TuA02-3 Proceedings of the 2005 IEEE International Symposium on Intelligent Control Limassol, Cyprus, June 27-29, 2005 Actuator Fault Diagnosis and Accommodation for Improved Flight Safety Xiaodong Zhang, Marios M. Polycarpou, Roger Xu, and Chiman Kwan Abstract— This paper presents an adaptive fault diagnosis and accommodation scheme for aerodynamic actuators. The fault-tolerant control architecture consists of three main components: an online nonlinear fault detection and isolation scheme, a controller suite, and a reconfiguration supervisor which performs controller reconfiguration and control reallocation using online diagnostic information. The proposed scheme provides a unified architecture for fault detection, isolation and accommodation of actuator failures. Simulation studies using a nonlinear ‘Beaver’ aircraft model have shown the effectiveness of the proposed scheme. I. INTRODUCTION Aerodynamic actuator failures have become a significant concern for flight safety. Recent accidents have been caused by a single actuator failure or a complete loss of the whole hydraulic actuation system [1]. A fault-tolerant control system is capable of automatically compensating for the effects of faults and of maintaining the performance of the control system, at some acceptable level, even in the presence of faults. A traditional approach to fault-tolerance is to use robust control designs for anticipated faults, which is, in general, a conservative approach and may sacrifice achivable performance under normal operating conditions [2]. In contrast, an active fault-tolerant control system that automatically detects and identifies component failures and adapts to such failures as they occur has the potential to achieve superior performance throughtout the full flight operations. Moreover, a truly fault-tolerant control system must also be able to accommodate new and unanticipated faults. In addition, the dynamics of vehicles are usually highly nonlinear and poorly modeled or rapidly changing over different flight conditions. Traditional model-based fault diagnosis and flight control designs employing linearization and gain scheduling techniques tends to be rather tedious. Moreover, when the effect of various faults has to be taken into account, the size and complexity of the scheduling table is significantly increased, which makes it very difficult for design and real-time implementation. Therefore, future fault-tolerant flight control system will benefit from more advanced methods, which are directly based on intrinsic nonlinear dynamics of the vehicle. The design and analysis of fault diagnosis algorithms based on the model-based analytical redundancy approach have received significant attention during the last two decades [3], [4], [5]. Recently there has also been a lot of research activity on fault diagnosis and accommodation of nonlinear systems [5], [6], [7], [8], [9], [10]. The fault information generated by the detection and isolation procedures can be very useful to fault-tolerant control design. In this paper, we present a unified nonlinear framework for detection, isolation, and accommodation of aerodynamic actuator faults. It is an application of the fault diagnosis and accommodation architecture presented in previous papers [9], [10]. The proposed architecture consists of three components: a fault diagnosis scheme, a controller suite, and a reconfiguration supervisor. The first part of this research work, i.e.., detailed design and analysis of the controller suite, has been described in our previous paper [11] and will only be briefly summarized here. A nonlinear DHC-2 ‘Beaver’ aircraft [12] is used to illustrate the effectiveness of overall fault-tolerant control design. II. FAULT DIAGNOSIS AND ACCOMMODATION ARCHITECTURE Reconfiguration supervisor reference inputs control inputs Controller suite Manuscript received December 5, 2004. This work was supported in part by NASA Ames Research Center under Grant NAS2-03104. X. Zhang, R. Xu, and C. Kwan are with Intelligent Automation, Inc, 15400 Calhoun Dr., Suite 400, Rockville, MD 20855, USA. (phone: 301294-5269; fax: 301-294-5201; e-mail: xzhang@i-a-i.com). Marios M. Polycarpou is with Department of Electrical and