Avionic Air Data Sensors Fault Detection and Isolation by means of Singular Perturbation and Geometric Approach

Singular Perturbations represent an advantageous theory to deal with systems characterized by a two-time scale separation, such as the longitudinal dynamics of aircraft which are called phugoid and short period. In this work, the combination of the NonLinear Geometric Approach and the Singular Perturbations leads to an innovative Fault Detection and Isolation system dedicated to the isolation of faults affecting the air data system of a general aviation aircraft. The isolation capabilities, obtained by means of the approach proposed in this work, allow for the solution of a fault isolation problem otherwise not solvable by means of standard geometric techniques. Extensive Monte-Carlo simulations, exploiting a high fidelity aircraft simulator, show the effectiveness of the proposed Fault Detection and Isolation system.


Introduction
Current manned and unmanned aircraft implement autopilots ranging from simple stability augmentation systems to complex navigation systems. Due to the high level of criticality of aircraft, autopilots need to implement robust design strategies to guarantee, for example, appropriate levels of fault tolerance. In particular, a review of aeronautical worldwide sources on safety event reports reveals repeated instances of anomalous Air Data Sensor (ADS) events. The nature of ADS measurements, indeed, makes air-data probes subject to the spectrum of environmental conditions and, even with a design meant to withstand harsh conditions, instances of ADS probe faults have been recorded for diverse platform types and situations [1][2][3] and citations therein.
The Fault Detection and Isolation (FDI) represents a relevant and critical theme in many sectors such as surgery [4], automotive [5], electrical engineering [6], wind turbines [7] and aerospace engineering [8][9][10][11][12][13][14][15][16][17][18]. Although aircraft subsystems are designed with sufficient levels of redundancy to tolerate both hardware and software faults, FDI algorithms are suitable to monitor the aircraft safety and assess the eventual presence of anomalies, [19][20][21][22][23]. The main goal of the FDI is represented by the decision about the status of health of the system (fault detection) and, in case of faults, the second objective is the localization as well as the determination of the fault nature [24]. Furthermore, the importance and relevance of Air Data Sensor FDI has been highlighted by the European project (ADDSAFE, Advanced Fault Diagnosis for Sustainable Flight Guidance and Control) which was focused on the study of this problem [25].
Common FDI systems are based on either hardware or analytical redundancies but, in recent years, the aerospace industry is demanding for solutions guaranteeing the same or an improved fail safety level with a reduced level of hardware redundancy [26]. From one hand both general aviation aircraft and UAVs have not the payload capacity to be equipped with standard hardware redundancy and, on the other hand, engineers designing large aircraft try to save weight to reduce the consumed fuel, costs, noise and pollution. Conversely, analytical redundancy does not require additional hardware because exploits the mathematical model of the system as redundant information but is more challenging due to the need of guaranteeing its robustness in the presence of unknown disturbances, noise and model uncertainties.
Different model based FDI methods have been developed during recent years [27][28][29][30] but all of them share the same common structure highlighted in Figure 1. The state of art sees model based FDI methodologies be roughly classified in two main groups: those based on a bank of detection residuals each one trivially dependent on different fault components and those which implement a fault re-constructor. With reference to the FDI methods belonging to the first group, this work introduces an innovative approach applicable to those systems which can be described by a singular perturbation model. This paper presents a model based FDI approach which solves the problem with a two-step procedure. In the first phase a set of variables known as residuals is provided by one or more parallel residual generators: each residual is designed to be zero (or zero mean) in absence of faults belonging to a certain different subset of the whole faults set. The second step is represented by the decision, made on the base of the analysis of the residuals, about the presence of faults (fault detection) and which is the fault that is affecting the system (fault isolation). The FDI module proposed in this paper is designed by means of the NonLinear version of the Geometric Approach (NLGA) [31,32]. Thanks to the NLGA it is possible to design detection residuals which are insensitive to a selected subset of all the faults potentially affecting the system. The fault isolation is obtained by collecting the detection residuals, which are insensitive to different fault subsets, in a bank of residuals whose configuration identifies which fault is present. This paper proposes, for the design of the residual generators, an innovative and combined use of the NonLinear version of the Geometric Approach (NLGA) [31,32] and of the Singular Perturbations (SP) theory [33]. This work shows that this kind of strategy allows for the solution of the fault isolation problem, for general aviation aircraft affected by faults on air data sensors, not otherwise solvable with the standard NLGA approach, see [31,34].

