Model-Based Condition-Monitoring and Jamming-Tolerant Control of an Electro-Mechanical Flight Actuator with Differential Ball Screws

: The work deals with the development of deterministic model-based condition-monitoring algorithms for an electromechanical ﬂight control actuator with fault-tolerant architecture, in which two permanent magnets synchronous motors are coupled with differential ball screws in speed-summing paradigm, so that the system can operate even after a motor fault, an inverter fault or a mechanical jamming. To demonstrate the potential applicability of the system for safety-critical aerospace applications, the failure transients related to major fault modes have to be characterised and analysed. By focusing the attention to jamming faults, a detailed nonlinear model of the actuator is developed from physical ﬁrst principles and experimentally validated in both time and frequency domains for normal condition and with different types of jamming. The validated model is then used to design the condition-monitoring algorithms and to characterize the system failure transient, by simulating mechanical blocks in different locations of the transmission. The operability after the fault, obtained via fault-tolerant control strategy and position regulator reconﬁguration, is also veriﬁed, by highlighting and discussing possible enhancements and criticalities.


Research Context
The aircraft electrification is surely one of the most important and strategic initiatives currently supporting the innovation of the aviation industry [1,2]. This manifests in two basic concepts: the more-electric aircraft and the more-electric propulsion (way to the all-electric long-term targets). In particular, the more-electric aircraft concept entails the gradual replacement of onboard systems based on mechanical, hydraulic, or pneumatic power sources with electrically-powered ones, aiming to reduce weight and costs, to optimize energy and to increase eco-compatibility and reliability of future aircrafts [3][4][5][6]. One of the key technological enablers for pursuing these challenging objectives is the electromechanical actuation [7][8][9]. The applicability of Electro-Mechanical Actuators (EMAs) in aerospace is well proved in terms of load and speed performances [10][11][12][13][14], but it still entails several concerns in terms of safety and reliability [15][16][17][18][19]. In civil aircrafts, EMAs are often avoided for safety-critical functions (flight controls, brakes, landing gears, nose wheel steering), essentially because the statistical database on components fault modes is poor [20]. Electrical and electronic faults are currently not critical for aerospace applications of EMAs, since they can be effectively counteracted via hardware redundancy, without significant impacts on weight and volumes [21][22][23][24][25][26]. On the other hand, mechanical faults are more problematic. The most feared fault mode is surely the mechanical jamming, which is the final consequence of the progressive degradation of loaded metallic contacts in the EMA gear train. The wear and fatigue in the materials initially imply increased friction and lower efficiency (affecting power consumption and control performances), or increased freeplay (with possible impacts on aeroservoelastic stability of flight movables), while in the long term they can lead to mechanical blocks. Potentially, the jamming of a primary flight surface is a failure with catastrophic consequences, which can make useless any architecture based on either parallel or grouped actuators. The survivability to jamming is thus one of the major challenges in the development of EMAs for safety-critical aerospace applications.
Many research efforts have been and are made to protect EMAs from jamming, by applying both prognostic and diagnostic monitoring methods, aiming at anticipating (i.e., avoiding), or detecting and isolating the fault, respectively. The prognostic solution, though potentially overwhelming [27][28][29][30], is nowadays far from being applicable to airworthy systems, so that diagnostic approaches are typically preferred [31,32].
The diagnostic monitoring requires that fault detection and isolation (FDI) algorithms are implemented and real-time executed by onboard control electronics [33][34][35][36], so that, in case of a detected jamming, redundant mechanical channels or unlock devices can be engaged [37,38]. Depending on how the mechanical redundancy is applied, after the fault compensation, the EMA can maintain its functionality, or it can be reverted in a stand-by mode, so that jamming-operative or jamming-safe EMAs are respectively obtained. In fact, for each primary flight movable, the mechanical redundancy can be applied at load-level (by splitting the movable and using a jamming-safe EMA on each part), at actuator-level (using multiple jamming-safe EMAs on a single movable), or at subsystem-level (using a single jamming-operative EMA on a single movable). The use of jamming-tolerant transmissions in EMAs clearly increases the design complexity, but it strongly simplifies the system integration with respect to architectures with multiple actuators. On the other hand, the FDI algorithms of a jamming-operative (more generally fail-operative) EMA are expected to be more sophisticated and prone to errors.

