FDIR Strategy for Sensor Faults During Re-entry Flight

Corresponding Author: Gianfranco Morani, On-Board Systems and ATM, Italian Aerospace Research Centre, Capua, Italy. Email: g.morani@cira.it

Abstract: In this study, a Fault Detection, Isolation and Reconfiguration (FDIR) strategy is proposed for dealing with the problem of single sensor faults during a re-entry flight. The proposed algorithms rely on a model-based Fault Detection and Isolation. After the generation of a residual through a Kalman filter observer, detection is obtained via the estimation of residual signal statistics while isolation is obtained through the analysis of either the residual vector direction or the residual covariance matrix, depending on which fault type has been detected. Finally, for some failure conditions, an adaptive reconfiguration strategy of the control laws is also developed. The effectiveness of the FDIR strategy has been shown through numerical simulations of single fault scenarios.


Introduction
The problem of detecting a fault, finding the location and then taking appropriate actions is the basis of Fault Tolerant Control (FTC). In fact, Fault Detection and Isolation (FDI) plays a vital role in active FTC as it provides information about incoming subsystem faults and, furthermore, gives the possibility to make reconfiguration actions (Zhang and Jiang, 2008) thus having Fault Detection, Isolation and Reconfiguration (FDIR) capability.
In aerospace applications, sensor faults may have dramatic impact on the vehicle stability. It is then of great importance to have health information in order to use them to either avoid feeding back the corrupted measurements or reconfigure the control laws based on actual sensor accuracy. In case of a space vehicle experiencing a re-entry flight, FDI is even more challenging as the vehicle passes through several flight conditions, extremely different from each other and consequently flight dynamics are highly unsteady.
A well-known approach to the FDI problem is the model-based one; the idea under the model-based fault diagnosis is the determination of a fault through the comparison of available system measurements with the system outputs predicted by a mathematical model (known as observer) of the system itself. The mismatch between estimated and measured outputs gives rise to a residual signal, which is then used as an indicator of the presence of a fault.
A great variety of model-based FDI approaches exists (Chen and Patton, 1999; Ding, 2013) which model the monitored system as Linear Time Invariant (LTI). In recent years, the concept of residual generation in model-based FDI has been extended to Linear Time Varying (LTV) systems. In Fernandez et al. (2005), the Fundamental Problem of Residual Generation (FPRG) is generalized to the class of nonlinear systems that are affine in the control and the fault modes. The LTV FDI filter design is based on an extension of the FPRG concepts elaborated for LTI systems (Fernandez et al., 2005; Szászi et al., 2005; Hammouri et al., 1999; Murray et al., 2008; 2010) and, therefore, a synthesis of FDI is performed on linearized models of the vehicle trimmed around a re-entry trajectory.
To be truly effective, FDI should be coupled with a reconfiguration strategy. It means that FDI information should be used to adapt the G&C system either to degraded accuracy of available measurements or to a malfunctioning of the actuators. Most of the existing works deal with actuator/thruster faults (see for instance, among the most recent ones, Zolghadri et al., 2016; Fonod et al., 2015) while only a few concern sensor faults despite the fact that, in aerospace applications, sensor faults may cause the loss of control stability and performance. In this regard, the reader may want to see the following references (Oliva, 2001; Patre and Joshi, 2011; Lu et al., 2015; Sevil and Dogan, 2015; Poderico et al., 2014 and references therein). However, in some cases only air data sensors are considered (Lu et al., 2016; Sevil and Dogan, 2015) while in other cases the FDI problem is not addressed at all (Oliva, 2001; Patre and Joshi, 2011; Poderico et al., 2014).
In the present work, the control laws reconfiguration strategy proposed in Poderico et al. (2014) is extended to include also a model-based Fault Detection and Isolation scheme, which detects and isolates single sensor faults. With respect to other existing approaches, the proposed strategy combines FDI algorithms with a reconfiguration strategy, which adapts control parameters thus obtaining a FDIR architecture.
The following sensor fault types have been considered: (1) bias fault, i.e., the measurement value differs from the true value by a constant offset; (2) loss of accuracy fault, i.e., measurement noise is much larger than expected.
The proposed FDI scheme relies on a model-based approach. The first step is the construction of a system observer for the generation of a residual signal. To this end, a linear Kalman Filter (KF) is used. The process whose state shall be estimated by KF is obtained through the linearization of vehicle rotational dynamics around an equilibrium point. However, the resulting linearized system will depend on trajectory variables like airspeed, Mach and dynamic pressure, which will describe the system behavior along the flight envelope encountered during a re-entry flight. After the residual generation, detection is performed by estimating the statistics of residual signal. Finally, depending on which type of fault has been detected, different isolation techniques are used. In case a bias fault is detected, isolation is obtained by means of a maximum likelihood strategy based on the direction of residual vector. Otherwise, if the loss of accuracy fault is detected, isolation is obtained through the analysis of the residual covariance matrix, as it will be explained in the next sections. Furthermore, in case of loss of accuracy fault, control laws reconfiguration is also implemented via the on-line adaptation of control parameters that directly influence the control sensitivity to measurement noise.
The effectiveness of the proposed FDIR solution has been evaluated through the simulations of single fault scenarios during the re-entry flight of the FTB3 vehicle, a flying test bed designed by the Italian Aerospace Research Centre in the framework of the USV3 project (Palumbo et al., 2012), which was aimed at demonstrating enabling technologies for future generation reusable aerospace hypersonic transportation systems. The paper is organized as follows. The problem of Fault Detection, Isolation and Reconfiguration is first introduced, then the proposed algorithms are described and finally simulation results and performance evaluation are provided. The manuscript ends with some concluding remarks.

Problem Formulation
Model-based FDI approach obviously requires a mathematical model of the system to monitor. Clearly, the more accurate is the model, the more reliable is the fault diagnosis of the system.
In aerospace applications, a common approach for modelling the aircraft dynamics concerns the linearization of flight dynamics along one or more points of the flight envelope. However, during a re-entry flight, a wide range of flight conditions is encountered, from hypersonic to subsonic regime, thus leading to rapidly varying dynamics. For this reason, it is more convenient to describe the monitored system as a linear system whose state-space description is a function of some (time varying) parameters like airspeed, Mach and dynamic pressure, which can be easily measured. In this way, linearization along a number of operative points is not required and a model-based FDI analysis can be designed to ensure robustness along the entire operative envelope, as will be explained in the following sections.

Re-Entry Flight Dynamics
A set of differential equations is generally used to describe the translational and rotational motion of the re-entry vehicle (Roskam, 1995). Under the following assumptions:
• Rigid vehicle (no elastic modes)
• No wind shears or turbulence
• Time rate of change of mass and inertia is assumed to be negligible
• Only the effect of the moments produced by the Reaction Control System (RCS) is taken into account while the effect of RCS forces is neglected
• Contributions of spherical and rotating Earth will not be considered. Even though this contribution is not negligible in case of a re-entry flight, it will be anyway accounted for as a source of uncertainty in the Kalman Filter observer (see next sections)
The resulting equations are reported below (position equations are omitted): where, V is the true air speed, m is the vehicle mass, α the angle of attack, β the angle of sideslip, ϕ, ϑ, ψ are the Euler angles, p, q, r the angular rates, $q_\infty$ is the dynamic pressure, S the reference surface, $C_L$, $C_D$, $C_Y$ are lift, drag and side-force coefficients respectively, l, m, n are the total moments along the body axes (aerodynamic moments plus RCS ones), i.e.: where, $C_l$, $C_m$, $C_n$ are the coefficients of roll, pitch and yaw moments, respectively, δ is the elevon deflection, b is the wing span, c is the mean aerodynamic chord and $l_{RCS}$, $m_{RCS}$, $n_{RCS}$ are the moments generated by RCS.
For the development of a state observer, the airspeed equation will not be taken into account; therefore the system state will be made of the angle of attack α, angle of sideslip β, angular rates p, q, r and Euler angles ϕ, ϑ, ψ.
The non-linear dynamic system will have the following state-space representation: , , As mentioned earlier, the state vector is x = [α, β, p, q, r, ϕ, θ, ψ] and ρ is a vector of parameters that contains true airspeed, Mach number and dynamic pressure, i.e., $\rho = [V, M, q_\infty]$. The input vector will be $u = [\delta, l_{RCS}, m_{RCS}, n_{RCS}]$ while the output vector is made of the state variables but it also includes the body axes accelerations, i.e., $y = [x, a_x, a_y, a_z]$ where:

Linearization
The system of Equation 4 can be linearized around an equilibrium point $x_{trim}$ with the input equal to the trim elevon deflection $\delta_{trim}$ and zero RCS moments, i.e., u = Trim elevon deflection is computed as the elevon deflection at which the pitch moment coefficient $C_m$ is zero for a given angle of attack, Mach number, zero angular rates and zero sideslip angle (longitudinal trim), i.e., $C_m(M, \alpha, \beta = 0, p = q = r = 0, \delta = \delta_{trim}) = 0$. Therefore, the following system is obtained: The matrices A, B, C are obtained through differentiations of Equation 4 around the equilibrium point, that is: Under the above assumptions, the trim value for the state x is: ,0,0,0,0,0, , ,0,0,0 It is worth noting that trim values of lateral/directional variables β, ϕ, p, r are zero because the trim condition corresponds to longitudinal equilibrium. Pitch rate is assumed zero as well.

Proposed FDI Algorithms
In this section, the proposed fault detection and isolation strategy is described. Fault detection and isolation in model-based approach goes through the following stages: Residual generation, detection and, finally, isolation based on the analysis of residual itself.

Residual Generation
Once the system to monitor has been modeled as in Equation 6, a residual signal shall be generated. This is possible after constructing a state observer, which predicts system outputs that will be compared to the measured outputs. In the proposed strategy, Kalman Filter is used for this goal.
The Kalman filter represents a well-known methodology for the optimal estimation of state variables in presence of process and measurement noises (Gelb, 1989). A generic linear system is given in the form: where, $x \in \Re^{h}$ is the state vector, $u \in \Re^{p}$ is the input vector, $y \in \Re^{m}$ is the output vector, w and v are uncorrelated white Gaussian noises with zero mean and diagonal covariance matrices $Q \in \Re^{h \times h}$ and $R \in \Re^{m \times m}$. Measurement noise v accounts for the difference between true and measured outputs while process noise w accounts for model uncertainties. In this regard, as explained earlier, process noise will also include the model errors due to simplifying assumptions under which Equations 1 and 2 have been obtained. The predictor-corrector equations of the Kalman filter are reported below.

Prediction Step:

Correction Step:

The covariance matrices Q and R are determined as filter parameters. After estimating the system state, the residual signal can be simply computed as $r = y - C\hat{x}$.

Fault Detection
Once the residual signal has been generated, the decision about whether a fault is present or not (i.e., detection stage) could be carried out by simply comparing the instantaneous value of the residual signal with a threshold (Ding, 2013). However, since the residual signal (computed through a Kalman Filter) is a stochastic process, an effective detection stage uses the estimation of residual statistics and hypothesis testing. Under nominal (no fault) condition, the statistics of the residual are indeed (hypothesis $H_0$): where the subscript k indicates the instant at which the above quantities are computed, the superscript T indicates matrix transpose, mean{⋅} and cov{⋅} are the mean and covariance operators respectively. When a fault occurs, the statistics of the residual will be different from the nominal ones. Therefore, deviations of the monitored system from its nominal behavior can be detected via the estimation of residual mean and covariance and comparison with thresholds, i.e.:
where, $T_\mu$ and $T_\sigma$ are threshold vectors. Clearly, low thresholds ease the fault detection but, at the same time, increase the probability of signaling a fault that has not occurred (false alarm). On the contrary, high thresholds reduce the false alarm probability but also the capability of detecting faults. For the above reasons, threshold values should be selected as a trade-off between sensitivity to faults (low threshold) and insensitivity to measurement noise (high threshold). Equation 13 is to be read as follows: if at least one component of mean{$r_k$} exceeds the related threshold, a fault is signaled. Similarly, for the covariance matrix cov{$r_k$}, only the elements of the main diagonal are considered and if at least one of these elements exceeds the related threshold, the fault is signaled. Mean and covariance are continuously estimated with a moving average of fixed length, i.e.: where, r is a column vector and represents the residual signal as in Equation 12, $\hat{\mu}_r$ is a column vector representing the estimation of mean{r}, $\hat{S}_r$ is a matrix representing the estimation of cov{r} and the superscript T indicates matrix transpose. Finally, N is the number of samples in the time window used for the moving average. It is worth specifying that, depending on whether the mean or the covariance exceeds its threshold, a bias fault or a loss of accuracy fault is detected, respectively.

Fault Isolation
Once the fault has been detected, the next task is the identification of which sensor is faulted. This task goes under the name of fault isolation.
For what concerns the bias fault, the proposed isolation strategy does not rely on schemes based on observers' banks such as Generalized Observer Scheme (GOS) and Dedicated Observer Scheme (DOS) (Zhang and Jiang, 2008). This dramatically reduces the computational complexity and eases the real-time implementation of the proposed FDI algorithms.
Fault isolation is indeed obtained via the computation of the residual direction and comparison to all possible residual directions generated by a set of specific faults. Therefore, the detected fault is attributed to the sensor whose fault would generate a residual having a direction that is most similar to the computed one. The comparison is carried out through the computation of a correlation coefficient. Actually, this computation is quite straightforward only under the hypothesis that the closed-loop matrix of the observer is diagonal (Chen and Patton, 1999). However, if we make the assumption that the main contribution to the residual response is given by the DC component of the fault signal, the steady state value of the residual response can be easily obtained without any assumption about the observer closed-loop matrix, i.e.: where, K is the observer gain, $W_{sens}(s) = C(sI-(A-KC))^{-1}K + I$ is the transfer matrix of the system having the fault vector $f_{sens}$ as input and the residual vector $r_{sens}$ as output, where $f_{sens}^{j} \neq 0$ only if the j-th sensor is faulted. The above transfer matrix has been computed from the dynamic equations of a generic state observer, i.e.: where, x is the state of the observer system. Even though the above equations are valid only for an LTI system, we assume that the monitored system can be "locally" (i.e., for a few instants after the fault occurrence) seen as an LTI system. Therefore, the correlation index of the j-th sensor fault can be easily obtained as: where the symbol (⋅) means the dot product and $\|\cdot\|_2$ is the vector norm. The fault is then attributed to the sensor having the highest correlation coefficient.
Clearly the above described isolation method is not effective for the fault concerning the increase of measurement noise (loss of accuracy fault) since, in that case, the noise mean is not affected by the fault (only the noise variance changes), hence the fault vector $f_{sens}$ would exhibit a zero DC component. In this case, the isolation is carried out by looking at the residual covariance matrix, which can be written as in Equation 12: As for the detection stage, only the elements of the main diagonal are considered. Furthermore, we make the assumption that, in case of loss of accuracy in the i-th sensor, the variance of the i-th measurement error is the predominant contribution to the variance of the i-th residual component. In this way, we obtain { }
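The detection test on windowed residual statistics and the two isolation rules described above can be illustrated with the following Python example, which is added here and is not code from the paper. The signature directions (standing in for the columns of $W_{sens}(0)$), thresholds, window length and residual samples are constructed values; comparing absolute values of the mean and of the correlation, and picking the largest variance-to-threshold ratio for a loss of accuracy fault, are assumptions of this example.

```python
import math
import random

# Constructed values (assumptions of this example, not taken from the paper).
N = 400                        # samples in the moving window
T_MU = [0.06, 0.06, 0.06]      # thresholds on |mean{r}|, one per output
T_VAR = [0.005, 0.005, 0.005]  # thresholds on the diagonal of cov{r}
# SIGNATURES[j]: steady-state residual direction produced by a constant offset
# on sensor j, i.e. column j of W_sens(0); made-up numbers for 3 outputs.
SIGNATURES = [[1.0, 0.2, 0.0], [0.1, 0.9, -0.3], [0.0, -0.3, 0.8]]


def window_stats(window):
    """Return the mean vector and the diagonal of the sample covariance."""
    n, m = len(window), len(window[0])
    mean = [sum(r[i] for r in window) / n for i in range(m)]
    var = [sum((r[i] - mean[i]) ** 2 for r in window) / n for i in range(m)]
    return mean, var


def correlation(a, b):
    """Cosine of the angle between two vectors (0.0 if either is null)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def diagnose(window, t_mu=T_MU, t_var=T_VAR, signatures=SIGNATURES):
    """Classify one residual window; return (fault_type, sensor_index)."""
    mean, var = window_stats(window)
    if any(abs(mu) > t for mu, t in zip(mean, t_mu)):
        # Bias fault: pick the sensor whose signature is most aligned with
        # the residual mean. abs() lets a negative offset map to the same
        # sensor (assumption of this example).
        scores = [abs(correlation(mean, s)) for s in signatures]
        return "bias", scores.index(max(scores))
    if any(v > t for v, t in zip(var, t_var)):
        # Loss of accuracy: only the main diagonal is inspected; the component
        # exceeding its threshold by the largest factor is blamed (assumption).
        ratios = [v / t for v, t in zip(var, t_var)]
        return "loss_of_accuracy", ratios.index(max(ratios))
    return "nominal", None


def make_window(rng, sigma, offset, n=N):
    """Constructed residual samples: Gaussian noise plus a constant offset."""
    return [[rng.gauss(o, s) for s, o in zip(sigma, offset)] for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(1)
    nominal = [0.05, 0.05, 0.05]
    cases = {
        "no fault": make_window(rng, nominal, [0.0, 0.0, 0.0]),
        "offset on sensor 1": make_window(
            rng, nominal, [0.5 * c for c in SIGNATURES[1]]),
        "noise x5 on sensor 0": make_window(
            rng, [0.25, 0.05, 0.05], [0.0, 0.0, 0.0]),
    }
    for name, window in cases.items():
        print(name, "->", diagnose(window))
```

A window that straddles the instant of a step offset mixes pre-fault and post-fault samples, which inflates the windowed variance before the mean crosses its threshold; the example therefore classifies whole windows and tests the mean first.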

Control Laws Reconfiguration
In presence of loss of accuracy fault (i.e., measurements with degraded accuracy), a Fault Tolerance Control strategy should take into account the actual measurement accuracy and adapt the control gains accordingly. In this section, a strategy similar to the one proposed by the same authors in Poderico et al. (2014) is used to take advantage of the information on measurement accuracy.
Let's consider a generic linear plant defined by the equations below: where, $A_m \in \Re^{n \times n}$, $B \in \Re^{n \times m}$, $C \in \Re^{p \times p}$ are the dynamic, input and output matrices respectively. A state feedback control law u = Kx can be applied and, by choosing the control matrix: where, $A_m \in \Re^{p \times p}$ is a Hurwitz matrix, the output dynamics can be assigned, i.e., $\dot{y} = A_m y$, provided that the high frequency gain matrix CB is invertible. Therefore, considering the closed loop system: the system response to a measurement error $\Delta x = x_{meas} - x_{true}$ can be written (in Laplace domain) as: Since we are interested in the degradation of measurement accuracy due to an increase of the sensor noise, we can focus on the high frequency gain matrix. For a generic linear plant as the one defined in Equation 19, the high frequency gain matrix is equal to CB, therefore for the system of Equation 22, it will be CBK whose expression can be easily computed from Equation 20, i.e.: with η > 1. The objective of control reconfiguration is to adapt control parameters such that the closed-loop response to the measurement noise of the failed sensor is almost the same as in the nominal (no fault) case. Considering that the high frequency gain matrix can be written as CBK, this is obtained by ensuring that: where, $C^{+}$ is the right pseudo-inverse of C and $\hat{\Omega}$ is an estimation of Ω, provided by FDI algorithms as described in sec. 3. Therefore, Equation 29 allows adapting the control sensitivity to the actual measurement noise level, which is estimated by FDI after a loss of accuracy is detected.

Numerical Results
In this section, the effectiveness of the proposed FDIR strategy has been evaluated through a numerical analysis in which the re-entry flight of FTB3 (a Flying Test Bed designed by the Italian Aerospace Research Centre) (Palumbo et al., 2012) has been simulated (the nominal re-entry trajectory is reported in Fig. 1). The model used for the analysis has been developed in a Matlab/Simulink® environment and it includes 6DoF equations of FTB-3 flight dynamics, Guidance, Navigation and Control algorithms, navigation sensors, actuators and Reaction Control System. The proposed FDI algorithms have been evaluated with respect to some fault scenarios concerning both accelerometers and gyroscopes. As explained in the introduction, the following fault types have been considered: bias, i.e., a constant offset between the actual and measured signals, and loss of accuracy, i.e., the level of measurement noise is increased.

Accelerometer Bias Increase
The fault has been modeled as a step signal added to the true value of the accelerometer. The fault magnitude is equal to 2 m/s². The fault has been injected at t = 500 s. For the sake of brevity, only the case of a fault on the y-axis accelerometer is reported. FDI algorithms readily perform the fault detection and isolation (Fig. 2). The fault isolation flag indicates that the fault is on the measurement labeled with number "10", which actually refers to $a_y$ (as explained earlier).
In Fig. 3, the mean and standard deviation of the residual signal are reported (differences with respect to the thresholds are plotted). As explained earlier, the residual signal is a vector having the same dimension as the system output and the detection flag is raised when at least one component exceeds the related threshold; therefore, at each instant, the maximum value of the residual vector with respect to the threshold (i.e., the value of the largest component) is reported.

Gyroscope Bias Increase
The fault has been modeled as a step signal added to the true value of the gyroscope. The fault has been injected at t = 500 s and the fault magnitude is equal to 0.2 deg/s.
Only the case of a fault on the pitch rate measurement is reported. FDI algorithms readily perform the fault detection and isolation (Fig. 4). The fault isolation flag indicates that the fault is on the measurement labeled with number "4", which actually refers to q (as explained earlier). In Fig. 5, the mean and standard deviation of the residual signal are reported (as explained before, differences with respect to the thresholds are plotted).

Loss of Accuracy for Gyroscope
This fault has been modeled by increasing the standard deviation of gyroscope noise by a factor 5 (from 0.05 to 0.25 deg/s).
FDI algorithms readily perform the fault detection and isolation (Fig. 6, 8 and 10). Furthermore, the accuracy of faulted gyroscope is correctly estimated. Mean and standard deviation of residual signal (with respect to threshold) are also reported in Fig. 7, 9 and 11. As explained earlier, the detection of this type of failure triggers reconfiguration of control laws. From Fig. 12 to 14, the measured angular rates are reported both without and with reconfiguration of control laws.
As it can be seen from the figures, control laws reconfiguration allows reducing the sensitivity to measurement noise. Consequently, this leads to a reduction of control effort (less RCS fuel consumption) as shown in Table 1. As explained earlier, reconfiguration is done by using the estimation of actual sensor accuracy, coming from FDI subsystem and adapting control parameters such that closed loop response to high frequency disturbance (i.e., measurement noise) is almost the same as in the nominal situation.
It is worth noting that this adaptation of control parameters, which reduces the control sensitivity, also reduces the control accuracy. However, in case of this type of sensor failure, the main goal would be to avoid a high control effort and, consequently, a significant increase of RCS fuel consumption, which might lead to catastrophic consequences, as the efficiency of RCS thrusters is strongly dependent on the available fuel mass.

Conclusion
In this study, a FDIR strategy for single sensor faults during a re-entry flight has been presented. The proposed strategy is model based and relies on a linearized model of rotational flight dynamics, which continuously depends on some trajectory variables (like airspeed, Mach and dynamic pressure) thus being effective for modeling the rapidly changing flight conditions typical of a re-entry mission.
The FDI scheme makes use of a stochastic observer (Kalman Filter) for the generation of a residual signal. Detection is accomplished through the estimation of the statistics of the residual signal while isolation is obtained through the analysis of either the residual vector direction or the residual covariance matrix, depending on which fault type has been detected. Finally, in case of loss of accuracy fault, reconfiguration to sensor failure is obtained through the modification of control parameters that directly influence the sensitivity to measurement noise.
The effectiveness of the proposed FDIR strategy has been shown by means of numerical simulations where some accelerometer and gyroscope faults have been reproduced. Fault scenarios included bias increase and loss of accuracy. The analysis has been carried out with a 6DoF model of the FTB3 vehicle (a Flying Test Bed designed by the Italian Aerospace Research Centre for in-flight validation of hypersonic and atmospheric re-entry technologies). Simulations showed promising results, in terms of both detection and isolation. Furthermore, in case of loss of accuracy of the failed sensor, the proposed FDI algorithms correctly estimated the actual sensor accuracy and allowed control laws reconfiguration, which in turn significantly reduced RCS fuel consumption.

Author's Contributions
Gianfranco Morani: Has worked on the methodological aspects and the definition of the FDIR algorithms and contributed to the writing of the manuscript.
Mariangela Di Lorenzo: Has been involved in the simulation set-up, in the execution of the numerical verifications and contributed to the writing of the manuscript.

Ethics
This article is original and contains unpublished material. The corresponding author confirms that all of the other authors have read and approved the manuscript and there are no ethical issues involved.