Analytic Redundancy Management for Systems with Appreciable Structural Dynamics

C:()P~

right

© 1FAC .-\,h·anced

FAL' LT DETECTION ,\ NIl DIAGNOSIS

Inf ormatioll

Pr()lt~ss illg ill AUlomalit COlltrol. :\alH \. Frallcl'

I'IH'I

ANALYTIC REDUNDANCY MANAGEMENT FOR SYSTEMS WITH APPRECIABLE STRUCTURAL DYNAMICS R. C. Montgomery and

J.

Shenhar

.\'ASA L fllIgll',\' R I'.II' fll ·('/i CI'IIII'I'. ,\l flil ,';Iop 161. II oII/PlulI. 1':\ 23(,(,5. L'S.4

Abstract. This paper deals with analytic redundancy management of systems that have appreciable structural dynamics and require active control. Specifically. the class of systems considered is large, light weight spacecraft that have large numbers of distributed sensors and actuators. The principal subject treated is on-line failure detection, identification, and recovery for control system component failures. An analytic redundanc y management system has been proposed based on testing the residual sequence of a single Kalman filter. The NASA Langley Spacecraft Control Laboratory Experiment research facility (SCOLE) is used to evaluate the system. SCOLE is an experimental facility at the Langley Research Center which was designed for research in the control of large, flexible structures. The experimental apparatus is a functional model of the space shuttle with a large, flexible, offset-feed antenna attached. Keywords. Failure detection; identification; structural dynamics ; co ntrol systems, analytic redundancy management, Kalman filter, sequential probability ratio test.

I NTRODUCTI ON

ON-LINE FDI&R USING ANALYTIC REDUNDANCY

Future space missions may involve very large and highly flexible spacecraft that require active structural dynamics control. Long life requirements, large numbers of sensors and actuators, and heavy dependence on the proper operation of the control system dictate that the control system must operate acceptably in the presence of component failures. The option of hardware duplication may not be feasible when large numbers of physically distributed components are attached to a light weight , highly flexible spacecraft. Hence, sensors which measure dynamically different quantities and actuators which have different effects on the system need to be managed using analytic models. This analytic redundancy management is the subject of this paper.

Reconfiguration can generally be accomplished by switching to a control system designed for a specific failure mode once the failure is identified. Detection and identification of the particular failure is, of course, the fundamental problem . Popular methods for detecting failures involve signals from three or more identical devices that sense the same physical quantity. This allows detecti on and identificati on of failures at the expense of added components. In some cases, the sensor set consists of signals from components whose generi c type or lo cation is different. Therefore, it is a redundant set on ly if the analytic relationships between the signals can be adequately modeled. This enables an Analytic Redundancy Management (ARM) among sensors that have generically different outputs .

To effectively incorporate reliability into the design of spacecraft control systems, both the preliminary design and the on-orbit operation of the system must be considered. Preliminary design stUdies must be made on the effects of component placement on the probability of mission success [11. Also, since hardware duplication may not be viable, on-line automatic Failure Detection, Identification, and control system Reconfiguration (FDI&R) algorithms based on analyti c al models need to be developed. This design process, involving the placement of actuators as well as on-line design considerations, is illustrated in [21.

The literature is ri c h in reports relating to theory applicable to ARM for systems that do not involve flexibility. A comprehensive literature survey is provided in reference [31. For large flexible spacecraft, ARM must both detect and identify failures of physically distributed sensors which produce signals relat ed through more complex structural dynamics. One of the early uses of optimal decision theory to accomplish ARM is reported in reference [41 . The system was computationally intensive, requiring a bank of Kalman filters. It still cannot be implemented in real time with the current state of the art in computer technology . To get an appreciation of this limitation, the SCOLE apparatus, described in a later section, uses a microcomputer-based system that has a computational capability similar to space-qualified control computers. As presently configured, the system can process a single steady-state LQG algorithm that uses three rate gyro and two accelerometer sensors to estimate the five lowest frequency modes of motion of the SCOLE mast, and commands three torque

To develop these topics this paper is organized as follows. First, the FDI&R theory to be evaluated is described. Next, the apparatus used for the evaluation is described along with the simulator which is being developed. The simulation has not been completed, however, preliminary SCOLE Simulation results are presented. So that the reader may appreciate various elements of the theory presented, typical results from a similar experiment conducted on the Langley Grid apparatus [21, will be presented .