Motivations of the Research
Provided that fail-operative EMAs are the preferred solution for the primary flight controls of more-electric aircrafts, a key aspect entails the design and the verification of appropriate condition-monitoring systems. Apart from the need of limiting the number of additional sensors and algorithms, a special attention must be paid to the monitoring approach itself. Literature identifies three basic methods: knowledge-based, signal-based and model-based approaches [39,40]. In knowledge-based approaches, there is no a priori knowledge (i.e., model) of the physics-of-failure, but it is reconstructed from a large volume of historical data, by means of artificial intelligence techniques. Signal-based approaches instead utilize coarse pre-defined information about the system behaviour and the diagnostic output is directly generated by analysing the system signals. Finally, in model-based approaches, the diagnosis is obtained from the comparison of system measurements with a priori information provided by mathematical models, through the generation and analysis of residual quantities [41].
The condition-monitoring of a primary flight control EMA, which must be executed in real-time and with minimum FDI latency, surely requires a model-based approach, but different techniques can be applied. Since nonlinearities, disturbances, environment and loads can significantly affect actuators response, an in-depth knowledge of both normal and faulty behaviours is required. The crucial problem entails the knowledge of faulty dynamics and failure transients in complex systems with a huge number of fault modes.
In data-driven model-based techniques, this knowledge is achieved via experiments, by artificially injecting the major faults and measuring the system response during and after the fault [20,28,29,42,43]. This method provides more accurate predictions, but rigging costs are often prohibitive and the FDI strongly depends on tested conditions. In deterministic model-based techniques, which this paper refers to, the knowledge of dynamics with faults is derived from a mathematical model, capable of simulating the faults occurrence by physical first-principles [33][34][35][36], which is experimentally-validated with reference to normal and/or regime faulty conditions. Oppositely to the data-driven case, this method generally provides less accurate predictions, but it is cost-effective, it allows to verify FDI functionalities in extreme conditions and (above all) permits to generalise the FDI algorithms validity to similar equipments (i.e., governed by similar equations).
The development of a high-fidelity dynamic model of an EMA and its consequent experimental validation are thus, of paramount importance for the design of a deterministic model-based condition-monitoring, especially for the failure transients characterisation (with particular reference to the ones related to jamming faults, literature information is scarce). The basic objective of this work is thus to design and validate a deterministic model-based monitoring system of a fault-tolerant EMA for primary flight controls developed by Umbragroup (Italy), aiming at demonstrating the potential applicability of the actuator for safety-critical aerospace applications. In previous works by the authors [44,45], a preliminary performance verification of the monitoring system was obtained, but the experimental validation of the model was limited to the normal condition and the accuracy in terms of motor currents response was poor. This paper substantiates the effectiveness of the condition-monitoring design, by enhancing the EMA model accuracy and extending its experimental validation in both time and frequency domains to all the system operative modes.

System Architecture
The reference actuator is a fault-tolerant EMA (Figure 1a) In deterministic model-based techniques, which this paper refers to, the knowledge of dynamics with faults is derived from a mathematical model, capable of simulating the faults occurrence by physical first-principles [33][34][35][36], which is experimentally-validated with reference to normal and/or regime faulty conditions. Oppositely to the data-driven case, this method generally provides less accurate predictions, but it is cost-effective, it allows to verify FDI functionalities in extreme conditions and (above all) permits to generalise the FDI algorithms validity to similar equipments (i.e., governed by similar equations).
The development of a high-fidelity dynamic model of an EMA and its consequent experimental validation are thus, of paramount importance for the design of a deterministic model-based condition-monitoring, especially for the failure transients characterisation (with particular reference to the ones related to jamming faults, literature information is scarce). The basic objective of this work is thus to design and validate a deterministic model-based monitoring system of a fault-tolerant EMA for primary flight controls developed by Umbragroup (Italy), aiming at demonstrating the potential applicability of the actuator for safety-critical aerospace applications. In previous works by the authors [44,45], a preliminary performance verification of the monitoring system was obtained, but the experimental validation of the model was limited to the normal condition and the accuracy in terms of motor currents response was poor. This paper substantiates the effectiveness of the condition-monitoring design, by enhancing the EMA model accuracy and extending its experimental validation in both time and frequency domains to all the system operative modes.

System Architecture
The reference actuator is a fault-tolerant EMA (Figure 1a), basically composed of

Mechanical Transmission
The mechanical transmission of the EMA is based on differential ball-screws couplings. The two motors engage, via rotor-integrated ball-nuts, an intermediate screwshaft having . . .
in which p s1 and p s2 are the leads of the motor screw-nut couplings and p s3 is the lead of the output shaft screw. Theoretically, there are infinite combinations of motors motions generating the same output translation, Equation (3). However, a set of relevant combinations of motors speeds has been selected to define the EMA operative modes, Table 1.
In active/stand-by modes (ASB and SBA in Table 1), one motor rotates and the other is de-energized and held by the related brake, so that the screwshaft has a roto-translating motion, Equations (1) and (2). In active/active modes, both motors rotate and, depending on their speeds, the motion of the screwshaft can range from roto-translation to pure translation or pure rotation (AAPT and AAPR in Table 1). Among all possible active/active modes generating the screwshaft roto-translation, one implies a balanced power split among the motors in quasi-dynamic regime (i.e., at constant motors speeds). This speeds combination, given by Equation (4), is imposed by the EMA control laws if no jamming or motor faults are detected, obtaining the so-called "active-active equal power" mode (AAEP in Table 1).