Aircraft & Actuators
Thanks to the NLGA it is possible to analyse the system to identify the isolable faults. The results of this analysis are valid for any possible methodological tool successively exploited for the design of the detection residuals. When two or more faults are unisolable the only methodological approach which can provide information about the presence of these faults consists in an estimation of the whole unisolable fault vector thus requiring the implementation of high order input re-constructor systems. With the goals of reducing the complexity of the FDI system, to increase its modularity and to make it distributable, the designers try to minimize the estimator dimensions. The literature presents some remarkable works dealing with the detection and the isolation of faults affecting aircraft air data such as [1][2][3]10,13,17,20,21,35] in which the detection filters are base on full order unknown input re-constructors. At the opposite, this paper focuses on the reduction of dimensions of the unisolable fault set and, thanks to the innovative combined use of the SP and the NLGA, allows for the isolation of the angle of attack faults, otherwise not possible, by means of reduced order detection filters.
The paper is organized as follows: Section 2 describes the nonlinear aircraft model used for the FDI module design. Section 3 details the Air Data System and its associated fault scenario whereas Section 4 proposes the design of the novel FDI module, based on the NLGA combined with SP theory. Finally, in Section 5 simulations results, based on a general aviation aircraft flight simulator and Monte-Carlo simulations, are given, showing the effectiveness of the approach and the good performance of the FDI system.

Nonlinear Longitudinal Aircraft Model
In this paper the aircraft is modelled as a rigid body subject to the following external forces and momentums: gravity, aerodynamics and engine thrust. The longitudinal dynamics of aircraft can be represented by the following equations, [36]: where h is the altitude, V is the airspeed, v c the rate of climb, α the angle of attack and q is the pitch rate. The term m indicates the mass, I y the longitudinal inertia, q d is the dynamic pressure, S is the wing reference area andc indicates the mean aerodynamics chord, g represents the gravity acceleration and d T the thrust arm. The aerodynamic forces and momentums coefficients are C L TOT , C D TOT and C m TOT . Finally, T, indicating the thrust, is the first control input. For a conventional aircraft, the typical component build-up technique, see [36], leads to the following standard aerodynamics description: where the aerodynamics coefficients C s k with s ∈ {D, L, m} and k ∈ {0, α, q, δ e } are considered known parameters thanks to wind tunnel and flight tests. The term δ e , representing the elevator deflection, is the second control input. The overall model can be rewritten in the following compact form: where x 1 = [h, V, v c ] T ∈ R n 1 and x 2 = [α, q] T ∈ R n 2 represent the state vector, suitably partitioned, and where the term, ε, is the small positive perturbation parameter, called singular. Moreover, the actuator inputs are two, i.e., p = 2, with u 1 = T and u 2 = δ e . The model is completed by the outputs y 1 = x 1 and y 2 = x 2 whereas the non linear term g i,j (x 1 , x 2 ) with i ∈ {1, 2} and j ∈ {0, . . . , p} are: Hypothesis 1. AutoPilot Control model: in general, the design of the FDI module should be independent from the structure of the controller except for some high level properties introduced by means of the control unit, such as the stability of the closed loop system. In detail, this work proposes an FDI scheme which can be successfully applied to flight controllers which have sufficiently slow outputs to allow for the definition of the manifold x 2 M which will be defined later. In particular: • given the state x = [x T 1 , x T 2 ] T ∈ X ⊂ R n , the control laws u i are sufficiently smooth functions of the states x, i.e., u i = u i (x), and there exist a Lipschitz constant L such that ||u is not active when εẋ 2 = 0, i.e., it is such that The assumption of having ε = 0 shrinks the state-space dimension from n 1 + n 2 to n 1 because of the degeneration to an algebraic equation of the second relation in (3). In this slow time scale the fast state, x 2 , evolve on a manifold defined by the approximated slow state x 1 and the slow part of the control law, u s i , respectively identified byx 1 andū s i : Equations (8) represent the reduced model. For standard aircraft, the algebraic system in (8) admits one isolated root, x 2 M = M(x 1 ,ū s 1 , . . . ,ū s p ).
On the other hand, during the transient phases of the fast variables, the SP theory treats the slow variables as parameters. Defined the time scale change, τ = (t − t 0 ) /ε with t 0 > 0, the apex derivatives are defined as x = dx/dτ and the dynamic order of the system is reduced from n 1 + n 2 to n 2 by assuming ε = 0: Equations (10) represent the boundary-layer model. Defined the error z 2 = x 2 − x 2 M , the approximated model is well posed if the following hypothesis is verified [33]: The fast control law, u f i , is such that the origin of the system d dτ is a locally exponential stable equilibrium point, uniformly in (x 1 ,ū s i ).

