Fault Diagnosis and Reconfigurable Control for Commercial Aircraft with Multiple Faults and Actuator Saturation

Active fault-tolerant control systems perform fault diagnosis and reconfigurable control. There is a bidirectional uncertainty between them, and an integrated scheme is proposed here to account for that. The system considers both actuator and sensor faults, as well as the external disturbance. The diagnostic module is designed using an unknown input observer, and the controller is constructed on the basis of an adaptive method. The integrated strategy is presented, and the stability of the overall system is analyzed. Moreover, different kinds of anti-windup techniques are utilized to modify the original controllers, because of the different controller structures. A simulation of the integrated anti-windup fault-tolerant control method is demonstrated using a numerical model of the Boeing 747. The results show that it can guarantee the stability of the post-fault aircraft and increase the control performance for the overall faulty system.


Introduction
The electrical flight control system (EFCS) is the industrial standard for commercial aircraft and has been widely used in the aviation sector, because it can improve the safety and performance of aircraft [1]. Following the development of commercial aircraft, EFCSs are becoming more complex than before and the performance requirements (such as safety, reliability, maintainability, etc.) have increased [2]. In response to this, fault-tolerant control (FTC) has gained importance because it can deal with system faults automatically, make the system stable, and regain the performance of faulty aircraft. Furthermore, fault signal monitoring has improved so that the integration of estimation and reconfiguration has attracted particular interest during the last decade [3].
FTC consists of passive fault-tolerant control (PFTC) and active fault-tolerant control (AFTC) [4]. In PFTC, a class of presumed faults is tackled by the designed controller, so that it is a special kind of robust control. The structure of the controller is simple because there is no need to add a diagnostic module, but the fault-tolerant capability is limited [5,6]. Thus, recently the focus has been on AFTC because of its outstanding fault handling capability [7][8][9][10][11][12][13]. The main feature of AFTC is that it contains both estimation and reconfiguration. In most of the literature, these two modules are designed independently in the FTC system, and the estimation is used only for monitoring or diagnosis. Moreover, its capability is often overrated, and very few articles concentrate on an integrated scheme for fault-tolerant controller design.
To design an active fault-tolerant controller capable of addressing the mentioned difficulties, it is necessary to develop an integrated design method, with no need for a prior

System Modeling
It is necessary to construct an appropriate aircraft model for the integrated design. The model of an aircraft during normal operation (without faults and actuator constraints) is described as where $x = [u_a\ w_a\ q\ \theta]^T$ denotes the system state, in which $u_a$ is the forward velocity, $w_a$ is the vertical velocity, $q$ is the pitch angle rate, and $\theta$ is the pitch angle; $y = \theta$ denotes the system output; and $u = [\delta_{e1}\ \delta_{e2}\ \delta_{e3}\ \delta_{e4}]^T$ denotes the system input, in which $\delta_{ei}$ is the perturbation from trim in the $i$th elevator. $A$, $B$, and $C$ are the system matrix, the input matrix, and the output matrix, respectively. The detailed expressions are shown in Appendix A.
If the aircraft operates in the presence of actuator and sensor faults, system (1) can be rewritten under the fictitious multiplicative fault formulation as where $u_c$ denotes the controller outputs, $f_m = (L - I)u_c$ denotes the fictitious multiplicative actuator fault value, $L = \mathrm{diag}\{l_1, l_2, l_3, l_4\}$ is an indication matrix, $l_i \in [0, 1]$ is the effectiveness factor, $f_a$ denotes the additive actuator fault value, $d$ denotes the external disturbance, $y_o$ denotes the measured output, and $f_s$ denotes the sensor fault value. The detailed modeling and analysis for faults can be found in reference [25].
Assumption 1 ([5]). All of the faults and disturbance in (2) are norm-bounded, and the first time derivatives of faults are norm-bounded, too.
Considering Assumption 1, we can augment the faulty system (2) into where

Integrated Strategy and Anti-Windup Modification
In the AFTC strategy, there is a pairing between the estimation and reconfiguration, that is, the controller needs fault information provided by the estimator, and the estimator needs to know which strategy is available for reconfiguration [5]. Moreover, actuator saturation is the most common nonlinearity in a control system and affects its stability [26]. Thus, the integrated fault-tolerant control scheme and its anti-windup modification are important for EFCS because they ensure that the aircraft tracks the command signal in the presence of actuator faults and saturations. Inspired by this problem, a novel integrated anti-windup method for linear systems is presented.

Integrated Reconfigurable Controller Design
An integrated scheme is utilized to design the reconfigurable controller in this subsection. In the augmented faulty model (3), the unknown fault values $f_m$, $f_a$, and $f_s$ are contained in $x_a$ and are obtained by using the diagnostic module. The design procedure of the integrated strategy contains three steps: (1) design a reconfigurable controller to control the aircraft to track the desired command, (2) design a fault estimator to estimate the states of the augmented faulty system, and (3) calculate the undecided parameters of the controller and estimator by analyzing the stability of the overall system.
Augment the healthy system (1) into
$$\dot{x}_n = A_n x_n + B_n u, \qquad y = C_n x_n \tag{4}$$
The reference control law is chosen as where $\dot{x}_g = r - y$ is the controller state vector, $r$ is the command signal, and $G_x$ and $G_g$ are control gains. Thus, the reference model (as a command generator) represented by the augmented system (4) and the reference controller (5) is obtained as The system dynamics are shown to be completely controllable by calculating the controllability matrix, and the detailed data are given in Appendix A. An optimal control technique (such as LQR) is used here to adjust the reference controller gains. The detailed design procedure can be found in [7], and thus it is omitted here.
Moreover, the system dynamics can be derived from (3) by introducing a new control variable $\dot{x}_g = r - y_o$ as where Defining the error between the reference model state and the system state as $e_{mp} = x_m - x_p$, a reconfigurable control law is chosen as Substituting the reference model (6), the system (7), and the control law (8) into the error expression yields where $\xi_{mp} = -d_a$. $G_e$ and $G_m$ are control gains, and are designed by analyzing the stability of the post-fault aircraft model, that is, ensuring $\dot{e}_{mp} = (A_p - B_p G_e)e_{mp} + \xi_{mp}$, where $(A_p - B_p G_e)$ is a Hurwitz matrix.
The term $\xi_{mp}$ represents the errors between the faulty aircraft and the reference model, and it affects the control performance. Furthermore, the control gains are calculated by an adaptive integrated strategy to address the unknown external disturbance and system parameter errors.
In the design procedure of the fault estimator, an observer is described as where $x_o$ is the observer state vector and $\hat{x}_a$ is the estimate of $x_a$. The remaining undefined matrices are designed observer gain matrices. The design objective is to make sure that the error $e_{ao} = x_a - \hat{x}_a$ between the faulty system state $x_a$ and its estimate $\hat{x}_a$ converges to zero. Substituting (3) and (10) into $\dot{e}_{ao} = \dot{x}_a - \dot{\hat{x}}_a$ yields where

Remark 1.
Based on the works in [27,28], the rank condition for the designed observer (10) is $\mathrm{rank}(C_a D_a) = \mathrm{rank}(C_a)$, where $D_a$ is the coefficient matrix of $d_a$ in (3). As $D_a$ is chosen as an identity matrix $I$ in this paper, the rank condition is satisfied.
The observer matrices are designed by analyzing the stability of the system, that is, ensuring $\dot{e}_{ao} = M e_{ao} + \xi_{ao}$, where $M$ is Hurwitz. The term $\xi_{ao}$ represents a coupling between estimator and controller, and it affects the estimation performance. The integrated scheme is shown in Figure 1. The following theorem is proposed to guarantee the stability of the overall system and to calculate the corresponding adaptive adjustment laws.
Theorem 1. The integrated system consisting of (3), (8) and (10) is asymptotically stable if the gains of controller and estimator hold so that where $P_{mp}$, $P_{ao}$, $\Xi_1$, and $\Xi_2$ are symmetric positive-definite matrices.
Proof. Rewrite the controller error dynamic system as where $\bar{A}_p$ is a Hurwitz matrix, $\Gamma_e = G_e(t) - G_e(0)$, and $\Gamma_m = G_m(t) - G_m(0)$. A Lyapunov candidate function is chosen as where $e_I = [e_{mp}\ e_{ao}]^T$, $P_I = \mathrm{diag}\{P_{mp}, P_{ao}\}$.
, the first and second items of (12) are obtained.
. Thus, the rest of (15) is transformed into where As $A_I$ is Hurwitz, it can be concluded that $P_I$ is the unique solution of the following Lyapunov matrix equation: where $Q_I$ is any symmetric positive-definite matrix.

Remark 2.
The errors $\xi_{mp}$ and $\xi_{ao}$ are always nonzero in the application so that it is necessary to integrate the estimator and the controller. The adaptive laws cancel the adverse effect of the coupling and improve the capability of the reconfigurable control.

Anti-Windup Mechanisms
Actuator constraints consist of rate and magnitude saturation. In this paper, a modified software rate limiter ($S_{RL}$) is utilized to address the rate constraint problem. As shown in Figure 2, the plants "$P_n$" and "$P_a$" consist of actual aircraft models, "$G_{ult}$" represents the ultimate reference controller (the original controller with/without a compensator), "$G^*_{ult}$" represents the ultimate reconfigurable controller, "M" is the reference model, and the actuator "A" is position-controlled and is subject to the saturation of physical systems (i.e., it only provides a certain amount of force or moment). In this scheme, the reference controller is modified by $S_{RL}$, and a signal $d_b(t)$ takes the place of the limiter in its quasilinear part. The reconfigurable controller can also be modified by $S_{RL}$, and another signal $d_f(t)$ takes the place of the limiter in the post-fault model. If the physical limitations of the actuators are not considered in the design procedure, the control performance will not be satisfactory and could possibly even lead to disastrous consequences. It is difficult to design integrated anti-windup controllers because of the different controller structures. The types of $D_b(s)$ (the Laplace transform of $d_b(t)$) and $D_f(s)$ (the Laplace transform of $d_f(t)$) are denoted as $T_{D_b}$ and $T_{D_f}$, respectively [29].
Theorem 2. The stable system with rate limiters will exhibit asymptotic stability in response to the injected signals $d_b(t)$ and $d_f(t)$, if the types of the ultimate controllers are greater than zero.
Proof. The block diagram algebra for the normal system can be obtained from Figure 2 as where $E_b$ is the error, $R$ is the command signal, and $Y$ is the system output. Capital letters denote the Laplace transforms of the corresponding time functions. The actuator "A" is ignored in this algorithm, because the linear part of "A" is insignificant and the rate constraint in it can be canceled by $S_{RL}$. The detailed actuator model is shown in Appendix A.
Applying the final value theorem, it can be obtained that As , the type of the first item is $T_{1b} = T_R - 1 - T_{P_n} - T_{G_{ult}}$ and the type of the second item is $T_{2b} = T_{D_b} - T_{G_{ult}}$. The stable normal system with rate limiters is going to achieve asymptotic stability if $T_{1b} < 0$ and $T_{2b} < 0$, i.e., $e_b(\infty) = 0$. Considering Assumption 2, $T_{G_{ult}} > 0$ should hold.
Furthermore, the block diagram algebra for the faulty model is shown as follows: where $P_1$, $P_2$, and $P_3$ denote the plant elements, respectively, and $G^*_{ult}$ is the ultimate expression of $G_e$. Other capital letters are the Laplace transforms of their corresponding signals.
Applying the final value theorem, it can be obtained from (20) that In a similar way, all the types of terms on the right-hand side of (21) should be less than zero. Thus, $T_{G^*_{ult}} > 0$ should hold. This completes the proof of Theorem 2.
Remark 3. In this paper, $T_{G_{ult}} = 1$ satisfies $T_{G_{ult}} > 0$, so that it is not necessary to add a compensator to the original controller; however, $T_{G_e} = 0$ does not satisfy $T_{G^*_{ult}} > 0$, so that in this case the ultimate controller can be defined with a compensator as $G^*_{ult} = \frac{G_e s + G_r}{s}$.

Remark 4.
Based on the work in [30], the software rate limiters can provide enough stability margins for the linear design. Assumption of closed-loop stability is just the first step to analyze Theorem 2, so that the final value theorem can be utilized. We can use the asymptotic stability to derive a condition about the type of the injected signals and the type of controllers. The designed rate limiters and compensators may decrease the performance of the unconstrained system, but the performance of the constrained system is improved.
For the magnitude saturation problem, as the reference controller and reconfigurable controller have different block diagram architectures, different schemes should be used to modify these two controllers. An observer-based scheme is utilized to modify the reference controller to mitigate windup, as shown in Figure 3. The control signal will not reflect the plant if there is a mismatch between $\bar{u}$ and $u_r$, which is the cause of windup. The modified reference controller is given as where $G_b$ is the designed gain matrix. The design task is to choose $G_b$ such that $-G_b G_g$ is Hurwitz. An effective design procedure is to analyze the difference between a system with actuator constraint and a system without it. The unconstrained normal system with state vector $z^u = [x^u_n\ x^u_g]^T$ is shown as and the constrained normal system with state vector $z = [x_n\ x_g]^T$ is shown as Finally, the mismatch between the two systems is $z - z^u$. Subtracting (23) from (24), the mismatch system is shown as Assuming $A_{mis}$ can be decomposed as $S_{mis}\Xi_{mis}S_{mis}^{-1}$ and choosing $W_{mis} = [0\ I]S_{mis}^{-1}$, the gain $G_b$ is designed as where $W_{mis2}$ is the last $x_g$ columns of $W_{mis}$, and $W_{mis1}$ is the remaining column of $W_{mis}$. The closed-loop system exhibits asymptotic stability.

Remark 5.
The observer-based approach is intuitively appealing as the concept of the observer is widely used [26]. Amplitude constraint is addressed by feeding back the error between $\bar{u}$ and $u_r$ to the reference controller, and it will not be modified when $\bar{u} = u_r$.
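The windup mechanism and the mismatch feedback described in Remark 5 can be seen on a scalar toy loop. This is an added example, not code or a model from the paper: the first-order plant, the PI-type law, every gain value, and the integrator form `x_g' = (r - y) + g_b*(u_bar - u_r)` are assumptions chosen for illustration, with `u_r` taken as the controller output and `u_bar` as the saturated signal that reaches the plant.

```python
# Added illustration (not from the paper): scalar loop showing integrator
# windup under magnitude saturation, and the effect of feeding the mismatch
# between the saturated and unsaturated control signals back to the integrator.
# ASSUMED: plant y' = -y + u_bar, law u_r = k_p*(r - y) + k_i*x_g, all gain
# values, and the modified integrator x_g' = (r - y) + g_b*(u_bar - u_r).


def clamp(value, limit):
    """Symmetric magnitude saturation."""
    return max(-limit, min(limit, value))


def simulate(g_b, r=15.0, u_max=20.0, k_p=2.0, k_i=5.0, dt=0.001, t_end=10.0):
    """Forward-Euler run; returns (overshoot, final_output, saturated_time_s)."""
    y = 0.0            # plant output
    x_g = 0.0          # integrator state of the controller
    peak = 0.0
    saturated_time = 0.0
    for _ in range(int(round(t_end / dt))):
        e = r - y
        u_r = k_p * e + k_i * x_g       # what the controller asks for
        u_bar = clamp(u_r, u_max)       # what the plant actually receives
        if u_bar != u_r:
            saturated_time += dt
        # With g_b = 0 the integrator keeps charging while the actuator is
        # pinned. With g_b > 0 it sees -g_b*k_i*x_g during saturation, which
        # pulls it back; the correction vanishes when u_bar == u_r.
        x_g += dt * (e + g_b * (u_bar - u_r))
        y += dt * (-y + u_bar)
        peak = max(peak, y)
    return peak - r, y, saturated_time


def compare():
    """Same command and limits, without and with the mismatch feedback."""
    return {"without": simulate(g_b=0.0), "with": simulate(g_b=1.0)}


if __name__ == "__main__":
    for name, (overshoot, final, t_sat) in compare().items():
        print(f"{name:8s} anti-windup: overshoot={overshoot:5.2f} "
              f"final={final:7.3f} saturated for {t_sat:4.2f} s")
```

Both runs settle at the command, but the unmodified loop stays saturated more than twice as long and overshoots several times further.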
As shown in Figure 4, the anti-windup problem in the reconfigurable controller is tackled by using a modified conditioning technique. "O" represents the estimator, and "$G_p$" represents the reconfigurable controller consisting of a compensator and a software rate limiter. $x_m$ is chosen as the reference signal and the controller is described as In the conditioning technique, an auxiliary input $x^r_m$, which is called the realizable reference, is chosen as a new reference signal to make sure that there is no difference between $u_c$ and $u_{cr}$. The new controller is Note that the actual reference signal $x_m$ does not appear in (28), so that an assumption on the present realizability ($\bar{u}_c = u_{cr}$) of the control is held as The $x^r_m$ is calculated by subtracting (29) from (28) as where $G_{ur} = G_m^{\dagger}$ is the designed gain.

Remark 6.
In the modified conditioning technique case, the realizable reference $x^r_m$ removes the effect of the nonlinearity on the system input, so that the reconfigurable controller is "conditioned" back to the unconstrained mode as soon as it can.

Application Example
The integrated anti-windup scheme is simulated on a numerical model of the Boeing 747, which is trimmed at straight and level flight. The external disturbance is defined as a uniform "1-cosine" vertical gust [31]. Two flight conditions are shown in Tables 1 and 2, respectively. The detailed data for this aircraft are obtained solely from a Boeing 747 simulator description (Boeing D6-30643) and are provided in the NASA report [32].
In this condition, the reference command $r = 5°$ is a step signal given at 2 s, the elevator $\delta_{e2}$ is locked at −5°, the surface deflection $\delta_{e3}$ loses 30% effectiveness, the bias of the sensor is 0.1°, and all faults are given at the same time (0 s), that is, $l_2 = 0$, $f_{a2} = -5$, $l_3 = 0.7$, and $f_s = 0.1$. The limits of magnitude and rate are ±20° and ±40°/s, respectively.
Figure 5a shows the necessity of the FTC strategy because the control performance is significantly worse in the post-fault aircraft with LQR (red) than in the healthy aircraft with LQR (blue). In Figure 5b, however, the control performance of FTC in the post-fault aircraft (red) is nearly the same as that of the LQR in the normal aircraft (blue). When there are magnitude and rate saturation modules in the actuators, as shown in Figure 6, the FTC method without anti-windup (red) will reduce the control performance or even make the system unstable. The anti-windup reconfigurable method is designed using a compensator (blue) to deal with the windup phenomenon and regains the performance of the post-fault aircraft. Figure 7 shows the estimates of actuator and sensor fault values. They are estimated accurately using the proposed estimator at about 5 s after occurrence. The faulty aircraft model with actuator saturation modules (magnitude and rate) is used in Figure 8. It compares the actuator deflections ($u_1$, $u_2$, $u_3$, $u_4$) and rates ($r_1$, $r_2$, $r_3$, $r_4$) between the original FTC method and the FTC with anti-windup capability. The actuators with FTC reach their constraints so that the aircraft is unstable; on the contrary, the proposed anti-windup modifications mitigate the effects of saturation and guarantee the stability of the aircraft.
A higher altitude and faster condition than before is considered to verify the effectiveness of the presented method, where $r = 5°$ is a step signal given at 2 s, $\delta_{e1}$ is locked at 5°, $\delta_{e4}$ loses 50% effectiveness, and the bias of the sensor is −0.2°. That is, $l_1 = 0$, $f_{a1} = 5$, $l_4 = 0.5$, and $f_s = -0.2$. The limits of magnitude and rate are ±20° and ±40°/s, respectively. Figure 9 shows the pitch angles of the normal and faulty aircraft. From Figure 9a, it can be seen that the reduction of the control performance for the faulty aircraft with LQR (red) is more serious than the one in Figure 5a. However, FTC in the faulty system in Figure 9b (red) can also recover the control performance of the healthy system with LQR (blue). In Figure 10, we can get the same results as in Figure 6. Figure 11 shows the estimates of fault values. Figure 12 shows the actuator outputs of FTC and anti-windup FTC in the faulty aircraft with two kinds of saturation modules. As actuator 1 is locked at 5°, actuators 2 and 3 reach their constraints so that FTC cannot guarantee the post-fault aircraft stability. On the contrary, the anti-windup FTC can cancel out the nonlinear windup phenomenon in the actuators and make the faulty aircraft stable.

Conclusions
In this paper, we proposed a novel anti-windup integrated reconfigurable control approach for a rigid aircraft experiencing faults and actuator saturation. A reference controller using an optimal control scheme and a reconfigurable controller using an adaptive scheme are designed without actuator constraints. To obtain accurate fault signals, an estimation module using an observer-based method is presented. For the overall faulty system, an integrated strategy is utilized to calculate the adaptive adjustment control and estimate gains by analyzing the system stability. Three anti-windup schemes are utilized to modify the original designed controllers. Actuator and sensor faults are discussed and analyzed to verify the effectiveness of the proposed reconfigurable control method. The simulation results of the case study show that the presented method can decrease the effects of faults and actuator constraints in different flight conditions.

Data Availability Statement: See reference [32].

Conflicts of Interest:
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Appendix A
In this part, the detailed models for the aircraft and actuator are provided. A schematic of the Boeing 747 is shown in Figure A1, and the main control inputs for the longitudinal control are elevators. There are four independent elevators, and they can achieve the longitudinal output angle (the pitch angle). The longitudinal flight control objective is to control elevators so that the pitch angle of the aircraft can track the command signal. The expressions of the matrices in (1) can be obtained using the following small-disturbance equations for longitudinal motions:
$$\begin{cases} \dot{u}_a = X_u u_a + X_\omega \omega_a - g_0 \cos\Theta_0\,\theta + X_{\delta_e}\delta_e \\ (1 - Z_{\dot{\omega}})\dot{\omega}_a = Z_u u_a + Z_\omega \omega_a + (u_{a0} + Z_q)\,q - g_0 \sin\Theta_0\,\theta + Z_{\delta_e}\delta_e \\ \dot{q} = M_u u_a + M_{\dot{\omega}}\dot{\omega}_a + M_\omega \omega_a + M_q q + M_{\delta_e}\delta_e \\ \dot{\theta} = q \end{cases} \tag{A1}$$
whose details can be found in [33].
Combining with the expression of state $x$, $A$, $B$, and $C$ can be obtained as
Moreover, the block diagram of the actuator for the elevator is shown in Figure A2. It consists of an actuator gain $K_a$ (K 1), a saturation module for rate limiting, an integrator, and another saturation module for level constraint.
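The actuator chain just described (gain, rate saturation, integrator, level saturation) can be stepped in discrete time to see how a command is shaped before it reaches the elevator. This is an added example, not code from the paper: the gain value `k_a = 50`, the position feedback that closes the loop around the chain, the clamped integrator and the 1 ms Euler step are assumptions, while the ±20° and ±40°/s limits are the ones quoted in the Application Example.

```python
# Added illustration (not from the paper): discrete-time version of the
# elevator actuator chain of Appendix A.
# ASSUMED: k_a = 50 (no value is given on the page), position feedback around
# the chain, an integrator clamped at the level limit, forward Euler, dt = 1 ms.
# The +/-20 deg and +/-40 deg/s limits come from the Application Example.


def clamp(value, limit):
    """Symmetric saturation used for both the rate and the level limit."""
    return max(-limit, min(limit, value))


def actuator_response(command_deg, k_a=50.0, rate_limit=40.0, mag_limit=20.0,
                      dt=0.001, t_end=1.5):
    """Return (time_s, deflection_deg, rate_deg_per_s) samples for a step command."""
    deflection = 0.0
    trace = []
    for k in range(int(round(t_end / dt))):
        # Gain on the position error, then the rate saturation module.
        rate_cmd = clamp(k_a * (command_deg - deflection), rate_limit)
        # Integrator followed by the level (magnitude) saturation module.
        nxt = clamp(deflection + dt * rate_cmd, mag_limit)
        # Record the rate that was actually realized, not the requested one.
        trace.append(((k + 1) * dt, nxt, (nxt - deflection) / dt))
        deflection = nxt
    return trace


def summarize(trace):
    """Peak |deflection|, peak |rate| and final deflection of a trace."""
    return (max(abs(p) for _, p, _ in trace),
            max(abs(v) for _, _, v in trace),
            trace[-1][1])


def time_to_reach(trace, level_deg):
    """First sample time at which the deflection is at or above level_deg."""
    for t, p, _ in trace:
        if p >= level_deg:
            return t
    return None


if __name__ == "__main__":
    for cmd in (5.0, 30.0):
        peak, rate, final = summarize(actuator_response(cmd))
        print(f"command {cmd:5.1f} deg -> peak {peak:5.2f} deg, "
              f"peak rate {rate:5.2f} deg/s, final {final:5.2f} deg")
```

A 30° command is unrealizable: the surface travels at the 40°/s limit for 0.5 s and then rests on the 20° stop, which is the gap between commanded and delivered control that the anti-windup schemes have to absorb.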