Electronic Control Unit and Sensors
The electronic section of the EMA includes dual ECUs (whose architectural block diagram is depicted in Figure 2) for the independent drive of the motors, and each ECU is composed of two boards: one dedicated to the closed-loop control (CON board) and the other to the condition-monitoring (MON board).
The CONi board (with i = 1, 2) is connected with the inverter of the i-th motor, which is controlled by a TMS320F28335 Texas Instruments Microcontroller (C2000 real-time series) [46].
The electronic section of the EMA includes dual ECUs (whose architectural block diagram is depicted in Figure 2) for the independent drive of the motors, and each ECU is composed of two boards: one dedicated to the closed-loop control (CON board) and the other to the condition-monitoring (MON board).
The CONi board (with i = 1, 2) is connected with the inverter of the i-th motor, which is controlled by a TMS320F28335 Texas Instruments Microcontroller (C2000 real-time series) [46]. Concerning data exchange among the ECU boards, the MONi board (with i = 1, 2) is interfaced with:  Concerning data exchange among the ECU boards, the MONi board (with i = 1, 2) is interfaced with: one of the two set of current sensors of the i-th motor. Table 2 reports the main characteristics of the sensors used for the closed-loop control and condition-monitoring functions.

Condition-Monitoring System
The condition-monitoring system developed for each MON_i board essentially includes (together with signal-based threshold checks on overheating, communication bus consistency and hardware components functionality) the following model-based algorithms: • Motion Monitor; • Currents Monitor; • Jamming Monitor. The Motion Monitor calculates voted position values for the two motors, and the output shaft, by using triple redundant signals. This is obtained analytically, by combining the measurements of the dual sensors with model-based reconstructions derived from kinematic relationships. In fact, by reformulating Equation (3) in terms of displacements, once that two out of the three quantities θ 1 , θ 2 and x o are known, the resting one can be estimated. Taking into account that the LVDTs provide two linear feedback signals (LF1 and LF2) and that two consolidated angle feedbacks (CAF1 and CAF2, each one obtained by the resolvers related to the i-th motor) are available, five position estimates can be calculated, Equations (5) The system can thus apply a triple redundancy on each position signal, up to obtain voted output position feedback (VLF) as well as voted angle feedbacks (VAF1 and VAF2), and it is capable of tolerating up to two position sensors faults, except the fault of two resolvers located on different motors, Table 3.

Currents Monitor
The Currents Monitor aims to detect and isolate current sensors faults and motor phases faults, as well as to calculate voted values of phase currents. Also in this case, a model-based technique is used: when a three-phase PMSM correctly operates, the sum of its phase currents is constant (near to zero). From the six current measurements related to the i-th motor (I x i Y , where x = a, b, c is the motor phase; Y = C, M is the CON or MON sensors set), eight sums of currents can be obtained, Equation (10).
As reported in Table 4, by selecting the sums of currents (Σ i h , with h = 1, . . . , 8) that contain the same measurement, it is possible to construct six groups (G aC , G bC , G cC , G aM , G bM and G cM ). Then, by selecting the groups of sums of currents that also contain the same current data, three classes are obtained (C a , C b , C c ).  Table 4. Currents Monitor: groups and classes for FDI of sensors and coil faults to the i-th motor.

Sums of Currents Common Measurement Class
The algorithm generates the following diagnostic outputs: • if all sums of currents do not exceed a predefined threshold, no fault is detected; • if the threshold is exceeded by all the sums of currents belonging to a group, a fault of the sensor providing the common measurement is detected; • if the threshold is exceeded by all the sums of currents included in a class, a fault of the common coil included in the class is detected.