45

.j(j

K.

c:.

;\(OIll!i0lIlCr\·

wheel actuators, at a sample rate of only .1 sec. Indeed, this is disappointing to the modern control theorist, but it is the current situation. Unlortunately, high computational requirements are characteristic of optimal decision theoretic ARM . Thus, practical ARM failure detection and identification systems are suboptimal. Optimal decision theory is important, however, since it provides the basis of evaluation of the performance of various suboptimal ARM systems. The suboptimal system reported in references [5] and [6] has been selected for presentation. Therein, the residual sequence of a single operating Kalman filter is used to detect and identify failures. After a failure has been identified, a Kalman filter previously designed for the remaining sensor set is used. The residual sequence of this filter is then processed to identify any further failures. The technique is suboptimal since only the residual from one Kalman filter is used and the failure hypotheses are tested sequentially. Also, herein, only bias type sensor failures are considered. The technique is amenable, however, to handling any sensor failure that has a recognizable effect on the innovations (or estimated residuals) of the Kalman filter. Following the diagram of figure I, the sensor measurements are sampled at uniform intervals and processed by one of the Kalman filters selected by the failure state estimate H. The filters are 1

designed for each anticipated failure condition. This enables the scheme to handle multiple simultaneous failures. The decision as to whether or not a failure has occurred is made by processing each scalar element of the innovations of the selected filter using Wald's Sequential Probability Ratio Test, SPRT [7]. Wald's SPRT algorithm was designed to determine which of two statistical processes generated the input to the algorithm. Thus, it is a binary hypothesis test wherein the hypotheses (for our case) correspond to failure and no failure. At a specific sample time, insufficient data may have been accumulated to make a good decision. Thus, the possible outputs of the SPRT algorithm are: failure detected, no failure detected, and no decision. Returning to figure I, since a failure of a single sensor affects more than one sensor innovations sequence, an interpreter is required to examine the innovations of the operating filter for the appropriate failure signature. Thus, after a failure detection is made, the SPRT output interpreter produces the estimate of the failure mode. Now, elements of Kalman filter theory needed to implement the FDI&R strategy will be presented; this is followed by a presentation and discussion of Wald's sequential probability ratio test; finally, simulation of a functional model of the space shuttle, the SCOlE experimental apparatus, intended to illustrate the practical implementation of the strategy, will be presented and discussed. A SUMMARY OF ESSENTIAL lQG THEORY Herein, a finite element model is assumed given for the purpose of control system design. Such a model can be cast in the form

x

= Ax +

Bu

(1)

where x is an n-dimensional vector consisting of pairs of modal amplitude and velocity elements and u is an m-dimensional input vector conSisting of actuator forces and moments.

alld

J.

Shcllhar

Most modern control systems use a digital computer to generate torque and moment commands to actuators; hence, a difference equation form of the model is most appropriate:

where x is the state at t=t and k k control over the time interval [t ,t k

u k+l

k ].

is the The

matrices ~ and 1 are constant if a uniform sample interval, T = t + -t , is used and are given by k1 k e

AT

and

1

One measure of performance for vibration suppression is T

J

J(X'QX + u'Ru)dt o

with matrices Q = Q'>O and R = R'>O . This performance equation can be written in a form that is convenient for the use of the difference equation model: N

J =k~O(x~Qxk + x~Wuk + ukRu k )

(2)

The term involving W can be eliminated using the control variable transformation u = -Fx + v and k k k appropriately selecting the matrix F [8]. This results in the model equation

together with the performance measure equation N

J = L (x'Qx + v Rv ) (3) k=0 k k k k The discrete optimal linear regulator problem is the problem of determining the control sequence v k that minimizes J. In our application, the only element of concern is ~he resulting optimal performance measure, J , which is of the form J'=x'Xx o 0 0 where and

x X

(4)

is the initial value of the state at t=O

o

is the solution of the discrete Riccati

o

equation at stage X

wherein

F = k

o.

