Copyright © IFAC 10th Triennial World Congress, Munich, FRG, 1987
RELIABLE FLIGHT CONTROL SYSTEMS: COMPONENTS PLACEMENT AND FEEDBACK SYNTHESIS

M. Mariton and P. Bertrand

Laboratoire des Signaux et Systèmes, CNRS - ESE, Plateau du Moulon
Abstract

For modern spacecraft and aircraft, reliable Flight Control Systems must be designed to provide some fault tolerance. The mission has to be carried out in the presence of failures. Jump Linear Quadratic systems are proposed as a suitable mathematical model and it is shown how control laws can be built with automatic reconfiguration and failure anticipation. A global approach to the design of reliable Flight Control Systems is outlined. It incorporates into a single analytical framework the three basic steps of the design, components selection, components location and control law synthesis, and provides a cost index that is sensitive to both reliability and performance issues.

Keywords Automatic reconfiguration, Fault detection and isolation, Control problems of flexible spacecraft.

1. INTRODUCTION

Modern spacecraft and aircraft rely heavily on digital fly-by-wire systems and mechanical back-up tends to disappear. The power of digital control leads to improved performance but also makes the issue of system reliability more sensitive: for high-cost/high-performance systems, the mission must be carried out even in the presence of some failures of components like actuators and sensors.

Methods to design reliable Flight Control Systems are thus needed, and constitute one of the most challenging topics offered to control theorists for the next decade. The purpose of this paper is to discuss some aspects of the problem and to introduce preliminary elements of a global approach. This global approach to the design of reliable Flight Control Systems will include in a one shot analysis the three main steps of the design, namely, components selection, components location and control law synthesis. The rest of the paper is organized as follows. A basic discussion of reliability in Flight Control Systems is first presented. Jump Linear Quadratic systems are next proposed as a suitable mathematical framework and several control law syntheses are presented. It is shown how a cost index is obtained which incorporates simultaneously performance and reliability considerations. These ideas are finally illustrated by an example with three masses and three springs, which captures some of the features of flexible structures control problems. It is found that the best components location depends on the mission time in a way that is affected by the control law synthesis. The trade-off between component authority and Mean Time Before Failure (MTBF) is quantitatively analyzed.

2. RELIABLE FLIGHT CONTROL SYSTEMS

To meet increased performance requirements, modern technological systems rely on ever more sophisticated control functions. A well-known example in aeronautics is the emergence of aircraft with negative centering, which trade reduced stability for higher manoeuvering capacities. The system being open-loop unstable, the control has to perform a vital stabilization function in any possible situation. It is then clear that the aircraft is vulnerable to incidents like component failure (actuators, sensors and on-board computers).

Large flexible structures in space provide another striking example. Solar arrays, mirrors or antennas of future spacecraft will be equipped with hundreds of sensors and actuators spread over their surface, and, to justify the costs involved, very long mission times will be desired (e.g. 20 years for the NASA Microwave Radiometer). For on-orbit systems, maintenance will be very difficult and rare. Many components operating on long times are bound to experience failure and, for these systems, it is only a slight over-statement to say that the normal mode of operation is a failed mode, meaning that some components have experienced failure.

In this context, mission satisfaction will rely heavily on the Flight Control System (FCS): control can provide some built-in fault tolerance. The basic idea for obtaining fault tolerance is to include some redundancy levels (Von Neumann 1956, Moore 1956). The use of triplex or quadruplex central units is now a common practice to obtain reliable computers. The name "no-down-time computer" was coined to stress the level of reliability obtained (Bernhardt 1980). For our problem this virtually eliminates the question of on-board computer failure, which is very unlikely with quadruplex processing units. However, for actuators and sensors some specific questions arise. First, the number of actuators and sensors precludes the systematic multiplication of redundant elements. The cost and complexity of a set of 200 quadruplex actuators (=800 components!) is unbearable. It must also be stressed that redundant components cannot be attached to the same spot on the structure: this means that direct physical redundancy is excluded and some dynamic model of the structure must be used to obtain analytic redundancy between non co-located components.

For redundant actuators and sensors, the basic structure of a reliable FCS is presented in Figure 1. The Redundancy Management System performs Detection and Isolation of the failures and Reconfiguration of the control law. During the last decade, the failure Detection/Isolation problem received considerable attention, and remarkable results were obtained. The main contributions around the C.S. Draper Laboratory (Adams 1984, Gai 1976) followed the work of (Willsky 1976). It also seems that similar ideas were independently and simultaneously developed in the USSR (Mironovskii 1980, Mozgalevskii 1978).
Figure 1 - Reliable Flight Control System (showing the Redundancy Management System)

For the Reconfiguration problem, one may contrast two approaches. First, one can initiate an on-line identification every time a failure is detected. Once the model of the failed regime is identified, a new control law synthesis is carried out for the model obtained. This approach is illustrated by (Looze 1984, 1985). It is quite demanding in on-line computer time but can respond accurately to failures, since an actualized model is identified. On the other hand, one may choose to single out a limited number of likely failure regimes prior to the mission. Control law synthesis is then conducted off-line for the various regimes. (Birdwell 1978, Siljak 1980) pioneered this idea, which was improved in (Mariton 1986). Some additional aspects of this approach are considered here.

3. MODELISATION: JUMP LINEAR QUADRATIC SYSTEMS

To analyze reliable FCS, one has to begin with a modelization of component failures. They are random, punctual events that affect the structure and the coefficients of the dynamic system equations. Consider for example the duplex system in Figure 2.

Figure 2 - Duplex control system

As indicated, this duplex system basically operates under four regimes, or modes, depending on the components which have failed up to the current time. At the present stage, component failures are modelled as a 0/1 switch, but it is clear that a more accurate description should allow intermediate regimes of partial failure with continuous degradation. However, mathematical problems then become much more intricate and this is left as a subject for future work. To the four modes of Figure 2 ($r \in \{1,2,3,4\}$), it is common practice in Reliability Engineering to associate a matrix of transition rates

$$\Pi = \begin{pmatrix} -2\lambda & \lambda & \lambda & 0 \\ \mu & -(\lambda+\mu) & 0 & \lambda \\ \mu & 0 & -(\lambda+\mu) & \lambda \\ 0 & \mu & \mu & -2\mu \end{pmatrix}$$

which describes the random evolutions of the current mode in {1,2,3,4} with $\lambda$ and $\mu$ respectively the failure and maintenance rates. Jump Linear Quadratic (JLQ) systems provide a generalization of the above model together with a tractable mathematical framework to study reliable control law synthesis.

They are hybrid systems; to the continuous state variable, $x(t) \in \mathbb{R}^n$, called the plant state, one appends a discrete variable, $r(t) \in S = \{1,2,\dots,N\}$, called the plant mode or regime. The evolution of the mode describes the occurrence of random events like component failures. The simplest model of these stochastic dynamics consists of a Markov chain on S with

$$\mathrm{Prob}\{r(t+\delta) = j \mid r(t) = i\} = \begin{cases} \pi_{ij}\delta + o(\delta) & \text{if } i \neq j \\ 1 + \pi_{ii}\delta + o(\delta) & \text{if } i = j \end{cases} \qquad (1)$$

where the matrix $\Pi = (\pi_{ij})$, i,j = 1 to N, is called the matrix of transition rates. The plant state dynamics are described by a linear equation

$$\dot{x}(t) = A(r(t))x(t) + B(r(t))u(t), \qquad y(t) = C(r(t))x(t) \qquad (2)$$

with a control $u \in \mathbb{R}^m$ and an observation $y \in \mathbb{R}^r$. Matrices A, B and C depend on the mode r(t) to translate the changes on the system structure and coefficients following the occurrence of failures. Since our objective is to study a closed-loop reconfigurable regulator, the linear approximation (2) is adequate. However, the non-linear nature of the real process must not be forgotten and it may require some special treatment (Sworder 1985, Mariton 1987). The synthesis of the control law will be optimized with respect to an averaged quadratic cost-function

where E{·} denotes mathematical expectation. The weighting matrices ($Q \geq 0$, $R > 0$) are also mode dependent to include the fact that the designer may weight differently output excursion and control authority in the different modes. Equations (1), (2) and (3) define the so-called Jump Linear Quadratic (JLQ) problem. Studies on jump linear systems were initiated around 1960 by (Krasovskii 1961) and (Florentin 1961), and important contributions are attributed to (Wonham 1970, Sworder 1969, 1976, 1983). In the sequel, the current value of the plant mode is often denoted by an index ($A_i$ stands for A(r(t)) when r(t)=i).

4. CONTROL LAW SYNTHESIS

For the JLQ problem, research produced several control syntheses depending on the on-line information structure, that is, on the availability of the plant state and mode. The solution with x and r available

$$u^* = \arg\min_{u(x,r)} J \qquad (4)$$

was obtained independently by (Sworder 1969) and (Wonham 1970). It consists of a state feedback with mode dependent gains

$$u^*(t) = -R_i^{-1}B_i'K_i(t)\,x(t) \quad \text{when } r(t)=i \qquad (5)$$

where the $K_i$'s, i=1 to N, are the solutions of a coupled set of Riccati equations

$$-\dot{K}_i = A_i'K_i + K_iA_i - K_iB_iR_i^{-1}B_i'K_i + \sum_{j=1}^{N}\pi_{ij}K_j + Q_i, \qquad i=1,\dots,N \qquad (6)$$

From (5) it is proposed that this solution be called the Optimal Switching State Feedback (OSSF); once the mode jumps from i to j, the optimal regulator switches its state feedback gain from $-R_i^{-1}B_i'K_i$ to $-R_j^{-1}B_j'K_j$. This clearly corresponds to
the desired reconfiguration property of the reliable FCS: the detection/isolation of a failure causes an automatic modification of the control law. But from (6) it appears that, thanks to the modelization of failures by the mode Markov chain, the OSSF control also has an anticipation property: the ith Riccati matrix $K_i$ depends through $\sum_{j=1}^{N}\pi_{ij}K_j$ on the Riccati matrices of the other modes $j \neq i$. It can be seen that this induces cautionary effects since a probable transition to a degraded mode ($\pi_{ij}$ and $K_j$ large) makes $K_i$ larger in (6), so that the ith gain is also increased. The interpretation is that the optimal controller "knows" (from the model) that the system will eventually switch to a degraded mode (e.g. unstable) and it increases its gain to ensure that it has hastily reached the desired output set-point before the transition occurs.

To implement (5), the plant state x(t) must be measured. This is rarely the case in practice, and it seems desirable to obtain control laws which would feed back only measured quantities, i.e. the output y(t). The corresponding optimization problem is thus

$$u^* = \arg\min_{u(y,r)} J \qquad (7)$$

In the restricted class of linear feedback laws, this problem was solved (Mariton 1985) to obtain the Optimal Switching Output Feedback (OSOF)

$$u^*(t) = F_i(t)\,y(t) \quad \text{when } r(t)=i \qquad (8)$$

If the solution exists, the gains $F_i$, i=1 to N, satisfy

$$F_i = R_i^{-1}B_i'\Lambda_iX_iC_i'(C_iX_iC_i')^{-1} \qquad (9)$$

where the $X_i$ and $\Lambda_i$, i=1 to N, matrices are the solutions of the following necessary conditions

$$-\dot{\Lambda}_i = \tilde{A}_i'\Lambda_i + \Lambda_i\tilde{A}_i + \sum_{j=1}^{N}\pi_{ij}\Lambda_j + Q_i + C_i'F_i'R_iF_iC_i, \qquad \Lambda_i(t_f) = 0 \qquad (10a)$$

(10b)

with $\tilde{A}_i = A_i - B_iF_iC_i$ and $X_i^0 = E\{x(t_0)x'(t_0) \mid r(t_0) = i\}$. Other control syntheses can be obtained for different on-line information structures. The idea here is to stress that for the basic JLQ problem one can now choose a variety of control strategies.

5. COMPONENTS SELECTION AND PLACEMENT

The JLQ model is used here to discuss the problem of components selection and placement (or location) on a flexible structure. Selection and location of components is a choice to be made in the early stages of a FCS design, and, to a large extent, it rules the ultimate quality attainable by the FCS. It is therefore necessary to provide some rational and quantitative support for this problem. It is demonstrated that the value of the cost function (3) provides an ordering of different selections and placements in the presence of failures. The major finding is that this ordering is dependent on the duration of the mission and also on the control law used.

5.1. Incorporating performance and reliability

The cost function reflects both the reliability and performance aspects of the control problem: it measures performance through the usual integral of the quadratic error to the desired position, but this performance is also influenced by component failures as modelled by the jump linear dynamics (1), (2). It is thus argued that (1), (2) and (3) provide a suitable tool to evaluate an FCS on the basis of its regulation accuracy and fault tolerance.

This is illustrated here with reference to the question of components selection and placement: should a designer pick up an actuator with large authority but small MTBF, or the contrary? Should sensors be clustered near the centre of a flexible structure, or spread all over the surface? The JLQ system models these issues and the cost (3) therefore provides a rational measure for selecting the appropriate compromise: the $B_i$, i=1 to N, matrices are function of actuators authorities and locations, the matrix of transition rates $\Pi$ is built from the individual components MTBFs, the $C_i$, i=1 to N, matrices describe the sensors accuracies and the way they degrade. The best components selection or location is therefore the one which minimizes the cost function (3). As such, this new optimization problem is a very difficult one. However, design constraints and some commonsense often reduce this problem to selecting a solution among a reduced number of possibilities. The cost function (3) can then be computed for these possibilities and an ordering of solutions is directly obtained.

Similar ideas were reported in (Montgomery 1983) for the grid structure at NASA Langley Research Center. However, the Jump Linear model was introduced only in the analysis of different solutions. The control law synthesis was pursued in a Linear Quadratic framework, while for the analysis of the performance and reliability obtained, one switched to a Jump Linear Quadratic formulation. It is thus the discrepancy between the synthesis and analysis steps in (Montgomery 1983) which inspired the idea to use a JLQ model right from the beginning. The reason was our feeling that the control synthesis should influence the reliability issue. This interaction between control synthesis and reliability evaluation is now demonstrated in the example below.

5.2. Example

To illustrate the approach proposed, a simple example is now considered. Although of small dimension, it captures the essential features of flexible structures control (Rossi 1979). Figure 3 represents a system of three masses and springs and two actuators. The actuators can be placed on any of the three masses to provide direct force control. This system is described in $\mathbb{R}^6$ with $x' = (x_1, \dot{x}_1, x_2, \dot{x}_2, x_3, \dot{x}_3)$ and $u' = (f_1, f_2)$, where $x_i$ is the ith mass deviation.

Figure 3 - A simple flexible structure
For the actuator location of Figure 3 the model is thus

$$\dot{x} = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ -20 & -0.5 & 20 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 10 & 0 & -20 & -0.5 & 10 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 10 & 0 & -20 & -0.5 \end{pmatrix} x + \begin{pmatrix} 0 & 0 \\ 1 & 0 \\ 0 & 0 \\ 0 & 0 \\ 0 & 0 \\ 0 & 1 \end{pmatrix} u$$

For other actuator locations, one adapts the B matrix by moving 1 and 0 to the right places. Actuator failure produces a zero entry in B. The MTBF of the ith actuator is $1/\pi_i$, i=1,2. No maintenance is allowed. For two actuators one has N=4, but the complete failure case (B(4)=0) was excluded in order not to bias the problem by a dominant catastrophic failure mode. Hence the matrix of transition rates is

$$\Pi = \begin{pmatrix} -(\pi_1+\pi_2) & \pi_1 & \pi_2 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix}$$

and the initial mode r=1 is transient with two trapping failed modes r=2 and r=3.

Consider first the problem of components location. We wish to decide between, say, locations A and B of Figure 4.

Figure 4 - Two possible component locations

The OSSF laws were used. The optimal performance is then

$$J^* = \tfrac{1}{2}\,x_0'K_1(t_0)\,x_0 \qquad (12)$$

which reduces to trace $K_1$ for $x_0$ uniformly distributed over a sphere of radius $\sqrt{2}$. The cost matrix $K_1$ of course depends, through (6), on the complete JLQ system and especially on the components location and selection. Location A will be preferred to location B when $J_A^* < J_B^*$. Since the cost depends on the $\pi_i$'s, i=1,2, i.e. on the actuators MTBFs, several sets of Riccati equations were solved. As illustrated in the figures below, it happened that the values assigned to the $\pi_i$'s, i=1,2, strongly modified the form of the curves obtained. On Figures 5 and 6, the costs $J_A^*$ and $J_B^*$ are plotted as a function of the mission duration, or mission time $t_f$, for varying $\pi_i$'s, i=1,N.

Figure 5 - Location A / B, $\pi_1$=1. and $\pi_2$=0. (axes: Cost versus Mission time)

Figure 6 - Location A / B, $\pi_1$=2. and $\pi_2$=0.5 (axes: Cost versus Mission time)

The striking conclusion from these curves is that the choice of a best location depends on the mission time: for small $t_f$, $J_A^* < J_B^*$ and for large $t_f$, $J_B^* < J_A^*$. The interpretation is that for short missions ($t_f$ small), failures are unlikely and one should spread actuators to improve regulation, whereas for long missions ($t_f$ large) failures will eventually occur and actuators clustered on the central mass provide better redundancy. This illustrates the power of the approach proposed which aggregates into a single measure, the optimal cost function, reliability and performance aspects of an FCS evaluation. The duration after which B should be preferred varies greatly with the values of $\pi_1$ and $\pi_2$, and the shape of the curves is also modified.

The same kind of findings were already reported in (Montgomery 1983) for an LQ synthesis. Here it is further demonstrated that the control law synthesis affects the best location choice. Figure 7 plots the overcost $J_B^* - J_A^*$ for the JLQ synthesis which is proposed here and the LQ synthesis of (Montgomery 1983).

Figure 7 - JLQ / LQ synthesis (axes: Overcost versus Mission time)

For both syntheses, it appears again that for short missions A should be preferred (the overcost is positive), while B is the best choice for long missions (the overcost is negative). But the point to be stressed now is that the critical mission duration, after which the best choice turns from A to B, is significantly influenced by the control law synthesis. It appears that the JLQ synthesis yields a more cautious result by indicating B as the best choice for shorter mission times. This can be interpreted as a result of the model of failures which is present in the JLQ synthesis: while the LQ synthesis ignores failures, the JLQ one "knows", through the model (1), (2), that failures will eventually occur. Hence it tends to favour the location which provides better actuator redundancy, location B.
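The difference between a synthesis that "knows" about failures and one that ignores them can be reproduced on a scalar two-mode instance of the coupled Riccati equations (6). The Python sketch below is an added illustration, not code from the paper: the plant values (a, b, q, r), the zero terminal cost at $t_f$, and the convention that the cost-to-go after the failure equals $K_2$ for both designs are assumptions.

```python
"""Scalar two-mode instance of the coupled Riccati equations (6).

Mode 1: actuator healthy (b != 0). Mode 2: actuator failed (b = 0), trapping,
no maintenance, so Pi = [[-p, p], [0, 0]] with p the failure rate.
All numerical values are constructed for illustration.
"""


def rhs(state, a, b, q, r, p):
    """Derivatives in reversed time s = t_f - t."""
    k_lq, k1, k2, l1 = state
    f_lq = b * k_lq / r  # gain of the LQ design, which ignores failures
    d_lq = 2 * a * k_lq - b * b * k_lq * k_lq / r + q            # plain LQ Riccati
    d_k1 = 2 * a * k1 - b * b * k1 * k1 / r + q + p * (k2 - k1)  # (6), mode 1
    d_k2 = 2 * a * k2 + q                                        # (6), mode 2
    # Cost-to-go in mode 1 when the LQ gain is applied to the jump system
    # (assumed: after the failure both designs incur the same cost K2).
    d_l1 = 2 * (a - b * f_lq) * l1 + q + r * f_lq * f_lq + p * (k2 - l1)
    return (d_lq, d_k1, d_k2, d_l1)


def solve(t_f, p, a=0.5, b=1.0, q=1.0, r=1.0, steps=2000):
    """Integrate backward from t_f to t_0 = 0 with a fixed-step RK4 scheme."""
    h = t_f / steps
    y = (0.0, 0.0, 0.0, 0.0)  # assumed: zero terminal cost at t_f

    def shifted(base, slope, scale):
        return tuple(v + scale * d for v, d in zip(base, slope))

    for _ in range(steps):
        s1 = rhs(y, a, b, q, r, p)
        s2 = rhs(shifted(y, s1, h / 2), a, b, q, r, p)
        s3 = rhs(shifted(y, s2, h / 2), a, b, q, r, p)
        s4 = rhs(shifted(y, s3, h), a, b, q, r, p)
        y = tuple(v + h * (d1 + 2 * d2 + 2 * d3 + d4) / 6
                  for v, d1, d2, d3, d4 in zip(y, s1, s2, s3, s4))
    k_lq, k1, k2, l1 = y
    return {
        "K_lq": k_lq,                  # LQ cost matrix, failures ignored
        "K1": k1,                      # JLQ cost matrix in the healthy mode
        "K2": k2,                      # cost matrix in the failed mode
        "cost_lq_under_failures": l1,  # LQ gain evaluated on the jump model
        "gain_lq": b * k_lq / r,
        "gain_jlq": b * k1 / r,        # magnitude of the OSSF gain (5), mode 1
    }


if __name__ == "__main__":
    print("p     gain_lq  gain_jlq  J_jlq    J_lq_under_failures")
    for rate in (0.0, 0.1, 0.5):
        res = solve(t_f=2.0, p=rate)
        print(f"{rate:<5} {res['gain_lq']:.4f}   {res['gain_jlq']:.4f}    "
              f"{res['K1']:.4f}   {res['cost_lq_under_failures']:.4f}")
```

With a zero failure rate the two designs coincide; as the rate grows the mode 1 gain rises, and the failure-blind LQ gain costs more than the OSSF gain when both are evaluated on the jump model.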
6. CONCLUSION

A methodology was proposed for the design of reliable Flight Control Systems. It was shown that Jump Linear Quadratic models provide a suitable mathematical framework for studying the questions involved. With a simple example, the selection and location of components were discussed. It was found that the optimal cost function reflects the various ingredients of the problem and can therefore be used to arrive at a rational choice among competing alternatives. The important roles of mission duration and control law synthesis were brought to light.

Several related questions deserve additional attention; for example, the influence of noise on the reliable FCS. A sensor failure can lead to increased jitter in the observation channel (additive noise) or to more uncertain instruments (multiplicative noise). It is therefore necessary to include additive and multiplicative sensor noises in the components selection discussion. As well, failures of actuators should be modelled more accurately than by a 0/1 switch, and modes of partial failures should be described.

Another approach was proposed by (Van der Velde 1982). The idea there was to measure the quality of a components placement by some deterministic degree of controllability. For the stochastic system (1), (2), the notion of stochastic ε-controllability in probability (Sunahara 1974) seems to provide a generalization of this concept. It would be interesting to compare the analysis based on the cost function proposed here to one based on a stochastic degree of controllability.
REFERENCES

ADAMS, M.B., H.N. GROSS, "Failure detection and isolation by dynamic hypothesis testing", in Proc. American Control Conf., June 1984, San Diego, pp.1779-1785.

BERNHARDT, R., "The no-down-time computer", IEEE Spectrum Mag., N°17, 1980, pp.33-37.

BIRDWELL, J.D., "On reliable control system designs", Ph.D. Dissertation, Mass. Inst. Technology, May 1978, Report N°ESL-TH-821.

CHIZECK, H.J., "Fault-tolerant optimal control", Ph.D. Dissertation, Mass. Inst. Technology, June 1982, Report N°903-23077.

FLORENTIN, J.J., "Optimal control of continuous-time, Markov, stochastic systems", J. Electronics Control, Vol.10, 1961, pp.473-488.

GAI, E.G., M.B. ADAMS and B.K. WALKER, "Determination of failure thresholds in hybrid navigation", IEEE Trans. Aerospace and Electronic Systems, AES-12, N°6, Nov. 76, pp.744-754.

ISERMAN, R., "Process fault detection based on modeling and estimation methods a survey", Automatica, Vol.20, N°4, 1984, pp.387-404.

KRASOVSKII, N.N., E.A. LIDSKII, "Analytical design of controllers in systems with random attributes", Aut. Remote Control, N°22, 1961, pp.1021-1025, 1141-1146, 1289-1294.

LOOZE, D.P. and co-authors, "An approach to restructurable control system design", in Proc. Conference on Decision and Control, Dec. 1984, Las Vegas, pp.1392-1397.

LOOZE, D.P. and co-authors, "An automatic redesign approach for restructurable control systems", IEEE Control Systems Mag., May 1985, pp.16-22.

MARITON, M., P. BERTRAND, "Output feedback for a class of linear systems with stochastic jump parameters", IEEE Trans. Aut. Control, AC-30, N°10, 1985, pp.898-900.

MARITON, M., P. BERTRAND, "Improved multiplex control systems: dynamic reliability and stochastic optimality", Int. J. Control, Vol.44, N°1, 1986, pp.219-234.

MARITON, M., "Jump linear quadratic control with random state discontinuities", 1987, to appear Automatica.

MIRONOVSKII, L.A., "Functional diagnosis of dynamical systems - a survey", Aut. Remote Control, Vol.41, N°8, 1980, pp.1122-1143.

MONTGOMERY, R.C., "Reliability considerations in the placement of control systems components", in Proc. AIAA Guidance and Control Conf., Gatlinburg, 1983.

MOORE, E.F., C.E. SHANNON, "Reliable circuits using less reliable relays", J. Franklin Institute, Sept. 1956, pp.191-208.

MOZGALEVSKII, A.V., "Technical diagnosis continuous plants - a survey", Aut. Remote Control, Vol.39, N°1, 1978, pp.145-166.

ROSSI, M. and co-authors, "Control of large space structures", Grumman Aerospace Corp., Report N°RE-589, April 1979.

SILJAK, D.D., "Reliable control using multiple control systems", Int. J. Control, Vol.31, N°2, 1980, pp.303-329.

SUNAHARA, Y. and co-authors, "On stochastic controllability for non-linear systems", IEEE Trans. Aut. Control, AC-19, N°1, 1974, pp.49-54.

SWORDER, D.D., "Feedback control for a class of linear systems with jump parameters", IEEE Trans. Aut. Control, AC-14, N°1, 1969, pp.9-14.

SWORDER, D.D., L.L. CHOI, "Stationary cost densities for optimally controlled stochastic systems", IEEE Trans. Aut. Control, AC-21, N°4, 1976, pp.492-499.

SWORDER, D.D., R.O. ROGERS, "An LQ solution to a control problem associated with a Solar Thermal Central Receiver", IEEE Trans. Aut. Control, AC-28, N°10, 1983, pp.971-978.

SWORDER, D.D., D.S. CHOU, "A survey of some design methods for random parameter systems", in Proc. Conference on Decision and Control, Dec. 1985, Fort Lauderdale, pp.894-899.

VAN DER VELDE, W.E., C.R. CARIGNAN, "A dynamic measure of controllability and observability for the placement of actuators and sensors on large space structures", Mass. Inst. Technology, Space Systems Lab., Jan. 1982, Report N°SSL-2-82.

VON NEUMANN, J., "Automata studies", C.E. Shannon and E.F. Moore Eds., Annals of Mathematics N°34, Princeton University Press, 1956, Princeton.

WILLSKY, A.S., "A survey of design methods for failure detection in dynamic systems", Automatica, Vol.12, 1976, pp.601-611.

WONHAM, W.M., "Random differential equations in control theory", in Probabilistic Methods in Applied Mathematics, A.T. Bharucha-Reid Ed., Vol.2, Academic Press, 1971, New York.