Jamming Monitor
The Jamming Monitor algorithm is composed of two sections executed in series, dedicated to the fault detection on the motors and the screwshaft, respectively.
In particular, for each k-th monitoring sample (k = 1, 2, . . . ), the algorithm defines a fault flag vector F mon , in which four Boolean variables identify the occurrence of the four possible jamming events (F mon|1 and F mon|2 for the motors jamming, F mon|ssRJ and F mon|ssTJ for the screwshaft rotational and translational jamming respectively), Equation (11) If no jamming is detected, all the fault flag vector components are 0 (i.e., false Boolean values). Otherwise, if a jamming is detected, at least one fault flag vector component is 1 (i.e., true Boolean value). The jamming is also isolated if only one vector component is 1.
Each algorithm section uses a generalized Jamming-Detection Logic (JDL), whose flow chart is reported in Figure 3: the fault flag (F mon ) is generated by elaborating a monitor signal (ε mon ) sampled at the monitoring frequency (f mon ). If the monitor signal is lower than a pre-defined threshold (ε th ), a fault counter (c mon ) is increased by 2; if the threshold is exceeded, the fault counter is decreased by 1 if it is positive at the previous step, otherwise it is held at 0. The jamming is detected, when the fault counter exceeds a pre-defined value (c mon max , which basically defines the FDI latency).
The Jamming Monitor algorithm is composed of two sections executed in series, dedicated to the fault detection on the motors and the screwshaft, respectively.
In particular, for each k-th monitoring sample (k = 1, 2, …), the algorithm defines a fault flag vector Fmon, in which four Boolean variables identify the occurrence of the four possible jamming events (Fmon|1 and Fmon|2 for the motors jamming, Fmon|ssRJ and Fmon|ssTJ for the screwshaft rotational and translational jamming respectively), Equation (11) If no jamming is detected, all the fault flag vector components are 0 (i.e., false Boolean values). Otherwise, if a jamming is detected, at least one fault flag vector component is 1 (i.e., true Boolean value). The jamming is also isolated if only one vector component is 1.
Each algorithm section uses a generalized Jamming-Detection Logic (JDL), whose flow chart is reported in Figure 3: the fault flag (Fmon) is generated by elaborating a monitor signal (εmon) sampled at the monitoring frequency (fmon). If the monitor signal is lower than a pre-defined threshold (εth), a fault counter (cmon) is increased by 2; if the threshold is exceeded, the fault counter is decreased by 1 if it is positive at the previous step, otherwise it is held at 0. The jamming is detected, when the fault counter exceeds a pre-defined value (cmon max, which basically defines the FDI latency). In the first section of the algorithm, the jamming related to the i-th motor (i = 1, 2) is targeted. The monitor signal (εmon|i) is defined as the variation of the motor rotation (θi) between two samples, Equation (12), In the first section of the algorithm, the jamming related to the i-th motor (i = 1, 2) is targeted. The monitor signal (ε mon|i ) is defined as the variation of the motor rotation (θ i ) between two samples, Equation (12), and the algorithm operates as follows, Equation (13): if the i-th motor rotation demand (θ i d ) between two samples varies for more than a pre-defined threshold (ε d i ), the JDL is executed to define the related fault flag (F mon|i ); otherwise, all fault flags are set to 0 and the system operates normally (AAEP mode). If a motor jamming is detected by the JDL, the related fault flag becomes true and the control laws are reconfigured to engage the appropriate active/stand-by mode (ASB or SBA). The second section of the algorithm is instead dedicated to the screwshaft jamming FDI, which can result in a rotational or in a translational stuck, due to the jamming of the internal or external screw-nut couplings respectively. A model-based approach is again applied. In normal conditions (AAEP mode), the motors speeds are correlated via Equation (4), while, if there is a screwshaft rotation jamming, the mechanical train imposes that . θ 1 = p s2 /p s1 . θ 2 (given by . θ ss = 0 in Equation (1)). Otherwise, if the jamming causes a translation stuck, the transmission imposes . θ 1 = . θ 2 (given by . x ss = 0 in Equation (2)). Starting from these considerations, the screwshaft jamming is detected by:  (14).
It is worth noting that, if no jamming is occurred, δ sr is very small, due to the speed tracking of the EMA control laws, while it is large if there is a jamming. In fact, if we impose the kinematic relationships with or without a screwshaft jamming, the output speed estimate can be approximated via Equation (15) and δ sr is given by Equation (16).
In case of jamming faults, the first contributions at second hands in Equation (16) have large amplitudes (while the second ones are minor, due to motors speed tracking), i.e., any screwshaft jamming implies that δ sr is large.
The screwshaft jamming isolation (i.e., rotational or translational stuck) is finally obtained by executing two JDL algorithms in parallel, as summarized by Equations (17) and (18).
Concerning the parameters of the Jamming Monitor algorithm, they have been defined (Table 5), by taking into account the available computational resources of the ECUs, which have limited the monitoring sampling rate to 2 kHz, and by imposing that the following maxima FDI latencies: • 100 ms for the screwshaft jamming faults; • 20 ms for the motors jamming, to account for additional delays due to the brake activation and engagement.