Computer Engineering, University of Cyprus, Nicosia 1678, Cyprus, and also with the Department of Electrical & Computer Engineering and Computer Science, University of Cincinnati, Cincinnati, OH 45221-0030, USA. 0-7803-8936-0/05/$20.00 ©2005 IEEE Fault information fault diagnosis scheme Nonlinear aircraft measurements Fig. 1 the fault diagnosis and accommodation architecture A block diagram of the proposed fault diagnosis and accommodation scheme is shown in Fig. 1. The fault diagnosis scheme performs on-line fault detection and isolation (FDI). The controller suite consists of a nominal 640 controller used under normal conditions (without faults) and a neural network based adaptive controller. The adaptive fault-tolerant controller is activated after fault detection to compensate for the effects of faults. The reconfiguration supervisor makes two types of decisions using on-line diagnostic information, including reconfiguration decision between the nominal controller and adaptive fault-tolerant controller defined in the controller suite and control reallocation decision in the presence of failures of primary actuators. The proposed fault-tolerant control scheme provides a unified framework for fault detection, isolation, and accommodation. The basic idea is as follows. Under normal operation conditions, the nominal controller guarantees stability and tracking performance. Meanwhile, the fault diagnosis module monitors the system to detect the occurrence of any faults. Once a fault is detected, the adaptive fault-tolerant controller is activated. Although at this stage the particular type of fault that has occurred has not yet been determined, the fault-tolerant controller employing a neural network approximator is able to learn the unknown fault function and automatically compensate for its effect. At the same time, the fault diagnosis module proceeds to determine the particular type of fault that has occurred. Finally, if the fault is isolable, then the fault information can be used to further improve flight safety by control reallocation in the case of a failure of primary aerodynamic actuators. III. AIRCRAFT MODEL In this work, we use the DHC-2 ‘Beaver’ aircraft model [12] to evaluate the feasibility of the fault-tolerant control scheme. The state vector describing the motion dynamics of the ‘Beaver’ aircraft model consists of twelve elements: three linear velocities, three angular velocities, three Euler angles, the true speed, angle of attack, and sideslip angle. Here we only consider the fault-tolerant control design for the ( p, q, r ) dynamics of the ‘Beaver’ aircraft model, because the dynamics of this ( p, q, r ) inner loop are much faster than other outer loops. However, all the aerodynamic variables and their effects on flight dynamics were simulated in our simulation studies. Other variables were initialized at a certain flight condition and then kept open loop. The ( p, q, r ) dynamics of the DHC-2 ‘Beaver’ aircraft are described by the following differential equations: p = f p ( p, q, r ) + Pn N + Pl L q = f q ( p, q, r ) + Qm M (1) r = f ( p, q, r ) r + Rn N + Rl L where f p , f q , f r are polynomial functions of ( p, q, r ) , Pn , Pl , Qm , Rn , and Rl are constants, and the aerodynamic moment functions L , M , and N are given by [12]: § · L = qdyn Sb ¨¨ Cla + Clδα 1 + Clδα 2 α δα + Clδ r δ r ¸¸ § ¨¨ © © ( ) M =qdyn Sc Cma + Cmδ δ e + Cmδ δ § ¨ © e f ¹ · f ¸¸ ¹ N =qdyn Sb Cna + Cnδα δα + Cnδ r δ r ·¸ ¹ where, pb rb +C +C C =C +C β +C la l l l 2V l 2V lp 0 β p r qc rb =C +C α +C +C +C α2 + C β2 +C C ma m m m m V m m 2V mp 0 2 2 α q r α β pb rb qc +C +C +C β 3 +C C =C +C β + C na n n n 2V n 2V n V n np 0 3 p r q β β By combing the above equations and using some simple algebraic manipulations, we have p = f p = f p + Pn qdyn SbCna + Pl qdyn SbCla + qdyn Sb( Pn Cnδα + Pl (Clδα 1 + Clδα 2 α ))δ α + qdyn Sb( Pn Cnδ r + PC l lδ r )δ r q = f q = f q + Qm qdyn ScCma + Qm qdyn Sc (Cmδ δ e + Cmδ δ f ) e f (2) r = f r = f r + qdyn Sb( Rn Cna + Rl Cla ) + qdyn Sb( Rn Cnδα + Rl (Clδα 1 + Clδα 2 α ))δ α + qdyn Sb( Rn Cnδ r + Rl Clδ r )δ r For more details of the aircraft model (e.g., definitions of some notations in (2)), we refer to [12]. We assume that the