That is, with +

k

(R

+

F'Rr k k

XN=O, +

r' Xk1)-l r , Xk+l ~ and

Qk ~k= ~ - lF · k

Equation (4) provides a measure of the best realizable performance of a control system assuming that the m actuators making up u are functional. Computational algorithms for constructing the coefficient matrices needed in equations (2) and (3) and for solving for Xo in (4) can be found in the ORAClS computer-aided design package [8] . Now consider the estimation of the state x required to implement the regulator control law. With additive noise, the state model for designing the estimator is of the form: Xk + 1 =

~Xk

+

lU k

+

nk

with a measurement model: Yk = HX k + vk where n

k

and v

k

are Zero-mean Gaussian white noise

sequences with nontrivial variances N and V, respectively. The filter used herein is the optimal

Analytic Rcdundanc\'

Kalman filter that minimizes the function J=~~ E(e~ e ) ,where the estimation error is defined k as e. = y. - Hx.. The filter state x. satisfies: Xk+1

~Xk

G(Yk - Hx k )

+

wherein the filter gain G is given by: ~PH'

G and P satisfies: P

~P~

(R + HPH')

variance u

2

, whereas the failure hypothesis, H , is 1 characterized by the residual signal being Gaussian, 2

having mean m with the same variance, u . Such a failure condition is likely based on the electrical characteristics of available control system components. Assuming the sensor noise is Gaussian , the residual sequence of the Kalman filter will also be Gaussian. Under these assumptions the sequential probability ratio test becomes

-1 +

exp[-1I2U21~1 (r 1-m)2]

GRG' + N

and ~

B<

- GH

~

47

r-.lalla~el1lcnt

2

The matrix P represents the steady state variance of the state estimation error of the filter. The mean square of the estimation error for all states, trace(P), is a measure of the expected performance of the filter. Computational algorithms for determining the matrix performance indicators, X and P, are inc luded in the ORACLS computer-aided design package [8J. They have been used herein to predict the performance of an advanced redundancy management control system for the SCOLE apparatus discussed in the sequel.

k

exp [-1 / 2U L

< A

r~]

1= 1

The value of the test mean m is the designer's choice and may reflect robustness considerations [9J.

For real-time analysis, one would prefer to eliminate the need for exponentiation . Wald notes that by taking the logarithm of the last equation, the above simplifies to In B <

-m ---2

2cr

k

L

[

1=1

m-2r

]

1

< In A

WALD'S SEQUENTIAL PROBABILITY RATIO TEST Sequential testing of a sample was developed by Wald during World War 11 as a means to economize on the number of observations required in a test procedure. The method's primary feature is that the number of observations required to make the decision is not determined a prif[i. Whether a decision can be reached on the n sample is based on the outcome of the previous observations. The number of observations required to reach a decision is on the average less than that required for a similar test with a fixed number of observations. The SPRT algorithm decides in favor of one hypothesis, Ho' over another, H , by sequentially 1 calculating the ratio of the probability of the input data sequence assuming one hypothesis to that assuming the other . Thus, L

P(r 1,r 2 , · · · ,r k IH ) 1 k

P(r 1,r 2 , · · · ,r.IHo)

where r'=(r ,r , . . . ,r.) is the 1 2 associated with one sensor and density function. To determine hypothesis for the sequence, an formed: B < L

k

sample of residuals P( · ) represents the the most probable inequality is

< A

As sample data are taken, the magnitude of the SPRT decision variable, L , is checked. If it is less k than a predetermined threshold B, a decision is made in favor of the no failure hypothesis Ho and the test is terminated. If it is greater than a threshold A, the decision is made in favor of failure hypothesis H1 and, again, the test is terminated.