Nonlinear Dynamic Modelling
As described in Section 2.4, the condition-monitoring algorithms are designed via deterministic model-based approach, by performing threshold checks on monitor signals generated by theoretical predictions of the system behaviour. In practical terms, these predictions can significantly deviate from the actual dynamics (e.g., the sums of the phase currents are not constant, the mechanical train compliance alters the validity of the "rigid" kinematic relationships, the closed-loop bandwidth limitations imply that the motors speed tracking is not ideal), so the FDI effectiveness is generally questionable and it must be verified well before the EMA manufacturing. The development of a high-fidelity dynamic model and its consequent experimental validation are thus of paramount importance for a deterministic model-based conditionmonitoring, especially for the failure transient characterisation. In previous works by the authors [44,45], a preliminary verification of performances were obtained, but the accuracy in terms of motors currents response was poor and the experimental validation was limited to the normal operative condition. Here, an enhanced model of the EMA dynamics is proposed, which has been experimentally validated with reference to all the five operative modes of the EMA ( Table 1). The model is composed of: • an electromechanical section, simulating • FOC current dynamics (differently from [44,45], both quadrature and direct currents are simulated); • 5-degree-of-freedom mechanical transmission, with equations of motions related to motors rotation, output translation and screwshaft rotation and translation; • sliding friction on motors and output shaft described via combined "Coulombtanh" model [51,52], with optimized parameters with respect to [44,45]; • mechanical endstrokes (no model was included in [44,45]); • jamming faults, implying the sudden block of motors rotation, screwshaft rotation or screwshaft translation; • an electronic section, including • sensors errors and nonlinearities (bias, noise, resolution); • commands nonlinearities (saturation, rate limiting); • digital signal processing at 2 kHz sampling rate for both monitoring (Table 5) and closed-loop control functions.
As far as the normal operation is concerned (i.e., no faults), the electro-mechanical section of the model, schematically represented by Figure 4, is governed by Equations (19)-(24), J ss ..
x ss p s1 m ss ..
x ss p s1 x ss p s2 where V q i , V d i , i q i and i d i are the quadrature and direct voltages and currents of the i-th motor, J i and J ss are the motors and the screwshaft inertias, m ss and m o are the screwshaft and output shaft masses, R is the motors phase resistance, L d and L q are the motors inductances in the rotor frame (which are identical in the reference EMA, because the PMSMs have surface-mounted magnets), k t is the motors torque constant, n d is the number of motors pole pairs, F e is the external load, k m and d m are the stiffness and damping referred to the roto-translating motion deformation of the m-th screw-nut coupling (with m = 1, 2, 3), while T fr i , ω fr i , F fr o and v fr o are the parameters of the "Coulomb-tanh" friction models related to the i-th motor and the output shaft, respectively. iron losses in the motor [53,54], but the inclusion of these model features would entail minor effects for the examined application. In particular, the mechanical freeplay, due to the screw-nut couplings preload, was extremely small in the reference EMA and its contribution in the model would have been poor. Similarly, the motor iron losses have been neglected because they depend on electrical frequency, which is relatively small for the reference EMA (<60 Hz, Table 6) and their impact on actuator dynamics in the positiontracking frequency range (<20 Hz) is expected to be minor. On the other hand, more accurate friction models (including load and temperature dependence) could significantly enhance the simulation, but a simplified approach has been preferred for both the lack of detailed information and to limit the number of model parameters. The EMA model has been developed in the Matlab-Simulink-Stateflow environment and the numerical simulation is solved by the Runge-Kutta method, with 10 −5 s integration step. It is worth noting that the choice of a fixed-step solver is not strictly related to the objectives of this work, in which the model (once experimentally validated) is used for "off-line" simulations testing the FDI algorithms, but it has been selected for the next steps of the project, when the FDI system will be implemented in the ECU boards via automatic Matlab compiler and executed in "real-time".
The parameters of the electro-mechanical section of the model are given in Table 6.  Concerning the jamming faults, they are simulated as instantaneous stops of the moving element, as described by Equation (25), in which z is the position of the element interested by the jamming fault (i.e., z = θ 1 or z = θ 2 for motors jamming and z = θ ss or z = x ss for screwshaft rotational or translational jamming), t f is the time at which the fault is injected, while z 0 and . z 0 are the initial position and speed.
It is worth noting that the proposed model represents a balance between prediction accuracy, objectives of the study and complexity of the model itself. More accurate simulations could include mechanical freeplay [30], sophisticated friction models [51,52] and iron losses in the motor [53,54], but the inclusion of these model features would entail minor effects for the examined application. In particular, the mechanical freeplay, due to the screw-nut couplings preload, was extremely small in the reference EMA and its contribution in the model would have been poor. Similarly, the motor iron losses have been neglected because they depend on electrical frequency, which is relatively small for the reference EMA (<60 Hz, Table 6) and their impact on actuator dynamics in the positiontracking frequency range (<20 Hz) is expected to be minor. On the other hand, more accurate friction models (including load and temperature dependence) could significantly enhance the simulation, but a simplified approach has been preferred for both the lack of detailed information and to limit the number of model parameters.
The EMA model has been developed in the Matlab-Simulink-Stateflow environment and the numerical simulation is solved by the Runge-Kutta method, with 10 −5 s integration step. It is worth noting that the choice of a fixed-step solver is not strictly related to the objectives of this work, in which the model (once experimentally validated) is used for "off-line" simulations testing the FDI algorithms, but it has been selected for the next steps of the project, when the FDI system will be implemented in the ECU boards via automatic Matlab compiler and executed in "real-time". The parameters of the electro-mechanical section of the model are given in Table 6.

