A MONTE CARLO ANALYSIS AND DESIGN FOR FDI OF A SATELLITE ATTITUDE CONTROL SYSTEM

Ron J. Patton ∗, Faisal J. Uppal ∗, Silvio Simani ∗∗,1, Bernard Polle ∗∗∗

∗ Department of Engineering, University of Hull, Cottingham Road, Hull, HU6 7RX, UNITED KINGDOM. Email: [email protected]
∗∗ Dipartimento di Ingegneria, Università di Ferrara, Via Saragat 1, 44100 Ferrara (FE), ITALY. Email: [email protected]
∗∗∗ EADS-Astrium, Rue des Cosmonautes, 31402 Toulouse cedex 4, FRANCE. Email: [email protected]

Abstract: This paper deals with the reliability and performance evaluation of two methods for the FDI of on-board sensors and thrusters for the attitude control of the Mars Express (MEX) orbiter spacecraft. The study makes use of a detailed non-linear simulation of the MEX, and the FDI performance is evaluated subject to disturbance signals, model uncertainty and measurement noise processes. The two methods are based on robust dynamic observers or filters, used as estimators, which generate the FDI residual signals. When organised into an estimator bank and suitably designed, these estimators achieve excellent fault isolation properties. Carefully selected performance criteria indices are used together with Monte Carlo robustness tuning and performance evaluation. These constitute the FDI design methodology, realising a reliability approach for the real application of FDI in future spacecraft. Copyright © 2006 IFAC.

Keywords: Reliability analysis and evaluation, fault detection and isolation, sensor faults, satellite control application, Monte Carlo simulation.
1. INTRODUCTION
The reliability analysis of designed Fault Detection and Isolation (FDI) schemes and their performance evaluation are of paramount importance, as such schemes have finally to be applied to real engineering processes. Traditional approaches to reliability modelling assume that a known analytical model describes the overall system under diagnosis. It is also commonly assumed that all uncertainty processes and fault rates acting on the monitored system can be described by known probability distribution functions. The estimation of the number of faults that can be detected and isolated by the diagnosis algorithms can then solve the software reliability measurement problem (Baca, 1993).

In this paper, we propose a framework relying on detailed simulation techniques for incorporating the effects of disturbance signals, model uncertainty and measurement noise acting on the monitored process. In particular, the proposed reliability analysis methodology is based on carefully selected performance criteria indices that depend on the residual functions generated by the diagnosis schemes. The FDI scheme considered is based on robust dynamic observers or filters, used as estimators, which generate the residual signals. When organised into a group, these estimators provide excellent fault isolation properties. From the available FDI literature, two robust fault diagnosis methods have been selected and compared. This work deals with the performance evaluation of these two methods when applied to the FDI of the on-board sensors and thrusters of the Mars Express (MEX) spacecraft. Low-cost software algorithms to determine the overall performance of the proposed FDI methods are described and implemented in the MATLAB/SIMULINK® environment. They exploit a detailed simulation of the attitude control of the MEX, subject to disturbance signals, model uncertainty and measurement noise processes. The overall FDI scheme uses Monte Carlo simulations both for the design and tuning of the robust FDI techniques and for their final performance evaluation. This comprehensive methodology constitutes a reliability approach for the real application of FDI in future spacecraft.

1 Corresponding Author.
2. MEX SATELLITE DESCRIPTION

In most phases of the mission, the Mars Express safety requirements are not very stringent and the fault diagnosis of the vehicle is designed using inactive hardware redundancy schemes (the so-called "cold redundancy"). In the Mars Orbit Insertion (MOI) phase the requirements become much more stringent and require specific FDI strategies. The classical diagnosis procedure implemented on-board the MEX follows a hierarchical FDI and Reconfiguration (FDIR) architecture with three levels:
• Local monitoring: tests at unit level;
• Functional monitoring: comparison between several units;
• Global monitoring: survival level.

The criticality of a surveillance in a dedicated mode is described by the capability of continuing the current operations after reconfiguration. A Non Emergency Surveillance enables the current mission mode to be continued. An Emergency Surveillance leads to a switch to a backup mode after the reconfiguration. In the Main Engine Boost Mode (MEBM) used during the MOI, specific supervision logic is used because of the criticality of the manoeuvre:
• the number of active surveillances is reduced to a minimum;
• the active surveillances are classified as Non Emergency Surveillance;
• specific reconfiguration procedures are activated at DMS level to ensure that the maximum duration of a Main Engine switch-off (10 seconds) is met.

Fig. 1. MEX IMU and thruster configurations.

With reference to the MEBM, Figure 1 depicts the Inertial Measurement Unit (IMU) management. On the MEX, the IMU configuration consists of two 3-axis IMU units. In normal mode, these units are used with hardware redundancy (cold redundancy). A gyro fault is suspected, for example, in case of over-rate detection or in case of non-coherence between star tracker and gyro measurements. These surveillances are classified as Emergency Surveillance in normal mode, since reconfiguration on the cold redundant unit requires a switch to backup mode. In MEBM, the star tracker is switched off to minimise the risk of false alarm, the two IMUs are switched on in hot redundancy and, in case of over-rate, the same mode is continued after reconfiguration on the redundant unit, following the best-effort strategy suitable in such a critical phase.

One specific problem on MEX is related to thruster management in MEBM. Referring to Figure 1, the thrusters are arranged in a classical configuration of two separate, independent branches of four thrusters. Each set of four thrusters is arranged on the z-face corners to control the high-level disturbing torque of the main engine. In a nominal situation, four thrusters alone can cope with the worst-case disturbance torques. However, a few situations can arise during the mission in which the eight thrusters have to be used simultaneously. This specific mode, using the two propulsion branches simultaneously, has been developed for contingency cases. Using this mode leads to the loss of the simple nominal fault isolation strategy already implemented in the MEX system. Clearly, in case of failure of one thruster branch, the increased torque capacity provided by the two branches is lost, but it is required only in the worst case; it thus makes sense to use the remaining thrusters. Two solutions are suggested to cope with this situation:
• detect the failed thruster, then isolate the failed branch;
• continue to thrust with the failed thruster.

Indeed, a robust controller may still behave correctly even with one failed thruster (stuck open or closed), and the fuel loss may be acceptable given that the failed thruster still participates in the manoeuvre. Given the lack of fault isolation methods at functional level available on-board the MEX system, suitable FDI strategies have to be implemented. In particular, model-based FDI techniques represent the most promising method that can handle such faults in real time. They are also able to provide the correct isolation of the failed thruster branch, which can then be used after reconfiguration.

It is interesting to note that the MEX system is also a good benchmark for the evaluation of robust and reliable FDI techniques. The FDI methods have to be robust with respect to only one gyro fault. However, no isolation of the faulty gyro is required, as its identification is provided by reconfiguration of the whole 3-axis IMU.

3. ROBUST FDI METHOD SELECTION

Here we deal with the selection and design of methods which combine a good ability to achieve demonstrable FDI robustness with a quantifiable and deterministic computational cost. FDI methods available in the current literature (Patton and Chen, 1994; Chen and Patton, 1996; Chen and Patton, 1999; Isermann, 1997) and the recent experience of some of the authors (Simani et al., 2002) have led to the selection of the following methods:
• Method-I: Dynamic System Identification and Observer Design for Robust Residual Generation and FDI (Simani et al., 2002);
• Method-II: Optimal Robust Disturbance Decoupling Observer (ORDDO) for Fault Detection and Isolation (Chen and Patton, 1996).

Brief details of these methods are given in the remainder of this section. The key criteria for the selection of these methods can be summarised as follows:
(1) Robustness. One of the main criteria for selection is robustness to modelling uncertainties, parameter variations and noise. Real application systems suffer from disturbances, noise and varying operating conditions, leading to challenging modelling requirements. The model-reality differences have an associated uncertainty, and the FDI scheme should be insensitive to modelling errors, system non-linearity and external disturbances.
(2) Availability of a suitable linear model. Methods I and II have been selected as the system considered could be represented reasonably well by a given linear model whose parameters are known with some certainty. It should be noted that a more advanced non-linear method might improve the results at the cost of computational complexity; however, this approach is not considered at this stage.
(3) Fault detectability and isolability. For clear isolation, a structured set of residual signals is required, in which each residual is made less sensitive to certain faults while other faults have a larger effect. The observer-based methods, particularly the unknown input observers, have the ability to generate such a structured residual set.
(4) Efficiency of real-time realisation and computation. Owing to the limited computational power available on-board MEX, the FDI implementation, along with the other functions, must require minimal resources.

As outlined above, the work deals with two methods for residual generator design and evaluation for the FDI of the satellite on-board sensors and thrusters, subject to disturbance signals, model uncertainty and measurement noise processes. The system under diagnosis is modelled in terms of an uncertain state-space description, i.e. by partially known state-space matrices $(A_p(\theta), B_p(\theta), C_p(\theta))$ and known input-output discrete-time signals $\{u_k, y_k\}$. The unknown vector $\theta$ represents the uncertainty acting on the monitored process, which can affect some entries of the state-space matrices. Strategies for the design of residual generators able to minimise the effect of the disturbance are therefore necessary. The methods have some features in common: they are based on dynamic observers or filters, used as estimators, which generate the residual signals $r_k$:

$$
\begin{aligned}
\hat{x}_{k+1} &= A\,\hat{x}_k + B\,u_k + H\,(y_k - C\,\hat{x}_k) \\
\hat{y}_k &= C\,\hat{x}_k \\
r_k &= W\,e_k = W\,(y_k - \hat{y}_k)
\end{aligned}
\qquad (1)
$$

where $\hat{y}_k$ represents the estimate of the process output and $(A, B, C)$ are the state-space matrices of the linear model used to approximate the behaviour of the process under diagnosis. If organised into a bank structure, these estimators provide a good way of achieving fault isolation, since the residuals of each observer in the bank have different sensitivity properties with respect to the faults, depending on the design matrices $H$ and $W$.

In Method-I, a linear model $(A, B, C, H)$ able to describe, with a certain accuracy, the behaviour of the monitored process is identified from the process inputs and outputs $u_k$ and $y_k$. This identified linear state-space model is described by its innovation form (Simani et al., 2002):

$$
\begin{aligned}
\hat{x}_{k+1} &= A\,\hat{x}_k + B\,u_k + H\,e_k \\
\hat{y}_k &= C\,\hat{x}_k + e_k \\
e_k &= y_k - \hat{y}_k
\end{aligned}
\qquad (2)
$$

Then each residual generator can be developed by following the Kalman filter design technique. It can be shown that these residual generators achieve good robustness properties with respect to the disturbance signals acting on the system. The estimators of the output vector $\hat{y}_k$ are organised into a bank structure to achieve good fault isolation. As shown in Section 5, an appropriate choice of their parameters (observer gains $H$ and fault evaluation thresholds $\varepsilon$) enables the robustness with respect to both measurement noise and modelling errors to be maximised, whilst optimising the fault sensitivity characteristics.

An alternative approach makes direct use of the linear satellite model provided. Instead of identifying a linear state-space dynamic model, Method-II uses the nominal model ($\theta = \theta_0$) provided, $(A_p(\theta_0), B_p(\theta_0), C_p(\theta_0)) = (A_0, B_0, C_0)$, to design an output observer for residual generation. This method manages the effect of uncertainty and faults directly at the observer design stage, thus designing the residual signals using the system model together with data from the simulation. The highlights of the Method-II design are: (a) the development of a comprehensive methodology incorporating disturbance estimation, step-by-step parameter tuning and Monte Carlo simulation in the design loop; (b) different adjustable thresholds designed for different satellite phases; (c) successful detection and isolation of the MEX thruster faults with high probability; and (d) minimisation of the computational complexity by running only the "Fault Detection Observer" prior to fault detection and switching on the group of Fault Isolation Observers only after detection. This method consists of a group of decoupling observers (ORDDO) generating a number of residuals for fault detection and isolation. The residual generator of Method-II has the following structure:

$$
\begin{aligned}
z^i_{k+1} &= F^i_k\,z^i_k + T^i_k B_k\,u_k + K^i_k\,y_k \\
r^i_k &= (I - C_k H^i_k)\,y_k - C_k\,z^i_k
\end{aligned}
\qquad (3)
$$

where $i = 0$ for the detection observer and $i = 1, \ldots, (\text{number of faults})$ for the isolation observers. $F^i_k$ is designed to have stable eigenvalues, and the parameter matrices are $K^i_k = K^{1i}_k + K^{2i}_k$, $K^{2i}_k = F^i_k H^i_k$, $(H^i_k C_k - I)\,E_k = 0$, $T^i_k = I - H^i_k C_k$ and $F^i_k = A_k - H^i_k C_k A_k - K^{1i}_k C_k$. Taking $\hat{x}^i_k = z^i_k + H^i_k y_k$ as the state estimate and $e^i_k = x_k - \hat{x}^i_k$ as its error, these conditions make the error of a process $x_{k+1} = A_k x_k + B_k u_k + E_k d_k$, $y_k = C_k x_k$ evolve as $e^i_{k+1} = F^i_k e^i_k$, independently of the unknown input $d_k$, and the residual reduces to $r^i_k = C_k e^i_k$. The ORDDO is a special form of state observer designed in the sense of minimum estimation error variance. Its main advantage is that it can be used to detect faults in the presence of modelling/parameter uncertainty, noise and disturbances. Optimality refers here to an optimal de-coupling of the effects of uncertain signals and disturbances, the so-called unknown inputs (Chen and Patton, 1996; Chen and Patton, 1999), from the estimation error (and hence from the FDI residuals). Each observer in the group is designed (using unknown input de-coupling techniques) to be sensitive to a subset of the faults that have to be detected and isolated. A specially designed augmented observer is also used for estimating the disturbance torque, which is then treated as a known input to the observers. It is worth noting that the disturbance estimated in this way also includes the un-modelled dynamics. Therefore, by considering the estimated disturbance as a known input for the residual generating group of observers, it is also expected that the FDI design will be robust against modelling uncertainty. It is an important point that the state estimation obtained by this method is an improvement over the results obtained using a standard Kalman filter when un-modelled disturbances (the unknown inputs) act upon the system. This general modification to the Kalman filter was made by Chen and Patton (1996) in an award-winning paper (gaining the IEE Kelvin Premium), and it is an important tool for the design of robust FDI residuals. Several studies based on this modified Kalman filter are summarised in (Chen and Patton, 1999).

Method-I achieves the required robustness properties with respect to the uncertain monitored MEX system during the estimation (or identification) phase of the linear state-space model (Simani et al., 2002). The "optimal models" are identified using criteria that take account of (a) modelling errors and (b) noise and disturbance signals, in order to reproduce accurately the input-output dynamic behaviour of the system. Following the identification stage, a traditional output estimation observer is designed to generate the appropriate residual signals. Method-II exploits a special form of state-space observer, based on a so-called "optimal observer" in the sense of the minimum state estimation error of a Kalman filter. The estimated output satisfies disturbance de-coupling and therefore has an additional feature with respect to the standard Kalman filter. The modification to the (time-varying) Kalman filter, which depends on the matrices $(F_k, T_k, K_k, H_k)$, is an important tool for the design of robust FDI residuals (Chen and Patton, 1996). An advantage of using a full-order observer/Kalman filter is that, having achieved the disturbance de-coupling, the remaining design freedom can be used to ensure minimal state estimation variance when noise with known statistics acts upon the system. The "optimal residual" (or error) signal for FDI is then the output estimation error, which is robust against the disturbance and has minimum output estimation error variance. In this context the "disturbance" has a more general significance, in that it can also include certain faults (e.g. as components of the overall vector of disturbance signals). Each of the proposed methods achieves optimality in a different way in order to obtain suitable residual signals for FDI. Once optimal FDI residual signals have been designed, a number of well-established hypothesis-testing procedures can be applied; the simplest is the geometrical test

$$
\begin{cases}
|r_k| \le \varepsilon & \text{in the fault-free case,}\\
|r_k| > \varepsilon & \text{in the faulty case.}
\end{cases}
\qquad (4)
$$

This logic is utilised to examine the residuals for the likelihood of faults and for the FDI performance evaluation. Both methods use the same performance criteria indices, described in Section 4. Monte Carlo simulations have been exploited for the robust identification of the system matrices $(A, B, C, H)$ by Method-I, whilst Method-II exploits Monte Carlo runs for the optimal design of the matrices $F_k$, $T_k$, $K_k$ and $H_k$. Full details of the performance evaluation results are given in Section 5. Although the methods outlined here focus to some extent on state-space concepts, the actual algorithms for use in the real-time on-board application are based only on input-output processing of all measurable signals, i.e. all measurements $y_k$ as well as the control signals $u_k$. Algorithmic simplicity is a very important aspect when considering the limited availability of computational power.

4. PERFORMANCE CRITERIA AND RELIABILITY ANALYSIS

For the performance evaluation and reliability of the FDI schemes, some performance indices motivated by the DAMADICS benchmark study (Bartys et al., 2006) have been used. The performance of each FDI method selected for the MEX system is evaluated on the basis of probability and rate values over a number of Monte Carlo runs (Baca, 1993). For each simulation, the fault detection time $t_{fd}$ and the fault isolation time $t_{fi}$ are the main quantities computed: $t_{fd}$ is the instant at which a fault is detected, measured from its actual occurrence time, and $t_{fi}$ is the instant at which a fault is isolated, again measured from its actual occurrence time. The indices computed over the number $n_{MC}$ of Monte Carlo simulations are listed below. They include, for example, the mean detection/isolation time for each fault; this can also be computed for all faults considered together, but that figure is not included with the other indices as it can be computed subsequently.
• False Alarm Rate, $r_{fa}$: the number of wrongly detected faults divided by the total number of fault scenarios;
• Missed Fault Rate, $r_{mf}$: for each fault, the number of times it goes undetected divided by the total number of times that fault occurs;
• True Detection Rate, $r_{td}$: for a particular fault, the number of times it is correctly detected divided by the total number of times that fault occurs;
• True Isolation Rate, $r_{ti}$: for a particular fault, the number of times it is correctly isolated divided by the total number of times that fault occurs;
• Wrong Isolation Rate, $r_{wi}$: for a particular fault, the number of times it is wrongly isolated or not isolated divided by the total number of times that fault occurs;
• Mean Detection Time, $t_{md}$: for each fault, the average of the detection time over the Monte Carlo runs, $\sum t_{fd} / n_{MC}$;
• Mean Isolation Time, $t_{mi}$: for each fault, the average of the isolation time over the Monte Carlo runs, $\sum t_{fi} / n_{MC}$;
• Computation Time, $t_C$: the time taken to detect and isolate a fault, including the residual generation and evaluation time.

The True Detection Ratio can also be calculated as the average number of true detections ($r_{td}$) divided by the average number of false detections ($r_{fa}$); the True Isolation Ratio can be computed similarly. These indices are computed over a number $n_{MC}$ of Monte Carlo simulations for each fault scenario and each fault commencement time. Note that, in order to compare the FDI methods, standard fault scenarios have been considered. The observer design and parameter tuning have again been performed by means of Monte Carlo simulations. The tuning methodology and performance evaluation stages are described by Fig. 2. In particular, (i) the residual generator observer parameters are computed, i.e. the matrices $(A, B, C, H)$ for Method-I and the matrices $F_k$, $T_k$, $K_k$ and $H_k$ for Method-II; (ii) the observer dynamics are designed to be stable and significantly faster than the system; (iii) the fault detection thresholds $\varepsilon$ are set so as to optimise the FDI criteria, in particular the false alarm and missed fault rates. Finally, all the performance criteria listed above have been evaluated in simulation, and all possible comparisons have been carried out with the classical FDI (i.e. simple limit checking tests) as implemented on MEX.

Fig. 2. Design, tuning and performance evaluation.

5. SIMULATION RESULTS
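Before the results, the evaluation procedure of Fig. 2 and the indices of Section 4 as a runnable added example. This is not code from the paper, from EADS-Astrium or from the MEX simulator: it shows, in Python, a bank of residual generators of the form of Eq. (1) with W = I, the threshold test of Eq. (4) made slightly more conservative by a persistence count, the Monte Carlo loop in which the plant parameters are perturbed in every run while the observers keep the nominal model, and the Section 4 rates and mean times computed from the run outcomes. The plant is a constructed, decoupled first-order rate model per axis with a constant thruster command and a disturbance, chosen so that one observer per axis already yields a structured residual set (the paper's unknown-input decoupling is not reproduced); the model constants, the total-loss thruster fault, the noise level, the ±2% parameter perturbation, the threshold, the persistence count and the sampling period are all assumptions.

```python
"""Added example, not code from the paper: per-axis residual generators of the
form of Eq. (1), the threshold test of Eq. (4), and a Monte Carlo evaluation
computing the Section 4 indices on a constructed, simplified rate model.
Every number below (model constants, noise, perturbation bound, threshold,
persistence count, sampling period) is an assumption, not a MEX value."""
import random
from dataclasses import dataclass

N_AXES = 3                              # one residual generator per axis
A_NOM, B_NOM, D_NOM = 0.9, 0.05, -0.02  # assumed model: w[k+1] = a*w[k] + b*u[k] + d
U_CMD = 0.8                             # assumed constant thruster command
H_GAIN = 0.3                            # observer gain H of Eq. (1)
EPS = 0.04                              # threshold epsilon of Eq. (4)
PERSIST = 3                             # consecutive samples over EPS before an alarm
T_S = 0.1                               # assumed sampling period [s]
N_STEPS = 200


@dataclass
class RunResult:
    fault_axis: int      # -1 for a fault-free run
    fault_time: int      # sample at which the thruster fault commences
    detect_time: int     # sample of the alarm, -1 if none
    isolated_axis: int   # axis blamed at the alarm, -1 if none or ambiguous


def simulate_run(rng, fault_axis, fault_time, noise_sd=0.003, pert=0.02):
    """One run: plant with randomly perturbed parameters, observers with the
    nominal ones; the fault is a total loss of thrust on one axis."""
    a = [A_NOM * (1 + rng.uniform(-pert, pert)) for _ in range(N_AXES)]
    b = [B_NOM * (1 + rng.uniform(-pert, pert)) for _ in range(N_AXES)]
    d = [D_NOM * (1 + rng.uniform(-pert, pert)) for _ in range(N_AXES)]
    w = [0.0] * N_AXES        # true rates
    w_hat = [0.0] * N_AXES    # observer states, one x_hat of Eq. (1) per axis
    above = [0] * N_AXES      # consecutive samples with |r_i| > EPS
    detect_time, isolated = -1, -1
    for k in range(N_STEPS):
        y = [w[i] + rng.gauss(0.0, noise_sd) for i in range(N_AXES)]
        r = [y[i] - w_hat[i] for i in range(N_AXES)]   # r_k = y_k - C x_hat_k, W = I
        for i in range(N_AXES):
            above[i] = above[i] + 1 if abs(r[i]) > EPS else 0
        if detect_time < 0:
            firing = [i for i in range(N_AXES) if above[i] >= PERSIST]
            if firing:   # first alarm only; a single firing residual isolates the axis
                detect_time = k
                isolated = firing[0] if len(firing) == 1 else -1
        for i in range(N_AXES):
            w_hat[i] = A_NOM * w_hat[i] + B_NOM * U_CMD + D_NOM + H_GAIN * r[i]
            thrust = 0.0 if (i == fault_axis and k >= fault_time) else 1.0
            w[i] = a[i] * w[i] + b[i] * thrust * U_CMD + d[i]
    return RunResult(fault_axis, fault_time, detect_time, isolated)


def nominal_run(fault_axis, fault_time):
    """Noise-free, exactly modelled run: the check to make before any tuning."""
    return simulate_run(random.Random(0), fault_axis, fault_time, noise_sd=0.0, pert=0.0)


def monte_carlo(n_mc, fault_time, seed=1):
    """n_mc fault-free runs plus n_mc runs per faulty axis, one scenario each."""
    rng = random.Random(seed)
    runs = []
    for fault_axis in [-1] + list(range(N_AXES)):
        runs.extend(simulate_run(rng, fault_axis, fault_time) for _ in range(n_mc))
    return runs


def false_alarm(run):
    """An alarm in a fault-free run, or before the fault commenced."""
    return run.detect_time >= 0 and (run.fault_axis < 0 or run.detect_time < run.fault_time)


def indices(runs):
    """Section 4 indices: r_fa over all runs, then per-fault rates and mean times [s]."""
    def mean_time(rs):
        return sum((r.detect_time - r.fault_time) * T_S for r in rs) / len(rs) if rs else None

    out = {"r_fa": sum(1 for r in runs if false_alarm(r)) / len(runs)}
    for f in sorted({r.fault_axis for r in runs if r.fault_axis >= 0}):
        occ = [r for r in runs if r.fault_axis == f]
        det = [r for r in occ if r.detect_time >= r.fault_time]
        iso = [r for r in det if r.isolated_axis == f]
        out[f] = {"r_td": len(det) / len(occ), "r_mf": 1 - len(det) / len(occ),
                  "r_ti": len(iso) / len(occ), "r_wi": 1 - len(iso) / len(occ),
                  "t_md": mean_time(det),
                  "t_mi": mean_time(iso)}   # isolation is decided at the alarm, so t_fi = t_fd
    return out


if __name__ == "__main__":
    stats = indices(monte_carlo(200, fault_time=60))
    print("r_fa =", stats["r_fa"])
    for axis in range(N_AXES):
        print("thruster fault on axis", axis, stats[axis])
```

Running the file prints r_fa and the per-axis rates and mean times for 200 runs per scenario; nominal_run() is the noise-free, exact-model check worth doing before any Monte Carlo tuning, since a threshold that cannot catch the fault without noise will not catch it with noise and perturbed parameters either. The persistence count trades a few samples of detection delay for a false-alarm rate that stays at zero under the assumed ±2% parameter mismatch and sensor noise.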
The proposed FDI methods have been applied to the linear model of the MEX system. In the case of Method-II, the residual generators have been designed on the basis of the linearised satellite model. For Method-I, the residual generators are based on identified linear models corresponding to the different fault scenarios. The MEX simulator was improved by EADS-Astrium to take into account the model of the measurement sensors and the stochastic description of the model uncertainty. The methods have been partially tested on the fully non-linear MEX model in the MATLAB/SIMULINK® environment.

The indices for the performance and reliability evaluation were computed from extensive simulations with the MEX SIMULINK® simulator. Through many Monte Carlo runs, the imperfect process modelling, uncertainty, disturbance and noise can be taken into account, to give more accurate and realistic results. The complete procedure was implemented by means of a MATLAB® software tool, currently under development, which automates the simulation process. Such diagnosis feasibility and reliability studies are of paramount importance for the real application of FDI once implemented on-board future spacecraft.

For the performance analysis of the designed FDI methods, a number of Monte Carlo simulation tests ($n_{MC} \ge 1000$) were carried out; the results are summarised hereafter. Monte Carlo simulation is considered a very effective tool for testing the robustness of the design: in each run, various parameters, e.g. the centre of gravity and the thruster configuration, are slightly altered by the simulation within specified limits, which facilitates an assessment of the FDI robustness. The performance of Method-I and Method-II, together with that of the current MEX classical FDI scheme, has been analysed on the basis of a large number of Monte Carlo simulations of the MEX model. Table 1 presents the results obtained for the simulated MEX thruster faults, in a brief comparison showing whether the FDI methods considered are able to detect and isolate the faults, together with the related rates. The results demonstrate that Monte
Carlo simulations are an effective tool for testing the design robustness. This simulation technique also facilitates an assessment of the reliability of the applied FDI methods.

Table 1. Comparison of FDI methods applied to the MEX spacecraft with thruster faults.

Index     Classical FDI   Method-I   Method-II
r_fa      0.00            0.0000     0.00
r_mf      N/A             0.0000     0.0000
r_td      0.999           0.995      0.999
r_ti      N/A             0.995      0.999
r_wi      N/A             0.005      0.001
t_md      1.1 s           1.2 s      1.1 s
t_mi      N/A             1.6 s      1.5 s
t_C       0.6 s           1 s        1 s

6. CONCLUSION

The design and performance evaluation of two FDI schemes have been incorporated into the development of reliable diagnosis methods, using extensive Monte Carlo simulation. After a brief description of the MEX satellite orbiter system, two possible approaches to the MEX FDI have been outlined. Various indices for the performance evaluation of the two chosen FDI methods were analysed on the monitored MEX system. The Monte Carlo simulation approach to both the FDI scheme design and its performance evaluation exploited here has yielded more reliable results than the conventional software reliability models.

ACKNOWLEDGMENTS

Funding support for this work from the European Space Agency and EADS-Astrium (Toulouse) is gratefully acknowledged.

REFERENCES

Baca, A. (1993). Examples of Monte Carlo methods in reliability estimation based on reduction of prior information. IEEE Trans. on Reliability 42(4), 645–649.
Bartys, M., R. J. Patton, M. Syfert, S. de las Heras and J. Quevedo (2006). Introduction to the DAMADICS Actuator FDI Benchmark Study. Control Engineering Practice 14(6), 577–596. Special Issue "Fault Diagnosis of Actuator Systems: the DAMADICS Benchmark Problem".
Chen, J. and R. J. Patton (1996). Optimal filtering and robust fault-diagnosis of stochastic systems with unknown disturbances. IEE Proc.-D: Contr. Theory & Appl. 143(1), 31–36.
Chen, J. and R. J. Patton (1999). Robust Model-Based Fault Diagnosis for Dynamic Systems. Kluwer Academic Publishers.
Isermann, R. (1997). Supervision, fault detection and fault diagnosis methods: an introduction. Control Engineering Practice 5(5), 639–652.
Patton, R. J. and J. Chen (1994). A review of parity space approaches to fault diagnosis for aerospace systems. AIAA J. of Guidance, Contr. & Dynamics 17(2), 278–285.
Simani, S., C. Fantuzzi and R. J. Patton (2002). Model-based fault diagnosis in dynamic systems using identification techniques. Advances in Industrial Control, first ed., Springer-Verlag, London, UK. ISBN 1852336854.