primary aerodynamic actuators are δ a , δ e , and δ r , and δ f is an redundant actuator. So the objectives of our faulttolerant control design are as follows: • Detect the occurrence of any faults; • Isolate and accommodate the failures of these three primary actuators. Moreover, if a fault occurs to δ e , we will reallocate the control to the redundant actuator δ f for improved flight safety. It is worth noting that similar control reallocation schemes can also be designed for actuators δ a and δ r , if secondary • actuation systems in these control channels are available. In the case of a new and unanticipated fault, the fault cannot be isolated. Then the neural network based adaptive fault-tolerant controller activated after fault detection is capable of learning the unknown fault function on-line and providing some minimal performance (e.g., closed-loop stability). IV. FAULT DETECTION AND ISOLATION SCHEME The design of the nonlinear FDI scheme is based on our previous work [9]. The monitoring module consists of a bank of N + 1 nonlinear adaptive estimators operating in parallel, where N is the number of possible fault types in the partially known fault class. One of the adaptive estimators is the fault detection and approximation estimator (FDAE) used to detect and approximate faults. 641 The remaining adaptive estimators are fault isolation estimators (FIEs) activated for the purpose of fault isolation only after a fault has been detected. Each FIE corresponds to a particular type of fault in the fault class. Under normal conditions (without faults), the FDAE is the only estimator monitoring the system. Once a fault is detected, the bank of FIE is activated to further determine the particular type of fault that has occurred. The fault detection decision scheme: The decision on the occurrence of a fault (detection) is made when the modulus of at least one of the estimation error components ε i0 (t ) faults under consideration belong to the fault class F given by ­ ªθ11 g11 ( x, u ) º °« » 0 F  {φ 1 , φ 2 , φ 3 } = ® « », ° «θ 1 g 1 ( x , u ) » ¼ ¯¬ 3 3 δ a , δ e , and δ r , respectively, the functions g11 ( x, u )  qdyn Sb( Pn Cnδα + Pl (Clδα 1 + Clδα 2 α ))δα , g31 ( x, u )  qdyn Sb( Rn Cnδα + Rl (Clδα 1 + Clδα 2 α ))δ α g 22 ( x, u )  Qm qdyn ScCmδ δ e , n time is defined as Td  inf * {t ≥ T0 : ε i0 (t ) > ε i0 (t )} , where e g13 ( x, u )  qdyn Sb( Pn Cnδ r + PC l lδ r )δ r , i =1 and is detected at time Td , where s ∈ {1," , N } , then a set of adaptive thresholds {µis (t ), i = 1,..., n} exist such that the i th component of the residual vector generated by the s th estimator satisfies ε is (t ) ≤ µ is (t ) , for all t ≥ Td . Consequently, for each s = 1," , N , a set of adaptive threshold functions µis (t ) can be associated with the s th fault isolation estimator. In the fault isolation process, for a particular s , if ε is (t ) > µis (t ) for some t > Td and some i = 1," , n , then the possibility of fault s having occurred can be excluded. Based on this intuitive idea, the following isolation decision scheme can be designed. Fault isolation decision scheme: If, for each r ∈ {1, 2,..., N } \{s} , there exists some finite time t r > Td and some i ∈ {1,..., n} , such that ε ir (t r ) > µir (t r ) , then the occurrence of fault s is concluded. The fault isolation time ∆ s is defined as Tisol = max{t r , r ∈ {1,..., N } \ {s}} . Following the formulation given in [9], we can put (2) into the following general form: ª fpº ª p º « q » = « f » + β (t − T )φ + η , (3) 0 « q» « » « » «¬ r »¼ ¬ fr ¼ where φ represents the unknown changes in the system dynamics due to faults, η is the modeling uncertainty, and β is the fault time profile. In this paper, we only consider the case of abrupt faults, i.e., β is a step function given by ­0, if t < T0 ¯1, if t ≥ T0 β (t − T0 ) = ® Based on the aircraft model described by (2), the actuator ªθ13 g13 ( x, u )º ½ « »° , 0 « »¾ «θ 33 g 33 ( x, u )» ° ¬ ¼¿ (4) where φ 1 , φ 2 , and φ 3 represent the failures of actuators exceeds its corresponding bound ε i0 (t ) . The fault detection T0 is the unknown fault occurrence time. The fault isolation decision scheme is based on the following principle: if the fault s occurs at some time