ECU Prototype for Experimental Tests
Since one of the main objectives of the research was to assess the FDI capabilities of the condition-monitoring system in case of mechanical jamming or motors faults before the final design of the dual CON-MON ECUs, an intermediate step has been made, by developing a prototype simplex ECU.
In the prototype ECU (whose block diagram is reported in Figure 5), the conditionmonitoring algorithms and the redundancy management functions are not implemented, but the fault-tolerant closed-loop control is the same of the final design.
Considering that, as outlined in Table 1, the relationship between the output shaft speed and the motors speeds varies with the operative mode, some kind of reconfiguration technique must be implemented to assure the system stability and the dynamic performances in all modes. In the proposed design, based on three nested loops, on motors currents, motors speeds and output shaft position, • all the regulators implement proportional/integral actions on tracking error signals, plus anti-windup function with back-calculation algorithm [55] to compensate for commands saturation; • the innermost loops on motors currents and motors speeds are processed at 2 kHz and use fixed parameters (i.e., they don't vary with EMA mode). They provide tracking bandwidths of 420 Hz and 58 Hz, on currents and speeds, respectively; • the reconfiguration strategy is applied to the outermost loop only, which is processed at 1 kHz (due to a prototype ECU limitation) and it can be reconfigured through a dedicated mode switching signal.

Experimental Validation of the Model
Excerpts of the model validation results are reported from Figures 6-11. The most relevant time-domain responses are reported from Figures 6-8, with reference to both active/stand-by modes and the normal operation (AAEP mode), by focusing the attention on position and currents dynamics. All the time-domain responses are referred to position tracking tests in which the EMA is commanded to follow a large-amplitude rate-limited square-wave signal under 100 kN/m spring-type load, which is roughly representative of the worst-case flight conditions. More precisely, by referring to Equation (24), the test have been carried out by imposing where ke = 10 5 N/m and xo max = 0.025 m. Thus, from Figures 6-8, the external load is opposite to (aiding) the EMA motion when the output speed is positive (negative). Satisfactory results are generally obtained, with concrete enhancement of the motor currents predictions with respect to [44,45]. In SBA mode, the currents prediction is accurate in both steady-state and transient phases, with overall accuracy of 2 A, Figure 6b. The predictions in terms of position response are more accurate (it is expected since the signal is characterised by a low-frequency content), with errors lower than 0.15 mm (0.3% of the EMA full stroke), Figure 6a. In ASB mode, the errors on currents simulation during steady-state conditions are limited to 2 A (i.e., 8% of the maximum current), but the errors tend to increase at the abrupt transients derived from command signal variations and when the EMA performs a dynamic position tracking with aiding load, Figure 7b. This behaviour essentially depends on the simplified friction model used for the EMA simulation: a load-dependant model could probably enhance the results and further developments of the research will take into account this point. Concerning the position response, it anyway exhibits a good accuracy, with errors lower than 0.25 mm (0.5% of the EMA full stroke). It is also worth noting that both simulation and experiment point out that the position response is characterised by a slight overshoot (0.75 mm), related to a too moderate anti-windup action in the position regulator, Figure 7a. Similar results characterise the simulation in AAEP mode (Figure 8), even if the prediction errors on position response  In the dual CON-MON ECUs, the mode switch comes from the condition-monitoring algorithms, while in the prototype ECU it is imposed by the operator via the test rig, together with the EMA position demand ( Figure 5).
Thanks to this prototype ECU, the system dynamic performances have been characterized in both frequency and time domains for each operative mode, aiming to validate the simulation results provided by the EMA model and to permit the design of the conditionmonitoring algorithms via model-based approach. The frequency responses highlight that the model is very accurate for small-displacement dynamics (relevant for flight control applications): for input frequencies up to 10 Hz, the prediction errors are actually comparable to sensors accuracy (i.e., 0.1% of the EMA full stroke).