No decision can be made as long as Lk

is between A and B. In that case more data are required to make a decision and the test continues. The thresholds A and B are selected by the designer and reflect his concern over the risk involved of missing a failure and the nuisance created by sounding a false alarm. In the implementation described here, the no-failure hypothesis, Ho' is characterized by the residual Signal being Gaussian, having a zero mean with a

The threshold constants, A and B, are selected based on how certain one wants to be of making the correct decision. The formulas relating the probability of missed detection, P , the probability of false m

alarm, Pr' and the decision thresholds, A and B, are A=(l-P )/P m

f

and B=P l(l-P). m

f

Figure 2 illustrates

the mechanization of the SPRT algorithm (note sign change so that no failure decision is indicated by passage above the -In B threshold).

SCOLE APPARATUS The SCOLE hardware and support software, described in detail in [10J, have been selected to illustrate the topics developed herein. A photograph of the SCOLE is shown in figure 3. In this report, only those elements of SCOLE used in this research are described. Referring to the schematic diagram displayed in figure 4, SCOLE contains two major structural elements of interest herein: a planar, hexagonal, tubular structure representing an antenna reflector; and a single tubular flexible mast connecting the antenna to the rigid platform. The system actuators consist of three torque wheels that produce torque in three mutually orthogonal directions (figure 4). The sensors used in this report are a three-axis rate sensor located at the tip of the mast that measure angular rates about three mutually orthogonal axes parallel to the spin axes of the torque wheels and two accelerometers located at the cent er of the reflector that measure acceleration in the plane of the reflector. Experiments are run on SCOLE using a control computer. Programming is accomplished in any combination of C and FORTRAN 77 programs. The computer has analog-to-digital converters used to input the sensor data, digital-to-analog converters used to command the torque wheels, and a process timer used to achieve precise timing of the data sampling process. This equipment has been added to the original system along with software drivers which can be evoked from either C or FORTRAN 77 programs. A finite element model of the cantilevered SCOLE mast was used for the design of the Kalman filter and regulator presented in the preceding sections. This model included all components Indicated in figure 4 and the effects of gravity. A modal

-18

R.

c:.

\[OIlI ).(O llll'r\· alld

analysis of this model was conducted. Mode shape and frequency data for fifteen modes are available as inputs to a modal simulator. The frequencies of the first ten are listed in Table 1. The simulator simulates the SCOlE test structure, its sensors and actuators, and the control system of figure 1. (The sampled data nature of the control system is also simulated. 1 Bias fai lures to the sensor data processed by the control system can also be introduced. Table 1 . -