T0 0 ª º «θ 2 g 2 ( x, u ) » , 2 2 « » 0 ¬« ¼» g33 ( x, u )  qdyn Sb( Rn Cnδ r + Rl Clδ r )δ r , represent the functional structures of the faults, and the unknown parameters θ11 ∈ [0 − 1] , θ 31 ∈ [0 − 1] , θ 22 ∈ [0 − 1] , θ13 ∈ [0 − 1] , and θ 33 ∈ [0 − 1] represent the unknown magnitude of the fault. For instance, the case of θ11 = θ 31 = θ 22 = θ13 = θ 33 = 0 implies that all the actuators are “healthy” and under normal operating conditions, whereas the case of θ11 = θ 31 = θ 22 = θ13 = θ 33 = −1 represents the very extreme case that all the actuators have completely failed, in the sense that there is no control output. Otherwise, it represents a partial failure of the corresponding actuator. By using the FDI methodology described in [9], a bank of four adaptive estimators is designed. One of them is the fault detection estimator, and the remaining are fault isolation estimators. The derivation of adaptive thresholds for fault detection and isolation, fault detectability and isolability, and fault detection and isolation time have been rigorously established in [9], [10]. For instance, the fault isolability condition and the fault isolation time are characterized by a so-called fault mismatch function which gives a certain measure of the difference between faults. Remark: In literature, there exist several types of observer schemes. For example, within the fault isolation framework, the dedicated observer scheme (DOS) and the generalized observer scheme (GOS) are typically used [5]. The fault isolation decision logic used here falls within the GOS framework. V. CONTROLLER MODULE The controller module consists of a nominal controller and an adaptive fault-tolerant controller employing a neural network approximator, which is activated after fault detection to compensate for the effect of faults. The details of controller module design for the DHC-2 ‘Beaver’ aircraft model have been presented in our previous paper [11]. The nominal controller is implemented as a PI controller by 642 using feedback linearization. The adaptive fault-tolerant controller consists of two parts. The first part is designed to deal with partially known faults that cause unknown parametric changes in the aerodynamic moment functions L , M , and N , and the second part is augmented to deal with new or unanticipated faults by using neural network based on-line learning methods. Theoretical analysis regarding the stability of the neural network based adaptive fault-tolerant controller can be found in [11]. VI. RECONFIGURATION SUPEVISOR Compared with traditional robust control approaches which achieve fault-tolerance passively using the worst case scenario, the fault-tolerant control scheme proposed in this research work is an active approach, in the sense that the controller structure is reconfigured online using fault diagnostic information. Next we describe the reconfiguration strategies. First of all, we define three important time instants: T0 ≥ 0 is the time when a fault where Pqr , Q pr , and R pq are known constants defined in the polynomial functions f p , f q , f r , θ p ∈ [−0.25, 0.25] , θ q ∈ [−0.25, 0.25] , and θ r ∈ [−0.25, 0.25] are unknown constants representing up to 25% variation in the nominal values of Pqr , Q pr , and R pq , respectively. The sinusoidal terms represent some high frequency noise. A bounding function on the modeling uncertainty can be easily obtained ª 0.25 Pqr qr + 0.02 º « » as η = « 0.25 Q pr pr + 0.02 » , which is used in the design of « » « 0.25 R pq + 0.02 » pq «¬ »¼ adaptive thresholds for fault detection and isolation [9]. occurs; Td > T0 is the time when the monitoring system (possibly) provides a fault detection decision; Tisol > Td is the time when the monitoring system (possibly) provides a fault isolation decision, that is, which actuator has actually partially or completely failed. Then we propose the following reconfiguration strategies: (1) After fault detection (i.e., for Td ≤ t < Tisol ), the nominal controller is reconfigured to compensate for the effect of the (yet unknown) fault; that is, the nonlinear adaptive fault-tolerant controller is activated to exploit the information that a fault occurred to maintain some acceptable control