Lemma 1.
Given two matrices K 1 and K 2 with proper dimensions, any linear static state feedback control law Proof. Let us define the fast control law with u f = K 2 x 2 − x 2 M and the slow control law with On the other hand, the fast control law is null when the linearisation of the system (11) at the the origin is represented byż 2 , for standard aircraft configurations, is stabilizable thus implying the existence of a state feedback matrix K 2 such that the origin of the system is locally exponentially stable.

Remark 1.
Thanks to the state augmentation technique, the results of Lemma 1 can be extended to linear dynamic controllers to demonstrate that standards autopilots installed on general aviation aircraft, usually implementing proportional-integral-derivative structures, fulfil the Hypotheses 1 and 2.
Finally, the actual system dynamics (3) can be approximated by:

Air Data System
The Air Data System (ADS) is one of the fundamental subsystems of aircraft because, thanks to it, autopilots can regulate the airspeed, V, and barometric altitude, h, which are necessary for guaranteeing the stability and for the guidance of the air-plane. Standard ADSs also include the measurement of the angle of attack, α, extremely useful for avoiding instantaneous dangerous stall situations (for example due to aggressive manoeuvres or unexpected wind). ADSs are composed by two main parts: the probes and the computational unit, see Figure 2a. The probes are constituted by a "total air pressure" port, a "static air pressure" port, a "total air temperature" port and a "vane sensor" which provide the measurements y P T , y P S , y θ T and y α respectively. The "total air pressure", P T , and the "static air pressure", P S , are linked to the airspeed V thanks to the Bernoulli's law: where ρ indicates the air density, in turn linked to the static air temperature, θ S , and pressure, P S , by means of the ideal gas law: where R is the ideal gas constant for air R = 287.04 m 2 /( • C s 2 ). Finally the International Standard Atmosphere (ISA) model [37] introduced a mathematical description of the static air pressure, P S as function of the geometric height above the mean sea level, H: where P 0 = 101, 325 Pa represents the standard static pressure at the seal level and K = 4.193 × 10 −4 m −1 is the temperature rate in the troposphere.
To correctly compute the barometric altitude, the airspeed V and the rate of climb v c , the total air temperature θ T is exploited to determine, combined with the static air pressure the air density. These computations are usually implemented into an Air Data Computer (ADC) which receive y P T , y P S y θ T and y α and give as output the estimated barometric altitude y h , the estimated airspeed y V and the estimated rate of climb y v c : whereM indicates the Mach number estimation,θ S the static air temperature estimation and γ is the ratio of specific heats. The term dy P S represents a low-pass filtered version ofẏ P S where λ P S is the pole of the filter. Finally, the FDI module needs of an estimation of the air density,ρ, which is provided by the ADS by means of the following equation:ρ The angle of attack, α, represents a crucial quantity which describes the aerodynamic behaviour of the aircraft in each flight condition. The aerodynamic lift, L, is directly (quasi-linearly) proportional to the angle of attack until α remains in certain limits, α ∈ [α lin min , α lin max ], determined by the aircraft shape. Close these limits the lift the aircraft can produce increases but non linearly and reach a (minimum)maximum at (α L min )α L max . Further increases of α correspond to a decrease of L up to the so called "stall angle" α stall at which the lift suddenly decreases to zero. The autopilot has to guarantee that α always remains in certain predetermined safety regions of the open set (α stall min , α stall max ). Usually the angle of attack is measured by means of vane sensors constituted by a mechanical flag which align itself with the air-stream and a electronic transducer which provides the measurement of the rotation angle y α , see Figure 2b.