Modal Frequencies Obtained from the Finite Element Analysis of SCOlE

Mode Number

Frequency, Hz

1 2 3 4 5 6 7 8 9 10

.443 .447 1.504 2.913 4.345 6.821 10 . 18 13.57 14. 74 22.25

RESULTS AND DISCUSSION The objectives of the simulations are to identify component bias failures and reconfigure the control system to accommodate them. The first task is to determine the effect of failures on the residual sequence of the Kalman filter for the no failure hypothesis . This can be done by simulation of a normal test sequence on the SCOlE apparatus. This sequence is to initiate a test from a quiescent condition and to excite the structure using SCOlE actuators, e.g. the torque wheels of figure 4. Excitation is terminated after a prescribed level of sensor output has been achieved. Failures of the sensors are simulated by biasing the sensor output data. During the simulated failures the Kalman filter residuals and the SPRT decision variables are monitored. Figure 5 illustrates the sequence of events for this simulation. A similar study was done using the grid experiment [5). Figures 6 and 7 are the outputs of that experiment. Figure 6 shows that the residuals are not white as expected from theory. This is attributed to modeling errors in the Kalman filter model. The filter was designed for only five modes whereas the actual structure has a infinite number of modes. These characteristics are expected in residuals from SCOlE tests. A significant difference in this work and that of [5) is the addition of accelerometer data in the sensor set herein. The procedure for starting the SPRT's is to reset it every time a decision is reached. The average number of samples required to re~ch a decisionzcan be approximated by !he formulas k ~ (In Al I(m 12'2) if Ho is true, and k = (In Bl I(- m 12'2) if H1 is true. A typical decision variable time history is sketched in figure 8. Note that the failure decision time will be extended unless the failure occurs immediately after a no-failure decision has been made. The length of this extension may be z approximated by 2·ln(A)/(m /2·2). This time may be used to determine whether a closed loop controller will cause damage before reconfiguration of the filter. Thus, the scheme presented herein is to select the Kalman filter for the no-failure hypothesis and start all SPRT's for component failures to be considered. These SPRT's are reset each time a decisio n is made. If a failure decision is made, t he sensor used as the input to that SPRT is

.1.

Shl'llhar

selected as the failed component and the Kalman filter that was designed for that case is switched in as the active filter. Because failure of a sensor is uniquely reflected in the decision variable associated with that sensor, detection and identification may be accomplished simultaneously based on the outcome of a single decision variable. Reconfiguration of the filter to accommodate the failure of the third sensor is demonstrated in figure 9. The probability for missed detection was set at 0.0001 and the probability for false alarm was set to 0.01. These values were selected on the Judgment that to miss a failure is more detrimental to the system than to generate a false alarm. A bias failure is injected into the rate gyro signal at an arbitrary point in time and the residual immediately reflects the new mean. As can be seen from the figure, the failure decision is made within 2.1 seconds. The reconfiguration of the filter occurs in the same sample period and the estimate again converges in accordance with Kalman filter theory to produce zero-mean residuals.

SUMMARY A methodology that allows on-line failure detection, identification and reconfiguration using Kalman filter based approach has been presented. This FDI&R system involves sequential testing of the residuals of the single, active, Kalman filter using SPRT. The failure is then isolated by examining the residuals for a pattern corresponding to the failure case invol ved. Indi vidual fai lures obviously affect all innovations, but the nature of the filter and SPRT decision process allows trivial detection of the failure. The success of the method is conditioned on whether the theoretical zero-mean character of the innovations sequence can be relied upon as an indicator of a component failure. Unfortunately, component failures are not the only source of corruption to the innovations sequence. Model error is another. Hence, unless one can certify the model and the character of the innovations sequence before attempting on-line failure detection, the scheme will fail. Note that this does not require the model to be exact, only that the statistics of the nominal Kalman filter be known, and that the statistics of the innovations resulting from the failure be sufficiently different from the nominal.

REFERENCES 1.

Montgomery, R. C. and Vander Velde, W. E.: Reliability Considerations in the Placement of Control System Components. Journal of Guidance, Control, and Dynamics, May-June, 1985, pp. 411-413.

2.

Montgomery, R. C.: Analytic Redundancy Management for Systems with Appreciable Structural Dynamics. Proceedings of the 12th lMACS World Congress '88 on Scientific Computation, Paris, FRANCE, July 18-22, 1988.

3.

Montgomery, R. C. : Management of Redundancy in Flight Control Systems Using Optimal Decision Theory. Chapter in AGARDograph No. 251, Theory and Applications of Optimal Control in Aerospace Systems, Ir. Pieter Kant, Editor, pp. 11-1 through 11-12, July 1981 .

4.

Willsky, A. S.: A Survey of Design Methods for Failure Detection in Dynamic Systems. Automatica , Vol. 12, pp. 601-611, Pergamon Press, Great Britain, 1976 .

49

;-\n alni c Redund a ncy Manage lll e lll 5.