performance; (2) After the actuator fault is isolated (i.e., for t ≥ Tisol ), alternative actuation modes can be used to provide additional control authority. Note that here the structure of the adaptive fault-tolerant controller remains unchanged, but the control signal is realloated to “healthy” secondary actuation systems. (a) Normal operating condition (b) A partial failure of actuator δ e with VII. SIMULATION RESULTS In this section, we will illustrate the effectiveness of the proposed fault-tolerant control scheme by considering the following two case studies: (1) actuator fault diagnosis and accommodation, (2) the case of a new or unanticipated fault. A. Actuator FDI and control reallocation We assume the modeling uncertainty in the ( p, q, r ) dynamics described by (3) is given by ªθ p Pqr qr + 0.02sin(10t ) º « » η = «θ q Q pr pr + 0.02 sin(15t ) » , « » «¬θ r R pq pq + 0.02sin(10t ) »¼ θ 22 = −0.4 occurs at t = 12 second Fig. 2: Tracking performance of the nominal controller Fig. 2 shows the results when a partial failure of actuator δ e (a fault of type 2 in the fault class defined by (4)) with θ22 = −0.4 occurs at t = 12 second. As shown in bottom and right plot of Fig. 2(a), the nominal controller provides good tracking of the pitch rate reference signal under normal conditions (without fault). However, after a fault occurs at time t = 12 second, the tracking performance significantly deteriorates, as can be seen from bottom and right plot of Fig. 2(b). 643 estimates the ( p, q, r ) state variables and generates three residuals. As shown in Fig. 4, while all of the residuals generated by fault isolation estimator 2 always remain below their thresholds, at least one component of the residuals generated by each of the remaining two estimators exceeds the corresponding threshold almost immediately after the isolation estimators are activated. Therefore, this allows the isolation of a fault of type 2, i.e., a failure of actuator δ e . Fig. 3 fault detection residual and threshold generated by the fault detection estimator; Fig. 5 illustrates the concept of controller reconfiguration and control reallocation using on-line diagnostic information. First, the adaptive fault-tolerant controller is activated to compensate for the fault right after fault detection at approximately t = 10 second. Second, since the fault isolation results (Fig. 4) indicate that it is a failure of the elevator actuator δ e , we might no longer want to use δ e to control the pitch rate for flight safety. Then the redundant actuator δ f is activated to provide the required control authority. It is worth noting that a simple scheme has been used so that the switching between δ e and δ f is carried out continuously to improve the transient performance. The outputs of δ e and δ f are shown in the two upper figures of (a) fault isolation estimator 1 Fig. 5, respectively. The tracking performance of the adaptive fault-tolerant controller with control reallocation is shown in the bottom and right plot of Fig. 5. Acceptable control performance is achieved even in the presence of the fault. Analogous simulation studies corresponding to the occurrence of actuator faults φ 1 and φ 3 (i.e., a failure of δ a or δ r ) have also been performed. Satisfactory faulttolerance performance has been achieved. Due to space limitation, these results are not described here. It is worth noting that only secondary actuation system is considered here. In our future work, we intend to include all the possible actuation systems, including jet engines [13]. (b) fault isolation estimator 2 (c ) fault isolation estimator 3 Fig. 4: Residuals and their corresponding adaptive thresholds generated by fault isolation estimators The results of the fault detection scheme and fault isolation scheme are shown in Fig. 3 and Fig. 4, respectively. As we can see from Fig. 3, the fault is almost immediately detected after its occurrence (within 0.5 second). It is worth noting that each fault isolation estimator 644 Fig. 5: Tracking performance of the adaptive neural controller with controller reconfiguration and control reallocation B. The case of an unanticipated fault As described early, another advantage of the presented fault-tolerant