Jamming Failure Transient Characterisation
The validated model is then used to verify the condition-monitoring performances, by injecting the jamming faults in different points of the mechanical train and by evaluating the FDI latency to implement the correct operative mode switching and the control laws reconfiguration. The most relevant results are reported from Figures 12-14 and are related to the motor 2 jamming and to the screwshaft jamming respectively. To evaluate the effectiveness of the Jamming Monitor (JM), the responses in terms of output position and motors speeds are reported with and without the JM execution.
All the simulations are carried out by commanding the EMA, under 2.4 kN compressive load, to track a large-displacement demand (±18 mm, i.e., 75% of the EMA full stroke) at maximum speed and by simulating a jamming when the actuator reaches its midstroke (i.e., at 2.03 s).

Jamming Failure Transient Characterisation
The validated model is then used to verify the condition-monitoring performances, by injecting the jamming faults in different points of the mechanical train and by evaluating the FDI latency to implement the correct operative mode switching and the control laws reconfiguration. The most relevant results are reported from Figures 12-14 and are related to the motor 2 jamming and to the screwshaft jamming respectively. To evaluate the effectiveness of the Jamming Monitor (JM), the responses in terms of output position and motors speeds are reported with and without the JM execution.
All the simulations are carried out by commanding the EMA, under 2.4 kN compressive load, to track a large-displacement demand (±18 mm, i.e., 75% of the EMA full stroke) at maximum speed and by simulating a jamming when the actuator reaches its midstroke (i.e., at 2.03 s). The most relevant time-domain responses are reported from Figures 6-8, with reference to both active/stand-by modes and the normal operation (AAEP mode), by focusing the attention on position and currents dynamics. All the time-domain responses are referred to position tracking tests in which the EMA is commanded to follow a large-amplitude rate-limited square-wave signal under 100 kN/m spring-type load, which is roughly representative of the worst-case flight conditions. More precisely, by referring to Equation (24), the test have been carried out by imposing where k e = 10 5 N/m and x o max = 0.025 m. Thus, from Figures 6-8, the external load is opposite to (aiding) the EMA motion when the output speed is positive (negative). Satisfactory results are generally obtained, with concrete enhancement of the motor currents predictions with respect to [44,45]. In SBA mode, the currents prediction is accurate in both steady-state and transient phases, with overall accuracy of 2 A, Figure 6b. The predictions in terms of position response are more accurate (it is expected since the signal is characterised by a low-frequency content), with errors lower than 0.15 mm (0.3% of the EMA full stroke), Figure 6a. In ASB mode, the errors on currents simulation during steady-state conditions are limited to 2 A (i.e., 8% of the maximum current), but the errors tend to increase at the abrupt transients derived from command signal variations and when the EMA performs a dynamic position tracking with aiding load, Figure 7b. This behaviour essentially depends on the simplified friction model used for the EMA simulation: a loaddependant model could probably enhance the results and further developments of the research will take into account this point. Concerning the position response, it anyway exhibits a good accuracy, with errors lower than 0.25 mm (0.5% of the EMA full stroke). It is also worth noting that both simulation and experiment point out that the position response is characterised by a slight overshoot (0.75 mm), related to a too moderate anti-windup action in the position regulator, Figure 7a. Similar results characterise the simulation in AAEP mode (Figure 8), even if the prediction errors on position response increase during the overshoot phase, by reaching 0.8 mm (1.6% of the EMA full stroke).
Excerpts of results of the frequency-domain validation of the model are then reported from Figures 9-11, in which the position tracking responses to sinusoidal demand waves of 0.5 mm (i.e., 1% of the EMA full stroke) under a 2 kN compressive load are proposed in terms of amplitude and phase of the first harmonic signal component. The plots also report the speed and acceleration limits of the EMA and it can be verified that, in the examined frequency range and for all operative modes, the system works without encountering saturation phenomena.
The frequency responses highlight that the model is very accurate for small-displacement dynamics (relevant for flight control applications): for input frequencies up to 10 Hz, the prediction errors are actually comparable to sensors accuracy (i.e., 0.1% of the EMA full stroke).