Hontgomery, R. C. and ~i l li ams , J. P.: Testing of A Fai l ure Accommodation Syste m on A Hi ghly Fl exib l e Grid. Proceedings of t he 1985 Ameri c an Cont r o l Conference, Boston, MA , June 19- 21, 1985 , pp . 98 4- 989.

6.

J. P. and Montgomery, R. C.: Failure Detection and Accommodation i n Struc tural Dynamics Systems Using Analyt i c Redundancy . 24th I EEE Conference on Decision and Contro l , For t lauderdale, Fl, December 11 -1 3, 1985.

7.

~a l d, Abraham: Sequent i al Analysis. Sons, New York, 1947.

8.

Arms trong , E. A. : ORAClS - A Design System for l inear Mul t ivar iabl e Co nt r o l . Marcel Dekker , Inc. , Ne w York, 1980 , pp . 63-66, 83-91 , and 99-1 04 .

9.

Deckert , J . C., Desai, M. N. , . , Deyst, J . J . and ~illsky, A. S. : Re liab l e Dual-Redundant Sensor Failure De t ec t io n and Iden t i ficati on f or the NASA F-8 DF B~ Ai r c r af t. Report No. R-1077, The Char l es Stark Dr ape r l aborat ory, Inc . , Cambridge, Massachuse t ts , May , 1977.

10 .

~illiams ,

~ i ll iams ,

J.

~i le y

&

J. P. and Ra ll o , R. A.: Desc ription of the Spacecraft Co ntro l l aborat ory Experiment (SCOlE) Fac ility . NASA TM-89057, January, 1987 .

- in (B) SPRT Decision Variable

No Failure Threshold - -

0

I· ()

--0

() () () () () () ()

Decision Point

Figure 1. -

Overvie w of t he fa i lur e det ec ti on logic.

Fail ure Threshold

- i n (A)

O'~------~5~--------'1~ O ------~

Sampl e number (k)

Figure 2. -

Be hav i or of t he SPRT decision variable .

RIGID PLATFORM

MAST

REFLECTOR

ACCELEROMETERS THREE AXlS RATE SENSOR

Figure 3 . -

Phot ograph of the Spacecraft Control laborat ory Experime nt - SCOlE .

REACTION WHEELS

Figure 4 . -

Significant components of SCOlE used .

:i()

EXCITRTION OF MODE

F

LBF

':~M -20

l~~ rll,'·

t

,1r~'

I

I

0

10

no

f:1l1

Llil

{:til

r;l tl'

r:tte

I "l'l\~\H 20

flll rat('

:l":~'l·l.

It t'n"...,r .:: I"l'n...;of

:;1

30

50

qO

Residual 2 (rad/sec)

fall

f.111

1 ac..:;c I .

I

60

70

-.

TJ ME . SEC. Figure 5.-

Sequence of events in the SCOlE simulation.

. ' 02 t ~ H ~ Lt-+ i!: ~Vt" . ~ ~ -.02 ....

Kes~dual

3 (rad/sec) 0

.

o Figure 6 .-

500 [

~::::~~:

20

- -'-:-!

.

"

.';

Time

(sec)

60

Effects of bias failures on estimatior

- - I _ .-- - --

m++ ~±

Y SPRT Trigger Points No Failure Threshold -In(B) Injected Here

SPRT

i

Decision Variable

i

I

: !

! 1

I !

!

i

........-r

.--;--

I

i

Decision

i !

Variable In(L )

!

t--r I

i

I

I

o

k

O t-+--t-~:----T-----+--*-

I 50

Time (seconds) -In (A) Figure 7.-

Failure Threshold

A time history of SPRT decision variables.

o

10

Time, sec .

Figure 8.-

~:';: i: :" +~~. I

I 20 Tine

Figure 9.-

( sec )

Reconfiguration of the Kalman filter in response to a failure.

A sketch of the SPRT trigger process