control scheme is its capability to handle the occurrence of new or unanticipated faults. In this case, the fault will be possibly detected but not isolable, since it does not belong to the fault class under consideration. However, the neural network incorporated in the adaptive faulttolerant controller provides the adaptive structure to learn the unknown fault on-line. In other words, the fault-tolerant controller activated after fault detection is capable of maintaining system stability and acceptable tracking performance before further human intervention. new fault. VIII. CONCLUSION A unified architecture for detecting, isolating and accommodating of aerodynamic actuator faults is presented in this paper. Following failures of primary actuators, redundant actuators are used to provide additional control authority. In our future work, we will extend the presented fault-tolerant control architecture to alternative aerodynamic and propulsion actuations [13], therefore establishing a sequential utilization of all actuation systems available for critical stability and control augmentation tasks. REFERENCES [1] [2] [3] [4] Fig. 6: Tracking performance of the nominal controller when the fault occurs at t = 12 second [5] [6] [7] [8] [9] Fig. 7: Tracking performance of the neural network based adaptive fault-tolerant controller activated after fault detection [10] Fig. 6 and Fig. 7 illustrate this concept. As an example, we consider a fault given by φ = ª« 0 C mα 3 Qm qdyn Sc α 3 0 º» , ¬ ¼ T where C mα 3 = 10 . [11] [12] [13] Obviously, the functional structure of this fault doesn’t belong to the fault class defined in (4). The bottom and right plot of Fig. 6 shows the tracking performance of the nominal controller significantly deteriorates after the fault occurs. The fault is detected within 0.5 second after its occurrence (the FDI plots are not shown here due to space limitation). Fig. 7 illustrates that the neural network based adaptive fault-tolerant controller is capable of maintaining acceptable tracking performance even in the presence of the 645 National Transportation Safety Board. United Airlines Fligth 232. Aircraft Accident Report PB90-910406, NTSB/AAR-90/06, McDonnell-Douglas DC-10, Sioux Gateway Airpot, NTSB, Sioux City, Iowa, July 1989. R. J. Patton, “Fault-tolerant control: the 1997 situation (survey),” Proceedings of the IFAC SAFEPROCESS, pp. 1029-1052, UK, 1997. P. M. Frank, “Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy - a survey and some new results,” Automatica, vol. 26, pp. 459-474, 1990. J. J. Gertler, “Survey of model-based failure detection and isolation in complex plants,” IEEE Control Systems Magazine, vol. 8, pp. 311, 1998. J. Chen and R. J. Patton, Robust Model-Based Fault Diagnosis for Dynamic Systems, Kluwer Academic Publishers, 1999. E. A. Garcia and P. M. Frank, “Deterministic nonlinear observerbased approaches to fault diagnosis: a survey,” IFAC Control Engineering Practice, vol. 5, pp. 663-670, 1997. H. Hammouri, M. Kinnaert, and E. H. El Yaagoubi, “Oberver--based approach to fault detection and isolation for nonlinear systems,” IEEE Trans. on Automatic Control, vol. 44, pp. 1879-1884, 1999. C. De Persis and A. Isidori, “A geometric approach to nonlinear fault detection and isolation,” IEEE Trans. on Automatic Control, vol. 46, pp. 853-865, 2001. X. Zhang, M. M. Polycarpou, and T. Parisini, “A robust detection and isolation scheme for abrupt and incipient faults in nonlinear systems, ” IEEE Trans. on Automatic Control, vol. 47, pp. 576-593, 2002. X. Zhang, T. Parisini, and M. M. Polycarpou, “Adaptive faulttolerant control of nonlinear systems: a diagnostic information-based approach,” IEEE Transactions on Automatic Control, vol. 49, no. 8, pp. 1259-1274, August 2004. M. M. Polycarpou, X. Zhang, R. Xu, Y. Yang and C. Kwan, “A neural network based approach to adaptive fault-tolerant flight control,” Proceedings of ISIC’2004, Taipei, pp. 61-66. M. Rauw, FDC 1.2 – A Simulink Toolbox for Flight Dynamics and Control Analysis, 2nd edition, 2001. F. W. Burcham, J. Burken, T. A. Maine, J. Bull, Emergency Flight Control Using Only Engine Thrust and Lateral Center-Of-Gravity Offset: A First Look, NASA Technical Report TM-4798, 1997.