. The LOC and GS deviation and FPA plots show that the
LOC and GS are intercepted and tracked with high accuracy. All pitch, roll and yaw
rates show steady state is achieved during the last 100s of the simulation. Figure
8.17 shows some changes to the kinematic acceleration especially in the y and z-axis
during the banking turn and the LOC intercept. Figure 8.18 shows the full trajectory
of the aircraft until a near landing condition on the runway. The figure shows that
the runway is reached and near landing is achieved.
8.4 Conclusions
This chapter has described the application of a recently developed on-line sliding
mode control allocation scheme for fault tolerant control to the GARTEUR benchmark
problem. The effectiveness level of the actuators is used by the control allocation
scheme to redistribute the control signals to other functioning actuators when a
fault or failure occurs. This chapter has described the design of the sliding surface
and has determined the nonlinear gain required to maintain sliding. Sufficient
conditions have been given to ensure the closed loop system remains stable for a class
of faults and failures. Very good performance has been achieved on the GARTEUR
benchmark evaluations.
References
1. Alwi, H., Edwards, C.: Fault tolerant control of a civil aircraft using a sliding mode based scheme. In: 44th IEEE Conference on Decision and Control (2005)
2. Alwi, H., Edwards, C.: Robust sensor fault estimation for tolerant control of a civil aircraft using sliding modes. In: Silver Anniversary American Control Conference (2006)
3. Alwi, H., Edwards, C.: Fault tolerant control using sliding modes with on-line control allocation. Automatica 44(7), 1859–1866 (2008)
4. Beck, R.E.: Application of Control Allocation Methods to Linear Systems with Four or More Objectives. PhD thesis, Virginia Polytechnic Institute and State University, Blacksburg, Virginia (2002)
5. Bordignon, K.A., Durham, W.C.: Closed-form solutions to constrained control allocation problem. Journal of Guidance, Control, and Dynamics 18(5), 1000–1007 (1995)
6. Bošković, J.D., Mehra, R.K.: Control allocation in overactuated aircraft under position and rate limiting. In: Proceedings of the American Control Conference, pp. 791–796 (2002)
7. Brière, D., Traverse, P.: Airbus A320/A330/A340 electrical flight controls: A family of fault-tolerant systems. In: Digest of Papers FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing, pp. 616–623 (1993)
8. Bryson, A.E.: Control of spacecraft and aircraft. Princeton University Press, Princeton (1994)
9. Buffington, J., Chandler, P., Pachter, M.: On-line system identification for aircraft with distributed control effectors. International Journal of Robust and Nonlinear Control 9, 1033–1049 (1999)
10. Burcham, F.W., Fullerton, C.G., Maine, T.A.: Manual manipulation of engine throttles for emergency flight control. Technical Report NASA/TM-2004-212045, NASA (2004)
11. Burcham, F.W., Maine, T.A., Kaneshige, J., Bull, J.: Simulator evaluation of simplified propulsion–only emergency flight control system on transport aircraft. Technical Report NASA/TM-1999-206578, NASA (1999)
12. Corradini, M.L., Orlando, G., Parlangeli, G.: A fault tolerant sliding mode controller for accommodating actuator failures. In: 44th IEEE Conference on Decision and Control (2005)
13. Davidson, J.B., Lallman, F.J., Bundick, W.T.: Real-time adaptive control allocation applied to a high performance aircraft. In: 5th SIAM Conference on Control & Its Application (2001)
14. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor & Francis, London (1998)
15. Enns, D.: Control allocation approaches. In: AIAA Guidance, Navigation and Control, pp. 98–108 (1998)
16. Hanke, C., Nordwall, D.: The simulation of a jumbo jet transport aircraft. Modelling data, vol. II. Technical Report CR-114494/D6-30643-VOL2, NASA and The Boeing Company (1970)
17. Härkegård, O.: Backstepping and Control Allocation with Applications to Flight Control. PhD thesis, Division of Automatic Control, Department of Electrical Engineering Linköping University, Sweden (2003)
18. Härkegård, O., Glad, S.T.: Resolving actuator redundancy - optimal control vs. control allocation. Automatica 41, 137–144 (2005)
19. Hess, R.A., Wells, S.R.: Sliding mode control applied to reconfigurable flight control design. Journal of Guidance, Control and Dynamics 26, 452–462 (2003)
20. Jones, C.N.: Reconfigurable flight control: First year report. Technical report, Cambridge University Engineering Department (2005)
21. Jones, C.N., Maciejowski, J.M.: Fault tolerant flight control: An overview. GARTEUR action group 16: Fault tolerant control. draft for deliverable D1.1 (task T1.2). Technical report, Cambridge University Engineering Department (2005)
22. Ryan, E.P., Corless, M.: Ultimate boundedness and asymptotic stability of a class of uncertain dynamical systems via continuous and discontinuous control. IMA Journal of Mathematical Control and Information 1, 223–242 (1984)
23. Shin, D., Moon, G., Kim, Y.: Design of reconfigurable flight control system using adaptive sliding mode control: actuator fault. Proceedings of the Institution of Mechanical Engineers, Part G (Journal of Aerospace Engineering) 219, 321–328 (2005)
24. Shtessel, Y., Buffington, J., Banda, S.: Tailless aircraft flight control using multiple time scale re-configurable sliding modes. IEEE Transactions on Control Systems Technology 10, 288–296 (2002)
25. Tan, C.P., Edwards, C.: Sliding mode observers for robust detection and reconstruction of actuator and sensor faults. International Journal of Robust and Nonlinear Control 13, 443–463 (2003)
26. Utkin, V., Guldner, J., Shi, J.: Sliding Mode Control in Electromechanical Systems. Taylor & Francis, London (1999)
27. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992)
28. Wells, S.R., Hess, R.A.: Multi–input/multi–output sliding mode control for a tailless fighter aircraft. Journal of Guidance, Control and Dynamics 26, 463–473 (2003)
29. Zhang, Y.M., Jiang, J.: Active fault-tolerant control system against partial actuator failures. IEE Proceedings: Control Theory & Applications 149, 95–104 (2002)
Chapter 9
An Adaptive Fault-Tolerant FCS for a Large
Transport Aircraft
Fig. 9.1 The scheme of the final design of the Fault-Tolerant FCS
Adolfo Sollazzo
Italian Aerospace Research Center - CIRA
e-mail: a.sollazzo@cira.it
Gianfranco Morani
Italian Aerospace Research Center - CIRA
e-mail: g.morani@cira.it
Andrea Giovannini
Italian Aerospace Research Center - CIRA
e-mail: a.giovannini@cira.it
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 273–291.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
Fig. 9.2 The scheme of the current design of the Fault-Tolerant FCS
the Fault-Detection and Identification module. The FDI module also gives information
about the aircraft’s general behaviour and efficiency, thus allowing a supervisor
module to manage the FCS in terms of estimated envelope protection, in addition
to the attitude and rate limitations. Finally, an autopilot module, whose mode is
selected by the panel, gives the attitude reference to the robust control law module for
the aircraft state regulation.
The current state of the research in CIRA in the field of fault-tolerant flight
control systems is focused on how to achieve robustness against actuator faults by
means of adaptive control techniques. While this topic and the control allocation are
already well assessed, the FDI techniques represent the next step forward towards
the final design. In this chapter, the core module involving the robust control laws is
described and reported in detail, along with some descriptions of the autopilot module.
The control module is based on the adaptive model-following technique, while
the latter is designed by means of the classical sequential loop closure approach.
The FCS is the main focus of this chapter and is depicted in Fig. 9.2. Its theoretical
background is recalled in the next section.
that makes these methods very attractive, because it allows the designer to focus
on achieving the desired robustness level for the closed loop system. A further feature
of the AMF technique is its strong robustness against parameter uncertainty in
the system model, compared to classical control techniques. Moreover, the model
following strategy lets the designer fix in a clear and simple way the reference dynamics
for the system. This is attractive for the designer who can also schedule
the control laws across the whole flight envelope, even though the design has been
carried out in only one flight condition.
In this section, some details about the AMF control technique [2] are reported.
Consider the linear model of the plant:
$$\begin{aligned} \dot{x} &= Ax + Bu + d \\ y &= Cx \end{aligned} \tag{9.1}$$
where the term d represents the trim data for the state derivatives. The reference
system dynamics are written as:
$$\dot{y}_m = A_m y_m + B_m r \tag{9.2}$$
where $y_m$ is the desired output for the plant, r is the given demand, and $A_m$ and
$B_m$ represent the reference linear system dynamics. The control law structure is the
following:
$$u = C_0 (G_0 x + v + r + K_0 y_m) \tag{9.3}$$
where $G_0$, $C_0$ and v are terms evaluated by the adaptation rules, and $K_0$ is a
feedforward gain matrix evaluated once. It is now possible to calculate the error function
(tracking error) as follows:
$$e = y_m - y \tag{9.4}$$
and it is particularly interesting to evaluate the error dynamics, in terms of the plant
parameters and the reference system dynamics:
$$\dot{e} = A_e e + \Phi \tag{9.6}$$
where $A_e$ is a stable and properly chosen matrix and $\Phi$ represents a bounded forcing
function, it is possible to write the following identities to ensure the tracking
objective ($y_m = y$):
$$\begin{aligned} CA + CB C_0^* G_0^* &= A_e C \\ CB C_0^* &= B_m \\ CB C_0^* v^* &= -Cd \\ CB C_0^* K_0 &= A_m - A_e \end{aligned} \tag{9.7}$$
The identities (9.7) facilitate writing expressions for the optimal terms $G_0^*$, $C_0^*$, $v^*$
and $K_0$ to obtain a perfect model inversion that guarantees the asymptotic stability
of the plant and asymptotic zero error:
$$\begin{aligned} G_0^* &= B_m^{-1} (A_e C - CA) \\ C_0^* &= (CB)^{-1} B_m \\ v^* &= -B_m^{-1} C d \\ K_0 &= B_m^{-1} (A_m - A_e) \end{aligned} \tag{9.8}$$
$$\begin{aligned} \Delta G &= G_0 - G_0^* \\ \Delta\Psi &= C_0^{*-1} - C_0^{-1} \\ \Delta v &= v_0 - v_0^* \end{aligned} \tag{9.9}$$
It is now possible to write expressions for the error dynamics taking into account
parameter variations. After some calculations [2] it can be shown:
$$\dot{e} = A_e e + B_m \Delta G x + B_m \Delta\Psi u + B_m \Delta v \tag{9.10}$$
Now, Lyapunov stability condition for the error system will be investigated.
Consider the Lyapunov candidate function:
$$V = e^T P e + \mathrm{tr}\left\{\frac{\Delta G^T \Delta G}{\gamma_1}\right\} + \mathrm{tr}\left\{\frac{\Delta\Psi^T \Delta\Psi}{\gamma_2}\right\} + \frac{\Delta v^T \Delta v}{\gamma_3} \tag{9.11}$$
where $\gamma_i$ with i = 1, . . . , 3 are three positive scalars and P is the symmetric and
positive definite matrix solution of the Lyapunov equation:
$$\dot{V} = -e^T P e \le 0 \tag{9.15}$$
$x = v_{TAS}, \alpha, \phi, \theta$
$y = \phi, \theta$
$u = p_{dem}, q_{dem}, r_{dem}$
$r = \phi_{dem}, \theta_{dem}$
where the control variable, u, is left generically as the ailerons, the elevator and
the rudder commands. The design parameters of both the inner and the outer loops
consist of a few matrices. First of all, the dynamics of the reference model are expressed
in terms of the two matrices $A_m$ and $B_m$ with the limitation that the former
must be chosen with negative eigenvalues and the latter invertible. The desired error
dynamics are chosen by means of $A_e$. The tuning of this matrix allows the modification
of the system performance, in conjunction with the reference model parameters,
but it also affects the capability of rejecting noise and disturbances, so it has meaning
in terms of the real control system bandwidth. The matrix Q, used in the calculation
of the Lyapunov matrix P (see equation 9.12), can be interpreted as a weighting
matrix. The tuning of this matrix makes it possible to trade off the tracking requirement,
in terms of adaptability, of one or more output variables with respect to the
others. Finally, the three parameters $\gamma_1$, $\gamma_2$ and $\gamma_3$ are used to change the adaptive
capability: the higher the values of these parameters, the faster the adaptability. These
parameters have been designed by means of a trial and error analysis.
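The gain expressions (9.8) and the roles of Am, Bm and Ae described above can be checked numerically. The following is an added Python example, not the authors' code: the 3-state, 2-input plant and every matrix value are constructed assumptions, and CB is assumed square and invertible. It computes the gains of (9.8), confirms that the tracking error then decays according to Ae, and finally halves the effectiveness of one input (modelled here, as an assumption, as a gain on that input) with the gains frozen, which leaves the kind of residual error that the Δ terms of (9.10) describe.

```python
# Constructed plant (assumption, not the benchmark aircraft model):
# 3 states, 2 inputs, 2 outputs, in the form of (9.1).
A = [[-0.5, 1.0, 0.0], [0.0, -1.0, 0.5], [0.2, 0.0, -0.8]]
B = [[1.0, 0.0], [0.0, 2.0], [0.5, 0.5]]
C = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]]
D = [0.1, -0.2, 0.0]               # trim term d
AM = [[-1.0, 0.0], [0.0, -1.5]]    # reference model A_m: negative eigenvalues
BM = [[1.0, 0.0], [0.0, 1.5]]      # reference model B_m: invertible
AE = [[-2.0, 0.0], [0.0, -3.0]]    # desired error dynamics A_e
R = [1.0, 0.5]                     # constant demand r
X0, YM0 = [0.0, 0.0, 0.0], [0.5, -0.2]  # initial plant state and reference output


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def matvec(X, v):
    return [sum(a * b for a, b in zip(row, v)) for row in X]


def matsub(X, Y):
    return [[a - b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def vadd(*vectors):
    return [sum(parts) for parts in zip(*vectors)]


def inv2(M):
    (a, b), (c, d) = M
    det = a * d - b * c
    if abs(det) < 1e-12:
        raise ValueError("matrix is singular")
    return [[d / det, -b / det], [-c / det, a / det]]


def amf_gains(A, B, C, d, Am, Bm, Ae):
    """Ideal gains of (9.8); requires CB and B_m to be 2x2 and invertible."""
    Bm_inv = inv2(Bm)
    G0 = matmul(Bm_inv, matsub(matmul(Ae, C), matmul(C, A)))
    C0 = matmul(inv2(matmul(C, B)), Bm)
    v = [-x for x in matvec(Bm_inv, matvec(C, d))]
    K0 = matmul(Bm_inv, matsub(Am, Ae))
    return G0, C0, v, K0


def simulate(effectiveness=(1.0, 1.0), t_end=10.0, dt=0.001):
    """Euler simulation of plant (9.1), reference model (9.2) and law (9.3).

    effectiveness scales each control input (1.0 = healthy); the gains stay
    at their nominal values, i.e. no adaptation takes place.
    Returns the tracking error e = ym - y at t_end.
    """
    G0, C0, v, K0 = amf_gains(A, B, C, D, AM, BM, AE)
    x, ym = list(X0), list(YM0)
    for _ in range(round(t_end / dt)):
        u = matvec(C0, vadd(matvec(G0, x), v, R, matvec(K0, ym)))
        u_applied = [w * ui for w, ui in zip(effectiveness, u)]
        x_dot = vadd(matvec(A, x), matvec(B, u_applied), D)
        ym_dot = vadd(matvec(AM, ym), matvec(BM, R))
        x = [xi + dt * xd for xi, xd in zip(x, x_dot)]
        ym = [yi + dt * yd for yi, yd in zip(ym, ym_dot)]
    return [m - y for m, y in zip(ym, matvec(C, x))]


if __name__ == "__main__":
    print("nominal, t = 1 s :", simulate(t_end=1.0))
    print("nominal, t = 10 s:", simulate(t_end=10.0))
    print("input 1 at 50 %  :", simulate(effectiveness=(0.5, 1.0)))
```

With nominal gains the error after 1 s is close to (0.5 e^-2, -0.2 e^-3), as the chosen Ae predicts; with input 1 at half effectiveness the first output settles with a steady error of about -0.04 while the second is unaffected.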
control variables and, in the case of failures, of the current actuator condition. In the
FCS here described, the only way to avoid this kind of problem has been to reduce
the performance as far as possible without going below an acceptable level.
A harder problem is the stall condition. It is always necessary to include a proper
envelope protection system. For instance, as is typically done in classical control, it
would be possible to consider a module to override the control laws when the flight
condition approaches stall. In the case of an FTC technique, in the case of structural
damage, this is a very critical topic due to the higher complexity level of such a FCS
and the interactions between the control laws and the envelope protection module.
Moreover, in the case of heavy structural damage (as in the case of the Bijlmermeer
accident [6]) the stall angle may change significantly (from 15 to 8.5 degrees), so,
while designing the envelope protection strategy, it is necessary to avoid destructive
interactions between the control laws and the stall prevention system. Thus, two
opposite philosophies are possible: one could try to identify the new value of the
stall angle by means of a proper FDI technique and to use it as a new threshold. The
latter would adopt a safety rule by considering blindly a reduction in the supposed
stall angle of a certain percentage of the nominal one. This technique was taken
into account in order to retain one of the main features of the FCS, that is to say,
the absence of an FDI subsystem. On the other hand, this represents a drawback
due to the performance reduction caused in all cases that do not involve a stall
angle variation with respect to the nominal one. In practice, this assertion relates
to all the benchmark cases except for the EL AL 1862 test scenario. This results
from the weakness of a strategy that tries to recover stability in the case of severe
structural damage without having knowledge of what has actually happened. In the
FCS, described here, the stall prevention module involves two actions. The first
concerns the attitude angles (φ , θ ), whose references are both limited by means of a
couple of variable thresholds that depend on the current value of the angle of attack.
The second action refers to the attitude rates (p, q, r), whose references are modified
to counteract the stall condition when a stall condition is approached.
Longitudinal              Lateral
Altitude Hold/Select      Heading Hold/Select
Glideslope Intercept      Localizer Intercept
Approach Lon              Approach Lat

variable          description
$\delta_{aiL}$    the left inboard aileron command
$\delta_{aiR}$    the right inboard aileron command
$\delta_{aoL}$    the left outboard aileron command
$\delta_{aoR}$    the right outboard aileron command
$\delta_{sp}$     the spoilers command
$\delta_{spb}$    the speedbrakes command
$\delta_{ei}$     the inboard elevators command
$\delta_{eo}$     the outboard elevators command
$\delta_{ru}$     the upper rudder command
$\delta_{rl}$     the lower rudder command
$i_h$             the horizontal stabilizer command
$\Delta_{th}$     the differential throttle command
control variables is reported in Table 9.2. It is worth adding that the A/P module
provides the demand for the attitude angles, φ and θ , and the mean value of the
throttle command to the engines.
The benchmark environment includes a detailed model of the vehicle, and is able
to reproduce the actual behaviour even in faulty conditions. Figures 9.5 and 9.6
report the considered surface failure scenarios and the EL AL 1862 flight failure
condition [6], [7]. The FCS has been tested in the face of each failure condition,
while performing all the available manoeuvres (see chapter 6 for details). These
manoeuvres represent the four phases of an emergency landing manoeuvre after a
failure occurs during the initial climb phase. These manoeuvres are: straight flight,
a right turn and localizer beam intercept, glideslope beam intercept and the final
approach. All the tests have been carried out in turbulence and windy (uwind = 11
m/s, vwind = 12 m/s, wwind = 0 m/s) conditions.
The results of the numerical tests are reported in terms of time histories of the
main quantities with respect to the fixed manoeuvre along with their desired and
acceptable limits (see chapter 7 for details). Even though all the combinations of
faulty conditions and manoeuvres have been explored, it is not practical to report all
the figures here. Only the most meaningful results are reported here and, at the end
of the section, a table with a summary of the test results is added to give an overview
of the fault-tolerance achieved thanks to the proposed FCS.
One of the worst failure cases is the rudder runaway. In this situation, the rudder
generates a strong yawing moment that reduces the directional manoeuvrability.
This problem is particularly evident in the case of the right turn manoeuvre (see
Fig.9.7), when it is necessary to generate a yawing moment opposite to the disturbing
one to perform the turn. The performance is not really good, but stability is
maintained.
The loss of the vertical fin seems not to be a critical failure (see Fig.9.8). The
adaptive FCS is able to handle this condition without any problem, and the performance
is also acceptable. The stuck elevator failure also does not represent a critical
condition in any of the considered manoeuvres, thanks to the stabilizer being used as
an alternative control surface. As an example the glideslope intercept manoeuvre is
considered, and it is evident the control laws manage the failure with no difficulties
(see Fig.9.9).
Fig. 9.7 Right turn and Localizer intercept with rudder runaway
[Panels: vTAS [m/s], φ [deg], p, q and r [deg/s], α [deg], β [deg], nz, RCmax [m/s], ny]
Fig. 9.8 Right turn and Localizer intercept with loss of vertical tail
[Panels: vTAS [m/s], φ [deg], p, q and r [deg/s], α [deg], β [deg], nz, RCmax [m/s], ny]
[Figure: panels vTAS [m/s], Γ [deg], α [deg], p, q and r [deg/s], nZ [g], λ [deg], RCmax [m/s], γ [deg]]
However, the stabilizer runaway is a quite important failure. During the glides-
lope intercept, it is evident (see Fig.9.10) that the pitch down disturbing moment,
generated by the failed stabilizer, makes the aircraft dive quickly. The control laws
”work hard” to react and to reach the proper altitude to follow the beam. Here, the
absence of an FDI subsystem is evidently a drawback. The control laws suppose all
the surfaces are available and the control effort is distributed on this basis. If FDI
information is available, starting from the knowledge of the failure, all the control
effort would have been moved onto the elevators.
In Fig.9.11 the whole manoeuvre is performed in the case of rudder runaway. As
discussed earlier the right turn is the critical phase, but in this case the failure occurs
during the early straight flight, so the aircraft has time to acquire a proper attitude to
approach the turn and the successive phases of the manoeuvre.
The EL AL 1862 failure scenario is surely the most difficult condition (see Fig. 9.12). This
failure is particularly critical not only due to the reduced number of control effectors
available, but also due to the structural damage on the right wing, which causes strong and
abrupt variations in the inertial and aerodynamic parameters, such as the stall angle. This
important parameter is significantly reduced as a result of the damage. As the right turn
phase starts, the angle of attack increases quickly, approaching the new stall value; thus a
persistent, slightly damped oscillation arises, which only fades out when the right turn is
almost accomplished.
[Figure, caption missing: time histories of vTAS [m/s], Γ [deg], p [deg/s], α [deg], q [deg/s],
r [deg/s], λ [deg], nZ [g], RCmax [m/s] and γ [deg]]
[Figure, caption missing: States p [deg/s], φ [deg], q [deg/s], θ [deg], r [deg/s], ψ [deg],
vTAS [m/s], h [m], α [deg], x [m], β [deg] and y [m] versus time [s]]
Fig. 9.12 Entire emergency manoeuvre in the case of flight EL AL 1862 failure scenario
(States p [deg/s], φ [deg], q [deg/s], θ [deg], r [deg/s], ψ [deg], vTAS [m/s], h [m], α [deg],
x [m], β [deg] and y [m])
The following table gives a summary of the test results. First of all, it is necessary to
define a classification that gives an idea of the overall effectiveness of the FCS in
achieving stable flight and, if possible, good quality of performance. A four-level scale is
used as follows:
• Not critical (). The failure condition is not critical in terms of either stability or the
performance achieved;
• Negligibly critical (). The failure does not compromise stability, but performance is
slightly degraded;
• Critical (). The failure results in a strong reduction in performance, even though
stability can be maintained;
• Dramatically critical (•). The failure causes instability.
It is evident that stuck elevators, stuck ailerons and the loss of the vertical tail are
easily manageable failure conditions. However, stabilizer runaway and, even more
dramatically, rudder runaway are critical failure conditions. Finally, the EL AL 1862
failure case is quite manageable by means of the adaptive FCS, even though it is not
always possible to achieve acceptable performance.
Fig. 9.13 Rudder runaway failure case, improvements achievable thanks to control
allocation: trajectory
Fig. 9.14 Rudder runaway failure case, improvements achievable thanks to control allocation:
time histories
((a) ψ [deg], φ [deg], p [deg/s], r [deg/s], y [m]; (b) Upper Rudder [deg], Inner Ailerons [deg],
Outer Ailerons [deg], Throttles [pu] (eng 1,2 − eng 3,4); legend: AMF, AMF+CA)
following, one is the rudder runaway while performing the right turn manoeuvre.
Figure 9.13 shows the achievable trajectory both with and without the Control
Allocation module. Moreover, in Fig. 9.14 the time histories of some state variables
are reported. The black dashed lines represent the results obtained with the control
allocation, while the blue solid lines represent the 'adaptive only' technique. It is
evident how the control allocation module gives smoother manoeuvres. The second
condition chosen is the horizontal stabilizer failure, while flying straight and with
level wings. The results are reported in Fig. 9.15, using the same line styles as
before. The improvements achieved are evident.
Fig. 9.15 Stabilizer runaway failure case, improvements achievable thanks to control
allocation
((a) VTAS [m/s], α [deg], q [deg/s], θ [deg], altitude [m]; (b) Stabilizer [deg],
Inner Elevators [deg], Outer Elevators [deg] versus time [s]; legend: AMF, AMF+CA)
9.5 Conclusions
The numerical tests demonstrate that the adaptive model-following technique can be applied
successfully to recover from the surface failures in the presence of sufficient remaining
control efficiency. In the face of structural damage (the El Al 1862 case), the control laws
adopted are again efficient as long as their applicability hypotheses remain valid, that is
to say controllability, observability and the absence of unmodelled dynamics. In fact, the
main weak point of the FCS, as has been shown by the numerical tests, is its poor ability to
recover steady flight when the envelope limits are exceeded. In this condition the aircraft
behaviour changes abruptly, thus representing a critical situation for the adaptive control
and a real threat to stability. This condition is particularly critical in the case of
structural damage, when the envelope limits may change significantly. A proper solution
should be adopted to achieve more efficient envelope protection, so preserving the validity
of the hypotheses necessary for the applicability of the adaptive control technique.
Concerning the performance achieved in faulty conditions, it is fair to say that it is
slightly degraded compared with that of the nominal conditions. In detail, in the case of
surface damage, the performance loss is not so evident, but in the case of structural
damage, the behaviour of the aircraft is significantly different from the nominal case.
Furthermore, the aircraft dynamics are also made worse by the flight conditions, which are
really close to the stall limit. It is worthwhile remarking that, in the case of stuck
surfaces, the damaged ones are considered locked at a nearly neutral position. In these
conditions, the disturbing moment which is generated is almost negligible, thus the unfailed
surfaces are efficient enough to provide the manoeuvrability necessary for attitude control.
This is the reason that these failure conditions are quite simple to recover from.
In the case of surfaces locked out of their neutral position (e.g. see the stabilizer and
rudder runaway), the adaptive model-following control laws may not be sufficient to recover
stable flight and they need the help of a specific technique such as control allocation,
along with a broader set of information about the current state of the actuators (hence the
need for an FDI subsystem).
The adaptive model-following scheme represents an attractive starting point to build up a
fault-tolerant FCS. That is to say, it can be used successfully as the core control law, but
it should be integrated with several other modules, such as a control allocation system (to
efficiently and quickly redistribute the control effort), an FDI subsystem (for providing
information to the control allocation system and to give information about the new flight
envelope limits) and a means to ensure a consolidated set of feedback signals. A further
optional module could be a proper supervisor able to reconfigure the trajectories starting
from knowledge of the current flight envelope limits (e.g. right turn not safe but left turn
possible) and the availability of the control devices.
References
1. Patton, R.J.: Fault-Tolerant Control Systems: The 1997 Situation. In: Proc. of the IFAC
Symposium on Fault Detection, Supervision and Safety for Technical Processes, vol. 2
(1997)
2. Kim, K.S., Lee, K.J., Kim, Y.: Reconfigurable Flight Control System Design Using Di-
rect Adaptive Method. Journal of Guidance, Control, and Dynamics 26(4) (2003)
3. Tandale, M., Valasek, J.: Structured Adaptive Model Inversion Control to Simultane-
ously Handle Actuator failure and Actuator Saturation. In: Proc. of the AIAA Guidance,
Navigation and Control Conf. (2003)
4. Bodson, M., Groszkiewicz, J.E.: Multivariable Adaptive Algorithms for Reconfigurable
Flight Control. IEEE Transactions on Control Systems Technology 5(2) (1997)
5. Boskovic, J.D., Mehra, R.K.: Multiple-Model Adaptive Flight Control Scheme for Ac-
commodation of Actuator Failures. Journal of Guidance, Control, and Dynamics 25(4)
(2002)
6. Smaili, M.H.: Flight Data Reconstruction and Simulation of the 1992 Amsterdam Bi-
jlmermeer Airplane Accident. In: AIAA Modeling and Simulation Technologies Conf.
(2000)
7. Smaili, M.H., Breeman, J., Lombaerts, T.J., Joosten, D.A.: A Simulation Benchmark for
Integrated Fault Tolerant Flight Control Evaluation. In: AIAA Modeling and Simulation
Technologies Conf. (2006)
8. Durham, W.C.: Constrained Control Allocation. AIAA Journal of Guidance, Control,
and Dynamics 16(4) (2002)
9. Bodson, M.: Evaluation of Optimization Methods for Control Allocation. AIAA Journal
of Guidance, Control, and Dynamics 25(4) (2002)
10. Harkegard, O.: Efficient Active Set Algorithms for Solving Constrained Least squares
Problems in Aircraft Control Allocation. In: Proc. of the 41st IEEE Conf. on Decision
and Control (2002)
11. Virnig, J., Bodden, D.: Multivariable Control Allocation and Control Law Conditioning
when Control Effector Limit. In: Proc. of the AIAA Guidance, Navigation and Control
Conf. (2000)
12. Enns, D.: Control Allocation Approaches. In: Proc. of the AIAA Guidance, Navigation
and Control Conf. (1998)
13. Buffington, J., Chandler, P.: Integration of on-line system identification and optimization-
based control allocation. In: AIAA Guidance, Navigation, and Control Conf. (1998)
14. van Keulen, R.: Real-time Simulation and Analysis of the Automatic Control System of
the Boeing 747/200. MA Thesis, Technical University of Delft (1991)
Chapter 10
Subspace Predictive Control Applied to
Fault-Tolerant Control
10.1 Introduction
Subspace identification is a technique that can be used for identification of state-
space models from input-output data. This technique has drawn considerable in-
terest in the last two decades [1, 2], especially for linear time-invariant systems. A
reason for this is the efficient way in which models are identified for systems of high
order and with multiple inputs and outputs. Subspace identification can be used to
form a subspace predictor for prediction of future outputs from past input-output
data and a future input-sequence. This subspace predictor can be computed without
realization of the actual state-space models, which significantly reduces computa-
tional requirements. In [3] the subspace predictor has been combined with model
predictive control [4], resulting in a control algorithm that has been given the name
subspace predictive control (SPC). In SPC, the output predicted by the subspace
predictor is part of the cost function of the predictive controller. As a result of the
subspace predictor being generated completely from input-output data, the SPC al-
gorithm is a data-driven one.
In this chapter, which is partly based on [5], extensions are made to the SPC algorithm
that include the derivation of the subspace predictor in a stochastic closed-loop setting
and the recursive update of this predictor. In previous papers in which SPC has been used
[3, 6, 7], the subspace predictor has been derived using open-loop subspace identification
techniques. However, when the SPC algorithm is active, the data gathered to update the
predictor inherently is closed-loop data. It has been proven that using closed-loop data
from a stochastic system for subspace identification results in a biased predictor [8].
Therefore, a number of different methods have appeared in literature to deal with this
issue [8, 9, 10]. Most of these methods require explicit knowledge of the controller or are
based on (overly) stringent assumptions that limit their applicability. Recently, a
practically applicable closed-loop subspace identification method that does not require
explicit knowledge of the controller has been developed in [11]. Based on this method a
subspace predictor under closed-loop conditions can be derived [12], which is also used in
this chapter.
Redouane Hallouzi
ReliaCon, Rotterdamseweg 145, 2628AL Delft, The Netherlands
e-mail: hallouzi@reliacon.nl
Michel Verhaegen
Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2,
2628CD Delft, The Netherlands
e-mail: m.verhaegen@moesp.org
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 293–317.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
Another novel feature of the SPC algorithm presented in this chapter is the way
in which the subspace predictor is updated in a recursive manner. This updating
scheme differs from others that are based on the “receding horizon” principle, such
as, for example, the scheme proposed in [6]. In the “receding horizon” updating
scheme the predictor is based on input-output data from a fixed time window lag-
ging behind the current time sample. In the recursive updating scheme new data is
appended to the old data, which is discounted with an exponential forgetting fac-
tor. This scheme has the advantage that it can be implemented in a computationally
efficient manner by using Givens rotations [13].
The implementation of SPC as an adaptive controller makes it very suitable for
fault-tolerant control (FTC) of aircraft. Most FTC systems deal with faults by using
pre-designed or parameter dependent controllers depending on the type of fault that
has occurred [14]. These systems require that the faults either be known in advance
or be modelled by a variation of specific parameters [15, 16, 17]. In this way control
designs can be made for each anticipated fault. Besides the fact that this approach
can be very involved, unanticipated faults or faults that cannot be modelled by pa-
rameter changes such as severe structural damage can occur. An advantage of SPC
is that it can adapt on-line to this type of fault. This property is the result of the
subspace predictor that is continuously updated using new input-output data. The
main contribution of this chapter is to display the usefulness of SPC for realistic
FTC problems. The developed SPC-based FTC system is applied to the benchmark
model. Simulations are performed with this model, in which the objective is to fly a
pre-defined flight trajectory even after the occurrence of a number of critical faults.
The considered fault conditions are stuck control surfaces and the fault condition
of the aircraft during the disaster with EL AL flight 1862, that crashed into an
apartment building in Amsterdam in 1992. This disaster is also referred to as the
“Bijlmerramp”.
Most aircraft flying today have control laws that are designed using classical
single-loop control methods. These methods are preferable over multivariable con-
trol methods from a clearance point of view [18]. However, single-loop control
methods are likely to display a degraded performance in case of faults that cause
cross-couplings between flight modes. These cross-couplings are the result of loss
of symmetry of the aircraft after faults. Multivariable control methods can cope bet-
ter with these cross-couplings because they simultaneously achieve several control
objectives. Multivariable control methods are therefore to be preferred over single-
loop control methods from an FTC point of view [19, 20]. This is one of the reasons
that research into multivariable flight control recently has attracted considerable
interest. From this perspective the FTC application of SPC, which is also a mul-
tivariable control method, is well motivated.
This chapter is organized as follows. First, the architecture of the FTC system is
explained in Section 10.2. Subsequently, the closed-loop SPC algorithm is described in
Section 10.3. In Section 10.4 the mechanism that (re-)configures the SPC-based FTC system
is explained. The simulation results of this system applied to the benchmark are given in
Section 10.5. Section 10.6 explains how the proposed FTC is implemented in a real-time
simulation environment. Finally, concluding remarks are provided in Section 10.7.
$$\theta_{ref} = P_\theta\,(h - h_{ref}) + I_\theta \int_0^t (h - h_{ref})\,dt + D_\theta\,\frac{d(h - h_{ref})}{dt}, \qquad (10.1)$$
where Pθ , Iθ , and Dθ are design parameters that determine the behaviour of the outer
loop. The desired heading angle ψref is tracked by issuing a roll angle command to
the inner loop. This command is generated as follows
$$\phi_{ref} = P_\phi\,(\psi - \psi_{ref}) + I_\phi \int_0^t (\psi - \psi_{ref})\,dt + D_\phi\,\frac{d(\psi - \psi_{ref})}{dt}, \qquad (10.2)$$
where Pφ , Iφ , and Dφ are the design parameters. An anti-windup scheme is im-
plemented for both (10.1) and (10.2) to prevent the integrators from continuing to
integrate in case of saturated control signals. The command for true airspeed is gen-
erated in the outer loop by directly issuing the true airspeed command to the inner
loop. The inner loop is implemented using SPC, which is explained in detail in
Section 10.3.
system is in its fault-free operation mode, the model corresponding to the nominal
case has maximum activation, which corresponds to a model weight of one, and all
other models in the model set have a model weight of zero (minimum activation). In
case of a fault, one or more of the local models corresponding to faults have model
weights greater than zero.
The model set used for fault isolation is derived using the convex model structure
presented in [24] and the model set design method presented in [25]. Since the local
models in this model set are valid in a limited region around the operating point
at which they have been derived, they are used accordingly. This means that fault
isolation is performed only near this operating point in the simulations.
The model considered for deriving the subspace predictor is a state-space model in
innovation form
where p denotes the “past” time horizon, the subscript [k − p, k) denotes the range of
the time indices of the first column of Z[k−p,k) , and j denotes the number of columns
that is used to create the data matrix Z[k−p,k) . Usually it holds that j p. Let f
denote the “future” time horizon, then the following matrix relation can be derived
[11, 12]
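$$
\begin{aligned}
\begin{bmatrix} Y_k \\ Y_{k+1} \\ \vdots \\ Y_{k+f-1} \end{bmatrix}
={}&
\begin{bmatrix}
0 & 0 & \cdots & 0 \\
C[B\ K] & 0 & \cdots & 0 \\
\vdots & \ddots & \ddots & \vdots \\
C\Phi^{f-2}[B\ K] & \cdots & C[B\ K] & 0
\end{bmatrix} Z_{[k,k+f)}
+
\begin{bmatrix} E_k \\ E_{k+1} \\ \vdots \\ E_{k+f-1} \end{bmatrix} \\
&+
\begin{bmatrix}
C\Phi^{s-1}[B\ K] & C\Phi^{s-2}[B\ K] & \cdots & \cdots & \cdots & C[B\ K] \\
0 & C\Phi^{s-1}[B\ K] & \cdots & \cdots & \cdots & C\Phi[B\ K] \\
\vdots & \ddots & \ddots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & C\Phi^{s-1}[B\ K] & \cdots & C\Phi^{f-1}[B\ K]
\end{bmatrix} Z_{[k-p,k)}, \qquad (10.8)
\end{aligned}
$$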
where Ek+i and Yk+i , ∀i ∈ {0, 1, . . . , f − 1}, are defined in a similar manner as Yk in
(10.6). Note that an important property of (10.8) is that the first block row does not
depend on “future” inputs, i.e. uk , ∀i ∈ {0, 1, . . . , f − 1}. It is this property that allows
for an unbiased estimate of the system matrices. In order to estimate the predictor,
it suffices to only consider the first block row, which can be written in the compact
form
Yk = Ξ0 Z[k−p,k) + Ek . (10.9)
Let t denote the current time instant, then based on the estimate Ξ̂0 , a subspace
predictor of the following form can be derived
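$$
\begin{bmatrix} \hat{y}_{t+1} \\ \hat{y}_{t+2} \\ \vdots \\ \hat{y}_{t+f-1} \end{bmatrix}
=
\underbrace{\begin{bmatrix} \Gamma_1 \\ \Gamma_2 \\ \vdots \\ \Gamma_{f-1} \end{bmatrix}}_{\Gamma_r}
\underbrace{\begin{bmatrix} u_{t-p} \\ y_{t-p} \\ \vdots \\ u_{t-1} \\ y_{t-1} \end{bmatrix}}_{w_p}
+
\underbrace{\begin{bmatrix}
\Lambda_1 & 0 & \cdots & 0 \\
\Lambda_2 & \Lambda_1 & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
\Lambda_{f-1} & \Lambda_{f-2} & \cdots & \Lambda_1
\end{bmatrix}}_{\Lambda_r}
\begin{bmatrix} u_t \\ u_{t+1} \\ \vdots \\ u_{t+f-2} \end{bmatrix}, \qquad (10.13)
$$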
where Γr and Λr are the desired subspace predictor matrices and the parameters Γi
and Λi can be constructed from Ξ̂0 as
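$$\Gamma_i = \hat{\Xi}_i + \sum_{j=0}^{i-1} \hat{C}\hat{\Phi}^{\,i-j-1}\hat{K}\,\Gamma_j, \qquad (10.14)$$
$$\Lambda_i = \hat{C}\hat{\Phi}^{\,i-1}\hat{B} + \sum_{j=1}^{i-1} \hat{C}\hat{\Phi}^{\,i-j-1}\hat{K}\,\Lambda_j, \qquad (10.15)$$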
with Γ0 = Ξ̂0 and Λ1 = ĈB̂. The parameters Ξ̂i , ∀i ∈ {1, . . . , f − 1} can be con-
structed from Ξ̂0 by using the relation
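$$
\begin{bmatrix}
\hat{C}\hat{\Phi}^{s-1}[\hat{B}\ \hat{K}] & \hat{C}\hat{\Phi}^{s-2}[\hat{B}\ \hat{K}] & \cdots & \cdots & \cdots & \hat{C}[\hat{B}\ \hat{K}] \\
0 & \hat{C}\hat{\Phi}^{s-1}[\hat{B}\ \hat{K}] & \cdots & \cdots & \cdots & \hat{C}\hat{\Phi}[\hat{B}\ \hat{K}] \\
\vdots & \ddots & \ddots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & \hat{C}\hat{\Phi}^{s-1}[\hat{B}\ \hat{K}] & \cdots & \hat{C}\hat{\Phi}^{f-1}[\hat{B}\ \hat{K}]
\end{bmatrix}
=
\begin{bmatrix} \hat{\Xi}_0 \\ \hat{\Xi}_1 \\ \vdots \\ \hat{\Xi}_{f-1} \end{bmatrix}, \qquad (10.16)
$$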
where the matrix on the left-hand side of (10.16) is an estimate of the corresponding
matrix from (10.8).
where Ω denotes the sequence of orthogonal transformations and R11 (t) (which is
lower triangular) and R21 (t) are the matrices from which an updated Ξ̂0 can be com-
puted according to (10.12). A more detailed explanation of how Ω can be computed
is given in [25]. Note that R33 is not considered in the updating process because it
does not influence the computation of R11 (t) and R21 (t). Also, in (10.17) a forget-
ting factor λ ∈ [0, 1] is implemented to discount old data. The smaller the value of
λ that is chosen, the more old data is discounted.
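The recursive update described above, as an added Python example (not code from the chapter): a new data column is appended to the discounted R factor and rotated away with Givens rotations, and the predictor is then read from the R11 and R21 blocks. The two-block factor, the relation Ξ̂0 = R21 R11⁻¹ used here in place of the chapter's (10.12), the √λ weighting, the matrices XI_NOMINAL and XI_FAULT and all function names are assumptions, and the data are constructed.

```python
import math
import random


def givens_lq_update(R, d, lam):
    """One recursive step: return lower-triangular R_new such that
    R_new R_new^T = lam * R R^T + d d^T  (lam is the forgetting factor)."""
    n = len(R)
    s = math.sqrt(lam)
    # Append the new data column to the discounted old factor: [sqrt(lam) R | d].
    A = [[s * R[i][j] for j in range(n)] + [d[i]] for i in range(n)]
    for j in range(n):
        a, b = A[j][j], A[j][n]
        r = math.hypot(a, b)
        if r == 0.0:
            continue
        c, sn = a / r, b / r
        # Givens rotation of columns j and n that zeroes entry (j, n).
        for i in range(j, n):
            x, y = A[i][j], A[i][n]
            A[i][j] = c * x + sn * y
            A[i][n] = c * y - sn * x
    return [row[:n] for row in A]


def predictor_from_R(R, nz):
    """Solve Xi * R11 = R21 for Xi by back substitution (R11 is lower triangular)."""
    xi = []
    for row in range(nz, len(R)):
        x = [0.0] * nz
        for j in range(nz - 1, -1, -1):
            acc = R[row][j] - sum(x[i] * R[i][j] for i in range(j + 1, nz))
            x[j] = acc / R[j][j]
        xi.append(x)
    return xi


# Constructed example maps y = Xi z before and after a fault (assumed values).
XI_NOMINAL = [[1.0, -0.5, 0.2], [0.0, 0.8, -0.3]]
XI_FAULT = [[0.4, -0.5, 0.9], [0.0, 0.1, -0.3]]


def run_adaptation(lam, n_pre, n_post, seed=0):
    """Feed n_pre nominal and n_post post-fault samples; return the largest
    entry-wise error of the estimated predictor with respect to XI_FAULT."""
    rng = random.Random(seed)
    nz, ny = 3, 2
    n = nz + ny
    # Small diagonal start value so that R11 is invertible from the first step.
    R = [[1e-3 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for t in range(n_pre + n_post):
        xi = XI_NOMINAL if t < n_pre else XI_FAULT
        z = [rng.uniform(-1.0, 1.0) for _ in range(nz)]
        y = [sum(xi[r][c] * z[c] for c in range(nz)) for r in range(ny)]
        R = givens_lq_update(R, z + y, lam)
    est = predictor_from_R(R, nz)
    return max(abs(est[r][c] - XI_FAULT[r][c])
               for r in range(ny) for c in range(nz))


if __name__ == "__main__":
    for lam in (0.995, 0.95):
        print(lam, run_adaptation(lam, 400, 100))
```

With the chapter's λ = 0.995 the estimate still carries a large share of pre-fault data 100 samples after the change, while a smaller λ has already discarded most of it, at the price of a much shorter effective data window.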
The cost function used in [3] is equal to (10.18). However, this cost function does not
permit a zero steady-state tracking error in the case of a non-zero constant reference
combined with a system that does not contain an integrator. Therefore, in [7] the
input signal in the cost function has been replaced by incremental inputs $\Delta u_f$, where
$\Delta = (1 - z^{-1})$ and $z^{-1}$ is the back-shift operator of one time step. In order to also
penalize large control deflections, a cost function is used with both incremental
inputs and the regular input signals
where the matrix E ensures that the input remains constant after the control horizon
Nc . Next, Δ u f can be written as a function of the optimization variable u f
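$$
\Delta u_f =
\underbrace{\begin{bmatrix}
I_m & 0 & 0 & \cdots & 0 \\
-I_m & I_m & 0 & & 0 \\
0 & -I_m & I_m & \ddots & \vdots \\
\vdots & \ddots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & -I_m & I_m
\end{bmatrix}}_{S_\Delta} u_f
-
\underbrace{\begin{bmatrix}
0 & 0 & \cdots & 0 & 0 & I_m & 0 \\
0 & 0 & \cdots & 0 & 0 & 0 & 0 \\
\vdots & \vdots & & \vdots & \vdots & \vdots & \vdots \\
0 & 0 & \cdots & 0 & 0 & 0 & 0
\end{bmatrix}}_{S_w} w_p. \qquad (10.22)
$$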
When relations (10.21) and (10.22) are substituted into (10.20) and the terms that
do not depend on u f are discarded, the following cost function results
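$$
\begin{aligned}
J(u_f) ={}& u_f^T \left( E^T \Lambda_r^T Q_a \Lambda_r E + S_\Delta^T R_a^{\Delta} S_\Delta + R_a \right) u_f \\
&+ 2 \left( w_p^T \Gamma_r^T Q_a \Lambda_r E - r^T Q_a \Lambda_r E - w_p^T S_w^T R_a^{\Delta} S_\Delta \right) u_f. \qquad (10.23)
\end{aligned}
$$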
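The matrices of (10.22) and the cost (10.23), built and checked numerically in an added Python example that is not code from the chapter. It assumes diagonal weights, a square hold matrix E that repeats the last input of the control horizon, and a full cost of the form tracking error plus incremental-input penalty plus input penalty; these, the random matrices G and L standing in for Γr and Λr, and all function names are assumptions, and the data are constructed.

```python
import random


def zeros(rows, cols):
    return [[0.0] * cols for _ in range(rows)]


def build_s_delta(m, n):
    """S_Delta of (10.22): I_m on the block diagonal, -I_m on the block below it."""
    S = zeros(n * m, n * m)
    for i in range(n):
        for k in range(m):
            S[i * m + k][i * m + k] = 1.0
            if i > 0:
                S[i * m + k][(i - 1) * m + k] = -1.0
    return S


def build_s_w(m, l, p, n):
    """S_w of (10.22): the first block row selects u_{t-1} from
    w_p = [u_{t-p}; y_{t-p}; ...; u_{t-1}; y_{t-1}]; all other rows are zero."""
    S = zeros(n * m, p * (m + l))
    offset = (p - 1) * (m + l)
    for k in range(m):
        S[k][offset + k] = 1.0
    return S


def build_e(m, n, nc):
    """Assumed structure of E: inputs after the control horizon nc repeat block nc-1."""
    E = zeros(n * m, n * m)
    for i in range(n):
        src = min(i, nc - 1)
        for k in range(m):
            E[i * m + k][src * m + k] = 1.0
    return E


def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) for row in A]


def wdot(x, w, y):
    """x^T diag(w) y for a diagonal weighting matrix."""
    return sum(a * c * b for a, c, b in zip(x, w, y))


def delta_u(u_f, w_p, S_d, S_w):
    return [a - b for a, b in zip(matvec(S_d, u_f), matvec(S_w, w_p))]


def cost_full(u_f, w_p, r, G, L, E, S_d, S_w, q, ra, rd):
    """Assumed full cost: tracking error, incremental inputs and inputs."""
    y_hat = [a + b for a, b in zip(matvec(G, w_p), matvec(L, matvec(E, u_f)))]
    err = [a - b for a, b in zip(y_hat, r)]
    du = delta_u(u_f, w_p, S_d, S_w)
    return wdot(err, q, err) + wdot(du, rd, du) + wdot(u_f, ra, u_f)


def cost_10_23(u_f, w_p, r, G, L, E, S_d, S_w, q, ra, rd):
    """Cost (10.23): only the terms that depend on u_f."""
    leu, sdu = matvec(L, matvec(E, u_f)), matvec(S_d, u_f)
    quad = wdot(leu, q, leu) + wdot(sdu, rd, sdu) + wdot(u_f, ra, u_f)
    lin = (wdot(matvec(G, w_p), q, leu) - wdot(r, q, leu)
           - wdot(matvec(S_w, w_p), rd, sdu))
    return quad + 2.0 * lin


def demo(seed=1):
    rng = random.Random(seed)
    m, l, p, n, nc = 2, 3, 4, 5, 2          # constructed dimensions
    rand = lambda k: [rng.uniform(-1.0, 1.0) for _ in range(k)]
    S_d, S_w, E = build_s_delta(m, n), build_s_w(m, l, p, n), build_e(m, n, nc)
    G = [rand(p * (m + l)) for _ in range(n * l)]
    L = [rand(n * m) for _ in range(n * l)]
    q, ra, rd = [2.0] * (n * l), [0.1] * (n * m), [0.5] * (n * m)
    w_p, r = rand(p * (m + l)), rand(n * l)
    u_prev = w_p[(p - 1) * (m + l):(p - 1) * (m + l) + m]
    gaps, du_err = [], 0.0
    for _ in range(3):
        u_f = rand(n * m)
        du = delta_u(u_f, w_p, S_d, S_w)
        direct = [u_f[i] - (u_prev[i] if i < m else u_f[i - m])
                  for i in range(n * m)]
        du_err = max(du_err, max(abs(a - b) for a, b in zip(du, direct)))
        args = (u_f, w_p, r, G, L, E, S_d, S_w, q, ra, rd)
        gaps.append(cost_full(*args) - cost_10_23(*args))
    # The gap between the two costs must not depend on u_f.
    return du_err, max(gaps) - min(gaps), matvec(E, list(range(n * m)))


if __name__ == "__main__":
    print(demo())
```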
The predictive control law can now be formulated as a solution of the following
quadratic programming (QP) problem at each sample time
$$\min_{u_f}\ J(u_f) \quad \text{s.t.}\quad A_{ineq}\,u_f \le b_{ineq}. \qquad (10.30)$$
Efficient solvers exist for this QP problem [4]. At each sample time only the first
input vector from u f , i.e. ut , is used for control.
The control law (10.30) is derived for linear time invariant systems of the form
(10.3)-(10.4). However, in this chapter it is applied to a nonlinear aircraft model.
This usage is justified since the nonlinear aircraft model can be approximated well
by a linear parameter-varying (LPV) model [27], which has the same structure as
(10.3)-(10.4) but with time varying system matrices. The variation of the time-
dependent parameters is relatively small most of the time. In this case SPC can
easily adapt to the time varying system. Only during fast variations of the time-
dependent parameters with respect to the dynamics of the aircraft or during strong
nonlinear behaviour of the aircraft, SPC can be less accurate.
an unanticipated fault. The faults that occurred on the aircraft during this disaster
include loss of the engines and the pylons on the right wing of the aircraft. This loss
caused a shift of the center of gravity of the aircraft, a total weight loss of 10.028 kg
and damage to the right wing of the aircraft. This wing damage in turn resulted in
lift loss, increased drag, a yawing moment and a pitching moment. On top of these
faults, hydraulic systems 3 and 4 malfunctioned, which resulted in reduced or total
loss of control authority of a number of control surfaces [28].
In the nominal case, the previously mentioned manoeuvres can be performed us-
ing SPC with an input vector uk consisting of only 4 inputs, which are listed in
Table 10.1. Each input can, however, drive more than one of the controls of the
benchmark. This is because it is assumed that these controls are symmetrically ac-
tuated (or asymmetrically in case of the ailerons and spoilers). In Table 10.1 the
number of different controls driven by single SPC inputs is shown between brack-
ets. The control surfaces that are not directly driven by SPC are chosen constant and
equal to a value that is valid for a trimmed situation at the beginning of the flight
simulation. For an elevator lock-in-place fault, the SPC-based FTC system uses the
stabilizer instead of the elevator surfaces for control of the longitudinal motion. For
the rudder lock-in-place fault, the engine controls are subdivided into a control input
that controls the left engines and one that controls the right engines such that dif-
ferential engine thrust can be used when necessary. Furthermore, spoilers are used
asymmetrically to increase the control authority in the lateral direction. A positive
value of the SPC spoilers input results in a positive deflection of spoilers 5 to 8,
while spoilers 13 to 16 remain at a zero deflection. A negative value of the SPC
spoilers input results in a positive deflection of spoilers 13 to 16, while spoilers 5 to
8 remain at a zero deflection. For unanticipated faults a set of inputs is chosen with
redundant control authority for both longitudinal and lateral dynamics. Note that for
anticipated conditions, the input set can be chosen smaller. This has the additional
benefit that SPC can be implemented in a more computationally efficient manner.
Besides the input vector uk , the SPC-based FTC system also requires a number
of measurements from the aircraft to be used in the output vector yk . A selection
is made from the many available measurements taking into consideration three is-
sues. The first issue is the size of the output vector yk , which determines the size of
the data matrices defined in (10.6) and (10.7). The size of these matrices should be
kept as small as possible to keep the computational requirements of the SPC-based
FTC system low. The second issue is concerned with the quality of the subspace
predictor. For this purpose, the chosen outputs should capture the relevant dynamics
of the system. Finally, the third issue is concerned with the manipulated variables.
The control objective of the SPC-based FTC system is for the reference trajectory r f
to be tracked by the predicted output vector ŷ f (see (10.20)). Therefore, the output
vector yk should include the measurements of the physical quantities to be manip-
ulated. With the previous considerations in mind, 7 outputs are chosen, which are
listed in Table 10.2. Each of these outputs has been augmented with realistic noise
corresponding to that of conventional aircraft sensors [29].
The SPC-based FTC system should be initialized such that it does not start iden-
tifying the system from scratch when a switch is made from nominal operation to an
Condition                 SPC inputs (number of controls driven)
Nominal case              Ailerons (4), Elevators (4), Rudders (2), Engines (4)
Elevator lock-in-place    Ailerons (4), Stabilizer (1), Rudders (2), Engines (4)
Rudder lock-in-place      Ailerons (4), Spoilers (8), Elevators (4), Engines left (2), Engines right (2)
Unanticipated faults      Ailerons (4), Spoilers (8), Elevators (4), Stabilizer (1), Rudders (2),
                          Engines left (2), Engines right (2)
altitude of 980 m. During this first flight phase, the faults are inserted. Next, a sec-
ond phase consisting of a heading change is initiated. The third and final flight phase
of the trajectory consists of a descent to an altitude of 100 m. In the first simulation,
the flight scenario is simulated without any faults. In the second, third, and fourth
simulation, faults are injected during the first flight phase. In the second simulation
a lock-in-place fault of the elevators is injected, in the third simulation a rudder run-
away fault is injected, and in the fourth simulation the faults that occurred during
the “Bijlmerramp” are injected.
Before the actual simulation results are presented, the choices for the simulation
settings and tuning parameters are described first. The aircraft model is simulated at
a frequency of 100 Hz. The operation frequency of the SPC-based FTC system is
10 Hz, which is chosen sufficiently fast relative to the aircraft dynamics. The fastest
mode of the aircraft that has been observed from linearizations of the nonlinear air-
craft model at different operating points is about 0.25 Hz. The SPC parameters are
chosen as: p = 20, f = 20, λ = 0.995, Np = f, and Nc = 5. The subspace predictor
parameters p and f are chosen relative to the aircraft dynamics. The parameter λ is
tuned such that the predictor is modified just enough at each sample time to cope
with the varying dynamics. The weights Qa , Ra , and RΔa are tuned relative to each
other based on a combination of simulation experience and “rules of thumb” from
[4]. These weights are tuned differently for the different settings described in Table
10.1. Furthermore, weight Qa only contains nonzero entries on its diagonal for the
entries that are manipulated by SPC, i.e. φ , θ , VTAS , and β . The tuning procedure
for the outer loop parameters Pθ , Iθ , Dθ , Pφ , Iφ , and Dφ is based on simulation
experience, similar to the weighting matrices. Parameter j, which determines the
number of columns in the data matrices in (10.6) and (10.7) is chosen to have a
value of 1000. This means that the data matrices contain 1000/10 Hz=100 s of data.
Note that these large data matrices are created only once for each condition. Once
an R-matrix is computed based on these data matrices, only the R-matrix is used
and updated in SPC. The R-matrix is generally much smaller than the data matri-
ces since its dimensions do not depend on j. All simulations have been performed
under closed-loop conditions with realistic measurement noise levels. Moreover,
turbulence that is modelled according to the Dryden turbulence model is added to
the simulated aircraft.
Fig. 10.2 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for the
nominal condition. The dashed signals correspond to the control reference signals.
(Legend: Reference signal, System response; horizontal axis: Time [s])
Fig. 10.3 Angle of attack, heading angle, altitude, and trajectory of the aircraft for the
nominal condition.
(Panels: Angle of Attack [deg], Heading angle [deg] and Altitude [m] versus Time [s];
trajectory in x [m], y [m] and Altitude [m])
seen that the reference signals are tracked very well, especially when the fact is con-
sidered that the SPC-based FTC system is completely data-driven. It can be seen
that during the heading change manoeuvre, the sideslip angle is allowed to have a
minimal tracking error, preventing large surface deflections. The flight trajectory is
depicted in Fig. 10.3 as well as the angle of attack, heading angle, and the altitude.
The actuator deflections and the engine commands are depicted in Fig. 10.4. The
engine commands are expressed in engine pressure ratio (EPR). It can be seen that
the control signals are quite smooth and remain well within their operating limits,
which is a result of the constraints on u f .
Fig. 10.4 Actuator deflections and engine commands for the nominal condition.
section for the nominal case. The elevator lock-in-place fault is injected at T = 18 s
at a deflection of 1.9 deg. The fault is correctly isolated at T = 28 s. The relatively
large isolation delay is a result of the fact that the elevator locks at a deflection po-
sition, which exactly suits the flight condition at that time. So, the faults can not
be isolated until the aircraft is sufficiently excited by turbulence. It can be seen in
Fig. 10.5 that the reference signal for the true airspeed has been increased just after
isolation of the fault. This has been done to increase the effectiveness of the sta-
bilizer surface to allow sufficient control authority. Furthermore it can be seen that
tracking of the reference signals is performed satisfactorily. Only during the descent,
which is again performed with a fixed flight path angle of −5 deg, the pitch angle
command is tracked with a small error. In Fig. 10.6, the angle of attack, heading
angle, and altitude are depicted together with the flight trajectory. For comparison
purposes, the same trajectory is also flown using the autopilot from the GARTEUR
AG-16 benchmark, the result of which is indicated by a grey signal in the figure
showing the flight trajectory. It can be seen that the result of the fault is a pitching
moment which cannot be counteracted by the autopilot since it does not have control
over the stabilizer. Therefore, when the autopilot is used, human pilot intervention
is required to accommodate this fault. Since the elevator lock-in-place fault does not
affect lateral motion, the heading change manoeuvre is still performed adequately
by the autopilot. In Fig. 10.7 the actuator deflections and engine commands of the
SPC-based FTC system are shown. It can be seen that the elevator deflection re-
mains constant after the fault is injected and that the stabilizer takes over after the
fault is isolated. Note also that the rate of change of the stabilizer input is small when
compared to the other surfaces. The reason for this is that the stabilizer surface has
a maximum deflection rate of 0.5 deg/s, which is about 100 times smaller than the
other surfaces. Generally, it can be concluded from these simulation results that the
reaction on the fault is performed quickly and adequately as a result of the available
prior knowledge being open-loop simulation data from a similar fault condition.
This prior knowledge has significantly reduced adaptation time.
10 Subspace Predictive Control Applied to Fault-Tolerant Control 309
Fig. 10.5 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for elevator
lock-in-place. The dashed signals correspond to the control reference signals.
Fig. 10.6 Angle of attack, heading angle, altitude, and trajectory of the aircraft for elevator
lock-in-place. In the trajectory plot, the gray line corresponds to the trajectory flown with the
autopilot.
Fig. 10.7 Actuator deflections and engine commands for elevator lock-in-place.
Fig. 10.8 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for rudder
runaway. The dashed signals correspond to the control reference signals.
Fig. 10.9 Angle of attack, heading angle, altitude, and trajectory of the aircraft for rudder
runaway. In the trajectory plot, the gray line corresponds to the trajectory flown with the
autopilot.
SPC-based FTC system manages to quickly regain control and track the reference
signals again after a period of about 15 s. In Fig. 10.12 it can be seen that the tra-
jectory can be flown safely even after occurrence of the very severe fault condition.
Furthermore, it can be seen that the autopilot is not capable of safely flying the air-
craft, since it crashes about 50 s after the injection of the fault. In Fig. 10.13 the
actuator deflections and the engine commands for the “Bijlmerramp” scenario are
shown. It can be seen that the right engines immediately stop providing thrust after
the fault is injected. Furthermore, it can be observed that the stabilizer is used in a
limited range to prevent overly large altitude fluctuations due to the slow operation
of this surface. An important conclusion that can be drawn from this simulation is
that the SPC-based FTC system is able to adapt to an unanticipated condition, which
severely changes the dynamics of the aircraft.
312 R. Hallouzi and M. Verhaegen
Fig. 10.10 Actuator deflections and engine commands for rudder runaway.
Fig. 10.11 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for the
“Bijlmerramp” fault condition. The dashed signals correspond to the control reference
signals.
Fig. 10.12 Angle of attack, heading angle, altitude, and trajectory of the aircraft for the “Bi-
jlmerramp” fault condition. In the trajectory plot, the gray line corresponds to the trajectory
flown with the autopilot.
Fig. 10.13 Actuator deflections and engine commands for “Bijlmerramp” fault condition.
control for all possible faults since not all possible faults can be anticipated.
However, the proposed methodology can even deal with unanticipated faults by
adapting on-line to faults using input-output data. Therefore, it is a very suitable
method for fault-tolerant control.
presented SPC-based FTC system does not have too restrictive computational re-
quirements, an on-line version has been developed. This on-line version has been
created in the scope of GARTEUR AG-16. In this project the participants have been
invited to develop on-line FTC schemes for implementation on the SIMONA re-
search flight simulator [30]. A real-time simulator environment has been developed
specifically for this research simulator. This environment, which has been named
Delft University Environment for Communication and Activation (DUECA) [31],
poses different requirements to the FTC system than the off-line simulation envi-
ronment, which is MATLAB/Simulink.
An important requirement of the on-line simulation environment is that all com-
putations required for the FTC system should be finished well within the sample
time of the benchmark model, which is 0.01 s. Since the computations required for
the developed SPC-based FTC system are too heavy to be finished within 0.01 s,
a multi-rate real-time architecture has been developed. This architecture consists
of 2 blocks that run at different operating frequencies. One block runs at the same
frequency as the aircraft model and one block runs at a frequency of 10 Hz. A
schematic diagram of the multi-rate architecture is shown in Fig. 10.14. In Block
2 the time-consuming computations that cannot be finished within 0.01 s are per-
formed. These computations include the update of the subspace predictor and the
solver for the quadratic programming problem (10.30). Block 1 contains the less
intensive computations, such as the computations required for the multiple-model
FDI system. It should be noted that the frequency of 10 Hz of Block 2 is chosen
sufficiently fast relative to the dynamics of the benchmark model.
The tuning parameters of the on-line SPC-based FTC system that determine the
computational requirements are chosen as: N p = 20, Nc = 5, p = 20, f = 20, m = 5,
and l = 7. Furthermore, the maximum number of iterations of the solver for the
quadratic programming problem has been set to 100 to ensure that the available
[Fig. 10.14, block diagram: the Boeing 747 model and FTC Block 1 run at 100 Hz; FTC Block 2 runs at 10 Hz.]
10.7 Conclusions
A reconfigurable fault-tolerant control system has been presented that is able to
adapt on-line to faults. This system consists of a subspace predictor, derived in
a closed-loop setting, combined with predictive control. The subspace predictor,
which does not require knowledge of a mathematical model, is continuously up-
dated on-line using new input-output data. It is this property that gives the proposed
system its ability to adapt to faults. These faults may be either anticipated or unantic-
ipated. In case of anticipated faults, prior knowledge of the faults allows the changed
dynamics to be captured faster than purely relying on adaptation. A special setting
for unanticipated faults has been designed that uses more control inputs than for
anticipated faults to fully exploit the adaptation capabilities. The proposed fault-
tolerant control system is evaluated in simulation on a detailed benchmark model.
In the performed simulations, three fault conditions have been successfully accom-
modated. These fault conditions include an elevator lock-in-place, rudder runaway,
and the “Bijlmerramp” fault condition. In the simulations it could be observed that
the controller requires some time to adapt to the new fault situation. This is an in-
evitable consequence of the data-driven adaptation concept. However, in general it
can be concluded from the simulations that the system allows to safely perform the
required elementary manoeuvres in both nominal and faulty conditions.
References
1. Van Overschee, P., De Moor, B.: Subspace identification for linear systems: theory, im-
plementation, applications. Kluwer Academic Publishers, Dordrecht (1996)
2. Verhaegen, M., Dewilde, P.: Subspace identification, part I: The output-error state space
model identification class of algorithms. International Journal of Control 56(5), 1187–
1210 (1992)
3. Favoreel, W., de Moor, B.: SPC: Subspace Predictive Control. In: Proceedings of the
IFAC World Congress, Beijing, China (July 1999)
4. Maciejowski, J.M.: Predictive Control with Constraints. Prentice Hall, Englewood Cliffs
(2002)
5. Hallouzi, R., Verhaegen, M.: Fault-tolerant subspace predictive control applied to a Boe-
ing 747 model. Journal of Guidance, Control, and Dynamics 31(4), 873–883 (2008)
6. Woodley, B.R., How, J.P., Kosut, R.L.: Subspace based direct adaptive H∞ control. In-
ternational Journal of Adaptive Control and Signal Processing 15, 535–561 (2001)
7. Kadali, R., Huang, B., Rossiter, A.: A data driven subspace approach to predictive con-
troller design. Control Engineering Practice 11(3), 261–278 (2003)
8. Ljung, L., McKelvey, T.: Subspace identification from closed loop data. Signal Process-
ing 52(2), 209–215 (1996)
9. Favoreel, W., de Moor, B., Gevers, M., van Overschee, P.: Closed-loop model-free
subspace-based LQG-design. In: Proceedings of the Mediterranean Conference on Con-
trol and Automation, Haifa, Israel (June 1999)
10. Jansson, M.: A new subspace identification method for open and closed loop data. In:
Proceedings of the IFAC World Congress, Prague, Czech Republic (July 2005)
11. Chiuso, A.: The role of vector autoregressive modeling in predictor-based subspace iden-
tification. Automatica 43(6), 1034–1048 (2007)
12. Dong, J., Verhaegen, M., Holweg, E.: Closed-loop subspace predictive control for fault
tolerant MPC design. In: Proceedings of the IFAC World Congress, Seoul, Korea (July
2008)
13. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The Johns Hopkins
University Press, Baltimore (1996)
14. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems.
Kluwer Academic Publishers, Dordrecht (2003)
15. Song, Y., Campa, G., Napolitano, M., Seanor, B., Perhinschi, M.G.: Online parameter
estimation techniques comparison within a fault tolerant flight control system. Journal of
Guidance, Control, and Dynamics 25(3), 528–537 (2002)
16. Shin, J.-Y., Belcastro, C.M.: Performance analysis on fault tolerant control system. IEEE
Transactions on Control Systems Technology 14(5), 920–925 (2006)
17. Belkharraz, A.I., Sobel, K.: Simple adaptive control for aircraft control surface failures.
IEEE Transactions on Aerospace and Electronic Systems 43(2), 600–611 (2007)
18. Fielding, C., Varga, A., Bennani, S., Selier, M. (eds.): Advanced Techniques for Clear-
ance of Flight Control Laws. Springer, Heidelberg (2002)
19. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable
flight control. IEEE Transactions on Control Systems Technology 5(2), 217–229 (1997)
20. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable
flight control. Control Engineering Practice 13(6), 771–788 (2005)
21. Pachter, M., Huang, Y.-S.: Fault tolerant flight control. Journal of Guidance, Control, and
Dynamics 26(1), 151–160 (2003)
22. Kanev, S.: Robust Fault-Tolerant Control. PhD thesis, University of Twente, Enschede,
The Netherlands (2004)
23. Zhang, Y., Rong Li, X.: Detection and diagnosis of sensor and actuator failures using
IMM estimator. IEEE Transactions on Aerospace and Electronic Systems 34(4), 1293–
1313 (1998)
24. Hallouzi, R., Verhaegen, M., Kanev, S.: Multiple model estimation: a convex model
formulation. International Journal of Adaptive Control and Signal Processing (2008),
doi:10.1002/acs.1034
25. Hallouzi, R.: Multiple-Model Based Diagnosis for Adaptive Fault-Tolerant Control. PhD
thesis, Delft University of Technology, Delft, The Netherlands (2008)
26. Lovera, M., Gustafsson, T., Verhaegen, M.: Recursive subspace identification of linear
and non-linear Wiener state-space models. Automatica 36, 1639–1650 (2000)
27. Marcos, A., Balas, G.J.: Development of linear-parameter-varying models for aircraft.
Journal of Guidance, Control and Dynamics 27(2), 218–228 (2004)
28. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Am-
sterdam Bijlmermeer airplane accident. In: AIAA Modelling and Simulation Technolo-
gies Conference and Exhibit, Denver, Colorado USA (August 2000)
29. Breeman, J.: Quick start guide to AG 16 benchmark model. Technical report, NLR
(2006)
30. SIMONA. TU Delft - SIMONA research simulator (2007) (last checked October 8, 2007)
31. Van Paassen, M.M., Stroosma, O., Delatour, J.: DUECA - data-driven activation in dis-
tributed real-time computation. In: Proceedings of the AIAA Modeling and Simulation
Technologies Conference and Exhibit, Denver, CO, USA (August 2000)
Chapter 11
Fault-Tolerant Control through a Synthesis of
Model-Predictive Control and Nonlinear
Inversion
11.1 Introduction
Reconfigurable and fault-tolerant control is by itself a challenging task. In general,
fault-tolerant control requires mechanisms to detect and identify a failure; furthermore,
it must be flexible enough to accommodate such a failure. In the more specific case
of fault-tolerant flight control, several specific challenges exist according to [1]:
• flight control is a multi-variable control problem with strong cross-couplings,
especially appearing after an asymmetric failure occurs;
• flight control is a nonlinear problem which means that trim values change with
operating conditions, requiring continuous use of nonlinear or adaptive algo-
rithms;
• an aircraft may become highly unstable after occurrence of a failure, leaving little
time for reconfiguration.
In order to tackle these challenges, we will introduce a control method that is
globally valid, easily reconfigurable and above all, constrained. The solution that
is presented here is a synthesis between model-predictive control (MPC) and a non-
linear dynamic inversion method (NDI). Section 11.2 provides the motivation for
D.A. Joosten
Delft University of Technology, Delft, The Netherlands
e-mail: d.a.joosten@tudelft.nl
T.J.J. van den Boom
Delft University of Technology, Delft, The Netherlands
e-mail: a.j.j.vandenboom@tudelft.nl
M. Verhaegen
Delft University of Technology, Delft, The Netherlands
e-mail: m.verhaegen@tudelft.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 319–336.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
320 D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
this setup, and furthermore, the section provides a clear introduction as to how both
methods interact. Section 11.2.2 and 11.2.3 provide a discussion of the theory of
MPC and dynamic inversion, whereas Section 11.2.4 on control allocation, and the
mapping of constraints, provides the theory that is required to make the proposed
combination of MPC and dynamic inversion interact correctly. Subsequently Sec-
tion 11.3 introduces the relevant equations of motion of the benchmark aircraft and
applies NDI theory to these. The chapter continues with the introduction of sim-
ulation results in Section 11.4 and wraps up with a discussion and conclusions in
Section 11.5.
[Block diagram: the FDI block supplies f_new, g_new, U_new, X_new.]
Fig. 11.1 Overview of the complete FTFC loop and the individual components. Additionally,
the FDI block is shown to stress the importance of a failure detection method that delivers a
new system description and a new set of constraints after the introduction of a failure.
robust MPC and feedback linearisation is evaluated in [9]. The theory presented
in this chapter differs from existing literature in two aspects; the first of which is
that the combination of NDI and MPC is not only applied as a form of globally
valid and constrained nonlinear control, but also as a reconfigurable method; the
second difference lies in the fact that it is assumed here that the system has control
effector redundancy in the nominal and fault-free case, i.e. that it is over-actuated.
The latter is not the case in the previously mentioned references [7], [9]. In addition,
[10] provides an application of robust MPC to achieve reconfigurable
behaviour; linear subspace identification and predictive control are synthesized into
one in [11]; and NDI and online identification of the aerodynamic derivatives of the
aircraft are combined in [12]. An example that considers the use of MPC, without
NDI, in a simulation of the Bijlmermeer accident scenario is to be found in [13].
Figure 11.1 provides an overview of how MPC and NDI are combined in this
chapter. The concept of a combination between NDI and MPC such as to form a
reconfigurable, globally valid, nonlinear, and constrained controller seems intuitive,
but there are several interconnection issues that require attention. Such issues are
caused by the fact that the number of system inputs is in general much larger than
the number of states that are to be controlled, which is actually a prerequisite for
FTFC. The latter forces us to include control allocation in between the NDI block
and the aircraft. This will be elaborated upon in Section 11.2.4. Furthermore, it is
not a priori clear how the constraints on the inputs relate to the constraints of the
MPC controller.
Subsection 11.2.1 introduces the model structure and Section 11.2.2 introduces
dynamic inversion. The next subsection provides the details of the MPC strategy that
has been applied. Finally, subsection 11.2.4 provides details on how to distribute the
desired control effort over the physical inputs.
For clarity, several assumptions, made mainly for simplicity, are stated here and
hold throughout the entire chapter. It is assumed that a new model
will become available through online identification of the aerodynamic parameters
based on the work presented in Chapter 13 and [14]. Other assumptions that are
made are that full-state information is assumed to be available, and more impor-
tantly, we assume that there are redundant control effectors, such that these can be
applied in case a primary actuator fails. Finally, it is noted that this method is best
suited for failures of actuators/control surfaces and structural failures of the air-
frame. Sensor failures are not considered here, and furthermore, it is assumed that
the current position of control surfaces is measured for purposes of control.
where $x(k) \in \mathbb{R}^n$ is the state vector, $u(k) \in \mathbb{R}^m$ is the vector of inputs, and $k$ indicates
that this system is a discrete-time system with sampling-interval $T$. Furthermore,
$f(x) \in \mathbb{R}^{n \times 1}$, $g(x) \in \mathbb{R}^{n \times m}$. Both the input $u \in U$ and $x \in X$ belong to a polyhedral
set, i.e. they can be written as

$$U = \{u \in \mathbb{R}^m \mid A u \le b\}, \tag{11.3}$$

$$X = \{x \in \mathbb{R}^n \mid A_x x \le b_x\}, \tag{11.4}$$

for some matrices $A$, $A_x$ and vectors $b$, $b_x$. Furthermore, it is assumed that the output
$y(k) = x(k)$, is such that $h(x(k)) = x(k)$.
It must be remarked that it is also possible to apply FBL to the system in con-
tinuous time. This, however, leads to issues with respect to the control allocation
problem such as depicted in Figure 11.1. The control allocation will consist of a
constrained quadratic programming problem and will necessarily be performed in
discrete-time. It is therefore more logical to perform all steps in discrete-time, and
as such, to discretise the nonlinear system before applying FBL.
where z(x(k), u(k)) is assumed to be a virtual input of the system that can be used
for linearisation purposes. This relation between z(x(k), u(k)) and u(k), and how to
make use of the freedom therein, is the topic of Section 11.2.4 on control allocation.
It is clear to see that in order to invert the nonlinear dynamics, a choice
where $\nu(k) \in \mathbb{R}^n$ is a new input to the inverted system. Optionally, through proper
selection of $z(k)$ one can incorporate some desired dynamics such that $x(k+1) =
A_{des} x(k) + \nu(k)$. The latter equation shows that the chosen control law decouples
the system, such that the closed-loop constitutes a series of integrators in parallel.
Furthermore, it is clear to see that when the number of inputs m is smaller than
the number of states n, provided that we wish to linearize all n states, it will be
impossible to invert the entire dynamics. When m = n there will exist a unique
solution to equation (11.6) and when m > n then there will exist a whole set of
solutions u(k) to this equation. It is necessary to make the remark that it is assumed
in this chapter that m > n, and hence input redundancy exists. Therefore, the input
u(k) will have to be allocated at every discrete-time step. The latter is commonly
called nonlinear dynamic inversion (NDI) instead of FBL.
In summary, the input-state linearisation that is presented in this section leads to
LTI behaviour that relates ν (k) to x(k), and retains freedom in the allocation of u(k).
A restrictive result of the above is that the original input constraints on u(k) must now
be mapped into constraints on ν , since ν (k) will be controlled using model predictive
control (see Figure 11.1). The next section will introduce an MPC algorithm that has
been tailored to this situation, such that this issue can be avoided to a large extent.
$$\dot{x} = f(x) + g(x)u \approx \frac{x(k+1) - x(k)}{T} \tag{11.8}$$

$$\Leftrightarrow$$

$$x(k+1) \approx T f(x(k)) + x(k) + T g(x(k))u. \tag{11.9}$$
The authors acknowledge that the Euler method, which is a first-order method,
is typically associated with an integration error that is proportional to the sampling
interval T . This makes the Euler method less accurate than higher order methods
such as the Runge-Kutta method. There are two specific reasons why Euler’s method
is applied here. For one, use of higher order methods would complicate the dynamic
inversion of the nonlinear aircraft model in Section 11.3 unnecessarily. Next to that,
and more importantly, the simulation settings for the benchmark model are such that
the Euler method is applied in the simulation. Hence, the Euler method is chosen
over higher-order methods for discretization.
where e(k + i|k) = x̂(k + i|k) − xr (k + i|k), and x̂(k + i|k) is the predicted value of
x(k + i) at time k. r(k) ∈ Rn is the reference signal and Q 0 is a state weighting
matrix, respectively.
We introduce the following variables

$$\tilde{x} = \begin{bmatrix} x(k+1|k) \\ x(k+2|k) \\ \vdots \\ x(k+N|k) \end{bmatrix}, \quad
\tilde{x}_r = \begin{bmatrix} x_r(k+1|k) \\ x_r(k+2|k) \\ \vdots \\ x_r(k+N|k) \end{bmatrix},$$

$$\tilde{u} = \begin{bmatrix} u(k|k) \\ u(k+1|k) \\ \vdots \\ u(k+N-1|k) \end{bmatrix}, \quad
\tilde{\nu} = \begin{bmatrix} \nu(k|k) \\ \nu(k+1|k) \\ \vdots \\ \nu(k+N-1|k) \end{bmatrix}, \tag{11.11}$$
11 FTFC Using MPC and Model Inversion 325
and

$$\tilde{Q} = I_N \otimes Q, \tag{11.12}$$

where $I_N$ is an identity matrix of size $N$, and where the operator $\otimes$ indicates the Kronecker
product of two matrices. Now, using relationship (11.7) the above objective
function (11.10) can be expanded into
and

$$\underbrace{(I_N \otimes A)}_{=\tilde{A}} \, \tilde{u}(k) \le \underbrace{\begin{bmatrix} 1 & 1 & \dots & 1 \end{bmatrix}^T \otimes b}_{=\tilde{b}}. \tag{11.16}$$
ũ 0 0 ũ 0 ũ
min + , (11.17)
ν̃ ,ũ ν̃ 0 Q̃ ν̃ −2x̃Tr Q̃ ν̃
ũ
s.t. C̃ | − INn = b̃eq , (11.18)
ν̃
ũ
à 0 ≤ b̃. (11.19)
ν̃
The minimisation of (11.17), subject to (11.18) and (11.19) leads to a feasible ũ∗
and an optimal ν̃ ∗ . Note that equation (11.18) incorporates the relationship between
the virtual input z, the physical input u, and the variable ν (see remark). The lat-
ter may be interpreted as if the dynamic inversion were embedded into the MPC
problem. It must be noted, however, that it is not possible to weight the input ũ(k)
during this phase because that impairs the state-tracking capability of the controller.
The argument of the optimisation ũ∗ is not unique, since g(x(k)) is a wide matrix.
Hence, it is possible to pose a second optimisation problem in the form of a control
allocation problem, which will be the subject of the next section.
One issue, that was already mentioned in the previous paragraph, is that the equal-
ity constraint (11.18) depends on the state in a nonlinear fashion. This constraint
therefore has to be approximated such that it is either constant or linearly dependent
on the state at time k. Several possible approximations are:
1. assume that $x(k)$ is constant over the horizon such that
$$\tilde{C} \approx I_n \otimes g(x(k)), \qquad \tilde{b}_{eq} \approx \begin{bmatrix} 1 & 1 & \dots & 1 \end{bmatrix}^T f(x(k));$$
2. apply the input that was computed for the previous time-step to predict the evo-
lution of the state over the horizon;
3. assume that the system state will follow the reference state according to a stable
and linear time-invariant (LTI) reference system;
4. exploit a Jacobian linearization of f (x(k)) and g(x(k)) to obtain a local LTI
model that can be applied to predict the evolution of the state over the horizon.
The authors acknowledge that what is presented in this section is a tailor-made MPC
implementation, and suggest referring to [6] for an in-depth investigation of MPC
and its properties in general.
Remark: The addition of ũ(k) in (11.17) may seem redundant, but it avoids the
complex and computationally expensive mapping of the polytope U that bounds
u(k) to a polytope that bounds ν (k) via the relationship
This must be done every time-step and is very closely related to the subject of com-
putational geometry. It is however well-known that projection methods, as described
in [17], are computationally very intensive and therefore not suitable for this ap-
plication. Even the more advanced and much faster methods like the equality set
$$\min_{u} \; u^T Q_u u + \Delta u^T R_u \Delta u, \tag{11.21}$$

$$\text{s.t.} \quad g(x(k))\,u(k) = g(x(k))\,u^*(k),$$

$$A u \le b,$$
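The inversion step of Section 11.2.2, the Euler discretisation (11.9) and the equality-constrained core of the allocation problem (11.21) can be exercised together on a small over-actuated system. The following Python code is an added example, not code from the chapter: the toy `f` and `g`, the value of `T`, `a_des`, the weights and the directly chosen `nu` (standing in for the MPC output) are assumptions, a failed effector is modelled by zeroing its column of `g`, and the inequality $Au \le b$ is left out so that the allocation has a closed-form solution.

```python
import math

T = 0.01  # sampling interval T [s]; assumed value for this example


def f(x):
    """Constructed drift term f(x) of a 2-state toy system (not the aircraft model)."""
    return [-0.5 * x[0] + math.sin(x[1]), -x[0] * x[1]]


def g(x, failed=None):
    """Constructed 2x3 input matrix g(x): m = 3 inputs > n = 2 states.
    A failed effector is modelled by zeroing its column (assumed form of g_new)."""
    rows = [[1.0, 0.5, 0.2 + 0.1 * math.cos(x[0])],
            [0.0, 1.0, -0.4]]
    if failed is not None:
        for row in rows:
            row[failed] = 0.0
    return rows


def euler_step(x, u, failed=None):
    """Plant update, eq. (11.9): x(k+1) = T f(x(k)) + x(k) + T g(x(k)) u."""
    fx, gx = f(x), g(x, failed)
    return [x[i] + T * fx[i] + T * sum(gx[i][j] * u[j] for j in range(len(u)))
            for i in range(len(x))]


def solve(a, b):
    """Solve a y = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [a[i][:] + [b[i]] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            raise ValueError("g(x) has lost rank: the states cannot all be inverted")
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            k = m[r][c] / m[c][c]
            for j in range(c, n + 1):
                m[r][j] -= k * m[c][j]
    y = [0.0] * n
    for r in reversed(range(n)):
        y[r] = (m[r][n] - sum(m[r][j] * y[j] for j in range(r + 1, n))) / m[r][r]
    return y


def required_effort(x, nu, a_des):
    """Effort v = g(x) u that makes (11.9) equal to x(k+1) = A_des x(k) + nu(k)."""
    fx = f(x)
    return [(sum(a_des[i][j] * x[j] for j in range(len(x))) + nu[i] - x[i]) / T - fx[i]
            for i in range(len(x))]


def allocate(gx, v, u_prev, q_u, r_u):
    """Equality-constrained core of (11.21) with diagonal weights:
    min u'Q_u u + (u - u_prev)'R_u (u - u_prev)  s.t.  g(x) u = v."""
    n, m = len(gx), len(u_prev)
    h = [q_u[j] + r_u[j] for j in range(m)]
    u0 = [r_u[j] * u_prev[j] / h[j] for j in range(m)]   # unconstrained minimiser
    # KKT conditions: u = u0 - H^-1 g' lam, with (g H^-1 g') lam = g u0 - v
    s = [[sum(gx[i][j] * gx[k][j] / h[j] for j in range(m)) for k in range(n)]
         for i in range(n)]
    rhs = [sum(gx[i][j] * u0[j] for j in range(m)) - v[i] for i in range(n)]
    lam = solve(s, rhs)
    return [u0[j] - sum(gx[i][j] * lam[i] for i in range(n)) / h[j] for j in range(m)]


def simulate(steps=50, failed=None):
    """Run NDI plus allocation; return final state, final input and the worst
    deviation of the plant from the target x(k+1) = A_des x(k) + nu(k)."""
    a_des = [[0.9, 0.0], [0.0, 0.8]]      # assumed desired dynamics
    nu = [0.01, 0.0]                      # assumed constant virtual input
    x, u = [0.3, -0.2], [0.0, 0.0, 0.0]
    worst = 0.0
    for _ in range(steps):
        v = required_effort(x, nu, a_des)
        u = allocate(g(x, failed), v, u, q_u=[1.0, 1.0, 1.0], r_u=[1.0, 1.0, 1.0])
        target = [sum(a_des[i][j] * x[j] for j in range(2)) + nu[i] for i in range(2)]
        x = euler_step(x, u, failed)
        worst = max(worst, max(abs(x[i] - target[i]) for i in range(2)))
    return x, u, worst


if __name__ == "__main__":
    for failed in (None, 0):
        print(failed, simulate(failed=failed))
```

With `failed=0` the first input no longer acts on the plant, and the two remaining inputs still reproduce $x(k+1) = A_{des} x(k) + \nu(k)$ because the redundancy $m > n$ is preserved.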
A total number of four states will be linearised using the NDI method. These
states are the roll attitude φ , the pitch angle θ , the yaw angle ψ and the indicated
airspeed V , respectively. With these four states it is possible to control both the ori-
entation and the velocity of the aircraft. Through the application of NDI we strive
for linearisation of these four state equations. In order to arrive at the required con-
trol laws we split the problem in two separate stages. First, we model the discretised
but nonlinear equation for the airspeed V of the benchmark aircraft and linearise
this. Subsequently, we perform the same actions for the equations that belong to the
three attitude states. Additionally, in the first instance we will assume that the forces
(X,Y, Z) and moments (L, M, N), that enter the system equations, are inputs to the
system.
The nonlinear and discretised state equation for the airspeed is given as follows:
$$V(k+1) = V(k) + \frac{T}{m} \begin{bmatrix} \cos\alpha\cos\beta & \sin\beta & \sin\alpha\cos\beta \end{bmatrix} \begin{bmatrix} X(k) \\ Y(k) \\ Z(k) \end{bmatrix}, \tag{11.22}$$
where α and β are the angle of attack and sideslip angle, respectively. The variable
T is introduced here to represent the sampling interval. Hence, the time between
two time-steps k and k + 1 is T seconds. Then, using the notational convention of
Section 11.2.2 we introduce the virtual input z1 as
$$z_1(k) = \frac{T}{m} \begin{bmatrix} \cos\alpha\cos\beta & \sin\beta & \sin\alpha\cos\beta \end{bmatrix} \begin{bmatrix} X(k) \\ Y(k) \\ Z(k) \end{bmatrix}, \tag{11.23}$$
Performing NDI for the attitude states requires some additional steps, whilst they do
not depend on the external forces and moments directly. We model the behaviour of
the attitude states as
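$$\begin{bmatrix} \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix} = T \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ 0 & \frac{\sin\phi}{\cos\theta} & \frac{\cos\phi}{\cos\theta} \end{bmatrix} \begin{bmatrix} p(k) \\ q(k) \\ r(k) \end{bmatrix} + \begin{bmatrix} \phi(k) \\ \theta(k) \\ \psi(k) \end{bmatrix}, \tag{11.26}$$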
where p, q, r are the roll-, pitch- and yaw rate. In order to apply NDI we shift these
equations one step in time in order to arrive at
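$$\begin{bmatrix} \phi(k+2) \\ \theta(k+2) \\ \psi(k+2) \end{bmatrix} = T \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ 0 & \frac{\sin\phi}{\cos\theta} & \frac{\cos\phi}{\cos\theta} \end{bmatrix}(k+1) \begin{bmatrix} p(k+1) \\ q(k+1) \\ r(k+1) \end{bmatrix} + \begin{bmatrix} \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix}, \tag{11.27}$$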
such that we may plug in the equations that govern the states p, q, r,
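$$\begin{bmatrix} p(k+1) \\ q(k+1) \\ r(k+1) \end{bmatrix} = \left( -T J^{-1} \begin{bmatrix} 0 & -r & q \\ r & 0 & -p \\ -q & p & 0 \end{bmatrix} J - \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix} \right) \begin{bmatrix} p(k) \\ q(k) \\ r(k) \end{bmatrix} + T J^{-1} \begin{bmatrix} L(k) \\ M(k) \\ N(k) \end{bmatrix},$$

where

$$J = \begin{bmatrix} I_{xx} & 0 & -I_{xz} \\ 0 & I_{yy} & 0 \\ -I_{xz} & 0 & I_{zz} \end{bmatrix} \tag{11.28}$$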
Using the same method that was applied for the airspeed, we choose the virtual input
$$z_2(k) = T J^{-1}\begin{bmatrix}L(k)\\ M(k)\\ N(k)\end{bmatrix}. \tag{11.30}$$
where $A_{des} \in \mathbb{R}^{3\times 3}$ is the desired linear time invariant behaviour and where $\nu_2$ is the
input to the linearised system. At this stage we may conclude that when $z_1$ and $z_2$
satisfy equations (11.24) and (11.31), the linear state behaviour equals
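$$\begin{bmatrix}V(k+1)\\ \phi(k+2)\\ \theta(k+2)\\ \psi(k+2)\end{bmatrix} = \begin{bmatrix}a_{des} & 0\\ 0 & A_{des}\end{bmatrix}\begin{bmatrix}V(k)\\ \phi(k+1)\\ \theta(k+1)\\ \psi(k+1)\end{bmatrix} + \begin{bmatrix}\nu_1(k)\\ \nu_2(k)\end{bmatrix}. \tag{11.33}$$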
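The airspeed channel of the inversion above, as an added example that is not part of the original chapter. The choice of z1 follows from (11.22) and the first row of (11.33); the minimum-norm force allocator, the mass, sampling interval and angle profiles are assumptions made here (the chapter allocates through the constrained problem (11.21)), and `m_model` is a hypothetical parameter that shows how an inversion error moves the linearised pole.

```python
import math

def direction(alpha, beta):
    """Row vector of (11.22)-(11.23); its Euclidean length is always 1."""
    return (math.cos(alpha) * math.cos(beta),
            math.sin(beta),
            math.sin(alpha) * math.cos(beta))

def airspeed_step(V, force, alpha, beta, T, m):
    """Nonlinear discretised airspeed update, equation (11.22)."""
    c = direction(alpha, beta)
    return V + (T / m) * sum(ci * fi for ci, fi in zip(c, force))

def virtual_input(V, nu1, a_des):
    """z1(k) that turns V(k+1) = V(k) + z1(k) into a_des*V(k) + nu1(k)."""
    return (a_des - 1.0) * V + nu1

def allocate_force(z1, alpha, beta, T, m_model):
    """Minimum-norm (X, Y, Z) with (T/m_model) * c . F = z1.

    Assumed stand-in for the chapter's constrained control allocation.
    """
    c = direction(alpha, beta)
    gain = m_model * z1 / T
    return tuple(gain * ci for ci in c)

def effective_pole(a_des, m, m_model):
    """Pole of the airspeed loop when the inversion uses m_model instead of m."""
    return 1.0 - (m_model / m) * (1.0 - a_des)

def simulate(V0, V_ref, a_des, steps, T=0.05, m=3.0e5, m_model=None):
    """Closed loop: nu1 is held at (1 - a_des)*V_ref so V_ref is the fixed point."""
    m_model = m if m_model is None else m_model
    nu1 = (1.0 - a_des) * V_ref
    V, history = V0, [V0]
    for k in range(steps):
        # Constructed, time-varying flow angles: the inversion must cancel them.
        alpha = 0.05 + 0.02 * math.sin(0.3 * k)
        beta = 0.01 * math.cos(0.2 * k)
        z1 = virtual_input(V, nu1, a_des)
        force = allocate_force(z1, alpha, beta, T, m_model)
        V = airspeed_step(V, force, alpha, beta, T, m)
        history.append(V)
    return history

if __name__ == "__main__":
    exact = simulate(90.0, 100.0, 0.9, 20)
    wrong_mass = simulate(90.0, 100.0, 0.9, 20, m=3.0e5, m_model=3.6e5)
    print("exact inversion, V(20)      =", round(exact[-1], 4))
    print("20 % mass error, V(20)      =", round(wrong_mass[-1], 4))
    print("pole with 20 % mass error   =", effective_pole(0.9, 3.0e5, 3.6e5))
```

With an exact model the nonlinear update follows the linear law with pole a_des regardless of α and β; with a mass error the loop stays linear but its pole moves to 1 − (m_model/m)(1 − a_des).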
What remains now is to introduce expressions for the forces $F = [X, Y, Z]^T$ and
moments $M = [L, M, N]^T$. The forces are the sum of the external forces and the
contribution of the aerodynamics, and the moments depend on the aerodynamics
only, which leads to the expressions:
where the subscripts indicate the contribution of gravity, the wind and the aerody-
namic model, respectively. We model the aerodynamics as follows
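$$F_{aero} = \tfrac{1}{2}\rho V^2 S\, C_{F_x}\begin{bmatrix}1 & \alpha & \alpha^2 & \alpha^3 & \beta & \beta^2 & \beta^3 & \frac{pb}{2V} & \frac{qc}{2V} & \frac{rb}{2V}\end{bmatrix}^T + C_{F_u}u, \tag{11.36}$$
$$M_{aero} = \tfrac{1}{2}\rho V^2 S\begin{bmatrix}b & 0 & 0\\ 0 & \bar{c} & 0\\ 0 & 0 & b\end{bmatrix} C_{M_x}\begin{bmatrix}1 & \alpha & \alpha^2 & \alpha^3 & \beta & \beta^2 & \beta^3 & \frac{pb}{2V} & \frac{qc}{2V} & \frac{rb}{2V}\end{bmatrix}^T + C_{M_u}u, \tag{11.37}$$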
where ρ is the air density, S, b, c̄ are the wing area, wing span and wing chord,
respectively. The input variable u is a vector composed of the control surfaces and
engines of the aircraft. In this chapter we make use of a subset of these control
effectors. In this particular case we apply our controller to the four elevator surfaces,
the four ailerons, the two rudder halves and the four engines, hence $u \in \mathbb{R}^{14}$.
The aerodynamic parameters $C_{F_x}, C_{M_x} \in \mathbb{R}^{3\times 10}$ and $C_{F_u}, C_{M_u} \in \mathbb{R}^{3\times 14}$ are determined
online through a recursive identification method, using the approach presented
in Chapter 13 and [14]. Although not strictly required in the nominal and
failure-free case, the identification method is applied in both the nominal and the
failure case. Because we use data from recursive identification, we do
not have to model failures explicitly. As an example one might consider a rudder
that has become stuck. Such a failure will result in a change in the basic aerodynamic
parameters to account for the static aerodynamic moment that this creates.
Furthermore the effectiveness of the rudder itself will be reduced to zero.
Additionally, although not applied here, it is possible to include direct knowledge
of actuator failures in the controller. The uncertainty caused by failures of the air-
craft structure or actuators is considered to be small because of the relatively fast
response of the identification algorithm.
In summary, we may apply MPC to the linear system of equation (11.33), pro-
vided that the input u from (11.36)-(11.37) is allocated such that the virtual inputs
z1 , z2 in (11.23) and (11.30) satisfy equations (11.24) and (11.31). Additionally,
the physical constraints are entered into the problem to arrive at the MPC problem
(11.17,11.18,11.19) and the control allocation and weighting problem (11.21) from
Section 11.2.
[Figure: three panels showing roll rate p, pitch rate q and yaw rate, each in rad/s, plotted against time in s; legend: measurement, reference]
Fig. 11.2 Simulation result for the body rates p, q, r with respect to a reference after intro-
duction of a stabiliser runaway fault at t = 10 [s]
in spite of the failure of the stabiliser, it is still possible to track a reference on the
pitch rate. It is assumed that extensive tuning of parameters like the state- and input
weighting matrices Q, Qu , Ru , the selected sampling interval T , and the prediction
horizon N will lead to greatly improved tracking behaviour.
What remains to be said about this example is that the computational complexity
of the control method is quite high. It is expected that this can be greatly improved
upon through a more efficient implementation of the controller. Furthermore, al-
though not visible in the provided results, the online identification algorithm suffers
from lack of excitation when the system is controlled to be in steady-state for ex-
tended periods of time. Both of these issues are not addressed in this chapter, but
will be the topic of future research.
[Figure: panels showing λ, LOCvalid, VTAS, φ, p, q, r, α, β, nz and ny against time]
Fig. 11.3 Overview of several aircraft states during a right-hand turn and subsequent localiser
intercept. The top left and top right graph in the figure depict the angle λ with respect to the
localiser beam and the signal that indicates whether the localiser signal is valid.
the quality of the initial estimate of the aircraft parameters is high. Furthermore, the
aerodynamic model of the benchmark may basically be regarded to be a black-box
system, hence it is not possible to use exact knowledge of this model for testing pur-
poses. This, combined with the fact that the control method is particularly sensitive
to tuning of the weighting matrices in both MPC and the control allocation method,
makes it difficult to achieve proper results for flying full manoeuvres from the list
of assessment criteria. In order to show the applicability of the method, provided
that the uncertainty of the aerodynamic model is not too high and that the tuning
of the controller is appropriately chosen, we show an example manoeuvre that was
obtained through simulation of the benchmark where the aerodynamics have been
replaced by a static, but still nonlinear, model.
Figures 11.3, 11.4 and 11.5, which are included at the end of the chapter, show
the results when the aircraft is made to fly a turn to the right followed by a localiser
intercept. Figure 11.3 shows a subset of the aircraft states and the angle between the
aircraft heading and the localiser beam λ during this particular simulation example.
Also indicated in the figure are the assessment specifications. Figures 11.4 and 11.5
show the accelerations of the aircraft and the horizontal trajectory of the aircraft.
The results presented here consider a flight in a fault-free scenario, but given the
simplified aerodynamic model, different failure scenarios with stuck control surfaces
perform equally well. What may be concluded from this simulation is that the
combination of MPC and the inversion of the nonlinear aircraft kinematics through
[Figure: three panels showing the body accelerations axb, ayb and azb in ms−2]
Fig. 11.4 Overview of the accelerations of the aircraft body during the right turn and localiser
intercept.
[Figure: horizontal trajectory, ye (East) plotted against xe (North)]
Fig. 11.5 Representation of the horizontal trajectory that was flown by the aircraft during the
right hand turn and localiser intercept manoeuvre.
NDI is valid for FTFC purposes, provided correct knowledge of the aerodynamics
of the aircraft is available.
11.5 Conclusion
This chapter has presented the combination of MPC and FBL into a constrained and
globally valid control method and is as such an evolution of previous work ([19]).
Using the proposed control method, it is possible to implement a reconfigurable
flight control-law that is valid throughout the flight envelope. The reconfigurable
properties are a result of efficient distribution of the desired control effort over the
remaining and redundant control inputs. Furthermore, the method can take into ac-
count various input, state and output constraints. The latter is particularly useful
when actuators get stuck in a certain position.
An example has been provided that shows that the combination of the proposed
control strategy and online recursive identification can retain a trim state as well
as track a reference when the body states of the benchmark model are controlled.
Practical issues that will be the topic of future research are related to the construc-
tion of a more computationally efficient adaptation of this controller. Additionally, it
will have to be taken into account that the recursive identification scheme is applied
in a closed-loop setting, although this is not explicitly accounted for at the moment.
From a theoretical point of view an interesting subject for future research is the
addition of robustness to the FTFC method, since it is well known that feedback
linearisation and dynamic inversion methods are not particularly robust to modelling
uncertainties. Such modelling uncertainties particularly arise in situations where
FDI information is not available instantaneously. In order to achieve this, it is nec-
essary to include theory for determination of the uncertainty in a model after having
performed feedback linearisation, as discussed in [20]. The same holds for the de-
velopment of theory that explains the effect of discretisation on model uncertainty
so as to obtain an uncertain discrete-time feedback linearised system that is suitable
for control with robust model predictive control methods like [21].
Increased robustness of the FTFC method will be of great importance in applica-
tions where there is latency in the FDI system. Robustness with respect to modeling
uncertainty is required to guarantee stability until new and accurate FDI information
becomes available after a failure has occurred.
References
1. Bodson, M.: Identification with modeling uncertainty and reconfigurable control. In: Pro-
ceedings of the 32nd IEEE Conference on Decision and Control, pp. 2242–2247 (1993)
2. Jones, C.N.: Reconfigurable flight control. Technical report, Engineering Dept., Univer-
sity of Cambridge (2002)
3. Mayne, D.Q., Rawlings, J.B., Rao, C.V., Scokaert, P.O.M.: Constrained model predictive
control: stability and optimality. Automatica 36(6), 789–814 (2000)
4. Bemporad, A., Morari, M.: Robustness in identification and control, 245 (1999)
5. Qin, S.J., Badgwell, T.A.: A survey of industrial model predictive control technology.
Control Engineering Practice 11(7), 733–764 (2003)
6. Maciejowski, J.M.: Predictive control: with constraints. Pearson Education, Harlow
(2002)
7. van Soest, W.R., Chu, Q.P., Mulder, J.A.: Combined feedback linearization and con-
strained model predictive control for entry flight. Journal of Guidance, Control and Dy-
namics 29(2), 427–434 (2006)
8. van Eduard Oort, Q.P., Chu, J.A.: Robust Model Predictive Control of a Feedback Lin-
earized F-16/MATV Aircraft Model. In: Proceedings of the AIAA Guidance, Navigation,
and Control Conference and Exhibit, AIAA-2006-6318 (2006)
9. van den Boom, T.J.J.: Robust nonlinear predictive control using feedback linearization
and linear matrix inequalities. In: Proceedings of the American Control Conference, June
1997, pp. 3068–3072 (1997)
10. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable
flight control. Control Engineering Practice 13(6), 771–788 (2005)
11. Hallouzi, R., Verhaegen, M.: Reconfigurable fault tolerant control of a Boeing 747 using
subspace predictive control. In: AIAA Guidance, Navigation and Control Conference
and Exhibit, AIAA 2007-6665 (2007)
12. Huisman, H.: Fault tolerant flight control based on real-time physical model identifica-
tion and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology
(2007)
13. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight
1862. In: IFAC Safeprocess Conference (2003)
14. Lombaerts, T., Chu, Q., Mulder, J., Joosten, D.: Real time damaged aircraft model identi-
fication for reconfiguring flight control. In: Proceedings of the AIAA Atmospheric Flight
Mechanics Conference and Exhibit, AIAA-2007-6717 (2007)
15. Isidori, A.: Nonlinear control systems. Springer, Heidelberg (1995)
16. Slotine, J.J.E., Li, W.: Applied nonlinear control. Prentice Hall, Englewood Cliffs (1991)
17. Preparata, F.P., Shamos, M.I.: Computational geometry: an introduction. Springer, New
York (1985)
18. Jones, C.N., Kerrigan, E.C., Maciejowski, J.M.: Equality set projection: A new algorithm
for the projection of polytopes in halfspace representation. Technical Report CUED/F-
INFENG/TR.463, Department of Engineering, University of Cambridge (2004)
19. Joosten, D.A., van den Boom, T.J.J., Lombaerts, T.J.J.: Effective control allocation in
fault-tolerant flight control with MPC and feedback linearization. In: Proceedings of the
European Conference on Systems and control, Kos, Greece, July 2007, pp. 3552–3559
(2007)
20. Juliana, S., Chu, Q., Mulder, J., van Baten, T.: The analytical derivation of nonlinear
dynamic inversion control for parametric uncertain system. In: AIAA Guidance, Navigation,
and Control Conference and Exhibit, AIAA-2005-5849, San Francisco, CA
(August 2005)
21. Kothare, M.V., Balakrishnan, V., Morari, M.: Robust constrained model predictive con-
trol using linear matrix inequalities. Automatica 32(10), 1361–1379 (1996)
Chapter 12
A FTC Strategy for Safe Recovery against
Trimmable Horizontal Stabilizer Failure with
Guaranteed Nominal Performance
12.1 Introduction
The need for increased flight safety and aircraft reliability leads to the design of
reconfigurable fault tolerant control systems. Such systems are meant to manage
faulty situations and help the crew to recover control capabilities quickly. Fault Tol-
erant Control (FTC) is one solution to tackle this problem and has received consid-
erable attention from the control research community and aeronautical engineering
researchers in the past couple of decades (for a survey, see for instance [1, 2, 3]).
The main objective of fault tolerant control is to maintain a specified performance
level in the presence of faults. Two approaches can be distinguished in this area:
passive and active. In the passive approach, the control algorithm is designed so that
the system is able to achieve its given objectives, in healthy as well as faulty situ-
ations. Unfortunately, achieving robustness to certain faults is only possible at the
expense of decreased nominal performance. Active approaches react to fault events
by using a reconfiguration mechanism and, in certain cases, this ensures nominal
performance in fault free situations. This is a great benefit of active FTC approaches.
Active FTC is characterized by an on-line Fault Detection and Isolation (FDI) and
a reconfiguration mechanism. This scheme requires the control law to react to faults
through reconfiguration and FDI modules [4]. Many studies, based on a potentially
known fault scenario, have contributed to the development of active FTC strategies
Jérome Cieslak
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: jerome.cieslak@laps.ims-bordeaux.fr
David Henry
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: david.henry@laps.ims-bordeaux.fr
Ali Zolghadri
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: ali.zolghadri@laps.ims-bordeaux.fr
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 337–361.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
for aeronautical systems (see for instance [3, 5, 6, 7]). The goal is to maintain overall
system stability and acceptable performance in spite of the occurrence of faults by
reconfiguring the nominal control law when a fault is detected by the FDI unit.
The FDI mechanism is supposed to detect and diagnose any relevant failures which
could lead to flight performance degradation. This must be done sufficiently early
and in compliance with the stringent operational and flight dynamics constraints, to
set up timely safe recovery actions and to improve the situation and awareness of
the crew.
The main difficulty that appears when integrating the different units to build a
reliable active FTC law is that each individual subsystem is assumed to operate cor-
rectly: its output is instantaneously available to provide decisions/actions to other
subsystems. This implies some interactions between the reconfigurable controller
and the FDI unit as mentioned for instance in [8, 2, 9, 10]. To take into account this
interaction, one solution could be the progressive accommodation scheme as pro-
posed in [11]. The goal is to find in one step a stabilizing solution and to iterate step
by step to refine the solution to determine an optimal solution (in the LQ sense).
However, in this case, computational burden could be a critical factor. Some work
combines a fault tolerant controller with a diagnostic filter. In [12], the authors use
the standard H∞ setting to design a nominal controller and a robust detection filter.
In this configuration, the Youla parametrization of all stabilizing controllers is se-
lected to ensure fault compensation, with the assurance that closed-loop stability is
maintained in the presence of a fault. In [13, 14, 15], the dual Youla parametrization
is used for determining the set of all faulty processes which can be stabilized by the
(nominal) control law. It is shown how both fault diagnosis and fault tolerant control
can be combined in the same architecture and this is an interesting framework for
analyzing the relationship between FDI and FTC. However, in order to cope with
performance degradation when faults are not detected by the FDI part, the authors
proposed to activate the fault tolerant controller all the time. As a consequence, their
approach is equivalent to a passive FTC scheme. Other work in the literature is based
on Linear Parameter Varying (LPV) techniques [16, 17, 18]. The idea is to use the
residual output of the FDI scheme jointly with some subspace of the system states,
as scheduling parameters of the LPV fault tolerant controller.
In this chapter, an attempt is made to provide an active FTC strategy which ad-
dresses the aforementioned issues, i.e. the development of a FTC scheme that takes
into account within the design procedure:
• the FDI scheme performance: the final goal is to design simultaneously the FDI
and the FTC units so that they attain a guaranteed performance level when they
operate together.
• the nominal autopilot and the nominal Flight Control System (FCS) are already
in place. (This way, stability is proved and flying qualities are maintained, despite
the presence of faults and uncertainties, e.g. mass and center of gravity variations.)
The proposed approach is based on H∞ control theory. This aspect is an important
issue in this contribution. The H∞ setting has been chosen since it can be extended
to the LPV cases using the L2-induced vector norm. In this work, the LTI setting has
proved sufficient to address the FTC problem.
12.2 Nomenclature
Throughout this contribution, the following notations are used:
The Euclidean norm is always used and is written without a subscript; for example
$\|x\|$. Similarly in the matrix case, the induced vector norm is used: $\|A\| = \bar{\sigma}(A)$
where $\bar{\sigma}(A)$ denotes the maximum singular value of A. Signals, for example w(t)
or w, are assumed to be of bounded energy, and their norm is denoted by $\|w\|_2$, i.e.
$\|w\|_2 = \left(\int_{-\infty}^{\infty}\|w(t)\|^2\,dt\right)^{1/2} < \infty$. Linear models, for example, P(s) or simply P, are
assumed to be in $RH_\infty$, i.e. real rational functions with $\|P\|_\infty = \sup_\omega \bar{\sigma}(P(j\omega)) < \infty$.
Block diagrams are used to represent interconnections of systems. For example,
the structure shown in Fig. 12.1 represents the equations
$$\begin{aligned}\eta &= \Delta\varepsilon\\ \varepsilon &= P_{11}\eta + P_{12}u\\ y &= P_{21}\eta + P_{22}u\end{aligned} \tag{12.1}$$
In terms of the input u and output y, this can be expressed as the upper linear
fractional representation (LFR) $y = F_u(P, \Delta)u$ that is deduced from (12.1) using some
linear algebra manipulations:
where $P_{11}, P_{12}, P_{21}, P_{22}$ are deduced from the partition of P as illustrated in Fig. 12.1.
Similarly, the lower LFR $F_l(P, K)$ is defined according to
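$$\Delta = \{\text{block diag}(\delta_1^r I_{k_1}, \ldots, \delta_{m_r}^r I_{k_{m_r}}, \delta_1^c I_{k_{m_r+1}}, \ldots, \delta_{m_c}^c I_{k_{m_r+m_c}}, \Delta_1^C, \ldots, \Delta_{m_C}^C),\ \delta_i^r \in \mathbb{R},\ \delta_i^c \in \mathbb{C},\ \Delta_i^C \in \mathbb{C}\} \tag{12.4}$$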
[Figure: block P with input u and output y, closed over the block Δ through the signals η and ε]
Fig. 12.1 The interconnection structure of systems.
where $\delta_i^r I_{k_i}$, $i = 1, \ldots, m_r$, $\delta_j^c I_{k_{m_r+j}}$, $j = 1, \ldots, m_c$ and $\Delta_l^C$, $l = 1, \ldots, m_C$ are known
respectively as the 'repeated real scalar' blocks, the 'repeated complex scalar' blocks
and the 'full complex' blocks.
The following classical notations are used when dealing with aircraft characteristics
(the notation "•" refers to indices):
p, q, r = roll, pitch, yaw rate.
VTAS = true air speed.
α, β = angle of attack and the side slip angle.
φ, θ, ψ = roll, pitch, yaw angle.
xe, ye, h = ground position of the aircraft.
δa••, δe••, δr• = aileron, elevator, rudder deflection.
δsp•, δf• = spoiler and flap deflection.
ih = stabilizer deflection.
EPR• = thrust engine position.
Following the basic ideas presented in [19], the design of the FTC loop is tackled
according to the block diagram of Fig. 12.3. The proposed reconfigurable flight
control scheme is made up of three parts: a FDI part represented by the dynamical
filters Hy (s), Hu (s) and a decision making rule, a FTC part represented by K̃(s)
which generates an additional control signal ũ to be added to the nominal control
signal uo in faulty situations, and a FTC activation mechanism to activate the FTC
strategy. Once again, the overall FTC strategy works in such a way that, in a fault
free situation, the FTC loop is not activated leaving the aircraft only controlled by
the autoflight control system. When the FTC strategy is activated, the control law is
reconfigured by adding the signal ũ to the nominal control signal uo . The activation
of this loop is done by using a switching logic, i.e. the autoflight control system is
not removed when no fault is present, and consequently the overall scheme ensures
nominal flight performance in fault free situations. The activation of the switch is
done by the decision making rule coming from the FDI unit.
The proposed architecture raises some important issues. The first question concerns
the activation delay of the FTC strategy. During this time interval, the faulty
system is controlled by the nominal control law which has not been designed for
faulty situations. This problem is also closely related to the detection delay of
the FDI part. In this contribution, a method is discussed to address this problem
efficiently. From Fig. 12.3, in a fault free situation, the FTC scheme is in open loop.
Consequently, an important requirement is that the interconnection of Hy(s), Hu(s)
and K̃(s) must be stable.
Since Hy(s) and Hu(s) are, by definition, stable detection filters, because they generate
a residual signal vector r(t), this problem is equivalent to a stability requirement
on K̃(s). This will be discussed and clarified in section 12.6.
Fig. 12.3 The benchmark setup associated to the proposed FTC strategy
Another important aspect is the availability of the FDI mechanism. In the case
of analytical redundancy, the representations of the filters Hy (s) and Hu (s) are also
available. The decision making rules that activate the FTC strategy are then monitored
by the residual signal r. The diagram in Fig. 12.3 can then be represented by
the diagram of Fig. 12.4 where Kn (s) is the autoflight control system and G(s) is the
model of the aircraft. The FTC design problem is now equivalent to the design of a
dynamical fault tolerant controller K̃(s) that ensures in some sense, input/output
insensitivity against the fault. This problem can be formulated in the following
manner:
Problem 12.1. Suppose that the faulty system is stabilisable. The goal is to design
a stable controller K̃(s) to produce the new control signal
such that the stability of the aircraft and the required control objectives are guar-
anteed for the THS fault. Using an H∞ formulation [20, 21], this means that K̃(s)
should satisfy
$$\|F_l(P_1, \tilde{K})\|_\infty < \gamma_1 \tag{12.6}$$
where P1(s) is deduced from Kn(s), G(s), Hy(s) and Hu(s) using standard algebraic
manipulations. The scalar γ1 denotes some FTC performance level to be achieved.
In this formulation, $F_l(P_1, \tilde{K})$ corresponds to the lower LFT (linear fractional
transformation) of P1(s) by K̃(s).
When the FDI mechanism is available on-board, the FTC problem can be seen as
the design of a new dynamical filter denoted by K(s), as seen in Fig. 12.5. The
on-board FDI unit is also used to manage the activation switch. In this case, the
synthesis Problem 12.1 can be formulated as follows:
Problem 12.2. Suppose that the faulty system is stabilisable. The goal is to design
a stable controller K(s) to produce the new control signal
$$u(t) = u_0(t) + K(s)\begin{pmatrix}y(t)\\ u_0(t)\end{pmatrix} \tag{12.7}$$
such that the stability of the aircraft and the required control objectives are guaran-
teed for the THS fault. This means in the H∞ framework that K(s) should satisfy:
$$\|F_l(P_2, K)\|_\infty < \gamma_2 \tag{12.8}$$
Here, P2 (s) is deduced from Kn (s) and G(s) after some straightforward alge-
braic manipulation. Again, the scalar γ2 represents some performance level to be
achieved.
Some key features of the proposed method are:
• the simultaneous design of the FDI unit and the FTC mechanism so that they
provide a guaranteed performance level when they operate together.
• the existing systems that are available on-board are retained to reduce the certi-
fication process. This includes the flight controller Kn and a FDI unit, if available.
Remark 12.2. In Figs. 12.4 and 12.5, it is natural to ask about the stability of the FTC
loop in the presence of the switch. Here, we assume that once a fault is detected, the
switch is definitively activated and the compensation signal ũ remains active for all
subsequent time. The remaining problem concerns the transient behaviour of ũ. To
avoid ‘bumps’, a solution to manage this problem is given in the appendix.
The matrices A11 , A12 , B1 ,C1 ,C2 and D22 are deduced from the aforementioned
state-space representations according to:
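$$A_{11} = \begin{pmatrix} A + BM\tilde{D}D_yC & BM\tilde{C} & BM\tilde{D}C_y\\ \tilde{B}D_y\left(C + DM\tilde{D}D_yC\right) & \tilde{A} + \tilde{B}D_yDM\tilde{C} & \tilde{B}\left(I + D_yDM\tilde{D}\right)C_y\\ B_y\left(I + DM\tilde{D}D_y\right)C & B_yDM\tilde{C} & A_y + B_yDM\tilde{D}C_y\end{pmatrix} \tag{12.10}$$
$$A_{12} = \begin{pmatrix} BM\tilde{D}C_u\\ \tilde{B}\left(I + D_yDM\tilde{D}\right)C_u\\ B_yDM\tilde{D}C_u\end{pmatrix} \qquad B_1 = \begin{pmatrix} BM(I + \tilde{D}D_u)\\ \tilde{B}\left(D_u + D_yDM(I + \tilde{D}D_u)\right)\\ B_yDM(I + \tilde{D}D_u)\end{pmatrix} \tag{12.11}$$
$$C_1 = \begin{pmatrix} C + DM\tilde{D}D_yC & DM\tilde{C} & DM\tilde{D}C_y\end{pmatrix} \qquad C_2 = DM\tilde{D}C_u \tag{12.12}$$
$$D_{22} = DM\left(I + \tilde{D}D_u\right) \qquad M = \left(I - \tilde{D}D_yD\right)^{-1} \tag{12.13}$$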
The augmented state vector $x_c$ is $x_c = (x^T\ \tilde{x}^T\ x_y^T)^T$
where $x$, $\tilde{x}$, $x_y$ and $x_u$ are the state
vectors associated with G(s), K̃(s), Hy(s) and Hu(s) respectively.
From (12.9), it can be seen that the poles of GFTC (s) are given by the eigenval-
ues of A11 and Au . Note that the expression for A11 does not contain the Au , Bu ,Cu
and Du matrices. It follows that Hu (s) (stable filter) does not impact on the stabil-
ity of GFTC (s). This property justifies the choice to take the signal uo for the FDI
part instead of u in which case, an internal loop appears affecting the stability of
GFTC (s).
Now, consider the diagram in Fig. 12.5 and let the state-space realizations of
the transfer function matrices Kn (s) and GFTC (s) (see equation (12.9)) be given by
(An , Bn ,Cn , Dn ) and (AG , BG ,CG , DG ) respectively. By definition
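$$A_G = \begin{pmatrix}A_{11} & A_{12}\\ 0 & A_u\end{pmatrix} \qquad B_G = \begin{pmatrix}B_1\\ B_u\end{pmatrix} \qquad C_G = \begin{pmatrix}C_1 & C_2\end{pmatrix} \qquad D_G = D_{22} \tag{12.14}$$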
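Let $x_n$ be the state vector of Kn(s) and denote by $x_G$ the augmented vector so that
$x_G = (x^T\ \tilde{x}^T\ x_y^T\ x_u^T)^T$. Direct calculations lead to the following closed loop
state-space model
$$\left\{\begin{aligned}\begin{pmatrix}\dot{x}_G\\ \dot{x}_n\end{pmatrix} &= A_T\begin{pmatrix}x_G\\ x_n\end{pmatrix} + B_T\, y_{ref}\\ y &= C_T\begin{pmatrix}x_G\\ x_n\end{pmatrix} + D_T\, y_{ref}\end{aligned}\right. \tag{12.15}$$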
where AT , BT ,CT and DT are given by:
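$$A_T = \begin{pmatrix}A_G - B_GD_nNC_G & B_GC_n - B_GD_nND_GC_n\\ -B_nNC_G & A_n - B_nND_GC_n\end{pmatrix} \qquad B_T = \begin{pmatrix}B_GD_n(I - ND_GD_n)\\ B_n(I - ND_GD_n)\end{pmatrix} \tag{12.16}$$
$$C_T = \begin{pmatrix}NC_G & ND_GC_n\end{pmatrix} \qquad D_T = ND_GD_n \qquad N = (I + D_GD_n)^{-1} \tag{12.17}$$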
Expression (12.15) shows that the stability of the overall loop depends on the stabil-
ity of the FDI filter. This is an expected and rather evident result. Then, expression
(12.15) reveals that the FDI and FTC dynamics are highly coupled.
where L denotes the observer gain. Now, suppose without loss of generality that
D = 0, i.e. G(s) is a strictly proper transfer function. Then, equation (12.15) becomes
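$$\left\{\begin{aligned}\begin{pmatrix}\dot{x}\\ \dot{x}_n\\ \dot{\tilde{x}}\\ \dot{\zeta}\end{pmatrix} &= \begin{pmatrix}A - BD_nC & BC_n & B\tilde{C} & B\tilde{D}C\\ -B_nC & A_n & 0 & 0\\ 0 & 0 & \tilde{A} & \tilde{B}C\\ 0 & 0 & -B\tilde{C} & A + LC - B\tilde{D}C\end{pmatrix}\begin{pmatrix}x\\ x_n\\ \tilde{x}\\ \zeta\end{pmatrix} + \begin{pmatrix}BD_n\\ B_n\\ 0\end{pmatrix} y_{ref}\\ y &= \begin{pmatrix}C & 0\end{pmatrix}\begin{pmatrix}x\\ x_n\\ \tilde{x}\\ \zeta\end{pmatrix}\end{aligned}\right. \tag{12.20}$$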
where 0 and ζ denote the null matrix of appropriate dimension and the estimation
error x − x̂ respectively.
Noting that the A-matrix in (12.20) is upper block triangular, it follows that the
stability of the global FTC scheme depends on the local FTC loop K̃(s) and the
nominal control law Kn (s). In other words, (12.20) reveals a separation principle.
This suggests a very interesting design procedure that is well known in the LQG
(Linear Quadratic Gaussian) control theory namely: the local FTC and the observer-
based FDI schemes can be designed separately.
Proposition 12.1. Consider the diagrams depicted in Figs. 12.4 and 12.5. Let S, R, T
denote respectively the (nominal) sensitivity function, the sensitivity function of the
controlled input and the complementary sensitivity function, i.e.
Simplified models for the longitudinal and lateral modes can then be derived to
obtain a better physical insight into the modes and their interactions. These models
are widely used in aeronautical engineering and are not developed here. Since the
fault considered here acts only on the longitudinal motion of the aircraft (see Remark
12.1), only the longitudinal mode is considered. This boils down to the following
state space model:
$$\begin{aligned}\dot{x}(t) &= Ax(t) + Bu(t)\\ y(t) &= Cx(t) + v(t)\end{aligned} \tag{12.29}$$
where x denotes the longitudinal state vector which is defined by
$x = (q\ \ V_{TAS}\ \ \alpha\ \ \theta\ \ h)^T$. The vector $u = (\delta_{e\bullet\bullet}\ \ i_h)^T$ is the control input and
$y = (q\ \ \theta\ \ \dot{h}\ \ h\ \ V_{TAS})^T$ is the measured output vector.
Taking into account the THS fault and after some abuse of notation, the following
linear state-space model is derived:
$$\begin{aligned}\dot{x}(t) &= Ax(t) + B_e u(t) + B_f f_{THS}(t)\\ y(t) &= Cx(t) + v(t)\end{aligned} \tag{12.30}$$
The input signals $u = \delta_{e\bullet\bullet}$ correspond to the elevator deflections, and $f_{THS} = i_h$
denotes the THS fault. The state space matrices $A$, $B_e$, $B_f$ and $C$ are defined according
to
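$$A = \begin{pmatrix}-6.7926\times10^{-1} & -8.6\times10^{-6} & -8.856\times10^{-1} & 0 & -3.45\times10^{-6}\\ -1.6179\times10^{-1} & -7.588\times10^{-3} & 4.9965 & -9.8 & 4.59\times10^{-5}\\ 1.0084 & -1.0036\times10^{-3} & -6.735\times10^{-1} & 0 & 5.9\times10^{-6}\\ 1 & 0 & 0 & 0 & 0\\ 0 & 0 & -1.338\times10^{2} & 1.338\times10^{2} & 0\end{pmatrix} \tag{12.31}$$
$$B_e = \begin{pmatrix}-4.965\times10^{-3} & -4.965\times10^{-3} & -4.794\times10^{-3} & -4.794\times10^{-3}\\ 0 & 0 & 0 & 0\\ -1.86\times10^{-4} & -1.86\times10^{-4} & -1.9\times10^{-4} & -1.9\times10^{-4}\\ 0 & 0 & 0 & 0\\ 0 & 0 & 0 & 0\end{pmatrix} \tag{12.32}$$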
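$$B_f = \begin{pmatrix}-4.5944\times10^{-2}\\ 0\\ -1.912\times10^{-3}\\ 0\\ 0\end{pmatrix} \tag{12.33}$$
$$C = \begin{pmatrix}1 & 0 & 0 & 0 & 0\\ 0 & 0 & 0 & 1 & 0\\ 0 & 0 & -1.338\times10^{2} & 1.338\times10^{2} & 0\\ 0 & 0 & 0 & 0 & 1\\ 0 & 1 & 0 & 0 & 0\end{pmatrix} \tag{12.34}$$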
Note that this model is clearly an approximation of the real faulty behaviour of the
aircraft. To validate the above linear model, nonlinear simulations were performed
versus linear ones. For easy reference, measurement noises have been removed in
the simulations. Figure 12.6 shows linear and nonlinear simulation results. It can be
seen that the linearized model responses are close to the responses of the nonlinear
model given in (12.26).
Fig. 12.6 Dynamic behaviour of the outputs predicted by the linear and nonlinear models for
the considered THS fault
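The linear faulty model (12.30) propagated in time for a THS step fault with the elevators held at zero, as an added example that is not part of the original chapter. The matrix entries are transcribed from (12.31)-(12.34) and the measurement noise v(t) is omitted; the RK4 integrator, the step size, the fault size of one unit of i_h and the fault time are assumptions chosen for illustration.

```python
# State x = (q, VTAS, alpha, theta, h); u = four elevator deflections;
# f = THS fault i_h; output y = (q, theta, hdot, h, VTAS).
A = [[-6.7926e-1, -8.6e-6, -8.856e-1, 0.0, -3.45e-6],
     [-1.6179e-1, -7.588e-3, 4.9965, -9.8, 4.59e-5],
     [1.0084, -1.0036e-3, -6.735e-1, 0.0, 5.9e-6],
     [1.0, 0.0, 0.0, 0.0, 0.0],
     [0.0, 0.0, -1.338e2, 1.338e2, 0.0]]
BE = [[-4.965e-3, -4.965e-3, -4.794e-3, -4.794e-3],
      [0.0, 0.0, 0.0, 0.0],
      [-1.86e-4, -1.86e-4, -1.9e-4, -1.9e-4],
      [0.0, 0.0, 0.0, 0.0],
      [0.0, 0.0, 0.0, 0.0]]
BF = [-4.5944e-2, 0.0, -1.912e-3, 0.0, 0.0]
C = [[1.0, 0.0, 0.0, 0.0, 0.0],
     [0.0, 0.0, 0.0, 1.0, 0.0],
     [0.0, 0.0, -1.338e2, 1.338e2, 0.0],
     [0.0, 0.0, 0.0, 0.0, 1.0],
     [0.0, 1.0, 0.0, 0.0, 0.0]]
NO_ELEVATOR = (0.0, 0.0, 0.0, 0.0)

def matvec(M, v):
    return [sum(mij * vj for mij, vj in zip(row, v)) for row in M]

def xdot(x, u, f):
    """Right-hand side of (12.30): A x + Be u + Bf f."""
    ax, bu = matvec(A, x), matvec(BE, u)
    return [ax[i] + bu[i] + BF[i] * f for i in range(5)]

def outputs(x):
    """y = C x, with the noise term v(t) left out."""
    return matvec(C, x)

def rk4_step(x, u, f, dt):
    """One classical Runge-Kutta step with u and f held constant over the step."""
    def shifted(k, s):
        return [xi + s * ki for xi, ki in zip(x, k)]
    k1 = xdot(x, u, f)
    k2 = xdot(shifted(k1, dt / 2), u, f)
    k3 = xdot(shifted(k2, dt / 2), u, f)
    k4 = xdot(shifted(k3, dt), u, f)
    return [xi + dt / 6 * (a + 2 * b + 2 * c + d)
            for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]

def simulate_ths_fault(f_size, fault_step, steps, dt=0.01, u=NO_ELEVATOR):
    """Deviation from trim for a THS step fault that starts at step fault_step."""
    x = [0.0] * 5
    trajectory = [x]
    for k in range(steps):
        f = f_size if k >= fault_step else 0.0
        x = rk4_step(x, u, f, dt)
        trajectory.append(x)
    return trajectory

if __name__ == "__main__":
    traj = simulate_ths_fault(f_size=1.0, fault_step=100, steps=500)
    for k in (100, 101, 200, 500):
        q, theta, hdot, h, vtas = outputs(traj[k])
        print(f"t={k * 0.01:4.2f}s q={q:+.5f} theta={theta:+.5f} "
              f"hdot={hdot:+.4f} h={h:+.4f} VTAS={vtas:+.5f}")
```

Because nothing opposes the fault here, the run shows the uncompensated deviation that the additional signal ũ is meant to remove.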
To this end, the 'mixed sensitivity' H∞ approach is used [20, 22]. The setup used
for the design problem is given in Fig. 12.9. W1(s) and W2(s) are the weighting
functions used to shape the transfer functions $S_{FTC}(s)$ and $R_{FTC}(s)$ given by
$$S_{FTC}(s) = \left(I + C(sI - A)^{-1}B_e K(s) M\right)^{-1} C(sI - A)^{-1}B_f \tag{12.35}$$
$$\|F_l(P, K)\|_\infty < \gamma \qquad \gamma < 1 \tag{12.37}$$
where P(s) is deduced from Fig. 12.10 by including W 1 (s) and W 2 (s) within
Gu (s) = C(sI − A)−1Be and G f (s) = C(sI − A)−1 B f .
ARE (Algebraic Riccati Equation) solutions exist in the literature that address this
problem, see for instance [24].
As an alternative, the following technique, which has proven to be computationally
powerful, is proposed. It is based on the Youla parametrisation (the Youla
parameter is denoted Q(s)), which facilitates the definition of the set of all controllers
satisfying (12.37):
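Proposition 12.2. Assume that a solution to the optimal H∞ problem above exists
for a $\gamma < 1$, i.e. there exists $K(s) = F_l(\hat{K}(s), Q(s))$ with $Q \in RH_\infty$ and $\|Q\|_\infty < \gamma$
such that (12.37) holds. Denote by $F_l(\hat{K}(s), Q(s))$ the set of all controllers satisfying
(12.37). Then, there exists a solution to the H∞ strong stabilization Problem 12.3 if
and only if there exists $Q = \begin{bmatrix} A_q & B_q \\ C_q & D_q \end{bmatrix}$ of some suitable order with $\|Q\|_\infty < \gamma$ such
that

$$A = \begin{pmatrix} \hat{A} + \hat{B}_2 \hat{R}^{-1} D_q \hat{C}_2 & \hat{B}_2 \hat{R}^{-1} C_q \\ B_q \hat{S}^{-1} \hat{C}_2 & A_q + B_q \hat{S}^{-1} \hat{D}_{22} C_q \end{pmatrix} \tag{12.38}$$

is stable, where $\hat{R} = I - D_q \hat{D}_{22}$ and $\hat{S} = I - \hat{D}_{22} D_q$. The matrix $A$ denotes the system
matrix associated with $K(s)$ and $\hat{A}$, $\hat{B}_1$, $\hat{B}_2$, $\hat{C}_1$, $\hat{C}_2$, $\hat{D}_{11}$, $\hat{D}_{12}$, $\hat{D}_{21}$ and $\hat{D}_{22}$ denote the
state space matrices associated with $\hat{K}(s)$, i.e. $\hat{K}(s) = \begin{bmatrix} \hat{A} & \hat{B}_1 & \hat{B}_2 \\ \hat{C}_1 & \hat{D}_{11} & \hat{D}_{12} \\ \hat{C}_2 & \hat{D}_{21} & \hat{D}_{22} \end{bmatrix}$.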
This proposition shows that Problem 12.3 is equivalent to finding a suitable Youla
parameter such that A is stable and ||Q||∞ < γ . In particular, the central controller
K(s) = Fl (K̂(s), 0) = K̂(s) is a suitable solution if a stable  is found.
The weighting function $W_1(s)$ has been chosen to impose a small damping ratio
on the altitude h (m) and the pitch angle θ (rad) in the faulty situation. Moreover,
an integral component is introduced in $W_1(s)$ to ensure rejection of the THS fault.
The transfer function $W_2(s)$ has been fixed to take into account actuator saturation
phenomena. More precisely, $W_2^{-1}(s)$ is a low pass filter. This choice is required
to attenuate the energy of the control signal applied to the elevator surfaces such
that the control signal behaviour remains smooth (high frequency filter action). The
transfer functions $W_1(s)$ and $W_2(s)$ are defined according to

$$W_1(s) = \mathrm{diag}\left(W_\theta(s), W_h(s)\right) = \mathrm{diag}\left(18\,\frac{0.5s + 1}{5\cdot10^{-2}s + 1},\; \frac{50s + 1}{10^{-7}s + 1}\right) \tag{12.39}$$

$$W_2(s) = 0.1\,\frac{0.1s + 1}{2.5\cdot10^{-4}s + 1}\, I_4 \tag{12.40}$$
From this choice, it is assumed that GFTC (s) will be ‘close’ to G(s) despite the
presence of the THS fault. Thus, following section 12.5, stability of the FTC law
is proved and nominal performance is preserved. This will be a posteriori verified
using a singular values analysis (see Fig. 12.11).
The transfer function K(s) is then synthesized by applying Proposition 12.2. Note
that the central solution $K = F_l(\hat{K}, 0) = \hat{K}$ is retained since $\hat{A}$ is stable. The computed
controller $\hat{K}$ is given in its state-space form in the appendix. Figure 12.11 shows the
frequency responses obtained for the computed solution K(s). It can be seen that

$$\sigma\left(T_{f_{THS} \to \theta}(j\omega)\right) < \sigma\left(W_\theta^{-1}(j\omega)\right) \quad \forall\omega \tag{12.41}$$

$$\sigma\left(T_{f_{THS} \to h}(j\omega)\right) < \sigma\left(W_h^{-1}(j\omega)\right) \quad \forall\omega \tag{12.42}$$

and

$$\sigma\left(T_{f_{THS} \to \delta_{e_{\bullet\bullet}}}(j\omega)\right) < \sigma\left(W_2^{-1}(j\omega)\right) \quad \forall\omega \tag{12.43}$$

indicating that the FTC controller K(s) achieves the desired performance level.
Moreover, the small gap between the singular values and the associated weighting
functions shows definitively that the nominal performance of the benchmark control
law is preserved.
Fig. 12.13 Behavior of h(t), q(t), VTAS(t), θ(t), ḣ(t) - Landing approach (panels: q [deg/s], theta [deg], hdot [m/s], h [m], TAS [m/s], each against Time (s))
[Figure: Nz [g] against Time (s); curves: fault-free trajectory, with FTC strategy in faulty situation]
Figure 12.14 illustrates the behaviour of the load factor nz (t). It can be seen that
the magnitude of the undesirable transients on nz caused by the occurrence of faults
is reduced. From a practical point of view, the aircraft exhibits smaller excursions
in altitude, airspeed, etc.
Remark 12.3. Following Remark 12.2, the activation of the switch may cause some
undesirable transient behaviours of both the input/output signals u/y. These
phenomena, known as ‘bumps’, are due to discontinuities between the two switched
control laws. To overcome this problem, a solution is discussed in Appendix A.
Here, such a ‘bumpless’ solution has proven not to be necessary.
where τ denotes the input signal from K(s) before the switch, x is the state vector
of K(s) and Fs is the static design gain.
Different approaches can be used to design Fs . Here, we propose to use the idea
initially suggested by [25].
To compute Fs , the following quadratic criterion is minimized:
0
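$$J(\tilde{u}, \tau) = \frac{1}{2} \int_0^\infty \left[ \tilde{u}^T W_u \tilde{u} + \left(\tau - \begin{pmatrix} y \\ u_0 \end{pmatrix}\right)^T W_e \left(\tau - \begin{pmatrix} y \\ u_0 \end{pmatrix}\right) \right] dt \tag{12.45}$$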
$$M = (A + \Pi B)^{-1} \tag{12.47}$$

$$N = -\left(D^T W_u D + W_e\right)^{-1} \tag{12.48}$$
The matrix Π is the positive definite stationary solution of the following ARE:
Π A + AΠ + Π BΠ + C = 0 (12.49)
Remark 12.4. Using this strategy, we assume that Fs has access to the controller
states x. This is a modest assumption because most modern controllers are realized
in software form, so the states are computer variables.
Remark 12.5. The proposed scheme is a unidirectional solution that reduces the
undesirable bump effects during the switch from the nominal situation to the failure
situation. If $t_{s2}$ is the time at which the switch from the failure situation to the
nominal situation is done, just before the switch at time $t_{s2}^-$, the controller K(s) satisfies
the following equation:

$$\left\{ \begin{aligned} \tilde{u} &= K \begin{pmatrix} x \\ y \\ u_0 \end{pmatrix} \\ \tau &= F_s \begin{pmatrix} x \\ y \\ u_0 \end{pmatrix} \end{aligned} \right. \tag{12.52}$$

Then the control signal applied to the system at $t_{s2}^-$ is given by
After the switch, at time $t_{s2}^+$, the controller K(s) is derived from equation (12.44).
Then, we have $u(t_{s2}^+) = u_0(t_{s2}^+)$. Hence, to avoid undesirable ‘bumps’, the sufficient
and necessary condition is that $\tilde{u}(t_{s2}^-) \to 0$. Unfortunately, because at time
$t_{s2}^-$ the FTC strategy is activated, it is not possible to modify the controller K(s).
The discontinuity due to the switch from the failure situation to the nominal situation
is thus related to the dynamics of the FTC loop that would be activated at the
switching time.
Appendix B: Computed Controller K̂(s) = ĈK (sI − ÂK )−1 B̂K + D̂K
⎛
−1, 7162 3, 3565 −1, 185.10−1 6, 811.10−1 −7, 7.10−1
⎜ 2, 9558.101 −3, 7388.101 −7, 8587 −1, 7738
⎜ 1, 2848
⎜ −7, 788.10−1 9, 774.10−1 −3, 37.10−2 2, 058.10−1 7, 5.10−2
⎜
⎜ 1, 1398 −3, 4239 1, 174.10−1 −7, 375.10−1 −6, 838.10−1
⎜
⎜ −2, 339.101 2, 329.101 −3, 271.10−1 −1, 6779 3, 7997.101
⎜
⎜
ÂK = ⎜ −8, 95.10−2 2, 43.10−2 −3, 954.10−4 −1, 62.10−2 1, 052.10−1 ...
⎜
⎜ −2, 86.10−2 2, 3.10−3 −7, 8845.10−6 −2, 2.10−3 9, 5.10−3
⎜
⎜ −2, 82.10−1 1, 62.10−2 −5, 1039.10−4 −1, 75.10−2 6, 45.10−2
⎜
⎜ −1, 656.101
⎜ 1, 5729 −8, 04.10−2 6, 244.10−1 −5, 1504
⎝ 8, 11.10−2 4, 52.101 −1, 3291 7, 6391 −9, 4739
−1, 57.101 −4, 8599 1, 212.10−1 −7, 662.10−1 −4, 814.10−1
⎞
4, 78.10−4 −1, 8435.10−4 −6, 782.10−4 9, 5556 −9, 9179 1, 32.102
3, 9454.10−4 −3, 1287.10−4 −1, 4.10−3 1, 787.101 −2, 631.101 −3, 0634.102⎟ ⎟
−3, 0156.10−5 6, 363.10−6 3, 0341.10−5 −4, 226.10−1 8, 68.10−1 6, 4394 ⎟ ⎟
5, 389.10−4 1, 635.10−5 8, 234.10−5 3, 179.10−1 −5, 07 −4, 9275 ⎟ ⎟
−3, 96.10−2 −2, 8.10−3 −1, 89.10−2 5, 296.101 2, 8089.102 −3, 6264.103⎟ ⎟
⎟
... −1, 0014.101 −1, 0293.10−7 1, 9424.10−5 −3, 49.10−2 5, 067.10−1 1, 2117.101 ⎟
⎟
−4, 6584.10−6 −1, 0021.10 3, 0821.10
1 −6 −3, 14.10 −2 6, 66.10 −2 −1
8, 467.10 ⎟
⎟
−3, 4045.10−5 1, 1915.10−6 −1, 0036.101 −2, 009.10−1 4, 902.10−1 5, 9173 ⎟
⎟
4, 5.10−3 7, 026.10 −4 3, 5.10 −3 −3, 4859.10 −1, 667.10
1 1 2, 48.10 ⎟
2
⎟
7, 6.10−3 5, 0864.10 −4 3, 3.10 −3 −8, 123 −5, 3855.10 6, 9177.10 ⎠
1 2
References
1. Zhang, Y., Jiang, J.: Bibliographical review on reconfigurable fault-tolerant control system. In: Proceedings of SAFEPROCESS 2003, Washington DC, USA, pp. 265–276. IFAC (2003)
2. Zhang, Y., Jiang, J.: Issues on integration of fault diagnosis and reconfigurable control in active fault-tolerant control systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006)
3. Steinberg, M.: Historical overview of research in reconfigurable flight control. Proceedings of the Institution of Mechanical Engineers, Part G - Journal of Aerospace Engineering 219(4), 263–275 (2005)
4. Staroswiecki, M.: From control to supervision. Annual Reviews in Control 25, 1–11 (2001)
5. Moerder, D., Halyo, N., Broussard, J., Caglayan, A.: Application of precomputed control laws in a reconfigurable aircraft flight control system. Journal of Guidance, Control and Dynamics 12(3), 325–333 (1989)
6. Huzmezan, M., Maciejowski, J.: Reconfigurable flight control of a high incidence research model using predictive control. In: International Conference on Control, Piscataway, NJ, pp. 1169–1174. Inst. of Electrical and Electronics Engineers (1998)
7. Chen, J., Patton, R.: Fault tolerant control using LMI design. In: Proceedings of European Control Conference, Porto, Portugal. IEEE, Los Alamitos (2001)
8. Maki, M., Jiang, J., Hagino, K.: A stability guaranteed active fault-tolerant control system against actuator failures. In: International Conference on Control, Piscataway, NJ, pp. 1893–1898. Inst. of Electrical and Electronics Engineers (1998)
9. Cieslak, J., Henry, D., Zolghadri, A.: A methodoly for the design of active fault tolerant systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006)
10. Cieslak, J., Henry, D., Zolghadri, A.: Development of an active fault tolerant flight control strategy. AIAA Journal of Guidance, Control, and Dynamics 31(1), 135–147 (2007)
11. Staroswiecki, M., Yang, H., Jiang, B.: Progressive accomodation of aircraft actuator faults. In: Proceedings of SAFEPROCESS 2006, Beijing, China, CD–ROM. IFAC (2006)
12. Campos-Delgado, D., Palaciosa, E., Espinoza-Trejo, D.R.: Fault accomodation strategy for LTI systems based on the gimc structure: Additive faults. In: Proceedings of Conference on Decision and Control and the European Control Conference, Seville, Spain, CD–ROM. IEEE, Los Alamitos (2005)
13. Niemann, H., Stoustrup, J.: Fault tolerant feedback control. In: Proceedings of European Control Conference, Porto, Portugal. IEEE, Los Alamitos (2001)
14. Niemann, H., Stoustrup, J.: Reliable control using the primary and dual youla parametrizations. In: Proceedings of Conference on Decision and Control, Las Vegas, USA. IEEE, Los Alamitos (2002)
15. Niemann, H., Stoustrup, J.: An architecture for sampled-data fault tolerant controllers. Int. Journal of Nonlinear Control (2004)
16. Ganguli, S., Marcos, A., Balas, G.: Reconfigurable LPV control design for boeing 747-100/200 longitudinal axis. In: Proceedings of American Control Conference, Anchorage, USA, pp. 3612–3617 (2002)
17. Gaspar, P., Szaszi, I., Bokor, J.: Reconfigurable control structure to prevent the rollover of heavy vehicles. Control Engineering Practice 13(6), 699–711 (2005)
18. Gaspar, P., Bokor, J.: A fault-tolerant rollover prevention system based on a LPV method. International Journal of Vehicle Design 42(3-4), 392–412 (2006)
19. Zhou, K., Ren, Z.: A new controller architecture for high performance, robust and fault-tolerant control. IEEE Transactions on Automatic Control 46(10), 1613–1618 (2001)
20. Doyle, J., Glover, K., Khargonekar, P.P., Francis, B.A.: State-space solutions to standard H2 and H∞ control problems. IEEE Transactions on Automatic Control 34(8), 831–847 (1989)
21. Gahinet, P., Apkarian, P.: A linear matrix inequality approach to H∞ control. Int. Journal Robust Nonlinear Control 4, 421–428 (1994)
22. Zhou, K., Doyle, J., Glover, K.: Robust and optimal control. Prentice Hall, Englewood Cliffs (1996)
23. Packard, A., Fan, M., Doyle, J.: A power method for the structured singular value. In: Proceedings of Conference on Control Decision, pp. 2132–2137. IEEE, Los Alamitos (1988)
24. Campos-Delgado, D.U., Zhou, K.: A parametric optimization approach to H∞ and H2 strong stabilization. Automatica 39(7), 1205–1211 (2003)
25. Turner, M., Walker, D.: Linear quadratic bumpless transfer. Automatica 36(8), 1089–1101 (2000)
Chapter 13
Flight Control Reconfiguration Based on Online
Physical Model Identification and Nonlinear
Dynamic Inversion
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: q.p.chu@tudelft.nl
Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 363–397.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
13.1 Introduction
There are many control approaches possible in order to achieve fault tolerant flight
control. An important aspect of these algorithms is that they should not only be
robust, but even adaptive in some way, in order to adapt to the faulty situation, see
Ref. [1] and [5] in the literature. In the category of adaptive control algorithms,
a distinction is made between indirect adaptive control and direct adaptive control.
Indirect adaptive control involves two stages. First, an estimate of the plant
model is generated online. Once the model is available, it is used to generate
controller parameters. Instead of estimating a plant model, a direct adaptive control
algorithm estimates the controller parameters directly in the controller. This can be
done via two main approaches: output error and input error. Of the two main
categories mentioned here, indirect adaptive control is preferable due to its flexibility
and its property of being model based. In both categories, there are also two
subversions, namely model reference adaptive control (MRAC) and self-tuning control
(STC). In the former, one relies on a reference model and works on minimizing
the tracking error between plant output and reference output (such as the concept
of sliding mode control). With model reference indirect adaptive control it is
feasible to achieve three important goals, namely trim value adjustment for the inputs,
decoupling of inputs and outputs and closed loop tracking of pilot commands, see
Ref. [1]. Self-tuning control focuses on adapting the (PID) control gains of the
controller by making use of the estimated parameter values and is known to be more
flexible, see Ref. [21]. Currently, much research is performed in the field of indirect
adaptive control, where the adaptation is more extensive than only tuning the
PID control gains. One of these new indirect control possibilities is adaptive model
predictive control (AMPC), which is an interesting algorithm because by its nature it
deals with (input) inequality constraints. These constraints are a good representation
for actuator faults. It should be noted that there have already been some successful
applications of MPC in the field of fault tolerant flight control, see Ref. [10] and
[14]. An alternative indirect adaptive nonlinear control approach is discussed in this
chapter, which allows the development of a reconfigurable control routine placing
emphasis on the use of physical models, and thus producing internal parameters which
are physically interpretable at any time.
This chapter discusses the combination of the two step method as an identifi-
cation procedure, and nonlinear dynamic inversion as a control method in order to
obtain a model based fault tolerant flight controller for the benchmark simulation
model used in this research project. This approach can deal with component failures
as well as structural failures. An overview of fault scenarios for which this method
is valid can be found in Table 13.1, building on a similar table with failure scenar-
ios from [9] and [7]. It should be noted that this method is not explicitly valid for
the structural loss of engine(s) and severe structural damage. However, experiments
have shown that the method is implicitly valid for these scenarios. Current research
is investigating the possible extension of the explicit validity of this method for these
failure scenarios.
The structure of this chapter is as follows. First the consecutive steps of this
two step method are discussed: Aircraft State Estimation (ASE) and Aerodynamic
Model Identification (AMI) in sections 13.2.1 and 13.2.2. Section 13.3 discusses
briefly the real time computer based aerodynamic model identification tool which
has been developed. Thereafter, as an illustration, some preliminary identification
results are shown for damaged aircraft models, see Section 13.4. The NDI based
reconfiguring control method is discussed in Section 13.6, after the selected trigger
for reconfiguration which is briefly introduced in Section 13.5. Finally, the most im-
portant conclusions and some topics for future work will be introduced in Sections
13.8 and 13.9.
Table 13.1 Overview of fault scenarios and effects in vehicle and aerodynamic model, ✓
indicates explicit validity of the method, (✓) points out implicit validity.
method validity
structural
actuator
sensor
identification (MLI) and other one step identification routines, but not all of them
are applicable on-line. One of the few procedures which can be implemented in real
time is the so-called filtering method developed at DLR, see Ref. [8]. This is a joint
state and parameter estimation algorithm, but it is very complex. The advantage of the
two step method is that it is easier to implement on-line. The key concept of the two
step method is that the identification procedure has been split into two consecutive
steps, as substantiated in Ref. [4]. One of the major advantages of the two step
method is the decomposition of a global nonlinear one step identification method
into two separate steps, where the nonlinear part is isolated in the aircraft state
estimation step. Consequently, the aerodynamic model parameter identification procedure
in the second step can be simplified to a linear procedure. The aim is to update an
a priori aerodynamic model (obtained by means of windtunnel tests and CFD
calculations) by means of on-line flight data. The first step is called the Aircraft State
Estimation phase, while the second one is the Aerodynamic Model Identification
step. In the Aircraft State Estimation procedure, an Iterated Extended Kalman Filter
is used to determine the aircraft states, the measurement equipment properties
(sensor biases) and the wind components, by making use of the nonlinear kinematic
and observation models, based upon redundant but contaminated information from
all sensors (air data, inertial, magnetic and GPS measurements). By means of this
state information, the input signals of the pilot and the earlier measurements, it is
possible to construct the combined aerodynamic and thrust forces and moments acting
on the aircraft, and by means of a recursive least squares operation, finally the
aerodynamic derivatives can be deduced. Validation tests by means of batch process
identification, least squares innovation analysis and reconstruction of velocity and
angular rate components using these aerodynamic derivatives have shown that this
method is very accurate.
However, it should be realized that these components are airspeed related, whereas
the inertial velocity components concern the ground speed. Comparing both sets
leads to the derivation of the wind components. Table 13.2 gives information about
the instrumentation errors which occur for each kind of measuring equipment men-
tioned above. By making use of the kinematic and observation model of the aircraft,
it is possible to estimate part of the instrumentation errors, which will be discussed
in more detail below.
where equation (13.1) is known as the kinematic state equation with input noise
vector w and expression (13.2) is called the observation equation with output noise
vector v. The nonlinear vector functions f and h may depend both implicitly (via x
and um ) and explicitly on t and it will be assumed that both f and h are continuous
and continuously differentiable with respect to all elements of x and um . The system
equation variables are defined as follows:
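$$x = [x \;\; y \;\; z \;\; u_b \;\; v_b \;\; w_b \;\; \phi \;\; \theta \;\; \psi]^T \tag{13.3}$$

$$u_m = u + \lambda + w = [A_x \;\; A_y \;\; A_z \;\; p \;\; q \;\; r]^T + [\lambda_x \;\; \lambda_y \;\; \lambda_z \;\; \lambda_p \;\; \lambda_q \;\; \lambda_r]^T + w \tag{13.4}$$

$$\theta = [\lambda \;\; w_{wind}]^T = [\lambda_x \;\; \lambda_y \;\; \lambda_z \;\; \lambda_p \;\; \lambda_q \;\; \lambda_r \;\; u_{wind} \;\; v_{wind} \;\; w_{wind}]^T \tag{13.5}$$

$$z_m = [x_{GPS} \;\; y_{GPS} \;\; z_{GPS} \;\; u_{GPS} \;\; v_{GPS} \;\; w_{GPS} \;\; \phi_{INS} \;\; \theta_{INS} \;\; \psi_{INS} \;\; V_{TAS} \;\; \alpha_{ADS} \;\; \beta_{ADS}]^T \tag{13.6}$$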
where the aircraft state vector x in (13.3) contains inertial position, body air veloc-
ity components and aircraft attitude angles. The measured input vector um in (13.4)
consists of specific forces and angular rates, perturbed with sensor biases and input
noise, where the sensor biases and wind ground speed components are collected in
vector θ in (13.5), which contributes to the augmented state vector xaug = [x, θ ].
Finally, there is the measured output vector zm in (13.5), consisting of GPS-aided
INS measurement data of position and velocity components (navigational frame of
reference) and INS supplied attitude angles as well as air data system (ADS) mea-
surements for true airspeed, angle of attack and angle of sideslip. Also the measured
output vector is contaminated with output noise.
Additionally, the input noise vector w(t) is a continuous time white noise process
and the output noise vector v(ti ) is a discrete time white noise sequence. Both are
mutually uncorrelated as well as between the different input and output channels
individually. Moreover, based upon the known on-board measurement equipment
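$$v(t_i) = [v_x \;\; v_y \;\; v_z \;\; v_u \;\; v_v \;\; v_w \;\; v_\phi \;\; v_\theta \;\; v_\psi \;\; v_V \;\; v_\alpha \;\; v_\beta]^T \tag{13.7}$$

$$w(t) = [w_x \;\; w_y \;\; w_z \;\; w_p \;\; w_q \;\; w_r]^T \tag{13.8}$$

$$E\left\{ w(t)\, w^T(\tau) \right\} = Q\, \delta(t - \tau) \tag{13.9}$$

$$E\left\{ v(t_i)\, v^T(t_j) \right\} = R\, \delta_{ij} \tag{13.10}$$

$$E\left\{ w(t)\, v^T(t_i) \right\} = 0, \quad \text{for } t = t_i, \; i = 1, 2, \ldots \tag{13.11}$$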
where
As mentioned in the introduction and apparent from the structure above, a Kalman
Filter can be used in order to estimate the aircraft states, inertial sensor biases and
wind velocity components.
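• dimensionless moments:

$$C_l = \frac{L}{\tfrac{1}{2}\rho V^2 S b} = \frac{\dot{p} I_{xx} + qr\,(I_{zz} - I_{yy}) - (pq + \dot{r})\, I_{xz}}{\tfrac{1}{2}\rho V^2 S b}$$

$$C_m = \frac{M}{\tfrac{1}{2}\rho V^2 S \bar{c}} = \frac{\dot{q} I_{yy} + rp\,(I_{xx} - I_{zz}) + (p^2 - r^2)\, I_{xz}}{\tfrac{1}{2}\rho V^2 S \bar{c}} \tag{13.15}$$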
At this moment mass and inertia are considered as known constants. In the absence
of a structural failure, real time mass and inertia can be calculated by integrating
fuel flow and subtracting it from the total take off values. Future research is aimed
at taking into account changing masses and inertia in the presence of structural
failures. Air density can be deduced from altitude measurements. The rotational
accelerations are obtained by differentiating the noisy rotational rates, which have
been corrected for their biases. It should be noted that current generation ring laser
gyroscope noise levels are low enough ($\sigma_{pqr} = 0.001^\circ$/s) to permit differentiating
these signals.
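$$\begin{aligned}
&+ C_{X_{\delta_{e_{ol}}}} \delta_{e_{ol}} + C_{X_{i_h}} i_h + C_{X_{\delta_{sp_1}}} \delta_{sp_1} + \ldots + C_{X_{\delta_{sp_{12}}}} \delta_{sp_{12}} + C_{X_{\delta_{f_o}}} \delta_{f_o} + C_{X_{\delta_{f_i}}} \delta_{f_i} \\
&+ C_{X_{EPR1}} \mathrm{EPR1} + \ldots + C_{X_{EPR4}} \mathrm{EPR4} + C_{X_\beta} \beta + C_{X_p} \frac{pb}{2V} + C_{X_r} \frac{rb}{2V}
\end{aligned} \tag{13.16}$$

$$\begin{aligned}
C_Z ={}& C_{Z_0} + C_{Z_\alpha} \alpha + C_{Z_q} \frac{q\bar{c}}{V} + C_{Z_{\delta_{e_{ir}}}} \delta_{e_{ir}} + C_{Z_{\delta_{e_{il}}}} \delta_{e_{il}} + C_{Z_{\delta_{e_{or}}}} \delta_{e_{or}} + C_{Z_{\delta_{e_{ol}}}} \delta_{e_{ol}} + \\
&+ C_{Z_{EPR1}} \mathrm{EPR1} + \ldots + C_{Z_{EPR4}} \mathrm{EPR4} + C_{Z_\beta} \beta + C_{Z_p} \frac{pb}{2V} + C_{Z_r} \frac{rb}{2V}
\end{aligned} \tag{13.17}$$

$$\begin{aligned}
C_m ={}& C_{m_0} + C_{m_\alpha} \alpha + C_{m_q} \frac{q\bar{c}}{V} + C_{m_{\delta_{e_{ir}}}} \delta_{e_{ir}} + C_{m_{\delta_{e_{il}}}} \delta_{e_{il}} + C_{m_{\delta_{e_{or}}}} \delta_{e_{or}} + C_{m_{\delta_{e_{ol}}}} \delta_{e_{ol}} + \\
&+ C_{m_{EPR1}} \mathrm{EPR1} + \ldots + C_{m_{EPR4}} \mathrm{EPR4} + C_{m_\beta} \beta + C_{m_p} \frac{pb}{2V} + C_{m_r} \frac{rb}{2V}
\end{aligned} \tag{13.18}$$

$$\begin{aligned}
C_Y ={}& C_{Y_0} + C_{Y_\beta} \beta + C_{Y_p} \frac{pb}{2V} + C_{Y_r} \frac{rb}{2V} + C_{Y_{\delta_{a_{ir}}}} \delta_{a_{ir}} + C_{Y_{\delta_{a_{il}}}} \delta_{a_{il}} + C_{Y_{\delta_{a_{or}}}} \delta_{a_{or}} \\
&+ C_{Y_{\delta_{a_{ol}}}} \delta_{a_{ol}} + C_{Y_{\delta_{r_u}}} \delta_{r_u} + C_{Y_{\delta_{r_l}}} \delta_{r_l} + C_{Y_{\delta_{sp_1}}} \delta_{sp_1} + \ldots + C_{Y_{\delta_{sp_{12}}}} \delta_{sp_{12}} \\
&+ C_{Y_\alpha} \alpha + C_{Y_q} \frac{q\bar{c}}{V} + C_{Y_{EPR1}} \mathrm{EPR1} + \ldots + C_{Y_{EPR4}} \mathrm{EPR4}
\end{aligned} \tag{13.19}$$

$$\begin{aligned}
C_l ={}& C_{l_0} + C_{l_\beta} \beta + C_{l_p} \frac{pb}{2V} + C_{l_r} \frac{rb}{2V} + C_{l_{\delta_{a_{ir}}}} \delta_{a_{ir}} + C_{l_{\delta_{a_{il}}}} \delta_{a_{il}} + C_{l_{\delta_{a_{or}}}} \delta_{a_{or}} + C_{l_{\delta_{a_{ol}}}} \delta_{a_{ol}} + \\
&+ C_{l_{\delta_{r_u}}} \delta_{r_u} + C_{l_{\delta_{r_l}}} \delta_{r_l} + C_{l_{\delta_{sp_1}}} \delta_{sp_1} + \ldots + C_{l_{\delta_{sp_{12}}}} \delta_{sp_{12}} + C_{l_\alpha} \alpha + C_{l_q} \frac{q\bar{c}}{V} + \\
&+ C_{l_{EPR1}} \mathrm{EPR1} + \ldots + C_{l_{EPR4}} \mathrm{EPR4}
\end{aligned} \tag{13.20}$$

$$\begin{aligned}
C_n ={}& C_{n_0} + C_{n_\beta} \beta + C_{n_p} \frac{pb}{2V} + C_{n_r} \frac{rb}{2V} + C_{n_{\delta_{a_{ir}}}} \delta_{a_{ir}} + C_{n_{\delta_{a_{il}}}} \delta_{a_{il}} + C_{n_{\delta_{a_{or}}}} \delta_{a_{or}} \\
&+ C_{n_{\delta_{a_{ol}}}} \delta_{a_{ol}} + C_{n_{\delta_{r_u}}} \delta_{r_u} + C_{n_{\delta_{r_l}}} \delta_{r_l} + C_{n_{\delta_{sp_1}}} \delta_{sp_1} + \ldots + C_{n_{\delta_{sp_{12}}}} \delta_{sp_{12}} \\
&+ C_{n_\alpha} \alpha + C_{n_q} \frac{q\bar{c}}{V} + C_{n_{EPR1}} \mathrm{EPR1} + \ldots + C_{n_{EPR4}} \mathrm{EPR4}
\end{aligned} \tag{13.21}$$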
From the above expressions, it is clear that the aerodynamic model parameters,
also known as the aerodynamic derivatives, apply to states as well as control
inputs, namely control surface deflections and engine settings. It should be noted that
the contributions indicated in boxes are the aerodynamic consequences of possible
cross-couplings: they represent the contributions of longitudinal states to lateral
forces and moments and vice versa. They appear due to asymmetries after failures.
Moreover, the aerodynamic derivatives related to the inputs also have cross coupling
effects, but these are assumed to be limited by the hardware constraints of the
actuators of each control surface type independently, present in the hardware
logic block of the RECOVER simulation model: for example, differential deflection
of flaps is not possible. For the benchmark model as given, the only valid cross
coupling control inputs feasible in reality are the engine settings. Conventionally,
all are identical and give only longitudinal steering capability, but they can also
provide some lateral degree of controllability if differential thrust is applied. However,
in a general perspective, this kind of cross coupling is completely dependent on the
aircraft model concerned.
Fig. 13.1 Overview of the two step method: measurements serve for ASE step, which
estimates the aircraft states. These states, combined with the measurements, allow the calculation
of the forces and moments. The latter are used, together with the estimated states and control
surface deflections, for the AMI step, which produces the estimated aerodynamic and control
derivatives.
The validation tests have shown that the identification results obtained with this
procedure are representative, accurate and reliable. These validation tests can be
found in Ref. [13]. Now that it has been confirmed that the procedure works sat-
isfactorily for nominal non-damaged aircraft, the next challenge is to analyse the
performance of this identification procedure for damaged aircraft. This will be the
subject of section 13.4.
Finally, figure 13.1 gives a high-level logical structure overview of the two step
method algorithm, pointing out the inputs and outputs of each macro-step.
Fig. 13.2 Overview of the operator information screen for real time identification. The left
and middle columns in the screen give the aerodynamic derivative values, the right column
gives (from top to bottom) aircraft attitude, trajectory and covariances for symmetrical (left)
and asymmetrical (right) estimates.
has been chosen deliberately in this set-up to implement both control inputs con-
secutively. The reason for this is the fact that a simultaneous implementation may
lead to undesirable correlations in the identification results. For each scenario, the
identification result of the damaged simulation model is compared with the nomi-
nal non-damaged one, which is supplied in red in each graphic as a benchmark. It
should be noted that the damaged identification result for the horizontal stabilizer
runaway does not last longer than 20 seconds of the total time span. The reason for
this is the fact that the aircraft crashes after these 20 seconds, as illustrated by its
trajectory in Fig. 13.3.
Fig. 13.4 Identification of stabilizer related aerodynamic derivatives for damaged Boeing
747 simulation model, horizontal stabilizer runaway scenario (axis labels: CZih, Cmih, ih, time[s]; legend: nominal, stabilizer runaway)
Fig. 13.5 Identification of rudder related aerodynamic derivatives for damaged Boeing 747
simulation model, vertical tail loss scenario: (a) identification of rudder related aerodynamic derivatives, (b) rudder deflections for vertical tail loss scenario (panel title: aerodynamic derivatives, asymmetric contributions rudder; axis labels: CYdr, Cldr, Cndr, dr, Cnb, time[s]; legend: nominal, loss of vertical tail)
no rudder anymore in the situation of a vertical tail loss, the loss of yawing control
should be visible in the identification result. For the nominal situation, the rudder
makes a doublet movement. Note that this doublet is not perfect, since the
compensating influence of the yaw damper appears in this channel. In the vertical tail
loss scenario, no deflection is visible anymore since the rudder is lost. Note that
each control surface has redundant deflection sensors, and the absence of any
measurement signal leads effectively to the ‘no deflection conclusion’, as shown in this
figure. Taking a closer look at the identification results, it is clear that no
convergence is possible in the tail loss scenario, whereas the nominal scenario clearly leads
to a better convergence behaviour. Another obvious consequence of the tail loss
scenario is the huge reduction in lateral static stability. This can be seen in the
behaviour of the aerodynamic derivative $C_{n_\beta}$, as shown in Fig. 5(c). A positive value
for $C_{n_\beta}$, also known as weathercock stability, indicates static directional stability.
From Fig. 5(c), it is clear that the nominal aircraft is stable, but the damaged aircraft
is observed to be slightly directionally statically unstable, as would be expected for
a tailless 747 aircraft. This simulation also shows that no rudder deflection is
necessary to observe this; even a doublet on the roll channel (ailerons) induces some
sideslip, which allows a static stability analysis. Summarizing, analysing both
results, it is clear that the loss of the tail surface can be identified by means of these
identification results.
In order to perform a validation of the accuracy of the identification results in
both applications presented above, the innovations can be calculated again. This
clearly shows that the least squares result is accurate. Also the reconstruction of
linear velocity components and angular rates confirms the trustworthiness of the
identification results.
Fig. 13.6 Example of visualization of control effector effectiveness for the pilot, this in-
formation is based upon control effector effectiveness parameters, like Cmδe , Clδa , Cnδr and
CXEPR .
in which $\Delta(k)$ is the innovation, $z(k)$ is the state measurement from the actual
aircraft, $X(k)$ is the data matrix and $\hat{\theta}_{LS}(k)$ is the vector of estimated parameters. The
faults, which change the system dynamics, also change the characteristics of $\Delta(k)$
and make it different from white noise. Two criteria, namely the autocorrelation
criterion $\pi_k$ and the innovation average value $\bar{\Delta}(k)$, have been analysed to decide
whether this innovation is dominated by white noise, or contains a residual of an
incorrect aerodynamic model. If the latter is the case, the reconfiguration of the model
should be triggered. The former should be ignored in order to prevent false alarms.
Analysis has revealed that the average value of the innovation over a period of
time, calculated in (13.23), is the preferable criterion. This calculation reveals the
mean value of the residual, which will deviate from zero once the model becomes
inaccurate.
$$\bar{\Delta}(k) = \frac{1}{n_{av}} \sum_{i=0}^{n_{av}} \Delta(k - i) \tag{13.23}$$
$\bar{\Delta}(k)$ stands for the average innovation, $n_{av}$ is the number of samples over which this
average is taken (a proper range appears to be 25 − 100, corresponding to 0.5 s − 4 s).
For the triggering of the re-identification a threshold value has been chosen based
on several simulated test flights, with and without failure.
Besides use of the residual mean value, it is possible to rely also on other criteria,
like spectral analyses. This is the subject of further research. Once this monitor-
ing criterion has suggested the current model contains errors, the re-identification
will take place. The covariance matrix P of the RLS procedure gives a measure for
quality of the data that has entered the identification. Without forgetting factor, this
data richness can only improve, since all information from previous measurements
is retained. This results in a gradual freezing of the parameter values since every
new datapoint is weighted less in the parameter identification. When it is concluded
that the real-life situation has changed to such an extent that the identified model is
not valid anymore, this old data should be disregarded. By artificially returning the
covariance matrix to its initial state - a diagonal matrix with very large values (in the
order of $10^6$) - the parameters are more influenced by new measurements and can be
identified based on the flight data of the aircraft in its new, changed situation. Since
each of the six dimensionless forces and moments $[C_X\ C_Y\ C_Z\ C_l\ C_m\ C_n]^T$ has a
separate innovation channel, the reconfiguration can be focused on the respective
parameter set that triggers the reconfiguration. For this reason, six covariance matrices
P are stored and updated separately. When for example the criterion value of the roll
moment parameters $C_l$ exceeds the threshold, only these parameters are triggered
for re-identification. This prevents unnecessarily destabilizing the aircraft model parts
that are used in the control system.
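The monitoring and re-identification logic described above, as an added example that is not code from the chapter or the benchmark. The class name `ChannelRLS`, the threshold, the regressors and the simulated roll-channel failure are assumptions constructed for illustration, and clearing the averaging window after a reset is a choice made here.

```python
import math
import random
from collections import deque

P0 = 1e6           # covariance diagonal after (re)initialisation, order 10^6 as in the text
N_AV = 50          # averaging window n_av, inside the 25-100 range quoted in the text
THRESHOLD = 0.003  # assumed trigger level; the chapter tunes it on simulated flights
FAULT_AT = 400     # constructed failure instant (sample index)


class ChannelRLS:
    """RLS without forgetting factor for one coefficient channel, with its own P."""

    def __init__(self, theta0, monitor=True):
        self.theta = list(theta0)              # a priori (pre-failure) parameters
        self.n = len(self.theta)
        self.monitor = monitor
        self.window = deque(maxlen=N_AV + 1)   # Delta(k - i) for i = 0..n_av
        self.resets = []                       # sample indices where P was reset
        self.k = 0
        self.reset_covariance()

    def reset_covariance(self):
        """Return P to its initial state: diagonal with very large values."""
        self.P = [[P0 if i == j else 0.0 for j in range(self.n)]
                  for i in range(self.n)]

    def average_innovation(self):
        """Eq. (13.23): sum of Delta(k - i) for i = 0..n_av, divided by n_av."""
        return sum(self.window) / N_AV

    def update(self, x, z):
        n = self.n
        innov = z - sum(x[i] * self.theta[i] for i in range(n))      # Delta(k)
        Px = [sum(self.P[i][j] * x[j] for j in range(n)) for i in range(n)]
        denom = 1.0 + sum(x[i] * Px[i] for i in range(n))
        for i in range(n):
            self.theta[i] += Px[i] / denom * innov
            for j in range(n):
                self.P[i][j] -= Px[i] * Px[j] / denom   # P is symmetric
        self.window.append(innov)
        window_full = len(self.window) == self.window.maxlen
        if (self.monitor and window_full
                and abs(self.average_innovation()) > THRESHOLD):
            self.reset_covariance()    # old data is disregarded from here on
            self.window.clear()        # assumption: restart the average as well
            self.resets.append(self.k)
        self.k += 1
        return innov


def simulate(monitor=True, n_samples=800, seed=1):
    """Constructed flight data: the roll channel changes at FAULT_AT, pitch does not."""
    rng = random.Random(seed)
    channels = {
        "Cl": ChannelRLS([0.0, -0.08, -0.10], monitor),   # [Cl0, Cl_beta, Cl_da]
        "Cm": ChannelRLS([0.02, -0.60, -1.20], monitor),  # [Cm0, Cm_alpha, Cm_de]
    }
    for k in range(n_samples):
        beta = 0.05 * math.sin(0.11 * k)
        d_a = 0.10 * math.sin(0.37 * k + 1.0)
        alpha = 0.08 + 0.03 * math.sin(0.23 * k)
        d_e = 0.05 * math.sin(0.31 * k + 0.5)
        # Constructed failure: a roll offset appears, aileron effectiveness halves.
        cl0, cl_da = (0.01, -0.05) if k >= FAULT_AT else (0.0, -0.10)
        z_l = cl0 - 0.08 * beta + cl_da * d_a + rng.gauss(0.0, 5e-4)
        z_m = 0.02 - 0.60 * alpha - 1.20 * d_e + rng.gauss(0.0, 5e-4)
        channels["Cl"].update([1.0, beta, d_a], z_l)
        channels["Cm"].update([1.0, alpha, d_e], z_m)
    return channels


if __name__ == "__main__":
    for label, flag in (("monitor on", True), ("monitor off", False)):
        ch = simulate(monitor=flag)
        print(label, "Cl resets:", ch["Cl"].resets, "Cm resets:", ch["Cm"].resets,
              "Cl estimate:", [round(t, 4) for t in ch["Cl"].theta])
```

With the monitor switched off the roll parameters settle on a blend of pre- and post-failure values, which is the gradual freezing the text describes.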
The general idea of nonlinear dynamic inversion is as follows. Consider the non-
linear MIMO system dynamic model, which is assumed to be affine in the input:
The output y of the system is then expressed as a function h of the aircraft state
vector x:
y(x) = h(x) (13.25)
Defining the matrix ∇h (x) as the Jacobian matrix:
$$\frac{\partial h(x)}{\partial x} = \nabla h(x) \tag{13.26}$$
the time derivatives of the outputs (13.25) can be expressed as:
$$\frac{dy}{dt} = \nabla h(x)\,[f(x) + G(x) \cdot u] = L_f^1 h(x) + L_g h(x)\,u \tag{13.27}$$
where $L_f^1 h(x) = \nabla h(x) f(x)$ denotes the first order Lie derivative vector and
$L_g h(x) = \nabla h(x) G(x)$. If the second term of eq. (13.27) is zero, more time derivatives
of eq. (13.27) are required, generally until the second term of eq. (13.27) is
nonzero. This nonzero time derivative order is defined as the "relative degree". In general,
as the elements within the output vector y(x) may have different relative degrees,
it is convenient to write the time derivative for each output as:
$$\frac{d^{r_i} y_i}{dt^{r_i}} = \frac{d^{r_i} h_i(x)}{dt^{r_i}} = L_f^{r_i} h_i(x) + \sum_{j=1}^{m} L_{g_j} L_f^{r_i - 1} h_i(x)\, u_j \tag{13.28}$$
In eq. (13.28), $r_i$ is the relative degree for the $i$th output. A collection of all
differentiated ($r_i$th order) outputs yields:
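with:
$$y^{r}(x) = \begin{bmatrix} \dfrac{d^{r_1} h_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} h_m(x)}{dt^{r_m}} \end{bmatrix} \tag{13.30}$$
$$l(x) = \begin{bmatrix} L_f^{r_1} h_1(x) \\ L_f^{r_2} h_2(x) \\ \vdots \\ L_f^{r_m} h_m(x) \end{bmatrix} \tag{13.31}$$
and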
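$$M(x) = \begin{bmatrix}
L_{g_1} L_f^{r_1 - 1} h_1(x) & L_{g_2} L_f^{r_1 - 1} h_1(x) & \cdots & L_{g_m} L_f^{r_1 - 1} h_1(x) \\
L_{g_1} L_f^{r_2 - 1} h_2(x) & L_{g_2} L_f^{r_2 - 1} h_2(x) & \cdots & L_{g_m} L_f^{r_2 - 1} h_2(x) \\
\vdots & \vdots & \ddots & \vdots \\
L_{g_1} L_f^{r_m - 1} h_m(x) & L_{g_2} L_f^{r_m - 1} h_m(x) & \cdots & L_{g_m} L_f^{r_m - 1} h_m(x)
\end{bmatrix} \tag{13.32}$$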
Solving for u if the total relative degree $r = r_1 + r_2 + \ldots + r_m = n$, with n the
number of states of the system, by introducing a virtual outer loop control input
vector $\nu$, which consists of time derivatives of control variables $cv_i(x)$ up to the
corresponding relative degree $r_i$:
with:
$$\nu(x) = \begin{bmatrix} \dfrac{d^{r_1} cv_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} cv_m(x)}{dt^{r_m}} \end{bmatrix} \tag{13.34}$$
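then this results in a closed-loop system with a linear and decoupled input-output
relation:
$$y^{r}(x) = \begin{bmatrix} \dfrac{d^{r_1} h_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} h_m(x)}{dt^{r_m}} \end{bmatrix} = \nu = \begin{bmatrix} \dfrac{d^{r_1} cv_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} cv_m(x)}{dt^{r_m}} \end{bmatrix} \tag{13.35}$$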
Thus the control law for tracking tasks
$$\frac{d^{r_i} cv_i}{dt^{r_i}} = \frac{d^{r_i} h_{i_d}}{dt^{r_i}} - k_{0_i} e - k_{1_i} \dot{e} - \ldots - k_{(r_i - 1)_i} e^{(r_i - 1)} \quad \text{with } e = y_{i_d}(t) - y_i(t) \tag{13.36}$$
for $i = 1, \ldots, m$ with the $k_j$s chosen so that $p^n + k_{n-1} p^{n-1} + \ldots + k_1 p$ is a stable
polynomial, leads to the exponentially stable tracking dynamics for $i = 1, \ldots, m$:
where $[p\ q\ r]^T$ are the rotational rates and $[L\ M\ N]^T$ the angular moments acting
on the aircraft. The inertia matrix I stands for:
$$I = \begin{bmatrix} I_{xx} & -I_{xy} & -I_{xz} \\ -I_{yx} & I_{yy} & -I_{yz} \\ -I_{zx} & -I_{zy} & I_{zz} \end{bmatrix} \tag{13.39}$$
where the moments of inertia $I_{xy}$, $I_{yx}$, $I_{yz}$ and $I_{zy}$ are assumed to be zero. As outlined
in Section 13.2.2, these angular moments can be seen as a combination of different
state and control variables. With the model described here, a controller has a com-
plete overview of aircraft behaviour as a function of states and control settings. NDI
cancels out all non-linear parts, in order to obtain a system which behaves as a pure
integrator, regardless of the state. This pure integrator can be controlled by a linear
controller which produces the virtual control input $[\nu_p\ \nu_q\ \nu_r]^T$. Relying on the
information given in (13.15), (13.18) and (13.21), the aircraft dynamics in (13.38)
can be rewritten in the form of (13.33). Here it should be noted that (13.18) and
(13.21) can be split into a part describing the contribution of the states and a contri-
bution of the control surface settings, where thrust, stabilizer and flaps are grouped
together with the states in the airframe/engine model. Moreover, the individual con-
trol derivatives of the different aileron, elevator, rudder and spoiler surfaces from
the identification step have been combined into equivalent global control derivatives
which are used in the effector blending model of the control phase.
Inserting this into (13.38) yields
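$$\dot{x} = \begin{bmatrix} \dot{p} \\ \dot{q} \\ \dot{r} \end{bmatrix} = \frac{1}{2} \rho V^2 S\, I^{-1} \left( \begin{bmatrix} b\,C_{l_{states}} \\ c\,C_{m_{states}} \\ b\,C_{n_{states}} \end{bmatrix} + \begin{bmatrix} b\,\tilde{C}_{l_{\delta_a}} & 0 & b\,\tilde{C}_{l_{\delta_r}} \\ 0 & c\,\tilde{C}_{m_{\delta_e}} & 0 \\ b\,\tilde{C}_{n_{\delta_a}} & 0 & b\,\tilde{C}_{n_{\delta_r}} \end{bmatrix} \begin{bmatrix} \delta_a \\ \delta_e \\ \delta_r \end{bmatrix} \right) - I^{-1} \left( \begin{bmatrix} p \\ q \\ r \end{bmatrix} \times I \begin{bmatrix} p \\ q \\ r \end{bmatrix} \right) \tag{13.40}$$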
where:
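$$\tilde{C}_{l_{\delta_a}} = -C_{l_{\delta_{a_{ir}}}} + C_{l_{\delta_{a_{il}}}} - C_{l_{\delta_{a_{or}}}} + C_{l_{\delta_{a_{ol}}}} - C_{l_{\delta_{sp_1}}} \ldots - C_{l_{\delta_{sp_5}}} + C_{l_{\delta_{sp_8}}} \ldots + C_{l_{\delta_{sp_{12}}}} \tag{13.41}$$
$$\tilde{C}_{n_{\delta_a}} = -C_{n_{\delta_{a_{ir}}}} + C_{n_{\delta_{a_{il}}}} - C_{n_{\delta_{a_{or}}}} + C_{n_{\delta_{a_{ol}}}} - C_{n_{\delta_{sp_1}}} \ldots - C_{n_{\delta_{sp_5}}} + C_{n_{\delta_{sp_8}}} \ldots + C_{n_{\delta_{sp_{12}}}} \tag{13.42}$$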
and
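$$\begin{bmatrix} C_{l_{states}} \\ C_{m_{states}} \\ C_{n_{states}} \end{bmatrix} = \begin{bmatrix}
C_{l_0} + C_{l_\beta} \beta + C_{l_p} \dfrac{pb}{2V} + C_{l_r} \dfrac{rb}{2V} + C_{l_{T_c}} T_c \\
C_{m_0} + C_{m_\alpha} \alpha + C_{m_q} \dfrac{q\bar{c}}{V} + C_{m_{i_h}} i_h + C_{m_{\delta_{f_o}}} \delta_{f_o} + C_{m_{\delta_{f_i}}} \delta_{f_i} + C_{m_{T_c}} T_c \\
C_{n_0} + C_{n_\beta} \beta + C_{n_p} \dfrac{pb}{2V} + C_{n_r} \dfrac{rb}{2V} + C_{n_{T_c}} T_c
\end{bmatrix} \tag{13.46}$$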
In order to obtain rate control, the rotational rates of the aircraft are selected to be
the control variables.
$$cv(x) = [p\ q\ r]^T \tag{13.47}$$
Differentiation of this results in the virtual inputs:
$$\frac{d\,cv(x)}{dt} = \dot{x} = [\nu_p\ \nu_q\ \nu_r]^T \tag{13.48}$$
At this point, equation (13.40) can be solved for the control inputs $[\delta_a\ \delta_e\ \delta_r]^T$,
resulting in a similar structure as in (13.33):
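$$\begin{bmatrix} \delta_a \\ \delta_e \\ \delta_r \end{bmatrix} = \begin{bmatrix} b\,\tilde{C}_{l_{\delta_a}} & 0 & b\,\tilde{C}_{l_{\delta_r}} \\ 0 & c\,\tilde{C}_{m_{\delta_e}} & 0 \\ b\,\tilde{C}_{n_{\delta_a}} & 0 & b\,\tilde{C}_{n_{\delta_r}} \end{bmatrix}^{-1} \cdot \left\{ \frac{I}{\frac{1}{2} \rho V^2 S} \left( \begin{bmatrix} \nu_p \\ \nu_q \\ \nu_r \end{bmatrix} + I^{-1} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \times \left( I \begin{bmatrix} p \\ q \\ r \end{bmatrix} \right) \right) - \begin{bmatrix} b\,C_{l_{states}} \\ c\,C_{m_{states}} \\ b\,C_{n_{states}} \end{bmatrix} \right\} \tag{13.49}$$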
The first part of (13.49) performs the control inversion, while the second part con-
tains the state inversion.
Subsequently, the different aileron, elevator, rudder and spoiler surfaces are cou-
pled and deflect in a fixed coordinated way. The development of a more flexible
control allocation algorithm is part of the future work. Nevertheless, the results
shown here prove that this simplification has no serious detrimental effect on the
performance of the FTFC module.
The classical weakness of NDI, its sensitivity to modelling errors which leads
to erroneous inversion and thus a possibly unstable result, is circumvented here by
making use of the real time identified physical model, which has a greater accu-
racy than an off-line model. As a result, one does not only obtain an adaptive NDI
routine which renders the aircraft behaviour like a pure integrator in nominal situa-
tions. In failure situations, the modified aircraft model is identified by the two step
method and immediately applied in the model-based adaptive NDI routine, which
allows reconfiguring for the failure in real time. The NDI routine is composed of
two loops. The inner loop allows for rate control on roll and pitch steering. Yaw
control is achieved by sideslip control. This is an optimal way of manual control
for the human pilot. The outer loop adds another NDI routine for angle control on
heading, flight path angle and sideslip. This is the so-called concept of angle control,
where it should be noted that the angles of the groundspeed velocity vector and not
the aircraft angles are controlled. These three quantities form an ideal basis for the
design of the classical autopilot modes (under development), which can be designed
in the final overall outer loop by making use of classical feedback or alternatively
NDI control. Classical feedback control can be sufficient in this outer loop, since the
closed middle and inner loop system relying on NDI twice has a linear input-output
relation.
Research has revealed that this adaptive model based control approach has an
important advantage since a very representative aerodynamic model is available by
means of the two step method described earlier. In this way, a fault tolerant control
scheme has been obtained which is virtually capable of handling any aircraft failure,
as long as it is identified and represented correctly by the on-line aircraft model.
Despite the promising impression of adaptive NDI, there are still some issues and
risks in development and implementation. Especially for fault tolerant flight control
using NDI, two issues arise. First of all, there is the problem of robustness: if the real
time identification routine is not able to make an accurate fit of the aircraft model,
the possibility exists that classical NDI leads to an unsatisfactory result. Therefore,
robust NDI should be considered for application in this context, but real time appli-
cability is a major concern here. Moreover, the risk of singularity needs precautions.
Since inversion of the effector blending model b(x) is needed, singularity require-
ments apply to this model. This is the domain of control allocation, which still needs
further investigation.
For the applications in this Garteur context, some assumptions have been made.
Namely, a sufficiently accurate aircraft model should be supplied by the identi-
fication procedure, such that NDI can be applied successfully. Generally, this is
not a problem for the two step method considering the failure cases which have
been investigated in this research project. Secondly, after the failure, every channel
(roll/pitch/yaw) of the crippled aircraft still needs to be controllable in some way,
otherwise no effector blending model inversion is possible.
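The rate loop inversion of eq. (13.49), together with the singularity precaution and the controllability assumption discussed above, as an added example that is not part of the chapter. All numerical values (geometry, inertia, derivatives, commanded accelerations) and all function names are constructed for illustration and are not the benchmark aircraft's data.

```python
# Constructed, illustrative values; not the benchmark aircraft's data.
RHO, V, S, B_SPAN, CHORD = 1.0, 130.0, 511.0, 59.6, 8.3
IXX, IYY, IZZ, IXZ = 2.5e7, 4.5e7, 6.8e7, 1.3e6
INERTIA = [[IXX, 0.0, -IXZ], [0.0, IYY, 0.0], [-IXZ, 0.0, IZZ]]  # eq. (13.39)
QS = 0.5 * RHO * V ** 2 * S

NU = [0.05, 0.01, 0.0]           # virtual inputs [nu_p, nu_q, nu_r], rad/s^2
OMEGA = [0.02, 0.01, -0.01]      # body rates [p, q, r], rad/s
C_STATES = [0.001, 0.0, 0.0005]  # [Cl_states, Cm_states, Cn_states]

# Equivalent global control derivatives (the tilde quantities of eq. 13.40).
NOMINAL = {"l_da": 0.04, "l_dr": 0.003, "m_de": -0.12, "n_da": 0.002, "n_dr": -0.02}
DAMAGED = dict(NOMINAL, l_da=0.02, n_da=0.001)     # half the aileron effectiveness
RUDDER_LOSS = dict(NOMINAL, l_dr=0.0, n_dr=0.0)    # no rudder authority left


def det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def solve3(m, v, rel_tol=1e-9):
    """Solve m x = v by Cramer's rule; refuse a (near-)singular matrix."""
    d = det3(m)
    scale = 1.0
    for row in m:
        scale *= sum(e * e for e in row) ** 0.5     # Hadamard bound on |det|
    if abs(d) <= rel_tol * scale:
        raise ValueError("matrix is singular or ill-conditioned")
    cols = []
    for c in range(3):
        mc = [[v[r] if j == c else m[r][j] for j in range(3)] for r in range(3)]
        cols.append(det3(mc) / d)
    return cols


def mat_vec(m, v):
    return [sum(m[i][j] * v[j] for j in range(3)) for i in range(3)]


def cross(a, b):
    return [a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0]]


def effectiveness(ctrl):
    """Control effectiveness matrix that multiplies [da, de, dr] in eq. (13.40)."""
    return [[B_SPAN * ctrl["l_da"], 0.0, B_SPAN * ctrl["l_dr"]],
            [0.0, CHORD * ctrl["m_de"], 0.0],
            [B_SPAN * ctrl["n_da"], 0.0, B_SPAN * ctrl["n_dr"]]]


def state_part(c_states):
    return [B_SPAN * c_states[0], CHORD * c_states[1], B_SPAN * c_states[2]]


def ndi_rate_control(nu, omega, c_states, ctrl):
    """Eq. (13.49): deflections [da, de, dr] for the commanded accelerations nu."""
    gyro = cross(omega, mat_vec(INERTIA, omega))
    i_nu = mat_vec(INERTIA, nu)
    a = state_part(c_states)
    # I (nu + I^-1 (omega x I omega)) / (0.5 rho V^2 S) minus the state-dependent part
    rhs = [(i_nu[i] + gyro[i]) / QS - a[i] for i in range(3)]
    return solve3(effectiveness(ctrl), rhs)   # raises when an axis lost all authority


def rate_dynamics(delta, omega, c_states, ctrl):
    """Eq. (13.40): angular accelerations the aircraft actually produces."""
    a = state_part(c_states)
    b_delta = mat_vec(effectiveness(ctrl), delta)
    gyro = cross(omega, mat_vec(INERTIA, omega))
    return solve3(INERTIA, [QS * (a[i] + b_delta[i]) - gyro[i] for i in range(3)])


def tracking_error(model, truth):
    """nu minus achieved acceleration when the controller inverts `model`."""
    delta = ndi_rate_control(NU, OMEGA, C_STATES, model)
    achieved = rate_dynamics(delta, OMEGA, C_STATES, truth)
    return [NU[i] - achieved[i] for i in range(3)]


if __name__ == "__main__":
    print("stale model on damaged aircraft:", tracking_error(NOMINAL, DAMAGED))
    print("re-identified model:            ", tracking_error(DAMAGED, DAMAGED))
    try:
        ndi_rate_control(NU, OMEGA, C_STATES, RUDDER_LOSS)
    except ValueError as exc:
        print("rudder loss:", exc)
```

Inverting with the stale model leaves a roll acceleration error, the re-identified model removes it, and the rudder loss case is rejected because the third column of the effectiveness matrix is zero.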
The principle of Adaptive NDI (ANDI) has been applied on two levels. The lower
level is manual control, which has been verified by means of workload evaluation
runs in the SIMONA Research Simulator and is discussed extensively in Chapter
17. The upper level is full automatic autopilot control, which has been evaluated by
the previously defined assessment criteria. For both control alternatives, the same
inner loop has been established, which focuses on pure body fixed angular rate con-
trol as elaborated in equation (13.49) and as illustrated in Fig. 13.7. The distinction
between the inner and outer loop has been based upon the time scale separation
principle. Mind that in each approach, the two step method is operational and sup-
plying the real time identified model parameters, including failure characteristics
when relevant.
First, in order to obtain roll angle control, an equation needs to be found which
expresses the change in roll angle in terms of the required rotational rates. Reference
[17] provides:
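$$\frac{d\phi}{dt} = \dot{\phi} = p + (q \sin\phi + r \cos\phi) \tan\theta \tag{13.50}$$
Separating the rotational rates $[p\ q\ r]^T$ yields:
$$\dot{\phi} = \begin{bmatrix} 1 & \sin\phi \tan\theta & \cos\phi \tan\theta \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.51}$$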
Second, the angle of attack must be represented in a similar way, in terms of the
required rotational rates. Since:
α̇ ≈ θ̇ − γ̇ (13.52)
this problem boils down to finding equations for θ̇ and γ̇ . The glideslope angle γ
is the angle between the total velocity vector and its vertical component in the earth
fixed reference frame:
$$\sin\gamma = \frac{w_e}{V} \qquad \gamma = \arcsin\left(\frac{w_e}{V}\right) \tag{13.53}$$
A descent (we > 0) results in a positive glideslope angle. Differentiating (13.53)
results in:
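$$\dot{\gamma} = \frac{1}{\sqrt{1 - \frac{w_e^2}{V^2}}} \frac{\dot{w}_e}{V} = \frac{\dot{w}_e}{\sqrt{V^2 - w_e^2}} = \frac{1}{\sqrt{V^2 - w_e^2}} \cdot [-A_x \sin\theta + A_y \sin\phi \cos\theta + A_z \cos\phi \cos\theta + g] \tag{13.54}$$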
This equation is obtained by rotating the vertical acceleration Az from the earth into
the body reference frame. Note that no rotational rates can be found in this equation.
On the other hand, the time derivative of the pitch angle θ̇ depends on the rates in
the following way:
θ̇ = q cos φ − r sin φ (13.55)
Separating the rates yields:
$$\dot{\theta} = \begin{bmatrix} 0 & \cos\phi & -\sin\phi \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.56}$$
Combining (13.52), (13.54) and (13.56) results in the NDI equation for the angle of
attack α :
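$$\dot{\alpha} \approx \dot{\theta} - \dot{\gamma} = -\frac{1}{\sqrt{V^2 - w_e^2}} \cdot [-A_x \sin\theta + A_y \sin\phi \cos\theta + A_z \cos\phi \cos\theta + g] + \begin{bmatrix} 0 & \cos\phi & -\sin\phi \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.57}$$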
It now becomes clear that the rotational rates can be found in this overall equation
and thus NDI can be applied.
The last outer loop is needed in order to convert the yaw rate r towards a sideslip
β command. This loop must also be NDI-based, where the feedback path makes use
of the lateral specific force Ay (which is related to the sideslip angle), the roll angle
φ and the pitch attitude angle θ .
The control law can be deduced, where a relationship must be found between the
sideslip angle β and the body fixed angular rates. From [17], the sideslip angle β
can be written as follows:
v = V sin β (13.58)
Rewriting for β and differentiating and inserting the equation for v̇ from the nonlin-
ear aircraft kinematics yields:
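$$\begin{aligned}
\dot{\beta} &= \frac{d}{dt} \arcsin\left(\frac{v}{V}\right) = \frac{1}{\sqrt{V^2 - v^2}} \cdot \dot{v} \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot [A_y + g \cos\theta \sin\phi + pw - ru] \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot [A_y + g \cos\theta \sin\phi] + \begin{bmatrix} \dfrac{w}{\sqrt{V^2 - v^2}} & 0 & \dfrac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix}
\end{aligned} \tag{13.59}$$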
The different controls for roll angle φ , angle of attack α and sideslip angle β can
now be combined in the following equation:
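$$\begin{bmatrix} \dot{\phi} \\ \dot{\alpha} \\ \dot{\beta} \end{bmatrix} = \begin{bmatrix} 0 \\ -\dfrac{1}{\sqrt{V^2 - w_e^2}} \cdot [-A_x \sin\theta + A_y \sin\phi \cos\theta + A_z \cos\phi \cos\theta + g] \\ \dfrac{1}{\sqrt{V^2 - v^2}} \cdot [A_y + g \cos\theta \sin\phi] \end{bmatrix} + \begin{bmatrix} 1 & \sin\phi \tan\theta & \cos\phi \tan\theta \\ 0 & \cos\phi & -\sin\phi \\ \dfrac{w}{\sqrt{V^2 - v^2}} & 0 & \dfrac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.60}$$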
The equation can now be rewritten for the required rotational velocities:
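$$\begin{bmatrix} p \\ q \\ r \end{bmatrix} = \begin{bmatrix} 1 & \sin\phi \tan\theta & \cos\phi \tan\theta \\ 0 & \cos\phi & -\sin\phi \\ \dfrac{w}{\sqrt{V^2 - v^2}} & 0 & \dfrac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix}^{-1} \cdot \left\{ \begin{bmatrix} \dot{\phi} \\ \dot{\alpha} \\ \dot{\beta} \end{bmatrix} - \begin{bmatrix} 0 \\ -\dfrac{1}{\sqrt{V^2 - w_e^2}} \cdot [-A_x \sin\theta + A_y \sin\phi \cos\theta + A_z \cos\phi \cos\theta + g] \\ \dfrac{1}{\sqrt{V^2 - v^2}} \cdot [A_y + g \cos\theta \sin\phi] \end{bmatrix} \right\} \tag{13.61}$$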
The outer loop quantities to be controlled in this setting are the true airspeed VTAS ,
the flight path angle γ and the course χ . It should be noted that these quantities allow
total control over the velocity vector, respectively regarding magnitude, elevation
and azimuth in the polar coordinates. Ref. [12] explains the conventional coupling
between the course χ and the roll angle φ . Regarding the demanded flight path angle
γcomm , this can be rewritten in terms of the required angle of attack α . Unfortunately
the expression α ≈ θ − γcomm is not accurate enough for this purpose, and therefore
a more elaborate expression is deduced from Ref. [22]:
For thrust control, an NDI loop has been added parallel to the middle loop which
inverts the velocity VTAS . This velocity can be expressed as:
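$$V_{TAS} = \sqrt{u_b^2 + v_b^2 + w_b^2} \tag{13.64}$$
Differentiating (13.64):
$$\begin{aligned}
\dot{V}_{TAS} &= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \left( 2 u_b \dot{u}_b + 2 v_b \dot{v}_b + 2 w_b \dot{w}_b \right) \\
&= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \left( u_b \left( -g \sin\theta + r v_b - q w_b + A_x \right) + \right.
\end{aligned}$$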
and therefore
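$$\begin{aligned}
\dot{V}_{TAS} &= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \left[ u_b \left( -g \sin\theta + r v_b - q w_b + \frac{\rho V^2 S}{2m} \left( \tilde{C}_x + C_{x_T} T_c \right) \right) \right. \\
&\quad + v_b \left( g \cos\theta \sin\phi + p w_b - r u_b + \frac{\rho V^2 S}{2m} \left( \tilde{C}_y + C_{y_T} T_c \right) \right) \\
&\quad \left. + w_b \left( g \cos\theta \cos\phi + q u_b - p v_b + \frac{\rho V^2 S}{2m} \left( \tilde{C}_z + C_{z_T} T_c \right) \right) \right] \\
&= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \left( g \left( -u_b \sin\theta + \cos\theta \left( v_b \sin\phi + w_b \cos\phi \right) \right) + \frac{\rho V^2 S}{2m} \left( u_b \tilde{C}_x + v_b \tilde{C}_y + w_b \tilde{C}_z \right) \right) \\
&\quad + \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \frac{\rho V^2 S}{2m} \left( u_b C_{x_T} + v_b C_{y_T} + w_b C_{z_T} \right) T_c
\end{aligned} \tag{13.65}$$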
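$$T_c = \left[ \frac{\rho V S}{2m} \left( u_b C_{x_T} + v_b C_{y_T} + w_b C_{z_T} \right) \right]^{-1} \cdot \left\{ \dot{V}_{TAS} - \left[ \frac{g}{V} \left( -u_b \sin\theta + \cos\theta \left( v_b \sin\phi + w_b \cos\phi \right) \right) + \frac{\rho V S}{2m} \left( u_b \tilde{C}_x + v_b \tilde{C}_y + w_b \tilde{C}_z \right) \right] \right\} \tag{13.66}$$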
wherein:
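$$\tilde{C}_x = C_{X_0} + C_{X_\alpha} \alpha + C_{X_{\alpha^2}} \alpha^2 + C_{X_q} \frac{q\bar{c}}{V} + C_{X_{\delta_{e_{ir}}}} \delta_{e_{ir}} + C_{X_{\delta_{e_{il}}}} \delta_{e_{il}} + C_{X_{\delta_{e_{or}}}} \delta_{e_{or}}$$
$$\tilde{C}_y = C_{Y_0} + C_{Y_\beta} \beta + C_{Y_p} \frac{pb}{2V} + C_{Y_r} \frac{rb}{2V} + C_{Y_{\delta_{a_{ir}}}} \delta_{a_{ir}} + C_{Y_{\delta_{a_{il}}}} \delta_{a_{il}} + C_{Y_{\delta_{a_{or}}}} \delta_{a_{or}} + C_{Y_{\delta_{a_{ol}}}} \delta_{a_{ol}} + C_{Y_{\delta_{r_u}}} \delta_{r_u} + C_{Y_{\delta_{r_l}}} \delta_{r_l} + C_{Y_{\delta_{sp_1}}} \delta_{sp_1} + \ldots + C_{Y_{\delta_{sp_{12}}}} \delta_{sp_{12}} \tag{13.68}$$
$$\tilde{C}_z = C_{Z_0} + C_{Z_\alpha} \alpha + C_{Z_q} \frac{q\bar{c}}{V} + C_{Z_{\delta_{e_{ir}}}} \delta_{e_{ir}} + C_{Z_{\delta_{e_{il}}}} \delta_{e_{il}} + C_{Z_{\delta_{e_{or}}}} \delta_{e_{or}} + C_{Z_{\delta_{e_{ol}}}} \delta_{e_{ol}} +$$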
As a result, Fig. 13.8 shows the autopilot control outer loop architecture. In this
set-up the outer loop quantities VTAS , γ and χ can provide the connection to the
Mode Control Panel, operated by the human pilot, on which he can set up specific
values for these quantities to be tracked. Alternatively, and as used in the exper-
iments considered here, the same quantities can be used to implement waypoint
control, where these quantities can be calculated from the distance between the last
and next waypoint in the three cartesian coordinate components using trigonometry.
Finally, two more remarks must be added concerning Fig. 13.8. The acronym ‘LC’
stands for linear controller. Moreover, some requirements have been implemented
on the roll angle, which is limited between +45° and −45°. These maximum roll
angles should be adapted in post failure conditions, dependent upon the extent of
the damage suffered by the aircraft, and thus how far the safe flight envelope has
been reduced.
In order to have some commonality in the evaluation of the different FTFC strate-
gies, it has been decided to focus on three cases for the off-line evaluation, namely
stabilizer runaway, rudder loss and the engine separation Bijlmermeer accident. In
order to save space, the first two scenarios are discussed jointly below.
Fig. 13.8 NDI autopilot outer loop, featuring VTAS , γ and χ control
of the post-failure safe flight envelope. Currently, these manoeuvre limits have been
defined heuristically following evaluating simulation runs for this analysis. Future
research will investigate the use of safe flight envelope prediction in order to derive
these manoeuvre limits based on the model estimation parameters. Two benchmark
trajectory phases have been analysed for this control setup, namely straight flight
and right hand turn. The straight flight is the time span between the failure oc-
currence and the first waypoint. The phase between first and second waypoint is
classified as the right hand turn manoeuvre. Besides, the beneficial influence of the
repeated identification procedure after failure is illustrated in Fig. 9(b). As can be
seen in this figure, the NDI controller is not capable of flying properly from the
second waypoint towards the third one without identifying the new aircraft dynam-
ics. As a matter of fact, loss of the rudder is a drastic structural failure, as already
illustrated in section 13.4.2, and the NDI controller is not able to fulfil the mission
profile with the new aircraft configuration if the mathematical model used by the
controller is not updated post-failure.
Concerning the straight flight phase, the states as well as the specific forces have
been analysed in Fig. 13.10. The state requirements are clearly all satisfied, and
also the specific forces seem acceptable. It is apparent that there is no significant
influence from the stabilizer runaway in any of the graphs. The rudder loss effect
is clearly visible in the lateral specific force Ay time history. However, the force
scale shows that this is not a significant issue. Also for the right turn, the state re-
quirements are satisfied as can be seen in Fig. 13.11. Due to the more stringent
roll angle limitation from 30 to 20 degrees after rudder loss, it takes a longer time
to execute the turn in the different scenarios, which explains the time difference in
figures 11(a) and 11(b). The same issue holds for the kinematic acceleration require-
ments in Fig. 13.12. Only body roll and yaw rates together with sideslip angle suffer
small violations of the specifications; this is connected to the behaviour explained
Fig. 13.9 Aircraft trajectory with FTFC autopilot along three waypoints: (a) aircraft
trajectory with FTFC autopilot along three waypoints in the scenarios unfailed, stabilizer
runaway and rudder loss; (b) part of aircraft trajectory with FTFC autopilot between two
final waypoints in the scenario rudder loss without identification
below, together with the analysis of the lateral kinematic acceleration. Analysing
the kinematic accelerations in Fig. 13.12 shows that only the lateral kinematic ac-
celeration ay is not satisfied. This is caused by the directional stability problem, due
to the missing rudder surface. This missing rudder eliminates directional stability,
as shown in Fig. 5(c). Consequently, lateral damping is insufficient during the turn,
and after ending the right hand turn, the aircraft also has the tendency to continue
a slipping flight, which is indicated by the time history of this quantity. This prob-
lem can be solved by incorporating differential thrust in order to promote artificial
lateral damping. This is one of the points for further work.
The control surface deflections are shown and compared hereafter. Fig. 13.13
shows the control surface deflections commanded by the fault tolerant flight control
system in a nominal unfailed scenario. On the contrary, Fig. 13.14 gives the same
Fig. 13.10 Straight flight phase performance check with assessment criteria for stabilizer
runaway and rudder loss (time histories of VTAS, chi, gamma, alpha, beta, nz, Axb, Ayb
and Azb against time [s])
Fig. 13.11 Right turn flight phase states performance check with assessment criteria for
stabilizer runaway and rudder loss: (a) states nominal and stabilizer runaway; (b) states
rudder loss
Fig. 13.12 Right turn flight phase kinematic accelerations performance check with
assessment criteria for stabilizer runaway and rudder loss: (a) states nominal and
stabilizer runaway; (b) states rudder loss
deflections in the stabilizer runaway scenario. In this figure, it can be seen that the
elevators compensate for the disturbing stabilizer failure. Finally, Fig. 13.15 repre-
sents the control surface deflections in the vertical tail loss scenario. Here, it is clear
that there are no rudder deflections anymore after the failure, since the aircraft lacks
the complete rudder. On the contrary, aileron and spoiler deflections indicate that
they are more active compared to the unfailed scenario, since they are compensat-
ing for the lack of rudder input.
Fig. 13.15 Vertical tail loss scenario flight control surface deflections
Fig. 13.16 Aircraft trajectory with autopilot along three waypoints in the scenarios FTFC
controlled no failure, FTFC controlled with failure, classically controlled with failure
tolerant controller clearly can. Despite its failure accommodation qualities, it is clear
that there is a difference in the trajectory between the unfailed and the NDI failed
situation. The reason for this is again that the maximum safe roll angle with right
wing damage, lost right wing engines and only half the hydraulics is limited to 20°,
again due to the post-failure safe flight envelope. The same two benchmark trajec-
tory phases have been analysed for this scenario too. The straight flight is the time
span between the failure occurrence and the first waypoint. The phase between first
and second waypoint is classified as the right hand turn manoeuvre.
Fig. 13.17 Straight flight phase performance check with assessment criteria for the three
engine separation scenarios (legend: NDI no failure, NDI failure, classic failure)
Fig. 13.18 Right turn flight phase states performance check with assessment criteria for the
three engine separation scenarios
Concerning the straight flight phase, the states as well as the specific forces have
been analysed in Fig. 13.17.
The state requirements are satisfied, and also the specific forces seem acceptable
in Fig. 13.17. In the state graphs, it can be seen that proper energy management is
important in this failed situation as explained in chapter 6; only altitude or speed can
be maintained. The choice has been made to increase speed up to 170m/s and then
to allow the speed to decrease down to 133.8m/s, after which the throttle is opened.
From figs. 13.18 and 13.19, the same conclusions can be drawn. Due to the more
stringent roll angle limitation from 30 to 20 degrees after the engine separation fail-
ure, it takes a longer time to execute the turn in the failed scenario, which explains
the time difference. All requirements in figs. 13.18 and 13.19 are satisfied. In the
Fig. 13.19 Right turn flight phase kinematic accelerations performance check with
assessment criteria for the three engine separation scenarios: (a) kinematic accelerations
nominal runaway; (b) kinematic acceleration engine separation
Fig. 13.21 Engine separation scenario with fault tolerant controller flight control surface
deflections
[Figure: control surface deflections against time [s]; panels δ [deg] (inner elevator
right), δsp [deg] (spoilers #1 to #12) and ih; δr [deg] (stabilizer angle, upper rudder,
lower rudder)]
Fig. 13.22 Engine separation scenario with classic controller flight control surface
deflections
13 Online Physical Model Identification and NDI 395
failed situation the requirements on the lateral kinematic acceleration ay are not
completely met. This is due to the asymmetric damage. A certain non-zero roll
angle φ, sideslip angle β and thus lateral kinematic acceleration ay are needed to keep
the aircraft in equilibrium.
The control surface deflections are shown and compared hereafter. Fig. 13.20
shows the control surface deflections commanded by the fault tolerant flight
control system in a nominal unfailed scenario. Fig. 13.21 gives the same deflections in
the engine separation scenario. In this figure, it can be seen that quite a few control
surfaces are inoperative due to the partial loss of hydraulics. However, the
remaining operative control surfaces, like two of the four elevators and a small subset of
ailerons and spoilers, are able to steer the aircraft along the predefined waypoints.
Finally, Fig. 13.22 represents the control surface deflections for the same engine
separation scenario, but with the classical controller with less control authority. The
simulation ends considerably sooner compared with figs. 13.20 and 13.21; this is
because the aircraft hits the terrain.
13.8 Conclusions
Summarizing, it can be stated that, following numerical as well as physical
experiments on the Simona Research Simulator, the fault tolerant flight control approach
based upon the real time physical model identification integrated with nonlinear
dynamic inversion is successful in recovering damaged aircraft. The designed methods
are capable of accommodating the damage scenarios which have been investigated
in this project.
Another important result is that model identification using the two step method
has proven to be real time implementable in practice. Experiments have shown that
even a real time static stability analysis is possible with this method.
As already stated, experiments have been performed on desktop computers and
on the Simona Research Simulator. The analysis of manual control in Simona has
demonstrated superior handling qualities; the pilot workload is reduced dramatically
in failure conditions. Also autopilot control, which has been verified numerically,
shows satisfactory performance. The crippled aircraft is kept in the air and satisfies
almost all criteria which have been defined as an evaluation standard for the FTFC
strategies.
References
1. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable
flight control. IEEE Transactions on Control Systems Technology 3(2) (March 1997)
2. Campa, G., Seanor, B., Gu, Y., Napolitano, M.R.: Nldi guidance control laws for close
formation flight. In: American Control Conference, Portland, OR, USA, June 8-10
(2005)
13 Online Physical Model Identification and NDI 397
3. Chu, Q.P.: Lecture Notes AE4-394, Modern Flight Test Technologies and System Iden-
tification. Delft University of Technology, Faculty of Aerospace Engineering (2007)
4. Chu, Q.P., Mulder, J.A., Sridhar, J.K.: Decomposition of Aircraft State and Parameter
Estimation Problems. In: Proceedings of fhe 10th IFAC Symposium on System Identifi-
ation, vol. 3, pp. 61–66 (1994)
5. Groszkiewicz, J.E., Bodson, M.: Flight control reconfiguration using adaptive methods.
In: Proceedings of the 34th Conference on Decision & Control, New Orleans, LA, De-
cember 1995. IEEE, Los Alamitos (1995)
6. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems.
Cooperative Systems, vol. 2. Kluwer Academic Publishers, Dordrecht (2003)
7. Huisman, H.O.: Fault tolerant flight control based on real-time physical model identifi-
cation and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology,
Faculty of Aerospace Engineering, Control and Simulation Division, June 20 (2007)
8. Jategaonkar, R.: Flight Vehicle System Identification: A Time Domain Methodology, 1st
edn. Progress in Astronautics and Aeronautics Series, vol. 216. AIAA (2006)
9. Jones, C.N.: Reconfigurable flight control first year report. Technical report, Control
Group Department of Engineering, University of Cambridge (2005)
10. Kale, M.M., Chipperfield, A.J.: Stabilized mpc formulations for robust reconfigurable
flight control. Control Engineering Practice 13, 771–788 (2004)
11. Laban, M.: On-Line Aircraft Aerodynamic Model Identification. Ph.D. thesis, Delft Uni-
versity of Technology (May 1994)
12. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A.: Lecture Notes AE4-301, Automatic Flight
Control System Design. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands (January 2005)
13. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A., Joosten, D.A.: Real time damaged aircraft
model identification for reconfiguring control. In: Proceedings of the AIAA AFM con-
ference, number AIAA-2007-6717, Hilton Head, SC (August 2007)
14. Maciejowski, J.M.: Modelling and predictive control: Enabling technologies for recon-
figuration. Annual Reviews in Control 23, 13–23 (1999)
15. Mulder, J.A.: Design and evaluation of dynamic flight test manoeuvers. PhD thesis, TU
Delft, Faculty of Aerospace Engineering (1986)
16. Mulder, J.A., Chu, Q.P., Sridhar, J.K., Breeman, J.H., Laban, M.: Non-linear aircraft
flight path reconstruction review and new advances. Progress in Aerospace Sciences,
PIAS 35, 673–726 (1999)
17. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: AE3-302 Flight
Dynamics, Lecture Notes. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands (January 2006)
18. Ostroff, A.J., Bacon, B.J.: Enhanced ndi strategies for reconfigurable flight control. In:
Proceedings of the American Control Conference, Anchorage, AK, May 8-10 (2002)
19. Ramakrishna, V., Hunt, L.R., Meyer, G.: Parameter variations, relative degree, and stable
inversion. Automatica 37, 871–880 (2001)
20. Reiner, J., Balas, G.J., Garrard, W.L.: Flight control design using robust dynamic inver-
sion and time-scale separation. Automatica 32(11), 1493–1504 (1996)
21. Slotine, J.-J.E., Li, W.: Applied Nonlinear Control. Prentice Hall, Englewood Cliffs
(1991)
22. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. Wiley Europe,
Chichester (2003)
Chapter 14
A Combined Fault Detection, Identification and
Reconfiguration System Based around Optimal
Control Allocation
14.1 Background
The approach to the fault tolerant control problem presented here is based on many
years of research into the topic. The primary focus of this research has always
been military combat aircraft, though the application to a civil transport platform
has proved useful to further enhance the algorithms for both civil and military
application.
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 399–422.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
400 N. Swain and S. Manickavasagar
[Figure: attainable moment sets, Pitch Moment against Roll Moment; panels "3 controls"
and "6 controls"]
Fig. 14.1 Illustration of the attainable moments for a 2 dimensional moment demand with 3
(on the left) and 6 (on the right) control surfaces
future aircraft the design drivers often require a less conventional layout, perhaps
with multiple trailing edge surfaces and no tail-plane or rudder. Such arrangements
mean that traditional approaches to control allocation are no longer ideal or, indeed,
possible, thus an alternative approach is necessary. With multiple (more than three)
control surfaces, each capable of generating moments in each rotational axis, there
is, in general, an infinite number of combinations of control surface deflections that
meet a given set of moment demands. It seems natural in this situation to seek a
‘best’ combination of deflections from the multiple (infinite) solutions to the control
allocation problem. This, in turn, suggests the use of some form of optimisation
method.
Initial work looked at an existing approach to this problem developed by Durham,
who had been working on a technique called direct control allocation (DCA) [1].
This approach was concerned with identifying the point where a vector intersected
the surface of a convex hull. The convex hull represented the attainable moment set
generated under the assumption of a linear transformation between the set of
achievable control surface deflections and the set of moments produced. The method
employed by Durham searched around the outside of the convex hull to identify the
point at which a vector (representing the moment demands) intersected this hull.
This approach was effective with a small number of control surfaces, and a working
system which accommodated both rate and position limits of the available control
surfaces was quickly developed. With this system, optimal control that extracted
maximum performance in both the nominal cases (when all the surfaces were
available) was demonstrated. When one or more surfaces had failed, the optimal control
allocation helps to minimise the impact of the failure [2].
As can be easily appreciated, the mapping from the set of control surfaces to the
set of attainable moments becomes much more complex as the number of control
surfaces increases, and consequently the associated convex hull becomes much more
complex. Fig. 14.1 shows two example mappings from attainable control
deflection sets to a two dimensional attainable moment. In the first case, with only three
control surfaces, the attainable moment set is fairly simple, being the projection of
a cube onto the plane producing an attainable moment set bounded by a hexagonal
convex hull. However, it can be seen in Fig. 14.1 that, even with as few as six
control surfaces, mapping the convex hull can become very complex. This means that
even with a modest number of control surfaces, the original DCA algorithm is
computationally expensive and thus is not practical for real-time simulation. Therefore,
an alternative method of identifying the intersection of the demand vector and the
boundary of the attainable moment set was developed.
This alternative approach was based on the simplex linear programming
technique originally developed by Dantzig [3]. The advantage of this approach was that
the algorithm was significantly faster than the original DCA algorithm. Additionally
the computational cost with the new algorithm increased in an approximately linear
fashion with increasing number of control surfaces, as opposed to the exponential
increase of the original algorithm. By implementing this modified DCA algorithm
it was possible to create a real-time system that was practical for simulation testing.
The method was tested on a combat aircraft conceptual design, with and without
failures, and the performance was compared against more conventional control
allocation strategies [4, 5]. This testing demonstrated the potential performance benefits
of using an optimal control allocation method that made best use of the available
control surfaces.
Though the initial testing of the modified DCA algorithm was very promising,
it soon became apparent that the linear programming optimisation method was not
flexible enough to enable more complex designs to be developed. Specifically there
were two main problems:
• the three components of the moment demand could not be independently
considered (and weightings applied to allow trade-off between roll, pitch and yaw)
• it was not possible to add secondary requirements into the optimisation such as
minimising overall surface deflections to improve drag or radar cross-section
These two issues suggested the introduction of a quadratic cost function. Since
the linear programming technique was no longer applicable, the move to a quadratic
programming technique was investigated.
There are many existing quadratic programming techniques available, of which a
method called active set optimisation was chosen as appropriate to the task [6]. A
standard active-set algorithm was implemented in C using a combination of bespoke
components and existing published algorithms [7]. Though the resulting algorithm
worked as desired, there were again problems with real-time implementation due to
its complexity. Through application of the algorithms on many different simulation
models (including the benchmark aircraft from the GARTEUR action group) a
refined algorithm has been developed that is more robust and has increased efficiency
by using an optimisation algorithm that is tuned specifically to the control allocation
problem. The result is an algorithm capable of calculating the optimal control
surface deflections in real-time at appropriate frame rates (100 Hz) on a model with a
large number of surfaces (the implementation of the benchmark used in this research
assumes 20 independent control surfaces) and has been tested on systems with very
modest computational power (see Section 14.1.3).
sensor noise. But, as the reference model deviated from the ‘true’ performance of
the model, and as sensor noise was introduced, the performance was greatly
reduced; consequently, this approach proved to be impractical.
In order to address this, a general survey of other techniques for online parameter
identification was carried out. Kalman filters were identified as a possible way to
increase robustness, by decreasing sensitivity to model uncertainty and sensor noise.
A new FDI system that used a Kalman filter to identify a ‘mean’ gain on the control
surface effectiveness was created. Testing proved that this approach had increased
robustness, but with increased detection times. However, increased robustness and
stability is felt to be more important in this identification task; if responsiveness
proves to be an issue, then a dual system, which includes a fast component and a
slower, more robust component, may need to be developed.
14.2 Introduction
A modern aircraft will have a range of possible force and moment generators that
can be used to alter its trajectory. These shall be referred to as control effectors
or more simply as controls. These control effectors can be anything that is able
to generate a change in the total force and/or torque acting on the aircraft. Some
examples are listed below, but the list is not exhaustive:
• Moving flaps such as elevators, rudders, ailerons, leading or trailing edge flaps
• Moving aerofoils such as tailplanes, canards, twisting/morphing wings, moving
wings or rotary wings/blades
acting in the x, y and z directions respectively and L, M and N for the moments acting
about the x, y and z axes respectively. By utilising the control effectors it is possible
to create changes in the six forces and moments, each control having an effect on
each of the forces and moments (these effects may be independent or coupled with
the effect of the other controls).
14.3.1 Sensors
The FDI system requires specific information to successfully identify faults that
have occurred. In addition to the more typically available sensor data, information
such as achieved actuator deflections, feedback for the Actuator FDI and rotational
acceleration data for the NDI system have been included in the aircraft model. The
achieved actuator deflection sensors are not necessarily utilised by current flight
control systems but this information is often present within the actuator’s own
internal control and could be made available to the FCS. Also, it may be
uncommon to find rotational acceleration sensor data in legacy aircraft, but this could be a
This relates the pitch acceleration q̇ to the pitch moment M, taking into account
the inertial cross coupling of the roll rate p and yaw rate r. This form assumes that
the aircraft has lateral symmetry such that the products of inertia Ixy and Iyz are
zero [12].
Equation 14.1 enables a relationship between a pitch acceleration demand q̇d and
the pitch moment to be derived. However, rotational acceleration is not a practical
parameter to control directly, it is far more useful for the inner-loop control to be
driven by rotational rate demands such as qd . Therefore the NDI controller derives
the pitch acceleration demand from the pitch rate demand such that
where bq is a constant, referred to as the pitch bandwidth. The bandwidth is the only
part of the derived control system that has to be tuned for the specific platform. If
the bandwidth is set too low the response of the closed-loop system will be sluggish,
whilst if it is set too high there is a risk of large-scale oscillatory transients in the
response of the system. In practice, however, it is an easy task to set an appropriate
value for the bandwidth for the chosen aircraft based on the size of the aircraft and
the response rate of the actuation system.
A complete control system for roll, pitch and yaw can easily be derived based on
these simple concepts to create a simple but powerful control strategy [13]. The only
deviation from the standard NDI implementation is the addition of limit blocks on
the roll, pitch and yaw rate demands, and acceleration demands. These limit blocks
were added to allow the envelope protection system to limit the demands placed on
the aircraft.
$$B_{i,j} = \frac{\partial m_i}{\partial u_j} \qquad (14.4)$$
Fig. 14.5 The role of DCA. The demanded changes in moments (with suffix ‘dem’) are
mapped to a change in control surface by the DCA block. The intention is that the achieved
change in moments (indicated with the suffix ‘ach’) caused by the new surface deflections
will be as close to the demand as possible
The specific role of the DCA is to find an optimal change in surface positions
that minimises an appropriate cost function. The exact nature of the cost function
used is dependent on the optimisation criterion that is chosen. It is perhaps
obvious that minimising the change in control surface deflection used to meet a given
demand is beneficial, since excessive changes in control surface deflection increase
power requirements and actuator wear. However, testing with a control allocation
algorithm that only minimises the change in surface deflection identifies a flaw with
this approach. Though each change in surface deflection is minimised to require the
smallest amount of actuator usage, the cumulative effect over time of each
individual change in surface deflection can lead to large control deflections where the
individual surfaces cancel out the effect of each other, and so provide
no net benefit to the control of the aircraft. This is not acceptable since it increases
the risk of surface saturation and can adversely affect the total drag or radar
cross-section of the aircraft. For this reason an optimisation criterion called the biased
minimum deflection criterion was proposed. Again, the basis of this criterion is to
minimise the change in control surface deflection, but not relative to the current
surface deflections. Instead the change in surface deflection is minimised about a
surface deflection biased towards a preferred control surface deflection. This preferred
deflection could simply be zero for all surfaces or could be chosen to optimise for a
secondary effect such as reduction of drag or radar cross-section.
The combined task of best meeting the change in moment demand whilst
minimising the change in deflection relative to a preferred deflection can be formulated
as a quadratic programming task of the form,
$$\min_{\nu} \; C = \tfrac{1}{2}\,\nu^{T} H \nu + f^{T} \nu \qquad (14.5)$$
subject to an equality constraint (that encompasses the change in moment demand)
$$A\nu = 0 \qquad (14.6)$$
and an inequality constraint that accounts for the position and rate limits of the
actuators
$$\nu_{L} \le \nu \le \nu_{U} \qquad (14.7)$$
There are many ways to solve such a quadratic programming problem. The DCA
algorithm uses an active set method approach that has been formulated for the
specific task to increase computational efficiency. Since H in (14.5) is positive definite,
the cost function is convex and so there is a unique solution. The algorithm
will generally find this minimum in a few iterations (generally less than or equal to
the number of control effectors). In a few rare situations the algorithm will run on
beyond this and it can enter a cycle. Though, theoretically, this cycle can continue
indefinitely, in practice it is easy to guard against. In this state there is generally only
slight variation in the value of the cost function and for the real-world control
allocation problem it is acceptable to use a very near optimal solution (sensor noise and
disturbances are likely to be far more significant than a small variation away from
the optimal solution).
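The following is an added example, not code from the chapter or from the authors' DCA implementation. It solves a box-constrained quadratic programme of the form (14.5) and (14.7) for a constructed two-moment, four-surface aircraft. It assumes the moment demand enters the cost as a weighted penalty rather than through the equality constraint (14.6), and it uses cyclic coordinate descent with clipping instead of the active set method; the matrix `B`, the limits, the weights and `eps` are all constructed values.

```python
"""Box-constrained control allocation with a biased minimum deflection cost."""

# Constructed effectiveness matrix B[i][j] = d(moment i)/d(control j).
# Rows: roll, pitch. Columns: left aileron, right aileron, left/right elevator.
B = [[1.0, -1.0, 0.2, -0.2],
     [0.1,  0.1, 1.0,  1.0]]


def build_qp(B, dm_dem, u, u_pref, weights, eps):
    """Return H, f of C = 1/2 v'Hv + f'v, where v is the change in deflection and
    C = 1/2 sum_i weights[i]*((B v)_i - dm_dem[i])^2 + eps/2 * |u + v - u_pref|^2."""
    m, n = len(B), len(u)
    H = [[sum(weights[i] * B[i][j] * B[i][k] for i in range(m))
          + (eps if j == k else 0.0) for k in range(n)] for j in range(n)]
    f = [-sum(weights[i] * B[i][j] * dm_dem[i] for i in range(m))
         + eps * (u[j] - u_pref[j]) for j in range(n)]
    return H, f


def step_bounds(u, u_min, u_max, rate, dt):
    """Bounds on v for one frame: the tighter of the position and rate limits."""
    lo = [max(u_min[j] - u[j], -rate[j] * dt) for j in range(len(u))]
    hi = [min(u_max[j] - u[j], rate[j] * dt) for j in range(len(u))]
    return lo, hi


def solve_box_qp(H, f, lo, hi, max_sweeps=50000, tol=1e-12):
    """Minimise 1/2 v'Hv + f'v subject to lo <= v <= hi. H is positive definite,
    so exact minimisation over one coordinate at a time, clipped to the bounds,
    converges to the unique minimum. The sweep cap guards against running on."""
    n = len(f)
    v = [min(max(0.0, lo[j]), hi[j]) for j in range(n)]
    for _ in range(max_sweeps):
        biggest = 0.0
        for j in range(n):
            grad = f[j] + sum(H[j][k] * v[k] for k in range(n))
            new = min(max(v[j] - grad / H[j][j], lo[j]), hi[j])
            biggest = max(biggest, abs(new - v[j]))
            v[j] = new
        if biggest < tol:
            break
    return v


def allocate(B, dm_dem, u, u_pref, u_min, u_max, rate, dt, weights, eps=0.01):
    """Change in deflection that best meets the demanded change in moments."""
    H, f = build_qp(B, dm_dem, u, u_pref, weights, eps)
    lo, hi = step_bounds(u, u_min, u_max, rate, dt)
    return solve_box_qp(H, f, lo, hi)


def achieved(B, v):
    """Change in moments produced by the change in deflection v."""
    return [sum(row[j] * v[j] for j in range(len(v))) for row in B]


def unwind(u0, frames, biased, rate=40.0, dt=0.01):
    """Hold a zero moment demand for several frames. biased=True prefers zero
    deflection; biased=False prefers the current deflection (pure minimum change)."""
    u, n = list(u0), len(u0)
    for _ in range(frames):
        pref = [0.0] * n if biased else list(u)
        v = allocate(B, [0.0, 0.0], u, pref, [-10.0] * n, [10.0] * n,
                     [rate] * n, dt, [1.0, 1.0])
        u = [u[j] + v[j] for j in range(n)]
    return u


if __name__ == "__main__":
    wide = ([-10.0] * 4, [10.0] * 4, [1000.0] * 4, 0.01)
    v = allocate(B, [1.0, 0.5], [0.0] * 4, [0.0] * 4, *wide, [1.0, 1.0])
    print("nominal change in deflection:", [round(x, 3) for x in v])
    print("achieved change in moments:  ", [round(x, 3) for x in achieved(B, v)])
    # Ailerons and elevators deflected against each other with no net moment.
    fighting = [5.0, 5.0, -0.5, -0.5]
    print("biased criterion after 20 frames:", unwind(fighting, 20, True))
    print("minimum-change only, 20 frames:  ", unwind(fighting, 20, False))
```

A jammed surface is expressed by setting its upper and lower position limits to its current deflection, which forces its entry of the result to zero and leaves the remaining surfaces to meet the demand.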
The function of the DCA algorithm can be seen in Fig. 14.6. For this illustration,
total moment rather than change in moment is being tested, and the demand is only
for roll and pitch moment (i.e. yaw moment demand is ignored) since it is easier to
visualise what is happening in the two dimensional case. Additionally, in this case,
the results are based on a subset of nine of the control surfaces from the benchmark
model (two ailerons, four spoilers, two elevators and the stabiliser), with surface
effectivenesses and surface deflection limits sampled at a single flight condition. Fig.
14.6 shows the output of three control allocation schemes to a range of different
moment demands as indicated by the circle (labelled ‘Moment Demand’). For any
given point on the moment demand locus, each allocation scheme will generate a set
of control surface deflections that will generate an achieved moment. Ideally the
demanded surface deflections will generate the required moment demand; however, the
surface deflections are bounded by the actuator deflection limits and so the demand
is not necessarily achievable.
The three traces (for DCA and two basic control allocation schemes BCA1 and
BCA2) show the respective loci of moments achieved for three different control
allocation schemes in response to different moment demands that generate the
Moment Demand locus. DCA is the optimal control allocation algorithm that is the
basis of the FTC system being presented here. BCA1 is a simple allocation scheme
that assigns each surface a distinct role for delivering either roll or pitch moments
(in this case the two ailerons and four spoilers are used for roll control and the two
elevators and the stabiliser are used for pitch control). The strategy utilised in BCA1
is very simple, but is similar to control allocation approaches on many production
and experimental aircraft, especially when the control allocation task is embedded
in the overall inner-loop control task. BCA2 is a slightly more sophisticated version
of BCA1 that makes use of the actuator position limits. It can be easily seen that
the DCA produces a significantly larger proportion of the moment demand for the
majority of possible demands. BCA1 and BCA2 both produce much smaller
proportions of the moment demand, though BCA2 does cover a slightly larger area that
suggests better performance. However, there is a small region where the achieved
moment is larger than the demanded moment, which is unlikely to be acceptable.
The reason this occurs is that both BCA1 and BCA2 assume that an individual
surface only generates moments in one of the two axes i.e. the ailerons and spoilers
[Figure: Pitch Moment (N.m) against Roll Moment (N.m), both axes scaled by 10^6;
legend: Attainable Moments, Moment Demand, DCA Achieved, BCA1 Achieved, BCA2 Achieved]
Fig. 14.6 A comparison of the moment generation capability of several control allocation
schemes.
only generate roll moments and the elevators and stabiliser only generate pitch
moments. In reality, all surfaces will generate some moments in all rotational axes, and
it is the fact that these additional effects have been ignored that allows the achieved
moments to exceed the demands. Again, it is quite common for these secondary
moment generation effects to be ignored in existing control allocation strategies except
in certain specific cases such as the roll-yaw coupling of rudders.
The shaded region in Fig. 14.6 indicates the total set of attainable moments for
combinations of control surface deflections within the limits of the actuator position
limits (this region being the convex hull, similar to that illustrated in Fig. 14.1). It
can be seen that DCA spans the entire shaded region that lies within the loci of
moment demands. This indicates that DCA is generating the maximum attainable
moments for any given demand, as should be expected from an optimal control
allocation scheme.
The Control Allocation algorithm is dependent on several pieces of information
being provided. The required inputs for the control allocation algorithm are:
• Demanded changes in roll, pitch and yaw moments
• Control deflections
• Control effectiveness matrix
• Control rate limits
• Control position limits
The first of these is provided by the dynamic inversion component of the control
system and the second is provided by position sensors. The final three are not easily
obtained. In the nominal case, values for these three inputs can be generated from
knowledge of the actuator dynamics (for the positional and rate limits) and from a
reference model or schedule (for the effectiveness matrix). However, when the
aircraft is damaged, some or all of this information will be different from the nominal
case and so it is desirable to ascertain the new values of these inputs. The higher
the accuracy of this new information, the more efficient and accurate the control
allocation can be. The identification of this information is the role of the FDI
system, which consists of two main components referred to as aerodynamic FDI and
actuator FDI.
where λi is the surface effectiveness of the ith control effector, ui is the deflection of
the ith control effector and m is the moment vector. If no failure has occurred and
there is a perfect reference model then the surface effectiveness gains are expected
to be unity. An imperfect reference model or sensor noise will mean that the value of
λ will vary even when there are no failures. Since the effectiveness values that form
the reference model are also used to drive the DCA component, then this variation
in λ is used to correct for errors in the reference model, but there is an assumption
that such variations are small. It is only in the presence of failures that the values of
λ are assumed to greatly vary from unity.
Fig. 14.7 Estimation of force and moment errors and change in force and moment errors
The advantage of this approach is that, although the error is modelled as a linear
relationship, the reference model can account for non-linearity in the aircraft
aerodynamics. As long as the percentage loss of effectiveness is not highly sensitive to
flight condition, the gain will not change rapidly with time. The obvious exception
to this is when a failure occurs. At the time of the failure a step change in one or
more of the effectiveness gains is assumed.
If the error between the reference model and actual aircraft is large and highly
non-linear then the above assumptions will no longer be valid. For this reason a
reasonably accurate model is required.
[Figure: surface effectiveness λ against Time (s) for the No Failure Case and the Failure
Case; four panels, the lower pair titled Right Outboard Aileron and Left Outboard Aileron]
The structure of the system is illustrated in Figs. 14.7 and 14.8. The Kalman
filter uses errors in the predicted change in forces and moments to estimate a gain
on the surface effectiveness for each surface. This gain is zero when there are no
failures (since the system is based on change in forces and moments) and so λ
values are equal to the output of the filter plus one. The filter uses an error generated
between the estimated forces and moments that the aircraft has currently acting on
it and the forces and moments predicted by the reference model for the current
flight condition. The achieved forces and moments are calculated by inverting the
rigid body equations of motion, though this is only approximate when the incoming
sensor signals are noisy.
Fig. 14.9 shows the results for a fault of a 40% reduction in the control surface
effectiveness of the left outboard aileron. It can be seen that the control surface
effectiveness for the first three ailerons is at its nominal level (i.e. close to 1),
where a slight deviation can be seen in the measure of the control effectiveness.
As discussed earlier in the section, this can be attributed to small discrepancies
within the reference model and noise in the signals. However, for the left outboard
aileron, the control surface effectiveness shows a larger difference due to the fault
and settles out at approximately 55%. The nominal control surface effectiveness of
this surface is approximately 90%. Comparing this with the reduced control surface
effectiveness gives a decrease of 39%, which shows both an accurate detection
and identification of the fault. The reduced control surface effectiveness takes a
significant length of time to settle out. In order to increase the robustness of the
FDI component the Kalman Filter has its sensitivity set at a fairly low level. There
is always a trade-off to be made between robustness and sensitivity but the overall
response time of the system could be increased by a higher fidelity reference model
or better sensors. This said, the current system seems to fly well in most failure
cases due to an inherent robustness within the inner-loop control. If it is required
to increase overall detection times of aerodynamic faults then it may be necessary
to modify the sensitivity of the FDI algorithm. This may be possible with a two
component aerodynamic FDI system that consists of a fast component with low
authority and a slower component with higher authority.
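The following is an added example, not the chapter's filter (whose structure in Figs. 14.7 and 14.8 is not reproduced here). It illustrates the filter described above and the robustness versus sensitivity trade-off with a scalar Kalman filter whose state is the gain λ − 1 of one surface, modelled as a random walk. The perfect reference model, the sinusoidal excitation, the noise level and the two process noise settings are constructed assumptions.

```python
"""Scalar Kalman filter estimating a surface effectiveness gain (lambda - 1)."""
import math
import random

DT = 0.01             # frame time [s], 100 Hz
T_END = 80.0          # length of the constructed run [s]
T_FAULT = 20.0        # time of the step loss of effectiveness [s]
LAMBDA_FAULT = 0.6    # effectiveness after a 40 % loss
B_REF = 1.0           # reference-model effectiveness, moment per degree (constructed)
SIGMA = 0.005         # std of the noise on the moment-change error (constructed)


def simulate(seed=0):
    """Per-frame pairs (h, z): h is the change in moment predicted by the
    reference model, z is the error between achieved and predicted change."""
    rng = random.Random(seed)
    k_fault = int(round(T_FAULT / DT))
    frames = []
    for k in range(int(round(T_END / DT))):
        t = k * DT
        du = 5.0 * (math.sin(0.5 * (t + DT)) - math.sin(0.5 * t))  # [deg]
        h = B_REF * du
        lam = 1.0 if k < k_fault else LAMBDA_FAULT
        frames.append((h, (lam - 1.0) * h + rng.gauss(0.0, SIGMA)))
    return frames


def estimate_lambda(frames, q, r=SIGMA ** 2, p0=1e-4):
    """Random-walk Kalman filter on x = lambda - 1 with measurement z = h*x + noise.
    q is the process noise per frame: small q is robust but slow, large q is
    fast but noisy. Returns the lambda estimate (filter output plus one)."""
    x, p, out = 0.0, p0, []
    for h, z in frames:
        p += q                         # time update of the variance
        gain = p * h / (h * h * p + r)
        x += gain * (z - h * x)        # correct with the prediction error
        p *= 1.0 - gain * h
        out.append(1.0 + x)
    return out


def window(values, t0, t1):
    return values[int(round(t0 / DT)):int(round(t1 / DT))]


def window_mean(values, t0, t1):
    w = window(values, t0, t1)
    return sum(w) / len(w)


def window_scatter(values, t0, t1):
    w = window(values, t0, t1)
    mean = sum(w) / len(w)
    return math.sqrt(sum((x - mean) ** 2 for x in w) / len(w))


def settling_time(lams, band=0.05):
    """Seconds after the fault until the estimate first comes within band of
    the true post-fault effectiveness; None if it never does."""
    for k in range(int(round(T_FAULT / DT)), len(lams)):
        if abs(lams[k] - LAMBDA_FAULT) < band:
            return k * DT - T_FAULT
    return None


if __name__ == "__main__":
    data = simulate()
    for name, q in (("low sensitivity", 1e-7), ("high sensitivity", 1e-5)):
        lam = estimate_lambda(data, q)
        print(name, "settles after", settling_time(lam), "s; scatter before fault",
              round(window_scatter(lam, 10.0, 20.0), 4),
              "; final estimate", round(window_mean(lam, 70.0, 80.0), 3))
```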
Though simple, this system can detect many different faults such as:
• Control restrictions caused by a loss of hydraulic power or a physical restriction
on the surface due to damage or icing will be detected as a change in the upper
and/or lower limits to new, non-equal values.
• Surface jams caused by total failure of a stepping actuator or physical restriction.
Detected as a change of upper and/or lower position limits to new, equal, values.
• Reduced rate limits due to partial loss of actuation power. Detected as new upper
and/or lower rate limits.
• Surface runaway caused by an error in the signal driving the actuator or an
internal malfunction in the actuator. Detected initially as a change in upper and lower
rate limits to the same value (that being the rate at which the surface is
‘running’ away). Once the actuator has saturated, the fault will change to the surface
jam case.
In the case of physical damage that causes the surface to become disconnected
from the actuator (and possibly in the case of a total loss of hydraulic power), the
surface will float freely. How this fault is detected depends on what signal is fed
back to the actuator FDI system; either surface deflection or actuator deflection. In
the former case the actuation system could detect the failure as zero upper and lower
rate limits, but it would not detect the latter case. However, a floating surface tends
to have a greatly reduced aerodynamic effect on the aircraft dynamics, and so the
latter case could be detected as an aerodynamic fault rather than an actuator fault.
There are other possible actuator failures such as oscillatory errors, offsets and
intermittent sticking. These failures are not accommodated by the current actuator
FDI system since such failures have not been a feature of any simulation models
investigated to date. The system could be augmented to accommodate these failures
with an extension to the logic within the actuator FDI algorithm or by separate pre-
processing of the actuator errors.
Fig. 14.11 shows the time history of two aileron surface deflections subject to a
fault (control restriction of control surface deflection of ±5 degrees) at 0 seconds.
A bank angle demand is used as an input to excite the control surfaces. The
actuator FDI system accurately detects and identifies the fault 0.29 seconds after
the right outboard aileron reaches the 5 deg deflection limit. It can be seen that
the actuator position limits are reduced to the aileron control restriction limits (of
±5 degrees), which ensures that the new deflection limits are used by the DCA. It
takes 0.45 seconds before the upper position limit for the right inboard aileron is
reduced, compared to the 0.1 seconds detection time for the right outboard aileron.
The delay in detection time can be attributed to the sensitivity of the algorithm
being limited by specified tolerances that allow greater robustness in the presence
of noise. The noisier the system, the lower the sensitivity will be; if higher
sensitivity is required then a change in the sensor suite would be necessary, either
through using less noisy sensors or introducing redundancy in the sensors to allow
better approximation of the true signal. However, the small delays in detection time
seen here are not significant enough to cause a problem in maintaining control of
the aircraft.
Fig. 14.11 Control Restriction on Aileron Deflection (Right-hand plots show detail of
left-hand plots)
Fig. 14.12 Flight envelope protection output for bank angle demand limit and roll control
gain in presence of failure (at 50 seconds)
and maintain ‘carefree’ handling. This is the aim of the flight envelope protection
(FEP) component of the FDI system.
Ideally the FEP system will be able to perform online stability and control as-
sessment of the damaged aircraft’s flying qualities across the flight envelope or, at
the very least, at the current flight condition. Additionally, to protect the structure,
online stress analysis would need to be performed for various aerodynamic loadings
to identify the integrity of the platform. Obviously this involves a huge amount of
computational capability to perform in real-time and so is currently impractical.
Research into FEP is still underway to find practical methods of approximating
the new limits online but a basic system has been developed using a combination of
heuristics and interpolation/extrapolation of offline assessment results. The current
system that has been developed has two main components: the health and inner-loop
limit estimation system, and the outer-loop limit estimation system.
The health system calculates a percentage health for each of the three rotational
axes based on the platform’s current ability to deliver moments in that axis. This
takes into consideration loss of control surface effectiveness, reduced rate limits
and control surface saturation. The current health for each of roll, pitch and yaw is
used to set limits for the inner-loop rate control system (the NDI component). In the
current system, the demands on rotational rate, rotational acceleration and the rate
control bandwidth are all limited. The values used for these limits decrease as the
health in the respective channel (roll, pitch or yaw) decreases. There are two levels
of limit applied: the recovery limit and the reinforcement limit. The recovery limit
is applied if the current rotational rate demand is tending the aircraft back towards
steady-state, whilst the reinforcement limit is applied if the rotational rate demand
is moving the aircraft further away from steady-state. These two limit levels can be
set at the same value, but testing suggests that the reinforcement limit should be
lower than the recovery limit thus allowing more conservative limits on demands
that could increase the risk of departure, whilst not reducing the aircraft’s ability to
reach, or recover to, steady state.
The outer-loop estimation system uses the failure information from the other FDI
system components to identify limits for the demands in the outer-loop control such
as bank angle, angle of attack, speed, linear acceleration and height rate. These are
all higher order effects whose limits are not directly linked to the moment gener-
ation ability of the aircraft but are more to do with preserving stability. It is not
currently possible to calculate these values online due to the high computational
cost, but research is currently looking for appropriate means to estimate these limits
online. In the meantime, a system based on offline assessment has been developed.
Various failure cases were tested in simulation to identify appropriate limits on the
outer-loop parameters, and a series of look up tables were generated. For partial fail-
ures the limits from the tables were interpolated from the non-failure and complete
failure cases. For multiple failures the limits from the tables were extrapolated.
The full system as outlined above was applied to a UCAV (Unmanned Combat
Air Vehicle) concept as part of our research but time constraints have meant that a
full version of the system has not been applied to the benchmark model. However,
testing with the benchmark has highlighted the importance of the flight envelope
protection system, and a reduced system that limited the bank angle and roll rate de-
mands was necessary to prevent departure (see El-Al benchmark example in 14.4.3).
Fig. 14.12 illustrates the output from the simplified FEP system implemented
on the benchmark model. The time history is for the full El-Al failure case, with the
failure occurring at 50 seconds. The FEP system is specifying a limit for bank angle
demand and a gain for the roll rate demands between the autopilot and the inner-
loop control. Before the failure occurs the limits remain at their nominal values (29
degrees and 3 respectively). After the failure has occurred the parameters reduce
over a period of about 1.8 seconds to reach the post-failure values of approximately
14 degrees and 1.5. The reduction is not instantaneous, since the failure detection
system takes a finite time to identify the nature of the failure and the output from
the FEP system changes as the various failed actuators are identified.
Fig. 14.13 Time history for the longitudinal failure case, stabiliser runaway occurring at 40
seconds. The time history for the case with no failure is provided for comparison
[Panels: heading (deg), sideslip (deg), speed (m/s), height (m) and AoA (deg) against
time (s); curves: No Failure, Failure]
only by a few centimetres. The most marked difference is in angle of attack. With
the displacement of the stabiliser the trim condition is at a slightly increased angle
of attack.
Overall, though potentially very problematic, the stabiliser runaway is handled
with practically no noticeable effect on the response of the aircraft.
Fig. 14.14 Time history for the lateral control failure case, loss of vertical tail occurring at
20 seconds. The time history for the case with no failure is provided for comparison
[Panels: bank angle (deg), heading (deg), sideslip (deg), speed (m/s), height (m) and
AoA (deg) against time (s); curves: No Failure, Failure]
the aircraft until the turn is initiated to change the heading from 90 degrees to 210
degrees. It can be seen that the turn is performed in a controlled fashion but that the
turn rate is lower than the case in which there is no failure. This is due to the flight
envelope protection system requiring the reduction in bank angle limit to prevent
departure. This is demonstrated in the full El-Al case next.
Fig. 14.15 Time histories for the full El-Al benchmark failure case. The Failure occurs at
20 seconds. The aircraft then performs a right-hand turn followed by a left-hand turn. Time
histories of the no failure case and the failure case with no flight envelope protection are
included for comparison
The case with an active flight envelope protection system does not depart but,
as in the lateral control failure case, has a lower turn rate. This is again due to the
reduced limits from the FEP system that have limited the maximum bank angle
demand and the roll rate control gain that reduces the demand entering the inner-
loop control system.
After the aircraft has settled on a heading of 268 degrees a left-hand turn is
demanded from a heading of 268 degrees to a new heading of 180 degrees at 400
seconds. This extra turn is added to test whether the port-wise turn performance
is also acceptable since an asymmetric failure such as this can impact port-wise
and starboard-wise performance differently. The reduced bank angle has reduced the
turn rate again but the aircraft is capable of making the turn and attaining the new
heading. Altogether this time history demonstrates that the full FTC system enables
even the extreme failure case of the full El-Al scenario to be accommodated. After
the failure the aircraft is still able to manoeuvre, accurately acquire new headings
and would be able to proceed to and perform the landing. The time history for the
case without the FEP system highlights the importance of having an active flight
envelope protection as part of fault tolerant control.
14.5 Conclusion
A system has been successfully developed for fault tolerant control based around
non-linear dynamic inversion and optimal control allocation. This system has been
extensively tested in simulation with different aircraft models including the El-Al
747 benchmark model used in the GARTEUR action group. This testing has demon-
strated that the system provides excellent flying qualities without failures and allows
a graceful degradation of performance if the aircraft experiences failures. The spe-
cific application to the benchmark model proved very useful since it features a vali-
dated model of a real-life failure case. The experience from this testing has allowed
a more robust system to be developed.
One key lesson from this research is the importance of a flight envelope protec-
tion system. The testing with the full El-Al failure case and the ‘loss of vertical tail’
case demonstrates that failures can mean that the nominal limits in the inner-loop
or outer-loop control are no longer appropriate to prevent departure. In these cases
it was necessary to reduce the bank angle demand limit and the roll gain limit to
prevent the aircraft crashing. More extensive testing on other models has suggested
that combinations of faults can require adjustment in several control limits, not only
to prevent departure but also to maintain acceptable flying and handling qualities.
Overall, the combined FDIR system based around optimal control allocation has
allowed a full FTC system to be rapidly applied to various aircraft models, and
has demonstrated the potential of FTC to improve aircraft safety. However, there
is potential for improvements, especially in the aerodynamic and actuator FDI, and
the flight envelope protection. It is the aim that these will be investigated in future
research.
Acknowledgement. The work documented here is based on many years of research into
Fault Detection, Identification and Reconfiguration, the vast majority of which was carried
out on behalf of the Ministry of Defence. The authors would like to acknowledge the support
and guidance of the Ministry of Defence and Defence Science and Technology Laboratories
(DSTL) in this work.
References
1. Durham, W.C.: Attainable Moments for the Constrained Control Allocation Problem. Journal of Guidance, Control and Dynamics 17(6), 1371–1373 (1994)
2. Swain, N.J.N.: Developments in direct control allocation for aeronautical vehicles. Unpublished DERA report (September 1999)
3. Fraleigh, J.B., Beauregard, R.A.: Linear Algebra, 2nd edn. Addison-Wesley Publishing, Reading (1990)
4. Berry, A.J., Swain, N.J.N.: A comparison of several control allocation schemes for reconfigurable flight control. Unpublished QinetiQ report (July 2001)
5. D’Mello, G.W., Hegarty, S.A., King, J., Swain, N.J.N.: Reconfigurable control: A simulation study of flight control system tolerance to airframe battle damage and actuator failures. Unpublished QinetiQ report (March 2002)
6. Optimization Toolbox 3, Eighth Printing, Matlab User’s Guide (September 2007)
7. Press, W.H., Teukolsky, S.A., Vetterling, W.T., Flannery, B.P.: Numerical Recipes in C. The Art of Scientific Computing, 2nd edn. (1992)
8. Napolitano, M.R., Neppach, C., Casdorph, V., Naylor, S., Innocenti, M., Silvestri, G.: Neural Network Based Scheme for Sensor Failure Detection, Identification and Accommodation. Journal of Guidance, Control and Dynamics 18(6), 1280–1286 (1995)
9. Napolitano, M.R., Neppach, C., Casdorph, V., Naylor, S., Innocenti, M., Silvestri, G.: Online Learning Neural Architectures and Cross-correlation Analysis for Actuator Failure Detection and Identification. International Journal of Control 63(3), 433–455 (1996)
10. Swain, N.J.N.: Research into Realisable Fault Tolerant Control. In: 19th International Unmanned Air Vehicle Systems Conference (March 2004)
11. Smith, P.R., Berry, A.J.: Flight test experience of a non-linear dynamic inversion control law on the VAAC Harrier, AIAA-2000-3914 (August 2000)
12. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. Wiley, Chichester (2003)
13. Smith, P.R., Burnell, J.J.: Non-linear dynamic inversion (NDI): a top down approach to control law design. Unpublished DRA Report (March 1994)
14. Kalman, R.E., Bucy, R.S.: New Results and Methods in Linear Filtering and Prediction Theory. Transactions of the ASME - Journal of Basic Engineering 83, 95–107 (1961)
Chapter 15
Detection and Isolation of Actuator/Surface
Faults for a Large Transport Aircraft
Andras Varga
15.1 Introduction
In this chapter we address the problem of detection and isolation of actuator faults
for a Boeing 747-100/200 from the perspective of fault tolerant control (FTC). The
main goal of FTC is to allow, after a successful identification of faults, the applica-
tion of appropriate control reconfiguration to ensure safe operation of the aircraft in
the presence of identified failures or, in extreme cases, to guarantee a safe landing
to the nearest airport. The most relevant faults for our analysis are related to four
categories of primary control surfaces: elevator, stabilizer, rudder, and ailerons.
In numerous studies, the occurrence of actuator faults for the Boeing 747-
100/200 aircraft has been addressed in a simplistic way, by assuming that all faults
related to a surface category occur simultaneously [1, 2]. For example, it is usu-
ally assumed that all four elevators are simultaneously affected by the same fault
or, equivalently, each elevator fault is assimilated with a global fault on all elevator
surfaces. As a consequence, the typical approach to compensate for elevator faults is
to use the stabilizer for the aircraft altitude control and ignore the possibility of em-
ploying, for the same purpose, the remaining healthy elevator surfaces. For the pur-
pose of FTC, such a simplifying assumption of simultaneous elevator faults prevents
exploiting the existing freedom in using healthy surfaces which could compensate
(fully or partially) the disturbance induced by the faulty surfaces.
This way of addressing the fault occurrence aspect is clearly not appropriate
for the purpose of FTC, where precise information on the available healthy
actuators/surfaces and faulty ones could be vital for an appropriate control
reconfiguration. The existing redundancy in the control surfaces makes it easier to
cope with partial failures providing an increased overall safety. Thus, handling only
complete surface failures is not a realistic option for FTC.
Andras Varga
German Aerospace Center, DLR - Oberpfaffenhofen
Institute of Robotics and Mechatronics
D-82234 Wessling, Germany
e-mail: Andras.Varga@dlr.de
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 423–448.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
In this chapter we focus on the design of residual generators with least dynam-
ical orders to solve actuator fault detection and isolation problems for the Boeing
747-100/200 aircraft. The main result of our analysis is the proof of feasibility of
the complete isolation of all primary actuator/surface faults in the nominal case
by using a minimal number of additional surface angle sensors. The analysis of
the nominal case provides residual filter specifications which can be employed in a
more realistic design, where robustness aspects with respect to external noise (gusts,
measurements) and parametric/flight condition uncertainties are also considered.
The paper is organized as follows. First we briefly review the solution of the
fault detection problem using scalar output detectors with least dynamical order.
The corresponding design procedure is based on the nullspace method in combina-
tion with dynamic cover techniques. This method is the basis for the design of a
bank of residual generators to solve the more involved fault detection and isolation
problems, where a given fault-to-residual influence structure must be achieved. The
design methods of residual generators for fault detection and isolation have been re-
cently implemented as robust numerical software, which extends the Fault Detection
Toolbox [3] of DLR. The new tools were used to study the feasibility of complete
fault detection and isolation of actuator faults for a Boeing 747-100/200 aircraft.
Fault detection at both the component (actuator) level and the system level is
discussed. Residual synthesis results are presented for detecting and isolating both
longitudinal and lateral axis failures for several influence structures of increasing
complexity. The main result of our study is the solution of the complete isolation
problem by employing a minimum number of additional surface sensors.
where $y(s)$, $u(s)$, $d(s)$, and $f(s)$ are Laplace-transformed vectors of the
$p$-dimensional system output vector $y(t)$, $m_u$-dimensional control input vector
$u(t)$, $m_f$-dimensional fault signal vector $f(t)$, and $m_d$-dimensional
disturbance vector $d(t)$, respectively, and where $G_u(s)$, $G_f(s)$ and $G_d(s)$
are the transfer-function matrices (TFMs) from the control inputs to outputs, fault
signals to outputs, and disturbances to outputs, respectively.
To detect faults, residual generator filters (or fault detectors) having the general
form
$$r(s) = R(s) \begin{bmatrix} y(s) \\ u(s) \end{bmatrix} \tag{15.2}$$
are employed, where r(t) is the residual signal generated from the available mea-
surements y(t) and control inputs u(t). A residual generator must fulfill two basic
requirements: 1) to generate zero residuals in the fault-free case, for arbitrary con-
trol and disturbance inputs; 2) to generate nonzero residuals when any fault occurs
in the system. These requirements can be made precise as follows:
Fault Detection Problem (FDP): Determine a proper and stable linear residual
generator having the general form (15.2) such that:
(i) $r(t) = 0$ when $f(t) = 0$ for all $u(t)$ and $d(t)$;
(ii) $r(t) \neq 0$ when $f_i(t) \neq 0$, for $i = 1, \ldots, m_f$.
In addition to the above requirements, it is often necessary for practical use that the
TFM of the detector R(s) has the least possible McMillan degree. Note that as a
fault detector, we can always choose R(s) as a rational row vector.
The fulfilment of requirement (ii) ensures that faults produce non-zero residual
responses. When designing fault detectors this requirement for fault detectability
is usually replaced by the stronger request that persistent (constant) faults produce
asymptotically persistent (constant) residuals. This requirement is known as strong
fault detectability and has a special importance for practical applications [22].
Let $G_{f_i}(\lambda)$ be the $i$th column of $G_f(\lambda)$. A necessary and sufficient condition for
the existence of a solution of the FDP is the following [4, 5]:
Theorem 15.1. For the system (15.1) the FDP is solvable iff
The requirements (i) and (ii) of the FDP can be easily transcribed into equivalent
algebraic conditions. Condition (i) is equivalent to
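$$R(s)G(s) = 0 \tag{15.4}$$
where
$$G(s) = \begin{bmatrix} G_u(s) & G_d(s) \\ I_{m_u} & 0 \end{bmatrix}, \tag{15.5}$$
while the detectability condition (ii) is equivalent to
$$R_{f_i}(s) \neq 0, \quad i = 1, \ldots, m_f \tag{15.6}$$
$$R_f(s) := R(s) \begin{bmatrix} G_f(s) \\ 0 \end{bmatrix} \tag{15.7}$$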
$$r_i(s) = R_i(s) \begin{bmatrix} y(s) \\ u(s) \end{bmatrix}, \quad i = 1, \ldots, q \tag{15.9}$$
Theorem 15.2. For the system (15.1) the FDIP with given fault signature matrix S
is solvable if and only if for each i = 1, . . . , q, we have
$$\operatorname{rank}\,[\, G_d(s) \;\; G_f^i(s) \;\; G_{f_j}(s) \,] > \operatorname{rank}\,[\, G_d(s) \;\; G_f^i(s) \,] \tag{15.10}$$
The standard approach to determine $R(s)$ is to design for each row $i$ of the fault
signature matrix $S$, a detector $R_i(s)$ which generates the $i$th residual signal
$r_i(t)$, and thus represents the $i$th row of $R(s)$. For this purpose, the nullspace
method can be applied with $G(s)$ in (15.5) replaced by
$$G(s) = \begin{bmatrix} G_u(s) & G_d(s) & G_f^i(s) \\ I_{m_u} & 0 & 0 \end{bmatrix}$$
and has a total McMillan degree which is bounded by the sum of the McMillan
degrees of the component detectors. Note that this upper bound can be effectively
achieved, for example, by choosing mutually different poles for the individual de-
tectors.
Using the least order design techniques described in this paper, for each row of
S we can design a scalar output detector of least McMillan degree. However, even
if each detector has the least possible order, there is generally no guarantee that the
resulting order of R(s) is also the least possible one. To the best of our knowledge,
the determination of a detector of least global McMillan degree for a given fault
signature S is still an open problem. A solution to this problem has been recently
suggested in [11] and is summarized in the following synthesis procedure:
It was conjectured in [11] that the McMillan degree of R(s) resulting from this
procedure is the least possible one.
We describe now an enhanced two step approach to design a bank of detectors,
which for larger values of q, is potentially more efficient than the above standard
approach. In a first step, we can reduce the complexity of the original problem by
decoupling the influences of disturbances and control inputs on the residuals. In a
second stage, a residual generation filter is determined for a system without control
and disturbance inputs which achieves the desired fault signature.
Let $N_l(s)$ be a minimal left nullspace basis for $G(s)$ defined in (15.5) and define
a new system without control and disturbance inputs as
$$y(s) := N_f(s) f(s), \tag{15.12}$$
where
$$N_f(s) := N_l(s) \begin{bmatrix} G_f(s) \\ 0 \end{bmatrix}. \tag{15.13}$$
The system (15.12) has generally a reduced McMillan degree [12] and also a
reduced number of outputs $p - r_d$, where $r_d$ is the normal rank of $G_d(s)$.
For the reduced system (15.12) with TFM $N_f(s)$ we can determine, using the FDI
Synthesis Procedure, a bank of $q$ scalar output least order detectors of the form
such that the same conditions are fulfilled as for the original FDIP. The TFM of the
final detector can be assembled as
$$R(s) = \begin{bmatrix} R_1(s) \\ \vdots \\ R_q(s) \end{bmatrix} N_l(s) \tag{15.15}$$
with the n-dimensional state vector x(t). The corresponding TFMs of the model in
(15.1) are
Here the value of K is determined taking into account the physical rate limits of
the respective surface, and represents an average value applicable to all flight con-
ditions. Typical choices for the Boeing actuators are: 37/(s + 37) for the elevators,
0.5/(s + 0.5) for the stabilizer, 50/(s + 50) for the rudders and ailerons. The task
of the fault detection at the actuator level is to identify typical actuator faults like
‘stuck actuator’ (also called lock-in place failure), ‘actuator runaway’ (also called
hard-over failure), ‘free-play’ (also called float-type failure), or loss of actuator ef-
fectiveness. In what follows we discuss some aspects of fault detection and isolation
for a generic actuator.
Consider the actuator model (15.18) for which we would like to design a fault
detector able to identify the fault types mentioned previously. For this purpose, a
simple detector which estimates the deviation of surface position on the basis of
measured control surface position and commanded control surface position is given
by the simple observer-like structure
$$R(s) = [\, 1 \;\; -g_u(s) \,]$$
Note that the dynamics of the filter can be arbitrarily assigned by replacing R(s)
with m(s)R(s), where m(s) is an arbitrary stable transfer function.
With such a detector, an actuator fault can be easily detected by checking the
condition $r(t) \neq 0$. The stationary value of the residual signal $r(\infty)$ can
also be used to estimate the actual DC-gain of the actuator, say $g_0$, and thus the
actuator effectiveness. Since $g_0 = 1 - r(\infty)$, in the fault-free case we have
$g_0 = 1$. DC-gain values in the range [0, 1] indicate a loss of actuator
effectiveness with a zero gain indicating ‘free-play’. Values outside this domain
indicate either a ‘stuck actuator’ in a certain position or even an ‘actuator
runaway’ (i.e., stuck in an extreme position).
The main weakness of this simple fault detection scheme is that it does not
work properly in the case of surface position sensor failures. This lack of reliability
against combined actuator and sensor failures could be a source of false alarms. An-
other potential problem is when the actuator is fault free but the corresponding con-
trol surface is damaged. The associated loss of effectiveness of the actuation/control
surface system can not be detected in this way.
A typical approach to overcome the first weakness is to add hardware redundancy
by increasing the number of sensors to a level which ensures a satisfactory reliability
of measurements. A standard approach is to use three sensors in a voting logic for
validity checking. This is the minimum hardware redundancy to guarantee the re-
liability of monitoring. Interestingly, using model based fault detection techniques,
it is possible to obtain practically the same level of confidence by using only two
sensors (the model based approach provides a third ‘virtual’ sensor).
The actuator system with two identical sensors is described by the
transfer-function matrix
$$G_u(s) = \begin{bmatrix} 1 \\ 1 \end{bmatrix} g_u(s)$$
The fault TFM corresponding to the actuator fault $f_1$ and two sensor faults $f_2$ and
$f_3$ is
$$G_f(s) = [\, G_u(s) \;\; I_2 \,]$$
A possible least order detector for this setup can be chosen as
$$R(s) = \begin{bmatrix} 1 & -1 & 0 \\ 0 & 1 & -g_u(s) \\ 1 & 0 & -g_u(s) \end{bmatrix}$$
and can be realized as a first order system. The resulting fault detection system
achieves the following fault signature
$$S = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 1 \\ 1 & 1 & 0 \end{bmatrix}$$
Assuming that the actuator fault and sensor faults occur one at a time, this
influence structure provides a complete isolation of a single fault by using the
following isolation logic:
– actuator fault occurred if $r_1 = 0$, $r_2 \neq 0$, and $r_3 \neq 0$;
– first sensor failed if $r_1 \neq 0$, $r_2 = 0$, and $r_3 \neq 0$;
– second sensor failed if $r_1 \neq 0$, $r_2 \neq 0$, and $r_3 = 0$.
In this way, the occurrence of each fault can be reliably detected. For fault identifi-
cation, the information provided by either residual signal r1 or r2 can be employed.
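The two-sensor detector and its isolation logic, as an added example that is not part of the original chapter: a discrete-time simulation of the elevator actuator 37/(s + 37) with R(s) realized as a first order system, followed by thresholded residual evaluation against the columns of S. The sample time, noise level, fault sizes, threshold, averaging windows and all function names are assumptions made for the illustration.

```python
import math
import random

A = 37.0                  # elevator actuator pole from the text: g_u(s) = 37/(s + 37)
DT = 0.001                # sample time in seconds (assumption)
PHI = math.exp(-A * DT)   # exact zero-order-hold discretisation of g_u(s)
K_FAULT = 1000            # faults are injected at sample 1000, t = 1 s (assumption)

# Fault signature S from the text: rows are r1..r3, columns are f1..f3.
S = [[0, 1, 1],
     [1, 0, 1],
     [1, 1, 0]]
FAULTS = ["actuator fault", "first sensor failed", "second sensor failed"]


def simulate(f1=0.0, f2=0.0, f3=0.0, u=5.0, n=3000, sigma=0.02, seed=1):
    """Plant y = G_u (u + f1) + [f2, f3] plus sensor noise (constructed data),
    passed through R(s) = [[1, -1, 0], [0, 1, -g_u], [1, 0, -g_u]].
    Returns the residual samples [(r1, r2, r3), ...]."""
    rng = random.Random(seed)
    delta = 0.0   # true surface position
    model = 0.0   # the detector's single state: g_u(s) u(s)
    residuals = []
    for k in range(n):
        on = k >= K_FAULT
        y1 = delta + (f2 if on else 0.0) + rng.gauss(0.0, sigma)
        y2 = delta + (f3 if on else 0.0) + rng.gauss(0.0, sigma)
        residuals.append((y1 - y2, y2 - model, y1 - model))
        delta = PHI * delta + (1.0 - PHI) * (u + (f1 if on else 0.0))
        model = PHI * model + (1.0 - PHI) * u
    return residuals


def evaluate(residuals, window=500, threshold=0.1):
    """Binary residual pattern: 1 where |mean of the last `window` samples| > threshold."""
    tail = residuals[-window:]
    means = [sum(r[i] for r in tail) / len(tail) for i in range(3)]
    return tuple(int(abs(m) > threshold) for m in means)


def isolate(pattern):
    """Match the residual pattern against the columns of S (single-fault assumption)."""
    if pattern == (0, 0, 0):
        return "no fault"
    for j, name in enumerate(FAULTS):
        if tuple(S[i][j] for i in range(3)) == pattern:
            return name
    return "not isolable under the single-fault assumption"


def diagnose(**faults):
    return isolate(evaluate(simulate(**faults)))


def detection_delay(residuals, i, window, threshold=0.1):
    """Seconds after fault injection until the moving average of residual i
    (over `window` samples) first exceeds the threshold; None if it never does."""
    acc = 0.0
    for k, r in enumerate(residuals):
        acc += r[i]
        if k >= window:
            acc -= residuals[k - window][i]
        if k >= window - 1 and abs(acc / window) > threshold:
            return (k - K_FAULT) * DT
    return None


if __name__ == "__main__":
    print(diagnose())                   # fault-free run
    print(diagnose(f1=-2.5))            # actuator delivers half of the 5 deg command
    print(diagnose(f2=0.5))             # 0.5 deg bias on sensor 1
    print(diagnose(f3=0.5))             # 0.5 deg bias on sensor 2
    print(diagnose(f2=0.5, f3=-0.3))    # two faults at once: pattern is not a column of S
    res = simulate(f2=0.5)
    print(detection_delay(res, 0, 50), detection_delay(res, 0, 200))
```

The two detection delays printed at the end show the robustness/sensitivity trade-off in residual evaluation: the longer averaging window rejects more noise but flags the same sensor bias later.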
To address the second aspect of loss of control surface effectiveness a system
level analysis could be appropriate (see next section).
For component level diagnosis more detailed actuator models can be used, by
explicitly modelling the dynamics of all actuator components. Such an approach
based on physical parametric models is also suitable for health monitoring purposes.
Another application of potential interest is to detect the so-called ‘oscillatory
failure’ (e.g., of a rudder) as a result of limit cycle oscillations. This type of failure
can trigger an aeroelastic resonance behaviour of the aircraft with unacceptably high
loads. To identify this type of fault, the detection scheme above can be supplemented
with an additional signal analysis based oscillation detection system (e.g., sub-band
filtering followed by Fourier analysis).
The study of the nominal case has as its main purpose getting a clear understand-
ing of the intrinsic limitations in solving the FDIP in an idealized situation. Further-
more, the achieved fault-to-residual specifications can serve as reference models for
a model-matching formulation of the FDIP [19], where system variabilities (para-
metric, flight conditions) are fully considered.
Actuator fault diagnosis for the whole aircraft can be done in several ways. An
approach advocated by several authors is to use so-called multi-models describing
the aircraft in normal flight conditions as well as in several faulty situations. A bank
of model detection filters can be designed to ensure a desired model-to-residual
signature allowing the application of simple decision logic to identify the current
model (normal or faulty). The main advantage of this approach is its simplicity, both
because of a simple design of the detectors as well as because of the simple residual
evaluation scheme. The main disadvantage is the need for a large number of models
(and thus detectors) to cover many faults and combinations of faults. Moreover,
different levels of actuator efficiency loss are usually represented as separate models,
thus making the number of necessary detectors increase exponentially.
The approach we follow in our study is to model actuator faults as additive dis-
turbances. The linearized fault model of the aircraft corresponding to a given set of
parameter values and a specific flight condition (e.g., straight-and-level flight) has
the standard input-output form (15.1) and the detector is designed in the filter form
(15.2). The linearized models which have been employed were determined using the
nominal values of the parameters in Table 15.5.2. In what follows we summarize the
results of designing fault detectors for the nominal case.
The longitudinal and full order linearized state space models of the aircraft are
given in Appendices A and B. These models correspond to the following parameter
values: mass = 317,000 kg, center of gravity coordinates: Xcg = 25%, Ycg = 0, Zcg =
0. The chosen flight condition is a straight-and-level flight at altitude 600 m, with
a speed of 92.6 m/s, with a flap setting at 20° and with landing gear up. For more
details on the employed model see [18].
and thus $B_f = B_u(:, 1:5)$ and $D_f = D_u(:, 1:5)$. For this study of the nominal case
we consider no disturbance inputs for the model.
The achievable fault signature is
$$
S = \begin{bmatrix}
 1 &  1 &  1 &  1 &  1 \\
 0 &  0 &  1 &  1 &  1 \\
 1 &  1 &  0 &  0 &  1 \\
 1 &  1 &  1 &  1 &  0 \\
-1 & -1 &  0 &  0 &  0 \\
 0 &  0 & -1 & -1 &  0 \\
 0 &  0 &  0 &  0 & -1
\end{bmatrix}
$$
From the last three lines of S it can be observed that the isolation of faults grouped
in three groups (f1, f2), (f3, f4) and f5 is achievable, although all groups are only
weakly detectable.
System level monitoring can be used as a complementary tool to device level
monitoring in the case when sensor fault monitoring is not additionally provided.
The simplest fault detection task is to determine if any actuator fault in the pitch
axis has occurred. This comes down to the design of a fault detector achieving the
trivial signature corresponding to the first row of S
$$
S_0 = \begin{bmatrix} 1 & 1 & 1 & 1 & 1 \end{bmatrix}
$$
by using the lowest order dynamics. To design such a detector, the function fdsyn
has been used. Using the least order design option, a first order residual generator
can be determined. The resulting fault-to-residual dynamics are
$$
S_1 = \begin{bmatrix}
1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 0 & -1
\end{bmatrix}
$$
with the second row having only a weak detectability structure. If we assume that
elevator and stabilizer faults cannot occur simultaneously, we can achieve elevator
and stabilizer fault isolation by using the specification matrix
$$
S_2 = \begin{bmatrix}
1 & 1 & 1 & 1 & 1 \\
1 & 1 & 1 & 1 & 0
\end{bmatrix}
$$
can be used for weak isolation using the following decision logic:
– inner elevator fault occurred if r1 = 0, r2 = 0, and r3 = 0;
– outer elevator fault occurred if r1 = 0, r2 = 0, and r3 = 0;
– stabilizer fault occurred if r1 = 0, r2 = 0, and r3 = 0.
Using the least order design option, three first order detectors can be obtained
using the function fdsyn leading to a detector of total order 3. Note that without
the least order design option, a detector of total order 10 results, while using the
standard observer based approach (see for example [20]), a detector of total order
15 is to be expected. The resulting fault-to-residual dynamics are
⎡ 10 10 862.7s − 1889 ⎤
0 0
⎢ s + 10 s + 10 s + 10 ⎥
⎢ ⎥
⎢ 10 10 −835.1s + 2028 ⎥
R f (s) = ⎢ 0 0 ⎥
⎢ s + 10 s + 10 s + 10 ⎥
⎣ ⎦
10 10 10.74 10.74
0
s + 10 s + 10 s + 10 s + 10
The step responses associated with the faults are presented in Fig. 15.1.
A more realistic setting is to add actuator dynamics to each input actuator-surface
channel [2]. As already mentioned, the elevator dynamics can be approximated by
transfer functions of the form 37/(s + 37), while for the stabilizer dynamics we take
0.5/(s + 0.5) as suggested in [2]. The resulting model has now order 10 and we can
achieve the same fault signature with a bank of three detectors of total order 6. The
step responses from the faults are presented in Fig. 15.2.
and thus to isolate the inner elevator, the outer elevator and the stabilizer faults. The
above specification can be achieved using a bank of three detectors of total order 5.
The step responses from the faults are presented in Fig. 15.3.
Finally, for complete fault isolation it is to be expected that measurements from
all surfaces are necessary. Solving the fault detection and isolation problem
corresponds to achieving the specification S5 = I5 using the function fdsyn or
employing directly the specially devised function fdi, available in the FAULT DETECTION
toolbox [3]. This latter function is based on the method proposed in [9]. Using this
function, we obtain a detector of order 5 which solves the complete fault detection
and isolation problem. Interestingly, this detector is the same as the one obtained by
using single surface monitoring schemes. This remarkable result also illustrates the
real strengths of the recently developed minimal degree design techniques [9]. In
contrast, the methods traditionally used (e.g., using a bank of 5 observer based
detectors [20]) could lead to detectors of total order up to 70 in the case when actuator
dynamics are included.
Fig. 15.2 Step responses from the faults (included actuator dynamics): f1 = 1, ..., f4 = 1,
f5 = 0.01.
Fig. 15.3 Step responses from the faults with stabilizer angle measurement.
Interestingly, complete isolation can also be achieved by choosing a minimal
number of three surface measurements: two from the left elevators and one from the
stabilizer. The resulting bank of five detectors has a total order of 7 and the resulting
fault-to-residual TFM is
$$
R_f(s) = \operatorname{diag}\left( \frac{10}{s+10},\ \frac{370}{s^2+47s+370},\ \frac{10}{s+10},\ \frac{370}{s^2+47s+370},\ \frac{10}{s+10} \right)
$$
The step responses from the faults are presented in Fig. 15.4.
Fig. 15.4 Step responses from the faults with left elevators and stabilizer angles
measurements.
and thus $B_f$ and $D_f$ are formed from the columns {1, 2, 3, 4, 10, 11} of $B_u$ and $D_u$,
respectively.
For the two inner aileron faults {f1, f2}, two outer aileron faults {f3, f4}, and two
rudder faults {f5, f6}, the FDIP with the fault signature
$$
S_1 = \begin{bmatrix}
1 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 1
\end{bmatrix}
$$
is achievable using a bank of three detectors with global order 3. The resulting
fault-to-residual TFM is
$$
R_f(s) = \begin{bmatrix}
\dfrac{10}{s+10} & \dfrac{10}{s+10} & 0 & 0 & 0 & 0 \\
0 & 0 & \dfrac{10}{s+10} & \dfrac{10}{s+10} & 0 & 0 \\
0 & 0 & 0 & 0 & \dfrac{11.85}{s+10} & \dfrac{10}{s+10}
\end{bmatrix}
$$
The step responses from the faults are presented in Fig. 15.5.
Fig. 15.5 Step responses from the aileron and rudder faults.
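The residual evaluation implied by the aileron/rudder signature S1 and the fault-to-residual TFM above can be exercised numerically. The following Python sketch is an added example, not code from the chapter or from the FAULT DETECTION toolbox; the constant (step) fault amplitudes, the 0.5 threshold and all function names are assumptions made for illustration.

```python
import math

# Signature matrix S1 from the text: rows = residuals r1..r3,
# columns = faults f1..f6 (inner ailerons, outer ailerons, rudders).
S1 = [
    [1, 1, 0, 0, 0, 0],
    [0, 0, 1, 1, 0, 0],
    [0, 0, 0, 0, 1, 1],
]

# Numerators k of the entries k/(s + 10) of the fault-to-residual TFM in the text.
GAINS = [
    [10.0, 10.0, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 10.0, 10.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 11.85, 10.0],
]
POLE = 10.0  # all three first-order detectors share the pole s = -10


def simulate_residuals(faults, t_end=1.0, dt=0.001):
    """Residuals at t_end for constant fault amplitudes applied at t = 0.

    Every entry in a row has the same pole, so one state per residual is enough.
    The update is the exact discretisation for a constant input:
    r[n+1] = a*r[n] + (1 - a)*drive, with a = exp(-POLE*dt).
    """
    a = math.exp(-POLE * dt)
    r = [0.0] * len(GAINS)
    for _ in range(int(round(t_end / dt))):
        for i, row in enumerate(GAINS):
            drive = sum(k / POLE * f for k, f in zip(row, faults))
            r[i] = a * r[i] + (1.0 - a) * drive
    return r


def evaluate(residuals, threshold=0.5):
    """Binary residual signature; the threshold is an assumed value."""
    return [1 if abs(x) > threshold else 0 for x in residuals]


def isolate(signature, S):
    """Match the fired pattern against the columns of S.

    Returns ("no fault", []) when nothing fired, ("isolated", [fault indices])
    when the pattern equals one or more columns (faults sharing a column
    cannot be told apart), and ("unknown", []) otherwise.
    """
    if not any(signature):
        return ("no fault", [])
    matches = [
        j for j in range(len(S[0]))
        if all(S[i][j] == signature[i] for i in range(len(S)))
    ]
    return ("isolated", matches) if matches else ("unknown", [])


def diagnose(faults, threshold=0.5):
    """Simulate, threshold and isolate for one constructed fault scenario."""
    return isolate(evaluate(simulate_residuals(faults), threshold), S1)


if __name__ == "__main__":
    # Constructed scenarios (0-based fault indices in the output).
    scenarios = {
        "f1 = 1 (inner aileron)": [1, 0, 0, 0, 0, 0],
        "f6 = 1 (rudder)": [0, 0, 0, 0, 0, 1],
        "f1 = f3 = 1 (simultaneous)": [1, 0, 1, 0, 0, 0],
        "f1 = 0.3 (below threshold)": [0.3, 0, 0, 0, 0, 0],
        "no fault": [0, 0, 0, 0, 0, 0],
    }
    for name, f in scenarios.items():
        print(name, "->", diagnose(f))
```

With this signature only the group containing the fault is identified, and a simultaneous fault in two groups produces a pattern that matches no column of S1.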
We include now the actuator models and add three surface angle sensors for the
two right ailerons and for the upper rudder. With this sensor location the complete
FDIP with S2 = I6 can be solved to isolate all aileron and rudder failures. The re-
sulting detector has order 9 and the achieved fault-to-residual TFM is
$$
R_f(s) = \operatorname{diag}\left( \frac{10}{s+10},\ \frac{100}{s^2+20s+100},\ \frac{10}{s+10},\ \frac{100}{s^2+20s+100},\ \frac{10}{s+10},\ \frac{-0.0002566s+100}{s^2+20s+100} \right)
$$
The step responses from the faults are presented in Fig. 15.6.
Fig. 15.6 Step responses from the aileron and rudder faults.
1. Surface angle sensor faults. To achieve complete reliability of the fault moni-
toring system, it is important to also consider possible faults in the surface angle
sensors. For example, by adding sensors to all surfaces, the complete isolation
of all actuator faults is possible, while additionally the isolation of a sensor fault
(e.g., stabilizer angle sensor) can be achieved. With three sensors (e.g., two for
left elevators and one for stabilizer), to achieve the isolation of one sensor fault,
we have to assume that sensor and actuator faults do not occur simultaneously.
A complete analysis of sensor location and assignment aspects is important for
practical applications (see also Part II of [21] for a recent survey).
2. Robustness against noisy inputs and noisy measurements. The effect of noisy
inputs and noisy measurements must be considered in a realistic design. Typical
noisy inputs for aircraft are gust turbulences, which can be taken into account
by feeding white noise into the system via stable and minimum-phase Dryden
spectra filters. Colouring filters driven by white noise can be used to model noise
in sensor measurements. For further details see [2] and the literature cited therein.
3. Robustness against parametric uncertainties. The robustness of the designed
detectors against parametric uncertainties is important for practical applicability.
Typical uncertain parameters to be considered for robustness studies are mass, the
coordinates of the center of gravity, as well as flight conditions (speed, altitude).
There are many possibilities to enforce the robustness of the designed detectors
[22] and this challenging aspect will be considered in further studies. The results
provided in this work can be seen as realistic specifications of what can be aimed
to be achieved in the most favourable situation.
References
1. Szászi, I., Ganguli, S., Marcos, A., Balas, G.J., Bokor, J.: Application of FDI to a nonlin-
ear Boeing-747 aircraft. In: Proc. Mediterranean Conference on Control and Automation,
Lisbon, Portugal (2002)
2. Marcos, A., Ganguli, S., Balas, G.J.: An application of H∞ fault detection and isolation
to a transport aircraft. Control Engineering Practice 13, 105–119 (2005)
3. Varga, A.: A FAULT DETECTION toolbox for MATLAB. In: Proc. of CACSD 2006,
Munich, Germany (2006)
4. Ding, X., Frank, P.M.: Frequency domain approach and threshold selector for robust
model-based fault detection and isolation. In: Proc. of IFAC Symposium SAFEPRO-
CESS 1991, Baden-Baden, Germany (1991)
5. Nyberg, M.: Criterions for detectability and strong detectability of faults in linear sys-
tems. Int. J. Control 75, 490–501 (2002)
6. Frisk, E., Nyberg, M.: A minimal polynomial basis solution to residual generation for
fault diagnosis in linear systems. Automatica 37, 1417–1424 (2001)
7. Varga, A.: On computing least order fault detectors using rational nullspace bases. In:
Proc. of IFAC Symp. SAFEPROCESS 2003, Washington D.C (2003)
8. Gertler, J.: Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New
York (1998)
9. Varga, A.: New computational approach for the design of fault detection and isolation
filters. In: Voicu, M. (ed.) Advances in Automatic Control. The Kluwer International
Series in Engineering and Computer Science, vol. 754, pp. 367–381. Kluwer Academic
Publishers, Dordrecht (2004)
10. Gertler, J.: Designing dynamic consistency relation for fault detection and isolation. Int.
J. Control 73, 720–732 (2000)
11. Varga, A.: On designing least order residual generators for fault detection and isolation.
In: Proc. 16th Internat. Conf. on Control Systems and Computer Science, Bucharest,
Romania, pp. 323–330 (2007)
12. Varga, A.: On computing nullspace bases – a fault detection perspective. In: Proc. IFAC
2008 World Congress, Seoul, Korea (2008)
13. Yuan, Z., Vansteenkiste, G.C., Wen, C.Y.: Improving the observer-based FDI design for
efficient fault isolation. Int. J. Control 68(1), 197–218 (1997)
14. Varga, A.: Reliable algorithms for computing minimal dynamic covers. In: Proc. of CDC
2003, Maui, Hawaii (2003)
15. Varga, A.: Computation of coprime factorizations of rational matrices. Lin. Alg. &
Appl. 271, 83–115 (1998)
16. Varga, A.: A DESCRIPTOR SYSTEMS toolbox for MATLAB. In: Proc. CACSD 2000
Symposium, Anchorage, Alaska (2000)
17. Varga, A.: Linear FDI-Techniques and Software Tools. FAULT DETECTION Toolbox
V0.8 – Technical Documentation, German Aerospace Center (DLR), Institute of
Robotics and Mechatronics (2008)
18. Marcos, A., Balas, G.J.: A Boeing 747-100/200 Aircraft Fault Tolerant and Fault Diag-
nostic Benchmark. Technical Report AEM-UoM-2003-1, Department of Aerospace and
Engineering Mechanics, University of Minnesota, USA (2003)
19. Varga, A.: Numerically reliable methods for optimal design of fault detection filters. In:
Proc. of CDC 2005, Seville, Spain (2005)
20. Patton, R.J., Hou, M.: Design of fault detection and isolation observers: a matrix pencil
approach. Automatica 34(9), 1135–1140 (1998)
21. Commault, C., Dion, J.-M.: Sensor location for diagnosis in linear systems: a structural
analysis. IEEE Trans. Automat. Control 52, 155–169 (2007)
22. Chen, J., Patton, R.J.: Robust Model-Based Fault Diagnosis for Dynamic Systems.
Kluwer Academic Publishers, London (1999)
State-model matrices
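$$
A = \begin{bmatrix}
-0.4861 & 0.000317 & -0.5588 & 0 & -2.04 \cdot 10^{-6} \\
0 & -0.0199 & 3.0796 & -9.8048 & 8.98 \cdot 10^{-5} \\
1.0053 & -0.0021 & -0.5211 & 0 & 9.30 \cdot 10^{-6} \\
1 & 0 & 0 & 0 & 0 \\
0 & 0 & -92.6 & 92.6 & 0
\end{bmatrix}
$$
$$
B_u = \begin{bmatrix}
-0.1455 & -0.1455 & -0.1494 & -0.1494 & -1.2860 & 0.0013 & 0.0035 & 0.0035 & 0.0013 \\
0 & 0 & 0 & 0 & -0.3122 & 0.1999 & 0.1999 & 0.1999 & 0.1999 \\
-0.0071 & -0.0071 & -0.0074 & -0.0074 & -0.0676 & -0.0004 & -0.0004 & -0.0004 & -0.0004 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{bmatrix}
$$
$$
C = \begin{bmatrix}
0 & 0 & 1 & 0 & 0 \\
0 & -0.0199 & 3.0796 & -9.8048 & 8.98 \cdot 10^{-5} \\
0 & 0 & 0 & 1 & 0 \\
1 & 0 & 0 & 0 & 0 \\
0 & 0 & -92.6 & 92.6 & 0 \\
0 & 0 & 0 & 0 & 1
\end{bmatrix}
$$
$$
D_u = \begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -0.3122 & 0.1999 & 0.1999 & 0.1999 & 0.1999 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{bmatrix}
$$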
State-model matrices
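$$
A = \begin{bmatrix}
-0.8226 & 0 & 0.1666 & 0 & 0 & -1.4189 & 0.000471 & 0 & 0 & 0 \\
0 & -0.4861 & 0 & 0.000317 & -0.5588 & 0 & 0 & 0 & 0 & -2.04 \cdot 10^{-6} \\
-0.1303 & 0 & -0.0199 & 0 & 0 & 0.2387 & -0.00166 & 0 & 0 & 0 \\
0 & 0 & 0 & -0.0199 & 3.0796 & 0 & 0 & -9.8048 & 0 & 8.98 \cdot 10^{-5} \\
0 & 1.0053 & 0 & -0.0021 & -0.5211 & 0 & 0 & 0 & 0 & 9.30 \cdot 10^{-6} \\
0.139 & 0 & -0.9867 & 0 & 0 & -0.0819 & 0.10505 & 0 & 0 & 0 \\
1 & 0 & 0.1265 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1.008 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -92.6 & 0 & 0 & 92.6 & 0 & 0
\end{bmatrix}
$$
$$
C = \begin{bmatrix}
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & -0.0199 & 3.0796 & 0 & 0 & -9.8048 & 0 & 8.98 \cdot 10^{-5} \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 10 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -92.6 & 0 & 0 & 92.6 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 92.6 & -11.6213 & 0 & 92.6 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0
\end{bmatrix}
$$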
448 A. Varga
⎡
−0.0629 0.0629 −0.1819 0.1819 0 0 0
⎢ 0.0107 0.0107 −0.0676 −0.0676 −0.1455 −0.1455 −0.1494
⎢
⎢ −0.0142 0.0142 −0.0128 0.0128 0 0 0
⎢
⎢ 0 0 0 0 0 0 0
⎢
⎢ 0 0 −0.0098 −0.0098 −0.0071 −0.0071 −0.0074
Bu = ⎢
⎢
⎢ 0 0 0 0 0 0 0
⎢ 0 0 0 0 0 0 0
⎢
⎢ 0 0 0 0 0 0 0
⎢
⎣ 0 0 0 0 0 0 0
0 0 0 0 0 0 0
⎤
0 0 0.0652 0.0185 0.0034 0.0019 −0.0019 −0.0034
−0.1494 −1.2860 0 0 0.0013 0.0035 0.0035 0.0013 ⎥ ⎥
0 0 −0.1272 −0.0929 0.0195 0.0111 −0.0111 −0.0195 ⎥ ⎥
0 −0.3122 0 0 0.1999 0.1999 0.1999 0.1999 ⎥ ⎥
−0.0074 −0.0676 0 0 −0.0004 −0.0004 −0.0004 −0.0004 ⎥
⎥
0 0 0.0078 0.0066 0.0001 0.0001 −0.0001 −0.0001 ⎥ ⎥
0 0 0 0 0 0 0 0⎥⎥
0 0 0 0 0 0 0 0⎥⎥
0 0 0 0 0 0 0 0⎦
0 0 0 0 0 0 0 0
⎡ ⎤
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
⎢0 0 0 0 0 0 0 0 −0.3122 0 0 0.1999 0.1999 0.1999 0.1999 ⎥
⎢ ⎥
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥
⎢ ⎥
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥
⎢ ⎥
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥
⎢ ⎥
Du = ⎢
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥⎥
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥
⎢ ⎥
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥
⎢ ⎥
⎢0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎥
⎢ ⎥
⎣0 0 0 0 0 0 0 0 0 0 0 0 0 0 0⎦
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Part IV
Real-Time Flight Simulator Assessment
Chapter 16
Real-Time Assessment and Piloted Evaluation of
Fault Tolerant Flight Control Designs in the
SIMONA Research Flight Simulator
Olaf Stroosma
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: o.stroosma@tudelft.nl
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Mark Mulder
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: mark.mulder@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 451–475.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
16.1 Introduction
Desktop-based simulations are extremely useful tools for the development of new
controller applications and techniques as is evident from the theoretical sections of
this book. But, in addition to testing the new controllers in an off-line, desktop-based
benchmark simulation, an online piloted moving-base simulator evaluation can give
new insights into real-time performance issues, applicability in an operational
environment and if applicable, handling qualities of different aircraft configurations.
It can serve as a proof-of-concept and allows the assessment of the benefits of the
controllers in terms of compensation for impaired aircraft control, performance
improvements in failed configurations and lowering of pilot workload. For this
purpose, the aircraft model and the fault-tolerant controllers can be implemented in a
pilot-in-the-loop flight simulator. Pilots with operational experience on the aircraft
in question can be used to assess the efficiency of the controllers and their influence
on the handling of the aircraft. Ideally the pilot should not be aware of any
differences in handling with the controller engaged for the normal fault free and damaged
aircraft, and be able to perform normal flying tasks with satisfactory performance in
both cases. To ensure an acceptable level of validity of this assessment, the fidelity
of the simulator must be sufficiently high. In addition to the dynamic behaviour of
the simulated aircraft model, aspects that influence the fidelity are the appearance
and functionality of the flight displays, the feel in the flight controls, the presence
and field of view of an outside visual system, and the characteristics of any motion
system. To increase reproducibility of the evaluation, these parameters should be
documented together with the assessment results. Integration of the controllers in a
real-time aircraft simulation environment, which is necessary to perform the piloted
evaluation, can help identify implementation issues which would forbid practical
introduction in an actual aircraft flight control system. Reliance on physical pa-
rameters which are not measured in the aircraft (e.g. sideslip angle), sensitivity to
noise and delays in measurements and excessive computational loads are examples
of such problems. These issues can usually be evaluated without a pilot actively in
control and lead to relatively deterministic results. A more operationally oriented
evaluation with a human pilot in the loop introduces variability in the results. To re-
duce this variation, the experiment design benefits from a well defined test scenario,
appropriate performance measures and other human factors related measurement
variables. To select the appropriate scenario and measurements, the intended goal
of the evaluation has to be taken into account. For a general impression of the flying
qualities, a procedure such as an approach and landing can be suitable. If a more
detailed insight is required in lateral and/or longitudinal performance or handling
qualities, more stylized manoeuvres can be performed. Examples of these include
altitude captures, speed and trim changes, bank and heading captures, as well as lo-
calizer and glideslope capture and tracking. Apart from the achieved performance,
which can be objectively determined, pilot feedback in the form of comments or
rating scales for handling qualities (e.g. Cooper-Harper [2]) and Pilot-in-the-Loop
Oscillations (PIO) can be valuable subjective results.
Within the GARTEUR FM-AG(16) Action Group a number of fault-tolerant
flight control (FTFC) algorithms were developed as described in Part III of this book.
Their underlying principles ranged from H∞ (chapter 12), sliding mode control allo-
cation (chapter 8) and model-predictive control (chapter 10) to parameter estimation
and nonlinear dynamic inversion (chapter 13). As part of the Action Group’s work,
a real-time assessment and piloted evaluation was performed for several of these
algorithms. The objectives of this evaluation can be summarized as follows:
• Analyzing real-time performance and integration issues of the reconfigurable
fault tolerant flight control algorithms by integrating them in the complete air-
craft environment.
• Qualitative assessment of the FTFC algorithms in terms of aircraft handling qual-
ities in both nominal and failed conditions.
• Quantitative assessment of the FTFC algorithms benefits in terms of pilot work-
load to substantiate the handling qualities ratings.
Table 16.1 GARTEUR FM-AG(16) fault tolerant flight control algorithms (* evaluated in
piloted simulation)
modelled after the real aircraft. In the other configurations, all control surfaces apart
from the flaps, landing gear and engines, were commanded via the respective FTFC
algorithm.
Following integration of the FTFC algorithms in the simulator, the second eval-
uation stage consisted of a preliminary assessment of a variety of controllers from
different participants in the group, as summarized in Table 16.1. The goal here was
to receive feedback on all controllers from pilots flying them in a realistic setting.
The most mature manual (FTFC-7) and auto-flight (FTFC-1) controllers were se-
lected to be demonstrated at the group’s final workshop on 21st November 2007.
The experiment results of these two reconfigurable control schemes are fully de-
scribed in chapters 18 and 13.
In the third and final evaluation stage, the manual controller (FTFC-7) went
through a more in-depth evaluation, in which handling qualities were rated by sev-
eral professional airline pilots, in April 2008.
In the preliminary evaluation, all controllers were evaluated with the failures they
were designed for. The evaluation pilot first flew the scenario with the failure in the
classical aircraft, followed by the same scenario with the fault-tolerant controller
activated. For the final evaluation, the order of classical and fault-tolerant controller
was randomized over the pilots and two failure scenarios were flown: a runaway
failure of the rudder surfaces and the engine separation failure (Flight 1862). The
controller was also assessed in the nominal case with no failure.
The wording on the scale is geared towards use during the development program
of a new aircraft type. For an aircraft with structural or mechanical failures, it is
sometimes tempting to take the degradations into account in the rating and not rate
it as a fully functional aircraft ready to go into production. In such a case, the pilot
may be willing to give a low (good) rating, even though the required workload and
degraded performance would be totally unacceptable in daily operations. It must
be stressed that the rating should be given to the aircraft ‘as is’ without taking the
mitigating circumstances of the failure into account. Only in this way can a fair
comparison be made between the nominal aircraft and the failed aircraft, as well as
between the classical and fault-tolerant control schemes. To increase the validity of
the rating, especially for inexperienced pilots, they were advised for every evalua-
tion to explicitly follow the decision tree of the rating scale and correlate the attained
performance with the experienced workload. Saving time by choosing a pilot rating
number directly, or by not relating the rating to the actual performance, would have
seriously degraded the quality of the recorded ratings. In the FM-AG(16) evaluation,
a number of tasks and performance criteria were defined. In general, the lateral and
longitudinal handling qualities were given separate ratings. Also, in some cases the
task direction would be influenced by the specific failure, so these were split up as
well, e.g. right and left bank angle captures or up and down altitude captures. Ta-
ble 16.2 summarizes the tasks that were to be rated, along with the adequate and
required performance criteria.
The pilots were given feedback on their performance before filling in the rating
scales, as described in section 16.2.5.
16.2.3 Participants
Familiarity with the flown aircraft is one of the main requirements for the partici-
pants in a piloted evaluation. Some flight test or evaluation experience is also ben-
eficial, especially when using standard rating scales. In the FM-AG(16) simulator
campaign six professional airline pilots, with an average experience of about 14,000
flight hours, participated in the evaluation. Five pilots, who conducted the handling
qualities evaluation, were type rated for the Boeing 747 aircraft while one pilot was
rated for the Boeing 767 and Airbus A330 aircraft. Some of the pilots had engi-
neering flight testing experience. Table 16.3 shows information on the individual
background and experience of the evaluation pilots.
Fig. 16.1 The SIMONA (SImulation, MOtion and NAvigation) Research Simulator (SRS) at
Delft University of Technology, (courtesy of Delft University)
Fig. 16.2 SRS flight deck in Boeing 747 configuration for the GARTEUR FM-AG(16) sim-
ulator campaign
actuated sidestick (first officer’s position, not used in this experiment), a Boeing 777
control pedestal, four Liquid Crystal Display (LCD) screens to display the flight in-
struments and a Boeing 737 mode control panel (MCP).
The displays were based on the Boeing 747-400 Electronic Flight Instrumenta-
tion System (EFIS, see Fig. 16.3). They were shown on the LCD panels mounted
in front of the pilot at the ergonomically correct locations. Although not all dis-
play functionality was incorporated, the pilot had all the information available to
fly the given trajectory. One notable omission was the Flight Director (FD), which
normally gives steering commands to the pilot. Especially during the localizer and
glide slope capture and tracking, the use of “raw” ILS (Instrument Landing System)
data instead of the FD added somewhat to the pilot workload. To help the pilots as-
sess the reconfigurable controller’s actions, the surface deflections of the elevators
(left/right), ailerons (left/right, inner/outer) and rudders (upper/lower) were shown
in the upper right hand corner of the Engine Indication and Crew Alerting System
Display (EICAS).
(a) Primary Flight Display (PFD)
(b) Engine Indicating and Crew Alerting System (EICAS) Display showing engine
parameters and flight control surface deflections for reconfiguration status
(aileron (AIL), elevator (ELEV) and rudder (RUD)) respectively
Fig. 16.3 The SRS flight deck displays representing the Boeing 747-400 Electronic Flight
Instrumentation System (EFIS)
1024 pixels per projector. The update rate of the visual was the same as the main
simulation at 100 Hz, while the projector refresh rate was 60 Hz. The display latency
was around 30 ms.
For this evaluation, a visual representation of Amsterdam Airport Schiphol was
used. All runways and major taxiways were in their correct location, complemented
with the most important buildings on the airfield. The surrounding area was kept
simpler, with a textured ground plane showing a rough outline of the Dutch coast
and North Sea.
                   pitch             roll
arm                0.714 m           0.17 m
spring constant    474 Nm/rad        5.416 Nm/rad
inertia            5.577 Nms²/rad    0.478 Nms²/rad
damping            195.3 Nms/rad     1.116 Nms/rad
break-out          11.1 Nm           0.1313 Nm
stiction/friction  11.1 Nm           0.1313 Nm
Fig. 16.4 Integration of fault tolerant control algorithms in the SIMONA real-time simulator
environment
The aircraft model was validated against simulator and flight test data according
to the procedures in [3] and [1]. The Digital Flight Data Recorder (DFDR) of the
Flight 1862 accident aircraft was used for the validation of the aircraft dynamics and
performance characteristics representing the physical loss of two right-wing engines
[4], [3]. Information regarding the general characteristics and operational data of the
Boeing 747-100/200 aircraft can be found in chapter 6.
To ensure the validity of the real-time simulation, a validation step was included
in the development phase. Both the online model implementation and the different
controllers were checked to conform to the offline analysis versions by means of
proof-of-match. Any differences between the two implementations were considered
small enough not to be noticeable by the pilot. The baseline aircraft model, control
feel system and Flight 1862 controllability and performance characteristics were
finally validated using pilot-in-the-loop simulation.
16.2.5 Procedure
The scenario of the FM-AG(16) piloted evaluation was designed to resemble an
operational flight profile, based on the flight path of Flight 1862 in the Amsterdam
Airport Schiphol terminal area (Fig. 16.5) [4], [3].
Fig. 16.5 Experiment scenario and tasks of the GARTEUR FM-AG(16) piloted simulator
assessment
Each pilot would start to fly the classical control system mode in unfailed
condition to familiarise himself with the baseline aircraft handling qualities. This
procedure was repeated several times until the pilot felt confident to proceed. The pilot
would rate if the unfailed baseline aircraft model exhibited at least Level 1 handling
qualities (CHR 1-3). The same procedure was conducted to familiarise the pilot
with the fly-by-wire configuration in unfailed conditions. Apart from a general
evaluation of the aircraft’s behaviour during the approach, additional test manoeuvres
were introduced in a number of flight phases to examine the specific performance
and handling qualities of the (damaged) aircraft.
The first flight phase was started at an altitude of 2000 feet near the airport on an
outbound course at a speed of 260 KIAS and a northerly heading of 360 degrees.
In this phase, the controller should stabilize the aircraft, identify and correct any
deviations from the nominal trimmed aircraft condition, and give the pilot a sense
of its non-failed handling qualities.
When stabilised on the outbound course, the pilot was cleared to turn 90 degrees
to an easterly heading and accelerate from 260 to 270 knots to allow a minimum
control speed margin for the Flight 1862 scenario. The experiment coordinator then
notified the pilot of the nature and timing of a failure before applying it. This was
done to consistently remove the aspect of surprise and pilot troubleshooting from
the evaluation. The evaluation’s objective was not to take these into account, but
to focus on the relative performance and workload levels of the augmented and
unaugmented aircraft configurations in a best-case scenario (i.e. the pilot being fully
aware of the failure). It is expected that an unprepared and unaware pilot will have
much greater difficulty in controlling the failed aircraft without the fault tolerant
controller, leading to an even higher observed benefit of the controller in such a
scenario. Appendix 1 provides a complete list of the simulated failure modes, their
reconfiguration strategy and assessment.
During the recovery phase, after the failure was introduced, the pilot’s task was
to bring the aircraft back from any adverse flight condition to a stable state at an al-
titude of 2000 feet and 270 knots. In this phase, the pilot was allowed to familiarise
himself with the aircraft behaviour and try different strategies to bring the aircraft
manually back under control. The recovery phase allowed any FTFC algorithm that
was active to identify the problem, determine a new dynamic model of the damaged
aircraft and reconfigure itself to the new situation. Following a successful recovery
to a stable condition, an optional identification phase was introduced during which
the flying capabilities of the aircraft could be assessed. This allowed for a com-
plete parameter identification of the model for the damaged aircraft as well as the
identification of the safe flight envelope. The knowledge gained during this identi-
fication phase could be used by the controller to improve the chances of a safe and
survivable landing. For the control algorithms evaluated in FM-AG(16), no explicit
identification phase was necessary, because the controllers were able to identify the
failure and reconfigure the flight control system during the initial recovery. If neces-
sary, this could be done continuously during later phases. When fully reconfigured,
the flight control system would allow continuous safe flight after the identification
phase.
After the recovery phase, a straight and level flight phase was initiated during
which the pilot could assess the workload necessary to maintain the aircraft in a
stable condition. Once stabilised at 2000 feet, and selecting a flap setting of one
degree¹, the pilot was asked to initiate a climb and a rapid and precise altitude
capture to 2500 feet. During the climb, airspeed and heading had to be kept constant.
This manoeuvre was meant to examine the longitudinal handling qualities of the
damaged aircraft configuration. When leveled off at 2500 feet, the pilot was asked
to perform a roll capture task that consisted of capturing 20 degrees of bank angle
to the left and right. Again, the goal was to make these captures as rapid and precise
as possible, while maintaining altitude and speed. Banking the aircraft in this way
was expected to expose any undesirable lateral handling qualities.
When the bank angle capture task was completed, the pilot would start a descent
for a new altitude capture to bring the aircraft back to 2000 feet. Speed and heading
were maintained during the descent. Finally, a right-hand turn towards a heading of
240 degrees was performed which brought the aircraft on an intercept course to the
ILS localizer of runway 27 at Amsterdam Airport Schiphol. For all failures, except
the Flight 1862 scenario, the pilot was asked to decelerate to 174 knots, which was
the reference speed for a flap setting of 20 degrees (Vref20) at the chosen weight
configuration (317.000 kg). Once stabilised on the new heading and airspeed, the
simulator was paused to give the pilot the opportunity to rate the altitude and bank
angle capture tasks using the Cooper-Harper rating scale and fill in a questionnaire.
To assist in providing the Cooper-Harper ratings, the pilot was presented with time
histories of the relevant flight parameters. The adequate and desired performance
boundaries for the test manoeuvres, as referenced in the Cooper-Harper scale, have
been defined according to Table 16.2 and were shown in the time histories. Fig-
ures 16.6 and 16.7 illustrate an example of time histories for a simulation run that
includes the different task manoeuvres and their performance boundaries.
To maintain a consistent geometry for the final approach phase across different
runs, the aircraft was then repositioned at a point before the localizer intercept. To
allow some time for re-stabilization after the simulator ‘unfreeze’, a point 5 NM
along track from the intercept point was used. This intercept point was also moved
back 5 NM from the standard intercept point to allow for more time to capture the
localizer. Especially for the Flight 1862 failure case this was helpful because the
intercept was performed with high speeds (270 kts as opposed to 174 kts). For the
approach and landing phase, the tasks consisted of intercepting and capturing the
localiser to align with the runway and intercepting and capturing the glide path for
the final approach. The tasks were performed using raw ILS data presented on the
primary flight display.
The localizer was captured at an altitude of 2000 feet with an airspeed of 174
knots for all failure scenarios except for the Flight 1862 case. For this scenario, a
higher speed of 270 knots was used to maintain sufficient directional control margins
for level flight (minimum speed is about 260 knots according to the DFDR). When
the aircraft was stabilised on the localizer, the pilot would intercept the glideslope
for the final descent. During the descent, airspeed was further reduced to 220 knots
for the Flight 1862 case or 169 knots (Vref25) for all other scenarios. For most failure
cases the normal configuration changes of flaps up to 25 degrees and landing gear
were made. For the Flight 1862 scenario, however, the landing phase was conducted
with the approach configuration (flaps 1 degree and gear up) because this was the
only available configuration from the DFDR which was used for the validation of
the model.
¹ The Flight 1862 aircraft model was validated for a flap setting of 1 degree. For consistency,
all evaluations were therefore performed in this configuration.
Fig. 16.6 Handling qualities task performance as shown after each run to the pilot (dashed
lines: desired performance, dotted lines: adequate performance)
Fig. 16.7 Handling qualities task performance as shown after each run to the pilot (dashed
lines: desired performance, dotted lines: adequate performance)
Table 16.6 Aircraft configurations and flight conditions for the GARTEUR FM-AG(16) piloted
evaluation test scenario (* Flight 1862 scenario)
At an altitude of 50 feet the run was stopped and the pilot was again asked to fill
in the rating scales and questionnaires for the localiser and glideslope capture tasks
using the specified performance metrics.
The landing itself was not part of the experiment, because a realistic aerodynamic
model of the damaged aircraft in ground effect and with the gear extended was not
available. However, it was assumed that if the aircraft was brought to the threshold
in a stable condition and within the runway boundaries, the pilot would likely have
been able to perform the final flare and landing as well.
The aircraft configurations and flight conditions, as used in the test scenario, are
summarised in Table 16.6.
16.3 Results
From the implementation and piloted evaluation, a number of results were obtained
for several of the FM-AG(16) reconfigurable control algorithms. In several cases,
these resulted in adjustments or partial redesigns of the controllers to improve their
practical applicability. One of the controllers was redesigned to be able to cope with
additional time delays in the online sensor simulation. Another was split up into a
fast (time critical) and slow (computationally intensive) part to allow real-time op-
eration. Due to the pilots entering previously untested parts of the flight envelope
(airspeeds, angles of attack), hitherto unknown instabilities were sometimes discov-
ered. Based on pilot comments, the designers of the controllers were also able to
fine-tune the outer control loops to achieve acceptable tracking behaviour.
Pilot comments also indicated that future work should include the determination,
presentation and possibly protection of the remaining safe flight envelope. Although
the fault tolerant controllers can effectively support the pilot in bringing the aircraft
safely to the ground, they cannot overcome the inherent physical limitations of the
damaged vehicle. At some point in the flight envelope, the remaining control options
will still be exhausted and the aircraft will become uncontrollable. A drawback of
the currently investigated controllers is the abrupt loss of control when the safe flight
envelope is abandoned, because the controller has up to that point been actively
providing the pilot with acceptable handling qualities or tracking performance. In
the classical flight control configuration, the pilot would be more aware of nearing
the limits of maximum control deflections by his own direct actions on the controls.
He would be better able to ‘back off’ somewhat to retain control than when he is
flying more detached from the physical world with the controller engaged. A way
to give the pilot back his ‘situational awareness’ would be a valuable addition to a
fault tolerant flight control scheme.
In the course of the integration process, the computational burden of the different
controllers was assessed according to the method described in section 16.2.2.1. The
required times to complete a single frame or integration step are summarized in
Table 16.7.
Table 16.7 Computational load measured as time needed for a single integration step on a
desktop processor
As can be seen from these results, the structure of the algorithm has a large in-
fluence on the computational load. The third control algorithm, for instance, added
very little computational overhead to the classical flight control system by using a
fixed linear filter. On the other hand, the seventh control algorithm employed real-
time state reconstruction using an iterated extended Kalman filter at every time step,
leading to a much larger demand on the processor.
Handling qualities and workload results were collected for the manually flown
Real-Time Model Identification and Nonlinear Dynamic Inversion Controller
(FTFC-7). From the preliminary evaluations this controller was deemed the most
interesting manual control algorithm because it allowed the collection of opera-
tional data for a number of failures. A full discussion of the evaluation results for
this controller can be found in chapter 13, but to illustrate the evaluation method,
some results are discussed here. In general, the handling qualities results for this
algorithm show that for the Flight 1862 scenario normal flight control was restored
to acceptable levels while physical and mental workload were reduced significantly.
This is illustrated in Fig. 16.8 showing the lateral handling qualities pilot ratings
for the localizer capture task. It can be seen that, for this task, both the baseline
and fault-tolerant fly-by-wire (FBW) aircraft were rated Level 1 (Rating 1-3). After
separation of the right-wing engines the lateral handling qualities of the conventional
aircraft with the classical flight control system degraded to Level 2. The
reconfigured aircraft (FBW) still shows Level 1 handling qualities after incurring
significant damage due to the loss of the right-wing engines. This was substantiated
by the measured pilot control activities, representative of workload, which indicated
that the pilot did not need to compensate for the failure after reconfiguration
(Fig. 16.9). For the rudder runaway failure, the pilots rated the augmented aircraft
as Level 2, the same as the unaugmented configuration. Based on the ratings, pilot
comments, and recorded control activities, an investigation was performed on
the causes and possible solutions to this problem. Chapter 13 describes how this
process helped in identifying future research areas for this particular algorithm and
failure type.
Fig. 16.8 Localizer capture task handling qualities ratings for classical control and fault
tolerant control
Fig. 16.9 Measured pilot control activities for engine separation failure mode (panels:
roll [rad], pitch [rad] and one unlabelled panel, each plotted against time [s])
16.4 Conclusions
The GARTEUR FM-AG(16) piloted simulator campaign provided a unique oppor-
tunity to assess novel fault tolerant flight control techniques and pilot performance
under flight validated failure mode scenarios and operational conditions. Taking the
extra step of applying the designed reconfigurable control algorithms in a pilot-
in-the-loop simulator has been shown to provide new insights beyond those gained in an
offline analysis. Implementing the control algorithms to work with available sensor
data and in real-time requires smart design decisions and optimizations. With feed-
back from pilots, the ultimate users of the system, a new work domain is entered
where pure aircraft performance characteristics are supplemented with the need for
good handling qualities and a good pilot-vehicle interface.
The piloted assessment on the SIMONA Research Simulator, as part of the action
group’s goals, has proven to be a highly effective way of quickly producing new
versions of the reconfigurable control schemes which were more flyable and conformed
more closely to pilot expectations. Therefore, having a realistic motion simulator
at hand for development and evaluation can be particularly useful if the aircraft’s
handling qualities in nominal and failed conditions must be taken into account in
the design.
From a piloting perspective, the evaluated fault tolerant control designs were
shown to add much to the survivability of a damaged aircraft. The simulation cam-
paign demonstrated that the reconfigurable fault tolerant controllers exhibited better
performance than achievable by an unsupported pilot, especially after failures. This
improved performance consisted of a reduction of pilot (physical/mental) workload,
increase of safety and a higher probability of a successful landing. Also the identi-
fication of the failure and the selection of a suitable recovery strategy were handled
better by the fault tolerant control systems. The GARTEUR FM-AG(16) experiments
demonstrated that future work in the area of fault tolerant flight control should
not only include a continued focus on the aircraft’s handling qualities in nominal
and failed conditions, but in particular investigate innovative methods for the deter-
mination and protection of the aircraft’s safe flight envelope.
Appendix 1: Failure Mode Test Matrix

0. No failure

1. Stuck elevators
Aim: Detection of actuator / surface failure
Description: All elevator surfaces are stuck in a faulty position with an offset from trim.
Reconfiguration: Remaining surfaces:
• stabiliser
• ailerons (symmetric)
• differential thrust
Assessment:
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Major

2. Stuck aileron
Aim: Detection of actuator / surface failure
Description: All aileron surfaces are stuck in a faulty position with an offset from trim.
Reconfiguration: Remaining surfaces:
• ailerons (other)
• spoilers
Assessment:
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Major

3. Stabilizer runaway*
Aim: Provide analytical means of identifying safety critical control surface failure
Description: The stabiliser surface moves quickly to an extreme position
Reconfiguration: Remaining surfaces:
• elevator (bad stabiliser)
• ailerons (symmetric)
• flaps
• differential thrust
Assessment:
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Critical

4. Rudder runaway*
Aim: Detection of actuator / surface failure
Description: All rudder surfaces move quickly to an extreme position.
Reconfiguration: Remaining surfaces; asymmetric thrust
Assessment:
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Critical

5. Stuck elevators (with turbulence)
Aim: Robust detection of actuator/surface failure
Description: All elevator surfaces are stuck in a faulty position with an offset from trim.
Reconfiguration: Remaining surfaces:
• stabiliser
Assessment:
• No false FDI detection
Criticality: Major

6. Stuck aileron (with turbulence)
Aim: Robust detection of actuator/surface failure
Description: All aileron surfaces are stuck in a faulty position with an offset from trim.
Reconfiguration: Remaining surfaces:
• stabiliser
• ailerons (symmetric)
• differential thrust
Assessment:
• No false FDI detection
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Major

8. Rudder runaway (with turbulence)
Aim: Robust detection of actuator/surface failure
Description: All rudder surfaces move quickly to an extreme position.
Reconfiguration: Remaining surfaces; asymmetric thrust
Assessment:
• No false FDI detection
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Critical

9. Loss of vertical tail*
Aim: Detection of actuator/surface failure and loss of directional stability
Description: The loss of the vertical tail leads to the loss of all rudder control surfaces as well
as the loss of all damping in the roll and yaw axes.
Reconfiguration: Remaining surfaces; asymmetric thrust
Assessment:
• Transient behaviour (load factor)
• Controllability (authority)
• Continued safe flight and landing
Criticality: Catastrophic

10. Engine separation & resulting structural damage (El Al Flight 1862)*
Aim: Detection of flight critical structural and system failures in order to
• continue safe flight and landing (civil)
Reconfiguration: Real time control law reconfiguration; remaining surfaces; remaining engines
Assessment:
• Transient behaviour (load factor)
• Stability
• Controllability (authority)
• Continued safe flight and landing
Criticality: Catastrophic
References
1. Anonymous: The simulation of a jumbo jet transport aircraft. Modeling data, vol. II.
Technical Report D6-30643, Boeing (September 1970)
2. Cooper, G.E., Harper Jr., R.P.: The use of pilot rating in the evaluation of aircraft handling
qualities. Technical Report TN D-5153, NASA (1969)
3. Smaili, M.H.: Flight data reconstruction and simulation of El Al flight 1862. Master’s
thesis, Delft University of Technology (November 1997)
4. Smaili, M.H.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer
airplane accident. In: AIAA Modeling and Simulation Conference and Exhibit,
AIAA-2008-4586. AIAA (August 2000)
5. Stroosma, O., Van Paassen, M.M., Mulder, M.: Using the SIMONA research simulator for
human-machine interaction research. In: AIAA Modeling and Simulation Conference and
Exhibit, AIAA-2003-5525. AIAA (August 2003)
6. Van Paassen, M.M., Stroosma, O.: DUECA - data-driven activation in distributed real-time
computation. In: AIAA Modeling and Simulation Conference and Exhibit,
AIAA-2000-4503. AIAA (August 2000)
Chapter 17
Piloted Evaluation Results of a Nonlinear
Dynamic Inversion Based Controller Using
Online Physical Model Identification
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: q.p.chu@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Olaf Stroosma
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: o.stroosma@tudelft.nl
Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 477–499.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
17.1 Introduction
As the survey of major aircraft accidents and incidents in Chapter 1 has shown, it is
sometimes still physically possible to control a damaged aircraft while components
such as control surfaces, engines or parts of the structure have failed. In some cases,
(differential) engine control was used by the pilot to replace conventional control via
the ailerons and elevators due to loss of the hydraulic system. In other cases, some
control surfaces may still be operating to replace the failed ones. This redundancy
can be exploited by an automated reconfigurable system which identifies the remaining
control options and drives the available surfaces. Ideally, the system would
also be able to cope with unforeseen failures and adapt itself accordingly. If the
system takes the form of a manual fly-by-wire flight control algorithm, as opposed
to a fully automatic system, the requirements on the (degraded) handling qualities
also need to be taken into account. The system must provide the pilot with good
handling qualities in normal flight conditions and acceptable handling qualities in
failed conditions.
This chapter discusses the results of a piloted simulator evaluation, conducted
in the SIMONA Research Simulator of the Delft University of Technology, of the
combination of the two-step method as an identification procedure, and nonlinear
dynamic inversion as discussed in Chapter 13. The objectives of the piloted evalu-
ation are to assess the real-time aircraft failure mode accommodation capabilities,
following a potentially catastrophic failure mode. This will be done in terms of
aircraft failure recovery capabilities, stabilisation, controllability and required pilot
workload to conduct a survivable approach and landing. As with the other fault tol-
erant control algorithms tested in the simulator, the same flight scenarios, failure
modes and subtasks were used.
The measurement of the performance of the designed NDI based control algo-
rithm with online physical model identification has been conducted in two ways:
• Qualitative: by means of subjective handling qualities ratings
• Quantitative: by means of objective pilot workload measurements
These measurements allow an initial assessment of the achieved performance of
the adaptive NDI control algorithm in a real-time operational environment using
(subjective) pilot ratings that are correlated with objective (quantitative) data of pilot
control activity as a measure of workload.
Pilot evaluations of fault tolerant control algorithms have been organised before,
as discussed in [2] and [3]. In [2], handling qualities evaluations have been dis-
cussed for a reconfigurable control law on the X-36 tailless advanced fighter aircraft
(TAFA) for a pitch capture, bank capture and a 360 degrees roll manoeuvre task.
In [3], handling qualities as well as workload have been analysed for a pitch down
manoeuvre in order to evaluate fault detection, isolation and reconfiguration algo-
rithms for a civil transport aircraft. However, the handling qualities and workload
assessment in this chapter are based upon a more elaborate experiment, involving a
realistic complete approach manoeuvre. Chapter 16 provides a complete description
of the experiment setup and the simulator equipment used in order to put the results,
as presented in this chapter, in the correct perspective.
where a certain steady non-zero sideslip angle β and/or roll angle φ are necessary to
compensate for the asymmetry. Therefore, this loop must also be NDI-based, where
the feedback path makes use of the lateral specific force Ay (which is related to the
sideslip angle), the roll angle φ and the commanded roll rate pcomm .
The control law can be deduced analogously to the inner loop described earlier,
where at this stage a relation must be found between the sideslip angle β and the
body fixed angular rates. From [1], the sideslip angle β can be written as follows:
v = V sin β (17.1)
Rewriting for β and differentiating and inserting the equation for v̇ from the nonlin-
ear aircraft kinematics yields:
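\[
\begin{aligned}
\dot{\beta} &= \frac{d}{dt}\arcsin\left(\frac{v}{V}\right) = \frac{1}{\sqrt{V^2 - v^2}} \cdot \dot{v} \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[ A_y + g\cos\theta\sin\phi + pw - ru \right] \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[ A_y + g\cos\theta\sin\phi \right]
 + \begin{bmatrix} \dfrac{w}{\sqrt{V^2 - v^2}} & 0 & \dfrac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix}
 \begin{bmatrix} p \\ q \\ r \end{bmatrix}
\end{aligned}
\tag{17.2}
\]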
Since the sideslip β is controlled by the rudder δr primarily via the yaw rate r
(because u ≫ w), equation (17.2) can be rewritten as the NDI loop command
for r in the rate control loop, where the virtual input is νβ = β̇ and pcomm is
the roll rate commanded by the pilot, which tracks the cockpit roll wheel deflection:
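\[
r = \left( \frac{-u}{\sqrt{V^2 - v^2}} \right)^{-1} \cdot
\left\{ \nu_\beta - \frac{1}{\sqrt{V^2 - v^2}} \left[ A_y + g\cos\theta\sin\phi + w\,p_{comm} \right] \right\}
\tag{17.3}
\]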
As a result, fig. 17.1 shows the manual fly-by-wire ANDI control outer loop archi-
tecture. In this setup, the control law provides a conventional attitude rate command
and attitude hold control strategy as applied in modern fly-by-wire transport aircraft.
Control wheel steering supplies a reference roll rate, pitch rate tracks the control col-
umn and the pedals give the commanded sideslip angle, which is limited between
+5° and −5°. Moreover, in order to ensure comfortable aircraft responses to the
pilot inputs, some first order low pass filters have been added in the input channel.
This manual fly-by-wire control setup provided the baseline for the ANDI recon-
figurable control law evaluation in the SIMONA Research Simulator and has been
flown in three aircraft failure scenarios besides the unfailed flight.
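The sideslip loop of equations (17.2) and (17.3), as an added Python example that is not the chapter authors' controller: it checks that the commanded yaw rate cancels the nonlinear terms and runs the loop for a pedal step limited to ±5°. The flight condition, the side-force model for Ay, the gain K, the filter time constant and perfect inner-loop tracking of r and p are assumptions made here.

```python
import math

G = 9.80665  # gravitational acceleration [m/s^2]


def beta_dot(V, u, v, w, Ay, theta, phi, p, r):
    """Sideslip rate per eq. (17.2); airspeed V is treated as constant."""
    root = math.sqrt(V * V - v * v)
    return (Ay + G * math.cos(theta) * math.sin(phi) + p * w - r * u) / root


def yaw_rate_command(V, u, v, w, Ay, theta, phi, p_comm, nu_beta):
    """Yaw rate command per eq. (17.3) for a requested sideslip rate nu_beta."""
    if V * V - v * v <= 0.0 or abs(u) < 1e-6:
        raise ValueError("inversion undefined: need |v| < V and u != 0")
    root = math.sqrt(V * V - v * v)
    bias = (Ay + G * math.cos(theta) * math.sin(phi) + w * p_comm) / root
    return (nu_beta - bias) / (-u / root)


def simulate_pedal_step(pedal_deg, phi_deg=3.0, p_comm=0.01, t_end=20.0, dt=0.02):
    """Closed sideslip loop for a constant pedal command; returns final beta [deg].

    Assumed for illustration only (not values from the chapter): V = 134 m/s,
    alpha = theta = 4 deg, Ay = -8.0 * beta as a constructed side-force model,
    gain K = 1.0 1/s, filter time constant 0.5 s, and an inner loop that
    tracks the commanded r and p perfectly.
    """
    V, alpha, theta = 134.0, math.radians(4.0), math.radians(4.0)
    phi = math.radians(phi_deg)
    K, tau = 1.0, 0.5
    limit = math.radians(5.0)  # pedal command limited to +/-5 deg
    beta_lim = max(-limit, min(limit, math.radians(pedal_deg)))
    beta, beta_ref = 0.0, 0.0
    for _ in range(int(round(t_end / dt))):
        # First order low pass filter on the limited pedal command.
        beta_ref += dt * (beta_lim - beta_ref) / tau
        # Body-axis velocity components for the current sideslip.
        v = V * math.sin(beta)
        u = V * math.cos(beta) * math.cos(alpha)
        w = V * math.cos(beta) * math.sin(alpha)
        Ay = -8.0 * beta
        # Linear virtual control, then inversion to a yaw rate command.
        nu_beta = K * (beta_ref - beta)
        r = yaw_rate_command(V, u, v, w, Ay, theta, phi, p_comm, nu_beta)
        # Propagate the true kinematics (17.2) with r and p as commanded.
        beta += dt * beta_dot(V, u, v, w, Ay, theta, phi, p_comm, r)
    return math.degrees(beta)


if __name__ == "__main__":
    print("pedal 8 deg  -> beta %.4f deg" % simulate_pedal_step(8.0))
    print("pedal -2 deg -> beta %.4f deg" % simulate_pedal_step(-2.0, phi_deg=-10.0))
```

Because the inversion removes Ay, the gravity term and the roll-rate coupling, the sideslip response is the same first-order lag whatever steady roll angle the asymmetry requires.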
scenarios were selected from the GARTEUR RECOVER benchmark model’s fail-
ure mode library and are based on recent accident cases as surveyed in Chapter 1.
For the Flight 1862 case, digital flight data recovered from the accident site was used
for the validation of the Flight 1862 aircraft dynamics (Chapter 6). Considering the
restricted available time for the experiment, the evaluation phase has concentrated
on these three scenarios.
In every scenario, the pilot starts flying at an altitude of 2000 ft and with a speed
of 260 kts towards the north. After a 90 degree heading change eastward, the fail-
ure is triggered and the pilot’s task is to stabilize the plane and familiarise himself
with the degraded handling qualities and reduced performance. After familiarisation,
several evaluation manoeuvres are flown including altitude captures and bank angle
captures. This allows the pilot to verify the stability and controllability of the aircraft.
After the handling qualities evaluation manoeuvres, a conventional terminal area ap-
proach is flown that includes a right hand turn in order to bring the aircraft onto a
localizer intercept course. Finally, the final approach phase consisting of the local-
izer and glideslope intercept phases concludes the flight. The simulation is ended
at a height of 50 feet above the runway threshold.¹ All flights were conducted according
to the applicable procedures in the Amsterdam Schiphol Terminal Area. The
aircraft trajectory is illustrated in fig. 17.2. Note that altitude captures and bank angle
captures are not visible on this scale. Details of the experiment scenario, including
handling qualities and performance metrics, are further elaborated in Chapter 7.
Experienced airline and engineering pilots, rated for the Boeing 747 aircraft, con-
ducted the evaluation. For the handling qualities and pilot workload analysis, the
experiment data from five pilots has been taken into account for both the Rudder
Hardover and Flight 1862 accident case scenarios. Due to time constraints, no rat-
ings and workload data for the stabiliser runaway failure are available.
¹ The landing itself is not part of the benchmark, because a realistic aerodynamic model of
the damaged aircraft in ground effect is not available. However, it is believed that if the
aircraft is brought to the threshold in a stable condition, the pilot would be able to perform
a survivable final flare and landing.
Fig. 17.2 Trajectory of the piloted simulation runs in the SIMONA research simulator
pitch by the column and yaw by the pedals) in order to keep the aircraft under con-
trol in the classical control system configuration. The separation of the right-wing
engines occurs around t = 200s into the flight for both the classical and ANDI con-
trol system. For the classical control system configuration, some pilots were not
able to maintain control of the aircraft while trying to recover and stabilise after the
separation of the right-wing engines. Due to the characteristics of this failure, the
demand for the pilot is dependent upon the speed regime where the damaged aircraft
is flying. At high speed (above approximately 260 KTS) and at a weight of 317.000
kg, the aircraft appears to be controllable, while at lower speeds the handling de-
teriorates significantly until control is lost around 200 KTS in a gliding condition
(almost idle thrust on the remaining engines no. 1 and 2). Several other interest-
ing observations were made for this failure scenario. For all pilots, the separation
of both right-wing engines and the subsequent damage to the aircraft necessitated
the use of both hands on the control wheel throughout most of the flight to keep
the aircraft under control (Figure 5(a)). The sustained control forces, both to con-
trol bank angle and yaw, resulted in significant physical workloads as commented
by the pilots afterwards and confirmed by their ratings. Additionally, most pilots
commented about the obstruction of the primary flight instruments by the control
wheel deflected at large angles required for lateral control (Figure 5(b)). The lateral
control capabilities of the damaged aircraft with the classical control system showed
that approaching approximately 260 knots in level flight, controlling left bank an-
gles towards the operating engines became progressively sluggish requiring up to
almost full control wheel deflection while applying full rudder pedal. For a right
turn into the separated engines, the baseline aircraft had a tendency to overbank up
to the point where control was lost (Figure 17.6). It was furthermore observed that
lateral control capabilities were improved at increasing sink rates while intercept-
ing the glideslope and reducing thrust on the remaining engines to decelerate and
stabilise for a gliding condition towards the runway. However, for a successful land-
ing, the pilot requires knowledge concerning the aircrafts minimum control speed
under the prevailing conditions in order to remain within the degraded safe flight
envelope boundaries. After control reconfiguration by the fly-by-wire ANDI control
law, following a real-time identification of the damaged aircraft dynamics, the ex-
periment showed that conventional control strategies were restored allowing normal
use of the control wheel, column and pedal to conduct a successful landing (Figure
17.7). Aircraft recovery transients and stabilisation by the ANDI fault tolerant con-
trol laws, immediately after the separation of the engines, proved to be acceptable
(almost a non-event as commented by the pilots). Comparing the classical control
system and the fault tolerant control algorithms in Figure 3(c) shows that the ANDI
control laws require no more control effort from the pilot on the roll, pitch and yaw
steering channels than before the failure. Only near the end of this particular simu-
lation run for the FTFC configuration a major pilot control action in the lateral axis
can be seen at about t=900s resulting in a saturation of the ailerons. This appeared
to be a corrective action by the pilot as the damaged aircraft accidentally decelerated
below the (unavailable) minimum control speed during final approach. More infor-
mation about this will be given later, see also fig. 17.9. This event highlights how
information about the remaining pilot authority and the restricted safe flight enve-
lope would contribute significantly to the pilot’s awareness.
The rudder runaway is the most challenging failure from the pilot perspective.
The failure occurs shortly before t = 200s. In this scenario, both upper and lower
rudder surfaces are deflected uncommanded towards the aerodynamic blowdown
limit (dependent on airspeed). As can be seen in Figure 3(d), the pilot has to use all
available steering channels (roll by the steering wheel, pitch by the column and yaw
by the pedals) to keep the aircraft under control in the case of classical control. This
is remarkable, since only two channels (roll and pitch) retain their efficiency. Rud-
der demands via the pedal inputs have no use in this failure scenario, nevertheless
it can be seen that the pilot is still tempted to use the pedals as a natural (trained)
reaction, despite being aware of the failure characteristics via the pre-flight brief-
ing. The aircraft failure transient behavior following a sudden rudder hardover of
the classical control system appeared to be rather critical. As can be seen in Fig-
ure 17.8, providing a visualisation of the simulator data, the baseline aircraft attains
an initial large roll upset following a left rudder hardover without immediate pilot
compensation. Most pilots were able to recover and stabilise the aircraft by man-
ually applying differential thrust following the failure (Figure 4(d)). However, the
application of differential thrust to stabilise the aircraft and improve lateral control
margins resulted in difficulties controlling airspeed as commented by some of the
pilots. The ANDI control algorithm, on the other hand, requires no more control
effort from the pilot on these steering channels than before the failure. The pedals for
instance, need no pilot input at all to minimize the sideslip of the aircraft in the case
of FTFC. Only at the very end, a small pedal input is given by the pilot in order to
line the aircraft up with the runway a few seconds before touchdown. It should also
be noted that, to ensure sufficient lateral controllability, differential thrust must be
applied. For the current FTFC control algorithm, differential thrust has been applied
manually by the pilot during the recovery and stabilisation phase which appeared to
be less critical immediately after reconfiguration.
Generally, comparing classical and fault tolerant control in the failure scenarios
above shows that a fault tolerant flight controller requires no more control effort
from the pilot on these steering channels than before the failure. The pedals for
instance, need no pilot input at all to minimize the sideslip of the aircraft in the case
of FTFC. Finally, some comments are given concerning the time scale. No timing
requirements have been given to the pilot, resulting in some variations in time scales,
depending on failure and control system.
Fig. 17.8 and 17.9 show the time histories of a selection of the most important
aircraft states. These confirm the evaluation trajectory as outlined in fig. 16.5. More-
over, altitude and roll angle plots illustrate the altitude and roll angle captures exe-
cuted by the test pilot to evaluate the post-failure handling qualities of the aircraft.
Fig. 17.9 gives some additional information about the situation where the safe flight
envelope boundary has been exceeded. The velocity graph shows that airspeed in the
fault tolerant control case is allowed to reduce significantly lower than for the clas-
sical control case. At some point, the minimum controllable airspeed is exceeded,
slightly above 100 m/s, and the aircraft exhibits a rolling tendency to the right which
Fig. 17.3 The pilot control actions during the different scenarios which were flown manually.
Range of available pilot control deflections: roll ±1.536 rad, pitch ±0.221 rad, yaw ±0.244
rad
[Plots: pilot roll, pitch and yaw (pedal) deflection in rad against time in s, classic and FTFC.]
(a) Aircraft stabilised before failure. Altitude 2000 feet, Airspeed 260 KTS, Sideslip 0 deg, Bank angle 0 deg
(b) Left rudder hardover to blowdown limit. Altitude 2000 feet, Airspeed 260 KTS, Maximum sideslip excursion 11.8 deg, Maximum bank angle approximately 30 deg
(c) Pilot standing-by before failure insertion
(d) Pilot applies full right-wing down control wheel deflection and differential thrust for aircraft recovery
Fig. 17.4 Piloted simulation of left rudder hardover inducing a large upset of the aircraft
without ANDI reconfigurable control laws (flight animation by Rassimtech AVDS) ©
(unfailed) and rudder hardover cases as shown in fig. 10(a) and 10(d). The ANDI
algorithm uses the elevator as an ’auto-trim’ feature that automatically compensates
for a mistrimmed stabilizer.
Information regarding control reconfiguration status by the ANDI algorithm was
available to the pilot via the engine indicating and crew alerting system (EICAS)
display in the cockpit. Figures 11(a) and 11(b) illustrate the EICAS display before
and after the separation of the right-wing engines. As shown in the figures, the asym-
metric physical loss of the engines is recovered and compensated by allocation of
control to the remaining surfaces. For this scenario, the inboard ailerons are only
half operational, supported by the remaining spoilers, as indicated by the damage
information in Chapter 6, and this is also visible in fig. 10(c). This figure shows
also that the FTFC algorithm exploits the full control authority of the rudder, where
the human pilot relies less on rudder control input. As a consequence, slightly less
aileron deflections are needed in the FTFC case compared to classic control. The
balance between aileron and rudder use can be improved by means of further
optimisation of the control allocation scheme.
(a) Pilot (left) requiring both hands for lateral control after separation of both right-wing engines without control reconfiguration
(b) Pilot’s head position (left) to scan primary flight instruments while applying left control wheel deflection to counteract roll without control reconfiguration
Fig. 17.5 Pilot control activity after separation of both right-wing engines for classical
hydro-mechanical control system configuration
The reconfiguration status of the ANDI algorithm for a sudden rudder hardover,
as presented to the pilot, is illustrated in Figures 11(c) and 11(d). Following the fail-
ure, lateral and directional control is allocated to the ailerons and spoilers providing
roll and yaw compensation while any longitudinal trim offsets, due to the failure,
are compensated by the elevators. In fig. 10(d), the faulty rudder behavior illustrates
the aerodynamic blowdown effect which is taken into account in the RECOVER
simulation model. As a result the maximum rudder deflection is slightly below 15°
for an airspeed around 270 knots, and even close to 25° (the physical maximum
deflection limit imposed by the rudder control system structure) for an airspeed of
165 knots.
Based upon these simulation runs, handling qualities as well as pilot workload
have been analysed, as is shown next. Simulations have shown that the stabilizer
runaway was the least challenging from a pilot point of view, as explained ear-
lier. Therefore, the subsequent discussions focus primarily on engine separation and
rudder hardover, since these are the most interesting scenarios from a pilot point
of view.
(c) Aircraft overbanking to the right. Full aileron and rudder applied to compensate roll
(d) Loss of lateral control
Fig. 17.6 Piloted simulation showing separated right-wing engines and loss of lateral control
due to overbank tendency without control reconfiguration and automatic stabilisation (flight
animation by Rassimtech AVDS) ©
Appendix 2 in Chapter 16. Both the rudder runaway scenario and Flight 1862 engine
separation scenario were rated. As a comparison basis, the classical flight control
system and fly-by-wire ANDI control algorithms were rated for the nominal flight
conditions (no failure modes). This also provided the opportunity to familiarise the
pilots with the different baseline control strategies.
The handling qualities analysis results are illustrated in Figures 17.12 and 17.13.
For all evaluation tasks, pilot handling qualities ratings were provided for both lon-
gitudinal and lateral task performance. For the evaluated control algorithm, the pi-
loted evaluation tasks included altitude capture, bank angle acquisition and localizer
capture up to the intercept of the glideslope. The bank angle capture task was sub-
divided into an evaluation of left and right bank acquisition capabilities to account
for asymmetric failure modes. Figures 17.12 and 17.13 show the individual ratings,
horizontally separated as classical (left) and fault tolerant (right), and from top to
bottom the tasks altitude capture, left bank capture, right bank capture and localizer
intercept respectively.
Fig. 17.7 Piloted simulator demonstration of approach and landing after separation of both
right-wing engines using fly-by-wire ANDI control reconfiguration (courtesy of RTL4
Television, The Netherlands)
Fig. 17.8 Comparison of a selection of aircraft states for the rudder runaway scenario
[Plots: pitch [rad], altitude [m], angle of attack [rad], heading [rad], flight path angle [rad], angle of sideslip [rad] and roll angle [rad] against time [s], classic and FTFC.]
The experiment results show that both the baseline (classical) and fly-by-wire
ANDI (FBW-ANDI) aircraft configuration were rated Level 1 (Rating 1-3) by most
pilots for the unfailed condition. This provides a comparison basis when analysing
pilot performance in degraded conditions for the different flight control system con-
figurations. The trends of the pilot ratings for the ANDI reconfigurable control
algorithm show that, especially for the Flight 1862 engine separation scenario,
Fig. 17.9 Comparison of a selection of aircraft states for the engine separation scenario
[Plots: pitch [rad], altitude [m], angle of attack [rad], heading [rad], flight path angle [rad] and angle of sideslip [rad] against time [s].]
Fig. 17.10 Time histories of the control surface deflections involved in the different scenarios
which were flown manually
[Plots: aileron, elevator (and stabilizer) and rudder deflection in deg against time [s], classic and FTFC.]
(a) EICAS display before failure
(b) EICAS display showing control surface reconfiguration after separation of right-wing engines
(c) EICAS display before failure
(d) EICAS display showing control surface reconfiguration after rudder hardover to blowdown limit
Fig. 17.11 Engine indicating and crew alerting system (EICAS) display providing control
reconfiguration status of ANDI control algorithm
The rudder hardover scenario appears to be more critical from a handling qual-
ities perspective. As with the Flight 1862 case, Level 2 handling qualities were
obtained in most conditions for the classical control system. However, the lateral
control tasks were observed to induce severely coupled longitudinal and lateral dy-
namics resulting in further degradation of the handling qualities to Level 3. For the
reconfigured aircraft, the handling qualities ratings remain about Level 2 after
control reconfiguration despite no required sustained control inputs by the pilot. Most
likely, the inferior rating is caused by the fact that the fault tolerant
controller is a rate controller: it minimizes disturbances in angular rates, but not
the disturbed angle itself. As a consequence, rudder hardover results in a yaw rate to
the left which is eliminated by the controller, but the heading angle change built up
in the meantime is not eliminated automatically, and is left to the pilot to compensate.
Later on in this chapter, a solution will be proposed for this problem.
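The limitation described above, a rate controller nulling the yaw rate while leaving the accumulated heading change, shown on a one-axis toy model as an added example (not the chapter's ANDI controller or its Fig. 17.18 structure). The inverted yaw dynamics, the PI rate law, the heading-feedback outer loop, the gains and the disturbance value are all assumptions constructed for illustration.

```python
"""Yaw-axis sketch: pure rate control versus rate control / attitude hold.

Added illustration with a constructed model and hypothetical gains.
"""


def simulate(attitude_hold, d_fail=-0.05, t_fail=5.0, t_end=60.0, dt=0.01,
             k_r=2.0, k_i=1.0, k_psi=0.5):
    """Integrate r_dot = nu + d(t), psi_dot = r with forward Euler.

    nu is the virtual control left after inverting the yaw dynamics and
    d(t) is a constant yaw acceleration [rad/s^2] that appears at t_fail,
    standing in for the hardover. Pedals stay neutral throughout.
    Returns a list of (t, psi, r) samples.
    """
    psi = r = z = 0.0          # heading [rad], yaw rate [rad/s], integrator
    psi_hold = psi             # heading captured while the pedals are neutral
    history = []
    for k in range(int(round(t_end / dt)) + 1):
        t = k * dt
        history.append((t, psi, r))
        d = d_fail if t >= t_fail else 0.0
        # Rate command: zero for the pure rate controller, heading-error
        # feedback when the attitude-hold outer loop is active.
        r_cmd = k_psi * (psi_hold - psi) if attitude_hold else 0.0
        err = r_cmd - r
        nu = k_r * err + k_i * z           # PI law on yaw-rate error
        psi, r, z = psi + dt * r, r + dt * (nu + d), z + dt * err
    return history


def summary(attitude_hold):
    """Final heading, final yaw rate and largest heading excursion."""
    history = simulate(attitude_hold)
    _, psi_end, r_end = history[-1]
    peak = max(abs(psi) for _, psi, _ in history)
    return psi_end, r_end, peak


if __name__ == "__main__":
    for label, hold in (("rate control only", False),
                        ("rate control / attitude hold", True)):
        psi_end, r_end, peak = summary(hold)
        print(f"{label:30s} final heading {psi_end:+.4f} rad, "
              f"final yaw rate {r_end:+.5f} rad/s, peak excursion {peak:.4f} rad")
```

Both variants drive the yaw rate back to zero; only the attitude-hold variant also removes the heading change, which the pure rate controller leaves at d/k_i for the pilot to correct.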
Fig. 17.12 Pilot longitudinal handling qualities ratings of classical and FTFC flight control
system configurations for the different aircraft failure scenarios.
[Plots: longitudinal HQR per task, classical (left) and FBW (right), for the No Fail, Rudder and Engine cases.]
Fig. 17.13 Pilot lateral handling qualities ratings of classical and FTFC flight control system
configurations for the different aircraft failure scenarios.
[Plots: lateral HQR per task, classical (left) and FBW (right), for the No Fail, Rudder and Engine cases.]
Scenarios including failures are restricted to the time span after the failure till the
end. The localizer intercept phase work levels are comparable, since the time in-
tervals are almost identical, thanks to the well-defined start and end points and the
prescribed airspeed and trajectory. However, for the total simulation run, there are
considerable variations in the time span from beginning till end, as can be seen in
figures 17.3 and 17.10, which makes the absolute workload values not comparable.
Therefore, average workload levels have been calculated for the total simulation
run. In each graph, a distinction is made between roll, pitch and yaw channel, as il-
lustrated by the three graphs separated vertically. In each control channel, six cases
have been studied, namely unfailed, engine separation and rudder runaway, each
time with classical and fault tolerant control. In each case, the workload figure of
each of the five pilots is represented individually by means of bar plots, after which
the mean and standard deviations are superimposed on these bar plots for every case,
in order to facilitate mutual comparisons. Note that no data are available for pilot
1 in the localizer intercept phase for the engine separation failure with fault
tolerant controller. This is because the safe flight envelope boundary has been exceeded
before the GS valid flag was raised, leading to unreliable results since they are not
representative.
$$\mathrm{RMS}_{defl} = \frac{\|\delta_{ctrl}\|_2}{\sqrt{n}} \tag{17.4}$$
where δctrl is the pilot control deflection under consideration and n is the length
of the recorded data sample. Note that both measures are set up in such a way
that variations in data sample lengths are automatically taken into account, which
is important for the total simulation run data. Figures 17.14 and 17.15 illustrate
the physical workload analysis results in the presentation as was introduced earlier.
Figure 17.14 depicts the average pilot forces, and figure 17.15 portrays the root
mean square of the pilot control deflections.
Both figures lead to the same observations regarding the measured physical work-
load during the experiment. The unfailed conditions confirm that this is a sound
comparison basis between classic and FTFC, since both have the same ratings. Sig-
nificant physical workload can be seen for the different failure scenarios to maintain
control of the damaged aircraft. Especially for the Flight 1862 engine separation
scenario, the data shows that for the complete duration of the flight and during
the individual tasks, compensation of the failure was required in all control axes
(roll, pitch and yaw). For the rudder hardover scenario, compensation is especially
apparent in the roll channel, while the other channels require less compensation. For
the reconfigured aircraft, utilising the ANDI control algorithms, the control forces
are reduced significantly indicating that use of the pilot controls was decreased.
Additionally, the data shows more consistency amongst the pilots in most cases for the
FTFC configuration as represented by the standard deviations in the graphs. Only
the applied rudder pedal force for the FTFC engine separation case is an exception
to this trend, but it can be seen that this is caused by test pilot 2 who exhibits
significantly higher and above-average control behavior as compared to the other
subjects. This was partly based on a misunderstanding of the pilot regarding the
implemented control strategy of the controller in which the pedals directly command
sideslip angle. For the rudder hardover scenario, the data shows that almost all
pilots had a natural tendency to react to the failure by applying rudder pedal despite
being briefed that rudder was not available. The minimum overlap of the errorbars
of workload, for the limited number of subjects, between the classical and ANDI
control system confirms that the observed trends are significant.
Fig. 17.14 Total average pilot force during localizer intercept phase (left) and during
complete simulation run (right)
[Plots: roll force [Nm], pitch force [Nm] and yaw force [N] per pilot, classic and FTFC, for no failure, engine separation and rudder runaway.]
Fig. 17.15 Root mean square of pilot control deflections during localizer intercept phase
(left) and during complete simulation run (right)
[Plots: RMS roll, RMS pitch and RMS yaw per pilot, classic and FTFC, for no failure, engine separation and rudder runaway.]
Fig. 17.16 Root mean square of pilot control deflection rates during localizer intercept phase
(left) and during complete simulation run (right)
Summarizing, it can be stated that average absolute force as well as pilot control
deflections RMS confirm that the FTFC reduces the physical workload considerably,
compared to classical control.
$$P = \int_{t=t_0}^{t_{end}} F(t) \cdot \frac{d\,\delta_{ctrl}(t)}{dt}\, dt \tag{17.5}$$
$$P_{av} = \frac{1}{T_{tot}} \int_{t=t_0}^{t_{end}} F(t) \cdot \frac{d\,\delta_{ctrl}(t)}{dt}\, dt \tag{17.6}$$
Fig. 17.17 Average pilot power during localizer intercept phase (left) and during complete
simulation run (right)
[Plots: average roll, pitch and yaw power [W] for pilots 1 to 5 and their mean, classic and FTFC, for no failure, engine separation and rudder runaway.]
Fig. 17.18 Input structure setup for a rate control attitude hold controller
rate controller, it minimizes disturbed angular rates, but not the disturbed angle it-
self. A possible solution for this is the implementation of a rate control attitude hold
algorithm, as shown in fig. 17.18. The beneficial effect of this feature can possibly
be tested in a new campaign.
17.5 Conclusions
As part of an experimental campaign in the SIMONA Research Simulator, the man-
ually operated Adaptive Nonlinear Dynamic Inversion (ANDI) based controller
using Online Physical Model Identification was evaluated for a damaged aircraft
during a piloted simulator assessment. The scenarios for the evaluation were se-
lected based on their criticality to the operation of the aircraft and available flight
data for the validation of the damaged aircraft dynamics.
The experiment results show that the controller is successful in recovering the
ability to control damaged aircraft after incurring a physical loss of two right-wing
engines or a sudden hardover of the rudder. Simulation results have shown that the
handling qualities of the fault tolerant controller degrade less for most failures,
indicating improved task performance. Moreover, it has been found that the aver-
age increase in workload after failure is considerably reduced for the fault tolerant
controller, compared to the classical controller. The data shows more consistency
amongst the pilots in most cases for the FTFC configuration. These observations
apply for physical as well as compensatory (mental) workload.
For the rudder runaway scenario, physical workload was reduced with the ANDI
reconfiguration algorithm, but the lack of a rate control/attitude hold control scheme
caused a negative effect on aircraft handling. To allow a fully automatic reconfig-
uration of failure modes that affect the lateral control axes, the fault tolerant flight
control laws should include a rate control/attitude hold control scheme.
Analysis of the control surface deflections has shown that their behavior is similar
for both the conventional hydro-mechanical control system and FTFC control laws.
The major difference is that in the latter situation these commands do not come
from the pilot directly. This is the clear advantage of the physical approach which
has been followed in this method. Future research in control allocation schemes
for the ANDI control algorithm will optimize the balance between the use of the
different control surfaces.
Due to the automatic failure recovery and stabilisation capabilities of reconfig-
urable control, it is expected that the pilot is able to land the aircraft sooner due
to the reduction of the time consuming learning phase for the pilot to understand
the new basic principles of the damaged aircraft’s flying characteristics. Although
control reconfiguration can utilise the control effectors in an optimal manner for
stabilisation, the experiment has shown that information regarding the safe flight
envelope should be an integral part of a fault tolerant flight control scheme to assist
the pilot in controlling the aircraft.
For both the Flight 1862 and rudder hardover case, as part of the scenarios sur-
veyed in this research, the pilots demonstrated the ability to fly the damaged aircraft,
following control reconfiguration, back to the airport and conduct a survivable ap-
proach and landing.
References
1. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: AE3-302 Flight
Dynamics, Lecture Notes. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands, January 25 (2006)
2. Brinker, J.S., Wise, K.A.: Flight testing of reconfigurable control law on the X-36 tailless
aircraft. Guidance, Control and Dynamics 24(5), 903–909 (2001)
3. Ganguli, S., Papageorgiou, G., van der Vaart, J.C., Elgersma, M.: Piloted Simulation of
Fault Detection, Isolation and Reconfiguration Algorithms for a Civil Transport Aircraft.
In: AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA-2005-5936,
San Francisco, CA (August 2005)
Chapter 18
Model Reference Sliding Mode FTC with
SIMONA Simulator Evaluation: EL AL Flight
1862 Bijlmermeer Incident Scenario
Halim Alwi, Christopher Edwards, Olaf Stroosma, and Jan Albert (Bob) Mulder
18.1 Introduction
This chapter presents flight simulator results obtained by experienced pilots based
on the EL AL flight 1862 (Bijlmermeer incident) scenario. The results in this chapter
are the outcome of a controller evaluation flight testing campaign and the GARTEUR
AG16 final workshop at Delft University in November 2007. The results
represent the successful real time implementation of an SMC controller on the
SIMONA 6-DOF flight simulator.
The EL AL flight 1862 incident represents a challenging scenario for any fault
tolerant control strategy. In this chapter, it will be assumed that the controller has
no knowledge of the failure and damage to the airframe, and that there is no FDI or
fault estimation available.
The controller that has been used is a model reference sliding mode controller
– an alternative to the integral action sliding mode controller proposed in Chapter
8. Here, since it is assumed that the controller has no knowledge of the failure and
the damage to the airframe, fixed control allocation will be used. In this situation,
there is no control signal redistribution to the healthy control surfaces. Instead, the
fixed and equally distributed control allocation scheme is sufficient to access the
remaining available control surfaces and ‘passively’ control the aircraft while ensuring
stability and some nominal performance.
Halim Alwi
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: ha18@le.ac.uk
Christopher Edwards
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: chris.edwards@le.ac.uk
Olaf Stroosma
Faculty of Aerospace Engineering, P.O. Box 5058, 2600 GB Delft, The Netherlands
e-mail: O.Stroosma@tudelft.nl
Jan Albert (Bob) Mulder
Faculty of Aerospace Engineering, P.O. Box 5058, 2600 GB Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 501–517.
An outer loop ILS (inertial landing system) PID scheme described in Chapter 8 is
also used in this chapter in order to provide an outer loop command (roll and flight
path demand) to guide the aircraft to capture the localizer (LOC) and glide slope
(GS), as in a typical landing procedure.
where $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$ and $K(t) := \mathrm{diag}(k_1(t), \ldots, k_m(t))$ contains the effectiveness
gains. In most control allocation (CA) strategies, the control signal is distributed
equally among all the actuators [8, 9, 28] or distributed based on the limits (position
and rate) of the actuators [5]. In Chapter 8, information about K(t) has been incorpo-
rated into the allocation algorithm through a weighting matrix W , so that the control
is redistributed to the remaining healthy actuators when faults/failures occur. In this
chapter, the CA strategy is based on the widely used approaches from the literature;
i.e. fixed and equal distribution of the control signals. This is motivated by the fact
that the information about K(t) in (18.1) is not always available and mirrors what
happened during the EL AL flight 1862 scenario.
As in Chapter 8, assume that the system states can be reordered, and the input
distribution matrix B from (18.1) can be partitioned as:
$$B = \begin{bmatrix} B_1 \\ B_2 \end{bmatrix} \tag{18.2}$$
It can be shown that the pseudo-inverse in (18.5) arises from the optimization
problem
$$\min_u \|u\|^2 \quad \text{subject to} \quad B_2 u = \nu \tag{18.6}$$
In terms of the stability analysis which follows, the effect of the exogenous dis-
turbance d(t) from (18.1) is ignored. Clearly this external signal does not formally
affect the stability or otherwise of the closed-loop system associated with (18.1) –
although of course it affects the closed-loop performance of the system. In the real
system, it will directly affect the trim points and flight envelope of the damaged
aircraft.
The development which follows is similar in spirit to Chapter 8 but is different
in detail because of the model reference setting. Using (18.4) and (18.5), it can be
shown that (18.1) can be written as
In the fault free case $K = 0$ and $BKB_2^T$ in (18.7) is zero. Consider a reference model
defined as
$$\dot{w}(t) = A_m w(t) + B_m y_d(t) \tag{18.8}$$
where $y_d(t)$ is the reference signal and $A_m \in \mathbb{R}^{n \times n}$, $B_m \in \mathbb{R}^{n \times l}$ with $A_m$ stable.
Define
$$e(t) = x(t) - w(t) \tag{18.9}$$
and therefore from (18.7) and (18.8) the error system
The matrices Am and Bm represent the reference model which defines the required
system performance. The control objective is to minimize the error between the
reference model and the ‘virtual’ controlled plant (A, BBT2 ) in (18.7). The matrices
F and G represent the feedback and feed–forward terms which define the refer-
ence model. Sliding mode control (SMC) techniques [10, 4], will now be used to
synthesize ν(t). As in Chapter 8, the so–called switching function $s : \mathbb{R}^n \to \mathbb{R}^l$
to be
The sliding surface will be designed based on the nominal no fault condition (K =
0). Using (18.11), equation (18.10) can be rewritten as
where
$$B_2^N := (I - B_2^T B_2) \tag{18.16}$$
Therefore, the last term in (18.15) is zero in a fault free case (K = 0), but is treated
as (unmatched) uncertainty when K ≠ 0. Define
W := I − K (18.17)
and write
$$B_2^+ := W B_2^T (B_2 W B_2^T)^{-1} \tag{18.18}$$
As argued in Chapter 8, there exists a scalar γ0 which is finite and independent of W
such that
$$\|B_2^+\| < \gamma_0 \tag{18.19}$$
for all $W = \mathrm{diag}(w_1, \ldots, w_m)$ such that $0 < w_i \le 1$.
In the ê(t) coordinates, choose
$$\hat{S} = S T_r^{-1} = \begin{bmatrix} M & I \end{bmatrix} \tag{18.20}$$
where $M \in \mathbb{R}^{l \times (n-l)}$ represents design freedom [4]. The reduced order system which
governs the sliding motion is
$$\dot{\hat{e}}_1(t) = \left(\tilde{A}_{11} - B_1 B_2^N B_2^+ (I + M B_1 B_2^N B_2^+)^{-1} \tilde{A}_{21}\right)\hat{e}_1(t) + B_1 B_2^N B_2^+ (I + M B_1 B_2^N B_2^+)^{-1} \nu_m(t) \tag{18.21}$$
where $\tilde{A}_{11} := \hat{A}_{11} - \hat{A}_{12} M$ and $\tilde{A}_{21} := M \tilde{A}_{11} + \hat{A}_{21} - \hat{A}_{22} M$. When W = I (fault free
situation), $B_2^+|_{W=I} = B_2^T$ and the system in (18.21) ‘collapses’ to $\dot{\hat{e}}_1(t) = \tilde{A}_{11} \hat{e}_1(t)$
which is the nominal sliding mode reduced order system for which M has been
designed to guarantee stability. However, during fault/failure conditions stability of
the system in (18.21) (which depends on W through $B_2^+$) needs to be established. If
where
$$\gamma_2 = \|\tilde{G}(s)\|_\infty \tag{18.23}$$
and
$$\gamma_1 := \|M B_1 B_2^N\| \tag{18.24}$$
then as proven in [2], during a fault or failure condition, for any combination of
$0 < w_i \le 1$, the closed-loop system (18.21) will be stable if
$$0 \le \frac{\gamma_2 \gamma_0}{1 - \gamma_1 \gamma_0} < 1 \tag{18.25}$$
where
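$$\nu_l(t) := -\tilde{A}_{21} \hat{e}_1(t) - \tilde{A}_{22} \sigma(t) + \nu_m(t) \tag{18.27}$$
and $\tilde{A}_{22} = M \hat{A}_{12} + \hat{A}_{22}$. The nonlinear component is defined to be
$$\nu_n(t) := -(\rho(t) + \eta) \frac{\sigma(t)}{\|\sigma(t)\|} \quad \text{for } \sigma(t) \ne 0 \tag{18.28}$$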
where l1 and l2 are known positive constants. The gain from (18.28) is defined to be
where r(0) = 0 and a and b are positive design constants. The function Dε : IR → IR
is the nonlinear function
$$D_\varepsilon(s) = \begin{cases} 0 & \text{if } s < \varepsilon \\ s & \text{otherwise} \end{cases} \tag{18.32}$$
where ε is a positive scalar. Here, ε is fixed to be small and helps define a boundary
layer about the surface S , inside which an acceptably close approximation to ideal
sliding takes place. Provided the states evolve with time inside the boundary layer,
no adaptation of the switching gains takes place. If a fault occurs, which starts to
make the sliding motion degrade so that the states evolve outside the boundary layer
i.e. ‖σ(t)‖ > ε, then the dynamic coefficients r(t) increase in magnitude (according
to (18.31)), to force the states back into the boundary layer around the sliding sur-
face. The choice of the design parameters η , a, b and ε depends on the closed-loop
performance specifications and requires some design iteration. The choice of these
design parameters will be discussed further in Section 18.3. The proposition and
proof that r(t) is bounded and motion inside a boundary layer around S is obtained
is given in [1].
δlat = [δair δail δaor δaol δsp1−4 δsp5 δsp8 δsp9−12 δr e1lat e2lat e3lat e4lat ]T
while the longitudinal control surfaces are δlong = [δe δs e1long e2long e3long e4long ]T .
The controlled outputs are φ and β for lateral control and flight path angle (FPA)
and Vtas for longitudinal control. These linear models of the nominal (damage free)
aircraft have been used to design the control schemes which will be described in the
next sections.
which yields
$$F_{lat} = \begin{bmatrix} 0.5592 & -0.8808 & -0.6384 & 0.1010 \\ 0.0823 & 1.3729 & 2.5265 & -0.5851 \end{bmatrix}$$
The feed-forward matrix Glat has been designed using the inverse steady-state gain
for the virtual triple system (Alat , Bνlat ,Cclat ): specifically
$$G_{lat} = \begin{bmatrix} -0.3078 & 0.0651 \\ 0.7310 & 0.3891 \end{bmatrix}$$
It will be assumed that at least one of the control surfaces for both φ and β tracking
will be available when a fault or failure occurs (i.e. one of either the four ailerons
or the four spoilers will be available and one of either the rudder or the four en-
gine thrusts are available). Based on these assumptions, it can be verified from a
numerical search that γ0lat from (18.19) is γ0lat = 8.1314.
The matrix which defines the hyperplane must now be synthesized so that the
conditions in (18.25) are satisfied. A quadratic optimal design [4] has been used to
obtain the sliding surface Slat which depends on the matrix Mlat in equation (18.20)
where the symmetric positive definite state weighting matrix has been chosen as
Qlat = diag(2, 2, 1, 1). The first and second term of Qlat are associated with the
equations of the angular acceleration in roll and yaw (i.e. the Blat,2 partition) and
thus weight the virtual control term. Thus by analogy to a more typical LQR frame-
work, they affect the speed of response of the closed–loop system. Here, the first
and second terms of Qlat have been more heavily weighted compared to the last two
terms to give a reasonably fast closed–loop system response. The poles associated
with the reduced order sliding motion are {−0.7136 ± 0.0522i}, where
$$M_{lat} = \begin{bmatrix} 0.0813 & -1.9138 \\ 1.3455 & 0.1854 \end{bmatrix}$$
Based on this value of Mlat , simple calculations from (18.24) show γ1lat = 0.0230.
Therefore γ0lat γ1lat = 0.1870 < 1 and so the requirements of (18.25) are satisfied.
Also for this particular choice of sliding surface, $\|\tilde{G}_{lat}(s)\|_\infty = \gamma_{2lat} = 0.0563$ from
(18.23). Therefore from (18.25),
$$\frac{\gamma_{2lat} \gamma_{0lat}}{1 - \gamma_{1lat} \gamma_{0lat}} = 0.5627 < 1$$
which shows that the closed loop system is stable for all choices of 0 < wi ≤ 1.
For implementation, the discontinuity in the nonlinear control term in (18.28)
has been smoothed by using a sigmoidal approximation where the scalar δlat =
0.05. This removes the discontinuity and introduces a further degree of tuning to
accommodate the actuator rate limits – especially during actuator fault or failure
conditions.
For simplicity, the variables related to the adaptive nonlinear gain have been cho-
sen as l1lat = 0 and l2lat = 1. This removes the dependence of r(t) on x(t) and simpli-
fies the implementation. The parameter ηlat from (18.28) was chosen as ηlat = 1. In
practice, a maximum limit ρmax for the adaptive nonlinear gain in (18.30) has been
imposed to avoid the actuators becoming too aggressive. Here, the maximum gain
was set at ρmaxlat = 5. The adaptation parameters from (18.31) have been chosen as
alat = 100, blat = 0.01 and εlat = 5 × 10^−2. The parameter εlat was chosen to be able
to tolerate the variation in slat (t) due to normal changes in flight conditions but
small enough to enable the adaptive gain to be sensitive enough to deviation from
zero due to faults or failures. Here alat has been chosen to be large to enable small
changes in slat (t) to cause significant changes in the gain, so that the control sys-
tem reacts quickly to a fault. The parameter blat dictates the rate at which ρlat (t)
will decrease, after slat (t) has returned below the threshold εlat .
As in the lateral control design, the feed-forward matrix Glong has been designed
using the inverse steady-state gain i.e.
$$G_{long} = \begin{bmatrix} -0.0015 & 0.0438 \\ 0.0665 & -0.0024 \end{bmatrix}$$
It will be assumed that at least one of the control surfaces for FPA tracking will still
be available when a fault or failure occurs. It is also assumed that at least one of
the four engines is available for V tracking. Based on these assumptions, it can be
verified from a numerical search that γ0long = 8.2913 from (18.19).
As in the lateral controller, a quadratic optimal design has been used to ob-
tain the sliding surface matrix. The weighting matrix has been chosen as Qlong =
diag(2, 2, 1, 1). The first two terms of Qlong are associated with the Blong,2 partition
in (18.2) (i.e. states q and V ) which weight the virtual control term, and have been
more heavily weighted compared to the last two terms. The poles associated with
the reduced order sliding motion are {−1.1157, −0.3737} where
$$M_{long} = \begin{bmatrix} -0.0124 & -0.0037 \\ 0.4786 & 0.1247 \end{bmatrix}$$
Based on this value of Mlong, it can be shown from (18.24) that γ1long = 3.0160 × 10^−4.
Therefore γ0long γ1long = 0.0025 < 1 and so the requirements of equation
(18.25) are satisfied. For this choice of sliding surface, $\|\tilde{G}_{long}(s)\|_\infty = \gamma_{2long} = 0.0066$
from (18.23). Therefore from (18.25),
$$\frac{\gamma_{2long} \gamma_{0long}}{1 - \gamma_{1long} \gamma_{0long}} = 0.0551 < 1$$
which shows that the faulty closed-loop system is stable for all 0 < wi ≤ 1. The
discontinuity in the nonlinear control term in (18.28) has been smoothed by using a
sigmoidal approximation where the scalar δlong = 0.05.
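The weighted pseudo-inverse (18.18), the numerical search for γ0 in (18.19) and the stability test (18.25) can be reproduced on a small case. The following is an added example, not code from the chapter: the matrix B2 and the grid of weights are constructed for illustration, and the margins are recomputed from the rounded γ values printed in the text, so they match the quoted 0.5627 and 0.0551 only to about three decimal places.

```python
"""Weighted pseudo-inverse control allocation and the stability test (18.25).

Added illustration: B2 below is a constructed matrix, not the aircraft model.
"""
import itertools
import math

# Constructed 2x4 input map with orthonormal rows (B2 B2^T = I):
# l = 2 virtual controls distributed over m = 4 actuators.
B2 = [[0.5, 0.5, 0.5, 0.5],
      [0.5, -0.5, 0.5, -0.5]]


def weighted_pinv(b2, w):
    """B2^+ = W B2^T (B2 W B2^T)^-1 as in (18.18), for W = diag(w), l = 2."""
    gram = [[sum(wi * r[i] * s[i] for i, wi in enumerate(w)) for s in b2]
            for r in b2]
    (a, b), (c, d) = gram
    det = a * d - b * c
    if abs(det) < 1e-12:
        raise ValueError("B2 W B2^T is singular: a virtual control is lost")
    inv = [[d / det, -b / det], [-c / det, a / det]]
    # Row i of B2^+ is w_i times (column i of B2)^T times the inverse.
    return [[wi * sum(b2[k][i] * inv[k][j] for k in range(2))
             for j in range(2)] for i, wi in enumerate(w)]


def allocate(b2, w, nu):
    """Actuator commands u = B2^+ nu for the virtual control nu."""
    return [row[0] * nu[0] + row[1] * nu[1] for row in weighted_pinv(b2, w)]


def spectral_norm(p):
    """Largest singular value of an m x 2 matrix via the 2x2 matrix P^T P."""
    a = sum(r[0] * r[0] for r in p)
    b = sum(r[0] * r[1] for r in p)
    d = sum(r[1] * r[1] for r in p)
    return math.sqrt((a + d) / 2 + math.hypot((a - d) / 2, b))


def gamma0_search(b2, levels=(1e-3, 0.25, 0.5, 0.75, 1.0)):
    """Grid search for max ||B2^+|| over W = diag(w), each w_i in `levels`."""
    m = len(b2[0])
    return max(spectral_norm(weighted_pinv(b2, w))
               for w in itertools.product(levels, repeat=m))


def stability_margin(gamma0, gamma1, gamma2):
    """Middle term of (18.25); the sliding motion is stable if it is < 1."""
    if gamma1 * gamma0 >= 1:
        raise ValueError("gamma1*gamma0 >= 1: (18.25) cannot be satisfied")
    return gamma2 * gamma0 / (1 - gamma1 * gamma0)


if __name__ == "__main__":
    nu = [1.0, 0.0]
    print("healthy  u =", allocate(B2, [1, 1, 1, 1], nu))
    # Actuator 1 at 1% effectiveness: its share moves to actuator 3.
    print("faulty   u =", allocate(B2, [0.01, 1, 1, 1], nu))
    print("gamma0 (constructed B2) =", round(gamma0_search(B2), 4))
    # gamma values printed in the text for the lateral and longitudinal axes.
    print("lateral margin      =", stability_margin(8.1314, 0.0230, 0.0563))
    print("longitudinal margin =", stability_margin(8.2913, 3.0160e-4, 0.0066))
```

For this constructed B2 the norm stays below √2 however small the weights on the grid become, which is the boundedness property that (18.19) relies on.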
As in the lateral design, the variables related to the adaptive nonlinear gain have
been chosen as l1long = 0 and l2long = 1. This was found to give sufficiently good
performance and removes the dependence of r(t) on x(t). The parameter ηlong from
(18.28) was chosen as ηlong = 1. In practice, a maximum limit ρmax for the adaptive
nonlinear gain in (18.30) is imposed to prevent the actuators from becoming too
aggressive. Here, the maximum gain was set at ρmaxlong = 2. The adaptation parameters
from (18.31) have been chosen similar to those in the lateral design; i.e.
along = 100, blong = 0.01 and εlong = 5 × 10^−2.
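The behaviour of the adaptive gain described above (no adaptation inside the boundary layer, fast growth when ‖σ(t)‖ exceeds ε, slow decay afterwards, a hard upper limit) can be seen in a short simulation. This is an added example, not code from the chapter: the update law, the composition of the gain and the sigmoidal form σ/(‖σ‖ + δ) are assumed forms chosen to match the description in the text, and the ‖σ(t)‖ profile is constructed; only the lateral parameter values are taken from the page.

```python
"""Adaptive switching gain with a dead zone, and the smoothed unit vector.

Added illustration. The update law and gain composition are ASSUMED forms
consistent with the text's description; they are not quoted from the chapter.
"""
import math

# Lateral-axis values quoted in the text.
A, B, EPS, ETA, RHO_MAX, DELTA = 100.0, 0.01, 5e-2, 1.0, 5.0, 0.05
L1, L2 = 0.0, 1.0


def dead_zone(s, eps=EPS):
    """D_eps from (18.32): zero inside the boundary layer, s otherwise."""
    return 0.0 if s < eps else s


def step_gain(r, sigma_norm, x_norm=0.0, dt=0.01):
    """One Euler step of the assumed law
    r' = a * D_eps(||sigma||) * (l1*||x|| + l2) - b * r,
    with r clipped so that the total gain never exceeds RHO_MAX."""
    r_dot = A * dead_zone(sigma_norm) * (L1 * x_norm + L2) - B * r
    return min(max(r + dt * r_dot, 0.0), RHO_MAX - ETA)


def total_gain(r, x_norm=0.0):
    """Assumed composition: rho = r*(l1*||x|| + l2), switching gain rho + eta."""
    return min(r * (L1 * x_norm + L2) + ETA, RHO_MAX)


def smoothed_nu_n(sigma, gain, delta=DELTA):
    """nu_n with sigma/||sigma|| replaced by sigma/(||sigma|| + delta),
    which is continuous through sigma = 0."""
    norm = math.hypot(*sigma)
    return [-gain * s / (norm + delta) for s in sigma]


def simulate(profile, dt=0.01):
    """profile: list of (duration_s, sigma_norm). Returns the gain history."""
    r, history = 0.0, []
    for duration, sigma_norm in profile:
        for _ in range(round(duration / dt)):
            r = step_gain(r, sigma_norm, dt=dt)
            history.append(total_gain(r))
    return history


# Constructed ||sigma(t)|| profile: nominal flight inside the boundary layer,
# a 2 s excursion outside it after a fault, then 100 s back inside.
PROFILE = [(5.0, 0.02), (2.0, 0.08), (100.0, 0.02)]

if __name__ == "__main__":
    gains = simulate(PROFILE)
    print("gain before fault     :", gains[499])
    print("gain during excursion :", gains[699])
    print("gain 100 s afterwards :", round(gains[-1], 3))
    print("nu_n at sigma=(0.03, 0.04):", smoothed_nu_n((0.03, 0.04), gains[699]))
```

With a = 100 the gain reaches its limit of 5 in about half a second, while b = 0.01 gives a decay time constant of 100 s, so the gain is still well above its minimum of 1 long after ‖σ(t)‖ has returned inside the boundary layer.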
To emulate real aircraft flight control capability, an outer loop PID for heading
and altitude control, as well as the EPR control mixing and ILS landing described
in Chapter 8 are also used here.
[Figure: controller block diagram. Labels: MCP inputs; heading and altitude commands; PID; LOC & GS logic; APP switch; MCP switch; roll and FPA commands; linear component νl; adaptive component νn; ν(t); control allocation (W = I); u(t); aircraft model; states x(t) & sensors; SIMONA simulator; data logging.]
tested the controller during the flight evaluation campaign before the GARTEUR
FM-AG16 final workshop in November 2007. During the FM-AG16 final workshop,
an experienced A330 pilot flew the damaged ‘aircraft’ on the SIMONA simulator,
during the presentation to the general public, including the local Dutch press (TV
news, radio and newspapers). The results presented here are from ‘flights’ flown by
an experienced B747 pilot and a test pilot for NLR (National Aerospace Laboratory)
during the pilot evaluation campaign in November 2007.
Even though the controller has been designed based on the linearization using
a weight of approximately 263 000 kg, the controller was tested with a heavy trim
weight of 317 000 kg. This removes the advantage of low weight and low speed
maneuverability and higher performance and controllability compared to the heavy
trim weight, which was one of the main findings in [7]. The heavy trim weight for
the flight test also replicates the actual EL AL 1862 scenario and fits with the as-
sumption that the exact damage and condition of the aircraft post-faults is unknown.
[Figure: 3-D flight trajectory plot with axes xe, ye and he. Annotations: start; failure; glideslope intercept; end; crash.]
and level first, before a heading change of 90 deg to the east was performed. The
pilot tested the aircraft’s capability to climb to a pre-specified altitude from 600 m
to approximately 800 m. Then the pilot commands a return to an altitude of 600 m
and performs another right turn to capture the LOC. At this stage, the pilot ‘arms’
the APP in order to prepare for an automated landing approach. Once the aircraft
captures the LOC signal, a final turn towards the centreline of Runway 27 is started
and after a while the GS signal is captured and the aircraft descends towards the
runway on a 3 deg glideslope. Note that starting from the moment the pilot activates
the APP button in the MCP and the LOC signal has been captured, the aircraft is on
a fully automated landing mode and no other pilot input is required. (Full pilot au-
thority flight can also be undertaken using heading and altitude changes or manual
roll and FPA commands from the pilot). Figure 18.2 shows a ‘tighter’ manoeuvre
for the nominal SMC controller compared to the classical controller and the SMC
with the EL AL 1862 scenario.
The SMC in the EL AL 1862 failure mode manages to bring the aircraft near
to landing on the desired runway. Figure 18.3 shows the controlled states of the
damaged aircraft with the SMC controller. Note at the beginning of the simulation,
before the failure occurs at around 200 sec, the FPA, Vtas and altitude show small
steady state errors due to the mismatch between the designed trim conditions and
the test conditions described earlier. The mismatch between the designed and test
conditions demonstrates the controller coping with uncertainty and allows the pilot
to rigorously test the controller outside its ‘comfort zone’. The steady state error is
small and does not represent any significant loss of overall performance.
Figure 18.3 shows that after the failure occurs, at approximately 200 sec, the
climb capability of the aircraft is degraded when the pilot requests an increase in
altitude to 800 m (from 600 m). On the other hand, the more important descent capability
of the SMC controller is not degraded as it is able to follow the glide slope
of 3 deg towards the runway. This is shown in Figure 18.4. The glide slope error
is maintained below 0.5 deg. Figure 18.3 also shows that the side slip angle of the
damaged aircraft has been limited to no more than ±1.5 deg which is much better
than the one from the classical controller in Figure 18.3. The heading changes of
the damaged aircraft with the SMC controller in Figure 18.3 also show a more sys-
tematic and higher level of performance compared to the classical controller. This
also shows that the lateral controller is able to deal with the asymmetric change in
CG, weight and the asymmetric thrust conditions and maintains the desired change
in heading. Decreasing the speed to approximately 120 m/s does not have the devastating
and unstable effect seen in the classical controller. In fact, as suggested in
[7, 3], reducing the speed helps in terms of lateral control. This is seen in terms
of the deviation of the side slip angle in Figure 18.3 which is much smaller than
at higher speed after the failure has occurred. The roll angle tracking again shows
good performance tracking even after the loss of the two engines and the hydraulics
associated with the EL AL 1862 scenario.
Figure 18.4 shows typical signals from the ILS sensors. It represents the DME,
LOC and GS deviation, and the moment when the LOC and the GS are engaged
(valid/engaged) after being ‘armed’ using the APP button on the MCP. As usual, the
LOC is engaged before the GS. The LOC coverage is much further than the GS and
this allows the aircraft to align to the extended centreline of the runway before the
descent starts.
[Figure: controlled states against time (sec). Panels: FPA (deg); side slip angle (deg); Vtas (m/sec); heading angle (deg); altitude (m). Legend: states, cmd. Annotations: failure; localizer intercept; glideslope intercept.]
[Figure: ILS signals against time (sec). Panels: DME (m); LOC dev (deg); GS dev (deg); LOC valid; GS valid. Annotations: failure; LOC engaged; GS engaged.]
Fig. 18.4 EL AL 1862 scenario: SMC controller: LOC and GS deviation angle
Figure 18.5 shows the control surface deflections of the SMC controller under
the EL AL 1862 scenario. This figure highlights the major difference between the
classical controller (which is mechanically linked) and the FBW aircraft that has
been provided by the GARTEUR FM-AG16 modification. In this figure, the out-
board aileron can be seen to be independently mobile before the occurrence of the
failure. After the failure, the right outboard aileron floats due to the loss of hydraulic
systems 3 and 4. Independent control can be seen in the spoilers, elevators, rudders
and EPR. The effect of losing the hydraulic system can also be seen in the floating
of the inboard left and outboard right elevators (see Figure 18.5) where a clear dis-
tinction between the control surface deflection can also be seen. The spoilers also
show similar patterns. Before the loss of engines 3 and 4, all the spoilers seem to
be moving independently; but when the failure occurs, only spoilers 2, 3, 10 and 11
are active, the rest of the spoilers remain at zero deflection. In general, the control
surface deflections of the elevators, ailerons and spoilers are almost half the ones
resulting from using the classical controller (see Figure 18.5). The control surface
deflections from the SMC controller do not reach the saturation limits of the surfaces
and the spoilers and the ailerons are generally less aggressive. Engine EPR shows
that differential thrust has been used to achieve the desired performance, especially
for obtaining small sideslip and roll angles. Note that all the control surfaces are
controlled independently by the control allocation SMC scheme described in the
earlier sections of this chapter. The only pilot input consists of supplying the higher
level commands such as heading and altitude change (or roll and FPA command
through the MCP panel).
Figures 18.6 and 18.7 show the adaptive gain and the associated ‖σ(t)‖ signals
that initiate the adaptation. Before the occurrence of the failure, the sliding signal
‖σ(t)‖ is below the selected threshold. Once the threshold is exceeded, the gain is
adapted from a minimum of 1 up to the maximum of 5 and 2 for the
lateral and longitudinal axes respectively. High deviation from the sliding surface
σ (t) = 0 shows the severity of the faults. After the failure has occurred and during
manoeuvres, the switching function plot σ (t) deviates away from the ideal slid-
ing surface. However, in the near landing condition, the switching function returns
below the adaptation threshold. During this time, the adaptive gain reduces to the
minimum value of 1.
Although the SMC controller can be implemented in such a way that pilot inputs
(such as column, wheel and pedal) can be used, the purpose here is to show that, as
a proof of concept, the SMC controller is more than able to handle all the rigorous
tests and failures it is subjected to, using the minimal amount of input from the pilot
(thus lowering the workload during an emergency condition). This allows the pilots
to concentrate on higher level decisions.
Figure 18.8 is one of the SIMONA output alternative views and provides the
aircraft position relative to the actual position on a map of the Netherlands. This
figure shows the actual SMC controller trajectory under the EL AL 1862 failure
condition. The overall trajectory shows the aircraft manages to reach Runway 27.
[Figure: control surface deflections against time (sec). Panels: EPR; rudders (deg); spoilers, left and right (deg); ailerons, left and right (deg); elevators (deg); stabilizer (deg). Annotations: engine 3 & 4 missing; EPR1&2 active; sp2&3 active; sp10&11 active; sp1,4,5&6 inactive; sp7,8,9&12 inactive; aor float; eil & eor float. Legend: ru, rl, air, ail, aor, aol.]
[Figure: LAT adaptive gain and Lat ||s(t)|| against time (sec); Long ||s(t)|| panel.]
Fig. 18.8 SIMONA flight trajectory of EL AL 1862 scenario with model reference SMC
controller with control allocation. © Google Earth
18.6 Conclusions
This chapter has presented piloted flight simulator results associated with the EL
AL flight 1862 (Bijlmermeer incident) scenario. The results represent the suc-
cessful implementation of a FTC SMC controller on the SIMONA 6-DOF flight
simulator configured to represent a large transport aircraft with experienced pilots
flying and evaluating the controller. The results show that not only does the proposed
SMC scheme work in a no-fault condition, but it also facilitates a safe positioning
of the aircraft for landing on the designated runway in EL AL flight 1862 failure
conditions. This is achieved without requiring controller reconfiguration and in the
absence of any information about the failures.
References
1. Alwi, H., Edwards, C., Stroosma, O., Mulder, J.A.: Fault tolerant sliding mode control
design with piloted simulator evaluation. AIAA Journal of Guidance, Control and Dy-
namics 31(5), 1186–1201 (2008)
2. Alwi, H., Edwards, C., Stroosma, O., Mulder, J.A.: Piloted sliding mode FTC simulator
evaluation for the EL AL Flight 1862 incident. In: AIAA Guidance, Navigation, and
Control Conference (2008)
3. Anon.: EL AL Flight 1862, aircraft accident report 92-11. Technical report, Netherlands
Aviation Safety Board, Hoofddorp (1994)
4. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor &
Francis, London (1998)
5. Härkegård, O., Glad, S.T.: Resolving actuator redundancy - optimal control vs. control
allocation. Automatica 41(1), 137–144 (2005)
6. Liu, G.P., Patton, R.J.: Eigenstructure Assignment for Control System Design. John Wi-
ley & Sons, Chichester (1998)
7. Smaili, M.H.: Flight data reconstruction and simulation of EL AL Flight 1862. Gradua-
tion Report, Delft University of Technology (1997)
8. Shin, D., Moon, G., Kim, Y.: Design of reconfigurable flight control system using adap-
tive sliding mode control: actuator fault. Proceedings of the Institution of Mechanical
Engineers, Part G (Journal of Aerospace Engineering) 219, 321–328 (2005)
9. Shtessel, Y., Buffington, J., Banda, S.: Tailless aircraft flight control using multiple time
scale re-configurable sliding modes. IEEE Transactions on Control Systems Technol-
ogy 10, 288–296 (2002)
10. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992)
11. Wells, S.R., Hess, R.A.: Multi–input/multi–output sliding mode control for a tailless
fighter aircraft. Journal of Guidance, Control and Dynamics 26, 463–473 (2003)
Part V
Conclusions
Chapter 19
Industrial Review
19.1 Introduction
The transition of the potentially viable fault tolerant flight control methodologies,
as developed and evaluated within this GARTEUR Action Group, towards practical
applications, requires a critical look at the design and safety issues concerning the
developed adaptive control methodologies as an integrated part of the flight control
system. Therefore, the aim of this chapter is to provide an evaluation by repre-
sentatives from industry to look at the potential of the results of this action group
for industrial application. This also facilitates the necessary knowledge transfer be-
tween academia, research and industry which is one of the main principles of the
GARTEUR framework and of this project. Clearly, the application of fault mitigat-
ing control technologies, or ‘intelligent’ adaptive control, has benefits in a wide area
of industrial domains, but in this research, the evaluation has been focused on the
potential within the aerospace community. It is not the intention to assess which
of the developed fault tolerant control methodologies is the ‘best’, or has the best
performance achieved in the benchmark as compared to other methods. Instead, the
main objective is to assess the achieved maturity level, potential and open issues of
the fault tolerant control designs, as developed in this action group, in terms of ap-
plicability, complexity, compatibility with (future) on-board processor requirements
and overall flight safety. This also includes the innovative aspects of the presented
control solutions to accommodate potentially catastrophic on-board system failures
for recovery of the aircraft and ensure safe continuation of the flight or to improve
the performance and operation of the aircraft in terms of economics and efficiency.
Philippe Goupil
Airbus France, EDYC-CC Flight Control Systems, 316 Route de Bayonne,
31060 Toulouse Cedex 09
e-mail: philippe.goupil@airbus.com
Andres Marcos
Advanced Projects Division, Simulation & Control Section, Deimos Space S.L.,
Ronda de Pendente 19, Edifices Fitment VI, Madrid, 28760, Spain
e-mail: andres.marcos@deimos-space.com
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 521–536.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
It should be remembered that in this GARTEUR Action Group, adaptive control
design concepts have been assessed on their viability, both from an aircraft per-
formance and human factors aspect, while issues from an industrial design process
perspective, including the required engineering tools, design process efficiency, syn-
thesis and flight clearance have not been taken into account. This could, however,
be the subject of a subsequent research programme in which the fault tolerant flight
control algorithms that have been designed and demonstrated can be used as a start-
ing point. The evaluation of the results of this GARTEUR Action Group, as de-
scribed in this chapter, has been performed by several organisations. These include
Airbus, representing the European aircraft manufacturing industry and Deimos-
Space, an aerospace company specializing in industrialization of innovative guid-
ance, navigation and control solutions.
algorithms to achieve these stronger and stronger requirements. This is why an aircraft
manufacturer like Airbus is very interested in studying the viability and capabilities
of advanced innovative methodologies, as developed within this GARTEUR
Action Group, in order to bridge the gap between industrial needs and academia.
Also it is interesting to note the continuous trend to use innovative technical so-
lutions in the aeronautical sector to satisfy the aforementioned safety and societal
imperatives: for example the use of Electro-Hydrostatic Actuators (EHA) on the
A380 [7]. Other innovations could also contribute in the future to widen the gap
between the scientific methods advocated by academia and industrial requirements,
justifying collaborative work between both communities. One of the goals of this
chapter is to provide an industrial perspective on the results of this GARTEUR Ac-
tion Group, to assess the maturity level of the developed designs and to evaluate
any missing requirements for a practical certified use on a safety-critical system
such as a large civil aircraft. First, it is useful to start with a brief reminder of the
main current industrial constraints and limitations for a practical real-time algorithm
implementation in a safety-critical environment. In subsequent sections, some com-
ments and recommendations for the possible use of the proposed methodologies in
the EFCS of a large civil aircraft are proposed.
As explained previously in the chapter on industrial practices (Part I), the typi-
cal Airbus Flight Control Computer architecture consists of two separate indepen-
dent channels, each with its own clock. Consequently, there is a time asynchronism
between both units. In particular some data is recorded in one unit but not in the
other. For instance, in Airbus aircraft, dedicated position sensors measure the position
of some control surfaces in degrees. These sensors are located inside the control
surfaces. A design must be implemented in one unit only and if it requires data
from the other unit, there is a time asynchronism to take into account. Moreover,
the Flight Control Computers are multi-rate time triggered which means that not all
data is processed with the same sampling period, even in the same unit. For exam-
ple, some data is produced every 40 ms. If a FTC design works with a sampling
period of 10 ms then the 40 ms data must be adapted to this faster sampling time,
by using for example some prediction filter. This can have a serious impact on a
design. Similarly, some useful data like the air and inertial information are sent by
other dedicated computers with different sampling periods. This data received in the
Flight Control Computer also presents an asynchronism to take into account. Some
designs could be sensitive to all these asynchronisms and should be able to deal
with them.
The industrial use of innovative and advanced designs requires easy tuning for
possible use on different control surfaces and different aircraft. If the tuning of some
important parameters is too difficult, or requires too specific expertise, then it will
not be useful for an industrialist. For instance, the initial tuning of Q and R matrices
(the covariance matrices of the process noise and the measurement noise in a state
space representation) is a crucial issue for nonlinear filtering (e.g. in an Extended
Kalman Filter). A bad choice could lead to diverging behaviour. The use of simple
approaches with restricted high-level parameters which are easy to tune is also very
important to reduce the test phase during the certification procedure. Due to the con-
straints of a safety-critical system, the convergence and the stability of the designs
must be proven to avoid any diverging behaviour that can potentially degrade the
availability of the flight control system (a false alarm leads to a system reconfigura-
tion and degrades the hardware redundancy level and potentially the flight envelope
protection level). Diverging behaviour could also lead to a numeric overflow entail-
ing an automatic switch-off of the related Flight Control Computer. After this brief
reminder of the main industrial limits and constraints for a real-time implementa-
tion, the next section is dedicated to an industrial perspective on the GARTEUR
Action-Group results.
academic exercise but the will to develop realistic designs with a view to bridge
the gap between the innovative scientific methods advocated by the academic com-
munity and industrial needs. A complete industrial assessment was not the initial
goal of this project, and in any case time and means were also limited. Although the
validation goes far, from an industrial viewpoint, it cannot be considered as a com-
prehensive assessment, at least from the perspective of in-service aircraft use. The
following recommendations should be taken into account to complete the validation:
first of all, the advanced designs must be intensively tested in fault-free situations, in
the whole flight domain and for different aircraft configurations (e.g. to explore the
whole weight and balance diagram). One possibility could be to implement a design
as dormant software code on a real aircraft during flight tests in order to explore a
wide set of scenarios. Similarly it is necessary to perform tests in degraded config-
urations to assess the robustness in the case of parametric variations. For instance,
to simulate a bad Trimmable Horizontal Stabilizer (THS, horizontal tail) configura-
tion that does not correspond to the centre of gravity position, representing a human
error in the flight preparation, is a good way to provoke high levels of dynamic behaviour
on the elevator on some typical manoeuvres (e.g. “push over”) and to test
the robustness of the design when less deflection is available on the control surfaces.
The next step is to assess the designs in the presence of strong external disturbances
like wind and turbulence. Another key point concerns the robustness of the designs
when they are fed by faulty inputs. For example, the behaviour of the designs must
be studied in the case of uncertainty (offsets, bias, drift, delays, noise) on the input
flight parameters. One other issue to consider concerns the aircraft performance: the
developed designs are supposed to be tolerant to different failures and in particular
they allow recovering a controllable aircraft in an extreme situation. However, the
most typical failures lead fortunately to non-critical situations where it is still pos-
sible to fly. In such a situation, for example a low dynamic control surface runaway,
is it better to reallocate control to the remaining control surfaces or to reconfigure
on a safe redundant actuator? In the first case the robustness of the flight control
system is not degraded in the sense that the redundant hardware is still available, but
the aircraft configuration is not optimized, drag is generated and the whole aircraft
performance is degraded with a risk of becoming non-compliant with regulations
like the ETOPS (Extended-range Twin-engine Operation Performance Standards)1.
In the second case, the aircraft performance is maintained, without drag, but the
availability of the flight control system is degraded. The question is: in non-critical
situations, with the current Flight Control System architecture, is it necessary to ac-
tivate a Fault Tolerant strategy or must the hardware redundancy be used? If such
a choice must be made, the switching strategy between both possibilities must be
studied. This implies that one possible solution could be to use the certified base-
line controller in fault-free configuration, the most probable situation, and to switch
on a fault tolerant controller in a faulty situation signaled by the available FDI
(Fault Detection and Isolation) information. Such a configuration could also ease the
certification of the whole design as the nominal controller, which is active the greater
part of the time, is already certified.
1 An international (ICAO) rule that restricts twin-engine aircraft to routes that put them
within 60/90/180 minutes of an emergency or diversion airport in case of an engine failure.
19 Industrial Review 527
Following the previous remark, one comment concerns the integration with the
current state of the art designs. For instance, with the Airbus flight control law phi-
losophy, the aircraft is protected against critical events, like stall or overspeed. How
do the proposed innovative FDI/FTC designs integrate with the current flight con-
trol laws? How to integrate the protection in the proposed advanced algorithms?
The second comment concerns fault detection. Some of the developed designs re-
quire FDI information to be activated. It is useful for industrial use to know if a
design requires FDI information or not. If this is the case, what kind of informa-
tion is needed? Do the designs need already existing FDI information? If it requires
information that is not available, what information could be useful? The piloted
evaluation on the SIMONA Research flight Simulator added a lot of value in the as-
sessment. It is essential for the designs to meet the end-user expectations. It is also
crucial to check that, particularly in a fault-free situation, the controller is ‘flyable’
and that the aircraft handling qualities remain intact. A pilot in the loop is essen-
tial for such an analysis. To illustrate that close cooperation between designers and
pilots is of great interest, and corresponds to an industrial practice, it is useful to
take a concrete example [8]: the Flight Control Law tolerance to engine asymmetry
or failure. On a conventional aircraft, such a failure results in constant sideslip and
roll rate with a very diverging heading, leading potentially to a difficult situation to
manage for the pilots. Before A380, the largest passenger aircraft in the world, FBW
Airbus lateral normal laws include a correction and stabilize the aircraft in a steady
state of constant bank angle and sideslip, with slowly diverging heading. With the
‘super jumbo’ A380, the so-called “Y*” lateral law is able to compensate automatically
for any lateral asymmetry, for example in the case of engine asymmetry or
failure. Initially in the A380 lateral law design, the lateral asymmetry was auto-
matically compensated (passive fault tolerance): sideslip is maintained very close
to zero, with a remaining roll angle of a few degrees. However, because of this
automatic compensation, pilots could miss an engine failure situation: therefore, a
specific means was designed to alert pilots that an engine failure had occurred. Nev-
ertheless, after the first tests, pilots expressed the need to detect an engine failure
through an aircraft movement and not only through an audio warning or a simple
display in the cockpit. So, it has been decided to simulate the effect of the engine
failure through the lateral law by commanding a sideslip in the same sense as the one
resulting from the engine failure: thus, the engine failure is felt by pilots like on any
other aircraft, but sideslip is smaller and much better controlled. Moreover, rudder
and ailerons deflections are calculated in order to minimize the drag while keeping
enough maneuverability to safely continue the flight. This example illustrates the
necessity for an efficient awareness of the pilot about the aircraft state throughout
a movement or a dedicated interface in the cockpit. The professional pilots raised
this last point during the SIMONA evaluation: they felt it was useful to be aware
that a FTC strategy is activated. This is an important topic for a successful transfer
of the GARTEUR Action-Group results to the aircraft industry: the techniques’
integration and cross-communication with the human operator, as well as with other
avionic systems, must be addressed.
528 P. Goupil and A. Marcos
19.2.3 Conclusion
The GARTEUR Action-Group 16 results can be considered as a first step toward an
industrial use of modern Fault Tolerant Control. Indeed, a strong focus was made
during the project on the viability of the designs in a real-time environment. The
piloted evaluation is also greatly appreciated from the industrial viewpoint, bringing
an operational feedback essential for a representative assessment. From a strict
aircraft manufacturer standpoint, before envisaging an in-service implementation of
these innovative designs, some work remains to be done to complete the assessment.
This GARTEUR project did not initially aim at providing such a validation.
Moreover, the time and means allocated did not allow a complete industrial assess-
ment. To complement the assessment, it is necessary to take into account all the
operational constraints and to explore the whole flight envelope, in nominal and
degraded configurations. It must also be honestly confessed that, on the most re-
cent in-service FBW aircraft, the failure scenarios tested in this GARTEUR project
would certainly not have had exactly the same consequences as the ones observed
in this study, even with the non-FTC baseline controllers. However, the relevance
of the FTC strategy is very interesting and promising in some extreme situations
when some elements of the Flight Control System are still available to help the pi-
lot to recover a controllable aircraft and to land safely thanks to a more intelligent
reallocation of the control commands. In the long term, such adaptive FTC meth-
ods, coupled to advanced FDI designs, could potentially help to reduce the number
of discrete low-level control laws, to reduce the hardware redundancy and then to
save weight with a direct impact on the aircraft performance, to develop a more pre-
dictive maintenance and finally, to optimize the tuning of the Flight Control Laws
during the flight tests. From an aircraft manufacturer viewpoint, this collaborative
work was a very good opportunity to make the academic community sensitive to the
industrial constraints and to share current industrial state of the art and practices on
FDI and FTC. For upcoming and future programs, in the frame of the aircraft global
optimization, innovative designs are needed to support the innovative technologies
developed by the aircraft manufacturers to satisfy the evolving safety and societal
requirements. Airbus will continue to have a great interest in all collaborative works
aimed at bridging the gap between the academic design methods and the industrial
requirements.
around €10,000 to 20,000 for putting one kilogram of payload into space, and by the
lengthier testing and validation processes required to classify any software/hardware
as space-ready, which results in a de facto decade-long technological delay.
The weight limitation directly affects the system decisions related to hardware
redundancy while the computational processing limitation affects those decisions
pertaining to the choice of the control and FDI techniques to be used on-board.
In addressing these limitations space systems typically use (i) geometric solutions,
such as the 4-to-3 inertial measurement units (IMU) configuration found in many
satellite systems where four individual IMUs are positioned to provide redundant
measurements in three axes (see Figure 19.1), or (ii) complete hardware duplication
solution when the criticality of the system is high. An example of the latter is the use
of two (fully independent) thruster sets in failover configuration, where the primary
set is active until an abnormality is detected at which time the secondary set is
activated and the first is switched off. Note that in this case only a fault detection
scheme might be required, which helps address the processing limitation. For other
space systems such as winged atmospheric re-entry vehicles (e.g. Space Shuttle,
X33, X38) it was seen in chapter 1 that they have more aircraft-like configurations
where more redundant control actuation architectures, such as those presented in this
book, can be used. Capsules, like the Apollo or Soyuz, are similar but again with
more limited weight capabilities, compounded by the more restrictive aerodynamic
and controllability characteristics resulting from their lower Lift-to-Drag ratios.
Fig. 19.1 4-to-3 inertial measurement units (IMU) in Proba 2, Verhaert Space. Kruibeke,
Belgium. Picture: Paul Hopff.
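The 4-to-3 arrangement described above leaves exactly one redundant measurement, which can be used as a parity check. The sketch below is an added example, not code from the book or from the RECOVER benchmark; the sensor geometry (three orthogonal axes plus one equally skewed axis), the detection threshold and all function names are assumptions.

```python
"""Parity check for a 4-to-3 rate-sensor arrangement (added illustration)."""
import math

# ASSUMED geometry, not taken from the book: three sensing axes along body
# x, y, z and a fourth skewed equally to all three. Each row of H is one
# unit's sensing direction, so the measurements are m = H * rate + fault.
S = 1.0 / math.sqrt(3.0)
H = [
    [1.0, 0.0, 0.0],
    [0.0, 1.0, 0.0],
    [0.0, 0.0, 1.0],
    [S, S, S],
]

# Unit parity vector v with v^T H = 0. Four measurements minus three unknowns
# leave a single redundant equation, so the left null space is one-dimensional.
PARITY = [c / math.sqrt(6.0) for c in (1.0, 1.0, 1.0, -math.sqrt(3.0))]


def measure(rate, faults=(0.0, 0.0, 0.0, 0.0)):
    """Project a body rate onto the four sensing axes and add per-unit biases."""
    return [sum(h * w for h, w in zip(row, rate)) + f for row, f in zip(H, faults)]


def parity_residual(m):
    """Scalar residual: independent of the true rate, non-zero only under a fault."""
    return sum(v * x for v, x in zip(PARITY, m))


def fault_detected(m, threshold):
    """Detection only: says that some unit is inconsistent, not which one."""
    return abs(parity_residual(m)) > threshold


def det3(a):
    return (a[0][0] * (a[1][1] * a[2][2] - a[1][2] * a[2][1])
            - a[0][1] * (a[1][0] * a[2][2] - a[1][2] * a[2][0])
            + a[0][2] * (a[1][0] * a[2][1] - a[1][1] * a[2][0]))


def solve3(a, b):
    """Solve a 3x3 linear system by Cramer's rule."""
    d = det3(a)
    if abs(d) < 1e-12:
        raise ValueError("remaining sensing axes are not independent")
    out = []
    for col in range(3):
        m = [row[:] for row in a]
        for r in range(3):
            m[r][col] = b[r]
        out.append(det3(m) / d)
    return out


def reconstruct(m, excluded):
    """The '4-to-3' step: recover the 3-axis rate from the three remaining units."""
    rows = [H[i] for i in range(4) if i != excluded]
    vals = [m[i] for i in range(4) if i != excluded]
    return solve3(rows, vals)


def single_fault_hypotheses(m):
    """Bias on each unit alone that would reproduce the observed residual."""
    p = parity_residual(m)
    return [p / v for v in PARITY]


if __name__ == "__main__":
    true_rate = (0.01, -0.02, 0.005)            # constructed sample, rad/s
    faulty = measure(true_rate, faults=(0.0, 0.05, 0.0, 0.0))
    print("residual:", parity_residual(faulty))
    print("detected:", fault_detected(faulty, 1e-3))
    print("hypotheses:", single_fault_hypotheses(faulty))
    print("rate without unit 1:", reconstruct(faulty, excluded=1))
    print("rate without unit 3:", reconstruct(faulty, excluded=3))
```

With only one redundant measurement the residual flags that some unit is faulty, but every single-unit hypothesis explains it equally well, so the unit to exclude has to come from other information such as a built-in self-test.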
The space systems’ stringent hardware redundancy limitation has a positive influ-
ence on the consideration of advanced (model-based) FDI/FTC techniques, which
provide redundancy without significant weight increase (analytical redundancy).
Despite this, the processing limitation as well as implementation, performance, reli-
ability and certification issues have all slowed the use of these techniques in space.
Nevertheless, the perspective for the future is bright as there is a growing need to
move towards greater space system autonomy which requires ‘intelligent’ technol-
ogy for self-diagnosis and self-healing. This need is driven by the more challenging
requirements of future space missions, examples of which are the lunar/Mars robot
and human campaigns (such as the very successful NASA Mars Exploration Mission
or ESA Exomars and Mars Sample Return, both currently in development), and
the on-the-drawing-board science missions involving multi-craft formation flying,
Near Earth Objects (NEO) or deep space exploration in general (e.g. ESA Proba-3
and the twelve-spacecraft Cross-scale concept, or the joint NASA/ESA LISA
mission).
either on FDI or FTC as if they were two independent systems. The latter type of
projects typically assume (almost) ideal knowledge on the fault information which
then limits the impact of the associated results as the performance of the FDI filter
is the main limitation for the performance of an active FTC scheme.
Additionally, the evaluation methodology used in GARTEUR 16 involved a very
well defined and realistic simulation benchmark, arising from an already mature
FDI/FTC aircraft model2, as well as pilot-in-the-loop and a renowned 6DoF motion
simulator such as SIMONA, all of which represent a TRL level shift from 3/4 to
5/6. This incremental validation supports the interest of the aeronautics and space
fields in these advanced techniques and greatly increases the significance of the re-
sults. The main complaint on the evaluation and presentation of the results is that
no real examination of the performance versus robustness trade-off is performed for
any technique, with for example no design team including a Monte Carlo campaign
or even a limited (e.g. maximum and minimum uncertainty) validation assessment.
With respect to practical concerns (such as implementation issues, formalization of
the approaches within an industrial design process, or the addressing of the resulting
designs’ certification) it is well recognized that the FM-AG16 project represents a
first R&D step towards aircraft implementation of advanced FTC/FDI schemes, and
thus sets the path for subsequent more-industrially oriented developments. Nevertheless,
it is worth noting that some of the design teams did address the important
industrial aspect of tuning and real-time implementation of the designs.
2 As indicated in chapter 6, the main aircraft simulation model used in the RECOVER
benchmark is the 2003 FTLAB747 version 6.5 developed at the University of Minnesota
within the context of the NASA Aviation Safety Project (AvSP) – based on the Delft
University/NLR DASMAT and FTLAB Matlab version 4.2 models. The FTLAB747v6.5 has
been used in the US during the last 7 years to assess model and data based aircraft FDI and
FTC approaches under the auspices of NASA by many Industry and Universities research
groups, and as shown in this book, it has evolved in Europe under GARTEUR’s impulse
to become a significant and realistic FDI/FTC aircraft benchmark.
more computationally demanding than other adaptive techniques, but will require
the usual precautions on numerical integration (of the adaptive gains) and more no-
tably on the selection of the reference models. With respect to this issue, and with
a desire to maintain the no-FDI philosophy, it is noted that it should be perfectly
plausible to use banks of reference (faulty) models in the spirit of model-reference
FDI schemes such as Kalman, although of course this has its own advantages and
disadvantages.
Chapters 10 and 13 form a cohesive conceptual approach, with a mix of subspace-identification
and model predictive control (MPC) for the first approach and of
parametric-identification plus nonlinear dynamic inversion (NDI) for the latter.
This cohesion in the approaches arises from the research interaction of two dis-
tinct groups at Delft University of Technology. Interest in the space community
for MPC-based approaches is increasing due to the nice characteristics of the approach
(optimal command input calculation based on predicted output behaviour,
multi-objective, elegant theoretical underpinning) and the important computational
reductions accomplished in the last few years that address the practical processing
shortcomings of these methods. The situation for parametric and subspace identi-
fication methods is similar as they both need to deal with closed-loop data, noise
and robustness issues in a fast and reliable manner, especially if they are to be used
for on-board FDI/FTC. For deep space and NEO missions, where the system time
constant from a navigation perspective is relatively slow, MPC should be a good
candidate technology to achieve a large degree of autonomy if further improvements
towards computationally light identification approaches can be achieved. Similarly,
the use of NDI as a control technique is also becoming very standard in re-entry
space systems, with for example the Space Shuttle guidance based on inversion
concepts, and is expected to become a popular candidate control technique in the
future (it is noted that it was used for the flight control system of one of the two X35
Joint Strike Fighter candidates [1]).
The technique proposed in Chapter 10 is based on subspace predictive control
(SPC), which is a mix of the better-known MPC approach with subspace identi-
fication methods. SPC uses input-output data to obtain a prediction of the future
outputs, which helps to indirectly account for fault effects, and calculates a one-
step-at-a-time control output to optimally achieve the desired objectives. It has the
advantage of using closed-loop data in an unbiased, computationally efficient man-
ner by means of a recursive-updating scheme. Similar to chapter 8 the authors also
acknowledge the practical advantage of using FDI information and thus apply a
multiple-model estimation approach to obtain the required information on the avail-
able control surfaces. The chapter discusses the proposed design approach and pro-
vides insight on the process with the advantage of including a dedicated section on
the real implementation issue (which is a must for MPC-based approaches). The
evaluation results show good responses to all the fault scenarios demonstrating the
potential of the approach despite the computational workload, see Table 5 of chapter 16,
which in this case is further compounded by the subspace identification component.
Chapter 10 is very complete and has two distinct parts: the first presenting the
parametric identification approach and the second the adaptive NDI control design
wrapped around the identification results. The proposed approach has been devel-
oped over 20 years at Delft University of Technology, see chapter 4, and as exem-
plified in chapter 13 and subsequently in the SIMONA evaluation, chapter 17, and
consequently it is quite mature. Very detailed insight and comments are given on
the approach and on the key issues, which gives a good perspective on its capa-
bilities. The idea of the approach is to address the robustness problem endemic to
NDI control solutions by including as precise as possible knowledge of the to-be-
inverted aircraft dynamics. This knowledge comes from applying a two-step iden-
tification method composed of a Kalman-based state estimation step, followed by
a least square aerodynamic identification step. The results demonstrate a high level
of accomplishment on par with those for the SMC technique of chapter 8 (both in
the wide array of fault scenarios covered but also in terms of insight on the ap-
proach). From Table 5 of chapter 16, it is seen that the computational load is quite
high, which as noted by the authors is the result of the use of an iterative Extended
Kalman filter.
Chapter 12 uses the well-known robust H∞ approach to design a fault tolerant
controller against horizontal stabilizer faults. The authors discuss some very im-
portant practical issues for the acceptance of FTC schemes such as FDI detection
time delay and switching/activation effects -although the subsequent development
only covers them very informally. The approach presented is based on an architec-
ture stemming from the Youla parameterization (actually the four-parameter con-
troller [2] ), which allows the design of a fault tolerant compensator (following
anti-windup and input saturation nomenclature [3] ) based on the coprime factoriza-
tion FDI technique. The approach presented is important in that it allows retaining
the nominal controller performance in the no-fault case and only activates the fault
tolerant compensator when a fault is unequivocally detected, a property that has
great implications towards the certification of such an FTC scheme. As shown in
Table 5 of chapter 16, the computational load is comparable to that of the classical
baseline controller thanks to the fixed LTI compensator used (and an assumption
that the proper FDI information is readily available). H∞ methods, and their natural
evolution to linear parameter varying (LPV) approaches, are well-matured control
technologies as exemplified by their use in space (Ariane launcher [4]) and aeronau-
tics (an LPV flight control system was the other of the two X35 Joint Strike Fighter
candidates [1]). Although H∞ technology, to the best of the author’s knowledge, has
not been deployed yet specifically for FDI/FTC in an industrial platform there is a
recent flurry of ESA and aeronautical studies aimed at their evaluation within an
industrialized setting, which highlights the relevance and maturity of the techniques
for space.
Chapter 14 presents a combined FDI, NDI and optimal control allocation scheme
matured over several years at QinetiQ. A highly appreciated candid account is
given by the authors of their experiences on the application of different approaches
for each of the three modules from a practical perspective (considering ease of
tuning, implementation problems and other aspects in the control design cycle).
Additionally, the extremely important (for aircraft) issue of flight envelope protection
(FEP) is considered; for space systems this will be relevant possibly only for
atmospheric re-entry vehicles and launchers. The results show that the combination
of FDI and optimal control allocation can be effectively used and moreover,
that a systematic FDIR design process, with fast design turn-around and wide sys-
tem coverage, can be obtained when all the key modules have achieved a matured
independent development stage.
Chapter 15 is the only chapter fully dedicated to FDI. The main result is a fea-
sibility proof for complete isolation of actuator faults for the nominal case. The
importance of this proof is in providing a minimal number of surface angle sensors
required to achieve complete fault isolation. As noted in the chapter’s summary, it
is hoped that further research will be performed to develop similar proofs for both
sensor and actuator faults, and considering the robustness and noise issues. The
achievement of such proofs can have potential implications in space, principally for
system design, as it could pave the way to decide early on in the system development
process the number and position of the sensors and actuators.
19.3.3 Conclusion
In summary, a wide array of techniques have been used, by teams spanning several
European countries and backgrounds, in examining the applicability of FDI/FTC
technology to aircraft under the auspices of the GARTEUR FM-AG16 project. A
well-defined and focused objective, rooted and supported by industrialists, was es-
tablished and has led to some of the technologies increasing in their TRL level from
3/4 to 5/6 (the latter corresponding to the piloted evaluation at SIMONA). This
should be the first of a series of steps, increasingly industrially-oriented, required to
further increase the techniques’ TRL and help bridge the technological gap between
the academic developments and the industrial implementations. Among these steps,
proper evaluation of the results using standard techniques and metrics that indus-
trialists can relate to should be a must, for example application of worst-case and
Monte Carlo analyses leading to a clear understanding of the robustness versus per-
formance trade-off for each technique. From a space application perspective, the
project and results are highly relevant due to the difficult validation and testing of
the approaches under real space environment conditions, which makes these results
a first indispensable step towards their consideration in space.
References
1. Balas, G.J.: Flight control law design: An industry perspective, fundamental issues in
control. European Journal of Control 9(2-3), 207–226 (2003); Special issue
2. Jacobson, C.A., Nett, C.N.: An integrated approach to controls and diagnostics using the
four parameter controller. IEEE Control Systems Magazine 11(6), 22–29 (1991)
3. Marcos, A., Turner, M., Postlethwaite, I.: An architecture for design and analysis of high-performance
robust antiwindup compensators. IEEE Transactions on Automatic Control 52(9) (September 2007)
4. Mauffrey, S., Meunier, P., Seillier, F., Ganet, M., Rongier, I.: H-infinity control for ariane
5 plus launcher: The industrialisation of a new technology. In: Proceedings of 5th
International Conference on Launcher Technology, Madrid, Spain (2003)
5. Terui, F., Noda, A., Nakasuka, S.: Sliding mode attitude control of a bias momentum
micro satellite using two wheels. In: Advances in Variable Structure Systems: Analysis,
Integration and Applications, pp. 425–441. World Scientific, Singapore (2000)
6. Goupil, P.: Oscillatory Failure Case detection in the A380 Electrical Flight Control
System by analytical redundancy. To appear in Control Engineering Practice (2009),
doi:10.1016/j.conengprac.2009.04.003
7. Van den Bossche, D.: The A380 Flight Control Electrohydrostatic Actuators, Achieve-
ments and Lessons Learnt. In: Proc. 25th Congress of the International Council of the
Aeronautical Sciences, Hamburg, Germany (2006)
8. Goupil, P.: AIRBUS State of the Art and Practices on FDI and FTC. In: Proc. of the
7th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes,
Barcelona, Spain, June 30 - July 3, pp. 564–572 (2009)
Chapter 20
Concluding Remarks
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 537–539.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010
538 C. Edwards, T. Lombaerts, and H. Smaili
areas of improvement identified during the project, both from a design and real-time
aircraft integration aspect. Close collaboration with industry will also be maintained.
This Action Group in particular demonstrated the importance of protecting the
aircraft’s operational envelope following a failure of a critical onboard system or
degradation of the aircraft handling characteristics. Based on the experimental eval-
uations in this project, it was recognised that protection of the operational envelope
should be an integral part of any new intelligent self-adaptive control system. This
should not only ensure acceptable controllability in degraded conditions, but also
safe control of the aircraft within the remaining performance and controllability
boundaries. Additional issues requiring more extensive investigation include sen-
sor redundancy, and fault detection and identification requirements to ensure that
reliable information is supplied for control reconfiguration and identification of the
aircraft operational boundaries. These topics are currently being studied in follow-
up projects as part of continuing work programmes at the Action Group’s organi-
sations – some of which are supported by the European Commission FP7 project
‘ADDSAFE’.
Within the international aviation community, urgent measures and interventions
are being undertaken to reduce the amount of loss of control accidents caused by
mechanical failures, atmospheric events or pilot disorientation. Within this area, the
application of fault tolerant and reconfigurable control, including aircraft envelope
protection, has been recognised as a possible long term option for reducing the im-
pact of flight critical system failures, pilot disorientation following upsets or flight
outside the operational boundaries in degraded conditions (e.g. icing). Fault toler-
ant flight control, and the (experimental) results of this Action Group, may further
support these endeavors in providing technology solutions aiding the recovery and
safe control of aircraft in degraded or upset conditions. Several organisations within
this Action Group, conducting aircraft upset recovery training and simulation re-
search, will utilise the experience obtained in this project to study future measures
in mitigating the problem of loss of control and upset recovery and prevention.
The members of the GARTEUR Action Group FM-AG(16) hope that the results
of this project will contribute to a further improvement in the safety and quality of
tomorrow’s air travel.
Appendix
Getting Started with the GARTEUR RECOVER
Benchmark
1 Introduction
The GARTEUR REconfigurable COntrol for Vehicle Emergency Return
(RECOVER) aircraft simulation benchmark was developed to demonstrate, both
offline and in real-time (piloted) simulation, the performance and viability of newly
designed fault tolerant flight control algorithms. The software package, based on the
Delft University Aircraft Simulation and Analysis Tool DASMAT [2], is equipped
with several simulation and analysis tools, all centered around a generic non-linear
aircraft model for six-degrees-of-freedom non-linear aircraft simulations. For high
performance computation and visualisation capabilities, the package has been integrated
as a toolbox in the computing environment Matlab®/Simulink®. The tools
of the RECOVER benchmark include trimming and linearisation for (adaptive)
flight control law design, non-linear off-line (interactive) simulations, simulation
data analysis and flight trajectory and pilot interface visualisations. The modularity
of the RECOVER software allows customisation by applying user-generated mod-
els to the generic package for the simulation of any specific aircraft type or fault
scenario. In conjunction with the Matlab®/Simulink® Real-Time Workshop®,
the benchmark model is suitable for integration on simulation platforms for piloted
hardware in the loop testing.
The GARTEUR RECOVER benchmark provides enhanced graphical and
high-resolution aircraft visualisation capabilities, that interface with the Matlab®
environment, to support tool-based advanced flight control system design and evaluation.
This includes, for instance, the visualisation of flight data, the animation
of fault or aircraft upset recovery scenarios or (real-time) analysis of flight control
system states and performance.
The capabilities of the GARTEUR RECOVER benchmark software are suitable
for any educational or demonstration purposes, providing insight into the design of
adaptive flight control algorithms, aircraft flight dynamics and handling qualities
and human factors interfaces.
This Appendix provides a practical guide to get started with the GARTEUR RE-
COVER Simulation Benchmark software package. It provides the necessary steps
to install the software (Section 3) and get familiar with the model structure (Section
5) and the main features of the benchmark environment (Section 6). Some practi-
cal examples demonstrate the steps necessary to run a benchmark simulation (Sec-
tion 6.2). It is assumed that the user is familiar with the installation and use of
the Matlab®/Simulink® programming environment (references can be found in
[13, 14] or on the website of The Mathworks (www.mathworks.com)). For the
application of the benchmark, the user should have a basic understanding of general
rigid body aircraft dynamics and aircraft simulation modeling. An introduction to
these subjects can be found in several excellent books (e.g. [9, 12]). In this aspect,
the GARTEUR RECOVER benchmark is an ideal tool to complement any studies
on the introduction of flight control and aircraft simulation modeling using chal-
lenging design problems.
The GARTEUR RECOVER benchmark should be regarded as a research tool
providing the flexibility for customisation using a modular structure. As such, the
user is encouraged to explore and experiment with the software as much as possible
to obtain insight into the model structure and its features, and adapt it to his or her
own research requirements. Names and descriptions of blocks and signal definitions
in the benchmark model provide a guide for the user on the model interfacing re-
quirements. An introduction to the RECOVER benchmark, including development
background, software architecture, the main features and the aircraft operational
characteristics has been provided in Chapter 6 of this book. For more details and in-
sight into the generic simulation architecture, including the GARTEUR RECOVER
benchmark mathematical models, applied reference frames, variable definitions and
sign conventions the user may refer to the references [2, 3, 4, 5, 6, 7, 8, 10].
The GARTEUR RECOVER benchmark is distributed as open source software to
accompany this book on fault tolerant flight control design and simulation for civil
transport aircraft. The software package can be downloaded, after registration, from
the GARTEUR project website hosted by NLR (www.faulttolerantcontrol.nl). Any
updates of the GARTEUR RECOVER benchmark, including documentation and release
notes, will be made available via the website.
2 System Requirements
The GARTEUR RECOVER benchmark was designed to run under Matlab® 6.5.1 and
Simulink® 5.1 as part of Release 13/Service Pack 1 (R13SP1). This means that the
benchmark model can also be used with higher versions of Matlab®/Simulink®. To
install and operate the benchmark model, any PC that complies with the minimum
hardware requirements to properly run Matlab®/Simulink® is suitable. The website
of The Mathworks (www.mathworks.com) provides further details on the hardware
requirements to install and run Matlab®/Simulink®.
The graphical visualisation capabilities of the GARTEUR RECOVER benchmark,
especially the aircraft animation features, require at least a graphics card that
supports Direct3D. OpenGL compatible hardware acceleration is recommended to
improve the overall graphics quality and hardware performance of the RECOVER
visualisation features. For customisation of the visualisation tool within
Matlab®/Simulink®, specifically the inputs that drive the graphical displays, a
C-compiler needs to be installed. When running the benchmark within Matlab® 7.1
(Release 14) under Windows XP, the buttons of the benchmark main menu do not
display correctly. This graphics issue does not occur in Matlab® 6.5.1 (R13SP1)
and should be solved for later versions of Matlab® 7.1 (R14).
The GARTEUR RECOVER benchmark was tested under Windows XP and Windows VISTA.
For the current version of the benchmark (version 2.2) no issues, other than those
mentioned in this guide, are known under these operating systems.
After registration, the software can be downloaded as a packed ZIP archive. The
following steps are necessary to download and install the benchmark within the
Matlab® 6.5.1 (R13SP1) environment.
• After registering, download the software package from the GARTEUR project
website (www.faulttolerantcontrol.nl).
• Unzip the package into a temporary directory.
• Copy the unzipped package into a suitable destination directory, preferably into
the Toolbox directory of Matlab®. Make sure that the directory structure of the
unpacked package is retained.
• Append the RECOVER benchmark directories to the Matlab® path. The Matlab®
references provide information on how to configure the path.
• Change the Matlab® directory to RECOVERv65. Datafiles generated by the
benchmark tools will be made available in the data directory.
• The benchmark can be started by typing recover in the Matlab® command window,
which activates the main user menu. This will provide further steps to start
running any simulations or exploring the features and models of the RECOVER
benchmark.
The benchmark can be uninstalled by deleting the directory RECOVERv65. Please
make sure that backup copies are made of any user-generated datafiles in the data
directory before deleting.
4 License Agreement
The GARTEUR RECOVER benchmark package is distributed with this book as a
collective work. The Matlab®/Simulink® models of the benchmark are distributed
under the Open Software License (OSL) version 3 or later, whereas the benchmark
visualisation tool remains copyrighted by NLR (although freely distributable with
the RECOVER benchmark). The OSLv3 license allows the user of the software to
modify the models according to his or her own requirements and applications and
re-distribute the software to other users under the OSLv3 licensing terms and con-
ditions and NLR copyright. Any notices and text, including the attribution to the
original developers and the book, should remain in the software package and mod-
els. To facilitate the development or application by other users, developers that have
adapted the software are required to include an appropriate attribution notice in the
source code to inform new users that the original software has changed. The OSLv3
license is available in the file license.txt as part of the GARTEUR RECOVER
software package. Please take notice of the licensing terms and conditions before
using the software.
5 Model Structure
The aim of the following section is to provide an overview of the main model struc-
ture of the GARTEUR RECOVER benchmark. This can be used as a starting point
to further explore the model. Reference [2] provides information on all the submod-
els that comprise the generic aircraft simulation in the benchmark including input
and output formats of the individual generic simulation blocks.
The benchmark Matlab®/Simulink® environment has been developed in a modular and
layered structure using (masked) system blocks and subsystem blocks. In this
structure, each block has its specific input and output formats and signal
definitions. When customising the RECOVER benchmark simulation for any particular
research application, it is important to maintain the model format and signal rela-
tionships as much as possible to prevent any inadvertent mismatches between the
many subsystems and library components. Due to the complexity of the GARTEUR
RECOVER benchmark model, it is recommended to always make use of a version
control method to track any changes or revert to a working version of the benchmark
if necessary.
Chapter 6 of this book provides an introduction to the model structure of the
benchmark and its components.
Fig. 1 GARTEUR RECOVER benchmark software architecture and analysis tools relation-
ships
be noted that any changes to the interface definitions of the models in the library
should be made carefully. This includes the names of the blocks as the library links
use the block names as a reference.
A basic library (B747 library.mdl) for the simulation of the B747-100/200
aircraft model in the benchmark contains the basic aircraft, engine and actuator
models, complete with failure models (Fig. 2). For the GARTEUR RECOVER
benchmark, an additional library was developed (ag16 library.mdl), based on
the basic library, that contains the larger and more extensively modified submodels
out of which the top-level benchmark is built (Fig. 3). This extended library contains
models of the aircraft, the actuators, the sensors, the classic flight control system and
the benchmark failure generator.
Fig. 4 GARTEUR RECOVER benchmark main model components (b747 auto g.mdl)
Depending on the stick configuration, adaptation of the stick interface model by the
user might be necessary.
Fig. 6 shows the Simulink® model structure at Level 5 of the benchmark airframe
block. This level shows the main layout of the RECOVER aircraft simulation model
consisting of the generic simulation models and aircraft specific modules. The
aircraft specific modules (Airframe model (AFM) block and Engine frame
model (EFM) block indicated with a blue background) can be customised for any
particular aircraft taking into account the interface definitions of the blocks.
The blocks that are not specific for any aircraft and that are part of the generic
simulation models ([2]) are displayed with a white background. The generic simu-
lation blocks consist of:
AIRDATA block
The atmospheric and airdata parameters are calculated in this block. The equations
are compiled in a MEX-type Simulink® S-function ac.atmos.mex.
WIND/TURBULENCE block
In this block, the wind and gust velocities are calculated based on user-supplied
Simulink® S-functions of wind and turbulence models. The benchmark simulation uses
zero wind and zero turbulence conditions by default. The block includes a switching
capability for the selection of a turbulence model based on Dryden spectra or a
wind model that includes a wind profile based on meteorological data estimated at
the time of the Flight 1862 aircraft accident.
AFM block
In this block the forces and moments of both the aircraft aerodynamics and turbu-
lence are calculated. The aerodynamic forces and moments are determined from the
aircraft specific aerodynamic model.
EFM block
This block calculates the propulsion forces and moments based on the aircraft spe-
cific engine model.
GRAVITY block
This block calculates the components of the gravity force in the air-path, stability,
body and moving earth reference frames. The gravity force is calculated in the mov-
ing earth reference frame from the aircraft mass and the altitude varying gravity
acceleration.
FM SORT block
In this block all forces and moments calculated from the aerodynamic model, tur-
bulence model, propulsion model and gravity model are combined and added.
EQM block
This block includes the aircraft equations of motion, which are solved to give the
aircraft states and their derivatives. In addition, the aerodynamic and total forces
and moments and their coefficients are corrected for the α̇- and β̇-contributions.
OBSERVATIONS block
The observation parameters of the RECOVER benchmark are calculated in this
block. The parameters are arranged in several subgroups, calculated in subblocks,
consisting of accelerations, linear velocity time derivatives, flight-path related pa-
rameters and measurements outside the center of gravity. A complete list of the
benchmark observation output signal formats is provided in Section 8.
The Open-Loop Simulation button (Fig. 8) in the Simulation section of the bench-
mark main menu will activate the initialisation of an open-loop simulation of a
newly designed control algorithm. During initialisation, the calculation of a (user
specified) trim condition is performed, and a particular test scenario and aircraft
failure mode can be selected. Section 6.2 demonstrates the required steps to per-
form a typical open-loop simulation.
The Closed-Loop Simulation button (Fig. 9) in the main menu activates the initiali-
sation of a closed-loop benchmark simulation. As with the initialisation of an open-
loop simulation, the calculation of a (user specified) trim condition is performed and
a particular test scenario and aircraft failure mode can be selected. It should be noted
that the closed-loop simulation is performed using preset test scenarios as specified
for the GARTEUR fault tolerant control benchmark (Chapters 6 and 7 of the book
provide details on the test scenario specifications based on predefined aircraft opera-
tional requirements). An example in Chapter 6 describes the initialisation procedure
to perform simulations using the closed-loop benchmark model.
workspace. Note that the variable Alin is in radians but all control surface
deflections (except for thrust, which is in Newtons) in the matrix variable Blin
are in degrees. For the purpose of designing a controller, it might be better to
convert the Blin matrix back to radians (this can be done by multiplying the
columns of Blin associated with the control surface deflections by 180/π).
The ordering of the states xlin and the control surfaces ulin of the total linear
model described by the matrices Alin and Blin is as indicated in equation (1).
The spoilers #6 and #7 are ground spoilers and are not used during flight. The
10th and 11th columns associated with these control surfaces can therefore be
neglected during design. Also note that the number of columns of the Blin matrix
is 29. The 30th column is associated with the landing gear and has not been
included in the linear model. An example linear model can be accessed through the
file TESTlin4.lin, available in the benchmark data folder, using the command
load -mat TESTlin4.lin in the Matlab® window.
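Total model:
\[
\begin{cases}
x_{lin} = p_b \;\; q_b \;\; r_b \;\; V_{TAS} \;\; \alpha \;\; \beta \;\; \phi \;\; \theta \;\; \psi \;\; h_e \;\; x_e \;\; y_e \\
u_{lin} = \delta_{air} \;\; \delta_{ail} \;\; \delta_{aor} \;\; \delta_{aol} \;\; \delta_{sp1-12} \;\; \delta_{eir} \;\; \delta_{eil} \;\; \delta_{eor} \;\; \delta_{eol} \;\; \delta_{ih} \;\; \delta_{ru} \;\; \delta_{rl} \;\; \delta_{fo} \;\; \delta_{fi} \;\; \delta_{T_{N\,1-4}}
\end{cases}
\tag{1}
\]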
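The unit conversion and column bookkeeping described above, as an added MATLAB example (not code from the RECOVER package). The Blin used here is a constructed 12 x 29 stand-in for the matrix loaded from TESTlin4.lin, the column groups are read off equation (1), and the test input is constructed.

```matlab
% Added example, not part of the RECOVER package.
% Blin below is a constructed stand-in; in the benchmark it comes from
%   load -mat TESTlin4.lin
nx = 12;                                   % states in xlin
nu = 29;                                   % inputs in ulin (landing gear excluded)
Blin = reshape(1:nx*nu, nx, nu) / 100;     % constructed sample values

% Column groups of ulin in the order of equation (1).
idx.aileron    = 1:4;                      % air, ail, aor, aol
idx.spoiler    = 5:16;                     % sp1 ... sp12
idx.elevator   = 17:20;                    % eir, eil, eor, eol
idx.stabiliser = 21;                       % ih
idx.rudder     = 22:23;                    % ru, rl
idx.flap       = 24:25;                    % fo, fi
idx.thrust     = 26:29;                    % TN1 ... TN4 (Newtons)

if ~isequal(size(Blin), [nx nu])
    error('Blin must be 12 x 29');
end

% Every non-thrust column is per degree of deflection.
surf = setdiff(1:nu, idx.thrust);

% Per-degree -> per-radian: B_rad = B_deg * (180/pi), so that
% B_rad * u_rad equals B_deg * u_deg for the same physical deflection.
Brad = Blin;
Brad(:, surf) = Blin(:, surf) * (180/pi);

% Ground spoilers #6 and #7 are not used in flight.
ground = idx.spoiler([6 7]);
if ~isequal(ground, [10 11])
    error('ground spoiler columns do not match the guide');
end
keep = setdiff(1:nu, ground);
Bdes = Brad(:, keep);                      % 12 x 27 matrix for design

% Consistency check with a constructed input: +1.5 deg on column 1 and
% -1.5 deg on column 2 (an opposite aileron pair), thrust left at zero.
udeg = zeros(nu, 1);
udeg(idx.aileron(1:2)) = [1.5; -1.5];
urad = udeg;
urad(surf) = udeg(surf) * (pi/180);
d = max(abs(Blin*udeg - Brad*urad));
if d > 1e-9 * max(1, max(abs(Blin*udeg)))
    error('degree and radian forms of the input matrix disagree');
end
fprintf('Bdes is %d x %d, max unit mismatch %g\n', size(Bdes,1), size(Bdes,2), d);
```

Leaving the thrust columns unscaled matters: scaling all 29 columns by 180/π would silently inflate the engine input gains by a factor of about 57.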
After the completion of the steps in Fig. 12, the quality of the linearisation
routine can be evaluated by comparing the states (around the trimmed flight
condition) between the linear and non-linear model using small actuator
deflections. This is done by running the Simulink® model called
b747 auto g LINcheck.mdl and the plotting routine plotBENCHMARKtestLINandNL.m.
The user needs to select the actuator to be used as perturbation input for the
comparison depending on which axis is to be tested (e.g. to test the quality of
the lateral axis, 1.5 deg of right aileron and -1.5 deg of left aileron can be
used). Any control input for a particular actuator to excite the linear model can
be defined in the airframe for LINEAR comparison test block within the model
b747 auto g LINcheck.mdl.
Fig. 13, 14 and 15 show example plot results allowing the comparison of the lin-
earised model (TESTlin4.lin) and the non-linear model after a spoiler
Fig. 13 Plots showing actuator deflections (spoilers deflected 1.5 degrees at t=1s) for com-
parison of linearised model (TESTlin4.lin) and non-linear model
Fig. 15 Plots showing lateral states for comparison of linearised model (TESTlin4.lin)
and non-linear model (NL: non-linear model, lin: linear model)
deflection input of 1.5 degrees. The aircraft states are given in radians while
altitude (he) and ground distance (xe) are given in meters.
Fig. 18 Benchmark assessment criteria plots for Right Turn and Localiser Intercept phase
showing aircraft states with evaluation criteria
tolerant control algorithms can be evaluated using the benchmark assessment crite-
ria. The assessment criteria are provided as plots for each phase of the benchmark
scenario (Chapter 6) and can be generated using the Show Assessment Criteria but-
ton (Fig. 17) after a simulation. Fig. 18, 19 and 20 show example plots for the Right
Turn and Localiser Intercept phase of the benchmark scenario. Chapters 6 and 7
provide further details on the benchmark scenario specifications and definition of
the assessment criteria parameters as used in the plots.
Fig. 19 Benchmark assessment criteria plots for Right Turn and Localiser Intercept phase
showing kinematic accelerations in body axes with evaluation criteria
Fig. 20 Aircraft trajectory plots for Right Turn and Localiser Intercept phase
A graphical pilot interface shows the basic flight instrumentation based on spec-
ifications of the electronic flight instrument system (EFIS) displays as found on
the B747-400 aircraft. The RECOVER EFIS displays are configured to show the
primary aircraft state parameters, flight control system state and engine thrust pa-
rameters. Additional features on the displays, not found on the standard B747-400
instrumentation, are included to assess the human-machine interfacing (HMI) as-
pects of new fault tolerant flight control algorithms. For these design applications,
the RECOVER benchmark primary flight display (PFD) has the capability to dis-
play, for instance, the aircraft’s bank, pitch and airspeed envelope protection limits
as calculated by a new self-adaptive control system. The lower display (Engine In-
dicating and Crew Alerting System (EICAS) display) shows the engine parameters,
using Engine Pressure Ratio (EPR) as the main thrust setting reference, inboard
trailing edge flap position and landing gear status. Additional aircraft state informa-
tion on the EICAS display includes angle-of-attack, sideslip and load factor. The
EICAS display also enables monitoring of the activity of the flight control system
and control law performance by presenting all individual control surface deflec-
tions. A basic 3D aircraft model, representing the B747-100/200 aircraft, and the
aircraft’s reconstructed flight path in the out-the-window view allows analysis of
the flight trajectory and maneuvers.
The following features of the interactive simulation window can be controlled by
keyboard and mouse:
• shift-W: switch to aircraft view mode
• shift-A: switch to cockpit view mode
• shift-C: Activate free viewing (aircraft view mode)
• P: Activate/deactivate aircraft flight path (aircraft view mode)
• Left mouse/touch pad button: zoom out (aircraft view mode)
• Right mouse/touch pad button: zoom in (aircraft view mode)
• Mouse or touchpad: Move viewpoint (aircraft view mode)
Fig. 23 shows the information available on the RECOVER benchmark primary
flight display.
Fig. 24 provides a description of the parameters that are available on the RE-
COVER benchmark EICAS display.
For a realistic visualisation of the benchmark scenario, the RECOVER visuali-
sation tool includes a high-resolution geographic rendition of the Amsterdam area
including a detailed layout of the Amsterdam Schiphol Airport runway configura-
tions (Fig. 25). Currently, only runway 27 is configured with an instrument landing
system (ILS) as part of the GARTEUR benchmark scenario. However, further cus-
tomisation of the airport approach and landing aids is possible within the benchmark
model (e.g. an extension of ILS availability).
The aircraft’s flight trajectory can be visualised by pressing P before starting, or
during, a (real-time) simulation. Fig. 26 and Fig. 27 illustrate the flight path visu-
alisation capability in the RECOVER out-the-window view (free viewing mode),
following a simulation of a landing test scenario and in-flight maneuver.
Although not part of the GARTEUR benchmark scenario, runway 06 of the
Schiphol airport scenery is equipped with approach lighting and a visual approach
slope indicator (VASI) (Fig. 28 and 29) to replicate the pilot’s viewpoint during a
typical approach and landing test scenario under visual meteorological conditions
(VMC).
All parameters presented on the RECOVER flight instrumentation displays and
controlling the out-the-window view are available as inputs via a Simulink®
interface in the output & visualisation block (top system level). The RECOVER
visualisation window input variables, including the signal element number,
variable name, dimension and description are summarised in Tables 1 and 2.
Fig. 24 GARTEUR RECOVER benchmark engine indicating and crew alerting system
(EICAS) display elements
Fig. 26 Aircraft flight path visualisation during approach and landing test scenario
Fig. 28 Amsterdam Schiphol runway 06 visual landing aids and ground textures
Table 1 Aircraft state and navigation input variables for the GARTEUR RECOVER bench-
mark visualisation tool (output & visualisation block)
Table 2 Flight control system and engine state input variables for the GARTEUR RECOVER
benchmark visualisation tool (output & visualisation block)
Fig. 31: After selecting Open-Loop Simulation in the main menu, the open-loop
initialisation is started in the Matlab® command window and the first step is to
define the failure model. For this example, the loss of vertical tail failure case
is chosen (failure mode #9). The aircraft configuration may then be entered
including the weight and balance of the aircraft and initial values for the pilot
control inputs used for trimming. For the initial trim values of the controls, it
is usually sufficient to accept the default values here. For this example, the
aircraft is set up in the standard condition (clean configuration, he = 2000 ft,
VTAS = 260 kts).
Fig. 32: The next step is to choose the flight condition. The straight-and-level trim
condition is chosen and the flight path angle and rate of climb are set at the default
values. This sets up the trim routine.
Fig. 33: The program continues with the start of the optimisation to determine the
trim condition. For trimming, the b747 trim d.mdl model is used. The trim rou-
tine runs and gives a trim result in terms of stabiliser deflection and thrust. If the
trim results are acceptable, the required EPR setting is derived from the thrust in the
next step.
Fig. 34: After the trim condition is calculated, the user is first asked to define a test
input signal for an open-loop simulation. Note that the test signals are applied to the
pilot control inputs and not to the separate control surfaces. The simulation is then
performed using the open-loop model b747 funpc d.mdl. Any saved inputs and
outputs are located in the data subdirectory.
Finally, a few time responses can be plotted to show the results. These plots are
generated by the plot sim script. Fig. 35 shows the plotted simulation results of
the aircraft states following an aileron doublet at t=2s. As can be seen in the
plots, the aircraft with the missing tail becomes unstable in the lateral axis
after the aileron doublet at t=2s. The pilot control inputs are shown in Fig. 36.
The calculated specific forces are also plotted and are shown in Fig. 37. The
effect of the loss of directional stability due to the missing vertical tail is
clearly visible in the lateral acceleration (Ayb) response.
8 Signal Formats
This section provides a reference on the signal formats and observation outputs as
available in the top system level (Level 1) of the closed-loop (b747 auto g.mdl)
and open-loop (b747 funpc d.mdl) benchmark models. For all signal formats,
the signal number, name, symbol, dimension and a description are provided. The
GARTEUR RECOVER benchmark observation outputs follow the signal formats
as described in reference [2].
Fig. 34 Test input signal definition for open-loop simulation (b747 funpc d.mdl)
Fig. 35 Aircraft state response after an aileron doublet at t=2s with open-loop benchmark
model (b747 funpc d.mdl) and loss of vertical tail failure mode
Fig. 36 Pilot control inputs showing aileron doublet as test signal at t=2s
Fig. 37 Aircraft specific forces in body axes after an aileron doublet at t=2s with open-loop
model (b747 funpc d.mdl) and loss of vertical tail failure mode
Fig. 39 Boeing 747-100/200 flight control surface arrangements and body axes and moment
definitions (L̄ = rolling moment, M = pitching moment, N̄ = yawing moment, p = roll rate,
q = pitch rate, r = yaw rate)
Table 4 B747-100/200 flight control surface operating limits (positive sign: surface deflec-
tion down / spoiler panel up)
Control surface     Symbol        Mechanical     Two hydraulic system rate   One hydraulic system rate
                                  limit (deg)    (Full boost, deg/sec)       (Half boost, deg/sec)
Inboard elevator    δei           +17/-23        +37/-37                     +30/-26
Outboard elevator   δeo           +17/-23        +37/-37                     +30/-26
Stabiliser          ih            +3/-12         +/-0.2 to +/-0.5            +/-0.1 to +/-0.25
Inboard aileron     δai           +20/-20        +40/-45                     +27/-35
Outboard aileron    δao           +15/-25        +45/-55                     +22/-45
Spoilers #1 - #4    δsp1−4        +45            +75                         0
Spoilers #9 - #12   δsp9−12       +45            +75                         0
Spoilers #5, #8     δsp5, δsp8    +20            +75                         0
Spoilers #6, #7     δsp6, δsp7    +20            +25                         0
Upper rudder        δru           +25/-25        +50/-50                     +40/-40
Lower rudder        δrl           +25/-25        +50/-50                     +40/-40
Table 16 Pilot control inputs (top level open-loop model b747 funpc d.mdl)
9 Contributors
The following persons and organisations contributed to the development of the
GARTEUR RECOVER benchmark.
Contact information, organisation details and links can be found on the GAR-
TEUR project site www.faulttolerantcontrol.nl.
References
1. GARTEUR. GARTEUR RECOVER benchmark quickstart guide, GARTEUR Flight
Mechanics Action Group 16 ‘Fault Tolerant Control’ (2009)
2. van der Linden, C.A.A.M.: DASMAT - Delft University Aircraft Simulation Model and
Analysis Tool. Report LR-781, Delft University of Technology, Faculty of Aerospace
Engineering, Delft, The Netherlands (1996)
3. Smaili, M.H.: Flight data reconstruction and simulation of El Al Flight 1862. Final thesis,
Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Nether-
lands (1997)
4. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Ams-
terdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies
Conference and Exhibit, AIAA-2000-4586, Denver, CO (August 2000)
5. Hanke, C.R.: The simulation of a large transport aircraft. Modeling data, vol. II. NASA
CR-114494 (September 1970)
6. Hanke, C.R.: The simulation of a large transport aircraft. Mathematical model, vol. I.
NASA CR-1756 (March 1971)
7. van Keulen, R.: Real-time simulation and analysis of the automatic flight control sys-
tem of the Boeing 747-200. Final thesis, Delft University of Technology, Faculty of
Aerospace Engineering, Delft, The Netherlands (1991)
8. Marcos, A., Balas, G.J.: A Boeing 747-100/200 aircraft fault tolerant and fault diagnostic
benchmark. Technical Report AEM-UoM-2003-1, University of Minnesota, Minnesota
(June 2003)
9. EL AL Flight 1862, aircraft accident report 92-11. Netherlands Aviation Safety Board,
Hoofddorp, The Netherlands (1994)
10. Boeing 747 Aircraft Operations Manual (1976)
11. Stevens, B.L., Lewis, F.L.: Aircraft control and simulation. John Wiley & Sons Inc., New
York (1992)
12. Etkin, B., Reid, L.D.: Dynamics of flight - stability and control, 3rd edn. Wiley, New
York (1996)
13. Matlab getting started guide. Version 6.5 (Release 13) or later. The Mathworks Inc.,
Natick, MA (USA)
14. Simulink user’s guide. Version 5.1 (Release 13SP1) or later. The Mathworks Inc., Natick,
MA (USA)
Lecture Notes in Control and Information Sciences
Edited by M. Thoma, F. Allgöwer, M. Morari
Vol. 399: Edwards, C.; Lombaerts, T.; Smaili, H. (Eds.): Fault Tolerant Flight Control, 586 p. 2010 [978-3-642-11689-6]