Jamming Failure Transient Characterisation
The validated model is then used to verify the condition-monitoring performances, by injecting the jamming faults in different points of the mechanical train and by evaluating the FDI latency to implement the correct operative mode switching and the control laws reconfiguration. The most relevant results are reported from Figures 12-14 and are related to the motor 2 jamming and to the screwshaft jamming respectively. To evaluate the effectiveness of the Jamming Monitor (JM), the responses in terms of output position and motors speeds are reported with and without the JM execution.    The simulation points out that in case of motor 2 jamming, causing the operation to switch from AAEP to ASB mode (Figure 12), the FDI latency is extremely small (10 ms, similar to the one obtained in [44,45]), but immediately after the fault compensation the EMA tends to diverge from the correct position tracking, Figure 12a. This behaviour results from an imperfect reconfiguration of the position regulator (related to integral operator initialization), which implies a reverse speed demand to the active motor, Figure 12b.
The failure transient related to the screwshaft translational jamming, causing the operation to switch from AAEP to AAPR mode (Figure 13), is effectively minimized by the JM (FDI latency is 15 ms, larger than the one obtained in [44,45]), even if the EMA dynamic performances after the fault are significantly reduced (as also confirmed by Figure 10a). The faulty dynamics without JM is dramatically negative, since the EMA reacts to the jamming by oppositely diverging with respect to the position demand and it rapidly reaches the endstroke, Figure 13a. It is worth noting that the model enhancement has permitted to correctly reproduce this critical behaviour, by including the simulation of the impact on mechanical endstrokes.
Finally, the results related to the screwshaft rotational jamming, causing the operation to switch from AAEP to AAPT mode (Figure 14), point out that the FDI latency is more concrete (90 ms, again larger than the one obtained in [44,45]), but no relevant variation in tracking performances is observable after the fault (Figure 14a), because the reconfiguration of motors speeds demands generated by the fault-tolerant control laws are very close to the ones before the fault, Figure 14b. All the simulations are carried out by commanding the EMA, under 2.4 kN compressive load, to track a large-displacement demand (±18 mm, i.e., 75% of the EMA full stroke) at maximum speed and by simulating a jamming when the actuator reaches its midstroke (i.e., at 2.03 s).
The simulation points out that in case of motor 2 jamming, causing the operation to switch from AAEP to ASB mode (Figure 12), the FDI latency is extremely small (10 ms, similar to the one obtained in [44,45]), but immediately after the fault compensation the EMA tends to diverge from the correct position tracking, Figure 12a. This behaviour results from an imperfect reconfiguration of the position regulator (related to integral operator initialization), which implies a reverse speed demand to the active motor, Figure 12b.
The failure transient related to the screwshaft translational jamming, causing the operation to switch from AAEP to AAPR mode (Figure 13), is effectively minimized by the JM (FDI latency is 15 ms, larger than the one obtained in [44,45]), even if the EMA dynamic performances after the fault are significantly reduced (as also confirmed by Figure 10a). The faulty dynamics without JM is dramatically negative, since the EMA reacts to the jamming by oppositely diverging with respect to the position demand and it rapidly reaches the endstroke, Figure 13a. It is worth noting that the model enhancement has permitted to correctly reproduce this critical behaviour, by including the simulation of the impact on mechanical endstrokes.
Finally, the results related to the screwshaft rotational jamming, causing the operation to switch from AAEP to AAPT mode (Figure 14), point out that the FDI latency is more concrete (90 ms, again larger than the one obtained in [44,45]), but no relevant variation in tracking performances is observable after the fault (Figure 14a), because the reconfiguration of motors speeds demands generated by the fault-tolerant control laws are very close to the ones before the fault, Figure 14b.

Conclusions
A condition-monitoring system for the detection and isolation of faults in a faulttolerant EMA for flight control applications is developed via deterministic model-based approach. The monitoring algorithms are designed and verified by using a detailed nonlinear model of the EMA, which simulates, by physical first-principles, the most relevant phenomena involved in the system dynamics (structural compliance of the mechanical train, field-oriented control of the motors currents, sliding friction, digital signal processing, sensors errors, major faults). The model is experimentally validated in both time and frequency domains for normal operative conditions and with jamming faults. The results demonstrate that the EMA is capable of operating after a mechanical jamming. A particular attention is paid to the failure transient characterisation (strongly relevant for aircraft applications), pointing out that the monitoring algorithms, composed of two sections dedicated to the blocks of motors and differential screws, respectively, succeed in detecting and isolating the fault at different locations of the mechanical transmission, with fault latency lower than 90 ms.