Aerospace Mission Application Examples

The fault detection, isolation and recovery techniques currently used for in flight critical functions rely on hardware/software redundancy associated with simple con-sistency checks or voting mechanisms, or simple estimation techniques such as Kalman filters. Fixed thresholds, once validated with all the known delays in the signals propagation (acquisition, frequency, filtering, ...) are used for rapid recogni-tion of out-of-tolerance condirecogni-tions. These acrecogni-tions (fault detecrecogni-tion and isolarecogni-tion) are

Fig. 3.6 NLGA-PF and NLGA-NF residuals for throttle actuator FDD.

often done by operators using telemetry data collected by ground stations. This data are usually elaborated using on-board functions based on, e.g. hardware redundancy like IMUs placed in a pyramidal structure, cross checks using many star-trackers or short rendezvous sensors, limit value checking with regard to certain tolerances of normal values. However, the potential lack of communication between the system and the stations and/or the time used to analyse the collected data, could lead the missions to be aborted. This problem becomes crucial e.g. during the hypersonic phase of an atmospheric re-entry and specially during the well known blackout phase where no communication between the vehicle and the ground stations ex-ist due to excessive thermic flow. In such cases, only on-board fault detection and isolation solutions can be considered for aerospace systems.

Model-based methods applied to aerospace example systems can be considered today as a mature and structured field of research. Significant progress has been made during the past two decades to address the problem of robustness and perfor-mances assessment. However, except within the Livingstone system [88] which flew on the Deep Space One spacecraft as part of the Remote Agent Experiment, such techniques have not been used so far in on-board computers for aerospace missions.

The principal reason is related to the fact that any new technique should provide a solution having well-defined real-time characteristics and well-defined error rates.

The selection of an advanced model-based fault diagnosis solution at a local or global level, necessarily includes a trade-off between the best adequacy of the tech-nique and its implementation level for covering an expected fault profile, as well as its industrialisation process with support tools for its design/tuning and valida-tion. Very attractive advanced algorithmic solutions would not be accepted, without such industrial framework capability, e.g. for easy parameter tuning and validation by non specialist operators. A classical approach could therefore be preferred de-spite its smaller fault coverage, because classical methods are well industrially mas-tered and well characterized, without risk of excessive false alarms. It follows that a good balance between physical redundancy and model-based techniques could be the right solution, leading to more efficient health monitoring systems based on less redundant elements. See discussion in [9, 10].

This section presents the results achieved when several diagnosis techniques, that are designed exploiting both hardware and system redundancy, are applied success-fully to aerospace missions.

3.3.3.1 The Microscope Satellite

MICROSCOPE is a satellite to be launched on a circular, quasi-polar, sun-synchronous orbit at an altitude of 700km with ascending and descending nodes at 6:00 and 18:00, respectively. To control its trajectory, MICROSCOPEuses the cou-pling of six ultra-sensitive accelerometer sensors, a stellar sensor and a very precise electric propulsion system composed by twelve Field Emission Electric Propulsion (FEEP) thrusters. The mission can be in danger if a FEEP thruster fault occurs, since the satellite may not compensate for non-gravitational disturbances which are indispensable prior conditions for testing the Equivalence Principle.

To overcome this problem, an FDI scheme that consists of a bank of 12 H∞/H−

residual generators is proposed in [72]. The design is done so that the sensitiv-ity level of the i− th residual with respect to the i − th FEEP thruster fault fi is maximised in the H₋-norm sense, whilst guaranteeing robustness against measure-ment noises n and spatial disturbances h(ϖα,ϖspin) in the H∞-norm sense. Fig. 3.7 illustrate the behaviour of the residuals ri(t),i = 1,...,12, the behaviour of the de-cision test and the isolation criteria, for some faulty situations. As can be seen in the figures, after a small transient behaviour, all faults are successfully detected and isolated by the FDD unit.

3.3.3.2 The HL-20 RLV

The RLV vehicle shown in Fig. 3.8 was defined as a component of the Personnel Launch System (PLS) mission. This has initially been designed to support several manned-space missions including the orbital rescue of astronauts, the International Space Station (ISS) crew exchange and some satellite repair missions.

A typical atmospheric re-entry for a medium or high L/D vehicle consists of performing three successive flight phases, namely the Hypersonic phase from about 120 km high down to TAEM (Terminal Area Energy Management) handover, the TAEM phase from Mach 2 gate down to Mach 0.5 gate and the auto-landing phase from Mach 0.5 gate down to the wheel stop on the runway. After having achieved the hypersonic path, the vehicle initiates the TAEM phase characterized by an entry point called TEP (Terminal Exit Point), typically defined when crossing Mach 2 gate, and an exit point called NEP (Nominal Exit Point) which is defined in terms of altitude, velocity and distance to the runway. Finally, the landing path is defined in terms of desired altitude from the runaway threshold and is composed of three successive sections, i.e. a steep outer glideslope, a parabolic pullup manoeuver and a shallow inner glideslope.

The work presented in [89, 90, 56] focuses on any type of faults in the wing flap actuators during the landing phase. The strategy proposed by the authors consists of a bank of two H_∞/H−fault detection filters that are designed so that a given filter is

Fig. 3.7 Fault-free and faulty residuals with the decision test (left) and the isolation criteria (right).

made robust against measurement noise, winds turbulence, the guidance reference signals and faults in a given wing flap actuator, whilst remaining sensitive to all faults in the other wing flap actuator. For the purpose of estimating the position of the faulty control surfaces, the nonlinear EKF method presented in Section 3.2.3 is used. Fig. 3.8 illustrates the results for some nonlinear simulations in the presence of wind and atmospheric turbulence. As it can be seen, the faults are successfully detected, isolated and estimated by the FDI unit.