Air Data System Faults
This work demonstrates that, thanks to the joint use of the NLGA and the SP, faults affecting ADS can be correctly detected and isolated. To this end, the model of the system, even in presence of such faults, have to hold the singular perturbation properties. It is worth observing that failures on sensors which induce the instability of aircraft are not taken into account because no hardware redundancy is considered in this work. Different strategies, which are out of the scope of this paper, can be exploited to deal with this kind of fault scenario. Furthermore, only multiple (more than one) but non concurrent (only one per time) faults are considered in this work. The i-th fault is indicated by F i where F i (x, u, t, t 0 ) → R is a scalar real values function dependent on time, input and state. The faults affect the system at time t 0 ∈ R, with t 0 > 0, so that F i (x, u, t, t 0 ) = 0 ∀t < t 0 and progressively reach their asymptotic value F ∞ i (see Figure 3) where ∆ t ∈ R >0 is a time constant. The subscript i ∈ {1, . . . , n F } indicates the physical faults on altitude, air speed, rate of climb and angle of attack sensor. Finally, to improve the readability of this manuscript, the dependencies of faults are omitted but where necessary. The faults are modelled in terms of variation, from the nominal behaviour, due to biases and sensitivity modifications as where F s = b s + (k s − 1)s, (b s , k s ) ∈ R × R + . In particular, the faulty static and total pressure outputs are described by: where F P T , F P S and F θ T respectively indicate the faults affecting the total pressure, the static pressure and the total temperature port. The faults influencing both pressure and temperature ports result in faults on altitude, F h , airspeed, F V , and rate of climb, F v c , as: Let us now identify the following sets of faults: Thanks to the assumption of non-concurrent faults, it is possible to define the "active fault" as the element F i ∈ F which is non-zero and the "active fault subset" as the fault subset, among F x 1 and F x 2 , which the active fault belongs to. Finally, let use define the k-th fault parameter set as:

NLGA FDI for Singularly Perturbed Aircraft Model
This section shows novel methodological aspects arising when combining SP and NLGA for the solution of the FDI problem which can be generally stated as: Problem 1. FDI: given the aircraft longitudinal models (3) and (12) with the fault scenario F described in (22), design an FDI module with inputs y 1 (t), y 2 (t) and u 1 , . . . , u p , and output the set R = {r d 1 , ..., r d n R } of n R binary residuals such that each fault F k , with k ∈ {1, ..., n F }, affect a different, non-empty subset, Ω k , of residuals within R.
The solution of an FDI problem can be stated in terms of a residual matrix, RM which is an n R × n F rectangular matrix with boolean elements where the rows list the detection residuals whereas the columns represent the fault/fault subsets. The matrix's element RM(i, j) is equal to a logic 0 if the i-th detection residual is not sensitive to the j-th fault whereas is a boolean X ∈ {0, 1} otherwise. The presence of the boolean X is motivated by the residual sensitivity to the fault with respect to the noise which will be investigated in Section 5. Finally, the subsets Ω k is identified by the k-th column of RM.
To this end, the dynamic model of aircraft subject to faults on ADS is represented by: where the output is given by with Fault os output can be seen as input faults by means of the method proposed in [34] and here briefly reported: ν k ≥ 1 equivalent and simultaneous input faults, f k,i (i = 1, ..., ν k ), are introduced in place of the non concurrent output faults F k ∀k ∈ {1, ..., n F }. Given the k-th scalar output y k of (24), substitute y k to its relative state x k in the dynamic system (24) and identify the ν k ≥ 1 different functions, φ k,i (y k ) with i ∈ {1, . . . , ν k }, containing the term y k . Define the equivalent input fault as f k,i := φ k,i (x k )-φ k,i (y k ) and its input vector as l k,i . Whenever the k-th sensor fault occurs, i.e., F k = 0, all associated input faults f k,i (i = 1, ..., ν k ) will become non-zero: where the terms l 1 k,i and l 2 k,i represent the input distributions of mathematical sensor faults. Let us define with the term f k the set of input faults associated to the sensor fault F k : The set of equivalent mathematical faults associated to F is given by the set of vectors f k , for k = 1, . . . , n F , and is denoted by f: Finally, define with l k,i the mathematical fault vector field for the overall system, i.e., l k,i = l T 1k,i , l T 2k,i T and with l k the vector field collecting all the input vector fields relative to the set f k : l k := l k,1 , . . . , l k,ν k Before introducing the solution to the FDI problem rewrite the system (27) as: where Im case of of fully measured state, i.e., h(ξ) = ξ, the NLGA necessary conditions for solving the FDI problem are expressed by the following algorithm [31]: 1.
given the fault set F, define the subset F s ⊆ F with F s := {F k , k ∈ s} and the generalized disturbance D s = F \ F s ; 3.
given the equivalent fault set f associated to F, define the subset f s ⊆ f associated to F s , i.e., f s := {f k , k ∈ s}, and the generalized disturbance d s = f \ f s associated to D s ; 4.
associate to the sets f s and d s their relative input vector fields l s and p s respectively:

5.
if l s / ∈p s the generalized faults set f s is detectable and a suitable change of coordinate can be determined. (22), an NLGA study reveals that, defined F s = F \ {F x 2 } then l s =p s thus implying that the necessary conditions for the solution of the FDI problem are not fulfilled for the isolation of fault affecting the air (pressure and temperature) ports and the angle of attack vane sensor.

Property 1. Given the system (27) with the fault scenario
On the other hand, the sufficient conditions are expressed by the existence of two coordinate changes, in state and output spaces, Φ(ξ) and Ψ(χ) respectively, which consist in a surjection Ψ 1 and a function Φ 1 such thatp ⊥ are (local) diffeomorphisms, whilst C 2 is a selection matrix, i.e. its rows are a subset of the rows of the identity matrix. If the sufficient conditions are verified then, by using the new (local) state and output coordinates (ξ,χ), the system (31) is transformed as follows:ξ with l s 1 (ξ) not identically zero. As described in [31], the subsystemξ 1 in Equation (34) is locally weakly observable so the detection residual associated to f s and thus to F s is given by:ξ Finally, for each vectorial residual r, define a positive scalar function r = √ r T Wr where W is a positive weights matrix, a positive real constant r th and a boolean variable r d defined as:

NLGA Combined with Singular Perturbations
This Section contains the main results of this work and shows how the FDI problem can be solved by means of the coordinated use of the SP jointly with the standard NLGA. Theorem 1. Given the system (24) and for each k-th fault, there exist a subset of S k such that it is possible to approximate the actual dynamics of the aircraft (24) by its associated reduced and boundary layer models.
Proof. Let us assume that the aircraft (24) is equipped with a controller fulfilling Hypotheses 1 and 2 and define the eigenvalues of the system, affected by the k-th fault F k , as λ i (ν k ) with i = 1, . . . , n and ν k = (b k , η k ) ∈ S k . Then, as stated in [38,39] and thanks to the smoothness of the system (24) and its control system and based on their Lipschitz features, for any k > 0 it is possible to find a sufficiently small subset S k ⊆ S k , possibly dependent on k , such that the eigenvalue of the closed loop system (24) are such that whereν k = (0, 1) indicates the vector of the nominal parameters (fault free condition). For each fault parameter in the set S k , the model approximation is valid because the eigenvalues remain close the nominal ones so that the stability as well as the time separation properties can be kept valid.
On the base of the Theorem 1 the actual aircraft dynamics (24) is approximated by its reduced and boundary layer models: where x 2 M = M x 1 , u 1 , . . . , u p is an isolated root of The fault mapping procedure [34] applied to (37) leads to: In conclusion, the involutive closure of p s is such that span{dȳ 1 } ⊆p ⊥ s because, thanks to the Singular Perturbation approximation, the first n 1 components of each vector field in p s are null. Lemma 3. Given the system (39) with the fault scenario (22), given F and F x 1 as in Property 1 and defined the input vector fields relative to their generalized disturbance, p and p x 1 respectively, thenp ⊥ ⊃p ⊥ x 1 .
Proof. The combined used of Lemma 2 and SP shows that the projection ofp ⊥ onȳ 1 has components that the projection ofp ⊥ x 1 has not. As consequence, a coordinate change can be found to design a residuals that is independent from F α . Lemma 4. Given the system (27) and its singularly perturbed approximation (39), then the active fault subset is isolable.
Proof. Two different residuals are designed on the base of Property 1 and Lemma 2, r d 1 and r d 2 . The first one, r d 1 , is originated by Φ 1 (ξ) = Ψ 1 (ξ) = y 1 and the second one, r d 2 , exploits the singular perturbed coordinate change Φ 1 (ξ) = Ψ 1 (ξ) =ȳ 1 . The residual r d 1 and r d 2 are organized in a residual matrix, depicted in Table 1, where the second row results to be fundamental to isolate the active fault subset.  Table 1 reveals that the elimination of the residual r d 2 , introduced thanks to the adoption of the SP approximation, make the the isolation the faults in F x 1 and the fault on the vane sensor, F α , structurally impossible. Furthermore, can be demonstrated that Lemma 4 is valid also when considering the whole aircraft dynamics (comprehensive of lateral and directional motions) also in presence of faults affecting the side-slip angle vane sensor (considered as a further element of the fault set F x 2 ).

Simulation Results
The results presented in this paper have been obtained in simulation. The simulation benchmark is represented by a general aviation aircraft for which technical reports are available in literature. In particular NASA Technical Notes [40][41][42] describe the aerodynamics of the aircraft and the propeller. Figure 4 graphically depicts the blocks diagram details composing the simulator:

•
Aircraft Dynamics: The dynamics of the aircraft, seen as a rigid body with six degree of freedom, is altered by torques and forces inducing accelerations which, integrated two times, generate speeds and positions. Euler angles describes the attitude of the aircraft; • Aerodynamics: The NASA reference [40] graphically reports the aerodynamic coefficients of lift L, drag D and pitch momentum M which are functions of the angle of attack α and the thrust coefficient T/(q d S). The simulator implements these coefficients by means of look-up tables; During the simulations the updating of both the air density, ρ, and the gravity acceleration modulus, g, are performed by implementing the reference [37,43] respectively. The simulation of the sensor suite follows what stated in [44,45]: • the pitch rate is provided by means of one gyroscope of an IMU (Inertial Measurement Unit). The measurement errors are comprehensive of non unitary scale factor, alignment error (random), g-sensitivity, additive white noise and gyro drift; • Air Data System (ADS):

-
The true air-speed is affected by calibration error of the differential pressure sensor plus additive white noise; - The altitude measurement is corrupted by calibration error of the static pressure port plus additive white noise; - The attack angle vane sensor is influenced by calibration errors plus additive white noise.
A detailed description of the measurements used by the considered system can be found in [14].

Sensitivity Analysis
Uncertainties in model parameters influence the NLGA results in terms of decoupling from the disturbances d s , which is not more perfect, and reduce the sensitivity ofξ 1 with respect to f s thus making the fault detection and isolation harder. It is rather intuitive that, due to the residual sensitivities and model uncertainties, for each fault F k , different fault severities could identify actual residual subsets Ω k that are contained in those listed in Table 1.
In particular, for each k = 1, . . . , n F , there exist: • an undetectable fault parameter set defined as S k und ⊆ S k such that ∀ ν k ∈ S k und each binary residual r d i = 0, with i = 1, . . . , n R , so leading to Ω k = {∅} for each k = 1, . . . , n F ; • a detectable fault parameter set, S k det ⊆ S k , defined as the fault set for which the detection is guaranteed (but not the isolability). In particular, there exist a couple of fault parameters ν i and ν j with i, j ∈ {1, . . . , n F } with i = j, respectively belonging to S i det and S j det for which the residuals configurations Ω i and Ω j are non-empty but equal thus not providing the isolability; • an isolable fault parameter set, S k isol ⊆ S k , identified as the fault parameter set such that ∀ ν k ∈ S k isol the residuals configuration Ω k is unique. In particular, for each couple of fault parameters ν i and ν j with i, j ∈ {1, . . . , n F } with i = j, respectively belonging to S i isol and S j isol the residuals configurations Ω i and Ω j are non-empty and different.
Given the analogical vector residual r i and an associated comparison threshold r th i , the binary residual r d i > 0 is obtained by means of the following law where the elements of the matrices . . , w i,dim(r i ) ]) have been defined in the following way: for each j ∈ {1, . . . , dim(r i )} where dim(r i ) indicates the dimension of the vector r i . Table 2 reports the values given to the weight matrices. As result, the two residuals live under the threshold r th (set equal to 1 in this paper) when in absence of faults, see Figure 5.  For each k ∈ {1, . . . , n F } the sets S k und , S k det and S k isol have been numerically determined in presence of the most common uncertain quantity in standard general aviation aircraft (mass, inertia and drag coefficients) and simulated as a random variable with uniform distribution in the set of ±5% of the corresponding nominal parameter. Tables 3 and 4 and respectively list the nominal parameters, exploited by the FDI module, and their minimum and maximum values assumed into the plant. Table 5 lists the resulting fault sets whose bounds, shown in Figure 6, are obtained by assuming a slope modification k s ∈ [−0.1, 0.1]. All the results presented in this work have been obtained by means of an extended Monte-Carlo campaign covering all the cruise flight envelope (unitary positive load factor and air-speed up to the manoeuvre speed).

Remark 3.
The faults considered in this paper are corrupting the sensors and do not directly affect the plant, i.e., they are not system faults which modify the plant structure or the plant parameters. Anyway the fault have a secondary effect on the robustness of the proposed method because the aerodynamic coefficients, exploited by the FDI module, are obtained from look-up tables which entries contain also the angle of attack. This implies that erroneous values of α lead to erroneous values of the lumped parameters exploited to isolate the faults. All the simulation results are comprehensive of this phenomenon.

Remark 4.
The concept of the fault sets have been introduced to describe the behaviour of the detection and isolation logic in presence of faults modelled as sum of biases and slope modifications, i.e., F s = b s + (k s − 1)s. The sets are given to show how the combination of b s and k s influences the detection and isolation results: given k s the faults can be undetectable, detectable or isolable are functions of the value of b s . The identified fault sets are realistic due to the high fidelity of the simulator. As example the maximum tolerable fault on the static port is fixed by the vertical separation of the air traffic. In particular, the vertical separation is 75 m and a fault of ±690 Pa would lead to an error of about ±60 m [35]. The minimum isolable fault size identified in this paper is about ±155 Pa which is in line with the mentioned limits. Moreover, the aeronautical standard allows for a maximum tolerable error of ±4 knots on the airspeed. The fault size of ±55 Pa on the total air pressure port leads to an airspeed variation of less than ±2 knots while the fault on the static pressure port of ±155 Pa leads to an error of about ±4.5 knots. Finally a fault of about ±7 deg on the total air temperature port leads to an erroneous airspeed of about ±1.5 knots.

Fault Isolation Performance
To complete the dissertation about the fault detection and isolation, this work ends with the presentation of some single simulation runs in which the aircraft has been set to a cruise at speed whereas the faults dynamics has been characterized by a time constant ∆ t of 1 s. Figures 7 report the behaviours of the two detection residuals in presence of faults on the static air pressure port (Figure 7a) and on the total air pressure port (Figure 7b). Both the residuals, in accordance with their design criterion, overcome their threshold thus identifying the configuration of the residual matrix. The graphs in Figure 7a clearly show a quasi impulsive behaviour due to the variation of the rate of climb induced by a fault on the static pressure port: the rate of climb is a low pass filtered version of the static pressure first time derivative indeed. Once this effect disappears the asymptotic value of the residuals is due to the erroneous values of the airspeed. This impulsive behaviour is not present in Figure 7b where the aircraft is affected by faults on the total air pressure port because this measurement does not influence the rate of climb.
The composition of the residual matrix is replicated in the behaviour of the analogical residuals depicted in Figures 7a and 8b.
In conclusion, Table 6 reports the result of a 10,000-runs Monte-Carlo simulation in which, with respect to the sets described in Table 6, the faults have been randomly generated with a uniform distribution. The following dimensionless indexes constitute the meter for evaluating the performance of the FDI module:   1 Despite the NLGA analysis clearly states that it is impossible to isolate faults belonging to F x 1 , the occurrence of a fault in the group {F P S , F P T , F θ T } can be isolated from F α with the percentage indicated by the IR. Accordingly, the WIR indicates the percentage of test which resulted in the isolation of a fault out of the set F x 1 The values reported in Table 5 indicate a promising effectiveness of the proposed solution. With respect to the isolability of the faults affecting the total air pressure port, there is an inherent difficulty in the isolation of the faults affecting the static pressure port. In particular, a fault increasing P S produces two counteracting effects: on one hand it increases the estimated airspeedV but on the other it reduces the estimated air densityρ such that the final variation of the pressure dynamic q d = 1 2ρV 2 is, in modulus, smaller than the variation due to a fault, with the same magnitude, but affecting the total air pressure port. Since the pressure port faults reveal themselves by means of the dynamic pressure, this phenomenon makes easier the isolation of the faults on the total air pressure. The same conclusions can be obtained about the isolability of the faults affecting the total air temperature port. Furthermore, thanks to the structure of the detection residuals the isolation of faults affecting the vane sensor α is almost perfect (WIR 2%): the second detection residual, r 2 , is theoretically independent from fault on α thus reducing the possibility of confusing the residual configuration. Values of WIR different from zero, for F α , are due to the presence of model uncertainties which makes the decoupling not perfect. Finally the WIR values relative to fault in F x 1 are also due to the residual structure: for some flight conditions, these faults may force only the first residual r 1 out of its threshold thus inducing a wrong isolation.

Conclusions
Given a general aviation aircraft affected by faults on the air data system, this paper proposed a novel approach for solving the Fault Detection and Isolation problem. The cornerstone of the proposed approach stays in the coordinated use of the NonLinear Geometric Approach and the Singular Perturbation theory and represents a suitable solution for designing Fault Detection and Isolation schemes for all that plants whose dynamics can be described by two-time scales. This work demonstrated that, by means of the proposed approach, fault affecting the angle of attack and those affecting the air (both pressure and temperature) probes can be correctly detected and isolated. An aircraft flight simulator, based on high fidelity experimental data of one real general aviation aircraft, has been used as benchmark for assessing the results showed in this paper. Future works will focus on the improvement of the isolation performance by means of the introduction of further sensors.