
Lecture Notes in Control and Information Sciences 399


Editors: M. Thoma, F. Allgöwer, M. Morari
Christopher Edwards, Thomas Lombaerts,
and Hafid Smaili (Eds.)

Fault Tolerant Flight Control

A Benchmark Challenge

Series Advisory Board
P. Fleming, P. Kokotovic,
A.B. Kurzhanski, H. Kwakernaak,
A. Rantzer, J.N. Tsitsiklis

Editors

Christopher Edwards
University of Leicester
University Road
Leicester LE1 7RH
United Kingdom
E-mail: chris.edwards@le.ac.uk

Thomas Lombaerts
Delft University of Technology
Kluyverweg 1
P.O. Box 5058
2600 GB Delft
The Netherlands
E-mail: T.J.J.Lombaerts@tudelft.nl

Hafid Smaili
National Aerospace Laboratory NLR
Anthony Fokkerweg 2
1059 CM Amsterdam
The Netherlands
E-mail: smaili@nlr.nl

ISBN 978-3-642-11689-6 e-ISBN 978-3-642-11690-2

DOI 10.1007/978-3-642-11690-2

Lecture Notes in Control and Information Sciences ISSN 0170-8643

Library of Congress Control Number: 2010924939


© 2010 Springer-Verlag Berlin Heidelberg

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting,
reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9,
1965, in its current version, and permission for use must always be obtained from Springer. Violations
are liable for prosecution under the German Copyright Law.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not
imply, even in the absence of a specific statement, that such names are exempt from the relevant protective
laws and regulations and therefore free for general use.
Typeset & Cover Design: Scientific Publishing Services Pvt. Ltd., Chennai, India.
Printed on acid-free paper
springer.com
Preface

The European Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Control,
established in 2004 and concluded in 2008, represented a collaboration involving
thirteen European partners from industry, universities and research establishments
under the auspices of the Group for Aeronautical Research and Technology in Europe
(GARTEUR) program¹. In FM-AG(16) the following organizations participated:
• Research Establishments
– Centro Italiano Ricerche Aerospaziali (CIRA, Capua, Italy)
– Deutsches Zentrum für Luft- und Raumfahrt (DLR, Oberpfaffenhofen)
– Defence Science and Technology Laboratory (DSTL, United Kingdom)
– Netherlands National Aerospace Laboratory (NLR, Amsterdam)
• Industry
– QinetiQ (Bedford, United Kingdom)
– Airbus (Toulouse, France)
• Universities
– Bordeaux University (LAPS, Bordeaux, France)
– Delft University of Technology (DUT, Delft, the Netherlands)
· Faculty of Aerospace Engineering (DUT-AE)
· Delft Center of Systems and Control (DUT-DCSC)
– Lille University (USTL, Lille, France)
– University of Cambridge (UCAM, Cambridge, United Kingdom)
– University of Hull (UHUL, Hull, United Kingdom)
– University of Leicester (ULES, Leicester, United Kingdom)

¹ The Group for Aeronautical Research and Technology in EURope (GARTEUR) was
formed in 1973 and has as member countries: France, Germany, the Netherlands, Spain,
Sweden and the United Kingdom. According to its Memorandum of Understanding, the
mission of GARTEUR is to mobilize, for the mutual benefit of the GARTEUR member
countries, their scientific and technical skills, human resources, and facilities in the field
of aeronautical research and technology.

The Action Group was chaired by Jon King (QinetiQ); Jan Breeman (NLR) was
vice-chairman and acting chairman during the last months of the program. Ten
meetings were held in total: Bedford (September 2004), Capua (February 2005),
Oberpfaffenhofen (July 2005), Lille (February 2006), Toulouse (Mid-Term Workshop,
4-5 April 2006), Bordeaux (October 2006), Leicester (January 2007), Delft
(April 2007), Cambridge (July 2007) and again Delft (20-21 November 2007),
which was the venue for the Final Workshop and SIMONA Demonstration, giving
an extra inter-cultural dimension to the project. The demonstration on the SIMONA
Research Simulator at the Faculty of Aerospace Engineering at Delft University
during the Final Workshop helped to provide a strong focus to develop the methods
and provided a human appreciation of the problem. In a subsequent evaluation
in the SIMONA Research Simulator, conducted in 2008, professional airline pilots
were invited as an external expert group. This provided supporting information on
the practical and operational implications of advanced flight control systems
integration from a human factors perspective.
The editors would like to emphasize that this book is the result of a joint effort
by the Action Group. With respect to the contents, it was considered to be important
that as many FM-AG(16) organizations as possible were given the opportunity to
present their work, in order to cover a wide variety of design approaches. Hence the
contributions in this book have not been selected by the editors.
The book consists of five parts. Part I contains the introduction and motivation of
this research project and a state-of-the-art overview in Fault Tolerant Flight Control
(FTC). Part II includes the description of the benchmark challenge, consisting of
details of the benchmark simulation model and the assessment criteria used to
evaluate the performance of the Fault Tolerant Controllers. Part III covers all the
different FDI/FTC design methods which have been applied to the benchmark
simulation model. There are two different evaluation methods for these FDI/FTC designs,
namely an off-line evaluation using the assessment criteria in the benchmark
simulation model in Matlab, and an on-line evaluation on Delft’s SIMONA Research
Simulator. The off-line evaluations are described in the individual chapters in part
III, whereas the latter is treated extensively in part IV where the real time
assessments on the SIMONA Research Simulator are introduced and discussed. Finally
part V focuses on a review of the applied methods from an industrial perspective
together with some concluding remarks.
The work underpinning this book was undertaken by the participating organizations
of GARTEUR FM-AG(16). These organizations, which are listed above,
are thanked for their confidence in the group and their full support throughout the
project. In some cases national agencies and other research funding bodies, such as
STW in the Netherlands and EPSRC from the UK, gave direct financial help through
the provision of grants. Without their financial support this project would not have
been possible.
FM-AG(16) also wishes to express its gratitude to the Netherlands Aerospace
Laboratory NLR for supplying the high-fidelity nonlinear simulation model based
on realistic failure scenarios validated against flight data, which is a unique facility.
Also Delft University deserves thanks for offering the SIMONA Research Simulator
as an evaluation platform for the FTFC methods. This re-invigorated the programme
considerably. The contribution of the test pilots who participated in the FM-AG(16)
simulator campaign, and provided professional feedback on the evaluated control
designs, is gratefully acknowledged.
The group also thanks the GARTEUR organization, in particular the Flight Mechanics
Group of Responsables and the Executive Committee, for making the publication
of this book possible. John Keirl from QinetiQ and Dennis Fryer from DSTL,
who acted as the GARTEUR Monitoring Responsables of FM-AG(16), have provided
key contributions behind the scenes. They were an indispensable link between
the Action Group and the GARTEUR organization.
The editors would like to thank all those who kindly provided their approval to
use the pictures and illustrations in this book. The authors have taken into account to
their best capacity the copyrights of the illustrations and these remain the property
of the cited copyright holders.
Not all the results of GARTEUR Action Group FM-AG(16) could be presented in
this book. Several research teams did not submit designs for the final workshop, and
there were other reasons why their work could not be included. In this respect Marcel
Staroswiecki and Cyrille Christophe (Lille University), Sven Lorenz (DLR-BS),
Stuart Runham (DSTL), Ron Patton (Hull University) and Youmin Zhang (Aalborg
University) and all their colleagues are acknowledged for their valuable contributions
during the program.
Finally, special thanks to Airbus and Delft University for organizing and hosting
the Mid-Term and Final Workshops respectively.

December 2009
C. Edwards
T.J.J. Lombaerts
M.H. Smaili
Contents

Part I Surviving the Improbable: Towards Resilient Aircraft Control

1 Introduction
Thomas Lombaerts, Hafid Smaili, Jan Breeman
1.1 Towards More Resilient Flight Control
1.2 History of Flight Control Systems, Source: [40]
1.2.1 Mechanical [33], [35]
1.2.2 Hydro-mechanical [33], [35]
1.2.3 Fly-By-Wire Flight Control [33], [35], [34]
1.2.4 Fault Tolerant Control in Fly-By-Wire Systems, Sources: [40]
1.2.5 Airbus Philosophy, Sources: [22], [30]
1.2.6 Boeing Philosophy, Sources: [24], [42]
1.2.7 Short Case Study of Other Fault Tolerant Systems, Source: [24]
1.2.8 A Final Note on Fault Tolerance Properties Incorporated in Current Fly by Wire Flight Control Systems
1.3 Rationale of Damage Tolerant Control - Aircraft Accident Survey
1.3.1 American Airlines Flight AA191, Source: [27]
1.3.2 Japan Airlines Flight JL123, Source: [27]
1.3.3 United Airlines Flight UA232, Source: [27]
1.3.4 EL AL Cargo Flight LY1862, Source: [40]
1.3.5 USAir Flight 427 and United Airlines Flight 585, Sources: [4], [9], [5]
1.3.6 DHL Cargo Flight above Baghdad, Sources: [31], [32]
1.3.7 Final Note on Accident Analysis
1.4 Earlier Accomplishments in This Field, Source: [40]
1.4.1 Self-Repairing Flight Control System (SRFCS) Program
1.4.2 MD-11 Propulsion Controlled Aircraft (PCA)
1.4.3 NASA Intelligent Flight Control System (IFCS) F-15 Program
1.5 Research Challenges and Objectives
References
2 Fault Tolerant Flight Control - A Survey
Michel Verhaegen, Stoyan Kanev, Redouane Hallouzi, Colin Jones, Jan Maciejowski, Hafid Smaili
2.1 Why Fault Tolerant Control?
2.2 Fault Classification
2.3 Modelling Faults
2.3.1 Multiplicative Faults
2.3.2 Additive Faults
2.3.3 Component Faults
2.4 Main Components in an FTC System
2.5 FTC Problem Formulation
2.5.1 Passive Fault Tolerant Control
2.5.2 Active Fault Tolerant Control
2.6 State-of-the-Art in Fault Tolerant Flight Control
2.6.1 Classification of Reconfigurable Control
2.6.2 Multiple Model Control
2.6.3 Control Allocation (CA)
2.6.4 Adaptive Feedback Linearization via Artificial Neural Network
2.6.5 Sliding Mode Control (SMC)
2.6.6 Eigenstructure Assignment (EA)
2.6.7 Model Reference Adaptive Control (MRAC)
2.6.8 Model Predictive Control
2.6.9 Model Following
2.6.10 Adaptive Control
2.7 Comparison of Fault Tolerant Flight Control Methods
References
3 Fault Detection and Diagnosis for Aeronautic and Aerospace Missions
David Henry, Silvio Simani, Ron J. Patton
3.1 Introduction
3.2 Fault Detection and Diagnosis Approaches
3.2.1 The Parity-Space Methods
3.2.2 Particle Filtering Approach
3.2.3 Nonlinear EKF Approaches
3.2.4 Observer-Based Approaches
3.2.5 Norm-Based Approaches
3.2.6 H∞ Fault Estimation Approach
3.2.7 Non-linear FDD Method
3.2.8 Sliding Mode Observer
3.3 Application Examples
3.3.1 Application to ‘Oscillatory Failure Case’ (OFC)
3.3.2 Simulated Aircraft Model FDD
3.3.3 Aerospace Mission Application Examples
3.3.4 Robust Diagnosis for Mars Express Satellite Thruster Faults
3.4 Conclusion
References
4 Real-Time Identification of Aircraft Physical Models for Fault Tolerant Flight Control
Ping Chu, Jan Albert (Bob) Mulder, Jan Breeman
4.1 Introduction
4.2 History of Aircraft Model Identification at Delft University of Technology
4.3 The Two Step Method
4.3.1 Decomposition of Aircraft State and Parameter Estimation
4.3.2 Estimation Properties
4.3.3 Techniques to Cope with Estimation Biases
4.4 On-Line Parameter Estimation Using Least Squares and Total Least Squares Methods
4.4.1 Preliminaries
4.4.2 Sequential Total Least Squares (Ref. [34])
4.4.3 Summary of TLS Method
4.5 Real-Time Identification of Aircraft Physical Model for Fault Tolerant Flight Control, [13]
4.6 Conclusions
References
5 Industrial Practices in Fault Tolerant Control
Philippe Goupil
5.1 Introduction
5.2 Aircraft Development Process - The V-Cycle
5.3 Some ‘Golden Rules’ for Designing a Highly Dependable System
5.4 Flight Control Computer Functional Specification
5.5 System Validation and Verification
5.6 An Example of Monitoring: A380 Oscillatory Failure Case Detection
5.7 Conclusions
References

Part II RECOVER: The Benchmark Challenge

6 RECOVER: A Benchmark for Integrated Fault Tolerant Flight Control Evaluation
Hafid Smaili, Jan Breeman, Thomas Lombaerts, Diederick Joosten
6.1 Introduction
6.2 Flight 1862 Accident Reconstruction and Simulation
6.2.1 Sequence of Events
6.2.2 Analysis of Flight 1862
6.2.3 Failure Mode Configuration
6.2.4 Flight Data Reconstruction and Simulation
6.3 GARTEUR RECOVER Benchmark
6.3.1 Description
6.3.2 Implementation
6.3.3 Fault Scenarios Specification
6.3.4 Graphical User Interface
6.3.5 Aircraft Visualisation
6.3.6 User Example
6.3.7 Aircraft Characteristics
6.4 GARTEUR RECOVER Benchmark Applications
6.5 Conclusion
References
7 Assessment Criteria as Specifications for Reconfiguring Flight Control
Thomas Lombaerts, Diederick Joosten, Hafid Smaili, Jan Breeman
7.1 Introduction
7.2 Specification Modelling
7.2.1 General Evaluation Criteria
7.2.2 Test Manoeuvres for Qualification
7.3 Discussion
References

Part III Design Methods and Benchmark Analysis

8 Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation
Halim Alwi, Christopher Edwards
8.1 Introduction
8.1.1 Sliding Mode Control
8.1.2 Sliding Mode Control and Control Allocation
8.2 Controller Design
8.2.1 Problem Formulation
8.2.2 Design Issues
8.3 Controller Design
8.3.1 Fault Tolerant Controller Design
8.3.2 Heading and Altitude Control and EPR Control Mixing
8.3.3 ILS Landing
8.3.4 Fault Tolerant Control Simulation Results
8.4 Conclusions
References
9 An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
Adolfo Sollazzo, Gianfranco Morani, Andrea Giovannini
9.1 Fault-Tolerant FCS
9.1.1 Adaptive Model-Following
9.1.2 The SCAS Architecture
9.1.3 Limitations and Practical Solutions
9.2 The Classic A/P
9.3 Numerical Validation
9.4 Future Development
9.5 Conclusions
References

10 Subspace Predictive Control Applied to Fault-Tolerant Control
Redouane Hallouzi, Michel Verhaegen
10.1 Introduction
10.2 Architecture of the Fault-Tolerant Control System
10.2.1 Control Loops
10.2.2 Fault Isolation
10.3 Closed-Loop Subspace Predictive Control
10.3.1 Closed-Loop Subspace Predictor (CLSP)
10.3.2 Closed-Loop Subspace Predictor Integrated with a Predictive Control Law
10.4 SPC (Re-)configuration
10.5 Simulation Results
10.5.1 Trajectory Following for the Nominal Case
10.5.2 Trajectory Following for Elevator Lock-in-Place
10.5.3 Trajectory Following for Rudder Runaway
10.5.4 Trajectory Following for “Bijlmerramp” Condition
10.5.5 Discussion of the Simulation Results
10.6 Real-Time Implementation
10.7 Conclusions
References

11 Fault-Tolerant Control through a Synthesis of Model-Predictive Control and Nonlinear Inversion
D.A. Joosten, T.J.J. van den Boom, M. Verhaegen
11.1 Introduction
11.2 Overall Control-Setup
11.2.1 Model Structure
11.2.2 Nonlinear Dynamic Inversion
11.2.3 Model Predictive Control
11.2.4 Control Allocation
11.3 Modeling and Dynamic Inversion of the Benchmark Model
11.4 Simulation Results
11.4.1 Reference Tracking: Stabiliser Runaway
11.4.2 Right Turn and Localiser Intercept
11.5 Conclusion
References
12 A FTC Strategy for Safe Recovery against Trimmable Horizontal Stabilizer Failure with Guaranteed Nominal Performance
Jérome Cieslak, David Henry, Ali Zolghadri
12.1 Introduction
12.2 Nomenclature
12.3 Problem Statement
12.4 Model-Based FDI Schemes: Some Assumptions for an Integrated FDI/FTC Design Approach
12.4.1 Analysis of the FTC Loop
12.4.2 Some Outlines for the Design
12.4.3 The Case of an Observer-Based FDI Scheme
12.5 Important Issues about Stability and Performance in Faulty Situations
12.6 FM-AG16 FTC Problem
12.6.1 Modelling the Aircraft Dynamics
12.6.2 Modeling the Autoflight and FCS Systems
12.6.3 Design of K(s)
12.6.4 Nonlinear Simulation Results
12.7 Concluding Remarks
Appendix A: Bumpless Switching Scheme
Appendix B: Computed Controller $\hat{K}(s) = \hat{C}_K (sI - \hat{A}_K)^{-1} \hat{B}_K + \hat{D}_K$
References
13 Flight Control Reconfiguration Based on Online Physical Model Identification and Nonlinear Dynamic Inversion
Thomas Lombaerts, Ping Chu, Jan Albert (Bob) Mulder
13.1 Introduction
13.2 On Line Nonlinear Damaged Aircraft Model Identification: Two Step Method
13.2.1 Aircraft State Estimation
13.2.2 Aerodynamic Model Identification
13.3 Real Time Aerodynamic Model Identification
13.4 Application on the Boeing 747 Simulator
13.4.1 Trim Horizontal Stabilizer (THS) Runaway
13.4.2 Loss of the Vertical Tail
13.4.3 Feedback of Aircraft Stability and Control Effector Information to the Pilot
13.5 Trigger for Reconfiguration
13.6 Reconfiguring Control: Adaptive Nonlinear Dynamic Inversion
13.6.1 Autopilot Control: Assessment Criteria
13.7 Computational Load
13.8 Conclusions
13.9 Current and Future Work
References
14 A Combined Fault Detection, Identification and Reconfiguration System Based around Optimal Control Allocation
Nicholas Swain, Shadhanan Manickavasagar
14.1 Background
14.1.1 Control Allocation
14.1.2 Fault Detection and Identification
14.1.3 Software and Hardware Testing
14.2 Introduction
14.3 Fault Tolerant Control System Overview
14.3.1 Sensors
14.3.2 Outer-Loop Controller/Autopilot
14.3.3 Non-linear Dynamic Inversion
14.3.4 Direct Control Allocation
14.3.5 Aerodynamic FDI
14.3.6 Actuator FDI
14.3.7 Flight Envelope Protection
14.4 Benchmark Tests
14.4.1 Longitudinal Control Failure Test
14.4.2 Lateral Control Failure Test
14.4.3 El-AL Case
14.5 Conclusion
References

15 Detection and Isolation of Actuator/Surface Faults for a Large


Transport Aircraft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Andras Varga
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
15.2 Design of Least Order Scalar Output Detectors . . . . . . . . . . . . . . . 424
15.3 Solving Fault Isolation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
15.4 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
15.5 Monitoring Actuator Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
15.5.1 Component Level Monitoring . . . . . . . . . . . . . . . . . . . . . . 431
15.5.2 System Level Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 433
15.5.3 Pitch Axis Fault Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 435
15.5.4 Gear and Roll Axes Fault Monitoring . . . . . . . . . . . . . . . . 439
15.6 Summary of Achieved Results and Needs for Further
Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Part IV Real-Time Flight Simulator Assessment

16 Real-Time Assessment and Piloted Evaluation of Fault Tolerant Flight Control Designs in the SIMONA Research Flight Simulator
Olaf Stroosma, Thomas Lombaerts, Hafid Smaili, Mark Mulder
16.1 Introduction
16.2 Evaluation Method
16.2.1 Experiment Design
16.2.2 Dependent Measures
16.2.3 Participants
16.2.4 Simulator Configuration
16.2.5 Procedure
16.3 Results
16.4 Conclusions
Appendix 1: Failure mode test matrix
Appendix 2: Cooper Harper Handling Qualities Rating Scale
References

17 Piloted Evaluation Results of a Nonlinear Dynamic Inversion Based Controller Using Online Physical Model Identification
Thomas Lombaerts, Ping Chu, Hafid Smaili, Olaf Stroosma, Jan Albert (Bob) Mulder
17.1 Introduction
17.2 Fly-by-Wire ANDI Control Law Design
17.3 Fly-by-Wire ANDI Control Law Evaluation
17.4 Analysis Results
17.4.1 FTC and Pilot Performance Analysis Results: Time Histories
17.4.2 Handling Qualities Analysis Results: CH Ratings
17.4.3 Pilot Workload Analysis Results
17.5 Conclusions
References

18 Model Reference Sliding Mode FTC with SIMONA Simulator Evaluation: EL AL Flight 1862 Bijlmermeer Incident Scenario
Halim Alwi, Christopher Edwards, Olaf Stroosma, Jan Albert (Bob) Mulder
18.1 Introduction
18.2 A Model Reference Sliding Mode Control Allocation Scheme
18.3 Controller Design
18.3.1 Lateral Controller Design
18.3.2 Longitudinal Controller Design
18.4 SIMONA Implementation
18.5 SIMONA Flight Simulator Results with Experienced Pilots
18.5.1 SMC Controller Evaluation
18.6 Conclusions
References

Part V Conclusions

19 Industrial Review
Philippe Goupil, Andres Marcos
19.1 Introduction
19.2 Considerations for Commercial Aircraft - AIRBUS
19.2.1 Industrial Limitations and Constraints
19.2.2 An Aircraft Manufacturer Perspective
19.2.3 Conclusion
19.3 Perspectives for Aerospace Applications - Deimos Space
19.3.1 Context and Significance of the FM-AG16 for Space Systems
19.3.2 Assessment of the Techniques and Results
19.3.3 Conclusion
References

20 Concluding Remarks
Christopher Edwards, Thomas Lombaerts, Hafid Smaili
20.1 Summary of Achievements
20.2 Future Research

Appendix
List of Contributors

Halim Alwi
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, United Kingdom,
e-mail: ha18@le.ac.uk

Jan Breeman
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands,
e-mail: breeman@nlr.nl

Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands,
e-mail: q.p.chu@tudelft.nl

Jerome Cieslak
IMS laboratory - Automatic control group - Bordeaux university,
351 cours de la liberation, 33405 Talence, France,
e-mail: jerome.cieslak@ims-bordeaux.fr

Christopher Edwards
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, United Kingdom,
e-mail: ce14@le.ac.uk

Andrea Giovannini
Italian Aerospace Research Center - CIRA, Via Maiorise, 81043 Capua (CE), Italy,
e-mail: a.giovannini@cira.it

Philippe Goupil
Airbus France, EDYC-CC Flight Control Systems,
316 Route de Bayonne, 31060 Toulouse Cedex 09,
e-mail: philippe.goupil@airbus.com

Redouane Hallouzi
ReliaCon, Rotterdamseweg 145, 2628 AL Delft, The Netherlands,
e-mail: hallouzi@reliacon.nl

David Henry
IMS laboratory - Automatic control group - Bordeaux university,
351 cours de la liberation, 33405 Talence, France,
e-mail: david.henry@ims-bordeaux.fr

Colin Jones
ETH Zurich, Automatic Control Laboratory,
ETL I28, Physikstrasse 3, 8092 Zurich, Switzerland,
e-mail: cjones@ee.ethz.ch

Diederick Joosten
Delft University of Technology, Delft Center for Systems and Control,
Mekelweg 2, 2628 CD Delft, The Netherlands,
e-mail: d.a.joosten@tudelft.nl

Stoyan Kanev
ECN Wind Energy, P.O.Box 1, 1755ZG Petten, The Netherlands,
e-mail: kanev@ecn.nl

Anthony A. Lambregts
Advanced Control Systems, Federal Aviation Administration, Northwest Mountain Region,
1601 Lind Ave., SW, Renton, WA 98057, USA,
e-mail: tony.lambregts@faa.gov

Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands,
e-mail: t.j.j.lombaerts@tudelft.nl

Jan Maciejowski
University of Cambridge, Engineering Department,
Trumpington Street, Cambridge CB2 1PZ, United Kingdom,
e-mail: jmm@eng.cam.ac.uk

Shadhanan Manickavasagar
QinetiQ, Cody Technology Park, Farnborough, Hampshire, GU14 0LX, United Kingdom,
e-mail: smanickavasa@qinetiq.com

Andres Marcos
Advanced Projects Division, Simulation & Control Section, Deimos Space S.L.,
Ronda de Poniente 19, Edificio Fiteni VI, Madrid, 28760, Spain,
e-mail: andres.marcos@deimos-space.com

Gianfranco Morani
Italian Aerospace Research Center - CIRA, Via Maiorise, 81043 Capua (CE), Italy,
e-mail: g.morani@cira.it

Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands,
e-mail: j.a.mulder@tudelft.nl

Mark Mulder
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands,
e-mail: mark.mulder@tudelft.nl

Ron Patton
University of Hull, Department of Engineering,
Cottingham Road, Hull HU6 7RX, United Kingdom,
e-mail: R.J.Patton@hull.ac.uk

Silvio Simani
University of Ferrara, Department of Engineering,
1 Via Saragat, 44100 Ferrara, Italy,
e-mail: silvio.simani@unife.it

Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands,
e-mail: smaili@nlr.nl

Adolfo Sollazzo
Italian Aerospace Research Center - CIRA, Via Maiorise, 81043 Capua (CE), Italy,
e-mail: a.sollazzo@cira.it

Olaf Stroosma
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands,
e-mail: o.stroosma@tudelft.nl

Nicholas Swain
QinetiQ, Cody Technology Park, Farnborough, Hampshire, GU14 0LX, United Kingdom,
e-mail: njswain@qinetiq.com

Ton van den Boom
Delft University of Technology, Delft Center for Systems and Control,
Mekelweg 2, 2628 CD Delft, The Netherlands,
e-mail: a.j.j.vandenboom@tudelft.nl

Andras Varga
German Aerospace Center, DLR-Oberpfaffenhofen, Institute of Robotics and Mechatronics,
Munchner Strasse 20, 82234 Wessling, Germany,
e-mail: andras.varga@dlr.de

Michel Verhaegen
Delft University of Technology, Delft Center for Systems and Control,
Mekelweg 2, 2628 CD Delft, The Netherlands,
e-mail: m.verhaegen@moesp.org

Ali Zolghadri
IMS laboratory - Automatic control group - Bordeaux university,
351 cours de la liberation, 33405 Talence, France,
e-mail: ali.zolghadri@ims-bordeaux.fr

Fig. 1 Delft University, April 2007


Part I
Surviving the Improbable: Towards
Resilient Aircraft Control
Chapter 1
Introduction

Thomas Lombaerts, Hafid Smaili, and Jan Breeman

1.1 Towards More Resilient Flight Control


Within the aviation community, especially for commercial transport aircraft design,
all developments focus on ensuring and improving the required safety levels and
reducing the risk that critical failures occur. Recent airliner accident and incident
statistics (published in 2008) [8] show that about 16% of the accidents between
1993 and 2007 can be attributed to Loss of Control In-flight (LOC-I), caused by a
piloting mistake (e.g. due to spatial disorientation), technical malfunctions or
unusual upsets due to external disturbances. Loss of flight control is a subcategory of
Loss of Control In-flight (LOC-I), where a technical malfunction is the initial event
which causes control loss. LOC-I remains the second largest accident category after
Controlled Flight Into Terrain (CFIT), which accounts for 23% of air accidents.
However, a short term study for the year 2008 shows that loss of control comes at
the top of the list of catastrophic accidents, according to the UK Civil Aviation
Authority (UK-CAA). Data examined by the international aviation community show
that, in contrast to CFIT, the share of LOC-I occurrences is not significantly decreasing.

Resilient flight control, or fault tolerant flight control (FTFC), allows improved
survivability and recovery from adverse flight conditions induced by faults, damage
and associated upsets. This can be achieved by ‘intelligent’ utilisation of the control
authority of the remaining control effectors in all axes, consisting of the control
surfaces and engines or a combination of both. In this technique, control strategies
are applied to restore stability and manoeuvrability of the vehicle for continued safe
operation and a survivable recovery. The aim of the GARTEUR Flight Mechanics
Action Group FM-AG(16) on Fault Tolerant Flight Control, of which this book is
the culmination, was to facilitate the proliferation of new developments in fault
tolerant control design within the European aerospace research community in practical
and real-time operational applications. This addresses the need to improve the
resilience and safety of future aircraft and to aid the pilot in recovering from adverse
conditions induced by (multiple) system failures and damage that would otherwise
be potentially catastrophic. Up until now, faults or damage on board aircraft have
been accommodated by hardware design using duplex, triplex or even quadruplex
redundancy of critical components. However, the approach of the research presented
in this book is to focus on new control law design methods to accommodate
(unanticipated) faults and/or damage that dramatically change the configuration of the
aircraft. These methods take into account a unique combination of robustness,
reconfiguration and (real-time) adaptation of the control laws.

Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Jan Breeman
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 3–45.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

1.2 History of Flight Control Systems, Source: [40]


Shortly after the German aviation pioneer Otto Lilienthal (1848-1896) left the ground
for the first time in his self-made glider from the Windmuhlenberg (windmill hill) of
Derwitz (Germany) in the summer of 1891, the problem of flight in a heavier-than-air
vehicle created a new challenge: namely that of controlled flight. The Wright Brothers
stated in 1912 that no one else grasped the basics of human flight as clearly and
thoroughly as Lilienthal did. Based on his basic understanding of the principles of the
curved wing, enabling it to produce more lift, Otto Lilienthal realized during his
numerous experimental flights that leaving the ground was easier than staying in the
air. For controlling his flights, he invented the first means of lateral stabilization
using a vertical rudder. Just before crashing to his death in 1896, he characterized the
complexity and importance of aircraft flight control by stating:

To design one is nothing, to build one is easy, to fly one is everything.

Fig. 1.1 Otto Lilienthal (1848-1896) glider showing vertical tail for lateral
stabilisation (1894), source: Otto Lilienthal Museum

Following the first successful motorised flight of the Wright Brothers in 1903,
the first artificially controlled flight was demonstrated in 1914 by Lawrence Sperry
(1892-1923), the third son of the gyrocompass co-inventor Elmer Ambrose Sperry,
by flying his Curtiss-C-2 airplane hands-free in front of a speechless crowd. The
autopilot, or as it was nicknamed Metal Mike, consisted of three gyroscopes and a
magnetic compass, both linked to the pneumatically operated flight control surfaces.
The autopilot enabled stabilized flight by holding the pitch, roll and yaw attitudes
constant while maintaining the compass course. During the next decades, Sperry and
other engineers further improved the concept of automatic stabilized flight for
aircraft stabilization to improve weapon targeting accuracy. By the 1950s, analog flight
control computers allowed artificial modification of the aircraft's handling qualities
on top of the basic stabilization functions of the autopilot. The Canadian Avro
CF-105 Arrow interceptor, which flew in 1958, and the inherently unstable Lockheed
Martin F-16 fighter, which entered service in the late 1970s, were the first aircraft
utilizing an analog flight control computer demonstrating impressive manoeuvering
capabilities. On the civil front, the Aerospatiale-BAC Concorde supersonic transport
(SST) made its first flight in 1969 equipped with a commercial version of an analog
flight control system. In 1972, NASA performed flight experiments with a modified
F-8C Crusader to investigate the potential of software controlled flight, instead
of analog circuits, by means of digital fly-by-wire flight control (DFBW) technology.
Allowing better and safer airplane manoeuvering and control while providing
substantial cost reductions, DFBW technology, as a full-time critical digital control
system, was made commercial in 1987 with the first flight of the Airbus A320.
Although, in 1982, the Airbus A310 and then the A300-600 flew with digital FBW
technology on the spoilers, the A320 was the first commercial use of digital FBW
on the primary control surfaces.

Fig. 1.2 Commercial and military aircraft that include modern fly-by-wire technologies
(Airbus A380, Dassault Falcon 7X, Eurofighter Typhoon, Joint Strike Fighter, Boeing 777),
sources: Creative Commons Attribution License, Kevin Koske, Naddsy, Keta
During the evolution of aircraft flight control systems, several versions have been
developed, dependent upon the moment in history and on the type of aircraft where
they have been applied. In the following, three categories of aircraft flight control
systems are described in more detail:
• mechanical systems
• mechanical-hydraulic systems
• fly-by-wire systems

1.2.1 Mechanical [33], [35]


The most elementary design of a flight control system is a mechanical one, consisting
of cables, pulleys, capstans, levers and other mechanical devices. This kind of
flight control system was used in early aircraft and is still used in current light
aircraft, like the Cessna Skyhawk. Figure 1.3 illustrates a mechanical type of control
system.

Fig. 1.3 Illustrations of mechanical flight control systems, source: ref. [37].
(a) roll, pitch and yaw channel of an early military jet; (b) roll channel of a
transport aircraft. © BAE Systems, Reproduced with permission

In larger aircraft, the control loads due to the aerodynamic forces acting on the
control surfaces are too large for simple mechanical control. Therefore, two
mechanical solutions have been developed. One option is to attempt to extract the
maximum possible mechanical advantage through the levers and pulleys; however,
the maximum reduction in forces is limited by the inherent strength of the mechanical
components in this system. One example of this type of application can be
found in the Fokker 50. The alternative is to rely on so-called control tabs or servo
tabs that provide aerodynamic assistance to reduce complexity. These are small
surfaces hinged at the end of the control surfaces which reduce the required control
force exerted by the pilot by exploiting the aerodynamic forces which act on the
tabs themselves. The pilot controls are directly linked to these control tabs, and the
aerodynamic force generated by the tab then in turn moves the main control surface
itself. The Boeing 707 used the concept of control tabs in its flight control system.

1.2.2 Hydro-mechanical [33], [35]


Due to the ever increasing size and flight envelopes of aircraft, mechanical flight
control systems are not sufficient. Due to the increasing speed of the aircraft, it
becomes more difficult to move the control surfaces as a result of high aerodynamic
forces. This led to the application of hydraulic power. A hydro-mechanical control
system consists of two parts:
• a mechanical circuit, essentially the same as the mechanical flight control system
• a hydraulic circuit

Compared to the mechanical flight control system, the hydraulic part takes over
the interface between the conventional mechanical circuit and the control surfaces.
More precisely, the hydraulic system generates the forces for the actuators which
move the aerodynamic surfaces, but it still receives its signals from the mechanical
circuit which is steered by the pilot. The Boeing 727 and 737, Trident, Caravelle and
the Airbus A300, used such a flight control system, including a mechanical backup,
despite the fact that a total loss of the flight control system is extremely improbable.
The Boeing 747 was the first aircraft in the Boeing series to have a fully powered
actuation system, because the control forces required for any flight condition would
have been too large to be generated by the pilot.
The benefits of the hydro-mechanical flight control system compared to the
purely mechanical one are the reduction in drag and the increase of control surface
effectiveness due to the omission of the servo tabs. Moreover, the higher
mechanical stiffness of the hydraulics leads to better flutter characteristics of the
control surfaces. The main drawbacks of hydro-mechanical control systems are
their structural complexity and weight.

1.2.3 Fly-By-Wire Flight Control [33], [35], [34]


In more recent civil airliners, military transport aircraft and especially military
jets, the mechanical linkage between control column and control surface has been
omitted and replaced by electrical wiring (hence the name fly-by-wire). All these
wires are connected to each other by means of the flight control computer (FCC).
Figure 1.4 shows the situation for the General Dynamics F-16 Fighting Falcon
aircraft. The computer sends electronic signals to all actuators, in this specific case
flaperons and slats.

Fig. 1.4 Illustration of the Fly-By-Wire principle on the F-16, source: ref. [23]

Fig. 1.5 Flight Control System architecture of the Eurofighter Typhoon, source: ref. [37]
© BAE Systems, Reproduced with permission

Figure 1.5 shows the hierarchy of the wiring network for the Eurofighter Typhoon.
The FCC bridges the gap between measurement signals (from the inertial
measurement unit and the air data transducers) and pilot inputs (such as the pilot’s
stick, pedal and throttle displacements) on one hand, and control surface actuators
(such as flaperons, rudder and canards) on the other. Based upon the pilot control
inputs and the available measured signals, the computer independently calculates
the required surface deflections and gives the appropriate commands to the servos.
Note the quadruplex implementation of the FCC. This is the fail safety principle, and
the approach adopts a vote by majority principle. The same procedure is applied for the
most essential components.
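
The majority vote across a quadruplex FCC described above can be sketched as follows. This is an added example, not code from the book or from any aircraft: the tolerance, the persistence count, the averaging of agreeing channels, the hold-last-value behaviour and the sample frames are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class QuadVoter:
    """Majority voter over four redundant channel outputs (illustrative only)."""
    tolerance: float          # assumed: max difference between agreeing channels
    persistence: int = 3      # assumed: consecutive miscompares before latch-out
    active: set = field(default_factory=lambda: {0, 1, 2, 3})
    strikes: dict = field(default_factory=lambda: {ch: 0 for ch in range(4)})
    last_good: float = 0.0    # value held while no majority exists

    def vote(self, commands):
        """Vote one frame of channel outputs; return (value, status)."""
        # Find the largest group of active channels lying within the
        # tolerance of a single reference channel.
        best = set()
        for ref in sorted(self.active):
            group = {ch for ch in self.active
                     if abs(commands[ch] - commands[ref]) <= self.tolerance}
            if len(group) > len(best):
                best = group

        # A strict majority of the active channels is required. A 2-2 split
        # cannot be resolved by voting, so the last good value is held and
        # no channel is penalised.
        if 2 * len(best) <= len(self.active):
            return self.last_good, "NO_MAJORITY"

        # Channels outside the majority accumulate strikes and are latched
        # out once the miscompare has persisted; a transient glitch resets.
        for ch in list(self.active):
            if ch in best:
                self.strikes[ch] = 0
            else:
                self.strikes[ch] += 1
                if self.strikes[ch] >= self.persistence:
                    self.active.discard(ch)

        self.last_good = sum(commands[ch] for ch in best) / len(best)
        return self.last_good, "OK"


# Constructed sample data: surface deflection commands in degrees from four
# channels. Channel 2 suffers a hardover (runaway) from the second frame on.
CONSTRUCTED_FRAMES = [
    [2.00, 2.01, 1.99, 2.00],
    [2.10, 2.11, 25.0, 2.09],
    [2.20, 2.19, 25.0, 2.21],
    [2.30, 2.31, 25.0, 2.29],
    [2.40, 2.41, 25.0, 2.39],
]


def run_demo():
    """Vote every constructed frame; return the results and surviving channels."""
    voter = QuadVoter(tolerance=0.1)
    results = [voter.vote(frame) for frame in CONSTRUCTED_FRAMES]
    return results, voter.active


if __name__ == "__main__":
    results, active = run_demo()
    for value, status in results:
        print(f"{status:12s} {value:.3f}")
    print("channels still voting:", sorted(active))
```

The runaway channel never reaches the output because it is outvoted from the first bad frame, and it is removed from the voting set only after the miscompare persists, so the remaining three channels continue as a triplex set.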

The advent of Fly-By-Wire Flight Control


With the invention of the computer it became possible to control an aircraft
electronically. The major initial advantage of the fly-by-wire FCS is that a complex
and heavy mechanical linkage between the pilot and the hydraulic system is no longer
needed. It is also possible to control the aircraft more accurately, flight
safety is enhanced, a safe flight envelope can be defined with so-called flight control
law protection, and finally this setup offers greater flexibility for evolution and for
implementation of improvements in the system. During the subsequent evolution
of the fly-by-wire concept, additional advantages arose, such as increased flexibility
in setting the flight control characteristics of an aircraft. Another important benefit
of Fly-By-Wire Flight Controls is that they define identical handling characteristics
for all members of an aircraft family, from the smallest twinjet to the long-range
widebody jetliners. This commonality applies not only to the normal flight envelope,
but also to extreme emergency conditions. With such a computer-based
flight control system, other major advantages are that its design and maintenance are
much simpler, while significantly reducing aircraft weight. Both commercial and
military aircraft are now being developed with fly-by-wire flight control systems.
For military aircraft, the benefits include increased agility and reduced supersonic
trim drag (in conjunction with reduced static stability) and carefree handling. For
commercial aircraft, the benefits include lower weight (attributed to flight controls),
lower maintenance costs as well as passenger comfort and carefree handling. In both
categories, the provision of flight envelope protection is another important benefit
of fly-by-wire flight control systems.

How Fly-By-Wire Control works


In contrast to mechanical and hydro-mechanical control systems, in a fly-by-wire
system the pilot’s commands are fed into computers, which in turn route electrical
signals along wires to the actuators driving the control surfaces. Sometimes there
is a mechanical backup to keep the aircraft under manual control when control of
the aircraft becomes impossible with the nominal flight control system (electricity
loss, the loss of all flight control computers, etc.). The computers controlling the
fly-by-wire system provide multiple backup or redundancy. In the Airbus A340 for
example, there are five computers in all, and a single one can fly the plane. All
five computers work together. If one fails, another automatically takes over.
Moreover, each of the five fly-by-wire computers is composed of two independent units
which are constantly monitoring each other. Furthermore, these computers are made
by different manufacturers, using different software and components. They are also
programmed by independent teams, using different computer languages. This means
that it is virtually impossible for the same problem to affect all computers
simultaneously. It should be noted that the number of computers and units etc. differs for
other aircraft in the Airbus family and also the Boeing philosophy is significantly
different. The Airbus fly-by-wire system operates according to three control laws:
normal, alternate and direct.
• The normal law applies when all systems are working correctly, or during a single
failure of a computer or peripheral. It requires a high level of integrity and
redundancy of the computers, the peripherals (i.e. sensors, actuators and
servo-loop), and the hydraulics. When operating in normal mode, a forward or backward
movement of the sidestick corresponds to a vertical load factor command by
the pilot. The computers translate this demand into a pitch change, immediately
moving the aircraft’s nose up or down to the desired attitude. Once the sidestick
is released, the aircraft will maintain this flight path until the next pilot input.
Lateral control is similar to pitch control except that the pilot sets a roll rate
command. Operation under normal laws provides flight envelope protection against
excessive load factors, overspeed, stall, extreme pitch attitude and extreme bank
angle.
• The alternate law applies when at least two failures occur. Within the normal
flight envelope, the handling characteristics under alternate control laws are the
same as under normal laws, if the integrity and redundancy are not enough to
achieve the normal law with its protections. Out of the normal flight envelope,
the pilot must take proper preventive action to avoid loss of control or high speed
excursions, just as he/she would on a non-protected aircraft, but this holds only
for manoeuvres corresponding to the protection that is lost.
• The direct law applies when more than two failures occur, if the alternate law
cannot be safely achieved. In the unlikely event of a multiple system failure,
direct control laws provide the same handling characteristics as a good-handling
conventional aircraft, almost totally independently of configuration and centre of
gravity. The sidestick and control surfaces move in a direct relationship to each
other. Pitch trim is no longer automatic and must be manually controlled using
the trim wheel.

Flight Envelope Protection


All aircraft have physical limits they must not exceed. For example, if the airspeed
is too slow the aircraft may stall, if the speed is too high or a manoeuvre too
violent, excessive loads can be generated, with the risk of damaging the structure.
These limits define the flight envelope, not to be exceeded during normal operation.
The fly-by-wire concept offers inherent flight envelope protection, which is an
additional guarantee against crossing these limits. Thanks to this built-in protection,
pilots can count on their aircraft providing maximum performance and safety under
any circumstances. The flight envelope protection function also protects against
wind shear. These are strong, sudden downdrafts that may occur during storms or
even in clear weather, and have caused many accidents. With a flight envelope
protection system, the pilot can utilize maximum climb performance, escaping wind
shear and other conditions in complete safety. It also increases the aircraft’s agility.
For example, the pilot can act much more quickly when he has to carry out a sudden
avoidance manoeuvre, while keeping the aircraft under perfect control. Flight
envelope protection does not limit the pilot’s options, but rather allows him to use
the aircraft’s maximum safe performance capacity. At the same time, the system
minimizes the risk of losing control of the aircraft or subjecting it to loads it was not
designed to handle.

1.2.4 Fault Tolerant Control in Fly-By-Wire Systems, Sources: [40]

In aviation, all developments focus on the improvement of safety levels and reduc-
ing the risks that critical failures occur, on all possible system levels. Although most
civil transport fly-by-wire aircraft are fitted with a backup system, the basic FBW
system integrity is considered as critical. In Boeing and Airbus aircraft, where a
total loss of the FCS is already very improbable, and beyond the certification re-
quirements, see [20] and [19], there is a mechanical or electrical back-up system.
To further improve the levels of integrity, new aircraft configurations have a degree
of redundancy in terms of controls, sensors and computing. Control effector redun-
dancy means that there are more than the minimum required control effectors, or
motivators, to control the pitch axis on one hand, and the combined roll/yaw axis
on the other, although the full set of controls is required to satisfy the normal per-
formance requirements. The combination of these features provides the opportunity
to reconfigure the control system in the event of failures with the aim of increasing
the survivability of the aircraft. As a result, the digital fly-by-wire flight control
system is a safety driven design built to very stringent dependability requirements.
These requirements ensure that the system will not generate erroneous or faulty
signals compromising flight safety and that the system remains available even in faulty
conditions. The certification requirements state that all potentially catastrophic
failure scenarios should have a probability rate of less than $10^{-9}$ per flight hour
and no single failure should be catastrophic. Potentially catastrophic failures include
control surface runaways (elevator, rudder and horizontal stabiliser), loss of control in
pitch, oscillatory failures at frequencies which are critical to the aircraft’s structure
and insufficient lateral control during engine failures. Failure detection and recon-
figuration is performed via self-tests, signal comparison and hardware and software
redundancy. Self-tests are performed by the hardware equipment to prevent any un-
detected failures (latent failures) and to ensure that the probability of a failure re-
mains low.

1.2.5 Airbus Philosophy, Sources: [22], [30]


Fig. 1.6 Hainan Airlines A340-642 B-6510, © Thomas Lombaerts
Fig. 1.7 Modern fly-by-wire system architecture including redundancy components and
reconfiguration scheme (A340), source: [30]

In Airbus aircraft, comparison of signals from both control and monitoring channels
enables detection of failures in the case that one of the signals differs from the
other above a certain threshold. The detection threshold should be sufficiently robust
against sensor inaccuracies and system tolerances to prevent false alarms but tight
enough to detect unwanted failures. Hardware reconfiguration in the Airbus family is
performed at system level whereby for each function one computer operates in active
mode, and the remaining computers are in standby mode. When the active computer fails,
one of the standby computers changes to active mode and immediately takes over the
function. This holds for example for servo-loops in the case of a duplex architecture.
Flight control law reconfiguration is performed in the case when sensor information,
processed by the control laws, becomes unavailable or no longer trustworthy (for
example, one source failed, followed by a disagreement between the two remaining
sources). This control law reconfiguration is also performed in the case of flight
control surface or hydraulic circuit loss. In this situation, the flight control
computer switches to alternate control laws providing less protection depending on the
remaining sensory information and equipment. A FBW system architecture showing its
redundancy components and reconfiguration scheme (Airbus A340 [13], [30], [22]) is
illustrated in fig. 1.7. Moreover, the flight control computer (FCC) architecture is a
so-called COM/MON architecture where the fail-safe computers consist of a control and
monitoring channel, ensuring the permanent monitoring of all the FCS components. The
control channel executes the relevant function (e.g. a pilot command to a surface)
while the monitoring channel guards against any faults in the control channel and
ensures permanent monitoring of all the components in the flight control system
(sensors, actuators, other computers, etc.). The monitoring (MON) channel is designed
to detect failure cases and to trigger reconfiguration by pointing out the failure
detection to the command (COM) channel and to the other computers. Fault mitigation is
achieved by means of redundancy and software and hardware dissimilarities. In the case
of the Airbus A340, the redundancy components include five FBW computers and three
power sources for surface actuation. Dissimilarity is achieved through the use of two
completely different types of computers and two independently developed software
packages designed by different teams. It should be noted that these numbers vary for
other aircraft as well as for other manufacturers. Reconfiguration, for instance in
pitch, consists of switching from the Primary computer (P1) to the second Primary
computer (P2). In this situation, elevator actuation switches from the green system for
both elevators to the blue system for the left elevator and the yellow system for the
right elevator. Following a possible failure of P2, reconfiguration can be performed
up to the second Secondary computer (S2).
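
The threshold trade-off of the COM/MON comparison described above can be made concrete with a short simulation. This is an added example, not code from the book or from Airbus; the signal shapes, the 0.3 degree channel mismatch, the runaway rate and the three-sample confirmation count are all assumptions chosen for illustration.

```python
import math


def first_confirmed_trip(com, mon, threshold, confirm_samples):
    """Return the sample index at which COM/MON disagreement is confirmed.

    A trip is confirmed once |com - mon| has exceeded `threshold` for
    `confirm_samples` consecutive samples (assumed confirmation logic).
    Returns None if the monitor never trips.
    """
    run = 0
    for k, (c, m) in enumerate(zip(com, mon)):
        if abs(c - m) > threshold:
            run += 1
            if run >= confirm_samples:
                return k
        else:
            run = 0
    return None


def make_signals(n=200, fault_at=None, runaway_rate=0.25):
    """Constructed data: one surface command (degrees) seen by COM and MON.

    The channels differ by a small bounded mismatch standing in for sensor
    inaccuracies and system tolerances. If `fault_at` is given, the COM
    output runs away from that sample onward at `runaway_rate` deg/sample.
    """
    com, mon = [], []
    for k in range(n):
        demand = 5.0 * math.sin(2 * math.pi * k / 100)    # pilot demand
        mismatch = 0.3 * math.sin(2 * math.pi * k / 7)    # healthy disagreement
        c = demand + mismatch
        if fault_at is not None and k >= fault_at:
            c += runaway_rate * (k - fault_at + 1)        # surface runaway
        com.append(c)
        mon.append(demand)
    return com, mon


def evaluate(threshold, confirm_samples=3, fault_at=50):
    """Score one threshold on a healthy run and on a run with a runaway."""
    healthy_trip = first_confirmed_trip(*make_signals(), threshold, confirm_samples)
    com, mon = make_signals(fault_at=fault_at)
    trip = first_confirmed_trip(com, mon, threshold, confirm_samples)
    return {
        "false_alarm": healthy_trip is not None,
        "detected": trip is not None,
        "latency": None if trip is None else trip - fault_at,
        "error_at_trip": None if trip is None else abs(com[trip] - mon[trip]),
    }


if __name__ == "__main__":
    for thr in (0.1, 1.0, 20.0):
        print(thr, evaluate(thr))
```

A threshold inside the healthy mismatch band trips on a fault-free run, while a very loose one only confirms the runaway after the commanded surface position is already far from the monitored value.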

1.2.6 Boeing Philosophy, Sources: [24], [42]


A completely different fault tolerance approach has been adopted by Boeing in
the Boeing 777 for example. The heart of its FBW concept is the use of triple
redundancy for all hardware resources, varying from the computing system through
electric and hydraulic power to the communication path. The 777 FBW design
philosophy for safety considers the following constraints:
1. Common mode/common area faults: by designing the systems to both component
and functional separation requirements.
2. Separation of FBW (line replaceable unit LRU) components: isolation and sepa-
ration of redundant flight control elements to the greatest extent possible in order
to minimize the possibility of loss of function.
3. FBW functional separation: allocation of electrical power to the primary flight
computer (PFC) and the actuator control electronics (ACE) LRUs to provide
maximum physical and electrical separation between the flight control electrical
buses. The ACE functional actuator control is distributed to maximize control-
lability in all axes after loss of function of any ACE or supporting subsystem.
The hydraulic systems are also aligned with the actuator functions to provide
maximum controllability after the loss of hydraulics in one or two systems.
4. Dissimilarity: various combinations of dissimilar hardware, different component
manufacturers, dissimilar control/monitor functions, different hardware and soft-
ware design teams, and different compilers are considered at the level of PFCs,
ACEs, inertial data, the Autopilot Flight Director Computer (AFDC) and ARINC
bus.
5. The FBW effect on the structure: FBW component failures can result in oscilla-
tory or hardover control surface motion. Structural requirements are analyzed and
apportioned to all FBW components. (This constraint is a safety consideration in
the Airbus philosophy too.)

Fig. 1.8 KLM Boeing 777-206/ER PH-BQD, © Tommy Desmet, via airliners.net

The system is designed to provide uninterrupted control following any two failures.
Although the flight control function is necessary for safe flight and landing of the
aircraft, the system includes a direct backup mode that allows the pilot to
electrically position flight control surfaces without using the flight control
computers. The flight control computers are configured as a Triple Modular Redundancy
(TMR) system. Because of concerns about generic hardware or software failures, each of
the three computers is itself a TMR unit. These TMR computers use three internal
channels that use different processor hardware from different manufacturers. Within
each TMR computer, the choice of which output is to be the output of the computer is
determined using the so-called principle of median value select.

Fig. 1.9 Boeing 777 PFC Lane Redundancy Management (Output Signal Monitoring),
source: [42]

Each PFC lane operates in two roles: a command role or monitor role. Only one
lane in each channel is allowed to be in the command role. The command lane will
send the proposed surface commands, its own, together with those received from
two other PFC channels, to its ARINC 629 bus. The hardware device residing in the
PFC lane will perform a median select of these three inputs of each variable. The
output of the median select hardware is sent in the same wordstring as the ‘selected’
surface commands. The PFC lanes in the monitor role perform a ‘selected output’
monitoring of their command lane. The PFC command lane, meanwhile, performs
‘selected output’ monitoring of the other two PFC channels. The median value select
provides fault blocking against PFC faults until the completion of the fault detection
and identification and reconfiguration via PFC cross-lane monitoring.
Should any of the three dissimilar processors produce an output different from
the other two, it will not be selected. The three dissimilar processors are kept tightly
synchronized and receive bit identical input data from the system data buses. The
three channels of computers at the next level of TMR are also kept in synchroniza-
tion and exchange data to keep state data consistent between the channels. The 777
actuators rely on the vote by majority principle.

1.2.7 Short Case Study of Other Fault Tolerant Systems, Source: [24]

Many fault-tolerant control systems have been produced and used successfully for
other aerospace applications. The following is a brief survey of a few of these other
systems with a discussion of the requirements they satisfy and the design approach
that was used. The systems described were selected based on the availability of
information and the personal experience of the author of ref. [24]. These are believed
to be representative of the many excellent systems in use. Table 1.1 is a summary of
the systems surveyed and captures the primary attributes of these systems.

F-16 Analog Fly-by-Wire Flight Control [1]


Fig. 1.10 Belgian Air Component F-16AM FA-126, © Dirk Voortmans, via Airliners.net

Early production F-16A/B aircraft used an analog electronic FBW flight control system.
From Block 25 F-16C/D onward, a digital system has been used. The F-16 is an inherently
unstable aircraft that requires continuous stability augmentation. In case of problems
with the flight control system, the F-16 aircraft can fail catastrophically. The system
was designed to deal with two failures. The analog FBW used a quad-redundant N-fold
Modular Redundancy (NMR) computer architecture with approximate consensus Middle Value
Selection (MVS) electronics to determine which computers’ signals are transmitted to
the flight control actuators. The hydraulic actuators include voting to reject possible
faulty outputs from any computer MVS or its servo amplifier. Both the computer MVS
electronics and the hydraulic actuators make use of fault down logic to disengage a
known, faulty signal. The analog computers use MVS on the sensor inputs to provide the
same inputs to the redundant computers. Analog control integrators, the only state data
involved, are held in agreement between the redundant channels by means of
cross-connecting signals. The design uses neither design diversity (identical hardware)
nor software.
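
The median value select used in the 777 PFCs and the quad-redundant MVS with fault down logic described for the F-16 follow the same pattern, sketched here as an added example that is not taken from the book or from either manufacturer. The tolerance band, the persistence count and all command values are constructed assumptions.

```python
from statistics import median


class MidValueSelector:
    """Mid-value selection over redundant channels with fault-down logic."""

    def __init__(self, n_channels, tolerance, persistence):
        self.tolerance = tolerance        # assumed agreement band around the selected value
        self.persistence = persistence    # assumed consecutive misses before disengaging
        self.healthy = [True] * n_channels
        self.misses = [0] * n_channels

    def step(self, commands):
        """Select one output for this frame and update channel health."""
        active = [i for i, ok in enumerate(self.healthy) if ok]
        if not active:
            raise RuntimeError("no healthy channel left")
        # With an even number of channels the median is the mean of the two
        # middle values, so a single outlier still cannot reach the output.
        selected = median(commands[i] for i in active)
        for i in active:
            if abs(commands[i] - selected) > self.tolerance:
                self.misses[i] += 1
                if self.misses[i] >= self.persistence:
                    self.healthy[i] = False   # fault down: disengage the channel
            else:
                self.misses[i] = 0            # disagreement was transient
        return selected


def run_quad_scenario():
    """Constructed scenario: four channels, two successive hardover failures."""
    mvs = MidValueSelector(n_channels=4, tolerance=0.5, persistence=3)
    log = []
    for frame in range(10):
        cmds = [2.0, 2.01, 1.99, 2.02]        # healthy channels agree closely
        if frame >= 2:
            cmds[3] = 25.0                    # channel 3 hardover from frame 2
        if frame >= 6:
            cmds[0] = -25.0                   # channel 0 hardover from frame 6
        log.append((frame, mvs.step(cmds), tuple(mvs.healthy)))
    return log


def duplex_disagreement():
    """Two channels can detect a disagreement but cannot tell which one is wrong."""
    mvs = MidValueSelector(n_channels=2, tolerance=0.5, persistence=1)
    selected = mvs.step([2.0, 25.0])
    return selected, tuple(mvs.healthy)


if __name__ == "__main__":
    for row in run_quad_scenario():
        print(row)
    print(duplex_disagreement())
```

The selected output stays with the healthy channels through both failures because the first faulty channel is disengaged before the second fault appears; the duplex case shows why a third channel is needed to block, rather than merely detect, a fault.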

F-16 Digital Fly-by-Wire Flight Control [10]


Fig. 1.11 AFTI/F-16, source: NASA Multimedia Gallery

Experience with a triplex digital system on the AFTI/F-16 gave General Dynamics the
confidence to abandon the proven analog FBW system of the earlier Fighting Falcon and
adopt the quadruplex digital FBW system for the Block 25 and beyond F-16C/D. This
choice resulted in capability and integration advantages with other aircraft systems,
e.g. displays via 1553 buses. The quad-redundant analog NMR computers used in earlier
production F-16A/Bs were replaced by quad-redundant digital computers. These digital
computers also include simple analog backups in each computer to protect against
generic hardware or software design error failures. Digital data exchange is used
between computers for various reasons, namely to mechanize computer output voting, to
ensure identical inputs, to keep the computers synchronized, and to maintain consistent
state data.

Table 1.1 Survey of typical in-service fault-tolerant systems, source: ref. [24]

| Application | Vehicle & System Type | Impact of Loss of Function | Impact of Malfunction | Fault-Tolerant System Description |
|---|---|---|---|---|
| Military Aircraft | F-16 FBW flight control, analog | loss of aircraft control | loss of aircraft control | 4-channel analog computer NMR identical hardware, approx. agreement MVS computer selection, MVS on computer inputs, voting hydraulic actuators, analog integrator states held consistent |
| Military Aircraft | F-16 FBW flight control, digital | loss of aircraft control | loss of aircraft control | 4-channel digital computer NMR identical hardware and software, simple analog backup control, voted computer selection, voted computer inputs, voting hydraulic actuators, digital state data exchanged and kept consistent |
| Commercial Aircraft | B-757, Pratt & Whitney PW2037 jet engine control | shutdown engine, land using one engine | mechanical overspeed protection, shutdown engine | Dual standby system |
| Manned Space | Space Shuttle | loss of vehicle and crew | loss of vehicle and crew | 4-channel NMR, identical hardware and software, 5th channel backup using same hardware but dissimilar software, identical inputs by data bus monitoring, computer outputs compared for crew annunciation only, computer selection by external voters (hydraulic voting actuators, pyro fire electronic discrete voting), exchange and vote of some state data |
| Commercial aircraft | B-777, AIMS | Limp home on backup instruments | potentially hazardous faulty display data | Two separate units, one for pilot and one for copilot displays, each unit uses 3 sets of selfchecking dual processors, Arinc-659 Safebus to distribute identical inputs, select output from a healthy pair, exchange state data, identical hardware and software in all processing pairs |
| Unmanned space | Inertial upper stage, flight controller | destruction of vehicle by range safety | destruction of vehicle by range safety | Dual self-checking pair processing, no dissimilar hardware or software, both pairs must send same critical actuation signals |
| Manned space Experimental | X-33 Reusable Launch Vehicle | destruction of vehicle by range safety | destruction of vehicle by range safety | TMR 3 identical COTS hardware and software channels, RMS provides same inputs by exchange and MVS, voting of outputs and some state data, dual actuation, transient fault recovery |
| Manned space Experimental | X-38 Crew Return Vehicle | loss of vehicle | loss of vehicle | NMR 4 identical hardware and software channels, identical inputs by exchange and voting, voting of outputs transient fault and state data recovery, any 2 FCCs can control single fault tolerant actuation. |

Pratt and Whitney PW2037 Electronic Engine Control [29]

Fig. 1.12 Pratt & Whitney PW2037, source: Pratt & Whitney

The PW2037 was the first production commercial jet engine to use a Full-Authority
Digital Electronic Control (FADEC) system with no mechanical backup control. It was
introduced on the Boeing 757 civil airliner and remains representative of state of the
art commercial engine controls. Because all commercial transport aircraft have at least
two engines, loss of thrust from one engine is not catastrophic. An engine control
malfunction leading to a potentially catastrophic engine overspeed is mitigated by
mechanical overspeed protection. Because of this, electronic engine controls are
capable of meeting FAA safety requirements using a dual standby system. In the worst
case scenario, an engine control failure not detected by BIT (Built-In-Test) will trip
the overspeed protection, resulting in the shutdown and loss of thrust from one engine
only. Also this set-up does not rely on hardware design diversity. The risk of a common
design error affecting both channels of one engine or all engines on the aircraft is
addressed through exhaustive testing.

Boeing 777 Airplane Information Management Systems (AIMS) [18]


The B-777 AIMS system is used to command all cockpit displays and to interact
with the crew via keyboards to provide flight management functions. Total loss of
cockpit displays, a system loss of function, is potentially hazardous, particularly in
adverse weather, but is not by itself a catastrophic event. A malfunction resulting in
erroneous display information to the crew is possibly a greater hazard, which is mit-
igated somewhat by requiring that pilot and copilot displays are driven by different
sources, allowing the crew to detect faulty display data by proper cross-checking.
In addition to requiring fault tolerance for safety, airline operators of transport air-
craft desire systems that can be operated safely with known failures until repairs
can be made without interruption to revenue-generating aircraft service. For this
purpose, the so-called Minimum Equipment List (MEL) has been defined, which is
specific for every aircraft and type of operation, and approved by the appropriate au-
thority. The AIMS is required to fail operationally only after two failures and must
provide very robust protection against malfunctions that would produce erroneous
crew displays. AIMS uses a triple, self-checking pair architecture. The complete
system actually consists of two separate triple self-checking units in separate cabi-
nets, separately driving the pilot’s and copilot’s displays. This allows the flight crew
to manually compare displays. The AIMS uses the same hardware and software in
both systems and in all self-checking pairs, so they do not provide dissimilarity for
protection against a generic software error. A unique type of backplane bus, the
Arinc-659 ‘Safebus’, is used to mechanize switchover between the redundant
self-checking pairs and to provide a robust method for transferring state data between
the processor pairs. Switchover to backup occurs when the backup processor pair
detects that the primary processor pair has failed to transmit its data on the Safebus.

US Space Shuttle FBW Flight Control [25]


Fig. 1.13 Space Shuttle, source: NASA Multimedia Gallery

Together with the McDonnell Douglas F/A-18 Hornet, the Space Shuttle was one
of the first digital FBW flight control systems and remains a representative example
of today’s systems. The Space Shuttle is a very demanding control problem
throughout an extensive flight envelope, requiring a single system that provides
uninterrupted control of a space launch vehicle, control of an orbiting spacecraft, and
both space and atmospheric flight control during the return to Earth. The shuttle
uses a four-channel NMR approach, with a fifth computer used as a backup system.
The fifth computer uses no hardware design diversity compared to the other four, but is
programmed with dissimilar software. The fifth channel can be engaged manually by the
crew in case the primary system fails, but this has never been necessary during the
hundred or so Shuttle flights to date. The Shuttle operates the four primary computers
as a redundant set, providing them with identical input data by monitoring the same
data buses and holding the computers in close synchronization. The computers are
programmed with the same software and should produce the same outputs. No attempt is
made by the computers to select the correct output, but instead, these redundant
outputs are transmitted to external voting devices. On one hand, these external voters
include voting hydraulic actuators for control surfaces and thrust vector control. On
the other hand, there are electronic discrete command voters that control pyrotechnic
ignition of the Shuttle’s engines and the separation of the solid rockets and the
external tank. The redundant computers do exchange and compare outputs in order
to alert the crew if a computer is producing a different output from the others. The
crew may then choose to remove power from a faulty computer to configure the
system to operate following additional failures. In fact, this is a manual fault down.

Boeing Inertial Upper Stage (IUS) Guidance and Control System [12]

Fig. 1.14 Boeing Inertial Upper Stage (IUS), source: Boeing Multimedia Gallery

The IUS is an example of a typical high-value unmanned space launch vehicle guidance
and control system. This IUS has been used to launch the spacecraft Ulysses, Galileo
and Magellan in the right orbit for interplanetary missions after they have been
brought to space in the cargo bay of the Space Shuttle. Space launch vehicles must
provide a high level of reliability to be economical and must not malfunction in a
manner that endangers human safety or property. In the event of a malfunction, ground
crews can monitor the vehicle and command destruction thanks to the incorporation of a
vehicle self-destruct system and range safety systems. The control system for the IUS
uses four processors configured as a dual self-checking pair. The switchover from the
primary processor pair to the backup pair will occur if there is disagreement between
the processor pairs. A form of electronic voting is used for critical pyrotechnic
signals, requiring that both processor pairs produce the same command to these
actuators.

X-33 Reusable Launch Vehicle Control System [11]


Fig. 1.15 X-33 Reusable Launch Vehicle, source: NASA Multimedia Gallery

The X-33 program was a technology demonstrator for the next generation of single stage
to orbit reusable launch vehicles. This prototype was unmanned. Thus, a control system
failure would have primarily economic consequences. A TMR (Triple Modular Redundancy)
fault-tolerant computer with dual standby actuation was selected to guarantee a high
probability of successfully completing a series of sub-orbital test flights. The
system used commercial-off-the-shelf (COTS) computers with custom Redundancy Management
System (RMS) hardware and software to form the TMR fault-tolerant computer. It was
planned to expand from TMR to quad NMR and to increase the level of actuation
redundancy for the manned, operational system, for which even higher safety
requirements would be imposed; however, budget cuts and technical troubles have led to
the cancellation of these plans. The TMR computers used MVS to vote outputs, maintain
identical inputs, and to maintain consistent state data. Voting was selectively applied
to some, but not to all data, to minimize the data exchange and voting required. The
TMR computers were designed in order to fault down to a self-checking pair after one
persistent failure. The system was designed to recover the use of a computer that had
experienced a transient fault. The COTS computers and the software that runs on them
are identical: no dissimilarity was used to protect from generic design errors.

X-38 Prototype Crew Return Vehicle (CRV) Control System [2]


Fig. 1.16 X-38 Prototype Crew Return Vehicle, source: NASA Multimedia Gallery

The X-38 program was an unmanned technology demonstrator for a re-entry vehicle
that would be used for emergency return from the International Space Station.
However, budget cuts have led to the cancellation of this development program after a
few unmanned demonstrator test flights. The demonstration system was required to
operate following any two Flight Control Computer (FCC) failures and following any one
non-computer failure. A four channel NMR FCC with dual standby actuation was selected
to meet these requirements. Sensors and actuators were connected to the FCCs such that
any two operating FCCs can control the vehicle. The FCCs were COTS computers and were
interconnected by special network element hardware and fault tolerant systems serviced
software to form a Fault Tolerant Parallel Processor (FTPP). The FTPP was designed to
provide resilience to Byzantine failures. A Byzantine fault is an arbitrary fault that
occurs during the execution of an algorithm by a distributed system. It encompasses
those faults that are commonly referred to as ‘crash failures’ and ‘send and omission
failures’. When a Byzantine failure has occurred, the system may respond in any
unpredictable way, unless it is designed to have Byzantine fault tolerance. These
arbitrary failures may be loosely divided into three categories, namely a failure to
take another step in the algorithm (crash failure), a failure to correctly execute a
step of the algorithm, and arbitrary execution of a step other than the one indicated
by the algorithm. The FTPP was also designed to discriminate between transient and
permanent faults, allowing recovery of an FCC that had a transient fault. The COTS
computers and the software that ran on them were identical; no dissimilarity was used
to protect from generic design errors.

1.2.8 A Final Note on Fault Tolerance Properties Incorporated in Current Fly by Wire Flight Control Systems

Based upon this information, it is clear that up to now, faults or damage on board
an aircraft like computer failures, power/hydraulic failures, engine failures, link-
age breaks and sensor failures, have been accommodated by hardware design. Crit-
ical components (flight control computers, actuators and sensors) have been im-
plemented duplex, triplex or even quadruplex redundantly. Additionally, one can
choose distributed systems and alternate controls or sensors. As a consequence, to-
day’s research efforts are gradually shifting from correcting additive failures (sen-
sors and actuators) towards dealing with parametric failures (major structural and
engine failures). The approach discussed in this book is to focus on control law de-
sign such that more severe kinds of faults and/or damage, like aerodynamic changes
(damage), control surface damage and actuator failures can be tackled. This can
be done by means of robustness, reconfiguration and adaptation of the control
laws. This method of control law design is motivated by a survey of recent LOC-I
accident cases in which the control and performance capabilities of the aircraft
were compromised due to the failure of one or more critical systems and structural
damage.

1.3 Rationale of Damage Tolerant Control - Aircraft Accident Survey

Recent flight control research activities are currently exploring the potential bene-
fits of fault tolerant flight control (FTFC) techniques, in particular the mitigation of
(severe) damage to the aircraft and its systems using reconfiguration methods. The
reason for this is the observation that a considerable number of aircraft accidents
over the last thirty years could possibly have been prevented in one way or another
if considered from an aeronautical-technical point of view. A reconfigurable flight
control system might have prevented the loss of two Boeing 737s due to rudder ac-
tuator hard overs and of a Boeing 767 due to inadvertent asymmetric thrust reverser
deployment. The 1989 Sioux City DC-10 incident is an example of the crew per-
forming their own reconfiguration using asymmetric thrust from the two remaining
engines to maintain limited control in the presence of total hydraulic system failure.
The crash of a Boeing 747 freighter in 1992 near Amsterdam, the Netherlands, fol-
lowing the separation of the two right-wing engines was potentially survivable given
adequate knowledge about the remaining aerodynamic capabilities of the damaged
aircraft. New forms of threat within the aviation community have recently come
into play from deliberate hostile attacks on both commercial and military aircraft.
A surface-to-air missile (SAM) attack has recently been demonstrated to be surviv-
able by the crew of an Airbus A300B4 freighter performing a successful emergency
landing at Baghdad International Airport after suffering from complete hydraulic
system failures and severe structural wing damage. Apart from system failures and
hostile actions against commercial and military aircraft, recent incident cases also
show the destructive impact of hazardous atmospheric weather conditions on the
structural integrity of the aircraft. In some cases, clear air turbulence (CAT) has
resulted in aircraft incurring substantial structural damage and loss of engines.
An increasing number of measures are currently being taken by the international
aviation community to prevent LOC-I accidents due to failures, damage and upsets
for which the pilot was not able to recover successfully despite available perfor-
mance and control capabilities. This not only includes improvements in procedures
training and human factors, but also finding measures to better mitigate system fail-
ures and increase aircraft survivability in the case of an accident or degraded flight
conditions. Six recent airliner LOC-I accidents will be described in detail which
demonstrate that better situational awareness or guidance would have recovered
the impaired aircraft and improved survivability if unconventional control strate-
gies were used. In some of the cases described, the crew was able to adapt to the
unknown degraded flying qualities by applying control strategies (e.g. using the en-
gine effectors to achieve stability and control augmentation) that are not part of any
standard airline training curriculum. A selection of the accident cases as described
in this chapter formed the basis for the reconstruction of realistic and validated
aircraft accident scenarios as part of the FM-AG(16) simulation benchmark. This was
partly based on available flight data of the accident cases, simulation models and
results from earlier studies. Although the accident survey in this chapter shows that
the aircraft propulsion system can be used as the only effective means of control-
ling and landing a damaged aircraft when the complete flight control system is lost,
within FM-AG(16) this control strategy has not been investigated (despite having
evaluated some control options using differential thrust for stabilisation). This is
mainly due to the additional design requirements on engine performance (e.g. re-
sponse time) and health monitoring to allow them to be used as an integrated part
of the flight control system. This subject is currently the topic of other proposed
research initiatives in the area of damage tolerant flight control [7]. The majority
of documentation and supporting graphics of the aircraft accidents cases, described
in this chapter, are based on reference [27]. Selected graphics and diagrams used
in this book have been reproduced from the original artwork created by Matthew
Tesch for the Air Disaster series of books published by the-then Aerospace Publica-
tions (Canberra) and appear here by kind permission of the artist and the publisher.
To distinguish these from other graphic material used in this document, the shorter
acknowledgement (MT/AA) appears at the end of each caption.

1.3.1 American Airlines Flight AA191, Source: [27]


Fig. 1.17 AA DC-10-10 N110AA, © Werner Fischdick

On May 25 1979, the American Airlines widebody DC-10-10, registered N110AA,
was preparing at Chicago O’Hare International Airport for departure with 271
people aboard on the transcontinental flight AA191 to Los Angeles, California. At
the start on the runway, the DC-10’s acceleration and takeoff roll seemed perfectly
normal at a flap setting of 10 degrees and left rudder with right aileron use as
compensation for the right crosswind. But at 6000 feet down the runway, just before
rotating into the takeoff attitude, pieces of the port
(No 1) engine pylon fell away from the aircraft, and white vapour began to stream
from the mounting. A moment later, during the rotation itself, the entire No 1 en-
gine and pylon tore themselves loose from the aircraft, flew up over the top of the
wing, and smashed back onto the runway behind the still accelerating DC-10 as it
lifted into the air. The aircraft’s port wing had dropped slightly as the DC-10 lifted
off, but this was quickly picked up by application of aileron and rudder and the
DC-10 continued to climb out with its wings level while accelerating to a maximum
speed of 172 knots. The nose up attitude of about 14°, as well as the aircraft’s
heading, appeared stable with the right aileron and right rudder being used
to maintain equilibrium and it seemed that, despite the loss of its port engine, the
DC-10 was responding well to control. But 10 seconds later, when the DC-10 had
climbed to about 300 feet, the speed decreased to 159 knots and it began to roll to
the left at an increasing rate, despite the crew’s application of right aileron. The roll
quickly steepened alarmingly, even though increasing amounts of opposite rudder
and aileron were being applied, and it began yawing to the left as well. Simultaneously,
the nose lowered and the aircraft began to lose height, despite increasing the
up elevator. At the same time, the bank increased still further. Finally, the DC-10’s
wings were past the vertical in a 112 degree left roll and a 21 degree nosedown
attitude, with full opposite aileron and rudder, and almost full up elevator being applied.
At this point the wingtip struck the ground, pivoting the DC-10 into the ground, nose
first, with enormous impact. The aircraft exploded in an enormous flash of flames
and a cloud of black smoke. The DC-10 had been airborne for only 31 seconds, and
none of the occupants survived. The trajectory of this ill-fated flight is illustrated in
fig. 1.18.

Fig. 1.18 Main developments in the DC-10’s disastrous takeoff, from engine separation to
impact, (MT/AA)

During the subsequent investigation by the National Transportation Safety Board
(NTSB), two key questions dominated the investigators’ minds: What had caused the
engine pylon to break away so unexpectedly from the aircraft’s wing under perfectly
normal operating conditions? And why had this led to such a complete loss of control?
In theory, the DC-10 should certainly have been aerodynamically capable of
climbing away successfully after the physical loss of the engine, and returning for
a safe landing. The overall investigation therefore concentrated primarily on two
major areas:
1. Identifying the structural failure which led to the engine-pylon separation and
determining its cause;
2. Determining the effects of the structural failure on the aircraft’s performance and
systems, and identifying what led to the loss of control.
The following observations in these areas were made during the analysis:
1. The analysis of the pylon structural failure revealed that fractures in the upper
flange of the pylon rear bulkhead at the joint between the pylon and wing re-
sulted in this structural failure. Moreover, a subsequent fleetwide grounding and
inspection of all US registered DC-10’s revealed that in total six other American
Airlines and Continental aircraft had similar fractures. All six had been subjected
to the same maintenance procedures, involving removal and reinstallation of the
engines and pylons. Both airlines had individually devised a procedure which
they believed to be more efficient than the one recommended by the manufacturer,
involving the removal of the engine and pylon as a single unit instead of
removing the engines from the pylons before the pylons are removed from the
wing. Altogether the evidence was compelling that the cracks in the rear bulk-
head upper flanges were being introduced as a result of these irregular main-
tenance practices, which were unauthorized by the manufacturer as well as the
FAA.
2. During the wreckage analysis, it was found that a three metre section of the port
wing’s leading edge, just forward of the join between the No 1 engine pylon and
the wing, was torn away with the pylon, severing the hydraulic system’s lines for
the port wing’s outboard slats. Thirty five of the 36 leading edge slat tracks were
subsequently examined, disclosing that, at impact, the port wing’s outboard slats
were retracted, while its inboard slats, together with the starboard wing’s inboard
and outboard slats, were in an extended position, as illustrated in fig. 1.19. This
retraction of the port wing’s outboard slats was caused by the combination of a
lack of hydraulic pressure and the air loads. This retraction was critical since it
had a profound effect on the aerodynamic performance and controllability of the
aircraft. The lift on the port wing was reduced and its stalling speed increased to
159 knots. Since the aircraft’s speed reduced to 159 knots during the 14° pitch
attitude climb¹, the port wing stalled and the roll to the left was initiated. With
the loss of engine No 1, all other accessories driven by this engine were lost,
namely the pressure pumps of hydraulic system No 1 and the No 1 AC generator².
The separation also severed electrical wiring, resulting in the loss of power
to the captain’s instrument panel, the slat disagreement warning system, stall
warning system and its stick-shaker function. This implied that there was little or
no warning to the pilot of the onset of the stall on the outboard section of the port
wing. The loss of control of the DC-10 was thus the result of a combination of
three events: the retraction of the port wing’s outboard leading edge slats, the loss
of the slat disagreement warning system, and the loss of the stall warning system.
All were consequences of the separation of the engine and pylon assembly.
Each on its own would not have resulted in the crew losing control. But together,
during a highly critical phase of flight, they posed a problem that gave the crew
insufficient time to recognize and correct.

¹ In accordance with the airline’s prescribed engine failure procedures.
² These accessories would have remained operational when an engine ceased to operate, but
these were severed in this situation because of the physical separation of the engine from
the aircraft and the damage to the hydraulic power and other lines.

(a) Artist impression of the damaged aircraft during its 31 second flight, note the retracted
outboard slats on the port wing, (MT/AA)
(b) Picture of the damaged aircraft just before impact, source: [3]
(c) Picture of the damaged aircraft just after impact, source: airdisasters.com

Fig. 1.19 Drawings and pictures of heavy damage to AA DC-10-10 N110AA

The National Transportation Safety Board finally determined the cause of the
accident to be the asymmetric stall and ensuing roll of the aircraft because of the
retraction of the port wing outboard leading edge slats, and the loss of stall warning
and slat disagreement indicator systems resulting from the separation of the No 1
engine and pylon assembly, at a critical point during takeoff. The separation resulted
from damage inflicted by improper maintenance procedures which led to the failure
of the pylon structure.
Contributing to the cause were:
• The vulnerability of pylon attachment points to maintenance damage and of the
leading edge slat system to the damage which produced asymmetry;
• Deficiencies in the FAA’s surveillance and reporting systems in failing to detect
improper maintenance procedures;
• Deficiencies in communication between the aircraft operators, the manufacturer
and the FAA in failing to disseminate details of previous maintenance damage;
• The inadequacy of prescribed engine failure crew procedures to cope with unique
emergencies.
Post accident analysis has indicated that the pilot had about 15 seconds to react
to the failure before control was completely lost. If corrective action had been taken,
the plane could have been saved [26]. Obviously, under such emergency conditions,
an automatic fault-tolerant control system could have been extremely useful to assist
the pilots, and on-line generated diagnostic information could have been useful to
recover the plane. However, it should be noted that once the pilot let the speed
decrease to V2, the angle of attack of the affected left wing exceeded its stall limit
thus causing a non recoverable loss of control. It is important to realize that the main
contribution fault tolerant control could most probably provide in this situation, was
to improve the reaction time of the pilot to recover and stabilize the aircraft and to
prevent the speed from decaying by taking into account the minimum speed limit. Once
the stall limit was exceeded, fault tolerant control could not recover from this fatal
condition anymore as there would not be enough control authority by the remaining
effectors to recover from the loss of control. From an operational standpoint, a too
low airspeed combined with a very low altitude leads to a lack of sufficient energy
to escape from this catastrophic situation.

1.3.2 Japan Airlines Flight JL123, Source: [27]


Fig. 1.20 JAL B747SR JA8119, © Werner Fischdick Collection

On August 12 1985, the Japan Airlines short range Boeing 747SR with registration
JA8119 departed as domestic flight JL123 from Tokyo Haneda towards Osaka. Despite
the usual meticulous maintenance, an ill-accomplished fuselage repair more than
seven years before was in effect a time bomb which unfortunately went off during
this flight. The repair was necessary because of a tail strike at a landing performed
by the aircraft at Osaka in 1978. The damage required repair to the aft fuselage and
even the rear pressure bulkhead, which sustained heavy damage from the impact on
the fuselage hull. Unfortunately, the repair work on the bulkhead involved rivet
numbers and placement which was not optimized for long term fatigue, as explained
in [27]. The repaired pressure dome held for seven years. Unfortunately, on flight
JL123 the repaired dome joint broke and resulted in an explosive decompression,
as illustrated by fig. 1.21(a). The volume of air escaping violently from the passenger
cabin through the ruptured bulkhead, the failure of which in itself did not destroy the
aircraft, had the same impact on the tailcone and tail surfaces as an explosion. Almost
the complete vertical fin was blown off, together with components of all four
independent hydraulic systems powering the primary flight controls. This meant
that all hydraulics were lost and the crew was left with no means to control the aircraft
except for the engines. An amateur photographer took a picture of the crippled
tailless aircraft, as seen in fig. 1.21(b).

(a) Illustration of explosive decompression, (MT/AA, with acknowledgement to
Flight International/John Marsden & Time magazine/Joe Lertola)
(b) Picture of crippled tailless aircraft

Fig. 1.21 Illustrations of heavy damage to JAL Boeing 747 JA8119, (MT/AA)

Fig. 1.22 Trajectory of flight JL123, (MT/AA)

The loss of the vertical tail rendered the heavy aircraft de facto laterally unstable
and led to a hopeless situation for the crew. The loss of hydraulics halted the
functioning of all stability augmentation equipment, resulting in the appearance of
phugoid as well as Dutch roll behaviour³. The only way for the crew to stabilize
the aircraft, was to apply differential thrust by handling the four throttle levers
separately. In this way the experienced crew succeeded in stabilizing the aircraft for half
an hour, and almost managed to bring the aircraft back to Haneda’s airport. Unfortunately,
they did not make it to the airport and crashed on Mount Osutaka. According
to [27], it is widely accepted that the aircraft crashed because of crew fatigue and
experts believe they would never have succeeded in performing a successful landing
even if they had managed to bring the crippled aircraft back to the airport. A sketch
of the aircraft trajectory can be found in fig. 1.22.

³ After this accident, the manufacturer included some safety measures in the hydraulic
circuit to prevent the total loss of all hydraulics in future in similar scenarios. This led to the
choice to include the vertical tail loss in the RECOVER accident scenarios list without
considering the total loss of hydraulics, see chapter 6.

The flown trajectory shown in fig. 1.22 indicates that the aircraft was still controllable to
some degree through differential thrust from its engines; the problem was that
this was not an efficient means of control for the crew. With the available controls, they
did not have the necessary capabilities to bring the aircraft and the passengers back
to safety.

1.3.3 United Airlines Flight UA232, Source: [27]

Fig. 1.23 UA DC-10-10 N1819U, © Werner Fischdick

On July 19 1989, United Airlines flight UA232 going from Denver to Chicago was
operated by one of the company’s McDonnell Douglas DC-10-10s. The aircraft
involved had the registration N1819U. A little more than an hour after departure from
Denver, when the DC-10 was flying above the state of Iowa, north of the town Alta, it
attempted to make a heading change from 15° to 95° at an airway intersection point.
Close to the end of that turn, at 80°, the fan disk of engine number two, which is placed
on the aircraft’s tail, fractured due to a disk forging flaw. The debris of this explosive
engine failure punctured the horizontal stabilizer as well as the tailcone. Also the
tubes of all three independent hydraulic systems powering the flight controls were
damaged, which resulted in the loss of all hydraulics, just like the situation with the
JAL jumbo jet four years before. This event is illustrated by some pictures. Figure
1.24(a) is a picture of the aircraft, where the small arrows indicate the punctured areas
on the right elevator. Note the large hole in the elevator leading edge, and the missing
tailcone. Note that the major damage is clearly situated in the plane of the No.
2 fan disk. Finally, fig. 1.24(b) shows a picture of the stabilizer on the re-assembled
wreckage after the crash. This is a top view, the structure on the top left is the tail
engine housing. It is clear where the No. 2 fan disk is located in that housing, since
the skin is completely missing there. With regard to the stabilizer, it is clear that the
inner part was damaged to a significantly larger extent than the outer one.

(a) Bad quality picture of the aircraft with arrows indicating the damage locations on
elevator and tailcone, source: NTSB
(b) Picture of re-assembled stabilizer wreckage after crash, source: [3]

Fig. 1.24 Illustrations of heavy damage to UA DC-10-10 N1819U

Since the aircraft was swinging through a gradual right turn at the airway in-
tersection at the moment the tail-mounted engine disintegrated, its ‘frozen’ control
surfaces left it with the tendency to continue the turn. Figure 1.25 shows a map of
the aircraft’s radar-plotted track. The post failure ground track clearly shows the
right hand turn tendency. In their fight to retain control with engine power alone,
the DC-10 crew had small but crucial advantages over the hapless Japanese Boe-
ing 747 crew in a similar predicament four years before, as described above. The
undamaged fin gave the aircraft some measure of directional stability, moreover a
‘dead-heading’ check pilot joined the United crew on the flight deck. The check
pilot’s remarkable skills in handling the power levers undoubtedly allowed the op-
erating crew to concentrate more closely on their crucial individual tasks. Thanks to
the joint efforts of the highly experienced crew, they managed to divert the aircraft
to the airport closest in the vicinity, namely the Sioux Gateway Airport. As can be
clearly seen in fig. 1.25, they succeeded only once in making a left turn, but this was
sufficient to line the crippled DC-10 up with one of the airport’s runways.
Unfortunately, since the flaps were stuck at their ‘in’-position, the crew was
forced to make their approach at high speed. Moreover, the sluggish aircraft re-
sponses to the throttle setting changes made it particularly difficult to make changes
in the aircraft final approach path and speed close to the runway. This resulted in the
final seconds of flight being in a nearly unsurvivable situation. Any throttle change
induced some very badly damped phugoid oscillations, which are extremely dangerous
at this altitude. Moreover it was impossible to set the throttles to idle at finals,
because this would result again in the natural tendency of the aircraft to make a gradual
right hand turn. All this resulted in the situation whereby the aircraft made extremely
hard and rough contact with the ground, rolling and tumbling upside down
as it broke up. Despite this dramatic end, and although 111 people died in the valiant
landing attempt, the superb airmanship of the crew to nurse the aircraft back to the
closest airport led to the survival of 185 passengers, including all the four crew on
the flight deck. It is clear that the survival of a considerable number of the passengers
depended entirely on the magnificent skills of the crew. Without these highly
experienced pilots, this situation would have been definitely unsurvivable.

Fig. 1.25 Map of the aircraft trajectory, (MT/AA)

1.3.4 EL AL Cargo Flight LY1862, Source: [40]


Fig. 1.26 EL AL B747-200F 4X-AXG, © Werner Fischdick

On October 4 1992, a Boeing 747-200F freighter aircraft operated by Israel’s national
airline EL AL (registration: 4X-AXG) departed from Amsterdam airport on
cargo flight 1862 towards Tel Aviv. Unfortunately, while the aircraft was climbing
over the most southern part of the IJsselmeer, the pylon of engine No. 3 broke
off due to metal fatigue. Without the usual heavy aircraft inertia, the engine raced in
front of the aircraft, but due to the moment of the rotating parts it started tumbling and
impacted on engine No. 4. This resulted in the loss of both right-wing engines, including
serious damage to the wing leading edge resulting in the loss of lift force
and a significant drag increase. Due to this extensive damage, the aircraft was rendered
considerably asymmetric. Moreover, this damage resulted in a partial loss of
the hydraulics, and hydraulic systems 3 and 4 became unavailable. As illustrated in
fig. 1.27, a significant number of control surfaces were paralysed after the engine
separation. The outboard (low speed) ailerons, outboard flaps, spoilers No. 1, 4, 5,
6, 7, 8, 9, 12 as well as the inner left and outer right elevator were lost completely,
while the inner (high speed) ailerons suffered a 50% hinge moment loss and the
functionality of the horizontal stabilizer was reduced to half trim rate.

Fig. 1.27 Illustration of aircraft damage, source: [40]

After experiencing the limping behaviour of the crippled aircraft, the crew de-
cided to return to the airport. In an attempt to make an emergency landing, the
aircraft flew several right-hand circuits in order to lose altitude and to line up with
runway 27. During the second line-up, the aircraft entered an unrecoverable roll-
dive. As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor
apartment building in the Bijlmermeer, a suburb of Amsterdam. The trajectory of
the aircraft is shown in fig. 1.28. Since the crew was not aware of the actual scale
of the damage, they decided to return to the airport as quickly as possible. However,
this meant that they attempted to make an emergency landing with the
heavy take off weight of 317 tons. This would have required such a high approach
speed of 133.8 m/s, that no safe landing would have been possible. Jettisoning fuel
in order to reduce the aircraft weight to a more acceptable 263 tons would have resulted
in a lower minimum speed of 108 m/s that possibly would have led to a more
survivable emergency landing, even with the flaps stuck at position 1.

Fig. 1.28 Trajectory of EL AL flight 1862

The official analysis from this investigation concluded that given the performance
and controllability of the aircraft after the separation of the engines, a successful
landing was highly improbable. In 1997, the division of Control and Simulation in
the Faculty of Aerospace Engineering at the Delft University of Technology (DUT),
in collaboration with the Netherlands National Aerospace Laboratory NLR, performed
an independent analysis of the accident. In contrast to the analysis performed
by the Netherlands Accident Investigation Bureau, the DFDR flight parameters were
reconstructed using modelling, simulation and visualisation techniques in which the
DFDR pilot control inputs were applied to detailed flight control and aerodynamic
models of the accident aircraft. The purpose of the analysis was to acquire an esti-
mate of the actual flying capabilities of the aircraft and to study alternative control
strategies for a successful recovery. The application of this technique resulted in a
simulation model of the impaired aircraft that could reasonably predict the perfor-
mance, controllability effects and control surface deflections observed on the DFDR.
Analysis of the reconstructed model (later used for the simulation benchmark in
Chapter 6), indicated that from a technical point of view the damaged aircraft was
recoverable if unconventional control strategies were used. Further results of this
investigation, including detailed qualitative results of the analysis, can be found
in [38] and [39]. Comparing this aircraft accident analysis with the previous two,
shows that differential thrust is not the only way of recovering a crippled aircraft.
It is possible that a limited number of control surfaces are still operative, and these
should be taken into account when attempting to apply a form of unconventional
control in order to bring the aircraft back to safety.

1.3.5 USAir Flight 427 and United Airlines Flight 585, Sources: [4], [9], [5]

Fig. 1.29 United Airlines B737-200 N999UA, © Werner Fischdick

On March 3, 1991, a United Airlines (UAL) Boeing 737-200, registration number
N999UA, operating as flight 585, was on a scheduled passenger flight from Denver,
Colorado, to Colorado Springs, Colorado. Visual meteorological conditions (VMC)
prevailed at the time, and the flight was on an instrument flight rules (IFR) flight
plan. Numerous witnesses reported that shortly after completing its turn onto the
final approach course to runway 35 at Colorado Springs Municipal Airport (COS),
at about 0944 Mountain Standard Time, the airplane rolled steadily to the right and
pitched nose down until it reached a nearly vertical attitude. In the last 8 seconds, the
pilot requested 15 degrees of flaps, which was confirmed by the first officer and it has
been noted in the recorded cockpit sounds of the CVR that both engines were accelerating
just prior to impact. This selection of 15-degrees flaps, in combination with
increased thrust, is consistent with the initiation of a go-around. Despite this crew
effort, the altitude continued decreasing rapidly, the indicated airspeed increased to
over 200 knots, and the normal acceleration increased to over 4 G, before hitting
the ground in an area known as Widefield Park, less than four miles from the runway
threshold. Figure 1.30 shows a plot of United flight 585’s ground track based on
FDR and radar data. The airplane was destroyed completely by the impact forces
and post-crash fire, and the 2 flight crew-members, 3 flight attendants and 20 passengers
aboard were fatally injured.

Fig. 1.30 Trajectory of United Airlines Flight 585, source: [5].

The subsequent investigation by the NTSB lasted one year and 9 months. Despite
extensive damage to the flight data recorder (FDR), all the data was extractable. The
FDR only recorded five parameters⁴. The flightpath, pitch and roll angles were determined
by calculations using the heading and normal acceleration (G-loads) data.
The direct availability of roll attitude data would have provided direct information
about sideslip angles when the roll angle and heading data were compared, thus
permitting a more accurate analysis to determine the nature of the airplane’s final
manoeuvre. Had rudder, aileron and spoiler deflection data been available, investigators
would have been able to compare the airplane’s theoretical performance with
other data that described the airplane’s flight profile to determine with a high level
of confidence the effect of external (atmospheric) forces. The direct evidence provided
by the parameters would also have permitted an analysis of the flight control
system and engine function. Consequently, the data proved insufficient to establish
why the plane suddenly went into the fatal dive. The NTSB did not rule out the
possibilities of a malfunction of the rudder PCU servo (possibly causing a rudder
reverse) and the effect that powerful rotor winds coming off the Rocky Mountains
might have had, but there simply was not enough evidence to judge the expected
cause. In the first NTSB report (issued on December 8, 1992) no ‘probable cause’
could be given. Instead, it said ‘The National Transportation Safety Board, after an
exhaustive investigation effort, could not identify conclusive evidence to explain the
loss of United Airlines flight 585.’

⁴ Since 1994, FDRs are required to have more parameters, including those to provide roll
and pitch attitude data, as well as thrust data.

Sadly enough, three years later, a highly similar accident occurred...

Fig. 1.31 USAir B737-300 N513AU, © Werner Fischdick Collection

On September 8, 1994, at about 1903 local time, USAir flight 427, a Boeing 737-3B7
(737-300), N513AU, crashed while manoeuvring to land at Pittsburgh International
Airport, Pittsburgh, Pennsylvania. Flight 427 was operating as a scheduled
domestic passenger flight from Chicago-O’Hare International Airport, Chicago, Illinois,
to Pittsburgh. The flight departed at about 1810, with 2 pilots, 3 flight attendants,
and 127 passengers on board. FDR data indicated that the accident airplane
was rolling out of a left bank to its assigned heading of 100°, after which it began to
yaw and roll; the airplane’s heading moved left past 100° at an increasing rate. Thereafter,
the airplane’s heading moved left at a rate of at least 5° per second. The airplane’s
heading continued to move left at least at this rate until the stickshaker activated⁵.
The airplane’s left roll angle was also increasing rapidly during this time: the
airplane’s left roll angle was about 28° and 5 seconds later the airplane’s left roll angle
exceeded 70°. All this happened in less than 15 seconds. The airplane kept rolling to the
left and finally entered an uncontrolled descent and impacted terrain near Aliquippa,
Pennsylvania, about 6 miles northwest of the destination airport. All 132 people on
board were killed, and the airplane was destroyed by impact forces and fire. The
Safety Board therefore considered various scenarios that could have resulted in such
an abrupt heading change, including asymmetric engine thrust reverser deployment,
asymmetrical spoiler/aileron activation, transient electronic signals causing uncommanded
flight control movements, yaw damper malfunctions, and a rudder cable
break or pull. At the end, the Safety Board ruled out each of these scenarios as a
possible factor or cause of the left yaw/roll and heading change for various reasons.

⁵ This system warns the pilot when the aircraft is critically close to stalling.

(a) Drawing of the Boeing 737 main rudder power control unit (PCA)
(b) Drawing of the Boeing 737 main rudder PCU servo valve

Fig. 1.32 Drawings of the faulty rudder PCU equipment on both Boeing 737s, source: [5].

After this second accident, similar to the USAir Flight 427, the NTSB reopened
the investigation of Flight 585, discussed earlier⁶, and came up with the following
identical conclusion for both accidents: ‘The National Transportation Safety Board
determines that the probable cause of the United Airlines flight 585 and USAir
Flight 427 accidents was a loss of control of the airplane resulting from the movement
of the rudder surface to its blowdown limit. The rudder surface most likely
deflected in a direction opposite to that commanded by the pilots as a result of a
jam of the main rudder power control unit servo valve secondary slide to the servo
valve housing offset from its neutral position and overtravel of the primary slide’,
see fig. 1.32.

⁶ And even another related accident with the same type of aircraft, namely Eastwind Flight
517.

Comparing this aircraft accident analysis with the previous ones, shows that not
only a (partial) loss of hydraulics can lead to disastrous situations. Here, all hydraulics
were still operational, but the rudder actuator suffered from a malfunction,
leading to an extreme deflection up to its blowdown limits. Since all other control
effectors, surfaces and engines, were still operative, their control authority could have
been exploited by a form of unconventional control in order to bring the aircraft
back to safety. In this scenario of a rudder hardover, the ailerons and differential
thrust on both engines would be the steering channels par excellence to compensate
for the failure.

Finally, flight tests conducted in a Boeing 737-300 aircraft, following the acci-
dent, demonstrated that an airspeed of 190 KIAS was close to the crossover speed
for the weight and configuration of USAir Flight 427. At this speed, it was found that
the ailerons and spoilers were sometimes unable to stop the roll induced by a (faulty)
full rudder deflection. Moreover, the investigation by NTSB showed that if a B-737-
300 aircraft cruising at an airspeed of 190 knots with flaps 1 encountered a rudder
hardover, recovery was impossible if altitude was maintained by the pilot. In these
conditions, aircraft recovery was only possible if the pilot descended to gain air-
speed, which decreases the effectiveness of the rudder and increases aileron/spoiler
authority enough to compensate for the rolling moment. However, the natural re-
action of the pilot would be to maintain altitude while analyzing a control problem
as was the case for this accident. Simulations have shown that a roll/yaw upset is
most likely to be unrecoverable due to the surprise reaction of the pilot and the
aircraft being below the crossover speed and/or close to the ground. However, a
rudder hardover of a Northwest Airlines Boeing 747-400 aircraft (Flight 85) in 2002
showed that the remaining control capabilities of the aircraft, including the engines,
could be used to recover the aircraft and reduce speed to conduct a successful
landing. In these scenarios too, fault tolerant control could assist in recovering
correctly and in time from a fault-induced upset and in stabilizing the aircraft for an
emergency landing.

1.3.6 DHL Cargo Flight above Baghdad, Sources: [31], [32]


On November 22, 2003, the DHL Airbus A300B4-203F freighter, registered OO-DLL, took
off from Baghdad, bound for Bahrain. While in initial climb, at about 8000 ft, the
aircraft was hit by a surface-to-air missile. The missile entered the aircraft’s left
wing from below at approximately half span. By perforating the wing skin, the
projectile entered the outer wing fuel tank 1A. After it ignited, it destroyed the
tank so comprehensively that the fuel just drained out. This tank was full of fuel
and luckily contained no fuel-air vapour, otherwise the wing would have been blown
off the aircraft. However, it still proceeded to burn away at the rear spar. The fuel
tank ribs in the area directly in front of the outboard flap burnt almost 50% through,
but the front spar remained intact. Besides destroying tank 1A, the missile also
pierced the inboard left wing tank 1, so it too was losing fuel. Since this inboard
tank directly feeds the left engine, this led to a very time critical situation. Once the
left inboard tank lost all its fuel content, the left wing engine would have stopped
working. The crew knew they had to land quickly because the wing was trailing
a 50 m flame, see Fig. 1.34(a). They also knew that if a part of the wingtip separated
they would lose all control of the aircraft. Despite the fact that the leading edge of
the wing was complete along almost its entire length, unknown to the crew, the fire
was gradually destroying the outer wing, creeping forward from the trailing edge.
At some stage before they landed, the rear wing spar separated and the remaining
structure was held together by the forward spar only, see Fig. 1.34(b). The impact hole
where the surface-to-air missile (SAM) entered the wing box is visible in Fig. 1.34(c).

Fig. 1.33 DHL A300-B4 OO-DLL, © Werner Fischdick Collection

Fig. 1.34 Pictures of heavy damage to DHL A300B4-203F OO-DLL: (a) the flying aircraft
with the left wing on fire, the flames eating slowly their way through the wing
structure; (b) damaged trailing edge wing structure; (c) missile hole in lower skin of
wing structure

Within a few seconds after impact, the aircraft lost all pressure in the three sepa-
rate hydraulic systems. Consequently, the primary flight control surfaces (ailerons,
rudder, elevators) and the spoilers were no longer powered and went limp as their ac-
tuators drained, trailing in the slipstream. The aircraft was rendered uncontrollable
by conventional means and adopted a rapid phugoid motion. The horizontal stabi-
lizer setting was frozen at the trim position for 215 KIAS, while flaps and slats were
unavailable. Fortunately, it was a short flight with a light load, the total weight being
only 220 klb, well below maximum landing weight. This was a clear and essential
advantage compared with the EL AL scenario described earlier, since the aircraft
was in an acceptable configuration in order to perform immediately a relatively safe
landing with acceptable approach speed. Because of the expanding left wing damage,
the only way to control the aircraft, namely by applying differential thrust, was
also time critical, which ruled out any option of fuel jettison before switching
over to the landing. If they had taken too long to return to the airport, the No. 1 engine
could have run dry of fuel due to the leaking No. 1 fuel tank, or the structural
integrity of the left wing could have been compromised because of the expanding fire,
slowly ‘eating’ its way through the structure. Both would lead to unsurvivable
additional damage. As the aircraft climbed towards a maximum altitude of about 12,000
feet, within 10 minutes, the crew essentially managed to apply an ‘adaptive control
strategy’, regaining control and understanding the basic principles of the flying
characteristics induced by the phugoid motion. In addition to controlling pitch and roll
of the aircraft by the engine throttles only, the additional drag and lift loss due to the
damaged left wing needed to be compensated for. A welcome help was the fact that
deploying the gear during the descent increased the damping of the phugoid. After a
first unsuccessful attempt to land the aircraft using the engines only, the crew made
a go-around and finally made a successful landing at Baghdad International Airport,
see Fig. 1.35. This was a tremendous achievement, and the crew made the most of
the little chance they were given. It was a remarkable premiere.

Fig. 1.35 DHL A300 flight trajectory, acknowledgement to Flight International

This failure resulted in additional challenges with respect to the previous
situations. This time, the failure was not only sudden, it was also developing and
expanding. This is an additional challenge for the identification routine, as it has to
keep monitoring continuously, even after failure detection. Some kind of indication
of time critical issues to the crew could also be of interest, to contribute to their
situational awareness. Finally, it should be noted that this incident is an extreme
situation which only serves as one of the incidents motivating the need for a fault
tolerant flight control system. It is not our goal to discuss this failure specifically.

1.3.7 Final Note on Accident Analysis


Only a few aircraft accidents have been analysed in detail above. Three of the above
examples concern the total loss of the hydraulic circuits, leaving thrust control
as the only way to steer the crippled aircraft. It should be noted that these acci-
dents just serve as a general introduction and motivation for FTFC. Thrust control
only was not a specific point of research within FM-AG(16), since it has been ex-
plored already in depth (see section 1.4.2). Moreover, there are many other exam-
ples of loss of control in flight. For example, there was an unintentional asymmetric
thrust reverser deployment in flight on a Lauda Air Boeing 767 above Thailand,
which left the crew a ‘recovery window’ of only 4 to 6 seconds. Surviving this failure
was very improbable with the current autopilot systems, but the presence of
an automatic adaptive control strategy would have compensated for this. Also the
crash of an Air Florida Boeing 737 due to ice accretion would probably have been
avoidable with this strategy, as well as the American Airlines DC-10 accident at
Chicago O’Hare International Airport, described earlier. Moreover, there have been
several other engine separation incidents on Boeing 747s and DC-8s, similar to the
EL AL situation. There is even the documented story of a McDonnell Douglas F-15
performing an emergency landing with only one wing due to a mid-air collision
with another aircraft. After some attempts, the pilot succeeded in regaining control
over the aircraft, and nursed the crippled vehicle back to the airport. Key aspects
were the fact that the aircraft kept flying and even landed at high speed and that the
F-15 fuselage is quite wide, containing two engines, so that it has some lifting body
behaviour. After landing, the pilot acknowledged that he was not aware of missing
his entire right wing, and if he had been, he would certainly have ejected...

Fig. 1.36 Accident statistics, source: [8]

A recent worldwide civil aviation accident survey for the period 1993 to 2007,
conducted by the Civil Aviation Authority of the Netherlands (CAA-NL) and based
on data from the National Aerospace Laboratory NLR [8], indicates two major
categories of accidents which can each be attributed to a common initial event. The
first is ‘controlled flight into terrain’ (CFIT), where an aircraft, despite being fully
controllable and under control, hits terrain due to the loss of situational awareness of
the crew; it accounts for as much as 23% of all the accidents. This percentage is
decreasing over the years thanks to the enormous international attention given to CFIT
with respect to crew resource management training and the development and
implementation of new systems in the cockpit. The second major category is ‘loss of
control in flight’, which can be attributed to mistakes made by the pilot or a technical
malfunction. This category accounts for 16% of all aircraft accidents and is not
decreasing. Figure 1.36 shows a table from this survey. According to the research team
of this project, a reconfiguring flight control system would make the success of the
United Airlines and DHL examples less dependent on the extreme skills of the pilots.
Moreover, the other examples explained above, and a significant part of this 16% of
aircraft accidents due to loss of control in flight, could be prevented if some form of
reconfiguring control was implemented in the aircraft. It is important to acknowledge
that these accidents could not have been prevented at the time when they occurred,
since computer capabilities at that time were not at the level they are now. From this
perspective, it is very clear that research on fault tolerant flight control is in the
interest of the civil as well as military aviation industry.

1.4 Earlier Accomplishments in This Field, Source: [40]


Motivated by several aircraft accidents at the end of the 1970s, including the crash
of American Airlines Flight 191 DC-10 at Chicago in 1979, research on reconfig-
urable fault tolerant flight control (RFTFC) was initiated to accommodate in-flight
failures and to improve the safety and reliability of onboard avionics and flight con-
trol system equipment. Reconfigurable control aims to utilise all remaining control
effectors on the aircraft (control surfaces and engines) after an unanticipated me-
chanical or structural failure, to recover the performance of the original system by
automatic redesign of the flight control system in order to resemble the unfailed
aircraft design. The first objective of reconfiguration is to guarantee system stability
while the original performance is reconstructed as much as possible. Due to
limitations of the control allocation scheme caused by, for instance, actuator position
and rate limits, the system performance of the unfailed aircraft may not be fully
achieved. In this case, the failed aircraft would be flown in a degraded mode but
with sufficiently acceptable handling qualities for a successful recovery.
Reconfigurable flight control systems have been successfully flight tested [21], [17], [6] and
evaluated in manned simulations [21], but to date, no RFTFC has been certified
or applied in either commercial or military aircraft.
Passive design approaches are robust control techniques that can handle model
uncertainties, flight condition changes and several types of faults and failures with-
out on-line fault information within the robust boundary region. Unanticipated fail-
ures that occur outside the stability region of the robust controller may result in
catastrophic system instability or performance degradation. For the mitigation of
mechanical or structural failures that occur outside the stability region of the robust
controller, the use of active reconfigurable control becomes necessary. Fault detec-
tion and isolation (FDI) modules are necessary to deliver on-line fault information
for control reconfiguration. Active fault accommodation may then be performed
based on off-line predetermined (a-priori) fault scenarios, control law switching, or
by means of on-line and real-time control law restructuring (architecture changes)
or reconfiguration (parameter recalculation).

1.4.1 Self-Repairing Flight Control System (SRFCS) Program


The earliest flight tests of reconfigurable flight control systems were performed dur-
ing the Self-Repairing Flight Control System (SRFCS) program [17], sponsored by
the US Air Force Wright Research and Development Center in 1984. Using a cate-
gorised pre-determined set of failure modes, the states of the system were estimated,
based on the known list of failures, to determine the failed component. Residual
errors were generated by comparison with a nominal model to isolate failures and
estimate the control derivatives of the failed damaged surface for use in a control
allocation scheme. The probability of the pre-defined failure cases was estimated
and used to determine the weighted average for the control inputs. The limitation of
this method is that modelling errors can be interpreted as a failure while the only
failures that can be identified ‘correctly’ are those that fall into the predetermined
fault list. The SRFCS was successfully flight tested by NASA in 1989 and 1990 on an
F-15 aircraft at the Dryden Flight Research Center [17]. Real-time control
reconfiguration was demonstrated for fault cases that included loss of control surfaces due
to battle damage.
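
The probability weighting over a pre-determined failure list, and the two limitations named above, can be reproduced on a small problem. The following Python code is an added illustration and not SRFCS code: the scalar plant, the three-entry fault list, the noise level, the actuator limit and all function names are assumptions made for this example.

```python
import math

# Assumed scalar surrogate for one control surface (not an aircraft model):
#   x[k+1] = A*x[k] + B*eff*u[k] + bias
A, B = 0.9, 0.5
SIGMA = 0.05      # assumed residual standard deviation
U_MAX = 2.0       # assumed actuator position limit
# Pre-determined failure list: hypothesis name -> surface effectiveness.
FAULT_LIST = {"nominal": 1.0, "half_effective": 0.5, "floating": 0.0}


def simulate(true_eff, bias=0.0, steps=40, square_wave=True):
    """Constructed flight data: list of (x_k, u_k, x_k+1) samples."""
    x, data = 0.0, []
    for k in range(steps):
        u = (1.0 if (k // 5) % 2 == 0 else -1.0) if square_wave else 1.0
        x_next = A * x + B * true_eff * u + bias
        data.append((x, u, x_next))
        x = x_next
    return data


def hypothesis_probabilities(data, floor=1e-6):
    """Recursive Bayes update over the fault list from one-step residuals."""
    logp = {name: math.log(1.0 / len(FAULT_LIST)) for name in FAULT_LIST}
    for x, u, x_next in data:
        for name, eff in FAULT_LIST.items():
            residual = x_next - (A * x + B * eff * u)   # compare with model
            logp[name] += -0.5 * (residual / SIGMA) ** 2
        # Normalise in the log domain; the floor keeps a discarded hypothesis
        # recoverable if the failure develops later.
        top = max(logp.values())
        weights = {n: max(math.exp(v - top), floor) for n, v in logp.items()}
        total = sum(weights.values())
        logp = {n: math.log(w / total) for n, w in weights.items()}
    return {n: math.exp(v) for n, v in logp.items()}


def command_for(eff, moment):
    """Surface command that would deliver `moment` if hypothesis `eff` held."""
    if eff <= 0.0:
        return 0.0                      # a floating surface is not commanded
    return max(-U_MAX, min(U_MAX, moment / (B * eff)))


def blended_command(probs, moment):
    """Probability-weighted average of the per-hypothesis commands."""
    return sum(p * command_for(FAULT_LIST[n], moment) for n, p in probs.items())


if __name__ == "__main__":
    cases = {
        "listed failure (50% effective)": simulate(0.5),
        "unlisted failure (75% effective)": simulate(0.75),
        "healthy surface, unmodelled bias": simulate(1.0, bias=-0.2,
                                                     square_wave=False),
    }
    for label, data in cases.items():
        probs = hypothesis_probabilities(data)
        print(label, {n: round(p, 3) for n, p in probs.items()},
              "command:", round(blended_command(probs, 0.25), 3))
```

The listed failure is identified with near certainty. The unlisted 75% case splits evenly between its two neighbours in the list, and the healthy surface with an unmodelled bias is declared half effective.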

1.4.2 MD-11 Propulsion Controlled Aircraft (PCA)


Following the Sioux City incident in 1989, the SRFCS project was followed by
a program at the NASA Dryden Flight Research Center on Propulsion Controlled
Aircraft (PCA). The system aims to provide a safe landing capability using only
augmented engine thrust for flight control. Throughout the 1990s, the system has
been successfully tested on several aircraft, including both commercial (Figure 1.37)
and military, but the acceptance of PCA technology in the commercial and military
field has still not been achieved. Ref. [15] provides more background on PCA.

Fig. 1.37 A McDonnell Douglas MD-11 lands at Dryden Flight Research Center equipped
with a computer-assisted engine control landing system developed by a NASA-Industry team.
NASA Dryden Flight Research Center Photo Collection, photo by J. Ross

1.4.3 NASA Intelligent Flight Control System (IFCS) F-15 Program


In 1992, the Intelligent Flight Control (IFC) research program was established to
explore the possibilities of utilising adaptive flight control technology to
accommodate unanticipated failures through self-learning neural networks. Within the
1999-2004 Intelligent Flight Control System (IFCS) F-15 program [6], [41], sponsored by
NASA Dryden, pre-trained and on-line learning neural networks were flight tested
on the NASA IFCS F-15 testbed (Figure 1.38). The pre-trained neural networks
provide estimates of the stability and control characteristics for model inversion.
The on-line learning neural networks provide on-line compensation of errors in the
estimates and from the model inversion. In addition, the adaptive neural networks
compensate for changes in the aircraft dynamics due to failures or damage. Piloted
simulation studies of Integrated Neural Flight and Propulsion Control Systems
(INFPCS), in which neural flight control architectures are combined with PCA
technology, have been performed at NASA Ames. The evaluation successfully demonstrated
the benefits of intelligent adaptive control [28]. Subsequent evaluations are planned
to further validate the IFC technologies in a C-17 testbed [28]. Adaptive neural
network based technology was further investigated in the Reconfigurable Control for
Tailless Aircraft (RESTORE) program in which reconfigurable control design
methods were applied to a tailless aircraft [14], [16]. Within the Active Management of
Aircraft System Failures (AMASF) project, as part of NASA’s Aviation Safety
Program, several issues in the area of FTFC technology were addressed. These include
detection and identification of failures and icing, pilot cueing strategies to cope with
failures and icing, and control reconfiguration strategies to prevent extreme flight
conditions following a failure of the aircraft. In this context, a piloted simulation
was conducted early in 2005 of a Control Upset Prevention and Recovery System
(CUPRSys). Despite a few limitations, CUPRSys provided promising fault
detection, isolation and reconfiguration capabilities [21].

Fig. 1.38 NASA Dryden’s highly modified F-15B, tail number 837, performing Intelligent
Flight Control System (IFCS) project flights. NASA Dryden Flight Research Center Photo
Collection, photo by C. Thomas

1.5 Research Challenges and Objectives


The objective of this Action Group was to demonstrate the capability and viability of
modern fault detection, isolation and reconfiguration (FDIR) methods when applied
to a realistic, nonlinear design problem and to assess their contribution to flight
safety. The research group aims to further integrate the latest developments in fault
detection and isolation techniques with reconfigurable control technology which
has only been done by a few studies so far [36], [43]. In particular, most of the fault
detection and isolation methodologies are developed independently as diagnostic
or monitoring tools and not as an integral part of a reconfigurable fault tolerant
control system. Most of the current reconfigurable control systems are developed
under the assumption of perfect information from the FDI system. Furthermore,
the group addressed the need for high-fidelity nonlinear simulation models, relying
on accurate failure modelling, to improve the prediction of reconfigurable system
performance in degraded modes.
Several realistic failure modes have been considered in this research project. The
most important scenarios are the engine separation (inspired by the El Al accident,
see 1.3.4) and the rudder hardover (inspired by the US Airways and United Airlines
accidents, see 1.3.5) cases. However, it should be noted that the scenario ‘total loss
of hydraulics’, leading to the need of ‘thrust control only’ has not been considered
explicitly in this research. An important motivation for this is the fact that this case
has been considered intensively in the PCA project of NASA, discussed in 1.4.2.
The focus of this research project is more general and not focussed on this specific
strategy.

References
1. Ammons, E.: F-16 flight control system redundancy concepts. In: Guidance and Control
Conference, Boulder, Colorado (August 1979)
2. Anderson, B., Bedos, T.: X-38 v201 avionics architecture. Technical Report
N20000086667, NASA (February 1999)
3. Anonymous. Applying lessons learned from accidents,
http://faalessons.workforceconnect.org/
4. Anonymous. Aircraft accident report United Airlines flight 585 Boeing 737-291, N999UA
uncontrolled collision with terrain for undetermined reasons 4 miles south of Colorado
Springs municipal airport Colorado Springs, Colorado March 3, 1991. Technical report,
National Transportation Safety Board, NTSB (1992)
5. Anonymous. Aircraft accident report uncontrolled descent and collision with terrain
USAir flight 427 Boeing 737-300, N513AU near Aliquippa, Pennsylvania, September 8, 1994.
Technical report, National Transportation Safety Board, NTSB (1999)
6. Anonymous. Intelligent flight control: Advanced concept program. Final Report
BOEING-STL 99P0040, The Boeing Company (1999)
7. Anonymous. Integrated resilient aircraft control - stability, maneuverability and safe
landing in the presence of adverse conditions. Technical report, National Aeronautics
and Space Administration, Aeronautics Research Mission Directorate, Aviation Safety
Program (April 2007)
8. Anonymous. Civil aviation safety data 1993-2007. Technical report, Civil Aviation Au-
thority of the Netherlands, CAA-NL (2008)
9. Anonymous. Aircraft accident report: Uncontrolled descent and collision with terrain
United Airlines flight 585 Boeing 737-200, N999UA 4 miles south of Colorado Springs
municipal airport Colorado Springs, Colorado, March 3, 1991. Technical report, National
Transportation and Safety Board (March 27, 2001)
10. Arabian, A.: AFTI/F-16 digital flight control computer design. In: NAECON 1983, Dayton,
Ohio (1983)
11. Boldue, L.: Redundancy management for the X-33 vehicle and mission computer. In:
19th Digital Avionics Systems Conference, Philadelphia, Pennsylvania (October 2000)
12. Brekke, D., Giere, N., Schlosser, R., Slavich, M., Tabor, D., Turner, B.: Next genera-
tion fault-tolerant guidance and navigation unit for the inertial upper stage. In: Rocky
Mountain Guidance and Control Conference, Keystone, Co (February 1995)
13. Briere, D., Traverse, P.: Airbus A320/A330/A340 electrical flight controls - a family of
fault tolerant systems. In: IEEE Conference (1993)
14. Brinker, J.S., Wise, K.A.: Nonlinear simulation analysis of a tailless advanced fighter
aircraft reconfigurable flight control law. In: AIAA Guidance, Navigation and Control
Conference and Exhibit, Portland, OR, AIAA-99-4040 (August 1999)
15. Burken, J.J., Maine, T.A., Burcham, F.W., Kahler, J.A.: Longitudinal emergency control
system using thrust modulation demonstrated on an MD-11 airplane. In: AIAA, ASME,
SAE, and ASEE, Joint Propulsion Conference and Exhibit, 32nd, Lake Buena Vista, FL
(July 1996)
16. Calise, A.J., Lee, S., Sharma, M.: Development of a reconfigurable flight control law
for the X-36 tailless fighter aircraft. AIAA Journal of Guidance, Control and
Dynamics 24(5), 896–902 (2001)
17. Corvin, J.H., Havern, W.J., Hoy, S.E., Norat, K.F., Urnes, J.M., Wells, E.A.:
Self-repairing flight control systems, Volume I: Flight test evaluation on an F-15 aircraft.
Final Report WL-TR-91-3025 (1991)
18. Driscoll, K., Hoyme, K.: The airplane information management system, an integrated
real-time flight deck control system. In: Real-Time System Symposium (December
1992)
19. EASA. Certification Specifications for Large Aeroplanes. EASA. CS-25
20. Federal Aviation Administration FAA. Airworthiness Standards: Transport Category
Airplane. Federal Aviation Administration FAA. title 14, part 25
21. Ganguli, S., Papageorgiou, G., Glavaski, S., Elgersma, M.: Piloted simulation of fault
detection, isolation and reconfiguration algorithms for a civil transport aircraft. In: AIAA
Guidance, Navigation and Control Conference and Exhibit, San Francisco, CA, AIAA-
2005-5936 (August 2005)
22. Goupil, P.: Airbus overview of fault tolerant control. In: Garteur AG-16 Workshop, April
4-5 (2006)
23. Gunston, B.: Modern Fighters. Salamander Books Ltd., London (1988)
24. Hammett, R.: Design by extrapolation: an evaluation of fault tolerant avionics. IEEE
Aerospace and Electronic Systems Magazine 17(4), 17–25 (2002)
25. Jarvis, C.R., Szalai, K.J.: Ground and flight test experience with a triple redundant digital
fly by wire control system. Technical Report 19810010480, NASA (1981)
26. Jiang, J.: Fault-tolerant Control Systems – An Introductory Overview. ACTA Automatica
Sinica 31(1), 161–174 (2005)
27. Job, M.: Air Disaster, vol. 2. Aerospace Publications Pty Ltd. (1996)
28. KrishnaKumar, K., Gundy-Burlet, K.: Intelligent control approaches for aircraft applica-
tions. Technical report, NeuroEngineering Laboratory, NASA Ames Research Center
29. Kuhlberg, J.F., Kniat, J., Newirth, D.M., Jamison, J.C., Switalski, J.R.: Transport engine
control design. In: AIAA, SAE and ASME, Joint Propulsion Conference, 18th, Cleve-
land, Ohio (June 1982)
30. Le Tron, X.: Airbus fly-by-wire: An integrated system design. In: Garteur AG-16 Work-
shop, April 4-5 (2006)
31. Learmount, D.: Missile attack, great escape. In: Flight International, pp. 34–38
(21/12/2004 - 03/01/2005)
32. Lemaignan, B.: Flying with no flight controls: Handling qualities analyses of the Baghdad
event. AIAA-2005-5907 (2005)
33. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A.: Lecture Notes AE4-301, Automatic Flight
Control System Design. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands (January 2005)
34. Maoui, G. (ed.): Cockpits by Airbus Industrie. Cherche midi enterprise (1998)
35. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: Lecture Notes
AE3-302, Flight Dynamics. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands (January 2006)
36. Patton, R.J.: Fault tolerant control systems: The 1997 situation. In: Proceedings of IFAC
Symposium on SAFEPROCESS, HULL, UK, August 1997, pp. 1033–1055 (1997)
37. Pratt, R.W.: Flight Control Systems, practical issues in design and implementation. In:
IEE/AIAA, Stevenage, UK/Reston, USA (2000)
38. Smaili, M.H.: Flight Data Reconstruction and Simulation of EL AL Flight 1862. Final
thesis, T.U. Delft (November 1997)
39. Smaili, M.H.: Flight data reconstruction and simulation of the 1992 Amsterdam
Bijlmermeer airplane accident. AIAA-2000-4586 (August 2000)
40. Smaili, M.H., Breeman, J., Lombaerts, T.J.J., Joosten, D.A.: A simulation benchmark for
integrated fault tolerant flight control evaluation. In: AIAA MST (2006)
41. Williams-Hayes, P.S.: Flight test implementation of a second generation intelligent flight
control system. In: Infotech@Aerospace (2005)
42. Yeh, Y.C.: Triple-triple redundant 777 primary flight computer. In: IEEE Aerospace Ap-
plication Conference, Aspen, Colorado, pp. 293–307 (1996)
43. Zhang, Y., Jiang, J.: Bibliographical review on reconfigurable fault-tolerant control sys-
tems. In: 5th IFAC Symposium on Fault Detection, Supervision and Safety for Technical
Processes, Washington DC, USA, June 9-11, pp. 265–275 (2003)
Chapter 2
Fault Tolerant Flight Control - A Survey

Michel Verhaegen, Stoyan Kanev, Redouane Hallouzi, Colin Jones,
Jan Maciejowski, and Hafid Smaili

Michel Verhaegen
Delft University of Technology, Delft Center for Systems and Control,
Mekelweg 2, 2628CD Delft, The Netherlands
e-mail: m.verhaegen@moesp.org
Stoyan Kanev
ECN Wind Energy, P.O.Box 1, 1755ZG Petten, The Netherlands
e-mail: kanev@ecn.nl
Redouane Hallouzi
ReliaCon, Rotterdamseweg 145, 2628AL Delft, The Netherlands
e-mail: hallouzi@reliacon.nl
Colin Jones
ETH Zurich, Automatic Control Laboratory ETL K14.2,
Physikstrasse 38092 Zurich, Switzerland
e-mail: cjones@control.ee.ethz.ch
Jan Maciejowski
University of Cambridge, Engineering Department, Trumpington Street,
Cambridge CB2 1PZ, United Kingdom
e-mail: jmm@eng.cam.ac.uk
Hafid Smaili
National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 47–89.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

2.1 Why Fault Tolerant Control?


Nowadays, control systems are involved in nearly all aspects of our lives. They
are all around us, but their presence is not always really apparent. They are in our
kitchens, in our DVD-players, computers and our cars. They are found in elevators,
ships, aircraft and spacecraft. Control systems are present in every industry; they are
used to control chemical reactors, distillation columns, and nuclear power plants.
They are constantly and inexhaustibly working, making our life more comfortable
and more efficient . . . until the system fails.
Faults in technological systems are events that happen rarely, and come mostly
unexpectedly. In [43] the following definition for a fault is made:
A fault is an unpermitted deviation of at least one characteristic property or
parameter of the system from the acceptable/usual/standard condition.
Faults are difficult to accurately predict in time, and to prevent. The impact of
a fault can be a small reduction in efficiency, but could also lead to overall system
failure. In safety critical systems this can lead to catastrophic events with significant
costs, both economically and in terms of human life. Several such examples are
• the explosion at the nuclear power plant at Chernobyl, Ukraine, on 26th April
1986 [67]. About 30 people were killed immediately, while another 15,000 were
killed and 50,000 left handicapped in the emergency clean-up after the accident.
It is estimated that five million people were exposed to radiation in Ukraine,
Belarus and Russia.
• the crash of the American Airlines flight 191, a McDonnell-Douglas DC-10
aircraft, at Chicago O’Hare International Airport on 25 May 1979 (see Chapter 1).
In this incident 271 persons on board and 2 on the ground were killed
when the aircraft crashed into an open field [74, 75].
• the explosion of the Ariane 5 rocket on 4th June 1996, where the reason was
a fault in the Internal Reference Unit that had the task to provide the control
system with altitude and trajectory information. As a result, incorrect altitude
information was delivered to the control unit [67].
The question that immediately arises is “Could something have been done to
prevent these disasters?”. While in most situations the occurrences of faults in
the systems cannot be prevented, subsequent analysis often reveals that the con-
sequences of the faults could be avoided or, at least, that their severity (in terms of
economic losses, casualties, etc.) could be minimized. If faults could be detected
and diagnosed rapidly enough, then, in many cases, it is possible to subsequently
reconfigure the control system so that it can safely continue its operation (though
with degraded performance) until the time comes when it can be switched off to
allow repair. In order to minimize the chances for such catastrophic events as those
summarized above, safety-critical systems must possess the properties of increased
reliability and safety.
A way to offer increased reliability and safety is by means of a fault-tolerant
control (FTC) system design. An FTC system could have been designed to lead to
a safe shutdown of the Chernobyl reactor way before it exploded [67]. Subsequent
studies following the McDonnell-Douglas DC-10 crash showed that the crash could
have been avoided [75]. In the last minutes of the Ariane 5 crash the normal alti-
tude information had been replaced by some diagnostic information that the control
system was not designed to understand [67]. Fortunately, there are also examples
which show that taking appropriate measures can indeed prevent disasters (see also
Chapter 1):
1. A McDonnell-Douglas DC-10 aircraft executing flight 232 of United Airlines
from Denver to Minneapolis experienced a disastrous failure in the hydraulic
lines that left the plane without any control surfaces at 37,000 ft. The
crew then improvised a control strategy that used only the throttles of the two
wing engines and managed to successfully crash-land the plane in Sioux City,
Iowa, saving the lives of 184 out of the 296 passengers on board [66].
2. In the Delta Airlines flight 1080 an elevator became jammed at 19 degrees.
The pilot was not given any indication of what had actually occurred but still
was able to reconfigure the remaining lateral control elements to land the aircraft
safely [75].

Fig. 2.1 According to their location, faults are classified into sensor, actuator and component
faults.

All these examples clearly motivate the need for increased fault-tolerance in order
to improve to the maximum possible extent the safety, reliability and availability of
controlled systems. This is particularly true as modern systems become increasingly
complex. The examples above also explain the large amount of research in the field
of fault detection, diagnosis and fault-tolerant control. An overview of this research
is provided in this chapter.

2.2 Fault Classification


Faults are events that can take place in different parts of the controlled system. In
the FTC literature faults are classified according to their location of occurrence in
the system (see Figure 2.1).
Actuator faults: they represent partial or total (complete) loss of control action.
An example of a completely lost actuator is a “stuck” actuator that produces no
(controllable) actuation regardless of the input applied to it. Total actuator faults
can occur, for instance, as a result of a breakage, cut or burned wiring, short circuits,
or the presence of a foreign body in the actuator. Partially failed actuators
produce only a part of the normal (i.e. under nominal operating conditions) actuation.
This can result from hydraulic or pneumatic leakage, increased resistance
or a fall in the supply voltage, etc. Duplicating the actuators in the system in
order to achieve increased fault-tolerance is often not an option due to their high
prices and large size and mass.
Sensor faults: these faults represent incorrect readings from the sensors that the
system is equipped with. Sensor faults can also be subdivided into partial and
total. Total sensor faults produce information that is not related to the value of
the measured physical parameter. They can be due to broken wires, lost contact
with the surface, etc. Partial sensor faults produce readings that are related to the
measured signal in such a way that useful information could still be retrieved.
This can, for instance, be a gain reduction so that a scaled version of the signal
is measured, a biased measurement resulting in a (usually constant) offset in the
reading, or increased noise. Due to their smaller sizes sensors can be duplicated
in the system to increase fault tolerance. For instance, by using three sensors to
measure the same variable one may consider it reliable enough to compare the
readings from the sensors to detect faults in (one and only one) of them. The so-called
“majority voting” method can then be used to pinpoint the faulty sensor.
This approach usually implies significant increases in the related costs.
Component faults: these are faults in the components of the plant itself, i.e. all
faults that cannot be categorized as sensor or actuator faults will be referred to as
component faults. These faults represent changes in the physical parameters of
the system, e.g. mass, aerodynamic coefficients, damping constant, etc., that are
often due to structural damage. They often result in a change in the dynamical
behaviour of the controlled system. Due to their diversity, component faults cover
a very wide class of (unanticipated) situations, and as such are the most difficult
ones to deal with.
Further, with respect to the way faults are modelled, they are classified as additive
and multiplicative, as depicted in Figure 2.2. Additive faults are suitable for
representing component faults in the system, while sensor and actuator faults are in
practice most often multiplicative by nature.

[Figure 2.2: two block diagrams. Additive fault: the fault is summed (+) with the signal to give the faulty signal. Multiplicative fault: the fault multiplies (x) the signal to give the faulty signal.]
Fig. 2.2 According to their representation, faults are divided into additive and multiplicative.

Faults are also classified according to their time characteristics (see Figure 2.3)
as abrupt, incipient and intermittent. Abrupt faults occur instantaneously often as a
result of hardware damage. They can be very severe since, if they affect the performance
and/or the stability of the controlled system, prompt reaction from the FTC
system is required. Incipient faults represent slow parametric changes, often as a result
of aging. They are more difficult to detect due to their slow time characteristics,
but are also less severe. Finally, intermittent faults are faults that appear and disappear
repeatedly, for instance due to partially damaged wiring.

[Figure 2.3: three plots of fault against time, labelled abrupt, incipient and intermittent.]
Fig. 2.3 With respect to their time characteristics faults can be abrupt, incipient and
intermittent.
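
The majority-voting scheme for three redundant sensors and the three time profiles described in this section can be tried together. The following Python sketch is an added example, not code from the book: the signal, the bounded deterministic noise, the threshold of 0.1, the three-sample persistence rule and the fault magnitudes are all assumed values chosen for illustration.

```python
import math
from statistics import median

THRESHOLD = 0.1  # residual size that counts as disagreement (assumed)
PERSIST = 3      # consecutive disagreements before a sensor is flagged (assumed)
ONSET = 100      # sample at which the constructed fault starts


def fault_bias(kind, k):
    """Offset added to a faulty sensor at sample k, one profile per fault class."""
    if k < ONSET:
        return 0.0
    if kind == "abrupt":
        return 0.5
    if kind == "incipient":
        return 0.002 * (k - ONSET)  # slow drift
    if kind == "intermittent":
        return 0.5 if (k - ONSET) % 10 < 2 else 0.0  # 2 samples on, 8 off
    raise ValueError(f"unknown fault kind: {kind}")


def run(kind, faulty=(1,), persist=PERSIST, n=400):
    """Vote over three redundant sensors measuring the same variable.

    Returns (first_flag, worst_error): first_flag maps sensor index to the
    sample at which it was flagged, worst_error is the largest deviation of
    the voted value from the true signal.
    """
    streak = [0, 0, 0]
    first_flag = {}
    worst_error = 0.0
    for k in range(n):
        truth = math.sin(0.05 * k)
        readings = []
        for i in range(3):
            noise = 0.02 * math.sin(1.7 * k + 2.1 * i)  # bounded, deterministic
            bias = fault_bias(kind, k) if i in faulty else 0.0
            readings.append(truth + noise + bias)
        voted = median(readings)  # mid-value select
        worst_error = max(worst_error, abs(voted - truth))
        for i, reading in enumerate(readings):
            disagrees = abs(reading - voted) > THRESHOLD
            streak[i] = streak[i] + 1 if disagrees else 0
            if streak[i] >= persist and i not in first_flag:
                first_flag[i] = k
    return first_flag, worst_error


if __name__ == "__main__":
    for kind in ("abrupt", "incipient", "intermittent"):
        print(kind, run(kind))
    print("intermittent, persist=1", run("intermittent", persist=1))
    print("two sensors faulty", run("abrupt", faulty=(1, 2)))
```

With these constructed values the abrupt fault is flagged two samples after onset, the drift only after at least 30 samples, and the two-sample intermittent bursts never satisfy the three-sample persistence rule although the voted output stays within the noise band. When two sensors fail identically the voter flags the healthy sensor, which is why the text restricts the method to a fault in one and only one sensor.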

2.3 Modelling Faults


As already mentioned in Section 2.2, faults are often represented as additive or multiplicative
adjustments to the nominal behaviour. In this section we further concentrate
on the mathematical representation of these faults and will provide a discussion
on when and why one representation is more appropriate than the other.
Throughout this chapter the state-space representation of dynamical systems is
used, so that the relation from the system inputs $u \in \mathbb{R}^m$ to the measured outputs
$y \in \mathbb{R}^p$ is written in the form

$$S_{nom}: \begin{cases} x_{k+1} = A x_k + B u_k \\ y_k = C x_k + D u_k, \end{cases} \qquad (2.1)$$

where $x_k \in \mathbb{R}^n$ denotes the state of the system at time instance $k$, and $A$, $B$, $C$ and $D$
are matrices (possibly time-varying) of appropriate dimension.

2.3.1 Multiplicative Faults


Multiplicative modelling is mostly used to represent sensor and actuator faults.
Actuator faults represent malfunctioning of the actuators of the system, for example
as a result of hydraulic leakages, broken wires, or stuck control surfaces in
an aircraft. Such faults can be modelled as an abrupt change of the nominal control
action from $u_k$ to

$$u_k^f = u_k + (I - \Sigma_A)(\bar{u} - u_k), \qquad (2.2)$$

where $\bar{u} \in \mathbb{R}^m$ is a (not necessarily constant) vector that cannot be manipulated, and
where

$$\Sigma_A = \mathrm{diag}\{\sigma_1^a, \sigma_2^a, \ldots, \sigma_m^a\}, \quad \sigma_i^a \in \mathbb{R}.$$

In this way $\sigma_i^a = 0$ represents a total fault (i.e. a complete failure) of the i-th actuator
of the system so that the control action coming from this i-th actuator becomes
equal to the i-th element of the uncontrollable offset vector $\bar{u}$, i.e. $u_k^f(i) = \bar{u}(i)$. On
the other hand, $\sigma_i^a = 1$ implies that the i-th actuator operates normally ($u_k^f(i) = u(i)$).
The quantities $\sigma_i^a$, $i = 1, 2, \ldots, m$ can also take values in between 0 and 1, making it
possible to represent partial actuator faults. Substituting the nominal control action
$u_k$ in equation (2.1) with the faulty $u_k^f$ results in the following state-space model

$$S_{mult,af}: \begin{cases} x_{k+1} = A x_k + B \Sigma_A u_k + B(I - \Sigma_A)\bar{u} \\ y_k = C x_k + D \Sigma_A u_k + D(I - \Sigma_A)\bar{u}. \end{cases} \qquad (2.3)$$

Models in the form (2.3) are referred to as multiplicative fault models and have been
widely used in the literature (see, for example [86, 73]).
It needs to be noted that while such multiplicative actuator faults do not directly
affect the dynamics of the controlled system itself, they can significantly affect the
dynamics of the closed-loop system, and may even affect the controllability of the
system. Figure 2.4 presents a simple example with a 50% actuator fault that results
in instability of the closed-loop system. In the example of Figure 2.4 a system consisting
of the transfer function $S(s) = 1/(s - 1)$ is controlled by a PI controller with
transfer function $C(s) = 1.5 + 5/s$, so that a sinusoidal reference signal is tracked under
normal operating conditions (i.e. during the first 20 seconds of the simulation).
At time instance t = 20 sec, a 50% loss of control effectiveness is introduced and
as a result the closed-loop system stability is lost. This example makes it clear that
even “seemingly simple” faults may significantly degrade the performance and can
even destabilize the system.
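
The loss of stability in this example follows directly from the closed-loop characteristic polynomial: with effectiveness σ the loop 1 + σC(s)S(s) = 0 gives s² + (1.5σ − 1)s + 5σ, which is stable only for σ > 2/3. The Python sketch below is an added example, not code from the book; it computes the poles and reruns the scenario with a fourth-order Runge-Kutta integrator, assuming a reference sin(0.5t), zero initial conditions and a step of 0.01 s.

```python
import cmath
import math

KP, KI = 1.5, 5.0  # PI controller C(s) = 1.5 + 5/s, plant S(s) = 1/(s - 1)


def closed_loop_poles(sigma):
    """Roots of s^2 + (KP*sigma - 1)*s + KI*sigma, i.e. of 1 + sigma*C(s)*S(s)."""
    b, c = KP * sigma - 1.0, KI * sigma
    root = cmath.sqrt(b * b - 4.0 * c)
    return (-b + root) / 2.0, (-b - root) / 2.0


def critical_effectiveness():
    """Both polynomial coefficients must be positive, so stability needs sigma > 1/KP."""
    return 1.0 / KP


def simulate(sigma_after=0.5, t_fault=20.0, t_end=40.0, dt=0.01, omega=0.5):
    """RK4 simulation; returns a list of (t, reference, output) samples.

    States: x (plant, x' = x + sigma*u) and z (integral of the tracking error).
    The reference sin(omega*t) is an assumed signal.
    """
    def deriv(t, x, z, sigma):
        e = math.sin(omega * t) - x
        return x + sigma * (KP * e + KI * z), e

    x = z = 0.0
    trace = []
    for n in range(int(round(t_end / dt))):
        t = n * dt
        sigma = 1.0 if t < t_fault else sigma_after
        trace.append((t, math.sin(omega * t), x))
        k1 = deriv(t, x, z, sigma)
        k2 = deriv(t + dt / 2, x + dt / 2 * k1[0], z + dt / 2 * k1[1], sigma)
        k3 = deriv(t + dt / 2, x + dt / 2 * k2[0], z + dt / 2 * k2[1], sigma)
        k4 = deriv(t + dt, x + dt * k3[0], z + dt * k3[1], sigma)
        x += dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0])
        z += dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
    return trace


def peak(trace, t0, t1):
    """Largest |output| for t0 <= t < t1."""
    return max(abs(y) for t, _, y in trace if t0 <= t < t1)


if __name__ == "__main__":
    for sigma in (1.0, critical_effectiveness(), 0.5):
        print(f"sigma = {sigma:.3f}: poles = {closed_loop_poles(sigma)}")
    run = simulate()
    print("peak |y| before the fault (10-20 s):", peak(run, 10.0, 20.0))
    print("peak |y| after the fault (35-40 s): ", peak(run, 35.0, 40.0))
```

The poles move from −0.25 ± 2.22j in the healthy loop to +0.125 ± 1.58j after the 50% fault, so the output oscillation grows roughly as exp(0.125 t) from the moment the fault occurs.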
Similarly, sensor faults occurring in the system (2.1) represent incorrect readings
from the sensors, so that as a result the real output of the system $y_k^{real}$ differs from
the variable being measured. Multiplicative sensor faults can be modelled in the
following way

$$y_k^f = y_k + (I - \Sigma_S)(\bar{y} - y_k), \qquad (2.4)$$

where $\bar{y} \in \mathbb{R}^p$ is an offset vector, and

$$\Sigma_S = \mathrm{diag}\{\sigma_1^s, \ldots, \sigma_p^s\}, \quad \sigma_i^s \in \mathbb{R},$$

so that $\sigma_j^s = 0$ represents a total fault of the j-th sensor, and $\sigma_j^s = 1$ models the
normal mode of operation of the j-th sensor. Partial faults are then modelled by taking
$\sigma_j^s \in (0, 1)$. Substitution of the nominal measurement $y_k$ in (2.1) with its faulty
counterpart $y_k^f$ results in the following state-space model that represents multiplicative
sensor faults

$$S_{mult,sf}: \begin{cases} x_{k+1} = A x_k + B u_k \\ y_k = \Sigma_S C x_k + \Sigma_S D u_k + (I - \Sigma_S)\bar{y}. \end{cases} \qquad (2.5)$$

In this way, combinations of multiplicative sensor and actuator faults are represented
in the following way

$$S_{mult}: \begin{cases} x_{k+1} = A x_k + B \Sigma_A u_k + b(\Sigma_A, \bar{u}) \\ y_k = \Sigma_S C x_k + \Sigma_S D \Sigma_A u_k + d(\Sigma_A, \Sigma_S, \bar{u}, \bar{y}), \end{cases} \qquad (2.6)$$

with

$$b(\Sigma_A, \bar{u}) = B(I - \Sigma_A)\bar{u},$$
$$d(\Sigma_A, \Sigma_S, \bar{u}, \bar{y}) = \Sigma_S D (I - \Sigma_A)\bar{u} + (I - \Sigma_S)\bar{y}.$$

[Figure 2.4: block diagram (reference generator, PI controller 1.5 + 5/s, 50% actuator fault, system 1/(s − 1), monitoring) above a plot of the reference trajectory and the system output against time in seconds, with the fault occurrence marked.]
Fig. 2.4 After a multiplicative fault the system may become unstable if no reconfiguration
takes place.

The multiplicative model is thus a “natural” way to model a wide variety of sensor
and actuator faults, but cannot be used to represent more general component faults.
This fault model representation is most often used in the design of the controller
reconfiguration scheme of an active FTC system since for controller redesign one
usually needs the state-space matrices of the faulty system.

2.3.2 Additive Faults


The additive faults representation is more general than the multiplicative one. A
state-space model with additive faults has the form

$$S_{add}: \begin{cases} x_{k+1} = A x_k + B u_k + F f_k \\ y_k = C x_k + D u_k + E f_k, \end{cases} \qquad (2.7)$$

where $f_k \in \mathbb{R}^{n_f}$ is a signal describing the faults. This representation may, in principle,
be used to model a wide class of faults, including sensor, actuator, and
component faults. Using model (2.7), however, often results in the signal $f_k$ becoming
related to one or more of the signals $u_k$, $y_k$ and $x_k$. For instance, when using this
additive fault representation to model a total fault in all actuators ($\Sigma_A = 0$ and $\bar{u} = 0$
in equation (2.2)) then in order to make model (2.7) equivalent to model (2.3) one
needs to take a signal $f_k$ such that

$$\begin{bmatrix} F \\ E \end{bmatrix} f_k = -\begin{bmatrix} B \\ D \end{bmatrix} u_k$$

holds, making $f_k$ dependent
on $u_k$. Clearly, the fault signal being a function of the control action is not desirable
for controller design. On the other hand, $f_k$ is independent of $u_k$ when multiplicative
representation is utilized. Figure 2.5 illustrates this.

[Figure 2.5: two block diagrams. Additive fault: a fault f(x) is summed (+) with the signal to give the faulty signal. Multiplicative fault: the signal is multiplied (x) by a constant scaling and a constant offset is added (+) to give the faulty signal.]
Fig. 2.5 Using additive fault representation to model total sensor (or actuator) faults results
in a fault signal that depends on $y_k$ ($u_k$). This is not the case with the multiplicative model
where the fault magnitude and the offset are independent of the signals in the state-space
model.

Another disadvantage of the additive model when used to represent sensor and
actuator faults is that, in terms of input-output relationships, these two faults become
difficult to distinguish. Indeed, suppose that the model

$$\begin{cases} x_{k+1} = A x_k + B u_k + f_k^a \\ y_k = C x_k + D u_k + f_k^s, \end{cases}$$

is used to represent faults in the sensors and actuators. By writing the corresponding
transfer function

$$y(z) = (C(zI - A)^{-1} B + D) u_k + C(zI - A)^{-1} f_k^a + f_k^s,$$

it becomes clear that the effect of an actuator fault on the output of the system can
be modelled not only by the signal $f_k^a$, but also by $f_k^s$.
An advantage is, as already mentioned, that the additive representation can be
used to model a more general class of faults than multiplicative ones. In addition, it
is more suitable for the design of FDD schemes because the faults are represented
by one signal rather than by changes in the state-space matrices of the system as is
the case with the multiplicative representation. For that reason the majority of FDD
methods are focused on additive faults [33, 3, 57].

2.3.3 Component Faults


The class of component faults was defined in Section 2.2 as the most general as it
includes faults that may bring changes in practically any element of the system. It
was defined as the class of all faults that cannot be classified as sensor or actuator
faults. A component fault may introduce changes in each matrix of the state-space
representation of the system due to the fact they may all depend on the same physical
parameter that undergoes a change. Component faults are often modelled in the form
of a linear parameter-varying (LPV) system

$$\begin{cases} x_{k+1} = A(f) x_k + B(f) u_k \\ y_k = C(f) x_k + D(f) u_k, \end{cases} \qquad (2.8)$$

where $f \in \mathbb{R}^{n_f}$ is a parameter vector representing the component faults. It should be
noted that this model might also be used for modelling sensor and actuator faults.
Due to the fact the matrices may depend in a general, nonlinear, way on the fault
signal $f_k$ this model is less suitable for fault detection and diagnosis.

2.4 Main Components in an FTC System


FTC systems are generally divided into two classes: passive and active. Passive FTC
systems are based on robust controller design techniques and aim at synthesizing a
single, robust controller that makes the closed-loop system insensitive to anticipated
faults. This approach requires no online detection of the faults, and is therefore
computationally more attractive. Its applicability, however, is very restricted due to
its serious disadvantages:
• In order to achieve robustness to faults, usually a very restricted subset of the
possible faults can be considered; often only faults that have a “small effect” on
the behaviour of the system can be treated in this way.
• Achieving increased robustness to certain faults is only possible at the expense of
decreased nominal performance. Since faults are effects that happen very rarely it
is not reasonable to significantly degrade the fault-free performance of the system
only to achieve some insensitivity to a restricted class of faults.
However, using passive FTC systems can also have its advantages. One advantage
is that a fixed controller has relatively modest hardware and software requirements.
Another advantage is that passive FTC systems, due to their lower complexity compared
to active FTC systems, can be made more reliable according to classical reliability
theory [84]. Examples of passive FTC systems can be found in [61, 72, 97].
As opposed to passive methods, the active approach to the design of FTC systems
is based on controller redesign, or selection/mixing of predesigned controllers. This
technique usually requires a fault detection and diagnosis (FDD) scheme that has the
task of detecting and localizing the faults if they occur in the system. The structure
of an active FDD-based FTC system is presented in Figure 2.6. The FDD part uses
input-output measurement from the system to detect and localize the faults. The
estimated faults are subsequently passed to a reconfiguration mechanism (RM) that
changes the parameters and/or the structure of the controller in order to achieve an
acceptable post-fault system performance.
Depending on the way the post-fault controller is formed, active FTC methods
are further subdivided into projection-based methods and on-line redesign methods.
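
[Figure 2.6: block diagram. The FDD part (fault detection & diagnosis) passes the estimated fault to the reconfiguration mechanism of the FTC part, which acts on the controller. The controller receives the reference input and drives the system, which is subject to faults and produces the output.]
Fig. 2.6 Main components of an active FTC system.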

The projection based methods rely on the controller selection from a set of off-line
predesigned controllers. Usually each controller from the set is designed for a partic-
ular fault situation and is switched on by the RM whenever the corresponding fault
pattern has been diagnosed by the FDD scheme. In this way only a restricted, finite
class of faults can be treated. The on-line redesign methods involve on-line computation
of the controller parameters, referred to as reconfigurable control, or recalculation
of both the structure and the parameters of the controller, called restructurable
control. Comparing the achievable post-fault system performances, the on-line redesign
method is superior to the passive method and the off-line projection-based
method. However, it is computationally the most expensive method as it often boils
down to on-line optimization.
There are a number of important issues when designing active FTC systems.
Probably the most significant one is the integration between the FDD part and the
FTC part. The majority of approaches in the literature are focused on one of these
two parts by either considering the absence of the other or assuming that it is perfect.
To be more specific, many FDD algorithms do not consider the closed-loop operation
of the system and, conversely, many FTC methods assume the availability of
perfect fault estimates from the FDD scheme. The interconnection of such methods
is potentially infeasible and there can be no guarantees that a satisfactory post-fault
performance, or even stability, can be maintained by such a scheme. It is therefore
very important that the designs of the FDD and FTC, when carried out separately,
are each performed bearing in mind the presence and imperfections of the other. For
making the interconnection possible, one should first investigate what information
from the FDD is needed by the FTC, as well as what information can actually be
provided by the FDD scheme. Imprecise information from the FDD that is incorrectly
interpreted by the FTC scheme might lead to a complete loss of stability of
the system.
The usual situation in practice is that after the occurrence of a fault in the system
there is initially not enough information in terms of input/output measurements
from the system to make it possible for the FDD scheme to diagnose the fault. For
this reason, only after some time elapses and more information becomes available
can the FDD scheme detect that a fault has occurred. Even more time is required to
localize the fault and its magnitude. As a result, the information that is provided
to the FTC part is initially more imprecise (i.e. with larger uncertainty), and it gets
more and more accurate (with less uncertainty) as more data becomes available from
the system. The FTC scheme should be able to deal with such situations. Therefore,
the FTC should necessarily be capable of dealing with uncertainty in the FDD
information/estimates, and should perform satisfactorily (guaranteeing at least the
stability) during the transition period that the FDD scheme needs to diagnose the
fault(s).
Very often the dynamics of real physical systems cannot be represented accurately
enough by linear dynamical models so that nonlinear models have to be used.
This necessitates the development of techniques for FTC system design that can
explicitly deal with nonlinearities in the mathematical representation of the system.
Nonlinearities are, in fact, very often encountered in the representations of complex
safety-critical controlled systems like aircraft and spacecraft. To reduce the inherent
complexity of the control design, it is usual that the lateral and longitudinal dynamics
of an aircraft are decoupled so that they have no effect on each other. This
significantly simplifies the model of the aircraft and makes it possible to design the
corresponding controllers independently. This decoupling condition can approximately
be achieved for a healthy aircraft, but certain faults can easily destroy it, so
that the two controllers could not be considered separately.
An important issue in FTC system design is that even for a fixed operating region,
where a nonlinear system allows approximation by a linear model, it is very
difficult to obtain an accurate linear representation, either due to the fact that the
physical parameters in the nonlinear model are not exactly known or because they
vary with time. Even the nonlinear model is often derived after some simplifying
assumptions, so that it only approximates the behaviour of the system. Even more,
this uncertainty is further increased due to the linearization that basically consists
in truncating second and higher order terms in the Taylor series expansion of the
nonlinear function. As a result only a representation with uncertainty is available.
It is important that the FTC system is designed to be robust to such uncertainties
within the model.
Another very important issue is that every real-life controlled system has control
action saturation, i.e. the input and/or output signals cannot exceed certain values.
In the design phase of a control system usually the effect of the saturation is accommodated
by making sure that the control action will not get overly active and
will remain inside the saturation limits under normal operating conditions. Faults,
however, can have the effect that the control action stays at the saturation limit. For
instance, when a partial 50% loss of effectiveness in an actuator has been diagnosed,
a standard and easy way to accommodate the fault is to re-scale the control action
by two so that the resulting actuation approximates the fault-free actuation. As a
result the control action becomes twice as big and may go to the saturation limits.
Clearly, in such situations one should not try to completely accommodate the
fault but one should be willing to accept certain performance degradation imposed
by the saturation. In other words, a trade-off between achievable performance and
available actuator capability might need to be made after the occurrence of a fault.
This situation is often referred to as graceful performance degradation [95].

2.5 FTC Problem Formulation


The dynamics of a real-life physical system can be represented in state-space in the
following general form

$$S(p_k): \begin{cases} x_{k+1} = f(x_k, u_k, p_k), \\ y_k = h(x_k, u_k, p_k), \\ x_0 = \hat{x}_0, \end{cases} \qquad (2.9)$$

where the vector $x_k \in X \subseteq \mathbb{R}^n$ represents the state of the system $S(p_k)$, $u_k \in U \subseteq \mathbb{R}^{m+n_\xi}$
represents the inputs to the system, $y_k \in \mathbb{R}^{p+n_z}$ denotes the outputs of the
system. At each time instance t the system $S(p_k)$ is parameterized by a (possibly
unknown) parameter vector $p_k \in P \subseteq \mathbb{R}^{n_p}$. The vector $p_k$ may represent uncertain
physical parameters in the system or system faults.
Nonlinear models of systems are in general inconvenient to work with due to their
complexity and due to the lack of a well-developed theory for analysis and synthesis
for general nonlinear models. The usual strategy to deal with them is either by
approximating them with more convenient models (e.g. by means of blending of a
set of local linear models as in the multi-model and in the Fuzzy control theories) or
by assuming certain structure (e.g. bilinear systems, Hammerstein-Wiener systems,
linearity in the input, etc.).
In the multiple model approach the state space $X$ is divided into $N$ representative
and disjoint regions $X_i$, with $\bigcup_{i=1}^{N} X_i \equiv X$, and in each region a point
$(x^{(i)}, u^{(i)}) \in X_i \times U$ is chosen around which the nonlinear system $S(p_k)$ is approximated
by a linear model. Under the assumption that $f(\cdot), h(\cdot) \in C^1$, the local linear
approximation $M_i(p_k)$ of the system $S(p_k)$ within the open-ball neighbourhood

$$B(x^{(i)}, u^{(i)}) = \left\{ (x, u) \in X \times U : \left\| \begin{bmatrix} x - x^{(i)} \\ u - u^{(i)} \end{bmatrix} \right\|_2 < \varepsilon \right\},$$

is called the $p_k$-parameterized local linear model

$$M_i(p_k): \begin{cases} x_{k+1}^{(i)} = A_i(p_k) x_k^{(i)} + B_i(p_k) u_k + b_i(p_k), \\ y_k^{(i)} = C_i(p_k) x_k^{(i)} + D_i(p_k) u_k + c_i(p_k), \\ x_0^{(i)} = \bar{x}_0, \end{cases}$$

with

$$A_i(p_k) = \partial_x f(x^{(i)}, u^{(i)}, p_k), \quad B_i(p_k) = \partial_u f(x^{(i)}, u^{(i)}, p_k),$$
$$C_i(p_k) = \partial_x h(x^{(i)}, u^{(i)}, p_k), \quad D_i(p_k) = \partial_u h(x^{(i)}, u^{(i)}, p_k),$$
$$b_i(p_k) = f(x^{(i)}, u^{(i)}, p_k) - A(p_k) x^{(i)} - B(p_k) u^{(i)},$$
$$c_i(p_k) = h(x^{(i)}, u^{(i)}, p_k) - C(p_k) x^{(i)} - D(p_k) u^{(i)},$$

where $\partial_x f$, $\partial_u f$, $\partial_x h$, and $\partial_u h$ represent the partial derivatives of the functions $f(\cdot)$
and $h(\cdot)$ with respect to the vectors $x$ and $u$.
Each local linear model $M_i(p_k)$ describes the behaviour of the nonlinear system
within one regime $X_i$. A global approximation can then be formed by interpolating
the local models using smooth interpolation functions $\phi_i(x_k, u_k, p_k) > 0$ that depend
on the operating point $(x_k, u_k)$ as well as on the parameter vector $p_k$, i.e.

$$\hat{y}_k = \sum_{i=1}^{N} \mu_k^{(i)} y_k^{(i)}, \quad \text{with} \quad \mu_k^{(i)} = \frac{\phi_i(x_k, u_k, p_k)}{\sum_{i=1}^{N} \phi_i(x_k, u_k, p_k)}. \qquad (2.10)$$

Such approximations are widely used in the literature (see, for instance, [47]).
In fact it is shown in [46] that, under certain smoothness properties, the nonlinear
system S(pk ) can be approximated to any desired accuracy on a compact subset of
the state and input spaces by means of the representation (2.10) for a sufficiently
large number of local models.
The multiple model representation (2.10) is both intuitive and attractive, and is
related to the Takagi-Sugeno fuzzy model, where the weights $\mu_k^{(i)}$ in the linear combination
of the local outputs are called degrees of membership.
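
The local-model formulas and the interpolation (2.10) can be checked numerically on a small system. The Python sketch below is an added example, not code from the book: the scalar system f, its sample time, the Gaussian interpolation functions and the evenly spaced operating points are all assumptions, and it blends one-step predictions computed from a shared state, a common simplification of running each local model on its own state.

```python
import math

T = 0.1  # sample time of the constructed system (assumed)


def f(x, u, p):
    """Constructed nonlinear system x_{k+1} = f(x_k, u_k, p_k); p scales the nonlinearity."""
    return x + T * (-p * math.sin(x) + u)


def local_model(xi, ui, p, eps=1e-6):
    """A_i, B_i and offset b_i at the operating point (x^(i), u^(i))."""
    A = (f(xi + eps, ui, p) - f(xi - eps, ui, p)) / (2 * eps)  # df/dx
    B = (f(xi, ui + eps, p) - f(xi, ui - eps, p)) / (2 * eps)  # df/du
    b = f(xi, ui, p) - A * xi - B * ui
    return A, B, b


def build_models(n_models, p, lo=-math.pi, hi=math.pi):
    """N local models on evenly spaced operating points; Gaussian width = spacing / 2."""
    spacing = (hi - lo) / (n_models - 1)
    return [(lo + i * spacing, spacing / 2, local_model(lo + i * spacing, 0.0, p))
            for i in range(n_models)]


def blended_step(models, x, u):
    """Sum of mu_i * (A_i x + B_i u + b_i) with mu_i = phi_i / sum(phi)."""
    phis = [math.exp(-0.5 * ((x - c) / w) ** 2) for c, w, _ in models]
    total = sum(phis)
    return sum(phi / total * (A * x + B * u + b)
               for phi, (_, _, (A, B, b)) in zip(phis, models))


def max_error(models, p_true, grid=201):
    """Worst one-step prediction error over x in [-pi, pi], u in {-1, 0, 1}."""
    worst = 0.0
    for j in range(grid):
        x = -math.pi + j * 2 * math.pi / (grid - 1)
        for u in (-1.0, 0.0, 1.0):
            worst = max(worst, abs(blended_step(models, x, u) - f(x, u, p_true)))
    return worst


if __name__ == "__main__":
    for n in (5, 9, 17):
        print(f"N = {n:2d}: max error = {max_error(build_models(n, 1.0), 1.0):.5f}")
    # Parameter change p: 1.0 -> 0.5 (e.g. a component fault); stale versus updated model set
    print("stale p:", max_error(build_models(17, 1.0), 0.5))
    print("fresh p:", max_error(build_models(17, 0.5), 0.5))
```

The error shrinks as local models are added, and a model set built for the old parameter value is far less accurate after the parameter changes than the same set re-evaluated at the new value, which is why the local models are parameterized by p_k.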
Suppose that the parameter vector $p_k$ is formed by two vectors, $\delta_k \in \Delta \subseteq \mathbb{R}^{n_\delta}$ and
$f_k \in F \subseteq \mathbb{R}^{n_f}$, so that

$$p_k = \begin{bmatrix} \delta_k \\ f_k \end{bmatrix}, \qquad (2.11)$$

where the vector $\delta_k$ is used to represent unknown, time-varying physical parameters
of the system, and where the vector $f_k$ represents faults in the system. For consistency
in terms of dimensions $n_\delta + n_f = n_p$. While both vectors are unknown, the
fault vector $f_k$ is assumed to be estimated by an FDD scheme, and its estimate is
denoted here as $\hat{f}_k$. Let $\delta_0 \in \Delta$ represent the nominal values of the uncertain parameters,
and $f_0 \in F$ represent the fault-free mode of operation.
Collect all local models $M_i(p_k)$ into a model set

$$\mathcal{M}(p_k) = \{M_1(p_k), M_2(p_k), \ldots, M_N(p_k)\}, \qquad (2.12)$$

and consider only one element of the set $\mathcal{M}(p_k)$ which, due to (2.11), is denoted as
$M(\delta, f)$. For simplicity of notation, the time symbol is omitted in $M(\delta, f)$.
The following objectives are considered:
• passive robust FTC: design one controller $K$ that achieves some desired performance
for the model $M(\delta, f)$ for all possible uncertainties $\delta_k \in \Delta$ and faults
$f_k \in F$,
• active robust FTC: given an estimate $\hat{f}$ of the fault vector $f$ by some FDD
scheme, design a controller $K(\hat{f})$ that achieves some desired performance for
the model $M(\delta, f)$ for all possible uncertainties $\delta_k \in \Delta$ and faults $f_k \in F$,
• active MM-based FTC: design a controller that achieves some desired performance
for the nonlinear system $S(p_k)$ for some fixed $\delta_k = \delta_0 \in \Delta$ (i.e. in the case
of no uncertainty) and for all possible faults $f_k \in F$.

[Figure 2.7: block diagram of M(δ, f) partitioned into M11, M12, M21 and M22. Inputs: u1 (noises, disturbances, references) and u2 (control actions). Outputs: y1 (tracking error, regulated outputs) and y2 (measured outputs). The controller K closes the loop from y2 to u2, giving F_L(M(δ, f), K).]
Fig. 2.7 Partitioning of the model M(δ, f) and forming the closed-loop with the
controller K.

A natural continuation of this research activity is to combine the MM-based representation
of the nonlinear system with the passive and active approaches to FTC in
an attempt to deal with nonlinear systems with uncertainty as in (2.9).
We will next provide some technical insight into the above objectives. Suppose
that a continuous map, the performance index, is given by

$$J : \mathcal{R}^{n_z \times n_\xi} \to \mathbb{R}_+,$$

such that $J(M) = \infty$ for any $M \notin \mathcal{RH}_\infty$, where $\mathcal{R}^{n_z \times n_\xi}$ denotes the set of rational
transfer $n_z \times n_\xi$ matrices, and $\mathcal{RH}_\infty$ denotes the set of stable real rational transfer
matrices. Let $M(\delta, f) \in \mathcal{R}^{(p+n_z) \times (m+n_\xi)}$ be partitioned as follows

$$M(\delta, f) = \begin{bmatrix} M_{11}(\delta, f) & M_{12}(\delta, f) \\ M_{21}(\delta, f) & M_{22}(\delta, f) \end{bmatrix},$$

where, as depicted in Figure 2.7, the subsystem $M_{22}(\delta, f) \in \mathcal{R}^{p \times m}$ gives the relationships
between the control actions and the measured output signals, and the
subsystem $M_{11}(\delta, f) \in \mathcal{R}^{n_z \times n_\xi}$ describes the relationships between all exogenous
inputs (such as noises, disturbances, reference signals) and the regulated (controlled)
outputs that are related to the performance of the system (e.g. tracking errors). The
feedback interconnection of the model $M(\delta, f)$ with some controller $K \in \mathcal{R}^{m \times p}$ is
represented by the lower linear fractional transformation

$$F_L(M(\delta, f), K) = M_{11}(\delta, f) + M_{12}(\delta, f) K (I - M_{22}(\delta, f) K)^{-1} M_{21}(\delta, f).$$

For a fixed controller $K$, the performance of the resulting closed-loop is therefore
represented by $J(F_L(M(\delta, f), K))$.
2.5.1 Passive Fault Tolerant Control


The passive robust FTC problem is then defined as the following optimization
problem

Passive FTC:
$$K_P = \arg\min_{K} \sup_{\substack{\delta \in \Delta \\ f \in F}} J(F_L(M(\delta, f), K)). \qquad (2.13)$$
In this way a controller needs to be found that minimizes the worst-case performance
over all possible values for the uncertainty vector δ and the fault vector f . This
problem is considered in [51] where methods are developed for robust controller
design in the presence of structured uncertainty.
In practice, two main difficulties arise with the optimization problem (2.13), both
being related to convexity. In the case when the state vector $x_k$ is directly measured
(or, equivalently, when $y_k = x_k$), the optimization problem (2.13) is convex in
the controller parameters for many standard performance indices (e.g. $J(\cdot) = \|\cdot\|_2$,
$J(\cdot) = \|\cdot\|_\infty$, etc.) provided that the set $\{M(\delta, f) : \delta \in \Delta, f \in F\}$ is a convex polytope.
In such cases (2.13) can be represented as a linear matrix inequality (LMI)
optimization problem, for which there exist very efficient and computationally fast
solvers. If M(δ , f ) is not a convex set, however, the original problem (2.13) is also
nonconvex and the LMI solvers cannot be used. A “brute force” way to deal with
this problem is to embed the set M(δ , f ) into a convex set. This, however, introduces
unnecessary conservatism that for some problems might be unacceptable or
undesirable.
In order to deal with such problems a probabilistic design approach is proposed
in [51] that is basically applicable for any bounded set M(δ , f ), as long as (2.13) can
be rewritten as a robust LMI optimization problem (as for most state-feedback controller
design problems). This method is basically an iterative algorithm that at each
iteration generates a random uncertainty sample for which an ellipsoid is computed
with the properties that (a) it contains the solution set (the set of all solutions to the
robust LMI problem), (b) it has a smaller volume than the ellipsoid at the previous
iteration. The approach is proved to converge to the solution set in a finite number
of iterations with probability one.
In the output-feedback case the probabilistic method described in [51] cannot be
directly applied because the optimization problem (2.13) cannot be rewritten as a
robust LMI optimization problem. The reason for that is that the output-feedback
problem in the presence of uncertainty is a bilinear matrix inequality (BMI) problem,
and BMI problems are not convex. Actually, such problems have been shown
to be NP-hard meaning that they cannot be expected to have polynomial time complexity.
A local BMI optimization approach is developed in [51] that is guaranteed
to converge to a local optimum of the cost function J(FL (M(δ , f ), K)).
2.5.2 Active Fault Tolerant Control


Whenever an estimate $\hat{f}$ of the fault vector $f$ is provided by some FDD scheme, and
if the imprecision in this estimate is described by an additional uncertainty $\Delta_f \in \boldsymbol{\Delta}_f$
so that $f = (I + \Delta_f)\hat{f}$, the active robust FTC can be defined as the problem:

given $f = (I + \Delta_f)\hat{f}$, evaluate

$$\tilde{K}_A(\hat{f}) = \arg\min_{K(\hat{f})} \sup_{\substack{\delta \in \Delta \\ \Delta_f \in \boldsymbol{\Delta}_f}} J(F_L(M(\delta, f), K(\hat{f}))). \qquad (2.14)$$

The resulting controller would, in this way, be scheduled by the fault estimate $\hat{f}$
and will be robust with respect to uncertainties both in the model $M(\delta, f)$ and in
the estimate of $f$. Clearly, the way in which the scheduling parameter $\hat{f}$ enters the
controller needs to be assumed before one could proceed with the optimization.
In the above, Δ f represents the FDD uncertainty that, as already discussed, usu-
ally increases after the occurrence of a fault. This will then subsequently decrease
as the FDD scheme refines the estimate based on the availability of more input-
output data from the impaired system. As a result the “maximal uncertainty” is only
active for some relatively short periods of time compared with the lifetime of the
system. Therefore, assuming a maximal uncertainty size during the complete op-
eration might be overly conservative since the robust controller effectively trades
off performance for increased robustness to uncertainties. Hence, it is interesting to
allow the controller to deal with an FDD uncertainty with time-varying size. To this
end, however, the FDD scheme should be capable of providing not only an estimate
of the fault but also an upper bound on the magnitude of the uncertainty on this
estimate. The size of the FDD uncertainty might, for instance, be represented by a
scalar γ f (k) such that fk = (I + γ f (k)Δ̄ f ) fˆk with Δ̄ f 2 ≤ 1. In this way the size
of the uncertainty set is allowed to vary with time. In fact γ f (k) might be a vector
to make it possible to assign different uncertainty sizes on the different entries of
the fault vector fk . Therefore, provided that the FDD scheme produces ( fˆk , γ f (k)) at
each time instance, the achievable performance in (2.14) may further be improved
by computing the controller by solving the following optimization problem

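Active FTC:
given $f = (I + \gamma_f \bar\Delta_f)\hat f$, evaluate

$$K_A(\hat f, \gamma_f) = \arg\min_{K(\hat f, \gamma_f)} \; \sup_{\substack{\delta \in \boldsymbol{\Delta} \\ \bar\Delta_f \in \bar{\boldsymbol{\Delta}}_f \\ \underline{\gamma}_f \le \gamma_f \le \bar\gamma_f}} J(F_L(M(\delta, f), K(\hat f, \gamma_f))), \tag{2.15}$$

where $\bar{\boldsymbol{\Delta}}_f = \{\Delta \in \boldsymbol{\Delta}_f : \|\Delta\| \le 1\}$, and where the vectors $\{\underline{\gamma}_f, \bar\gamma_f\}$, assumed known
a-priori, define a lower and an upper bound on the possible uncertainty sizes. In this
way methods can be developed for the design of robust active FTC for one uncertain
local model $M(\delta, f)$. The robust active FTC design problem is considered in [51].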

Fig. 2.8 Classification of approaches to reconfigurable flight control.

2.6 State-of-the-Art in Fault Tolerant Flight Control


In this section an overview of the existing work in the area of fault tolerant control
is given, an area that has been gaining increasing attention in the aerospace com-
munity in recent years. Some overview books and papers in the field of FTC are
[36, 45, 5, 96].
Due to their improved performance and their ability to deal with a wider class of
faults, active FTC methods have gained much more attention in the literature than
the passive FTC methods. In the following, a survey is given focussed on current
active FTC methods of which several have been evaluated within this GARTEUR
action group. The survey starts with a classification of the described and evaluated
FTC methodologies to approach the problem of reconfigurable flight control.

2.6.1 Classification of Reconfigurable Control


Many methods have been proposed to solve the problem of fault tolerant control. As
shown in Figure 2.8 they fall into two main categories: active and passive.
Passive methods are essentially robust control techniques which are suitable
for certain types of structural failures that can be modelled as uncertainty regions
around a nominal model. Any failure which doesn’t push the system outside of the
stability radius given by the robust controller will still have satisfactory stability and
performance guarantees. However, any controller with a large enough stability ra-
dius to encompass most failure situations will likely be unnecessarily conservative
and there is no guarantee that unanticipated or multiple failures could be handled
or even that such a controller exists. There are also many types of common fail-
ures, such as actuator or sensor faults, which cannot be adequately modelled as
uncertainty. These problems motivate the need for a controller which more directly
addresses the situation.
The active methods differentiate themselves from passive approaches in that they
take fault information explicitly into account and do not assume a static nominal
model. Reconfigurable flight control is for the most part still an academic notion.
Although there have been very few controllers implemented on physical systems
and none on commercial aircraft, over the last 20 years several research programs
have been formed to investigate their potential and as a result there are a variety of
active methods. The following sections give an overview of each approach.

2.6.2 Multiple Model Control


The multiple model (MM) method is an active approach to FTC that belongs to the
class of projection based methods rather than to the on-line re-design methods. The
MM method is frequently used for FDD/FTC purposes [92, 78, 27, 37]. The MM
method is based on a finite set of linear models Mi , i = 1, 2, . . . , N that describe the
system in different operating conditions, i.e. in the presence of different faults in the
system. For each such local model Mi a controller Ci is designed (off-line). The key
in the design is to develop an on-line procedure that determines the global control
action through a (probabilistically) weighted combination of the different control
actions that can be taken. The control action weighting is usually based on a bank
of Kalman filters, where each Kalman filter is designed for one of the local models
$M_i$. On the basis of the residuals of the Kalman filters, the probability $1 \ge \mu_i \ge 0$ of
each model to be in effect, is computed. The control action is then computed as the
weighted combination

$$u(k) = \sum_{i=1}^{N} \mu_i(k)\, u_i(k), \qquad \sum_{i=1}^{N} \mu_i = 1, \tag{2.16}$$

where ui (k) is the control action produced by a controller designed for the i-th local
model.
The multiple model method is a very attractive tool for modelling and control of
nonlinear systems. However, these approaches usually only consider a finite number
of anticipated faults and proceed by building one local model for each anticipated
fault. In this way, at each time instance only one model, say model Mi , is assumed to
be in effect, so that its corresponding weight μi is approximately equal to unity and
all the other weights μj , j ≠ i, are close to zero. In such cases at each time instance
one local controller is “active”, namely the one corresponding to the model Mi that is
in effect. The disadvantage here is that if the current model is not in the predesigned
model set and is instead formed by some convex combination of the local models in
the model set (representing, for instance, unanticipated faults) then, in general, the
control action (2.16) is not the optimal one for this model. It can easily be shown
that forming the global control action as in (2.16) can even lead to instability of the
closed-loop system. In order to avoid that when dealing with unanticipated faults,
an approach is proposed in [51] that uses a bank of predictive controllers and forms
the global control action in an optimal way, so that the optimal control action for the
current model is used at each time instance instead of (2.16). Another disadvantage
of the MM approaches is that model uncertainties, as well as uncertainties in the
weights μi (k), cannot be considered.

Fig. 2.9 Multiple Model Switching and Tuning

There are three types of reconfigurable control that fall under the heading of
multiple model control: Multiple Model Switching and Tuning (MMST), Interact-
ing Multiple Model (IMM) and Propulsion Controlled Aircraft (PCA). In the first
two cases all expected failure scenarios are enumerated during a Failure Modes and
Effects Analysis (FMEA) and fault models constructed which cover each situation.
When a failure occurs, MMST switches to a pre-computed control law correspond-
ing to the current failure situation. Rather than using the model which is closest to
the current failure scenario, IMM computes a fault model as a convex combination
of all pre-computed fault models and then uses this new model to make control
decisions. PCA is a special case of MMST, where the only anticipated fault is a
total hydraulics failure, and in this case only the engines are used for control. The
following sections discuss these three approaches.

Fig. 2.10 Single Model vs. Multiple Model Adaptation

2.6.2.1 Multiple Model Switching and Tuning (MMST)

Although the idea of multiple model control has been around for many years, it
has seen some interest in the reconfigurable control literature in the last few years
[13, 34, 14, 10, 11, 12, 53, 25]. In MMST, the dynamics of each fault scenario is
described by a different model. These models are referred to as the identification
models [13] and are set up in parallel, with each one having a corresponding con-
troller as shown in Figure 2.9. The problem then becomes one of choosing which
model/controller pair to switch to at each time instant.
Figure 2.10 helps to motivate the use of MMST in reconfigurable control systems.
During a failure the plant is assumed to move from some nominal model P0 to a
failure model Pf some distance away in parameter space. The top half of the figure
shows an adaptive control scheme which is using only a single model, and the lower
a MMST method. For certain plants, the MMST converges to the correct fault model
faster than a single model approach.
Consider a system of the form

$$P = \begin{cases} \dot x = A_0(p(t))\,x + B_0(p(t))\,u \\ y = C_0(p(t))\,x \end{cases} \tag{2.17}$$

where $x \in \mathbb{R}^n$, $u \in \mathbb{R}^m$, $y \in \mathbb{R}^k$, $A_0 \in \mathbb{R}^{n \times n}$, $B_0 \in \mathbb{R}^{n \times m}$, $C_0 \in \mathbb{R}^{k \times n}$ and $p(t) \in S \subseteq \mathbb{R}^l$
are the plant parameters. The quantity $p(t)$ varies in time in an abrupt fashion and
represents the various failure scenarios.

Definition 6.1 (Model Set). The model set $\mathcal{M}$ is a set of N linear models

$$\mathcal{M} : \{M_1, \dots, M_N\}$$

such that

$$M_i : \begin{cases} \dot x_i = A_i x_i + B_i u \\ y_i = C_i x_i \end{cases}$$

where model $M_i$ corresponds to a particular set of parameters $p_i \in S$.
A stabilizing controller $K_i$ is designed for each model $M_i \in \mathcal{M}$.
The control law proceeds as follows. At each time step, the model which is closest
to the current system is determined by computing a performance index Ji (t), which
is a function of the errors ei (t) between the estimated outputs of model Mi and the
measurements at time t. A commonly used index is [71]

$$J_i(t) = \alpha\, e_i^2(t) + \beta \int_0^t e^{-\lambda (t - \tau)}\, e_i^2(\tau)\, d\tau, \qquad \alpha \ge 0,\ \beta > 0,\ \lambda > 0$$

where α and β are chosen to give a desired combination of instantaneous and long-
term accuracy measures. The forgetting factor λ ensures the boundedness of Ji (t)
for bounded ei . The model/controller, Mi /Ki with the smallest index is switched to
and a waiting period of Tmin > 0 is allowed to pass in order to prevent arbitrarily fast
switching. Most MMST algorithms include a ‘tuning’ part which occurs during the
period while a controller Ki is active, during which time the parameters of the cor-
responding model, and only the corresponding model Mi , are being updated using
an appropriate identification technique (e.g. [2]).
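
The switching rule described above, as an added example that is not part of the original text: a discrete-time simulation in which the integral term of the index is updated recursively and a switch is allowed only after a waiting period. The scalar plant, the model set of actuator effectiveness values `b_models`, the controller form and all numerical values are constructed for illustration, and the tuning step is omitted.

```python
import math


def simulate_mmst(steps=300, fault_step=100, dt=0.1, alpha=1.0, beta=1.0,
                  lam=1.0, dwell_steps=5):
    """Switching part of MMST on a constructed scalar plant (no tuning step).

    Plant: y[k+1] = a*y[k] + b_true*u[k]. b_true is the actuator effectiveness
    and drops abruptly from 1.0 to 0.4 at fault_step (the abrupt change of p(t)).
    """
    a, a_ref, r = 0.95, 0.8, 1.0           # plant pole, reference pole, setpoint
    b_models = [1.0, 0.7, 0.4, 0.1]        # model set: one b_i per fault scenario
    n = len(b_models)
    decay = math.exp(-lam * dt)            # forgetting over one sample period
    integral = [0.0] * n                   # running value of the integral term
    active, last_switch = 0, -dwell_steps  # start on the nominal model/controller
    y, switches, y_log, active_log = 0.0, [], [], []

    for k in range(steps):
        b_true = 1.0 if k < fault_step else 0.4
        # Controller K_i: makes model M_i follow y[k+1] = a_ref*y + (1-a_ref)*r.
        u = ((a_ref - a) * y + (1.0 - a_ref) * r) / b_models[active]
        y_next = a * y + b_true * u
        # Error of every identification model, all run in parallel on the same data.
        errors = [(a * y + b * u) - y_next for b in b_models]
        # Recursive form of the integral of exp(-lam*(t - tau)) * e_i(tau)^2.
        integral = [decay * old + e * e * dt for old, e in zip(integral, errors)]
        index = [alpha * e * e + beta * i for e, i in zip(errors, integral)]
        best = min(range(n), key=index.__getitem__)
        # Switch to the pair with the smallest index, but only after the waiting period.
        if best != active and k - last_switch >= dwell_steps:
            active, last_switch = best, k
            switches.append((k, b_models[best]))
        y = y_next
        y_log.append(y)
        active_log.append(b_models[active])
    return switches, y_log, active_log


if __name__ == "__main__":
    switches, y_log, active_log = simulate_mmst()
    print("switches (step, model b_i):", switches)
    print("output just before the fault: %.4f" % y_log[99])
    print("final output: %.4f, final model b_i: %.1f" % (y_log[-1], active_log[-1]))
```

Because the integral term remembers pre-fault errors, the index of the correct model is not the smallest immediately after the fault, so the run can pass through an intermediate model before settling.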
Recent interest in this approach arises from the following stability result:

Theorem 6.2 [71]. Consider the switching and tuning system described above,
where the N models are all fixed and the proposed switching scheme is used with β ,
λ , Tmin > 0, and α ≥ 0. Then, for each plant with parameter vector p ∈ S , there is
a positive number TS and a function μS (p, Tmin ) > 0, such that if:
• the waiting time Tmin ∈ (0, TS )
• there is at least one model Mi with parameter error || p̂i − p|| < μS (p, Tmin )
then all the signals in the overall system, as well as the performance indices {Ji (t)},
are uniformly bounded. Here TS depends only upon S , and μS also depends upon
α , β , λ and S .

In essence, Theorem 6.2 states that the MMST system is stable if the set of models
Mi is dense enough in the parameter space S and the sampling rate Tmin is fast
enough. How dense and how fast depend on the particular system and Theorem 6.2
gives no insight into the selection of M or Tmin .
Despite the limitations of Theorem 6.2, there are several papers which have ap-
plied these methods. In [13, 10, 11, 12] a MMST controller is developed for the
highly over-actuated tailless advanced fighter aircraft (TAFA). Eleven fault models
are required to cover the scenario of right wing damage ranging from 0% to 100%
and a switching interval of 25ms is needed for stability. Clearly, this approach will
not scale well to the situation where more than one failure, or multiple failures are
considered. Ref. [14] describes a MMST scheme which can handle locked, floating,
hard-over or loss of effectiveness actuator failures for an F-18 aircraft carrier land-
ing manoeuvre. Only five models are needed for satisfactory performance, but again,
multiple failures cannot be accommodated. Ref. [13] introduced a new method of
failure parameterizations for jammed actuators, enabling multiple complete failures
of control surfaces for an F-18 to be handled using a large number of simple models.
For systems with relatively few and well understood failure modes, multiple
model switching and tuning has advantages in being fast and provably stable. How-
ever, the main limitation is that there may be failure scenarios that were not mod-
elled, which would likely be the case for multiple or structural failures. A severe
limitation for larger systems is that the number of models required increases expo-
nentially with the number of simultaneous failures considered.

2.6.2.2 Interacting Multiple Models (IMM)


The method of interacting multiple models (IMM) attempts to deal with the key lim-
itation of MMST, namely that every fault scenario must be modelled, by considering
fault models which are convex combinations of models in a model set.
The primary assumption of IMM is that every possible failure can be modelled as
a convex combination of models in a pre-determined model set $\mathcal{M}$ as defined above
in Definition 6.1

$$M_f = \sum_{i=1}^{N} \mu_i M_i = \mu^T \begin{bmatrix} M_1 \\ \vdots \\ M_N \end{bmatrix}, \qquad M_i \in \mathcal{M},\ \ \mu_i > 0 \in \mathbb{R},\ \ \sum_{i=1}^{N} \mu_i = 1. \tag{2.18}$$

Then $M_f$ is the system:

$$M_f : \begin{cases} \dot x = \begin{bmatrix} A_1 & 0 & \dots & 0 \\ 0 & A_2 & \dots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \dots & A_N \end{bmatrix} x + \begin{bmatrix} B_1 \\ B_2 \\ \vdots \\ B_N \end{bmatrix} u \\[2ex] y = \begin{bmatrix} \mu_1 C_1 & \mu_2 C_2 & \dots & \mu_N C_N \end{bmatrix} x \end{cases} \tag{2.19}$$

It is still an open question how to choose this model set or when the assumption that
the failure model can be written as a convex combination of the models in the set,
is valid.
Fault detection and modelling is then done online by identifying the variables
μi in Equation (2.18). Two proposed methods exist for computing the coefficients
μ . In the first, a Kalman filter is designed for each Mi ∈ M and all filters are run
in parallel. The probability that each of these models represents the true state of
the system can be computed and the coefficients μ are set to these probabilities.
This method is named Multiple Model Adaptive Estimation (MMAE) and is used
in [68, 93]. In the second approach, the previous k f time instants are considered and
the estimated output at each point is computed as a function of μ , which is then
selected to minimize this difference. This approach is advocated in [52, 54].
Once a fault model has been identified, there are a variety of methods for con-
trol law calculation. Refs. [52] and [54] suggest a Model Predictive Control (MPC)
scheme where the minimization of the past tracking error, and therefore of μ , is in-
cluded in the cost function. Ref. [93] proposes an Eigenstructure Assignment (EA)
(see Section 2.6.6) method and [68] uses a fixed controller, using the fault model
M f only for state estimation.
IMM is attractive in its ability to handle multiple failure scenarios by combining
single failure models. However, the requirement of finding the coefficients μ after a
failure makes this an adaptive algorithm and not a model-switching one. As a result
it loses some of the speed of the MMST approach. The formulation of IMM as an
MPC problem given in [54] also offers the potential of handling actuator constraints
naturally.

2.6.2.3 Propulsion Controlled Aircraft (PCA)


After the possibility of control using only the engine throttles was demonstrated by
the Sioux City accident (see Chapter 1), and following a recommendation from the
National Transportation Safety Board of America, the PCA problem was taken up
by the NASA Dryden Flight Research Center [16, 17] in order to provide a backup in
case of total hydraulic failure. PCA is a specific instance of a multi-model approach
where the fault model is identical to the nominal one, but in which all control sur-
faces are free floating. In 1995, a demonstration was made during which a MD-11
(Figure 2.11) and a F-15 recovered from a complete hydraulic failure and landed
successfully under propulsion-only control [18]. PCA is a useful and important idea
and solves a very practical problem. However, it clearly is not sufficient to solve the
general reconfigurable control problem.

2.6.3 Control Allocation (CA)


Control allocation is the problem of producing a desired set of forces and moments
from a (usually large) set of actuators. For example, as shown in Figure 2.12, the
output of the control law can be a set of desired moments and the job of the control
allocation block is then to select appropriate setpoints for the actuators which will
produce those moments.

Fig. 2.11 Landing demonstration of MD-11 Propulsion Controlled Aircraft (PCA), NASA
Dryden, 2001 (copyright NASA)

Fig. 2.12 Control Allocation scheme

The control allocation algorithm takes as inputs the desired moments and an es-
timation of the input derivatives (adaptive B f matrix) from either a FDI or a system
identification algorithm. The algorithm therefore has the ability to adapt the way
actuation forces are generated from the available actuators, to the faults that have
occurred. For example, if the effectiveness of a certain actuator becomes 0% due to
a fault, the corresponding column in B f will also become 0. This actuator is then
not considered anymore by the control allocation method. Instead, the remaining
actuators can be used to generate the desired actuation forces. The goal is then to
produce the desired moments $u_d$ by selecting the appropriate inputs to the system
$u$. Whether this can be done depends on the difference between the size of $u_d \in \mathbb{R}^m$
and the column rank of $B_f \in \mathbb{R}^{n \times k}$. There are three cases to consider:
• If m < k the moments can be selected exactly and the remaining degrees of freedom
can be used (for example) to drive the actuators towards a desired position
$u_p$ by minimizing [90, 15, 20]:

$$\tfrac{1}{2}\|u - u_p\|_{W_p} = \tfrac{1}{2}(u - u_p)^T W_p (u - u_p) \quad \text{where } W_p = W_p^T > 0$$

$$\text{subject to } Bu = u_d$$

where $W_p$ is a weighting matrix prioritizing critical actuators.

• If m = k then there is only one solution which places the moments exactly

$$u = B^{-1} u_d$$

• In the case when m > k there are not enough degrees of freedom to achieve $u_d$
and so a compromise must be made by (for example) minimizing the weighted
norm

$$\tfrac{1}{2}\|Bu - u_d\|_{W_d}$$
Control allocation has been heavily studied in relation to over-actuated systems
(see [29] for a survey) and has received a great deal of attention in the literature for
reconfigurable systems as it allows actuator failures to be handled without the need
to modify the control law. However, there are two major limitations to this approach
to reconfiguration. Firstly, the system will not necessarily be stable, even with a
stabilizing control law, when m > k, as the input seen by the system may not be
equal to that intended by the controller. Secondly, the dynamics and limitations of
the actuators after a failure are not taken into account in the control law. This means
that the controller will still be attempting to achieve the original system performance
even though the actuators are not capable of achieving it.
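
The three allocation cases above, as an added example that is not code from the original text. It assumes diagonal weights W_p and W_d, treats a fully lost actuator as a zero column of B_f, and takes k as the number of actuators that still have authority; the matrix `B`, the demanded moments and the helper names are constructed for illustration.

```python
def solve(A, b):
    """Solve the square system A x = b (Gaussian elimination, partial pivoting)."""
    n = len(A)
    M = [list(row) + [rhs] for row, rhs in zip(A, b)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("remaining actuators cannot span the demand")
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (M[r][n] - sum(M[r][j] * x[j] for j in range(r + 1, n))) / M[r][r]
    return x


def moments(B, u):
    """Moments actually produced by the actuator setpoints u, i.e. B u."""
    return [sum(b * x for b, x in zip(row, u)) for row in B]


def fail(B, lost):
    """B_f for total loss of the actuators in `lost`: their columns become 0."""
    return [[0.0 if j in lost else b for j, b in enumerate(row)] for row in B]


def allocate(B_f, u_d, w_p, u_p, w_d):
    """Return (case, u); w_p and w_d are the diagonals of W_p and W_d."""
    m = len(B_f)
    live = [j for j in range(len(B_f[0])) if any(row[j] != 0.0 for row in B_f)]
    k = len(live)                  # actuators that still have authority
    Bh = [[row[j] for j in live] for row in B_f]
    u = list(u_p)                  # a lost actuator has no effect; leave it at u_p
    if k > m:
        # min 1/2 (u-u_p)^T W_p (u-u_p) subject to B u = u_d, by Lagrange multipliers:
        # u = u_p + W_p^-1 B^T (B W_p^-1 B^T)^-1 (u_d - B u_p)
        gap = [d - y for d, y in zip(u_d, moments(B_f, u_p))]
        G = [[sum(Bh[i][c] * Bh[r][c] / w_p[live[c]] for c in range(k))
              for r in range(m)] for i in range(m)]
        lam = solve(G, gap)
        for c, j in enumerate(live):
            u[j] = u_p[j] + sum(Bh[i][c] * lam[i] for i in range(m)) / w_p[j]
        return "m < k", u
    if k == m:
        sol = solve(Bh, u_d)       # u = B^-1 u_d on the remaining actuators
    else:
        # min 1/2 (B u - u_d)^T W_d (B u - u_d): B^T W_d B u = B^T W_d u_d
        N = [[sum(Bh[i][a] * w_d[i] * Bh[i][b] for i in range(m)) for b in range(k)]
             for a in range(k)]
        rhs = [sum(Bh[i][a] * w_d[i] * u_d[i] for i in range(m)) for a in range(k)]
        sol = solve(N, rhs)
    for c, j in enumerate(live):
        u[j] = sol[c]
    return ("m = k" if k == m else "m > k"), u


# Constructed data. Rows: roll, pitch, yaw moment. Columns: left aileron,
# right aileron, left elevator, right elevator, rudder.
B = [[1.0, -1.0, 0.3, -0.3, 0.1],
     [0.0, 0.0, 1.0, 1.0, 0.0],
     [0.05, -0.05, 0.0, 0.0, 1.0]]
U_D = [0.2, 0.1, 0.05]
W_P, U_P, W_D = [1.0] * 5, [0.0] * 5, [1.0] * 3

if __name__ == "__main__":
    for lost in [set(), {4}, {1, 3}, {1, 2, 3}]:
        B_f = fail(B, lost)
        case, u = allocate(B_f, U_D, W_P, U_P, W_D)
        print(sorted(lost), case, [round(x, 3) for x in moments(B_f, u)])
```

In the last scenario only the left aileron and rudder remain, so the achieved pitch moment is zero instead of the demanded 0.1: the plant sees an input different from the one the control law asked for, which is the stability caveat raised above for m > k.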
Control allocation has received considerable attention from the field of aerospace
engineering. Extensions to the simple control allocation problem presented here
have been considered in the literature. In [9] and [28] the problem of control allo-
cation with magnitude and rate limits on the actuators is considered, [24] develops
a control allocation controller for the extremely over-actuated Innovative Control
Effector (ICE) aircraft and [98] looks at restoring as much of the performance of the
original B matrix as possible after an actuator failure. Other examples of work in the
area of control allocation for aerospace applications can be found in [7] and [38].

2.6.4 Adaptive Feedback Linearization via Artificial Neural Network

This section examines a method primarily developed by Calise et al [42, 48, 41,
19, 21, 90, 20] involving a Model Reference Adaptive Control (MRAC) scheme
through adaptive feedback linearization augmented by an Artificial Neural Network
(ANN). This approach has been successfully demonstrated via simulation on the
Tailless Advanced Fighter Aircraft (TAFA) [90, 20] and the X-36 [21]. The approach
presented here splits the dynamics of the plane into three SISO subsystems, each of
which has a model reference adaptive controller: roll, pitch and yaw. The output of
each controller is a command specifying a desired roll, pitch or yaw moment and
it is then the job of the Integrated Control Effector Management (ICEM) [15, 90],
a form of control allocation, to generate these moments using the available control
surfaces. The next three sections give a brief overview of the principles of feedback
linearization on SISO systems, review the particulars and benefits of its use in
reconfiguration and finally discuss the ICEM and its role in the proposed method.

2.6.4.1 Single-Input Single-Output (SISO) Feedback Linearization


Consider the SISO nonlinear system

$$\begin{aligned} \dot x &= f(x, u) \\ y &= h(x) \end{aligned} \qquad x \in \mathbb{R}^n,\ \ u, y \in \mathbb{R} \tag{2.20}$$

In feedback linearization the goal is to design a control law for the SISO nonlinear
system given in Equation 2.20 such that the closed loop system is linear and con-
trollable. Assuming the relative degree of h is r = n, the rth derivative of the output
is the first derivative that is directly affected by the control. As a result, we can write
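the system dynamics in the normal form ([44], Section 4.2):

$$\begin{aligned}
\Phi_1(x) &= h(x) = z_1 = y \\
\Phi_2(x) &= \frac{dh(x)}{dt} = \dot z_1 = z_2 \\
\Phi_3(x) &= \frac{d^2 h(x)}{dt^2} = \dot z_2 = z_3 \\
&\ \ \vdots \\
\Phi_r(x) &= \frac{d^r h(x)}{dt^r} = \dot z_{r-1} = z_r \\
\dot z_r &= h_r(z, u)
\end{aligned} \tag{2.21}$$

where $\Phi(x) = z = [z_1, \dots, z_r]$.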


We now define the ‘pseudo control signal’ ν

ν = ĥr (Φ (x), u)

where ĥr (Φ (x), u) is an invertible estimate of hr (z, u). Then the system dynamics
can be expressed as

$$\begin{aligned} \dot z_i &= z_{i+1}, \qquad 1 \le i \le r - 1 \\ \dot z_r &= \nu + \Delta \\ y &= z_1 \end{aligned} \tag{2.22}$$

where

$$\Delta = \Delta(z, u) = h_r(z, u) - \hat h_r(y, u)$$

In effect, the transformation places r integrators between the pseudo control ν
and the system output y, with the error Δ acting as a disturbance signal. This is now
a linear and controllable system.

Fig. 2.13 Nonlinear Adaptive Output Feedback Controller

2.6.4.2 Feedback Linearization for Reconfigurable Control


Feedback linearization can be used in a model-following configuration by choosing
the pseudo control to have the form [19]

$$\nu = y_c^{(r)} + \nu_{dc} - \nu_{ad},$$

where $\nu_{dc}$ is the output of a stabilizing linear compensator for the linearized system
given by Equation (2.22) with $\Delta = 0$. The quantity $\nu_{ad}$ is an adaptive signal designed
to cancel $\Delta$ and $y_c^{(r)}$ is the rth derivative of the signal to be tracked. The signal $y_c^{(r)}$ can
be obtained from an (at least) rth order reference model which defines the desired
dynamics.
If the model of the system is perfect, $\Delta = 0$ and we could simply apply the input
$u = \hat h_r^{-1}(x, \nu) = h_r^{-1}(x, y_c^{(r)} + \nu_{dc})$ and the system would track the reference trajectory.
However, as there will always be modelling errors, the error Δ needs to be compen-
sated online and for this an ANN can be used. Neural networks can be trained to
approximate any function with an arbitrary precision. As a result, the ANN can
estimate the modelling error and hence cancel it. The benefit of this approach is
that no model structure needs to be assumed in order to estimate the error. Figure
2.13 shows the structure of the full controller, and Figure 2.14 that of the linear
compensator.
This control technique was proposed as a method of reconfigurable control in
combination with Wise’s ICEM [15]. This scheme is suited to reconfigurable control,
as the adaptation makes no assumptions about the structure of the system after
the failure. Since the ANN can approximate any nonlinear function, it can track
and cancel any structural failures which may occur under the assumption of sufficient
control authority and excitation for adaptation. The techniques presented in
this section have been developed and expanded upon in several publications: Single
Input Single Output (SISO) stability proofs [19], input saturation [48], combined
aero/engine control [42] and highly over-actuated systems [21].

Fig. 2.14 Block Diagram of the Error Dynamics

2.6.5 Sliding Mode Control (SMC)


This section reviews the work in [82]. The proposed controller is set up in a two-loop
cascade configuration, with the ultimate goal of tracking a trajectory given by roll,
pitch and yaw angle setpoints. The outer-loop takes roll, pitch and yaw setpoints
and provides angular rate commands to the inner-loop, which is assumed to track
the commands using the inputs to the actuators.
The outer-loop is designed using standard robust SMC techniques. The inner-
loop is also a robust sliding mode controller but has an adaptive feature to handle
actuator magnitude and rate limitations. In [82] it is shown that modifying the size
of the boundary layer online can ensure that integrators do not wind up, as well as
ensuring that actuator magnitude and rate limits are satisfied. There is a direct trade-
off between the size of the boundary layer and tracking performance. Therefore,
this procedure provides an intuitive method of maximizing tracking while ensuring
actuator limits.
The benefits of this controller to reconfigurable control are two-fold. Firstly, be-
ing a robust control technique, it can handle all structural failures which modify
the dynamics of the plant less than the assumed uncertainty. Secondly, the online
adaptation of the boundary layer can handle partial loss of actuator surfaces, while
avoiding limits and integrator windup by reducing the tracking performance. Al-
though this technique provides benefits to aircraft control, there are limitations due
to the use of SMC when it is presented with the full reconfigurable problem.
1. There must be one and only one control surface for every controlled variable
and second, none of the control surfaces can ever be lost. This is handled in
[82] by only considering failures which cause a partial loss of effectiveness of
the control surfaces, which is not realistic as floating or jammed actuators are
certainly possible failure scenarios. This problem could be addressed by placing
a control allocation algorithm (see Section 2.6.3) between the requested outputs
and the physical actuators.
2. The method proposes to use robust control to handle all structural failures. This
requires a de-tuning of the controller to the point that it can handle uncertainties
including all possible structural failures, which may well result in an excessively
conservative controller in the non-failure situation.

2.6.6 Eigenstructure Assignment (EA)


Eigenstructure Assignment (EA) was made popular in the 1980s primarily by
Andry, Shapiro and Chung in their paper [1] where the method of Direct Eigen-
structure Assignment (DEA) was introduced. The idea behind the method is to place
the eigenvalues of a linear system using state feedback and then use any remaining
degrees of freedom to align the eigenvectors as accurately as is possible. The eigen-
values determine the natural frequency and damping of each mode while the eigen-
vectors control how much each mode contributes to a given output. The following
sections first give a brief overview of the theory behind EA and then a review of its
use in reconfigurable control.

2.6.6.1 Introduction to Eigenstructure Assignment


The eigenstructure assignment (EA) method [63] to controller reconfiguration is a
more intuitive approach than the Pseudo Inverse method (Section 6.6.3). It aims at
matching the eigenstructures (i.e. the eigenvalues and the eigenvectors) of the A-
matrices of the nominal and the faulty closed-loop systems. The main idea is to
exactly assign some of the most dominant eigenvalues while at the same time min-
imizing the 2-norm of the difference between the corresponding eigenvectors. The
procedure has been developed both under constant state-feedback [89] and output-
feedback [26]. More specifically, in the state-feedback case, if λi , i = 1, 2, . . . , n are
the eigenvalues of the A-matrix of the nominal closed-loop system formed as the
interconnection of (2.25) with the constant state-feedback control action uk = Fxk ,
and if $v_i$ are their corresponding eigenvectors, the EA method computes the state-feedback
gain $F_R$ for the faulty model (2.26) as the solution to the following problem

$$\text{EA}: \begin{cases} \text{Find } F_R \\ \text{such that } (A_f + B_f F_R)\, v_i^f = \lambda_i v_i^f, \quad i = 1, \dots, n, \\ \text{and } v_i^f = \arg\min_{v_i^f} \|v_i - v_i^f\|_{W_i}^2, \end{cases} \tag{2.23}$$

where $\|v_i - v_i^f\|_{W_i}^2 = (v_i - v_i^f)^T W_i (v_i - v_i^f)$. In other words, the new gain $F_R$ needs to
be such that the poles of the resulting closed-loop system coincide with the poles of
the nominal closed-loop system and, in addition, the eigenvectors of the closed-loop
A-matrices are as close as possible. As both the eigenvectors and the eigenvalues
determine the shape of the time response of the closed-loop system, this method can
be thought of as trying to preserve the nominal closed-loop system time-response
after the occurrence of faults. Thus, the objective of the EA method seems more
“natural” than that of the Pseudo Inverse Method (PIM) and, moreover, the stability
is guaranteed. The computational burden of the approach is not high since an ana-
lytic expression for the solution to (2.23) is available, i.e. no on-line optimization is
necessary. The disadvantage is that model and FDD uncertainties cannot be easily
incorporated in the optimization problem, and that only static controllers are consid-
ered. The references [22, 58] further describe the use of Eigenstructure Assignment.

2.6.6.2 Reconfigurable Eigenstructure Assignment


Although a method for choosing appropriate eigenvectors and eigenvalues is not
immediately obvious for aircraft, some studies have been made on the effects of
the eigenstructure (eigenvalues and eigenvectors) on flying qualities [23]. Methods
which propose EA for use in reconfigurable flight control systems [58, 4, 94] first
assume a linear fault model which has been given to the controller by a FDI system.

$$\begin{aligned} \dot x &= A_f x + B_f u \\ y &= C_f x \end{aligned}$$

The goal is then to design a stabilizing output feedback law $K_f$

$$u = K_f C_f x \tag{2.24}$$

such that the eigenstructure of the new closed-loop system $A_f + B_f K_f C_f$ is as close as
possible to that of the original closed-loop system $A + BKC$.
The choice of $K_f$ can be made in a variety of ways, but the placement of the
eigenspace is limited by Theorem 2.1. Generally the eigenvalues of the failed system,
$\lambda_i^f$, are ordered from most important to least and then the top max(m, k) are
made to exactly match those of the non-failed system $\lambda$, while the remainder are
kept stable. Similarly, the most important max(m, k) eigenvectors of the failed system,
$v_i^f$, are made close to those of the original system $v_i$ in the least squares sense.

Theorem 2.1. [23] Consider a controllable and observable system with the output
feedback law of (2.24) and the assumption that the matrices B and C are full rank.
Then, there exists a matrix K ∈ Rm×k such that
1. max(m, k) closed-loop eigenvalues can be assigned
2. max(m, k) eigenvectors can be partially assigned with min(m, k) entries in each
vector arbitrarily chosen

There are several limitations to this approach when applied to reconfiguration.
Firstly, only linear systems have been considered and actuator limitations have not
been taken into account. Secondly, a perfect fault model is assumed and the effects
of uncertainty have not been extensively studied. Finally, the effect of the eigenvectors
in the failed system not being exactly equal to those in the nominal system
is not well understood. The result of these significant limitations is that only a few
researchers have proposed this approach.

2.6.6.3 Pseudo Inverse Method (PIM)


The pseudo-inverse method (PIM) [31] is one of the most cited active methods for
FTC due to its computational simplicity and its ability to handle a very large class
of system faults. The basic version of the PIM considers a nominal linear system

$$
\begin{aligned}
x_{k+1} &= A x_k + B u_k \\
y_k &= C x_k,
\end{aligned}
\qquad (2.25)
$$

with a linear state-feedback control law $u_k = F x_k$, under the assumption that the
state vector is available for measurement. The method allows for a very general
post-fault system representation

$$
\begin{aligned}
x_{k+1}^f &= A_f x_k^f + B_f u_k^R \\
y_k^f &= C_f x_k^f,
\end{aligned}
\qquad (2.26)
$$

where the new, reconfigured control law is taken with the same structure, i.e.
$u_k^R = F_R x_k^f$. The goal is then to find the new state-feedback gain matrix $F_R$ in such a
way that the “distance” (defined below) between the A-matrices of the nominal and the
post-fault closed-loop systems is minimized, i.e.

$$
\text{PIM:} \quad
\begin{aligned}
F_R &= \arg\min_{F_R} \left\| (A + BF) - (A_f + B_f F_R) \right\|_F \\
&= B_f^{\dagger} (A + BF - A_f),
\end{aligned}
\qquad (2.27)
$$

where $B_f^{\dagger}$ is the pseudo-inverse of the matrix $B_f$. The advantages of this approach are
that it is very suitable for on-line implementation due to its simplicity, and moreover,
that it allows for changes in all state-space matrices of the system as a consequence
of the faults. A very strong disadvantage is, however, that the optimal control law
computed by equation (2.27) does not always stabilize the closed-loop system. Simple
examples that confirm this fact can easily be generated, see for example [31].
To circumvent this problem, the modified pseudo-inverse method was developed in
[31] that basically solves the same problem under the additional constraint that the
resulting closed-loop system remains stable. This, however, results in a constrained
optimization problem that increases the computational burden. A similar approach
is also discussed in [77, 62], where the reconfigured control action $u_k^R$ is directly
computed from the nominal control $u_k$ as $u_k^R = B_f^{\dagger} B u_k$. Other modifications of this
approach that were proposed include the consideration of additive faults on the state
equation and additive terms on the control action to compensate for them in [73]
and static output-feedback in [59].
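The following Python sketch is an added example, not code from the book. It evaluates (2.27) on a constructed two-state, single-input system for two fault models and then checks the spectral radius of the reconfigured closed loop, since the PIM gain does not always stabilize. All matrices, the names `pim_gain` and `reconfigure`, and the use of the left pseudo-inverse (valid only for a full-column-rank post-fault input matrix) are assumptions of the example.

```python
import cmath

def matmul(X, Y):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]

def add(X, Y):
    return [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def sub(X, Y):
    return [[x - y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def transpose(X):
    return [list(col) for col in zip(*X)]

def inverse(X):
    """Gauss-Jordan inverse with partial pivoting; raises if X is singular."""
    n = len(X)
    aug = [[float(v) for v in row] + [float(i == j) for j in range(n)]
           for i, row in enumerate(X)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        if abs(aug[p][c]) < 1e-12:
            raise ValueError("matrix is singular")
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(n):
            if r != c:
                f = aug[r][c]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def pinv(B):
    """Left pseudo-inverse (B^T B)^-1 B^T; assumes B has full column rank."""
    Bt = transpose(B)
    return matmul(inverse(matmul(Bt, B)), Bt)

def closed_loop(A, B, F):
    return add(A, matmul(B, F))

def pim_gain(A, B, F, Af, Bf):
    """Equation (2.27): F_R = pinv(B_f) (A + B F - A_f)."""
    return matmul(pinv(Bf), sub(closed_loop(A, B, F), Af))

def frobenius(X):
    return sum(v * v for row in X for v in row) ** 0.5

def spectral_radius_2x2(M):
    """Largest eigenvalue magnitude of a 2x2 matrix; < 1 means discrete-time stable."""
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    root = cmath.sqrt(tr * tr - 4.0 * det)
    return max(abs((tr + root) / 2.0), abs((tr - root) / 2.0))

def reconfigure(A, B, F, Af, Bf):
    """Return (F_R, residual distance, spectral radius, accepted) for one fault model."""
    FR = pim_gain(A, B, F, Af, Bf)
    Mf = closed_loop(Af, Bf, FR)
    residual = frobenius(sub(closed_loop(A, B, F), Mf))
    rho = spectral_radius_2x2(Mf)
    return FR, residual, rho, rho < 1.0

# Constructed nominal system and stabilising gain (not taken from the book).
A = [[0.9, 0.5], [0.0, 1.2]]
B = [[0.0], [1.0]]
F = [[-0.2, -0.7]]

# Fault 1: the actuator loses 50 % effectiveness, dynamics unchanged.
FAULT_1 = (A, [[0.0], [0.5]])
# Fault 2: the same actuator loss plus a structural change in the state coupling.
FAULT_2 = ([[0.9, -2.0], [0.0, 1.2]], [[0.0], [0.5]])
# Hand-picked gain that stabilises the fault-2 plant, so the plant itself is
# still stabilisable and the instability below is caused by the PIM solution.
F_STABLE_2 = [[0.21, -2.2]]

if __name__ == "__main__":
    print("nominal rho:", spectral_radius_2x2(closed_loop(A, B, F)))
    for name, (Af, Bf) in (("fault 1", FAULT_1), ("fault 2", FAULT_2)):
        FR, residual, rho, ok = reconfigure(A, B, F, Af, Bf)
        print(name, "F_R =", FR, "residual =", residual, "rho =", rho,
              "accept" if ok else "reject: closed loop unstable")
    print("fault 2 with hand-picked gain, rho:",
          spectral_radius_2x2(closed_loop(FAULT_2[0], FAULT_2[1], F_STABLE_2)))
```

For fault 1 the nominal closed loop is recovered exactly (zero residual); for fault 2 the part of the mismatch outside the range of the post-fault input matrix cannot be matched, and the minimum-distance gain leaves an unstable closed loop.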

Fig. 2.15 Model Reference Adaptive Control

2.6.7 Model Reference Adaptive Control (MRAC)


Åström defines an adaptive controller as “a controller with adjustable parameters
and a mechanism for adjusting those parameters” ([2], Page 1). Clearly, all methods
presented in this survey are adaptive to some degree (save for robust control
techniques) as they require the identification of a fault model in order to compute a
control law. The approach we consider here is Model Reference Adaptive Control
(MRAC) which can be effective for many types of structural failures and is often
used as a final stage in other algorithms.
The goal of adaptive model-following is to force the plant output to track a reference
model. We consider linear plants of the form

$$
\begin{aligned}
\dot{x} &= Ax + Bu + d \\
y &= Cx
\end{aligned}
\qquad (2.28)
$$

where $x \in \mathbb{R}^n$, $u \in \mathbb{R}^m$, $y \in \mathbb{R}^k$ and a reference model of the form

$$\dot{y}_d = A_d y_d + B_d r \qquad (2.29)$$

where $y_d \in \mathbb{R}^k$ and $r \in \mathbb{R}^k$. $A_d$ and $B_d$ are arbitrary square matrices with $A_d$ stable.
State feedback of the form shown in Figure 2.15 is considered.

$$u = C_0 r + G_0 x + v$$

where $C_0 \in \mathbb{R}^{k \times k}$, $G_0 \in \mathbb{R}^{k \times n}$ and $v \in \mathbb{R}^k$ are free controller parameters. The closed
loop dynamics are then

$$\dot{y} = (CA + CBG_0)x + CBC_0 r + CBv + Cd \qquad (2.30)$$

The goal is now to make the closed loop dynamics given by Equation (2.30)
match the desired dynamics of Equation (2.29). If the model shown in Equation
(2.28) was known exactly, the controller parameters $C_0$, $G_0$ and $v$ could be computed
to achieve this. However, since post-failure the model in (2.28) is not known exactly,
the controller parameters need to be adapted. There are two methods to achieve this:
direct and indirect adaptation.

2.6.7.1 Indirect Adaptation


There are two stages in indirect adaptive control. Firstly the matrices $A$, $B$ and $d$ are
estimated and then under the assumption that these estimates are correct the control
parameters $G_0$, $C_0$ and $v$ are computed such that the closed-loop system matches the
desired dynamics.
A least squares algorithm can be used to compute the estimates $\hat{A}$, $\hat{B}$ and $\hat{d}$ ([2]),
which can then be used to compute the controller parameters such that the closed
loop dynamics (2.30) match the desired ones (2.29).

$$
\begin{aligned}
C_0 &= (C\hat{B})^{-1} B_d \\
G_0 &= (C\hat{B})^{-1} (A_d C - C\hat{A}) \\
v &= (C\hat{B})^{-1} (Cd)
\end{aligned}
$$

where we must assume that $\det(C\hat{B}) \neq 0$.

The idea of identifying the model online and then computing a control law under
the assumption that the estimated model is perfect is common in the reconfigurable
control literature. For example, the EA algorithms of Section 2.6.6 and the IMM
algorithms of Section 2.6.2.2 assume this type of structure.

2.6.7.2 Direct Adaptation

Direct adaptive control attempts to estimate the controller parameters $G_0$, $C_0$ and $v$
directly rather than first computing the model parameters. We define $G_0$, $C_0$ and $v$ as
the ‘correct’ values of the controller parameters which will force the plant to track
the reference model. A problem can then be formulated such that a least squares
routine can be used to estimate the correct controller parameters [8]. The idea of
direct adaptation is seen in algorithms such as the adaptive feedback linearization
approach presented in Section 2.6.4.
The basic model-reference adaptive control techniques described here are not
by themselves suitable for reconfigurable control for two main reasons. Firstly, in
order for these approaches to work a model structure must be assumed. However,
the types of failures addressed in reconfigurable control may well cause the plant
structure to change drastically. Secondly, adaptive control requires the system
parameters to change slowly enough for the estimation algorithm to track them. Faults
may well cause abrupt and drastic changes in the parameters moving the system
instantaneously to a new region of the parameter space. There is no guarantee that
the system will be stable during the transient period in which the adaptive algorithm
is identifying the faulty plant. Despite the limitations of adaptive control for
reconfiguration, some researchers have attempted to apply it in slightly modified forms
[6, 35, 8]. As a result adaptive control on its own is not enough to handle the general
problem, but may well be an important part of a reconfigurable algorithm.

2.6.8 Model Predictive Control


After its introduction in the 1970s, model predictive control (MPC) has become a
popular strategy in the field of industrial process control. The main reasons for this
popularity are the abilities of MPC to control multivariable systems and to handle
constraints. Initially, MPC was primarily applied to relatively slow processes such
as the plants encountered in the process industry. The reason for this is that MPC can
require considerable computational effort to generate the control signals as a result
of an optimization that has to be performed at each time instance. This optimization
is based on matching a prediction of the system output to some desired reference
trajectory. The latter is assumed to be known in advance. For the relatively slow
plants in the process industry, the considerable computational effort of MPC was
not an issue because of the low sampling frequency of the controllers. However, for
faster systems, higher frequencies were required that prevented on-line implementation
of MPC for such systems. More recently, MPC has become a viable alternative
for faster systems as a result of the increase in computational power that is available
in modern control systems. For example, in [79] MPC has been used for real-time
control of a miniature hovercraft. Another example is [56], in which MPC has been
used for real-time control of an unmanned aerial vehicle.
As discussed in [65], the MPC architecture allows fault-tolerance to be embedded
in a relatively easy way by: (a) redefining the constraints to represent certain faults
(usually actuator faults), (b) changing the internal model, (c) changing the control
objectives to reflect limitations due to the faulty mode of operation. In such a way
there is practically no additional optimization that needs to be executed on-line as a
consequence of a fault being diagnosed, so that this method can be viewed as having
an inherent self-reconfiguration property. However, if state-feedback MPC is used in
an interconnection with an observer one should also take care to reconfigure the
observer appropriately in order to achieve fault-tolerant state estimation. Examples
of the application of MPC to FTC are numerous [66, 51, 76, 50, 56].
Model predictive control has been proposed as a method for reconfigurable flight
control due to its ability to handle constraints and changing model dynamics
systematically. MPC relies on an internal model of the system and so, like many of the
approaches presented in this survey, a fault model is required. There are two general
classifications of aircraft faults: actuator and structural. As noted in [69], these
failures can be handled naturally in an MPC framework via changes in the input
constraints and internal model. Actuator limit and rate constraints can be written as:

$$
\begin{aligned}
u_i^l &\le u_i(t) \le u_i^u \\
du_i^l &\le \dot{u}_i(t) \le du_i^u
\end{aligned}
$$

for actuator inputs $u_1$ through $u_m$. If actuator $i$ becomes jammed at position $\bar{u}_i$ the
MPC controller can be made to compensate by simply changing the constraints on
input $i$ to

$$
\begin{aligned}
\bar{u}_i &\le u_i(t) \le \bar{u}_i \\
0 &\le \dot{u}_i(t) \le 0
\end{aligned}
$$

The result will be similar to the control allocation approach where other input channels
are used to create the same effect. As noted in [64], an MPC controller can
be designed so that it has an intrinsic ability to handle jammed actuators without
the need to explicitly model the failure. Structural failures can also be handled in a
natural fashion by changing the internal model used to make predictions in either an
adaptive fashion [52], a multi-model switching scheme [13] or by assuming an FDI
scheme which provides a fault model [40, 39, 55, 66].
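The following Python sketch is an added example, not code from the book. It applies the constraint change for a jammed actuator to a deliberately small predictive controller: a one-step horizon, a constructed scalar plant with two redundant actuators, and rate limits expressed per sample. The plant numbers, the names `one_step_mpc`, `declare_jam` and `simulate`, and the coordinate-descent solver are assumptions; the controller has no disturbance model or integral action, so it does not have the intrinsic jam-handling property noted in [64] and must be told about the fault.

```python
A_PLANT = 0.9                          # constructed plant: x[k+1] = a*x[k] + b1*u1[k] + b2*u2[k]
B_PLANT = [0.5, 0.5]                   # two redundant actuators with equal authority
RHO = 0.01                             # input weight in the one-step cost
LIMITS = [(-1.0, 1.0), (-1.0, 1.0)]    # position limits (lower, upper) per actuator
RATES = [(-0.2, 0.2), (-0.2, 0.2)]     # rate limits (lower, upper) per sample

def clip(v, lo, hi):
    return max(lo, min(hi, v))

def one_step_mpc(x, r, u_prev, limits, rates, sweeps=200):
    """Minimise (a*x + b.u - r)^2 + rho*|u|^2 subject to limit and rate constraints.

    With a one-step horizon the rate constraint is a box around u_prev, so the
    feasible set is a box and cyclic coordinate descent with clipping converges
    to the constrained optimum of this strictly convex cost.
    """
    lo = [max(l, up + dl) for (l, _), (dl, _), up in zip(limits, rates, u_prev)]
    hi = [min(h, up + dh) for (_, h), (_, dh), up in zip(limits, rates, u_prev)]
    u = [clip(up, l, h) for up, l, h in zip(u_prev, lo, hi)]
    for _ in range(sweeps):
        for i, b_i in enumerate(B_PLANT):
            others = sum(b * v for j, (b, v) in enumerate(zip(B_PLANT, u)) if j != i)
            best = b_i * (r - A_PLANT * x - others) / (b_i * b_i + RHO)
            u[i] = clip(best, lo[i], hi[i])
    return u

def declare_jam(limits, rates, u_prev, i, position):
    """Constraint change from the text: pin actuator i at its jammed position."""
    limits[i] = (position, position)
    rates[i] = (0.0, 0.0)
    # The stored previous input must move to the jammed position as well,
    # otherwise the rate box and the new limits would not intersect.
    u_prev[i] = position

def simulate(informed, steps=60, jam_step=20, jam_pos=0.3, r=0.5):
    """Track reference r; actuator 0 jams at jam_pos from jam_step onwards.

    informed=True models a fault report reaching the controller, which then
    redefines its constraints; informed=False keeps the nominal constraints.
    Returns the final state and the final commanded inputs.
    """
    limits, rates = list(LIMITS), list(RATES)
    x, u_cmd = 0.0, [0.0, 0.0]
    for k in range(steps):
        if k == jam_step and informed:
            declare_jam(limits, rates, u_cmd, 0, jam_pos)
        u_cmd = one_step_mpc(x, r, u_cmd, limits, rates)
        u_act = list(u_cmd)
        if k >= jam_step:
            u_act[0] = jam_pos         # the jammed surface ignores its command
        x = A_PLANT * x + sum(b * u for b, u in zip(B_PLANT, u_act))
    return x, u_cmd

if __name__ == "__main__":
    for informed in (True, False):
        x_final, u_final = simulate(informed)
        print("informed" if informed else "uninformed",
              "final x = %.4f" % x_final, "final command =", u_final)
```

With the constraints redefined, the healthy actuator settles at a negative deflection that cancels the jammed one and the state returns to the reference; with the nominal constraints the prediction is wrong at every step and a steady tracking error remains.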
An important issue when using MPC is the robustness with respect to model
uncertainties. Since MPC heavily depends on how well the controlled system is
represented by the model used, measures should be taken in case of model uncertainty.
One method to do so is to define an uncertainty region around the nominal model
and to ensure that the MPC algorithm achieves a certain minimum performance
level for the whole uncertainty region. MPC methods that take model uncertainty
explicitly into account are referred to as robust MPC methods. One of the first
research efforts that addresses the issue of robust MPC was performed by [60]. This
issue has been addressed in the context of FTC in [51].
Like most active FTC methods, MPC-based FTC requires availability of fault
information to accommodate faults. This requirement limits the ability of MPC-based
FTC to deal with unanticipated fault conditions for which fault information cannot
be obtained most of the time. An FTC algorithm that has this ability is therefore
very desirable. Such an algorithm is subspace predictive control (SPC). This algorithm
consists of a predictor that is derived using subspace identification theory [87],
making it a data-driven control method. This subspace predictor is subsequently
integrated into a predictive control objective function. The basic SPC algorithm was
introduced by [30] and has since been used by various researchers [91, 49, 88]. If the
subspace predictor is updated on-line with new input-output data when it becomes
available, then SPC has the ability to adapt to changing system conditions, which
can also include unanticipated faults. Besides having this ability, another important
advantage of the SPC algorithm is that the issue of robustness with respect to model
uncertainty is implicitly addressed because of the adaptation of the predictor. In [37]
the SPC algorithm is used for FTC of the GARTEUR benchmark model.

2.6.9 Model Following


The model following method is another approach to active FTC. Basically, the
method considers a reference model of the form

$$
\begin{aligned}
x_{k+1}^M &= A_M x_k^M + B_M r_k, \\
y_k^M &= x_k^M,
\end{aligned}
$$

where $r_k$ is a reference trajectory signal. The goal is to compute matrices $K_r$ and
$K_x$ such that the feedback interconnection of the open-loop system (2.25) and the
state-feedback control action

$$u_k = K_r r_k + K_x x_k$$

matches the reference model. To this end the reference model and closed-loop system
are written in the form

$$
\begin{aligned}
y_{k+1}^M &= A_M x_k^M + B_M r_k, \\
y_{k+1} &= (CA + CBK_x) x_k + CBK_r r_k,
\end{aligned}
$$

so that perfect model following (PMF) can be achieved by selecting

$$
\text{PMF:} \quad
\begin{aligned}
K_x &= (CB)^{-1} (A_M - CA), \\
K_r &= (CB)^{-1} B_M,
\end{aligned}
\qquad (2.31)
$$

provided that the system is square (i.e. $\dim(y) = \dim(u)$), and that the inverse of
the matrix $CB$ exists. When the exact system matrices $(A, B)$ in (2.31) are unknown,
they can be substituted by some estimated values $(\hat{A}, \hat{B})$, resulting in the indirect
(explicit) method [8]. The indirect method provides no guarantees for closed-loop
stability, and in addition, the matrix $(C\hat{B})$ may not be invertible. In order to avoid
the need for estimating the plant parameters, the direct (implicit) method of model
following can be used, which directly estimates the controller gain matrices $K_r$ and
$K_x$ by means of an adaptive scheme. Two approaches to direct model following exist,
the output error method and the input error method. Examples of the application of
the model following approach can be found in [8, 70, 85]. We note here, that the
direct model following method is based on adaptation rules and as such is also a
candidate for the group of adaptive control methods.
The model following methods have the advantage that they usually do not require
an FDD scheme. A strong drawback is, however, that they are not applicable to
sensor faults. In addition, these methods do not deal with model uncertainty.

2.6.10 Adaptive Control


Adaptive control methods form a class of methods that is very suitable for active
FTC. Due to their ability to automatically adapt to changes in the system parameters,
these methods could be called “self-reconfigurable”, i.e. they often don’t require
the “reconfiguration mechanism” and “FDD” components, as in Figure 2.6. This,
however, is mostly true for component faults and actuator faults, but not for some
sensor faults. If one, for instance, makes use of an adaptive control scheme based on
output-feedback design to compensate for sensor faults it will make the faulty
measurement (rather than the true signal) track a desired reference signal, and this in turn
may even lead to instability. Indeed, in the case of a total sensor failure an adaptive
controller may try to increase the control action to make the faulty measured signal
equal to the desired value which will not be possible due to the complete failure of
the sensor. In such cases an FDD scheme is needed to detect the sensor failure, and
a reconfiguration mechanism would have to appropriately reconfigure the adaptive
controller. We note here that the direct model following and MM approaches,
discussed above, also belong to the class of adaptive control algorithms. LPV control
methods for FTC design are also members of this class. In [51] LPV FTC methods
are developed that deal with structured parametric and FDD uncertainty. Furthermore,
these methods are applicable to a wide class of faults as the fault signal is
allowed to enter the state-space matrices of the system in any way as long as the
matrices remain bounded. Other applications of LPV control for FTC can be found,
for example in [80, 32].

2.7 Comparison of Fault Tolerant Flight Control Methods


The table below presents a comparison of the fault tolerant control methods,
applicable for reconfigurable flight control, considered in this survey. Filled
circles mean that the method has the indicated property while empty circles imply
that an author has suggested that the approach could be modified to incorporate the
property. The columns are explained as follows:
• Failures: Types of failures that the method can handle
• Robust: The method uses robust control techniques
• Adaptive: The method uses adaptive control techniques
• Fault Model:
– FDI: An FDI algorithm is incorporated into the method
– Assumed: The method assumes an algorithm which provides a fault model
• Constraints: The method can handle actuator constraints
• Model Type: The type of internal model used
The table also shows the fault tolerant control methodologies that have been selected
for further evaluation in this action group. Their application in the different
control designs using the GARTEUR FTFC benchmark and achieved real-time
performances are described in the subsequent chapters of this book.

Method Failures Robust Adaptive Fault Model Constraints Model Type


Actuator Structural FDI Assumed Linear Nonlinear
Multiple Model Switching and Tuning (MMST) • • • •
Interacting Multiple Model (IMM) • • • ◦ •
Propulsion Controlled Aircraft (PCA) • ◦ • • •
Control Allocation (CA)* • • ◦ •
Feedback Linearization • • • • •
Sliding Mode Control (SMC)* ◦1 • •2 • •
Eigenstructure Assignment (EA) • • •
Pseudo Inverse Method (PIM) • • •
Model Reference Adaptive Control (MRAC)* • • • • ◦
Model Predictive Control (MPC)* • • ◦ ◦ • • • • •
Comparison of reconfigurable control methods
* Evaluated in this Action Group
1: Can handle partial loss of effectiveness of actuators, but not complete loss
2: Assumes robust control can handle all forms of structural failures

References
1. Andry, A.N., Shapiro, E.Y., Chung, J.C.: Eigenstructure assignment for linear systems. IEEE Transactions on Aerospace Electronic Systems 19(5) (September 1983)
2. Åström, K.J., Wittenmark, B.: Adaptive control, 2nd edn. Addison-Wesley Publishing Company, Reading (1995)
3. Basseville, M.: On-board component fault detection and isolation using the statistical local approach. Automatica 34(11), 1391–1415 (1998)
4. Belkharraz, A.I., Sobel, K.: Fault tolerant flight control for a class of control surface failures. In: Proceedings of the American Control Conference, June 2000. IEEE, Los Alamitos (2000)
5. Blanke, M., Kinnaert, M., Lunze, J., Staroswiecki, M.: Diagnosis and fault-tolerant control, 2nd edn. Springer, Heidelberg (2006)
6. Bodson, M.: Multivariable adaptive algorithms for reconfigurable flight control. In: Proceedings of the 33rd Conference on Decision and Control, December 1994. IEEE, Los Alamitos (1994)
7. Bodson, M.: Evaluation of optimization methods for control allocation. Journal of Guidance, Control, and Dynamics 25(4), 703–711 (2002)
8. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable flight control. IEEE Transactions on Control Systems Technology 5(2), 217–229 (1997)
9. Bordignon, K.A., Durham, W.C.: Closed-form solutions to constrained control allocation problem. Journal of Guidance, Control and Dynamics 18(5) (September 1995)
10. Boskovic, J.D., Li, S.M., Mehra, R.K.: Reconfigurable flight control design using multiple switching controllers and on-line estimation of damage-related parameters. In: Proceedings of the 2000 IEEE International Conference on Control Applications, September 2000. IEEE, Los Alamitos (2000)
11. Boskovic, J.D., Li, S.M., Mehra, R.K.: Study of an adaptive reconfigurable control scheme for tailless advanced fighter aircraft (TAFA) in the presence of wing damage. In: Position Location and Navigation Symposium, pp. 341–348. IEEE, Los Alamitos (2000)
12. Boskovic, J.D., Li, S.M., Mehra, R.K.: Robust supervisory fault-tolerant flight control system. In: Proceedings of the American Control Conference (June 2001)
13. Boskovic, J.D., Mehra, R.K.: A multiple model-based reconfigurable flight control system design. In: Proceedings on the 37th IEEE Conference on Decision & Control, December 1998. IEEE, Los Alamitos (1998)
14. Boskovic, J.D., Mehra, R.K.: Stable multiple model adaptive flight control for accommodation of a large class of control effector failures. In: Proceedings of the American Control Conference (June 1999)
15. Brinker, J.S., Wise, K.A.: Flight testing of reconfigurable control law on the X-36 tailless aircraft. Journal of Guidance, Control and Dynamics 24(5) (September 2001)
16. Burcham, F.W., Burken, J.J., Maine, T.A., Bull, J.: Emergency flight control using only engine thrust and lateral center-of-gravity offset: a first look. Technical report, NASA (1997)
17. Burcham, F.W., Burken, J.J., Maine, T.A., Fullerton, C.G.: Development and flight test of an emergency flight control system using only engine thrust on an MD-11 transport airplane. Technical report, NASA (October 1997)
18. Burken, J.J., Burcham, F.W.: Flight-test results of propulsion-only emergency control system on MD-11 airplane. Journal of Guidance, Control and Dynamics 20(5) (October 1997)
19. Calise, A.J., Hovakimyan, N., Idan, M.: Adaptive output feedback control of nonlinear systems using neural networks. Automatica 37(8) (March 2001)
20. Calise, A.J., Lee, S., Sharma, M.: Direct adaptive reconfigurable control of a tailless fighter aircraft. In: AIAA Guidance, Navigation and Control Conference, Boston, MA (August 1998)
21. Calise, A.J., Lee, S., Sharma, M.: Development of a reconfigurable flight control law for the X-36 tailless fighter aircraft. In: AIAA Guidance, Navigation, and Control Conference (August 2000)
22. Davidson, J.B., Andrisani, D.: Gain weighted eigenspace assignment. Technical report, NASA (May 1994)
23. Davidson, J.B., Andrisani, D.: Lateral-directional eigenvector flying qualities guidelines for high performance aircraft. Technical report, NASA (December 1996)
24. Davidson, J.B., Lallman, F.J., Bundick, W.T.: Real-time adaptive control allocation applied to a high performance aircraft. In: 5th SIAM Conference on Control & Its Applications (2001)
25. Demetriou, M.A.: Adaptive reorganization of switched systems with faulty actuators. In: Proceedings of the 40th IEEE Conference on Decision and Control (December 2001)
26. Duan, G.R.: Parametric eigenstructure assignment via output feedback based on singular value decompositions. IEE Proceedings - Control Theory and Applications 150(1), 93–100 (2003)
27. Ducard, G., Geering, H.P.: Efficient nonlinear actuator fault detection and isolation system for unmanned aerial vehicles. Journal of Guidance, Control, and Dynamics 31(1), 225–237 (2008)
28. Durham, W.C., Bordignon, K.A.: Multiple control effector rate limiting. Journal of Guidance, Control and Dynamics 19(1) (February 1996)
29. Enns, D.F.: Control allocation approaches. In: Proceedings of AIAA GNC Conference (August 1998)
30. Favoreel, W.: Subspace methods for identification and control of linear and bilinear systems. PhD thesis, Faculty of Engineering, K.U. Leuven, Belgium (1999)
31. Gao, Z., Antsaklis, P.: Stability of the pseudo-inverse method for reconfigurable control systems. International Journal of Control 53(3), 717–729 (1991)
32. Gáspár, P., Bokor, J.: A fault-tolerant rollover prevention system based on an LPV method. International Journal of Vehicle Design 42(3-4), 392–412 (2006)
33. Gertler, J.: Designing dynamic consistency relations for fault detection and isolation. International Journal of Control 73(8), 720–732 (2000)
34. Gopinathan, M., Boskovic, J.D., Mehra, R.K., Rago, C.: A multiple model predictive scheme for fault-tolerant flight control design. In: Proceedings of the 37th IEEE Conference on Decision & Control, December 1998. IEEE, Los Alamitos (1998)
35. Groszkiewicz, J.E., Bodson, M.: Flight control reconfiguration using adaptive methods. In: Proceedings of the 34th Conference on Decision & Control, December 1995. IEEE, Los Alamitos (1995)
36. Hajiyev, C., Caliskan, F.: Fault diagnosis and reconfiguration in flight control systems. Kluwer Academic Publishers, Dordrecht (2003)
37. Hallouzi, R.: Multiple-model based diagnosis for adaptive fault-tolerant control. PhD thesis, Delft University of Technology (2008)
38. Härkegård, O.: Dynamic control allocation using constrained quadratic programming. Journal of Guidance, Control, and Dynamics 27(6), 1028–1034 (2004)
39. Huzmezan, M., Maciejowski, J.M.: Reconfiguration and scheduling in flight using quasi-LPV high-fidelity models and MBPC control. In: Proceedings of the American Control Conference (June 1998)
40. Huzmezan, M., Maciejowski, J.M.: Reconfigurable flight control of a high incidence research model using predictive control. In: UKACC International Conference on CONTROL (September 1998)
41. Idan, M., Johnson, M., Calise, A.J.: A hierarchical approach to adaptive control for improved flight safety. AIAA Journal on Guidance, Control and Dynamics (July 2001)
42. Idan, M., Johnson, M., Calise, A.J., Kaneshige, J.: Intelligent aerodynamic/propulsion flight control for flight safety: a nonlinear adaptive approach. In: American Control Conference, ACC (2001)
43. Isermann, R., Ballé, P.: Trends in the application of model-based fault detection and diagnosis of technical processes. Control Engineering Practice 5(5), 709–719 (1997)
44. Isidori, A.: Nonlinear control systems, 2nd edn. Springer, Heidelberg (1989)
45. Jiang, J.: Fault-tolerant control systems - an introductory overview. Acta Automatica Sinica 31(1), 161–174 (2005)
46. Johansen, T.A.: Operating regime based process modeling and identification. The Norwegian Institute of Technology, University of Trondheim, PhD thesis, itk-report 94-109-w edition (1994)
47. Johansen, T., Foss, B.: Identification of non-linear system structure and parameters using regime decomposition. Automatica 31(2), 321–326 (1995)
48. Johnson, E.N., Calise, A.J.: Neural network adaptive control of systems with input saturation. In: American Control Conference (ACC), Arlington, Virginia (June 2001)
49. Kadali, R., Huang, B., Rossiter, A.: A data driven subspace approach to predictive controller design. Control Engineering Practice 11(3), 261–278 (2003)
50. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable flight control. Control Engineering Practice 13(6), 771–788 (2005)
51. Kanev, S.: Robust fault-tolerant control. PhD thesis, University of Twente (2004)
52. Kanev, S., Verhaegen, M.: Controller reconfiguration for non-linear systems. Control Engineering Practice 8, 1223–1235 (2000)
53. Kanev, S., Verhaegen, M.: A bank of reconfigurable LQG controllers for linear systems subjected to failures. In: 39th IEEE Conference on Decision and Control (December 2000)
54. Kanev, S., Verhaegen, M., Nijsse, G.: A method for the design of fault-tolerant systems in case of sensor and actuator faults. In: European Control Conference, ECC (September 2001)
55. Kerrigan, E.: Fault-tolerant control of the COSY ship propulsion benchmark using model predictive control. Technical report, University of Cambridge (November 1998)
56. Keviczky, T., Balas, G.J.: Software-enabled receding horizon control for autonomous unmanned aerial vehicle guidance. Journal of Guidance, Control, and Dynamics 29(3), 680–694 (2006)
57. Kinnaert, M.: Fault diagnosis based on analytical models for linear and nonlinear systems - a tutorial. In: Proceedings of the 5th Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 2003), Washington D.C., USA, pp. 37–50 (2003)
58. Konstantopoulos, I.K., Antsaklis, P.J.: Eigenstructure assignment in reconfigurable control systems. Technical report, Interdisciplinary Studies of Intelligent Systems (January 1996)
59. Konstantopoulos, I.K., Antsaklis, P.J.: An optimization approach to control reconfiguration. Dynamics and Control 9(3), 255–270 (1999)
60. Kothare, M.V., Balakrishnan, V., Morari, M.: Robust constrained model predictive control using linear matrix inequalities. Automatica 32(10), 1361–1379 (1996)
61. Liao, F., Wang, J.L., Yang, G.H.: Reliable robust flight tracking control: an LMI approach. IEEE Transactions on Control Systems Technology 10(1), 76–89 (2002)
62. Liu, W.: An on-line expert system-based fault-tolerant control system. Expert Systems with Applications 11(1), 59–64 (1996)
63. Liu, G., Patton, R.: Eigenstructure assignment for control systems design. John Wiley & Sons, Chichester (1998)
64. Maciejowski, J.M.: The implicit daisy-chaining property of constrained predictive control. Applied Math and Computer Science 8(4), 695–711 (1998)
65. Maciejowski, J.M.: Predictive control with constraints. Prentice Hall, Englewood Cliffs (2002)
66. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight 1862. In: Proceedings of the 5th Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 2003), Washington D.C., USA, pp. 121–126 (2003)
67. Mahmoud, M., Jiang, J., Zhang, Y.: Active fault tolerant control systems: stochastic analysis and synthesis. Springer, Berlin (2003)
68. Maybeck, P.S.: Multiple model adaptive algorithms for detecting and compensating sensor and actuator/surface failures in aircraft flight control systems. International Journal of Robust and Nonlinear Control 9, 1051–1070 (1999)
69. Mignone, D.: Control and estimation of hybrid systems with mathematical optimization. PhD thesis, Swiss Federal Institute of Technology, ETH (January 2002)
70. Morse, W., Ossman, K.: Model-following reconfigurable flight control system for the AFTI/F-16. Journal of Guidance, Control, and Dynamics 13(6), 969–976 (1990)
71. Narendra, K.S., Balakrishnan, J.: Adaptive control using multiple models. IEEE Transactions on Automatic Control 42(2) (February 1997)
72. Niemann, H., Stoustrup, J.: Passive fault tolerant control of a double inverted pendulum - case study. Control Engineering Practice 13(8), 1047–1059 (2005)
73. Noura, H., Sauter, D., Hamelin, F., Theilliol: Fault-tolerant control in dynamic systems: application to a winding machine. IEEE Control Systems Magazine 20(1), 33–49 (2000)
74. NTSB: Aircraft accident report - American Airlines, Inc. DC-10-10. Technical Report NTSB-AAR-79-17, National Transportation Safety Board, USA (1979)
75. Patton, R.: Fault tolerant control: the 1997 situation. In: Proceedings of the 3rd Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 1997), pp. 1033–1054. Hull University, Hull (1997)
76. Prakash, J., Narasimhan, S., Patwardhan, S.C.: Integrating model based fault diagnosis with model predictive control. Industrial & Engineering Chemistry Research 44(12), 4344–4360 (2005)
77. Rauch, H.: Intelligent fault diagnosis and control reconfiguration. IEEE Control System Magazine 14(3), 6–12 (1994)
78. Ru, J., Li, X.R.: Variable-structure multiple-model approach to fault detection, identification, and estimation. IEEE Transactions on Control Systems Technology 16(5), 1029–1038 (2008)
79. Seguchi, H., Ohtsuka, T.: Nonlinear receding horizon control of an underactuated hovercraft. International Journal of Robust and Nonlinear Control 13(3-4), 381–398 (2003)
80. Shin, J.-Y., Belcastro, C.M.: Performance analysis on fault tolerant control system. IEEE Transactions on Control Systems Technology 14(5), 920–925 (2006)
81. Shtessel, Y.B.: Sliding mode control: overview and applications to aerospace control. Talk notes (2001)
82. Shtessel, Y.B., Buffington, J.: Multiple time scale flight control using reconfigurable sliding modes. AIAA Journal on Guidance, Control and Dynamics 22(6), 873–883 (1999)
83. Slotine, J.J.E., Li, W.: Applied Nonlinear Control. Prentice-Hall International, Inc., Englewood Cliffs (1991)
84. Stoustrup, J., Blondel, V.D.: Fault tolerant control: A simultaneous stabilization result. IEEE Transactions on Automatic Control 49(4), 305–310 (2004)
85. Tao, G., Chen, S., Joshi, S.: An adaptive actuator failure compensation controller using output feedback. IEEE Transactions on Automatic Control 47(3), 506–511 (2002)
86. Tao, G., Ma, X., Joshi, S.: Adaptive state feedback and tracking control of systems with actuator failures. IEEE Transactions on Automatic Control 46(1), 78–95 (2001)
87. Verhaegen, M., Verdult, V.: Filtering and system identification: an introduction. Cambridge University Press, Cambridge (2007)
88. Wang, X., Huang, B., Chen, T.: Data-driven predictive control for solid oxide fuel cells. Journal of Process Control 17(2), 103–114 (2007)
89. Wang, G.S., Lv, Q., Liang, B., Duan, G.R.: Design of reconfiguring control systems via state feedback eigenstructure assignment. International Journal of Information Technology 11(7), 61–70 (2005)
90. Wise, K.A., Brinker, J.S., Calise, A.J., Enns, D.F., Elgersma, M.R., Voulgaris, P.: Direct adaptive reconfigurable flight control for a tailless advanced fighter aircraft. International Journal of Robust and Nonlinear Control 9(14), 999–1022 (1999)
91. Woodley, B.R., How, J.P., Kosut, R.L.: Subspace based direct adaptive H∞ control. International Journal of Adaptive Control and Signal Processing 15, 535–561 (2001)
92. Yen, G.G., Ho, L.-W.: Online multiple-model-based fault diagnosis and accommodation. IEEE Transactions on Industrial Electronics 50(2), 296–312 (2003)
93. Zhang, Y., Jiang, J.: An interacting multiple-model based fault detection, diagnosis and fault-tolerant control approach. In: Proceedings of the 38th Conference on Decision & Control (December 1999)
94. Zhang, Y., Jiang, J.: Integrated design of reconfigurable fault-tolerant control systems. Journal of Guidance 24(1), 133–136 (2000)
95. Zhang, Y.M., Jiang, J.: Fault tolerant control system design with explicit consideration of performance degradation. IEEE Transactions on Aerospace and Electronic Systems 39(3), 838–848 (2003)
96. Zhang, Y., Jiang, J.: Issues on integration of fault diagnosis and reconfigurable control in active fault-tolerant control systems. In: Proceedings of the IFAC SAFEPROCESS,
Beijing, China (August 2006)
97. Zhang, D., Wang, Z., Hu, S.: Robust satisfactory fault-tolerant control of uncertain linear
discrete-time systems: an LMI approach. International Journal of Systems Science 38(2),
151–165 (2007)
98. Zhenyu, Y., Huazhang, S., Zongji, C.: The frequency-domain heterogeneous control
mixer module for control reconfiguration. In: Proceedings of the 1999 IEEE Interna-
tional Conference on Control Applications, August 1999. IEEE, Los Alamitos (1999)
Chapter 3
Fault Detection and Diagnosis for Aeronautic
and Aerospace Missions

David Henry, Silvio Simani, and Ron J. Patton

3.1 Introduction
The term Fault Detection and Diagnosis (FDD) is a development of the term Fault
Detection and Isolation (FDI). Generally speaking, FDD goes slightly further than
FDI by including the possibility of estimating the effect of the fault and/or diagnosing
the effect or severity of the fault. Hence, the term FDD also covers the capability
of isolating or locating a fault. Both of these topics have received considerable
attention worldwide and have been theoretically and experimentally investigated
with different types of approaches, as can be seen from the general survey works
[1, 2, 3, 4, 5, 6, 7].
To complete the terminology, the use of the word ‘failure’ (widely used in the
early literature) has been generally replaced by the word ‘fault’ [1]. This is important
and it is now widely recognised that faults are unwanted malfunctions of a system,
whereas a failure denotes a total cessation of a function, via a subsystem or a total
system failure [8].
The developments outlined in this Chapter have been stimulated mainly by the
trend in automation toward systems with increasing complexity and the growing
demands for fault-tolerance, cost efficiency, reliability, and safety as these constitute
fundamental design features in modern control systems. Studies of the ways
in which FDI and FDD methods can be applied in aerospace systems have been
given by [9, 10]. This Chapter moves the subject on about 17 years by presenting
a non-exhaustive overview of recent advances in model-based FDI/FDD and their
applicability for aeronautical systems and aerospace missions. This Chapter focuses
on methods that have either been applied to real aerospace systems or to high fidelity
simulations. For the remainder of the Chapter the terms FDI and FDD will be
replaced by the term FDD because of the overlap between these two topics and as
a consequence of the preference for the use of the term FDD in aerospace system
studies.

David Henry
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: david.henry@laps.ims-bordeaux.fr
Silvio Simani
University of Ferrara, Department of Engineering, 1 Via Saragat, 44100 Ferrara, Italy
e-mail: silvio.simani@unife.it
Ron J. Patton
University of Hull, Department of Engineering, Cottingham Road, Hull HU6 7RX,
United Kingdom
e-mail: R.J.Patton@hull.ac.uk

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 91–128.
springerlink.com
© Springer-Verlag Berlin Heidelberg 2010

Measurement sensors are among the most important components for flight control
and aircraft safety. For example, pitot tube air velocity sensors work in a harsh
environment (e.g. the possibility of becoming iced up at high altitude). When sensors
of this kind have a common mode fault (e.g. all becoming iced up) all the
redundant lanes of the flight control system can potentially fail as a consequence
of failing to receive suitable air data information. It is generally the case that the
fault probabilities for sensors are high when compared with other components and
control actuators, thus making these devices the least reliable components of the
flight system. In order to improve the reliability of the system, sensor hardware and
software (analytical) redundancy schemes have been investigated for aircraft over
the last twenty or more years [9, 10].
For small and military aircraft, multiple hardware redundancy is harder to achieve
due to a lack of operating space and weight limitations. Multiple hardware is costly
and very complex to engineer and maintain. Analytical redundancy makes use of a
mathematical model of the monitored process and is therefore often referred to as
the model-based approach to FDD [1, 4, 11, 12]. The model-based FDD algorithms
are normally programmed in computer software that may be difficult to implement
on real and complex systems, where modelling uncertainty arises inevitably (due
for example to process noise, parameter variations and modelling errors). The FDD
procedure for incipient faults represents a challenge to the theory of model-based
FDD techniques due to the inseparable mixture between fault effects and modelling
uncertainty. This has been defined in the literature as the robustness problem in
FDI/FDD [1, 3].
Model-based FDI/FDD methods commonly make use of the so-called ‘residual signal’
to facilitate the detection and isolation of faults. Methods which use the residual
approach are known as the residual based methods. By far the most studied topic of
the use of residual generators for FDI/FDD has been that of the deterministic state
observer [13, 14, 3]. In the context of observers for stochastic systems there have
also been many studies [15, 16, 3].
A number of researchers have developed residual-based methods using the parity
space concept [17, 18, 2]. Others have developed the theme of robust FDI/FDD
around the Unknown Input Observer (UIO) [19, 3]. Parameter identification has
been a key subject for some investigators [15, 20].
Another popular approach to FDD/FDI, particularly considering robustness, has
been via the use of eigenstructure assignment (EA) coupled with the UIO. Patton
and co-workers [21, 22] conducted a number of studies on this subject and a toolbox
for EA design was developed [23]. The UIO together with EA have been applied
successfully in a robust FDI/FDD study on a jet engine [24].
Geometrical concepts for FDI/FDD (and the so-called ‘failure’ detection for the
USA) were first proposed by [25]. The geometrical concepts were successfully extended
in theoretical work to nonlinear systems [26, 27].
Nonlinear geometric approaches can also be found in [28, 29], in which the fault
estimation method relies on the successive derivatives of input/output signals. A
drawback of these strategies is a high sensitivity to measurement noise and uncertainty
due to dynamical system structure.
Ref. [30] describes an interesting FDD application of a UIO strategy for
Lipschitz-bounded nonlinear systems. This approach is applicable to a wide class
of non-linear systems without requiring a non-linear geometrical approach.
A further approach to FDI/FDD has been based on state estimation using non-linear
stochastic methods such as ‘Particle Filters’, a technique belonging to the class
of Monte-Carlo methods, for nonlinear systems with non-Gaussian noise [31, 32].
Soft computing techniques for FDD/FDI [33] can also be exploited, making use
of neural networks, fuzzy logic or neuro-fuzzy structures. Uppal and Patton [34]
have shown that the neuro-fuzzy approach can be developed from the UIO concept,
making structured residuals as consequents in a neuro-fuzzy system with sets of
residual signals covering the non-linear operation of the system being monitored. In
essence, the soft computing approaches make use of ‘implicit’ rather than ‘explicit’
models of the monitored system and hence also constitute a part of the model-based
approach. The main advantages of the soft computing approaches are that an implicit
mathematical model of the system being diagnosed or monitored is not required and
the techniques handle non-linear dynamics in a very natural way, making them very
suitable for the design of FDD schemes.
Adaptive methods for fault estimation and FDI/FDD are applicable to a wide
class of nonlinear systems and are becoming popular as they blend well with fault
tolerant control (FTC) or fault detection, isolation and recovery (FDIR). One adaptive
method that addresses only output sensor faults is reported in [35].
A crucial issue with any FDD scheme is its robustness to modelling uncertainty.
The robustness problem in FDD is defined as the maximisation of the detectability
and isolability of faults together with the minimisation of the effects of uncertainty
and disturbances on the FDD procedure [1, 3, 6]. A number of FDD techniques have
been mainly developed for linear systems. However, practical models of real-world
systems are mostly nonlinear. Hence, viable procedures for practical application of
FDD techniques must take into account model-reality mismatches and hence modelling
uncertainty. For aircraft and aerospace systems the development of FDD tools
that can be applied to real systems design and integration is still an open issue, particularly
with interest in the reduction in the use of some multiple hardware and the
integrated development of analytical redundancy methods. This is an important area
for practical research.
This Chapter is organised as follows. Section 3.2 summarises the basic methodologies
for actuator, system component and sensor FDD. The methods are based
on output estimation approaches, in conjunction with residual processing schemes,
which include simple threshold detection (for the deterministic case), as well as statistical
analysis when data is affected by noise. The final result consists of a strategy
based on model-based FDI, namely to generate robust and redundant residual signals.
The concept of residual generation is examined with reference to dynamic observers
or Kalman filters. A residual signal is defined as an output estimation error,
in general obtained by the difference between the measurement of one output and
its corresponding estimate. Section 3.2 outlines the design of these FDD estimators
for both deterministic and stochastic environments.
Section 3.3 shows how the proposed FDD algorithms can be applied to the diagnosis
of actuators, process components and input-output sensors for a general example
of a flight control problem. Other aerospace examples (e.g. spacecraft) are also
considered. In particular, the FDD techniques presented in this Chapter have been
tested on time series of data acquired from different high fidelity prototypes, whose
linear mathematical descriptions are obtained by using both ‘first principles’ modelling
and dynamic system identification procedures. Results from simulations show
that diagnosed faults are perfectly compatible with the FDD requirements for these
applications. Finally, Section 3.4 summarises the contributions and achievements of
the Chapter.

3.2 Fault Detection and Diagnosis Approaches


The model-based approach to FDD in dynamic systems has been receiving more
and more attention over the last two decades, in the contexts of both research and
real application. Stemming from this activity, a great variety of methods are found
in the current literature, based on the use of mathematical models of the systems
under investigation and exploiting modern control theory. This Section provides an
overview of the various fault detection methods, with particular attention to FDD
techniques related to the applications described in this Chapter. Residual generators
based on different methods, such as state and output observers, parity relations
and parameter estimation, are just special cases in this general framework. In the
following, some commonly used residual generation and evaluation methods are
discussed and their mathematical formulation presented. This Section presents and
summarises special features and problems regarding the different FDD methods.

3.2.1 The Parity-Space Methods


A significant number of publications address the problem of fault diagnosis using
the parity space approach, see for instance [36, 37, 38, 39, 9, 18, 40, 3].
The most common application of parity space methods in the aerospace field is
based on the redundancy available in Inertial Measurement Units (IMUs) [41, 39, 3,
42, 43]. The redundant measurements acquired from the IMUs are used for deriving
the so-called parity-space relations. In particular, three configurations are used, i.e.
the octahedron, dodecahedron and dedicated pyramidal configurations, see fig. 3.1
for an illustration.

Fig. 3.1 The octahedron (left), the dodecahedron (centre) and the dedicated pyramid (right)
configurations

In the octahedron configuration, each axis (labelled numerically 1 through 6)
contains a gyro and an accelerometer. Complementary axes (i.e. 1 and 2, 3 and 4,
and 5 and 6) make angles of 90 deg with each other and are symmetrically placed
with respect to the body frame, i.e. instruments 1 and 2 are both inclined 45 deg with
respect to the z body axis. Instruments 3 and 4 are inclined 45 deg with respect to the
x body axis and 5 and 6, 45 deg with respect to the y body axis. This configuration
facilitates the determination of 7 (static) parity relations defined according to (see
[41] for more details):

$$
\begin{aligned}
r_1 &= m_1 - m_2 - m_3 - m_4 \\
r_2 &= m_2 + m_3 - m_5 \\
r_3 &= m_6 + m_1 - m_3 \\
r_4 &= m_4 + m_5 - m_1 \\
r_5 &= m_4 + m_6 + m_2 \\
r_6 &= m_1 + m_2 + m_6 - m_5 \\
r_7 &= m_4 + m_5 + m_6 - m_3
\end{aligned}
\tag{3.1}
$$

These equations are used to detect and isolate a single axis fault in either gyros
or accelerometers or a simultaneous correlated double axis fault.
The dedicated pyramidal configuration is based on two IMUs arranged in a geometric
configuration, so that any single failure (1-axis gyro or 1-axis accelerometer)
can be detected and isolated, through the 7 following (static) parity relations:

$$
\begin{aligned}
r_1 &= (m_1 + m_4) - (m_2 + m_5) \\
r_2 &= (m_2 + m_5) - (m_3 + m_6) \\
r_3 &= (m_3 + m_6) - (m_1 + m_4) \\
r_4 &= 2(m_1 + m_3 + m_5) - 3(m_1 + m_4) \\
r_5 &= 2(m_2 + m_4 + m_6) - 3(m_1 + m_4) \\
r_6 &= 2(m_1 + m_3 + m_5) - 3(m_2 + m_5) \\
r_7 &= 2(m_2 + m_4 + m_6) - 3(m_2 + m_5)
\end{aligned}
\tag{3.2}
$$

where measurements $m_1, m_3, m_5$ are for IMU1 and $m_2, m_4, m_6$ are for IMU2. For
fault detection, only $r_i(t)$, $i = 1, 2, 3$ are used, whereas the last four signals
$r_i(t)$, $i = 4, \ldots, 7$ are used for fault isolation in gyros and accelerometers. The
dedicated pyramidal configuration FDD technique is used in the Mars Sample Return
mission, a mission undertaken jointly by NASA and the ESA.
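
As an added illustration (not code from the chapter or from the cited mission software), the sketch below evaluates the relations (3.2), derives each measurement's fault signature from them by linearity, and shows why $r_1, \ldots, r_3$ detect a single-axis fault but leave two candidates until $r_4, \ldots, r_7$ are used. The fault-free vector `HEALTHY`, the bias size and the threshold are constructed values chosen only so that all seven relations vanish; they carry no geometric meaning.

```python
import math

def residuals(m):
    """Evaluate the seven static parity relations of (3.2) for m = [m1, ..., m6]."""
    m1, m2, m3, m4, m5, m6 = m
    a, b, c = m1 + m4, m2 + m5, m3 + m6          # the three pairwise sums
    imu1, imu2 = m1 + m3 + m5, m2 + m4 + m6      # per-IMU sums
    return [a - b, b - c, c - a,
            2 * imu1 - 3 * a, 2 * imu2 - 3 * a,
            2 * imu1 - 3 * b, 2 * imu2 - 3 * b]

def signature(j, rows):
    """Residual pattern caused by a unit additive fault on measurement j (0-based).

    The relations are linear, so a bias f on measurement j produces exactly
    f times this pattern on top of the fault-free (zero) residuals.
    """
    unit = [1.0 if i == j else 0.0 for i in range(6)]
    r = residuals(unit)
    return [r[i] for i in rows]

def _cosine(u, v):
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(x * x for x in v))
    return sum(x * y for x, y in zip(u, v)) / (nu * nv)

def detect(m, threshold):
    """Fault detection on r1..r3 only, as stated in the text."""
    return max(abs(r) for r in residuals(m)[:3]) > threshold

def isolate(m, rows=range(7), tol=1e-9):
    """Return the 1-based measurement indices whose signature best matches the
    observed residual direction, using only the residual rows given."""
    r_all = residuals(m)
    r = [r_all[i] for i in rows]
    if all(x == 0 for x in r):
        return []                                # nothing to isolate
    scores = [abs(_cosine(r, signature(j, rows))) for j in range(6)]
    best = max(scores)
    return [j + 1 for j, s in enumerate(scores) if best - s < tol]

def inject(m, sensor, bias):
    """Copy m and add a constant bias to one measurement (1-based index)."""
    out = list(m)
    out[sensor - 1] += bias
    return out

# Constructed fault-free measurements: every relation in (3.2) evaluates to zero.
HEALTHY = [1.5, 1.5, 1.0, 0.5, 0.5, 1.0]

if __name__ == "__main__":
    faulty = inject(HEALTHY, 4, 0.25)            # bias on m4
    print("residuals     :", residuals(faulty))
    print("detected      :", detect(faulty, 0.1))
    print("r1..r3 only   :", isolate(faulty, rows=range(3)))
    print("all residuals :", isolate(faulty))
```

With only the detection residuals, each pair ($m_1$, $m_4$), ($m_2$, $m_5$), ($m_3$, $m_6$) produces an identical pattern, which is why the isolation residuals are needed.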
The parity-space approach can be based on the parity equations derived from the
dynamic model of the system under diagnosis. The relationship between the parity-
space approach and other model-based approaches has been described by a number
of authors. For example, Patton and Chen describe the equivalent properties between
the state observer approach and the parity space, under certain conditions [9, 18]
and [44] have described the relationship between the parity space and parameter
estimation approaches.
In all of these methods the analytical redundancy that is developed relies on an
input-output polynomial description of the system under diagnosis. The methods
comprise input-output strategies for FDD, in some sense. The use of input-output
forms facilitates the development of analytical descriptions for the disturbance decoupled
residual generators. These dynamic filters, organised into bank structures,
are able to achieve fault isolation properties. An appropriate choice of their parameters
facilitates the maximisation of the robustness with respect to both measurement
noise and modelling errors, whilst optimising fault sensitivity characteristics.
An approach which is strongly based on the use of input-output polynomials is
referred to as the Polynomial Method (PM), presented in [45]. The PM requires the
knowledge of the input-output representation of the continuous-time (or discrete-time),
time-invariant linear dynamic system affected by faults and disturbances. An
important aspect of the PM residual generator design concerns the decoupling properties
of the disturbance. This decoupling is obtained by means of a suitable coordinate
exchange of the monitored input-output system.
Hence, the residual generator model for the investigated system depends on suitable
design polynomials and matrices, which can be arbitrarily selected among the
polynomials with degree greater than or equal to the maximum row degree of the
input-output model. The diagnostic capabilities of the PM residual generator strongly
depend on the choice of the residual transfer function. The analytical solution to
this problem exists and is unique, as demonstrated in [46], due to the choice of a
quadratic constraint equation. The design of the PM filter is completed by introducing
a method for assigning both the zeros and the poles of the continuous time
transfer function from the fault to the residual. The pole and zero locations influence
the transient characteristics (maximum overshoot, delay time, rise time, settling time,
etc.) of the filter as described in [45].
Finally, this PM method can be used for fault isolation. In particular, for the
isolation of a fault affecting one of the output sensors, under the hypotheses that
the input sensors and the remaining output sensors are fault-free, a generalized bank
of residual generator filters is used. The number of these generators is equal to the
number m of the system outputs, and the i-th device (i = 1, . . . , m) is driven by all
but the i-th output and all the inputs of the system. In this case, a fault on the i-th
output sensor affects all but the i-th residual generator. The same technique can be
applied for the isolation of input sensor faults. However, it must be emphasised that
the PM approach is merely a re-iteration or a new interpretation of the parity space
philosophy of utilising input-output signals in polynomial form.

3.2.2 Particle Filtering Approach


The particle filtering approach [47, 48, 49], also called the ‘Condensation Algorithm’
[50] or the ‘Markov Chain Monte Carlo Method’ [51, 52], is a probabilistic
technique that aims to estimate jointly the state of the system $x$ and the discrete fault
modes $z$ at time $t$ as the a-posteriori distribution:

$$p\big(s(t) \mid y(t), y(t-1), \ldots, u(t), u(t-1), \ldots\big) \tag{3.3}$$

where $s(t) = (x(t), z(t))$, knowing a set of samples, i.e. output/input data
$y(t), y(t-1), \ldots, u(t), u(t-1), \ldots$
Within the Bayesian context, the filtering problem is simplified by assuming that
$s(t)$ evolves in a Markovian way. A Markov system is one in which past and future
states are conditionally independent, given the current state. The Markovian
assumption facilitates a recursive formulation of the estimation problem. The problem
then turns out to be the computation of $\hat{x}$ and $\hat{z}$ satisfying the following jump
Markov linear Gaussian model:

$$
\begin{aligned}
z(t) &\sim P(z(t) \mid z(t-1)) \\
x(t) &= A(z(t))\,x(t-1) + B(z(t))\,u(t) + E_1(z(t))\,w(t) \\
y(t) &= C(z(t))\,x(t) + D(z(t))\,u(t) + E_2(z(t))\,v(t)
\end{aligned}
\tag{3.4}
$$

where $y(t) \in \Re^m$ denotes the observations, $x(t) \in \Re^n$ the unknown Gaussian states,
$u \in \Re^p$ a known control signal and where $z(t) \in \{1, \ldots, q\}$ is the set of unknown
discrete states (i.e. the fault modes). The noise processes are assumed to be Gaussian
so that $w(t) \sim \mathcal{N}(0, I)$ and $v(t) \sim \mathcal{N}(0, I)$. The parameters $A, B, C, D, E_1, E_2$ and
$P(z(t) \mid z(t-1))$ are known matrices with $D(z(t))D(z(t))^T > 0$ for any $z(t)$.

3.2.2.1 Kalman Filters


If we consider only one discrete mode $z(t)$ in (3.4), linear transition and observation
functions for the continuous parameters and Gaussian noise, then the ‘belief
state’ has a multivariate Gaussian probability distribution that can be computed incrementally
using a Kalman filter. At each time-step $t$, the Kalman filtering algorithm
updates sufficient statistics $(\mu(t-1), \sigma^2(t-1))$, prior mean and covariance of the
continuous distribution, with the new observation $y(t)$.
However, in the case of non-linear transformations, the Kalman filtering algorithm
does not offer an efficient solution. Good approximations can be achieved
by the extended Kalman filter (EKF) or via the unscented Kalman filter (UKF).
Rather than using the standard Kalman filter update to compute the a-posteriori distribution,
the UKF performs as follows: Given an $m$-dimensional continuous space,
$2m + 1$ sigma points are chosen based on the a-priori covariance. The non-linear
equations are then applied to each of the sigma points and the a-posteriori distribution
is approximated by a Gaussian distribution whose mean and covariance are
computed from the sigma points. The mean is set to the weighted mean of the transitioned
sigma points and the covariance is taken to be the sum of the weighted
squared deviations of the transitioned sigma points from the mean. The UKF update
yields an approximation to the a-posteriori probability whose error depends on
how different the true probability distribution is from the ideal Gaussian case.

3.2.2.2 Particle Filters


The success of the Kalman, EKF and UKF filtering approaches strongly depends
on how closely the belief state resembles a multivariate Gaussian. To overcome this
problem, the particle filter has been proposed in [50]. Basically, a particle filter is a
Markov chain Monte Carlo algorithm that approximates the belief state using a set
of ‘particles’ and keeps the distribution updated as new observations are made over
time. To proceed, the algorithm operates in three steps:
1. The Monte Carlo step. This step considers the evolution of the system over
time. It uses the stochastic model of the system to generate a possible future state
for each sample.
2. The reviewing step. This step corresponds to conditioning on the observations.
Each sample is weighted by the likelihood of seeing the observations in the updated
state representing the sample. After this step, samples that predict the
observations well carry a high weighting, and samples that are unlikely to generate
the observations carry a low weighting.
3. The resampling step. In this step, a new set of uniformly weighted samples is
drawn from the distribution represented by the weighted samples. In this resampling
stage, the probability that a new sample is a copy of a particular sample
is proportional to its corresponding weighting. In other words, high-weighted
samples may be replaced by several samples and low-weighted samples may
disappear.
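
The three steps above, as an added example that is not the code referenced by the chapter: a bootstrap particle filter over $s(t) = (x(t), z(t))$ for a constructed scalar two-mode instance of model (3.4), in which mode 1 halves the sensor gain $C$. All numerical values, the fault time and the function names are assumptions made for the illustration.

```python
import math
import random

# Constructed scalar instance of (3.4). Mode 0 is nominal, mode 1 is a sensor
# that has lost half of its gain. Every value here is illustrative.
A = {0: 0.9, 1: 0.9}
B = {0: 0.2, 1: 0.2}
C = {0: 1.0, 1: 0.5}
E1, E2 = 0.02, 0.05                     # process / measurement noise gains
P_FAULT_NEXT = {0: 0.02, 1: 0.98}       # P(z(t) = 1 | z(t-1))
U = 1.0                                 # constant known input

def simulate(steps, fault_at, rng):
    """Generate measurements y(t) from the model, switching to mode 1 at fault_at."""
    x, ys = 2.0, []
    for t in range(steps):
        z = 1 if t >= fault_at else 0
        x = A[z] * x + B[z] * U + E1 * rng.gauss(0, 1)
        ys.append(C[z] * x + E2 * rng.gauss(0, 1))
    return ys

def particle_filter(ys, n=500, seed=0):
    """Return the posterior probability of the fault mode after each measurement."""
    rng = random.Random(seed)
    particles = [(rng.gauss(2.0, 0.1), 0) for _ in range(n)]   # (x, z) pairs
    p_fault = []
    for y in ys:
        # 1. Monte Carlo step: sample a successor mode and state for each particle.
        moved = []
        for x, z in particles:
            z = 1 if rng.random() < P_FAULT_NEXT[z] else 0
            x = A[z] * x + B[z] * U + E1 * rng.gauss(0, 1)
            moved.append((x, z))
        # 2. Reviewing step: weight by the Gaussian likelihood of y. Weights are
        #    formed from log-likelihoods shifted by their maximum to avoid underflow.
        logw = [-0.5 * ((y - C[z] * x) / E2) ** 2 for x, z in moved]
        top = max(logw)
        w = [math.exp(lw - top) for lw in logw]
        total = sum(w)
        p_fault.append(sum(wi for wi, (_, z) in zip(w, moved) if z == 1) / total)
        # 3. Resampling step: draw n equally weighted particles in proportion to w.
        particles = rng.choices(moved, weights=w, k=n)
    return p_fault

def diagnose(steps=60, fault_at=30):
    ys = simulate(steps, fault_at, random.Random(1))
    return particle_filter(ys)

if __name__ == "__main__":
    for t, p in enumerate(diagnose()):
        print(t, round(p, 3))
```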

3.2.2.3 Rao-Blackwellized Particle Filters


Particle filters have a number of properties that make them suitable for FDD applications,
e.g. they can be applied to nonlinear models with arbitrary prior belief
distributions, the computation time depends only on the number of samples, not on
the complexity of the model, etc. However, it should be stressed that the number
of samples required to cope with high dimensional continuous state systems $x$ is
enormous, leading to the curse of dimensionality and rendering the practical onboard
implementation questionable.
To solve this problem, the Rao-Blackwellized Particle Filter method can be used.
This approach is intended for application in problems of tracking linear multimodal
systems with Gaussian noise. In these systems, the belief state is a mixture of signals
with different Gaussian statistics. The idea is to combine both the particle filter that
samples the discrete modes $z(t)$ and the Kalman filter for each mode $z$ that propagates
sufficient statistics $(\mu_i(t), \sigma_i^2(t))$ for the state $x(t)$. Note that as in the particle
filtering approach, a resampling step is needed to prevent particle impoverishment.
The interested reader can refer to [53, 54, 55] for more theoretical details.
The particle filtering approach has been used successfully for fault diagnosis in
planetary rovers, e.g. the Hyperion robot (four wheeled robot), the K-9 rover (six
wheeled rover).
The software code for the implementation of the PF strategy is freely available at
the website http://www.cs.ubc.ca/~nando/software.html [53, 32].

3.2.3 Nonlinear EKF Approaches


In a similar way to the approaches outlined in subsection 3.2.2, an extended Kalman-type
unknown input estimator is proposed in [56, 57, 58] to solve the FDD problem
of fault diagnosis in aircraft and reusable launch vehicle control surfaces. The
methodology is based on joint parameter and state estimation techniques and consists
in providing an (optimal) estimate of the fault.
Consider the following nonlinear state-space model in the discrete-time framework

$$
\begin{aligned}
x(k+1) &= f_i(x(k), \delta_s(k), \Psi(x, k)) + v(k) \\
y(k) &= g(x(k)) + w(k)
\end{aligned}
\tag{3.5}
$$

where

$$f_i(\cdot) = \big( f(x(k), \delta_s(k), \Psi(x, k)) \quad \delta_i(k) \big) \tag{3.6}$$

$\delta_s$ refers to the healthy control surfaces and $\Psi(x)$ is a vector composed of nonlinear
functions depending on a subset of the state vector $x$. The index ‘i’ is used to outline
that the estimation of the i-th fault $\hat{\delta}_i$ needs to be performed. The stochastic inputs $v$
and $w$ denote the process and measurement noises, respectively, which are assumed
to be uncorrelated white noise processes with covariance matrices:

$$Q(k) = E\{v(k)v(k)^T\}, \quad R(k) = E\{w(k)w(k)^T\} \tag{3.7}$$

The initial estimates of state and covariance matrix are denoted by:

$$\bar{x}_0 = E\{x_0\} \tag{3.8}$$

$$P_0 = E\{(x_0 - \bar{x}_0)(x_0 - \bar{x}_0)^T\} \tag{3.9}$$

Following the method proposed in [59], the problem of recursively estimating the
augmented state vector $x$ can be formulated as a nonlinear filtering problem that
minimizes the conditional mean-square-error, i.e.:

$$\hat{x}(k) = \arg\min E\{\tilde{x}(k)^T \tilde{x}(k) \mid Y^{k-1}\} \tag{3.10}$$

where $\tilde{x}(k) = x(k) - \hat{x}(k)$ is the state estimate error and $Y^{k-1} = \{y_0, y_1, \cdots, y_{k-1}\}$
is a matrix containing the past measurements. The state estimate $\hat{x}(k)$ is equivalent to
the conditional mean of the Gaussian probability density function
$p(x(k)/Y^{(k-1)}) \sim \mathcal{N}(\hat{x}(k), P(k))$ such that:

$$\hat{x}(k) = E\{x(k) \mid Y^{(k-1)}\} \tag{3.11}$$

and where:

$$P(k) = E\{(x(k) - \hat{x}(k))(x(k) - \hat{x}(k))^T \mid Y^{(k-1)}\} \tag{3.12}$$

refers to the state covariance matrix, which quantifies the uncertainty of the estimate.
The estimation algorithm can then be formulated into the following nonlinear
observer-based scheme:

$$
\begin{aligned}
\hat{x}(k+1) &= f_i(\hat{x}(k), \delta_s(k), \Psi(x, k)) + K(k)e(k) \\
\hat{y}(k) &= g(\hat{x}(k))
\end{aligned}
\tag{3.13}
$$

where $K(k)$ is a non-stationary gain to be computed and $e(k) = y(k) - \hat{y}(k/k-1)$ is
the innovation sequence associated with the covariance matrix $P_{ee}$:

$$P_{ee} = E\{(y(k) - \hat{y}(k))(y(k) - \hat{y}(k))^T \mid Y^{k-1}\} \tag{3.14}$$

Based on the previous estimate of the state $\hat{x}(k/k)$ with covariance $\hat{P}(k/k)$, the filter
computes at a subsequent time-step an optimal forecast of the state $\hat{x}(k+1/k)$ and its
covariance matrix $\hat{P}(k+1/k)$ whenever observations become available. This leads
to the following update equations:

$$
\begin{aligned}
\hat{x}(k+1) &= \hat{x}(k) + K(k)e(k) \\
P(k+1) &= P(k) - K(k)P_{ee}(k)K^T(k)
\end{aligned}
\tag{3.15}
$$

The expression of $K(k)$ is given by:

$$K(k) = P_{xy}(k)P_{ee}^{-1}(k) \tag{3.16}$$

where $P_{xy}$ denotes the predicted cross-correlation matrix defined as follows:

$$P_{xy} = E\{(x(k) - \hat{x}(k))(y(k) - \hat{y}(k))^T \mid Y^{k-1}\} \tag{3.17}$$

As the above statistical expectations are generally intractable, some kind of approximation
must be used, such as the Extended Kalman Filter (EKF), which
is based on a first-order Taylor linearization. However, even if the EKF estimator
seems to be adapted, some well-known drawbacks exist in practice, i.e. the parameter
estimates can converge more slowly than the state estimates and in general, only local
convergence can be expected. Based on the work reported in [59], this motivated
[57, 58, 56] to use an approximation of the nonlinear function ‘$f_i(\cdot)$’ by means of a
multi-dimensional extension of Stirling’s interpolation formula.
Although this method presents some optimality proofs, the key feature remains
the a-priori choice of the covariance matrices $Q$ and $R$. The matrix $Q$ controls the
flexibility of the model whereas the measurement covariance matrix $R$ controls the
flexibility of the measurement equations. In the most practical cases, the optimization
of $Q$ and $R$ is done by iteratively testing different values and evaluating the
results over a test period.
In practice, this tuning problem is often tackled as an ad hoc process involving
a very large number of manual trials. In view of this difficulty, it has been chosen
in [56] to automatically tune these matrices by means of an optimization method.
The performance index to be minimized corresponds to the root-mean-square of the
state estimate errors subjected to positivity constraints of the $Q$ and $R$ matrices, that is:

$$
J(k) = \left( \frac{1}{N} \sum_{t_0}^{t_f} \tilde{x}^T \Pi\, \tilde{x} \right)^{1/2}
\quad \text{s.t.} \quad
\begin{cases} Q > 0,\ R > 0 \\ R = \mathrm{diag}(r_i) \\ Q = \mathrm{diag}(q_i) \end{cases}
\tag{3.18}
$$

For convenience, the additional constraints $Q = \mathrm{diag}(q_i)$ and $R = \mathrm{diag}(r_i)$ are imposed
in the optimization algorithm. $\Pi$ is a weighting matrix introduced to manage
separately each component of the vector $\tilde{x}$. $t_0$ and $t_f$ are respectively the initial and
final discrete time of the tuning interval and $N$ denotes the number of data points in
the tuning interval.
Because of the multi-parameter, non-linear and discrete nature of this optimization
problem, a Particle Swarm Optimization (PSO) algorithm is retained in [56] to
derive a numerical solution.
This approach has been applied successfully in [56] to the problem of control
surface failures in the HL-20 Reusable Launch Vehicle (RLV) during its landing
phase. See fig. 3.8 that illustrates some results.

3.2.4 Observer-Based Approaches


3.2.4.1 Disturbance Decoupling Approaches
In the disturbance decoupling approaches, the aim is to generate the fault indicating
signals i.e. the residuals denoted r)so that they behave in the orthogonal space of
unknown inputs(disturbances, modelling errors), whilst maintaining sensitivity to
faults.
In [60], this approach is used for IMU and thruster fault diagnosis of the Mars
Express spacecraft. A bank of UIOs (see Section 1 for definition) with minimum
variance state estimation error is used and organised into an estimator bank for
fault detection and isolation. The unknown inputs are estimated in a moving time
window; the unknown input direction(s) is/are estimated via additional states in an
augmented state observer structure. The unknown inputs are updated in the mov-
ing window and the minimum variance estimator is re-initialised at the end of each
window period. It is assumed that faults do not occur during the unknown input
estimation phase. Carefully selected performance criteria indices are used together
with Monte Carlo robustness tuning and performance evaluation to provide a fault
diagnosis solution.

To proceed, let the system model be given in the discrete-time domain according
to:
$$
\begin{aligned}
x_{k+1} &= A_k x_k + B_k u_k + E_k d_k + F_k^1 f_k + w_k^1 \\
y_k &= C_k x_k + F_k^2 f_k + w_k^2
\end{aligned}
\tag{3.19}
$$
where $x_k$, $u_k$, $y_k$ denote the state, the input and the output vectors, respectively. Each
entry of $f_k$ corresponds to a specific fault, $d_k$ denotes the unknown inputs to be
decoupled and $w_k^1$, $w_k^2$ are independent zero-mean white noise sequences with
covariance matrices $Q_k$, $R_k$, assumed to be known. The authors show that the following
UIO can be used for FDD:
$$
\begin{aligned}
z_{k+1} &= F_{k+1} z_k + T_{k+1} B_k u_k + K_{k+1} y_k \\
\hat{y}_{k+1} &= C_{k+1} z_{k+1} + C_{k+1} H_{k+1} y_{k+1}
\end{aligned}
\tag{3.20}
$$

The residual $r_k$ is also defined according to $r_k = y_k - \hat{y}_k$. Then the problem turns
out to be the design of $F$, $T$, $K$, $H$ to achieve disturbance decoupling with minimum
variance of state estimation, $K$ playing the role of a Kalman gain.
It is shown in [16, 3] that the decoupling objectives are achieved iff the following
conditions are satisfied:

$$E_k = H_{k+1} C_{k+1} E_k \tag{3.21}$$
$$T_{k+1} = I - H_{k+1} C_{k+1} \tag{3.22}$$
$$F_{k+1} = T_{k+1} A_k - K^1_{k+1} C_k \tag{3.23}$$
$$K^2_{k+1} = F_{k+1} H_k \tag{3.24}$$
$$K_{k+1} = K^1_{k+1} + K^2_{k+1} \tag{3.25}$$

The necessary and sufficient condition for the existence of a solution to Eq. (3.21)
is $\mathrm{rank}(C_{k+1} E_k) = \mathrm{rank}(E_k)$ and a special solution is:
$$
H_{k+1} = E_k \left[ (C_{k+1} E_k)^T (C_{k+1} E_k) \right]^{-1} (C_{k+1} E_k)^T
\tag{3.26}
$$
The matrix $K^1_{k+1}$ is designed to stabilise the observer and achieve minimum state
estimation error variance. The solution to this problem is:
$$
K^1_{k+1} = A^1_{k+1} P_k C_k^T \left( C_k P_k C_k^T + R_k \right)^{-1}
\tag{3.27}
$$

where $A^1_{k+1} = T_{k+1} A_k$ and $P_k = E\{(x_k - \hat{x}_k)(x_k - \hat{x}_k)^T\}$ is the covariance matrix of
the state estimation error at time $k$, which can be computed according to the recursive
equation:

$$
\begin{aligned}
P_{k+1} &= A^1_{k+1} P'_{k+1} (A^1_{k+1})^T + T_{k+1} Q_k T_{k+1}^T + H_{k+1} R_{k+1} H_{k+1}^T \\
P'_{k+1} &= P_k - K^1_{k+1} C_k P_k (A^1_{k+1})^T
\end{aligned}
\tag{3.28}
$$

Remark 1. It can be seen that the observer structure described above is equivalent
to a classical Kalman filter for systems without unknown inputs.

Remark 2. Note that the UIO decoupling approach was used for FDD in gyro-
scopes [61]. For this study the author used eigenstructure assignment to achieve the
necessary de-coupling, based on the work on EA for UIO decoupling by [22].
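
The design steps (3.21)-(3.27) can be exercised numerically. The following is an added example, not code from the chapter or from [60]: it builds the UIO for a constructed time-invariant system (all matrices, noise levels and signals are assumptions), propagates the covariance in Joseph form in place of (3.28), and compares the residual with and without the unknown input and against a plain Kalman predictor (H = 0, T = I, as in Remark 1).

```python
import numpy as np

# Constructed time-invariant example system (assumption; not the Mars Express model).
A = np.array([[0.9, 0.1, 0.0],
              [0.0, 0.8, 0.1],
              [0.0, 0.0, 0.7]])
B = np.array([[0.0], [0.0], [1.0]])
C = np.array([[1.0, 0.0, 0.0],
              [0.0, 1.0, 0.0]])
E = np.array([[1.0], [0.5], [0.0]])    # unknown-input direction E_k
F1 = np.array([[0.0], [0.0], [1.0]])   # fault direction F_k^1
Q = 1e-4 * np.eye(3)                   # process-noise covariance
R = 1e-4 * np.eye(2)                   # measurement-noise covariance


def decoupling_matrices(C, E):
    """H from (3.26) and T from (3.22), after the rank test for (3.21)."""
    CE = C @ E
    if np.linalg.matrix_rank(CE) != np.linalg.matrix_rank(E):
        raise ValueError("rank(C E) != rank(E): no solution to (3.21)")
    H = E @ np.linalg.inv(CE.T @ CE) @ CE.T
    T = np.eye(E.shape[0]) - H @ C
    return H, T


def run_observer(steps=300, d_amp=0.0, fault_at=None, fault_size=0.0,
                 decouple=True, seed=0):
    """Simulate plant (3.19) and observer (3.20); return the residuals r_k."""
    rng = np.random.default_rng(seed)
    n, m = A.shape[0], C.shape[0]
    if decouple:
        H, T = decoupling_matrices(C, E)
    else:                               # Remark 1: plain Kalman predictor
        H, T = np.zeros((n, m)), np.eye(n)
    A1 = T @ A
    x = np.zeros((n, 1))
    P = np.eye(n)
    y = C @ x + 1e-2 * rng.standard_normal((m, 1))
    z = -H @ y                          # gives x_hat_0 = z_0 + H y_0 = 0
    residuals = np.zeros((steps, m))
    for k in range(steps):
        residuals[k] = (y - C @ (z + H @ y)).ravel()     # r_k = y_k - y_hat_k
        u = np.array([[np.sin(0.05 * k)]])
        d = np.array([[d_amp * np.sign(np.sin(0.3 * k))]])   # square-wave disturbance
        faulty = fault_at is not None and k >= fault_at
        f = np.array([[fault_size if faulty else 0.0]])
        K1 = A1 @ P @ C.T @ np.linalg.inv(C @ P @ C.T + R)   # (3.27)
        F = A1 - K1 @ C                                      # (3.23)
        K = K1 + F @ H                                       # (3.24), (3.25)
        # Joseph-form covariance propagation, used here in place of (3.28).
        P = F @ P @ F.T + K1 @ R @ K1.T + T @ Q @ T.T + H @ R @ H.T
        z = F @ z + T @ B @ u + K @ y                        # (3.20), uses y_k
        x = A @ x + B @ u + E @ d + F1 @ f + 1e-2 * rng.standard_normal((n, 1))
        y = C @ x + 1e-2 * rng.standard_normal((m, 1))
    return residuals


def mean_norm(r):
    """Mean Euclidean norm of a residual sequence."""
    return float(np.linalg.norm(r, axis=1).mean())


if __name__ == "__main__":
    quiet = run_observer()
    disturbed = run_observer(d_amp=5.0)
    faulty = run_observer(d_amp=5.0, fault_at=150, fault_size=1.0)
    kalman = run_observer(d_amp=5.0, decouple=False)
    print("max |r_disturbed - r_quiet| :", np.abs(disturbed - quiet).max())
    print("mean |r| fault-free, UIO    :", mean_norm(quiet[-50:]))
    print("mean |r| faulty, UIO        :", mean_norm(faulty[-50:]))
    print("mean |r| fault-free, Kalman :", mean_norm(kalman[-50:]))
```

Because $T E = 0$, the disturbed and undisturbed UIO residuals coincide up to rounding, while the plain Kalman predictor's residual is dominated by the unknown input.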

3.2.4.2 Iterative Learning Observer Approach


The Iterative Learning Observer (ILO) approach is proposed in [62] to diagnose
time-varying faults in satellite thrusters. The goal is to derive jointly an estimate of
the system state and an estimate of the fault. The ILO-based strategy uses a learning
mechanism to perform estimation instead of using integrators that are used e.g. in
adaptive observers.
To proceed, let the system be modelled according to the following nonlinear state
space model:
$$
\begin{aligned}
\dot{x}(t) &= f(x(t)) + B u(t) + B_f u_f(t) \\
y &= C x
\end{aligned}
\tag{3.29}
$$
where $x$, $u$, $y$ denote the state, the input and the output vectors. The vector $u_f$ denotes
an additive time varying signal that models the faults to be estimated. It is assumed
that $u_f$ is bounded and that $\|u_f(t) - K_1 u_f(t - \tau)\|_\infty$ is finite where $K_1$ and $\tau$ are
defined below.
The structure of the ILO is then defined according to:
$$
\begin{aligned}
\dot{\hat{x}}(t) &= f(\hat{x}(t)) + B u(t) + \Lambda (y(t) - C\hat{x}(t)) + B_f \varphi(t) \\
\varphi(t) &= K_1 \varphi(t - \tau) + K_2 (y(t) - C\hat{x}(t))
\end{aligned}
\tag{3.30}
$$

where $K_1$, $K_2$ are gain matrices. The parameter $\tau$ is the updating interval. It may be
taken as the sampling-time interval, or as an integer multiple of the sampling-time
interval. The parameter $\Lambda$ is a positive definite matrix and $\varphi(t)$ is called the ILO
input that is used to estimate the time-varying fault. As can be seen, the signal
$\varphi(t)$ is updated by both its past information and the state estimation error.
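
The learning update in (3.30) can be seen at work in a short simulation. This is an added example, not code from [62]: the damped-pendulum drift, the fault signal, the gains, the choice $C = I$, $B = B_f = [0, 1]^T$ and the Euler discretisation with $\tau$ equal to the sampling interval are all assumptions made here.

```python
import math

DT = 0.01          # sampling interval; the updating interval tau is taken equal to it
LAMBDA = 20.0      # observer gain Lambda = LAMBDA * I (positive definite)
K2 = (0.0, 2.0)    # learning gain K_2 acting on the output error


def f(x):
    """Constructed nonlinear drift f(x): a damped pendulum."""
    return (x[1], -math.sin(x[0]) - 0.5 * x[1])


def fault(t):
    """Constructed time-varying actuator fault u_f(t), switched on at t = 5 s."""
    return 0.5 + 0.3 * math.sin(0.5 * t) if t >= 5.0 else 0.0


def run_ilo(k1=1.0, t_end=20.0):
    """Euler simulation of plant (3.29) and ILO (3.30).

    Returns a list of (t, u_f(t), phi(t)) samples.
    """
    x, xh, phi, log = [0.1, 0.0], [0.0, 0.0], 0.0, []
    for k in range(int(round(t_end / DT))):
        t = k * DT
        u, uf = 0.2 * math.sin(t), fault(t)
        err = (x[0] - xh[0], x[1] - xh[1])               # y - C x_hat with C = I
        # ILO input: past value of phi plus a correction from the output error.
        phi = k1 * phi + K2[0] * err[0] + K2[1] * err[1]
        log.append((t, uf, phi))
        fx, fxh = f(x), f(xh)
        x = [x[0] + DT * fx[0],
             x[1] + DT * (fx[1] + u + uf)]
        xh = [xh[0] + DT * (fxh[0] + LAMBDA * err[0]),
              xh[1] + DT * (fxh[1] + u + LAMBDA * err[1] + phi)]
    return log


def worst_error(log, t_from=8.0):
    """Largest |u_f - phi| from t_from onwards (after the onset transient)."""
    return max(abs(uf - phi) for t, uf, phi in log if t >= t_from)


if __name__ == "__main__":
    print("worst |u_f - phi|, K1 = 1.0:", worst_error(run_ilo(k1=1.0)))
    print("worst |u_f - phi|, K1 = 0.9:", worst_error(run_ilo(k1=0.9)))
```

With $K_1 = 1$ the ILO input tracks the fault closely in this set-up; lowering $K_1$ to 0.9 makes the update forget part of its past value at every step and leaves a visible estimation bias.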

3.2.5 Norm-Based Approaches


The majority of methods discussed above involve the use of an open-loop model
of the monitored system, despite the fact that the FDD scheme is placed in a feedback
loop. In such situations, it is well known that faults may be compensated by control
actions and their early detection is clearly more difficult. This motivates the
so-called integrated design of control and diagnosis schemes, according to the ideas
proposed by [63] where robust controllers and fault detectors are designed together
by optimizing a set of mixed control and fault detection objectives. For an applica-
tion study on Reentry Launch Vehicles (RLV), see [64]. However, in many practical
cases, this solution cannot be applied since the existing control laws are already
certified for flight and consequently cannot be removed.
To overcome this problem, the H∞ methods proposed in [65, 66, 67, 68, 69, 70,
71, 72] can be used. The proposed methods can be classified as:

• fault signal estimation based approaches: see [65, 67, 70, 71]
• and residual generation based approaches: see [66, 73, 74, 68, 69, 75, 76, 72]
A great advantage of these methods is that the framework employed (i.e. the H∞
framework) facilitates the inclusion of several robustness objectives within the
design procedure, e.g. against various disturbances, perturbations and model
uncertainties.

3.2.6 H∞ Fault Estimation Approach


Consider the system model in the following LFR (Linear Fractional Representation)
form, placed in a feedback control loop (see fig. 3.2 for easy reference):
$$
y = F_u(P, \Delta) \begin{pmatrix} d \\ f \\ u \end{pmatrix}, \qquad y = Ku
\tag{3.31}
$$

where $d$ denotes the exogenous disturbances (including measurement noise) and
$f$ models the faults to be detected. The controller $K$ is assumed to be known and
$\hat{f}$ is the output of the filter $F$ to be designed. The known LTI model is denoted
by $P$ and $\Delta$ is a block diagonal operator specifying how the modelling errors
enter $P$. $\Delta$ belongs to the structure $\underline{\Delta}$ so that
$\underline{\Delta} = \{\mathrm{block\ diag}(\delta_1^r I_{k_1}, \ldots, \delta_{m_r}^r I_{k_{m_r}}, \delta_1^c I_{k_{m_r+1}}, \ldots, \delta_{m_c}^c I_{k_{m_r+m_c}}, \Delta_1^C, \ldots, \Delta_{m_C}^C),\ \delta_i^r \in \Re,\ \delta_i^c \in \mathcal{C},\ \Delta_i^C \in \mathcal{C}\}$,
where $\delta_i^r I_{k_i}$, $i = 1, \ldots, m_r$, $\delta_j^c I_{k_{m_r+j}}$, $j = 1, \ldots, m_c$ and $\Delta_l^C$, $l = 1, \ldots, m_C$ are
known as the ‘repeated real scalar’ blocks, the ‘repeated complex scalar’ blocks and
the ‘full complex’ blocks, respectively.
The H∞-based fault estimation problem is equivalent to the design problem of a
(stable) filter $F$ such that, for all model perturbations $\Delta \in \underline{\Delta} : \|\Delta\|_\infty \le 1$, $\hat{f}$ is an optimal
estimate, in the H∞-norm sense, of the fault signal $f$.
To achieve high FDD performance, some model-based FDD schemes include
a fault model in the design procedure. Here, the fault model is represented as a
colouring filter for $f$. In other words, $f$ is considered to be the result of filtering a
fictitious signal $\bar{f}$ through a filter $W_f$. This filter is chosen taking into account the
frequency location of the fault to be detected, e.g. if the energy of the faults to be
detected is located at low frequencies, $W_f$ is chosen to be a low-pass filter.

Fig. 3.2 The H∞-based fault estimation problem.

Now, let us define the estimation error signal $e$:

$$e = f - \hat{f} \tag{3.32}$$

Then the design problem turns out to be a minimization problem of the maximal
gain of the closed-loop transfers from the signals $f$ and $d$ to the fault estimation
error $e$. In other words, the goal is to design the filter $F$ so that:

$$\|T_{ed}\|_\infty < \alpha, \quad \forall \Delta \in \underline{\Delta} : \|\Delta\|_\infty \le 1 \tag{3.33}$$

$$\|T_{ef}\|_\infty < \beta, \quad \forall \Delta \in \underline{\Delta} : \|\Delta\|_\infty \le 1 \tag{3.34}$$

where $T_{ed}$ and $T_{ef}$ denote the closed-loop transfer functions between $e$ and $d$, and
$e$ and $f$, respectively. $\alpha$ and $\beta$ are two positive constants which are introduced to
manage separately $\|T_{ed}\|_\infty$ and $\|T_{ef}\|_\infty$. Of course, the smaller $\alpha$ and $\beta$ are, the
higher the FDD performance will be.
In this formulation, $\|M\|_\infty = \sup_\omega \bar{\sigma}(M(j\omega))$ is the H∞-norm of $M$ and $\bar{\sigma}(\bullet)$
denotes the maximum singular value.
To solve the filter design problem, two approaches have been developed. The
first involves the solution of a Riccati equation (see for instance [65]) and the sec-
ond approach uses linear matrix inequality (LMI) optimization techniques. Since
an LMI-based approach has the advantage of eliminating the regularity restrictions
attached to the Riccati-based solution, the LMI-based approach is often preferred.
This approach has been successfully applied for fault diagnosis of control surface
faults in the X-33 and Hopper RLVs, see for instance [77].

3.2.6.1 H∞ /H− Residual Generation Strategy


Based on similar reasoning to the above, Hou and Patton proposed the now well-known
H∞/H− Residual Generation Strategy [78, 79] which has the joint design
goals of maximising the sensitivity of the FDI/FDD residuals to the faults, whilst
minimising the sensitivity of the residuals to the modelling uncertainty, via H∞ optimisation.
In order to develop a structured residual approach, [68, 69] proposed a method
to generate a structured residual vector $r$ in the following general form (see [66, 73,
74, 68, 69, 75, 76, 72] for more details):
$$
r(s) = M_y y(s) + M_u u(s) - L(s) \begin{pmatrix} y(s) \\ u(s) \end{pmatrix}, \qquad u(s) = K(s) y(s)
\tag{3.35}
$$

The proposed method is developed in a very similar manner to the well known
H∞/μ robust controller design technique. The FDD problem consists of jointly
designing $M_y$, $M_u$ and $L(s)$ such that the effects that faults have on $r$ are maximized in
the H−-norm sense, whilst minimizing the influence of unknown inputs and model
uncertainties, in the H∞-norm sense. The role of $M_y$, $M_u$ is to merge optimally the
available measurements and control signals, in the H∞/H− sense outlined above.
A great benefit of the proposed approach is that the residual structuring matrices
are jointly designed with, say, the dynamical part of the FDD scheme. Furthermore,
it is shown how robust pole assignment and $H_{2g}$ specifications can be specified
within the design procedure. The motivations for using such a mix of performance
measures are:
• H∞ performances are convenient to enforce robustness to model uncertainty (e.g.
external disturbances, nonlinear parametric uncertainties and neglected dynam-
ics) and to express frequency-domain specifications.
• H− objectives are useful for fault sensitivity requirements over specified fre-
quency ranges.
• $H_{2g}$ specifications and regional filter pole assignment are convenient to tune the
transient response and to enforce some minimum decay rate of the residual. This
feature becomes very important from a decision making point of view, as the
residual is generally post-processed by a hypothesis based test to make a final
decision about the fault.
To proceed, consider the system model in the LFR form placed in a feedback
control loop given by equation (3.31). Let the residual signal $r$ be defined according to:

$$r = z - \hat{z} \tag{3.36}$$

where $\hat{z}$ is an estimation of $z = M_y y + M_u u$, a subset of measurements $y$ and inputs
$u$. $M_y$ and $M_u$ are two (constant) residual structuring matrices. The goal is to derive
simultaneously $M_y$, $M_u$ and $L(s)$: $\hat{z} = L(s) \begin{pmatrix} y \\ u \end{pmatrix}$ such that:
• (S.1): $\|T_{d \to r}\|_\infty < \gamma_1$. $T_{d \to r}$ denotes the closed-loop transfer function between
$r$ and $d$.
• (S.2): $\|T_{f \to r}\|_- > \gamma_2$ over a specified frequency range $\Omega$. $T_{f \to r}$ denotes the
closed-loop transfer function between $r$ and $f$, and $\Omega$ is the frequency range
where the energy of the faults is likely to be concentrated. From a practical point
of view, $\Omega$ is chosen depending on the nature of the faults to be detected, e.g.
small drifts suggest choosing $\Omega$ in a low frequency range.
In this formulation, $\|M\|_- = \inf_{\omega \in \Omega} \underline{\sigma}(M(j\omega))$, $\Omega = [\omega_1; \omega_2]$, denotes the H−
norm of $M$. $\underline{\sigma}(M(j\omega))$ denotes the minimum non-zero singular value of matrix
$M(j\omega)$ and $\Omega = [\omega_1; \omega_2]$ the evaluated frequency range in which $\underline{\sigma}(M(j\omega)) \neq 0$.
As explained previously, to achieve high performance, model-based FDD
schemes often incorporate disturbance, measurement noise and fault models into the design
procedure. Here, such models are represented as colouring filters. In other words, $d$
and $f$ are considered to be the result of filtering fictitious signals through dynamical
filters. Let $W_d$ and $W_f$ denote these filters. The solution of the FDD scheme design
problem is then handled using the following lemma [68]:
Lemma 1. Consider the colouring filter $W_f$ defined above. Introduce $W_F$, a right
invertible transfer matrix so that $\|W_f\|_- = \frac{\gamma_2}{\lambda} \|W_F\|_-$ and $\|W_F\|_- > \lambda$, where
$\lambda = 1 + \gamma_2$. Define the signal $\tilde{r}$ such that $\tilde{r} = r - W_F(s) f$. Then a sufficient condition
for the fault sensitivity specification (S.2) to hold, is

$$\|T_{f \to \tilde{r}}\|_\infty < 1 \tag{3.37}$$

where $T_{f \to \tilde{r}}$ denotes the closed-loop transfer function between $\tilde{r}$ and $f$.

Using the above lemma, the H∞/H− filter design problem can be re-cast in a
fictitious H∞-framework: using linear fractional algebra and including $\gamma_1$, $\lambda$, $W_F$ and the
weighting functions $W_d$ into the model $P$, one can derive from (3.31) a new model
$\tilde{P}(M_y, M_u)$ depending on the residual structuring matrices $M_y$ and $M_u$ so that:
$$
\begin{pmatrix} r \\ \tilde{r} \end{pmatrix} = F_u\left( F_l\left( \tilde{P}(M_y, M_u), L \right), \Delta \right) \underline{d}
\tag{3.38}
$$
where $\underline{d} = \left( \bar{d}^T \ \bar{f}^T \right)^T$, in which $\bar{d}$ is the fictitious signal generating $d$ through $W_d$. In
this formulation, we assume that $\|\underline{d}\|_2 = \left( \int_{-\infty}^{\infty} \|\underline{d}(t)\|^2 \, dt \right)^{1/2} \le 1$, since it is always
possible to scale $\tilde{P}(M_y, M_u)$.
Then, a sufficient condition for specifications (S.1) and (S.2) to hold is:
$$
\left\| F_l\left( \tilde{P}(M_y, M_u), L \right) \right\|_\infty < 1
\tag{3.39}
$$

This equation seems to be similar to a standard H∞ equation. In fact, this is not
the case since the transfer $\tilde{P}(M_y, M_u)$ depends on $M_y$ and $M_u$, which are unknown. To
overcome this problem, a method based on LMI optimisation techniques is proposed
in [68].

3.2.7 Non-linear FDD Method


This Section presents the development of a new nonlinear FDD scheme providing
both fault detection and the estimation of the fault size. Moreover, the information
brought by the fault size estimation can be very useful for offline maintenance pur-
poses and for on-line reconfiguration of the automatic flight control system. This
method is based on the NonLinear Geometric Approach (NLGA) developed by de
Persis and Isidori [27] who showed that the problem of the FDD for nonlinear sys-
tems is solvable if and only if there is an unobservability distribution that leads, by
means of an appropriate coordinate change, to the determination of an observable
quotient subsystem which is unaffected by all faults but one. For this subsystem,
an adaptive nonlinear filter providing fault size estimation is developed. It is worth
observing that the basic NLGA FDD scheme [80] based on residual signals cannot
provide fault size estimation.
This method was applied to a simulation study of a Vertical Take-Off and Landing
(VTOL) aircraft with reference to a reduced-order model [80].
The new proposed FDD scheme belongs to the NLGA framework, where a
coordinate transformation is the starting point to design a set of adaptive filters in order to
detect additive faults acting on the monitored system and to estimate the magnitude
of the fault. The proposed approach can be properly applied to a nonlinear system
model in the form described in [27]. Moreover, as detailed in [81] and subsequently
developed in [27], a state and output coordinate transformation can be applied to
the considered nonlinear system if and only if a proper fault detectability
condition is satisfied. In this case, the nonlinear system in the new reference frame can
be decomposed into 3 subsystems where the first one (the $\bar{x}_1$-subsystem) is always
decoupled from the disturbance vector and affected by the fault.
The new proposed FDD scheme can be applied only if the fault detectability con-
dition presented in [81] holds and some new constraints are satisfied, as described
in [82].
Thus, an adaptive filter can be designed with reference to the transformed non-
linear system, in order to perform an estimation of the fault signal, which asymp-
totically converges to the magnitude of the fault f . The proposed adaptive filter that
solves this FDD problem is based on the least squares algorithm with forgetting fac-
tor [83] and described by a suitable adaptation law [45]. It can also be shown that
the designed adaptive filter represents a solution to the considered FDD problem,
so that the fault signal estimate provides an asymptotically convergent estimation of
the magnitude of the actual fault, as reported in [45].

3.2.7.1 NLGA Particle Filter FDD Scheme


This Section addresses the FDD problem for a nonlinear stochastic dynamic system.
When stochastic systems are considered, many of the FDD schemes rely on the
system being linear and the noise and disturbances having Gaussian statistics.
In such cases, the Kalman filter is usually employed for state estimation and its
innovation is then used as the residual [3].
The idea used in the linear case mentioned above has been extended to some
nonlinear stochastic systems with additive Gaussian noise and disturbance by em-
ploying linearisation and ‘Gaussianisation’ techniques, and in this case, the Kalman
filter is usually replaced by the Extended Kalman Filter (EKF) [53]. Although this
EKF-based approach appears straightforward, there are no general results to guar-
antee that the approximations will work well in real applications. FDD problems
that are truly nonlinear and are non-Gaussian stochastic systems are still the subject
of extensive investigation in the literature.
Recently, the Particle Filter (PF), a Monte Carlo based method for nonlinear non-
Gaussian state estimation, has attracted much attention [53, 32].
Polynomial extended Kalman filters and the Unscented Kalman Filter (UKF) rep-
resent alternative techniques with performance superior to that of the EKF [84].
However, the interest in PF based methods stems from their ability to
handle any functional nonlinearity and system or measurement noise of any
probability distribution. As an example, the work [32] represents an attempt to introduce
PF into the field of FDD. The fault isolation problem is also investigated.
By combining PF with the NLGA design technique, a particle filtering based
approach (i.e. the NLGA-PF) to FDD is presented. In particular, the PF is employed to
develop a method for solving the FDD problem for the nonlinear stochastic model
of the system under diagnosis, which is derived by following a NLGA strategy. The
use of the NLGA facilitates the determination of disturbance decoupled residual
generators in a stochastic framework. The fault isolation and the disturbance
decoupling suggested in this section differ from the method presented in [32], as
they are achieved via the NLGA strategy.

3.2.8 Sliding Mode Observer


Sliding mode observers are one of the nonlinear FDI approaches discussed in the
literature. In sliding mode systems, the trajectories are forced to evolve along a
surface in the state space [112]. The associated sliding motion is of reduced order
and possesses very specific robustness properties [112]. Sliding mode ideas can be used
in an observer context [120]. The idea is to design the observer gains so that the
sliding surface is reached and maintained so that the error between the plant and the
observer outputs is zero.
In the last decade, sliding mode observers have been used for FDI. The first slid-
ing mode observer designs used typical residual based FDI ideas [122, 114]. The
idea was to ensure the sliding motion was broken when faults/failures occurred in
the system and a residual was generated containing information about the fault. The
more recent work by Edwards et al [113], Tan & Edwards [119], Jiang et al [115]
and Kim et al [117] represent some of the approaches which have the capability to
reconstruct/identify faults. Not only do these design approaches have the ability to
detect and isolate the source of the fault/failure, they also provide further
information about the fault/failure which can be used especially for fault accommodation.
In terms of FTC, the availability of a fault reconstruction signal means that sensor
faults can be corrected before the measurement signals are used by the controller,
and the severity of an actuator fault (actuator effectiveness) can be estimated, which
is beneficial for controller reconfiguration [124, 121, 123].
A generic FDI development in terms of the reconstruction of faults using sliding
mode observers is given in Edwards et al [113]. The novelty of the work in Edwards
et al [113] is the use of the concept of the ‘equivalent output error injection signal’
to reconstruct faults. Tan & Edwards [119] extended this work for robust
reconstruction of sensor and actuator faults by minimizing the effect of modeling uncertainty
on the reconstruction in an L2 sense [116].
One of the benefits of using the method proposed in [113, 119, 118, 111] compared
to other sliding mode observer based FDI methods is that the sliding motion is not
broken even in the event of faults/failures. This allows the possibility of using the
sliding mode observer not only for FDI but also as a state estimator. However, for
FDI purposes, emphasis is placed on the fault estimation and not the state estimation.

3.3 Application Examples


In the following sections, several examples are presented in order to test the
FDD techniques presented in Section 3.2. Complete design procedures for FDI for
isolation and identification of actuator as well as input and output sensor faults are
developed. In order to analyze the diagnostic effectiveness of the FDD strategies in
the presence of abrupt changes or drifts in measurements, realistic fault scenarios
have been considered. The results obtained by the presented FDD approaches
indicate that the detected faults on the various processes are of interest for future aircraft
and aerospace diagnostic applications.

3.3.1 Application to ‘Oscillatory Failure Case’ (OFC)


The term ‘Oscillatory Failure Case’ (OFC) is used to deal with an unwanted aircraft
control surface oscillation. Such faults lead to strong interactions with loads and
aero–elasticity when located within actuator bandwidth.
Consequently, early and robust detection of OFC is very important because it has
an impact on the flight envelope and on the structures. The need for this early and
robust detection has motivated Airbus to develop model-based fault diagnosis meth-
ods to tackle the problem of OFC, see chapter 5 for extensive details. In [57, 58], the
nonlinear EKF estimator described in Section 3.2.3 is used to estimate an OFC in the
Electrical Flight Control System. More precisely, the OFCs that are considered are
those due to electronic components in fault modes generating spurious sinusoidal
signals. These oscillatory signals propagate through the servo-loop control, leading
to control surface oscillation. The faulty components are located inside the Analog
Inputs/Outputs, the position sensors or the actuators.
OFC signals are modelled as sinusoidal signals with frequency and amplitude
uniformly distributed over the frequency range 0-10 Hz. Beyond 10 Hz, an OFC
has no significant effects because of the low-pass behaviour of the actuator. It is
necessary to detect an OFC beyond a given amplitude in a given number of periods,
whatever the OFC frequency. The time for detection is expressed in period numbers,
which means that, depending on the failure frequency, the time really allowed for
detection is not the same.
To solve the OFC detection problem, the authors use an approximation of the
nonlinear model of the actuator by means of a multi-dimensional extension of Stir-
ling’s interpolation formula. This facilitates a simplified implementation since dif-
ferentiability of the nonlinear mappings is not required.
As an illustration, fig. 3.3 shows the behaviour of the residual signal $r(k) = y(k) - \hat{y}(k)$
in both fault-free and faulty situations, for some real telemetric flight data. For
the faulty situation, a simulated OFC with amplitude 0.4 deg and frequency 5 Hz
was injected at time 800 seconds. The interested reader can refer to [57, 58] for
more details.

3.3.2 Simulated Aircraft Model FDD


To show the diagnostic characteristics brought by the application of the proposed
PM and NLGA-AF FDD schemes to a general aviation PIPER PA30 aircraft,
some simulation results obtained in the Matlab® and Simulink® environments are
reported in this Section, which also considers briefly the important features of the
performance evaluation of the diagnosis schemes, i.e. their robustness and
reliability with respect to the uncertainty and disturbance acting on the system by means of
a Monte-Carlo analysis.

Fig. 3.3 Behaviour of the residual r - Fault-free situation (left) / OFC (right). Axes: residual (°) versus Time (s).

The mathematical simulation model of the aircraft used in this Section is based
on the classical nonlinear 6 Degrees of Freedom (6 DoF) rigid body formulation
[85], whose motion occurs as a consequence of applied forces and moments (aero-
dynamic, thrust and gravitational). A set of local approximations for these forces
has been computed and scheduled depending on the values assumed by True Air
Speed (TAS), flap, altitude, curvature radius and flight path angle. In this way, it is
also possible to obtain a simplified mathematical model for each flight condition that
is suitable for a state-space representation, as it can be made explicit. The param-
eters in the analytic representation of the aerodynamic actions have been obtained
from wind tunnel experimental data. It should be observed that aerodynamic forces
and moments are not implemented by the classical linearised expressions (stability
derivatives).
Static aerodynamic actions (e.g. lift and drag characteristics), are implemented
by means of cubic splines approximating nonlinear experimental curves. More de-
tails can be found in the related paper [86]. The linear aircraft model used by the
proposed PM described in Section 3.2.1 embeds the linearisation both of the 6 DoF
model and of the propulsion system. On the other hand, the NLGA-AF FDD scheme
described in Section 3.2.7 requires a nonlinear input affine system [27], but the
adopted simulation model of the aircraft does not fulfil this requirement. For this
reason, a simplified aircraft model has been considered, as reported in [45].
The PM residual generator filters are fed by the 4 component input vector c(t) and
the 9 component output vector y(t) acquired from the nonlinear simulation aircraft
model [87, 46]. Each filter of the PM bank is independent of one of the 4 input
signals and then is also insensitive to the corresponding fault signals. Clearly, the
residual generator bank has been designed to be decoupled from the disturbance
signals, i.e. the wind gust signals, which represent disturbance terms acting on the
aircraft system.

Fig. 3.4 PM residuals for the elevator sensor fault diagnosis. Panels: elevator, aileron, rudder and throttle sensor residuals, each plotted against Samples (sec.).

In order to assess the diagnosis technique, different fault sizes have been
simulated on each sensor. As an example, the 4 residual functions $r_{c_i}(t)$ generated by the
filter bank for input sensor fault isolation, under both fault-free and faulty conditions
are shown in fig. 3.4.
Continuous lines represent the fault-free residual functions, while the dashed
lines depict the faulty residual signals. The dotted lines correspond to the settled
thresholds. The fault considered in Fig 3.4 has been generated on the elevator sen-
sor of the considered aircraft, starting at time t = 150 s. The first residual function
of fig. 3.4 also provides the isolation of the input sensor fault under consideration.
Regarding the new NLGA-AF FDD scheme, in order to assess its effectiveness in
estimating the faults affecting the input sensors, the same flight condition (a coordi-
nated turn at constant altitude) previously described for the PM evaluation has been
considered. A bank of 4 adaptive filters has been used in order to perform the diag-
nosis, the isolation, and the estimation of the elevator, aileron, rudder and throttle
actuator fault magnitudes. It is important to note that each filter is structurally de-
coupled from the vertical and lateral wind disturbance components and is sensitive
to a single input sensor fault.
In fig. 3.5, the simulation results referring to a particular case are reported, where
a small fault with a size of 2° starting at time t = 150 s is added to the elevator
actuator.
With reference to the results obtained, the proposed FDD strategies appear to be
promising for diagnostic application to commercial aircraft. Advantages and
drawbacks of the PM and the new NLGA-AF FDD methods developed in this Section
can be summarised as follows. Both PM filters and NLGA-AF perform lowpass
filtering of input/output measurements. For the particular aircraft application, the
computational burden of polynomial filters is lower than that of NLGA adaptive
filters, so that they are suitable for low-cost implementations. On the other hand,
NLGA-AF can obtain smaller detection time, compared with PM filters, thanks to
the fact that they directly take into account nonlinear terms [45]. It is worth
noting that the results of the Monte-Carlo analysis applied to the PM and NLGA-AF
FDD scheme show how the proper design and optimisation of the dynamic filters
allows the achievement of low false and missed alarm rates, with high detection and
isolation rates, and with minimal detection and isolation delay times, as described
in [45].

Fig. 3.5 Adaptive filters via the nonlinear geometric approach for elevator sensor fault
diagnosis and size estimation. Panels: elevator, aileron, rudder and throttle sensor fault
estimates, each plotted against Samples (sec.).

As for the NLGA-NF, the NLGA Particle Filter (NLGA-PF) has been designed
as described in [82, 46]. The NLGA-PF filter is implemented via the algorithm
summarised in Section 3.2.2 with a number M = 200 of particles and it uses 20000
data samples δthk and nek , acquired from the continuous-time aircraft model.
As an example, the residual functions generated by the NLGA-NF and NLGA-PF
filters for the throttle actuator FDI, under both fault-free and faulty conditions, are
shown in fig. 3.6. The continuous lines represent the fault-free residual functions,
whilst the dotted lines depict the faulty residual signals. As illustrated in fig. 3.6,
the fault has been generated on the throttle actuator of the aircraft, starting at time
t = 100s.

3.3.3 Aerospace Mission Application Examples


The fault detection, isolation and recovery techniques currently used for in flight
critical functions rely on hardware/software redundancy associated with simple
consistency checks or voting mechanisms, or simple estimation techniques such as
Kalman filters. Fixed thresholds, once validated with all the known delays in the
signal propagation (acquisition, frequency, filtering, ...) are used for rapid
recognition of out-of-tolerance conditions. These actions (fault detection and isolation) are
often done by operators using telemetry data collected by ground stations. These data
are usually elaborated using on-board functions based on, e.g. hardware redundancy
like IMUs placed in a pyramidal structure, cross checks using many star-trackers or
short rendezvous sensors, limit value checking with regard to certain tolerances of
normal values. However, the potential lack of communication between the system
and the stations and/or the time used to analyse the collected data, could lead the
missions to be aborted. This problem becomes crucial e.g. during the hypersonic
phase of an atmospheric re-entry and especially during the well known blackout
phase where no communication between the vehicle and the ground stations
exists due to excessive thermic flow. In such cases, only on-board fault detection and
isolation solutions can be considered for aerospace systems.

Fig. 3.6 NLGA-PF and NLGA-NF residuals for throttle actuator FDD.

Model-based methods applied to aerospace example systems can be considered
today as a mature and structured field of research. Significant progress has been
made during the past two decades to address the problem of robustness and
performance assessment. However, except within the Livingstone system [88] which flew
on the Deep Space One spacecraft as part of the Remote Agent Experiment, such
techniques have not been used so far in on-board computers for aerospace missions.
The principal reason is related to the fact that any new technique should provide a
solution having well-defined real-time characteristics and well-defined error rates.
The selection of an advanced model-based fault diagnosis solution at a local or
global level necessarily includes a trade-off between the best adequacy of the
technique and its implementation level for covering an expected fault profile, as well
as its industrialisation process with support tools for its design/tuning and
validation. Very attractive advanced algorithmic solutions would not be accepted without
such industrial framework capability, e.g. for easy parameter tuning and validation
by non-specialist operators. A classical approach could therefore be preferred
despite its smaller fault coverage, because classical methods are well mastered
industrially and well characterized, without risk of excessive false alarms. It follows that
a good balance between physical redundancy and model-based techniques could be
the right solution, leading to more efficient health monitoring systems based on less
redundant elements. See discussion in [9, 10].
This section presents the results achieved when several diagnosis techniques, that
are designed exploiting both hardware and system redundancy, are applied
successfully to aerospace missions.

3.3.3.1 The Microscope Satellite


MICROSCOPE is a satellite to be launched on a circular, quasi-polar,
sun-synchronous orbit at an altitude of 700 km with ascending and descending nodes at
6:00 and 18:00, respectively. To control its trajectory, MICROSCOPE uses the
coupling of six ultra-sensitive accelerometer sensors, a stellar sensor and a very precise
electric propulsion system composed of twelve Field Emission Electric Propulsion
(FEEP) thrusters. The mission can be in danger if a FEEP thruster fault occurs,
since the satellite may not compensate for non-gravitational disturbances, which is
an indispensable prior condition for testing the Equivalence Principle.
To overcome this problem, an FDI scheme that consists of a bank of 12 $H_\infty/H_-$
residual generators is proposed in [72]. The design is done so that the sensitivity
level of the $i$-th residual with respect to the $i$-th FEEP thruster fault $f_i$ is
maximised in the $H_-$-norm sense, whilst guaranteeing robustness against measurement
noise $n$ and spatial disturbances $h(\varpi_\alpha, \varpi_{spin})$ in the $H_\infty$-norm sense. Fig. 3.7
illustrates the behaviour of the residuals $r_i(t)$, $i = 1, ..., 12$, the behaviour of the
decision test and the isolation criteria, for some faulty situations. As can be seen in
the figures, after a small transient behaviour, all faults are successfully detected and
isolated by the FDD unit.

Fig. 3.7 Fault-free and faulty residuals with the decision test (left) and the isolation criteria
(right).

3.3.3.2 The HL-20 RLV

The RLV vehicle shown in Fig. 3.8 was defined as a component of the Personnel
Launch System (PLS) mission. It was initially designed to support several
manned-space missions including the orbital rescue of astronauts, the International
Space Station (ISS) crew exchange and some satellite repair missions.
A typical atmospheric re-entry for a medium or high L/D vehicle consists of
performing three successive flight phases, namely the Hypersonic phase from about
120 km high down to TAEM (Terminal Area Energy Management) handover, the
TAEM phase from Mach 2 gate down to Mach 0.5 gate and the auto-landing phase
from Mach 0.5 gate down to the wheel stop on the runway. After having achieved
the hypersonic path, the vehicle initiates the TAEM phase characterized by an entry
point called TEP (Terminal Exit Point), typically defined when crossing Mach 2
gate, and an exit point called NEP (Nominal Exit Point) which is defined in terms
of altitude, velocity and distance to the runway. Finally, the landing path is defined
in terms of desired altitude from the runway threshold and is composed of three
successive sections, i.e. a steep outer glideslope, a parabolic pullup manoeuvre and
a shallow inner glideslope.
The work presented in [89, 90, 56] focuses on any type of fault in the wing flap
actuators during the landing phase. The strategy proposed by the authors consists of
a bank of two $H_\infty/H_-$ fault detection filters that are designed so that a given filter is
made robust against measurement noise, wind turbulence, the guidance reference
signals and faults in a given wing flap actuator, whilst remaining sensitive to all
faults in the other wing flap actuator. For the purpose of estimating the position of
the faulty control surfaces, the nonlinear EKF method presented in Section 3.2.3 is
used. Fig. 3.8 illustrates the results for some nonlinear simulations in the presence
of wind and atmospheric turbulence. As can be seen, the faults are successfully
detected, isolated and estimated by the FDI unit.

Fig. 3.8 HL–20 vehicle (top), residuals and position estimates (bottom). Plot panels: runaway-type
fault on $\delta_{wfl}$ and jamming-type fault on $\delta_{wfr}$, each showing the flap position (deg) and its
estimate ($\hat{\delta}_{wfl}$, $\hat{\delta}_{wfr}$) against simulation time (s), with the instant at which the fault is
declared by the FDI unit marked.

3.3.4 Robust Diagnosis for Mars Express Satellite Thruster Faults

This section summarises a practical solution example with low computational cost
to the problem of the robust residual generator design for the FDD of the thrusters
of the Mars Express (MEX) satellite model subject to disturbance, uncertainty and
measurement noise. The main challenge is the detection and isolation of faults in
any one of the four active thrusters of the spacecraft during the phases of main
engine burn that cause large torque and centre of mass disturbances. This is the
so-called ‘thruster modulation’ problem, which is very difficult to solve using classical
robust FDD methods.
The proposed FDD strategy is based on fault decoupling observer design for
residual generation and isolation where a separate estimation of disturbance torque
makes the isolation possible. This disturbance is mainly contributed by the main
engine misalignment but may also include un-modelled dynamics. Local linear
mathematical models of the satellite are estimated by means of a robust dynamic system
identification approach based on minimisation of the estimation error [5, 91]. The
identified models are used in the design of robust FDD residual generators based on
dynamic observers that are structurally decoupled from both disturbances and
estimated uncertainties acting on the space vehicle. For the satellite problem, the main
source of disturbance is caused by the large torque imbalance effects arising from
deployment of the main engine. These FDD observers are organised into observer
bank structures, providing good fault isolation properties. The parameters of these
optimal robust disturbance decoupling observers together with the use of a
concurrent disturbance estimation strategy are designed jointly to maximise the robustness
with respect to both measurement noise and modelling errors, whilst optimising
fault sensitivity characteristics.
The FDD robustness obtained via unknown input decoupling is far less conservative
than the best robustness that can be achieved using nonlinear strategies.
Nonlinear methods usually work well if the nonlinear structure of the mathematical
model of the system under investigation is perfectly known. Nonlinear system
approaches are challenged heavily when the uncertainties are unstructured, whilst
the approach can be easily outperformed when the concurrent disturbance estimation
strategy is exploited, due to the conservativeness of the robust results arising
from the way in which the uncertainty bounds are defined.
In this study software algorithms to determine the overall performance of the
proposed FDD methods are described and implemented in the MATLAB and
SIMULINK environments. They perform simulations of the attitude control of the
MEX satellite system based on a reasonably detailed nonlinear model of the MEX
satellite system. The overall FDD scheme exploits a Monte Carlo (MC) tool for
both the design of the robust FDD technique and the final performance evaluation,
as described in [92, 93, 94, 95, 60].
As shown in fig. 3.9, the structure of the MEX orbiter consists of a cube-shaped
spacecraft with two solar panel wings extending from opposite sides. More details
can be found in [96].

Fig. 3.9 The MEX structure.

The background to the FDD methods used in this study has developed from the
combined experiences of the academic authors [92, 93, 94, 95, 60]. The main
approach to the FDD is to make use of unknown input decoupling to suppress/remove
the large main engine-induced disturbances from the residuals used for the FDD of
the gas thrusters. The decoupling approach is based on the work of Chen and
Patton [16, 97], with the additional feature of direction of unknown input estimation
using an augmented observer described in [3]. Instead of using the nonlinear physical
model of the satellite directly, this model is used in a robust recursive identification
study to generate an identified model taking account of some of the modelling
errors associated with variations around a point of operation of the system. The
iterative procedure is included in the MC strategy to optimize the model and structure
of the residuals for robust FDD. The work of Simani and co-workers has been used
for the identification study [5]. The identified model is then used in the residual
generation strategy [92, 93, 94, 95, 60].

Fig. 3.10 Residual signals for faulty thrusters. Plot: comparison of symptoms for fault isolation
(S2); weighted averaging function [rad/sec] (axis scale ×10⁻³) of Observer-0 to Observer-4 against
time [sec], with the detection time t_d, the isolation time t_i and the fault isolation window marked.

Once the linear model for the system under investigation is available, the FDI
scheme relies on the design of the so-called ORDDO [98]. The original work by
Uppal and Patton made use of a multiple-model structure consisting of a group of
decoupling observers for generating the required FDI residuals.
Each observer in the group is designed to be sensitive to a subset of faults (that
have to be detected and isolated). The authors selected the ORDDO strategy for
its ability to decouple faults and to make the FDI design robust w.r.t. the
modelling/parameter uncertainty, noise and disturbance. A separate augmented observer
proposed originally by Chen and Patton [3] is included in the design in order to
estimate the directions of the distribution of the disturbance torque, mainly caused by
main engine misalignment, into the system.
As an example, the residual signals due to the thruster fault case are reported in
fig. 3.10. The residuals indicate a fault occurrence when their values are lower or
higher than the thresholds fixed in fault-free conditions. Regarding the MEX thruster
FDD, fig. 3.10 shows the faulty residuals when thruster 1 is open.
According to the observer bank design described in [95, 60], the residual signal
with the smallest value indicates the corresponding faulty thruster command signal.
In this case, the thruster fault commences at the instant t = 700 s.
Finally, various indices for performance evaluation of the suggested method
were analysed on the monitored MEX system. The MC simulation approach to
both the FDD scheme design and its performance evaluation as exploited here has
facilitated more reliable results than the conventional software reliability models
[92, 93, 94, 95, 60]. These performance evaluation and reliability indices were
computed based on extensive simulations using the MEX MATLAB and SIMULINK
environments. Through many MC runs, the imperfect process modelling, uncertainty,
disturbance and noise can be taken into account, to give more accurate and realistic
results. The complete procedure was implemented using MATLAB and SIMULINK
software tools in order to automate the simulation process. The diagnosis feasibility
and reliability studies are of paramount importance for real application of FDI once
implemented on-board future spacecraft.
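
The threshold test, the smallest-residual isolation rule and the Monte Carlo scoring described above for the MEX thruster FDD can be exercised on constructed data. The following Python example is added here and is not the chapter's MATLAB/SIMULINK code: the residuals are synthetic (Gaussian noise plus a step on every observer except the one decoupled from the faulty thruster), and the window length, threshold margin, fault sizes, fault onset sample and all function names are assumptions.

```python
import random

N_OBSERVERS = 4   # assumed: one decoupled observer per active thruster
N_SAMPLES = 200   # samples per constructed run
FAULT_AT = 100    # constructed fault onset (the chapter's example uses t = 700 s)
WINDOW = 5        # assumed averaging / isolation window, in samples


def simulate_bank(rng, faulty=None, fault_size=1.0, noise_std=0.05):
    """Constructed residuals r[i][k]. Observer i is decoupled from thruster i,
    so a fault on thruster j shifts every residual except r[j]."""
    bank = []
    for i in range(N_OBSERVERS):
        row = [rng.gauss(0.0, noise_std) for _ in range(N_SAMPLES)]
        if faulty is not None and i != faulty:
            for k in range(FAULT_AT, N_SAMPLES):
                row[k] += fault_size
        bank.append(row)
    return bank


def symptom(row):
    """Moving average of |r| over WINDOW samples. Using |r| lets one positive
    threshold catch residuals that leave the fault-free band in either direction."""
    out = [0.0] * len(row)
    for k in range(WINDOW - 1, len(row)):
        out[k] = sum(abs(v) for v in row[k - WINDOW + 1:k + 1]) / WINDOW
    return out


def calibrate_threshold(rng, runs=50, margin=2.0):
    """Fixed threshold set in fault-free conditions: margin x largest symptom."""
    peak = 0.0
    for _ in range(runs):
        for row in simulate_bank(rng):
            peak = max(peak, max(symptom(row)))
    return margin * peak


def diagnose(bank, threshold, start=0):
    """Return (detection sample, isolated thruster), or (None, None) if no alarm."""
    symptoms = [symptom(row) for row in bank]
    for k in range(start, N_SAMPLES):
        if any(s[k] > threshold for s in symptoms):
            # Let one full window elapse, then blame the thruster whose
            # decoupled observer shows the smallest symptom.
            k_iso = min(k + WINDOW, N_SAMPLES - 1)
            isolated = min(range(N_OBSERVERS), key=lambda i: symptoms[i][k_iso])
            return k, isolated
    return None, None


def monte_carlo(seed=1, runs=100, fault_size=1.0):
    """Score the decision logic over many randomised runs."""
    rng = random.Random(seed)
    threshold = calibrate_threshold(rng)
    false_alarms = 0
    for _ in range(runs):                      # fault-free runs
        k_det, _isolated = diagnose(simulate_bank(rng), threshold)
        if k_det is not None:
            false_alarms += 1
    delays, correct = [], 0
    for n in range(runs):                      # faulty runs, cycling the thrusters
        faulty = n % N_OBSERVERS
        bank = simulate_bank(rng, faulty, fault_size)
        k_det, isolated = diagnose(bank, threshold, start=FAULT_AT)
        if k_det is None:
            continue                           # missed alarm
        delays.append(k_det - FAULT_AT)
        if isolated == faulty:
            correct += 1
    detected = len(delays)
    return {
        "threshold": threshold,
        "false_alarm_rate": false_alarms / runs,
        "missed_alarm_rate": (runs - detected) / runs,
        "mean_delay": sum(delays) / detected if detected else None,
        "isolation_rate": correct / detected if detected else None,
    }


if __name__ == "__main__":
    for size in (1.0, 0.02):   # a large fault and one buried in the noise
        print(size, monte_carlo(fault_size=size))
```

Running the same scoring with a fault far below the noise level shows the other side of the trade-off: the fixed threshold that suppresses false alarms also produces missed alarms.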

3.4 Conclusion
This chapter has provided some theoretical and mainly application study results for
the detection and diagnosis of faults in the actuators and sensors of aircraft and
aerospace systems, through the use of different FDD schemes.
Residual generators can be designed from the input-output description of the
linearised model of the system under diagnosis and the disturbance decoupling has
been obtained. A procedure for optimising the residual generator fault sensitivity
and dynamic response has also been presented.
An important aspect of the strategies based on linear residual generators is the
simplicity of the technique used to generate these residuals when compared with
different schemes. The algorithmic simplicity is a very important aspect when considering
the need for verification and validation of a demonstrable scheme for air-worthiness
certification. The more complex the computations required to implement the scheme,
the higher the cost and complexity in terms of air-worthiness certification.
On the other hand, nonlinear methodologies rely on a design scheme based on the
structural decoupling of the disturbance obtained by means of a coordinate
transformation in the state space and in the output space. To apply the nonlinear theory,
a simplified model of the system under investigation can be required. The mixed
$H_-/H_\infty$ optimisation of the tradeoff between fault sensitivity, disturbances and
modelling errors is now well understood in the theoretical work and is a promising
area for application study. On the other hand, UIO strategies can have practical
application via moving ‘unknown input estimation windows’ as demonstrated on a
real satellite thruster modulation design problem.
The nonlinear FDD strategies can also be based on adaptive filter schemes. In
addition to a proper detection and isolation, these methods also provide a fault size
estimation. This feature is not usual for a fault detection and isolation method and
can be very useful during an on-line automatic flight control system reconfiguration,
in order to recover a faulty operating condition. Compared with similar methods
proposed in the literature, the nonlinear adaptive fault diagnosis technique described
here has the advantage of being applicable to more general classes of nonlinear
systems and less sensitive to measurement noise, since it does not use input/output
signal derivatives.
Suitable filtering algorithms for stochastic systems were also proposed. The
knowledge regarding the noise process acting on the system under diagnosis can
be exploited by the fault diagnosis method design, hence the proposed scheme
provides a possible solution to nonlinear system diagnosis with non-Gaussian noise and
disturbance.
The main advantage of nonlinear-based FDD techniques with disturbance
decoupling features is represented by the fact that they take into account directly the
model nonlinearity and the system reality-model mismatch.
The FDD techniques that have been outlined in this chapter have been tested by
considering high fidelity simulators that are able to take into account disturbances
and measurement errors acting on the system under investigation. Moreover, the
robustness characteristics and the achievable performances of the FDD approaches
described have been carefully considered and investigated.
The effectiveness of the proposed diagnosis schemes was shown by simulations
and a comparison with widely used data driven and model-based FDI schemes with
disturbance decoupling. The reliability and the robustness properties of the designed
residual generators to model uncertainty, disturbances and measurement noise were
analysed via extensive simulations, including the use of Monte-Carlo simulation
experiments to tune the FDD parameters.
Finally, the need to bridge the design gap between FDD and recovery mechanisms,
e.g. Fault Tolerant Control (FTC) schemes, is obvious. FDD and FTC
strategies can be combined as shown in Chapter 12 and in related works by the
same authors and by [99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110].

References
1. Patton, R.J., Frank, P.M., Clark, R.N.: Fault Diagnosis in Dynamic Systems, Theory
and Application. Control Engineering Series. Prentice Hall, New York (1989)
2. Gertler, J.: Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New
York (1998)
3. Chen, J., Patton, R.J.: Robust Model-Based Fault Diagnosis for Dynamic Systems.
Kluwer Academic Publishers, Dordrecht (1999)
4. Patton, R.J., Frank, P.M., Clark, R.N.: Advances in Fault Diagnosis for Dynamic
Systems. Springer, London (2000)
5. Simani, S., Fantuzzi, C., Patton, R.J.: Model-based fault diagnosis in dynamic systems
using identification techniques. In: Advances in Industrial Control, 1st edn. Springer,
London (November 2003)
6. Isermann, R.: Fault-Diagnosis Systems: An Introduction from Fault Detection to Fault
Tolerance, 1st edn. Springer, Heidelberg (November 28, 2005)
7. Ding, S.X.: Model-based Fault Diagnosis Techniques: Design Schemes, Algorithms,
and Tools, 1st edn. Springer, Heidelberg (April 10, 2008)
8. Isermann, R., Ballé, P.: Trends in the application of model-based fault detection and
diagnosis of technical processes. Control Engineering Practice 5(5), 709–719 (1997)
9. Patton, R.J.: Fault detection and diagnosis in aerospace systems using analytical
redundancy. Computing & Control Engineering Journal 2(3), 127–136 (1991)
10. Labarrère, M., Patton, R.J.: Detection of sensor failures. In: Pelegrin, M., Hollister,
W.M. (eds.) Concise Encyclopedia of Aeronautics and Space Systems, vol. 2,
pp. 101–110. Pergamon Press, Oxford (1993)
11. Marcos, A., Ganguli, S., Balas, G.J.: An application of H∞ fault detection and isolation
to a transport aircraft. Control Engineering Practice 13, 105–119 (2005)
12. Amato, F., Cosentino, C., Mattei, M., Paviglianiti, G.: A direct/functional redundancy
scheme for fault detection and isolation on an aircraft. Aerospace Science and
Technology 10, 338–345 (2006)
13. Frank, P.M.: On-line fault detection in uncertain non-linear systems using diagnostic
observers - a survey. International Journal of Systems and Science 25, 2129–2154
(1994)
14. Chen, J., Patton, R.J.: Observer-based fault detection and isolation: robustness and
applications. Control Engineering Practice 5, 671–682 (1997)
15. Basseville, M., Nikiforov, I.V.: Detection of Abrupt Changes: Theory and Application.
Prentice-Hall Inc., Englewood Cliffs (1993)
16. Chen, J., Patton, R.J.: Optimal filtering and robust fault diagnosis of stochastic
systems with unknown disturbances. IEE Proceedings on Control Theory &
Applications 143(1), 31–36 (1996)
17. Gertler, J.: Survey of model-based failure detection and isolation in complex plants.
IEEE Control System Magazine 8, 3–11 (1988)
18. Patton, R.J., Chen, J.: A review of parity space approaches to fault diagnosis for
aerospace systems. AIAA Journal of Guidance, Control & Dynamics 17, 278–285
(1994)
19. Chen, J., Patton, R.J., Zhang, H.Y.: Design of unknown input observers and robust fault
detection filters. International Journal of Control 63, 85–105 (1996)
20. Isermann, R.: Supervision, Fault Detection and Fault Diagnosis Methods - An
Introduction. Control Eng. Practice 5(5), 639–652 (1997)
21. Patton, R.J.: Robust fault detection using eigenstructure assignment. In: Proc. 12th
IMACS World Congress on Scientific Computation, pp. 431–434 (1988)
22. Patton, R.J., Chen, J.: On eigenstructure assignment for robust fault diagnosis. Int. J. of
Robust & Nonlinear Control - Special Issue on Fault Detection and Isolation 10 (2000)
23. Liu, G.P., Patton, R.J.: Eigenstructure Assignment for Control System Design. John
Wiley and Sons Ltd., Chichester (1998)
24. Patton, R.J., Chen, J.: Robust fault detection of jet engine sensor systems using
eigenstructure assignment. AIAA Journal of Guidance, Control & Dynamics 15, 1491–1497
(1992)
25. Massoumnia, M.A.: A geometric approach to failure detection and identification in
linear systems. PhD thesis, Massachusetts Institute of Technology, Massachusetts, USA
(1986)
26. Hammouri, H., Kinnaert, M., El Yaagoubi, E.: Observer–based approach to fault
detection and isolation for nonlinear systems. IEEE Transactions on Automatic Control 44,
1879–1884 (1879)
27. De Persis, C., Isidori, A.: A geometric approach to non–linear fault detection and
isolation. IEEE Transactions on Automatic Control 45, 853–865 (2001)
28. Kaboré, P., Othman, S., McKenna, T., Hammouri, H.: An observer-based fault
diagnosis for a class of nonlinear systems – application to a free radical copolymerization
reaction. International Journal of Control 73, 787–803 (2000)
29. Kaboré, P., Wang, H.: Design of fault diagnosis filters and fault tolerant control for
a class of nonlinear systems. IEEE Trans. on Automatic Control 46(11), 1805–1810
(2001)
30. Pertew, A., Marquez, H., Zhao, Q.: LMI–based sensor fault diagnosis for nonlinear
Lipschitz systems. Automatica 43(8), 1464–1469 (2007)
31. Cheng, Q., Varshney, P., Michels, J., Belcastro, C.: Fault detection in dynamic systems
via decision fusion. IEEE Trans. on Aerospace and Electronics Systems 44, 227–242
(2008)
32. Zhang, Q., Campillo, F., Cerou, F., Legland, F.: Nonlinear system fault detection and
isolation based on bootstrap particle filters. In: Proc. of 44th IEEE CDC-ECC, Seville,
Spain, December 2005, pp. 3821–3826 (2005)
33. Korbicz, J., Koscielny, J.M., Kowalczuk, Z., Cholewa, W. (eds.): Fault Diagnosis:
Models, Artificial Intelligence, Applications, 1st edn. Springer, Heidelberg (February 12,
2004)
34. Uppal, F.J., Patton, R.J.: Neuro-fuzzy uncertainty de-coupling: A multiple-model
paradigm for fault detection and isolation. Int. Journal of Adaptive Control & Signal
Processing (Invited Special Issue Paper) 19, 281–304 (2005)
35. Wang, H., Huang, Z., Daley, S.: On the use of adaptive updating rules for actuator and
sensor diagnosis. Automatica 33(2), 217–225 (1997)
36. Chow, E.Y.: Failure detection system design methodology. PhD thesis, Lab. Information
and Decision system, University of Cambridge (1980)
37. Gertler, J.: Survey of model-based failure detection and isolation in complex plants.
IEEE Control Systems Magazine (1988)
38. Patton, R.J., Chen, J.: A review of parity space approaches to fault diagnosis. In: IFAC
Symposium Safeprocess 1991, pp. 239–255 (1991)
39. Chen, J., Zhang, H.Y.: Parity vector approach for detecting failures in dynamic systems.
International Journal of Systems and Science 21, 765–770 (1991)
40. Gertler, J.: Fault detection and isolation using parity relations. Control Eng.
Practice 5(5), 653–661 (1997)
41. Satin, A.L., Gates, R.L.: Evaluation of parity equations for gyro failure detection and
isolation. Journal of Guidance and Control 1(1), 14–20 (2005)
42. Shim, D.S., Yang, C.K.: Geometric FDI based on SVD for redundant inertial sensor
systems. In: Proceedings of the 5th Asian Control Conference, Melbourne - Australia,
vol. 29, pp. 1093–1099 (2004)
43. Yang, C.K., Shim, D.S.: Double faults isolation based on the reduced-order parity
vectors in redundant sensor configuration. International Journal of Control, Automation
and Systems 5(2), 155–160 (2007)
44. Gertler, J., DiPierro, G.: On the relationship between parity relations and parameter
estimation. In: Proceedings of SAFEPROCESS 1997, Hull - England, pp. 468–473.
IFAC (1997)
45. Castaldi, P., Geri, W., Bonfè, M., Simani, S., Benini, M.: Design of residual generators
and adaptive filters for the FDI of aircraft model sensors. In: Control Engineering
Practice, 2009. ACA 2007 – 17th IFAC Symposium on Automatic Control in Aerospace
Special Issue. Elsevier Science, Amsterdam (2007)
46. Benini, M., Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Design and Performance
Evaluation of Fault Diagnosis Strategies for a Simulated Aircraft Nonlinear Model. Journal
of Control Science and Engineering 2008, 1–18 (2008); Special Issue on Robustness
Issues in Fault Diagnosis and Fault Tolerant Control. Hindawi Publishing Corporation
47. Doucet, A.: On sequential simulation-based methods for Bayesian filtering. Technical
report, Cambridge University (1998)
48. Liu, J., Chen, R.: Sequential Monte Carlo methods for dynamic systems. Journal of the
American Statistical Association 93 (1998)
49. Pitt, M., Shephard, N.: Filtering via simulation: Auxiliary particle filter. Journal of the
American Statistical Association 94 (1999)
50. Isard, M., Blake, A.: Condensation: conditional density propagation for visual tracking.
International Journal of Computer Vision 29(1), 5–28 (1998)
51. Fox, D., Burgard, W., Thrun, S.: Markov localization for mobile robots in dynamic
environments. Journal of Artificial Intelligence 11, 391–427 (1999)
52. Thrun, S., Fox, D., Burgard, W.: Monte Carlo localization with mixture proposal
distribution. In: Proceedings of the AAAI National Conf. on Artificial Intelligence. AAAI,
Menlo Park (2000)
53. Doucet, A., de Freitas, N., Gordon, N. (eds.): Sequential Monte Carlo Methods in
Practice. Statistics for Engineering and Information Science. Springer, New York (July
2001)
54. DeFreitas, N.: Rao-blackwellised particle filtering for fault diagnosis. Aerospace (2002)
55. Hutter, F., Dearden, R.: Efficient on-line fault diagnosis for non-linear systems. In:
International Symposium on Artificial Intelligence, Robotics and Automation in Space,
Nara, Japan, May 19-23 (2003)
56. Falcoz, A., Henry, D., Zolghadri, A.: A nonlinear fault identification scheme for
reusable launch vehicles control surfaces. International Review of Aerospace
Engineering (October 2008)
57. Lavigne, L., Zolghadri, A., Goupil, P., Simon, P.: Robust and early detection of
oscillatory failure case for new generation Airbus. In: AIAA GNC 2008, Honolulu, Hawaii.
AIAA (2008)
58. Lavigne, L., Zolghadri, A., Goupil, P., Simon, P.: Oscillatory failure case detection for
new generation Airbus aircraft: a model-based challenge. In: Proceedings of the 47th
IEEE Conference on Decision and Control, Cancun, Mexico, pp. 1249–1254. IEEE,
Los Alamitos (2008)
59. Norgaard, M., Poulsen, N.K., Ravn, O.: New developments in state estimation for
nonlinear systems. Automatica 36, 1627–1638 (2000)
60. Patton, R.J., Uppal, F.J., Simani, S., Polle, B.: Robust FDI applied to thruster faults of a
satellite system. In: Control Engineering Practice, 2009. ACA 2007 – 17th IFAC
Symposium on Automatic Control in Aerospace Special Issue (2007)
61. Venkateswaran, N., Siva, M., Goel, P.: Analytical redundancy based fault detection of
gyroscopes in spacecraft applications. ACTA Astronomica 50(9), 535–545 (2002)
62. Chen, W., Saif, M.: Observer-based fault diagnosis of satellite systems subject to
time-varying thruster faults. Transactions of the ASME 129, 352–356 (2007)
63. Jacobson, C.A., Nett, C.N.: An integrated approach to control and diagnosis for the
minimisation of uncertainties effects on residual generation. IEEE Control Systems
Magazine 11(6), 22–29 (1991)
64. Marcos, A., Balas, G.: A robust integrated controller/diagnosis aircraft application.
International Journal of Robust and Nonlinear Control 15, 531–551 (2005)
65. Mangoubi, R.: Robust estimation and failure detection: A concise treatment. Springer,
Heidelberg (1998)
66. Henry, D., Zolghadri, A., Castang, F., Monsion, M.: A new multi-objective filter design
for guaranteed robust FDI performance. In: Proceedings of CDC 2001, Orlando, Florida,
USA, pp. 173–178 (2001)
67. Marcos, A., Ganguli, S., Balas, G.: An application of H∞ fault detection and isolation to
a transport aircraft. Control Engineering Practice 13, 105–119 (2005)
68. Henry, D., Zolghadri, A.: Design and analysis of robust residual generators for systems
under feedback control. Automatica 41, 251–264 (2005)
69. Henry, D., Zolghadri, A.: Design of fault diagnosis filters: A multi-objective approach.
Journal of Franklin Institute 342(4), 421–446 (2005)
70. Castro, H.V., Bennani, S., Marcos, A.: Robust filter design for a re-entry vehicle. In:
Proceedings of the 7th International Conference on Dynamics and Control of Systems
and Structures in Space, Greenwich, UK (2006)
71. Castro, H.V., Bennani, S., Marcos, A.: Integrated vs decoupled fault detection filter
and flight control law designs for a re-entry vehicle. In: Proceedings of the 2006 IEEE
International Conference on Control Applications, Munich, Germany (2006)
72. Henry, D.: Fault diagnosis of the MICROSCOPE satellite actuators using H∞/H− filters.
AIAA Journal of Guidance, Control, and Dynamics 31(3), 699–711 (2008)
73. Henry, D., Zolghadri, A., Castang, F., Monsion, M.: A multiobjective filtering approach
for fault diagnosis with guaranteed sensitivity performances. In: Proceedings of the 15th
IFAC World Congress, Barcelona, Spain. IFAC (2002)
74. Henry, D., Zolghadri, A.: H∞/H− filters for fault diagnosis in systems under feedback
control. In: Proceedings of SAFEPROCESS 2003, Washington DC, USA, pp. 87–92.
IFAC (2003)
75. Henry, D., Zolghadri, A.: Norm-based design of robust FDI schemes for uncertain
systems under feedback control: Comparison of two approaches. Control Engineering
Practice 14(9), 1081–1097 (2006)
76. Zolghadri, A., Castang, F., Henry, D.: Design of robust fault detection filters for
multivariable feedback systems. International Journal of Modelling and Simulation 26(1),
17–26 (2006)
77. Kerr, M.L., Marcos, A., Penin, L.F., Bornschlegl, E.: Gain-scheduled FDI for a re-entry
vehicle. In: AIAA Guidance, Navigation and Control Conferences and Exhibit,
Honolulu - Hawaii, AIAA–2008–7266. AIAA (2008)
78. Hou, M., Patton, R.J.: An LMI approach to H∞/H− fault detection observers. In:
Proceedings of the UKACC International Conference, CONTROL 1996 (1996)
79. Hou, M., Patton, R.J.: An H∞/H− approach to the design of robust fault diagnosis
observers based upon LMI optimisation. In: Proceedings of the 4th European Control
Conference, ECC 1997, Brussels, July 1–4 (1997)
80. De Persis, C., De Sanctis, R., Isidori, A.: Nonlinear actuator fault detection and isolation
for a VTOL aircraft. In: Proceedings of the American Control Conference, June 2001,
pp. 4449–4454 (2001)
81. De Persis, C., Isidori, A.: On the observability codistributions of a nonlinear system.
Systems and Control Letters 40, 297–304 (2000)
82. Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Nonlinear Actuator Fault Detection and
Isolation for a General Aviation Aircraft. Space Technology – Space Engineering,
Telecommunication, Systems Engineering and Control 27, 107–113 (2007); Special
Issue on Automatic Control in Aerospace
83. Ioannou, P., Sun, J.: Robust Adaptive Control. PTR Prentice–Hall, Upper Saddle River
(1996)
84. Germani, A., Manes, C., Palumbo, P.: Filtering of Stochastic Nonlinear Differential
Systems via a Carleman Approximation Approach. IEEE Transactions on Automatic
Control 52, 2166–2172 (2007)
126 D. Henry, S. Simani, and R.J. Patton

85. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. John Wiley and
Son, Chichester (2003)
86. Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Fault Detection and Isolation for On–
Board Sensors of a General Aviation Aircraft. International Journal of Adaptive Control
and Signal Processing 20, 381–408 (2006) (Copyright 2006 John Wiley & Sons, Ltd.)
87. Bonfè, M., Castaldi, P., Geri, W., Simani, S.: Design and Performance Evaluation of
Residual Generators for the FDI of an Aircraft. International Journal of Automation
and Computing 4, 156–163 (2007), doi:10.1007/s11633–007–0156–7
88. Williams, B.C., Nayak, P.P.: A model-based approach to reactive self-configuring sys-
tems. In: Proceedings of the 13th National Conf. on Artificial Intelligence and 8th Inno-
vative Applications of Artificial Intelligence Conf., pp. 971–978. AAAI Press/The MIT
Press (1996)
89. Falcoz, A., Henry, D., Zolghadri, A.: Development of a robust model-based fault diag-
nosis technique for re-entry launch vehicles: A case study. Progress report (2007)
90. Falcoz, A., Henry, D., Zolghadri, A., Bornschleg, E., Ganet, M.: On-board model-based
robust fdir strategy for reusable launch vehicles (rlv). In: 7th International ESA Con-
ference on Guidance, Navigation and Control Systems, County Kerry, Ireland (2008)
91. Simani, S.: Identification of Residual Generators for Fault Detection and Isolation of
a Satellite Simulated Model. In: EUCA, I. (ed.) European Control Conference 2007 –
ECC 2007, Kos, Greece, July 2–5, vol. CD–Rom, pp. 2296–2303. EUCA, ICCS, IFAC,
ACPA & IEEE CSS (2007)
92. Patton, R.J., Uppal, F., Simani, S., Polle, B.: A Monte Carlo Analysis and Design for
FDI of a Satellite Attitude Control System. In: B. C. Department of Automation, Ts-
inghua University (ed.) SAFEPROCESS 2006, 6th IFAC Symposium on Fault Detec-
tion Supervision and Safety for Technical Processes, IFAC, Beijing, PR China, August
30 – September 1, vol. CDRom, pp. 1393–1398 (2006)
93. Patton, R.J., Uppal, F., Simani, S., Polle, B.: Monte–Carlo Reliability and Perfor-
mance Analysis of Satellite FDI System. In: IFAC (ed.) MECHATRONICS 2006 – 4th
IFAC Symposium on Mechatronic Systems, Heidelberg, Germany, September 12-14,
vol. CD–Rom, pp. 187–192. VDI VDE, IFAC (2006)
94. Patton, R.J., Uppal, F., Simani, S., Polle, B.: Robust FDI Applied to Thruster Faults of
A Satellite System. In: IFAC (ed.) ACA2007 – 17th IFAC Symposium on Automatic
Control in Aerospace, Toulouse, France, June 25–29, vol. CD–Rom, pp. 1–6. IFAC
ACA, IFAC (2007)
95. Patton, R.J., Uppal, F.J., Simani, S., Polle, B.: Reliable fault diagnosis scheme for a
spacecraft attitude control system. Journal of Risk and Reliability 222(2), 139–152
(2008); 6th IFAC SAFEPROCESS Special Issue. Professional Engineering Publishing
96. ESA, ESA – Mars Express – The Spacecraft, tech. rep., ESA – European Space Agency
(October 2005), http://www.esa.int/SPECIALS/MarsExpress/
97. Köenig, D., Patton, R.J.: New design of robust kalman filters for fault detection and
isolation. In: Chen, H.-F., Cheng, D.-Z., Zhang, J.-F. (eds.) 14th World Congress of
IFAC, Beijing, P.R. China, July 5-9, CD–ROM Paper P–7e–09–6 (1999)
98. Uppal, F.J., Patton, R.: Neuro–fuzzy uncertainty de–coupling: A multiple–model
paradigm for fault detection and isolation. International Journal of Adaptive Control
& Signal Processing 19(4), 281–304 (2005); Invited Special Issue Paper
99. Patton, R.J.: Fault-tolerant control: the 1997 situation (survey). In: Proceedings of IFAC
Symposium SAFEPROCESS 1997, pp. 1033–1055 (1997)
100. Chen, J., Patton, R.J., Chen, Z.: Active fault-tolerant flight control systems design using
the linear matrix inequality method. Trans. Inst. MC 21, 77–84 (1999)
3 FDD for Aeronautic and Aerospace Missions 127

101. Blanke, M., Frei, C.W., Kraus, F., Patton, R.J., Staroswiecki, M.: What is fault-tolerant
control? In: Proceedings of IFAC Symposium SAFEPROCESS 2000, pp. 40–51 (2000)
102. Cieslak, J., Henry, D., Zolghadri, A.: A methodoly for the design of active fault tolerant
systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006)
103. Cieslak, J., Henry, D., Zolghadri, A., Goupil, P.: Development of an on-board fault toler-
ant control strategy with application to the Garteur AG16 benchmark. In: Proceedings
of the 17th IFAC Symposium on Automatic Control in Aerospace, Toulouse, France
(2007)
104. Cieslak, J., Henry, D., Zolghadri, A.: An active fault tolerant flight control strategy
for safe recovery against trimmable horizontal stabilizer failure: a case study. AIAA
Journal of Guidance, Control, and Dynamics (2007) (to appear)
105. Cieslak, J., Henry, D., Zolghadri, A.: Une méthodologie pour la synthèse de systémes
de commande tolérants aux défauts, revue électronique e-STA (Sciences et technologies
pour l’automatique), vol. 1, pp. 19–26 (2007)
106. Blanke, M., Kinnaert, M., Lunze, M., Staroswiecki, M.: Diagnosis and fault tolerant
control, 2nd edn. Springer, New York (2008)
107. Bonfè, M., Castaldi, P., Simani, S.: Active Fault Tolerant Control Scheme for a Gen-
eral Aviation Aircraft Model. In: 17th Mediterranean Conference on Control and Au-
tomation (Makedonia Palace, Thessaloniki, Greece), Mediterranean Control Associa-
tion MCA, IEEE Control Systems Society CSS, IEEE Robotics & Automation Society
RAS, June 24–26 (2009) (accepted)
108. Bertozzi, N., Castaldi, P., Bonfè, M., Simani, S., Bertoni, G.: Integrated design of an
aircraft guidance system using feedback linearization. In: IFAC Workshop Aerospace
Guidance, Navigation and Flight Control Systems – AGNFCS 2009, Samara, RUSSIA,
IFAC Technical Committee on Automatic Control in Aerospace, Russian Academy of
Sciences (RAS), Samara Scientific Center (SSC), Department of Dynamics and Motion
Control, IFAC – International Federation of Automatic Control, June 30 -July 2, pp. 1–6
(2009) (accepted)
109. Bonfè, M., Castaldi, P., Simani, S.: Fault Diagnosis and Fault Tolerant Control Inte-
grated Designs Applied to a Civil Unmanned Aerial Vehicle (CUAV). In: Faculty of
Engineering CTAC, Coventry University Computing (eds.) 20th International Confer-
ence on Systems Engineering – ICSE 2009, Coventry, UK, September 2009, Control
Theory and Applications Centre, Coventry University, CTAC, Coventry University, in
cooperation with Technical University of Wroclaw, Wroclaw, Poland, and the Univer-
sity of Nevada, Las Vegas, USA (2009)
110. Patton, R.J., Putra, D., Klinkhieo, S.: A fault-tolerant control approach to friction com-
pensation. In: Proceedings of European Control Conference, ECC 2009 (2009); Invited
Session on FTC in Mechatronic Systems
111. Alwi, H., Edwards, C., Tan, C.P.: Sliding mode estimation schemes for incipient sensor
faults. Automatica 45(7), 1679–1685 (2009)
112. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor
& Francis, London (1998)
113. Edwards, C., Spurgeon, S.K., Patton, R.J.: Sliding mode observers for fault detection.
Automatica 36, 541–553 (2000)
114. Hermans, F.J.J., Zarrop, M.B.: Sliding mode observers for robust sensor monitoring.
In: Proceedings of the 13th IFAC World Congress, pp. 211–216 (1996)
115. Jiang, B., Staroswiecki, M., Cocquempot, V.: Fault estimation in nonlinear uncertain
systems using robust sliding–mode observers. IEE Proceedings: Control Theory & Ap-
plications 151, 29–37 (2004)
116. Khalil, H.K.: Nonlinear Systems. Prentice Hall, Englewood Cliffs (1992)
128 D. Henry, S. Simani, and R.J. Patton

117. Kim, Y.W., Rizzoni, G., Utkin, V.: Developing a fault tolerant power train system by
integrating the design of control and diagnostics. International Journal of Robust and
Nonlinear Control 11, 1095–1114 (2001)
118. Tan, C.P., Edwards, C.: Sliding mode observers for detection and reconstruction of
sensor faults. Automatica, 1815–1821 (2002)
119. Tan, C.P., Edwards, C.: Sliding mode observers for robust detection and reconstruction
of actuator and sensor faults. International Journal of Robust and Nonlinear Control 13,
443–463 (2003)
120. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992)
121. Wu, N.E., Zhang, Y., Zhou, K.: Detection, estimation, and accommodation of loss of
control effectiveness. International Journal of Adaptive Control and Signal Process-
ing 14, 775–795 (2000)
122. Yang, H., Saif, M.: Fault detection in a class of nonlinear systems via adaptive sliding
observer. In: Proceedings of the IEEE International Conference on Systems, Man and
Cybernetics, pp. 2199–2204 (1995)
123. Zhang, Y., Jiang, J.: Design of integrated fault detection, diagnosis and reconfigurable
control systems. In: Proceedings of the IEEE Conference on Decision and Control,
pp. 3587–3592 (1999)
124. Zhang, Y.M., Jiang, J.: Active fault-tolerant control system against partial actuator fail-
ures. IEE Proceedings: Control Theory & Applications 149, 95–104 (2002)
Chapter 4
Real-Time Identification of Aircraft Physical
Models for Fault Tolerant Flight Control

Ping Chu, Jan Albert (Bob) Mulder, and Jan Breeman

Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: q.p.chu@tudelft.nl
Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl
Jan Breeman
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 129–155.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

4.1 Introduction
The primary goal of aircraft fault tolerant flight control is to recover or maintain safe flight when failures have occurred. Aircraft failures can be categorized into subsystem failures and airframe/structural failures. Modern aircraft subsystems are equipped with redundancies and failure detection systems for maintaining and monitoring the health status of subsystems. However, when failures such as engine separations, vertical tail loss, or wing separation (see Chapter 1) have occurred, the airframe/structure of the aircraft will experience significant changes. These failures are not detected by current on-board monitoring systems. As a consequence of these failures, the aerodynamic model and even the mass/inertia properties of the aircraft will be clearly different from their nominal forms. The basic flight control system designed for the nominal aircraft will suffer from the new configuration of the vehicle. In most cases, the human pilot will take over from the automatic flight control system (autopilot) when unexpected behaviour has been recognised, and will try to handle the aircraft manually. Experienced pilots have been trained for handling aircraft with a limited number of failures. However, unsuccessful recovery of the flight may still happen due to human errors or limitations imposed by the flight control architecture. Many incidents/accidents caused by human errors have been reported. In those cases, situational awareness and psychological stress have been the major factors leading to wrong decisions/commands by human pilots (see Chapter 1).
In order to avoid errors of human pilots or to enhance the capabilities of automatic flight control systems, failures will have to be detected and identified on board during the flight. This chapter discusses an approach which has been developed within TU Delft for on-board and real-time identification of aircraft models including damaged aircraft models.
Aircraft models can be identified using different approaches. Especially for structurally damaged aircraft, model identification is particularly challenging. The main difficulty of model identification for damaged aircraft is finding the proper structure of the model. Therefore, non-physical models are commonly applied for this type of identification. Artificial Neural Networks (ANN) are a typical approach (Ref. [23]). However, convergence is always an issue in this approach due to the selection of the network structure and the way of optimising the input-output mapping between the real system output and the ANN model output (neural weights estimation). For aircraft model identification, even when the aircraft is damaged and the structure of the aerodynamic model for the aircraft is significantly changed, the kinematic model of the vehicle should follow the flight dynamics. Moreover, experienced researchers in flight dynamics and aerodynamics may still insert physical knowledge for predicting the model structure of the damaged aircraft as compared to its nominal one. For example, the nominal model for fixed wing aircraft has symmetrical properties. This means that longitudinal and lateral aerodynamic models are independent with respect to the aircraft lateral and longitudinal state variables respectively. For airframe/structure damaged aircraft, this condition might no longer be valid and longitudinal and lateral models might even be tightly coupled. From the analysis of the identified aerodynamic parameters, one may recognise how serious the damage is. This approach is therefore referred to as aircraft physical model identification. The advantage of this approach is that flight control designers can always introduce their knowledge in flight dynamics and aerodynamics in defining the model structure and physically interpret results of the identification. This is the main idea of the present chapter.

4.2 History of Aircraft Model Identification at Delft University of Technology
Since the early sixties the Faculty of Aerospace Engineering of the Delft University of Technology and the National Aerospace Laboratory, Amsterdam have been engaged in the development of methods to derive aircraft performance as well as stability and control characteristics from dynamic flight test data. Traditional methods of performance testing employed measurements in steady straight flight conditions in which the aircraft experienced neither translational nor angular accelerations. Attention was focused on the analysis and design of ‘hybrid’ flight test manoeuvres consisting of quasi-steady as well as nonsteady flight conditions for the derivation of all aircraft performance and stability and control characteristics of interest. The emphasis on the simultaneous measurement of performance and stability and control characteristics dictated development and application of high accuracy flight test measurement techniques and transducers. The key to success proved to be what was called flight path reconstruction, i.e. a technique to accurately reconstruct the time history of the aircraft’s state during the flight test manoeuvre. The results of these investigations were reported in Refs. [8], [10], [9], [17], [14], [15], [16], [7], [5], [6], [32], [4], [30], [21].
Between 1967 and 1968, a number of flight test programs were carried out to evaluate the quality and performance of the flight test methods, the flight test measurement system and the data reduction procedures developed for the derivation of aircraft performance, stability and control characteristics from measurements in nominally symmetric nonsteady manoeuvring flight. Symmetric flight trials flown with the DHC 2 Beaver aircraft owned by the Delft University of Technology yielded most encouraging results.

Fig. 4.1 Delft University DHC2 Beaver PH-VTH, photo by Jack Wolbrink

These investigations were extended next to high-subsonic jet flight. In the early seventies, a new high accuracy flight test instrumentation system was built which was small enough to be installed in a wing mounted pod on the Hawker Hunter MK 7 experimental aircraft owned by the National Aerospace Laboratory. During 1973 and 1974 several successful flight tests were conducted. The higher speeds and different propulsion system required new aerodynamic models. Also, the flight path reconstruction needed an extended model which included the effects of curvature and rotation of the earth. This gave birth to a new concept, namely the calibration of engine gross thrust and mass flow sensor systems in dynamic flight simultaneously with the identification of aerodynamic parameters, and independent of any data from the engine manufacturer. An overview of the results of these very successful flight tests is given in Ref. [29].

Fig. 4.2 NLR Hawker Hunter MK7, PH-NLH, copyright Richard Vandervord, via airliners.net

Around 1978, further flight test programs were planned aiming at aircraft model identification both in symmetric and asymmetric nonsteady manoeuvring flight in an international cooperative program with DLR in Braunschweig, Germany. The results of these investigations were reported in Ref. [33]. The method for parameter identification developed at DUT was by then dubbed the Two-Step Method: in the first step, the flight path is reconstructed, followed by the second step in which the parameters are identified. Based upon the confidence and experience gained in methods and analysis, further flight test programs were carried out by the National Aerospace Laboratory (NLR) to investigate the applicability of this method for the case of a twin engined transport type aircraft, the Fokker F 28 Fellowship. Initial results of the assessment of performance and stability and control characteristics were reported in Ref. [2]. The techniques developed in the course of these flight test programs were subsequently applied with a high degree of success during the testing and development phase of the Fokker 50 and Fokker 100 type aircraft (Ref. [3]). In 1987 flight simulation models were developed for the Cessna Citation 500 of the Dutch Government civil aviation flying school (RLS) flight simulator (Ref. [29]) based on the same technique.
The National Aerospace Laboratory and Delft University of Technology have cooperated in a flight test program with the Fairchild Metro II experimental aircraft owned by NLR. These experiments have demonstrated that estimation of the aircraft state, as well as the identification of longitudinal and lateral aerodynamic model parameters, can be performed on-board in real time (Refs. [20], [19], [22]). In the same flight test programme, attention was focused on different measurement and analysis methods to identify propeller thrust in dynamic flight test manoeuvres (Ref. [26]).

(a) Fokker F28 PH-JHG, photo by Klaus P. Krapp
(b) RLS Cessna Citation 500, PH-CTF, © Erik Frikke, via airliners.net
(c) Fokker 50 PH-DMO, source: zap16.com
(d) Fokker 100 PH-MKC, source: zap16.com

Fig. 4.3 Fokker F28, Cessna Citation 500, Fokker 50 and 100

Fig. 4.4 NLR Fairchild Metro II, PH-NLZ, © Terence Li, via airliners.net

Since 1993, Delft University of Technology has conducted a series of developments to improve the on-board flight test instrumentation system for its new laboratory aircraft, a Cessna Citation II (see Fig. 4.5), due to the availability of new Global Positioning Systems (GPS) and solid state inertial sensors.

Fig. 4.5 TU Delft/NLR Cessna Citation II laboratory aircraft

The new flight test instrumentation system even offers the capability of measuring the attitude of the aircraft using a GPS multi antenna receiver (see Fig. 4.6) to calibrate rotational rate sensors in flight.

Fig. 4.6 GPS antennas on the Cessna Citation II: (a) left wing tip, (b) fuselage, (c) nose

With the new instrumentation system, many successful flight tests were performed and a flight simulation model of the Citation II was obtained under the support of the Dutch Applied Science foundation (STW).
Thus, this successful chain of experiments and analyses amply demonstrated that the nonsteady flight test techniques developed and tested at the Delft University of Technology and the National Aerospace Laboratory were proven, cost effective and well established techniques for the measurement of performance and stability and control characteristics as required for the certification of aircraft.
The goals of most flight test programs for civil and military aircraft are the certification for airworthiness and the estimation of performance and stability and control characteristics. While certain characteristics can be measured directly in flight, such as rate of climb in stationary rectilinear flight or damping ratios and time constants of eigenmotions, a much more efficient approach is to start with the mathematical model of the aerodynamic forces and moments, obtained from measurements of dynamic flight test manoeuvres. Identification implies the development of an adequate mathematical model structure as well as estimation of the numerical values of the parameters in the model. When applied to aircraft, this process is often referred to as aircraft parameter identification. After successful identification of aerodynamic models for different aircraft configurations and flight conditions they may be exploited in numerous different ways. It is possible now to compute a variety of performance and stability and control characteristics, to compile tables and graphs for Aircraft Operations Manuals and compare actual aerodynamic characteristics with theoretical predictions using Computational Fluid Dynamics (CFD) or wind tunnel results. A very interesting application is the enhancement of the fidelity of mathematical models for flight simulation. During the last two decades, the advent of the digital computer and improvements in flight measurement techniques have made a tremendous impact on the theory and practice of aircraft parameter identification.
Stability and control derivatives are the parameters in a linear aerodynamic model of the aircraft. Linear aerodynamic models can be represented by homogeneous polynomials of the first degree in the state and control input variables of the linearized equations of motion. Such polynomials are widely used as linear approximations of aerodynamic forces and moments acting on the aircraft in dynamic flight conditions. In general the domain in which linear models are valid is restricted to small deviations from a nominal flight condition. The advantage of using nonlinear models is that such models should be valid for a larger range of flight conditions and that flight test manoeuvres are much less constrained in terms of manoeuvre amplitudes. A proven way of representing nonlinear models is by using higher order polynomials in the state and control input variables. In principle, the domain of nonlinear models covers larger deviations from a given nominal flight condition, as compared to linear models.
This chapter presents and discusses a successful and practical method for aircraft parameter identification that has originated at the Delft University of Technology. This method is referred to here as the Two-Step Method (Ref. [28]), although one may find other names like Estimation Before Modelling (EBM) in the literature. The chapter goes into some detail on the two-step method as an attractive and efficient identification tool for real-time aircraft aerodynamic model identification for fault tolerant flight control.

4.3 The Two Step Method


In the two-step method, the state trajectory is estimated in the first step while the aerodynamic parameters are estimated in the second step. The first step is also a joint state and parameter estimation problem, since several unknown parameters appear in the models of flight test instrumentation systems. However, the number of unknown parameters in the flight test instrumentation system is much less than the number of aerodynamic parameters, and therefore, this estimation problem is relatively easy to solve. An important factor in guaranteeing the estimation accuracy of the first step is that only kinematic models of the aircraft are applied. The complex yet uncertain aerodynamic model is not included in the first step. Once the flight path trajectory has been estimated, the aerodynamic model becomes linear-in-the-parameters (Refs. [27], [31], [28], [32]). Simple regression methods can then be applied to estimate these parameters. This is considered to be a great advantage of the two-step method, which can be implemented recursively and is therefore suitable for real-time applications.
An alternative is the Maximum Likelihood method which attempts to solve the joint state and parameter estimation problem by searching for the global optimum of a likelihood function composed of output errors (Ref. [24]) or prediction errors. Since the state and parameter estimation problems are solved simultaneously the method may be termed the One-Step Method (Ref. [32]).
Convergence problems may often be encountered when applying the one-step Maximum Likelihood method if a large number of unknown parameters is involved (Ref. [1]). The two-step method does not suffer from such problems and is therefore very suitable for the routine analysis of large amounts of flight test data.
This section presents an analytical comparison of the two-step method and the one-step Maximum Likelihood method. It is shown that in contrast to Maximum Likelihood estimates, the estimates as generated by the two-step method are neither (asymptotically) unbiased nor efficient when linear regression methods are applied to the second step of the two-step method. This holds true except for the limiting case in which measurement noise becomes negligible as compared to aerodynamic process noise. This limit case is argued to be representative for state of the art flight test instrumentation systems.

4.3.1 Decomposition of Aircraft State and Parameter Estimation


The equation of motion of an aircraft flying over a spherical, rotating earth, through an atmosphere relative to the earth, in the local-level navigation frame will be given below. The location of the aircraft centre of gravity relative to the earth is given by the spherical polar coordinates $\delta$ (latitude), $\mu$ (longitude), and $R$ (geocentric radius). Their rates of change are related to the components of the velocity $U_n$ in the local-navigation reference frame $F_n$ (North-East-Down) relative to the earth. If the components of $U_n$ are defined as $U_n = [U_N\ U_E\ U_D]^T$ the relation between $U_n$ and the spherical polar coordinates is:

$$
\dot{\delta} = \frac{U_N}{R}; \quad \dot{\mu} = \frac{U_E}{R\cos\delta}; \quad \dot{R} = -U_D \tag{4.1}
$$

The rates of change of the velocity components in $F_n$ are related to the specific force components $A_x$, $A_y$, and $A_z$ in the aircraft body-fixed reference frame $F_b$ as follows:

$$
\begin{aligned}
\dot{U}_N ={}& A_x\cos\theta\cos\psi + A_y(\sin\phi\sin\theta\cos\psi - \cos\phi\sin\psi) \\
& + A_z(\cos\phi\sin\theta\cos\psi + \sin\phi\sin\psi) + \frac{U_N U_D - U_E^2\tan\delta}{R} - 2\Omega U_E\sin\delta \\
\dot{U}_E ={}& A_x\cos\theta\sin\psi + A_y(\sin\phi\sin\theta\sin\psi + \cos\phi\cos\psi) \\
& + A_z(\cos\phi\sin\theta\sin\psi - \sin\phi\cos\psi) + \frac{U_N U_E\tan\delta + U_E U_D}{R} + 2\Omega(U_E\sin\delta + U_D\cos\delta) \\
\dot{U}_D ={}& -A_x\sin\theta + A_y\sin\phi\cos\theta + A_z\cos\phi\cos\theta - \frac{U_N^2 + U_E^2}{R} - 2\Omega U_E\cos\delta + g
\end{aligned}
\tag{4.2}
$$

in which the rotational rate of the earth is expressed by $\Omega$ ($\Omega = 7.2921 \cdot 10^{-5}$ rad/s), and $g$ denotes acceleration due to gravity. A convenient expression for the magnitude of gravity is:

$$
g = 9.780318 \left(\frac{R_e}{R}\right)^2 \left[1 + 5.3024\times 10^{-3}\sin^2\delta - 5.9\times 10^{-6}\sin^2 2\delta\right] \tag{4.3}
$$

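where the average radius of the earth $R_e = 6367434$ m. The relation between the time derivatives of the Euler angles $\phi$, $\theta$, $\psi$ and the rotational rates $p$, $q$, $r$ in the body-fixed reference frame is:

$$
\begin{aligned}
\dot{\phi} ={}& p + q\sin\phi\tan\theta + r\cos\phi\tan\theta - \left(\frac{U_E}{R} + \Omega\cos\delta\right)\frac{\cos\psi}{\cos\theta} + \frac{U_N\sin\psi}{R\cos\theta}, \\
\dot{\theta} ={}& q\cos\phi - r\sin\phi + \left(\frac{U_E}{R} + \Omega\cos\delta\right)\sin\psi + \frac{U_N\cos\psi}{R}, \\
\dot{\psi} ={}& q\sin\phi\sec\theta + r\cos\phi\sec\theta + \left(\frac{U_E}{R} + \Omega\cos\delta\right)\tan\theta\cos\psi \\
& + \frac{U_N\tan\theta\sin\psi}{R} + \frac{U_E\tan\delta}{R} + \Omega\sin\delta
\end{aligned}
\tag{4.4}
$$
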
In Eq. (4.3) $A_x$, $A_y$ and $A_z$ denote the aerodynamic specific force components directly sensed by ideal accelerometers. From these follow the aerodynamic forces $X = mA_x$, $Y = mA_y$ and $Z = mA_z$, and the dimensionless aerodynamic force coefficients $C_X = \frac{X}{\frac{1}{2}\rho V^2 S}$, $C_Y = \frac{Y}{\frac{1}{2}\rho V^2 S}$ and $C_Z = \frac{Z}{\frac{1}{2}\rho V^2 S}$, where $\rho$, $V$ and $S$ are the air density, true airspeed and wing area. The aircraft rotational motion can be described by Euler’s dynamic equation. Assuming that the aircraft inertia matrix is given by $I$, Euler’s equation has the following form:

$$
\dot{\omega} = I^{-1}(T - \omega \times I\omega) \tag{4.5}
$$

where $\omega = [p\ q\ r]^T$ denotes the rotational rate vector and $T = [L\ M\ N]^T$ is the total moment vector about the centre of gravity of the aircraft. The dimensionless moment coefficients about each axis follow from

$$
C_l = \frac{L}{\frac{1}{2}\rho V^2 S b}, \quad C_m = \frac{M}{\frac{1}{2}\rho V^2 S c}
$$

and $C_n = \frac{N}{\frac{1}{2}\rho V^2 S}$ with the wing span $b$ and aerodynamic mean chord $c$.
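The observations of the system are provided by the flight instrumentation system, including inertial sensors, airdata sensors and satellite radio navigation devices. The observation model is given after laboratory calibrations (Ref. [28]) as
1. inertial sensors

$$
\begin{bmatrix} A_{x_m} \\ A_{y_m} \\ A_{z_m} \end{bmatrix} = \begin{bmatrix} A_x \\ A_y \\ A_z \end{bmatrix} + \begin{bmatrix} \lambda_x \\ \lambda_y \\ \lambda_z \end{bmatrix}; \quad \begin{bmatrix} p_m \\ q_m \\ r_m \end{bmatrix} = \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{4.6}
$$

2. airdata sensors

$$
\begin{aligned}
V &= \sqrt{(U_N - W_N)^2 + (U_E - W_E)^2 + (U_D - W_D)^2} \\
\alpha &= \arctan\frac{(U_N - W_N)(c_\phi s_\theta c_\psi + s_\phi s_\psi) + (U_E - W_E)(c_\phi s_\theta s_\psi - s_\phi c_\psi) + (U_D - W_D)c_\phi c_\theta}{(U_E - W_E)c_\theta c_\psi + (U_E - W_E)c_\theta s_\psi - (U_E - W_E)s_\theta} \\
\beta &= \arctan\frac{(U_N - W_N)(s_\phi s_\theta c_\psi - c_\phi s_\psi) + (U_E - W_E)(s_\phi s_\theta s_\psi + c_\phi c_\psi) + (U_D - W_D)s_\phi c_\theta}{(U_E - W_E)c_\theta c_\psi + (U_E - W_E)c_\theta s_\psi - (U_E - W_E)s_\theta}
\end{aligned}
\tag{4.7}
$$

where $c_\theta = \cos\theta$, $s_\phi = \sin\phi$ etc.

3. position and velocity sensors

$$
\delta_m = \delta; \quad \mu_m = \mu; \quad R_m = R; \quad U_{N_m} = U_N; \quad U_{E_m} = U_E; \quad U_{D_m} = U_D \tag{4.8}
$$

where $\lambda$ and $W$ are the known sensor biases and wind velocity components.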
Combining all these equations in a general form, the aircraft model is given as

$$
\begin{aligned}
\dot{x}(t) &= f[x(t), u(t), \xi] \\
y(t) &= h[x(t), u(t), \xi] \\
y_m(k) &= y(k) + v(k)
\end{aligned}
\tag{4.9}
$$

The dimensionless force and moment coefficients can be expressed in terms of aero-
dynamic, engine thrust and control surface deflection angle variables. This is called
the aerodynamic model.
Applying the output-error method (Ref. [1]), the unknown parameters ξ are es-
timated by minimizing the negative logarithm of the likelihood function composed
of the output errors:
4 Real-Time Identification of Aircraft Physical Models for FTFC 139

$$\ell(\xi) = \frac{1}{2}\sum_{k=1}^{N} \mu^T(k,\xi)\, V_v^{-1}(\xi)\,\mu(k,\xi) + \frac{N}{2}\ln\det V_v(\xi) \tag{4.10}$$

where μ (k, ξ ) is the computed system output error vector and Vv (ξ ) is the covari-
ance matrix of the output errors.
Since the state and the parameter estimation problems are solved simultaneously,
the method may be termed the One-Step Method (OSM) (Ref. [28]).
The aircraft model to be used for the following discussion is a reorganization of
the same model as used in the one-step method in the sense that the accelerometers
and the rate gyros serve as system inputs.
With this organization of the model, the unknown parameter vector ξ can be
separated into two sets $\xi = [\xi_1^T \;\; \xi_2^T]^T$ in which ξ1 consists only of unknown
parameters from the flight test instrumentation system. These parameters are biases
and scale factors in the models of the inertial and air data transducers. The ξ2 are
the aerodynamic parameters. The aircraft model can then be written in the following
form:

$$\begin{aligned}
\dot{x}(t) &= f[x(t), u_{m1}(t), \xi_1] + G[x(t)]\,w(t) \\
y_1(t) &= h[x(t), u_{m1}(t), \xi_1, w(t)] \\
y_{m1}(k) &= y_1(k) + v_1(k) \\
y_2(t) &= h[x(t), u_{m1}(t), u_{m2}(t), \xi_2, w(t)] \\
y_{m2}(k) &= y_2(k) + v_2(k)
\end{aligned} \tag{4.11}$$

It should be noticed that in order to meet this model, certain conditions have to be
satisfied. These are:
1. The mass and inertial characteristics have to be known.
2. The measured or calculated angular acceleration must be available.
It can be seen that the aerodynamic model only appears in the second observation
equation. The first observation equation only consists of air data measurements. It
can also be recognized that the system outputs consist of um1 and um2 . The um1
denote the measured quantities of specific forces and the rotation rates and um2 rep-
resents the elevator deflection and the thrust force. The process noise vector w(t)
then consists of the measurement noise of the accelerometers and rate gyros.
Although the system state equations are decomposed from aerodynamic models,
y2 will be compatible if and only if the state variables x , parameters ξ1 and measured
quantities um1 and um2 are the true values. Therefore the system model is not totally
decomposed. In this situation, joint state and parameter estimation is the only viable
solution.
Using the Maximum Likelihood method all the parameters ξ may be estimated
by minimizing the negative logarithm of the likelihood function composed of the
prediction errors:

(a) High performance accelerometers as part of TU Delft flight test instrumentation system, source: Honeywell
(b) High performance fiber optical rate sensors as part of TU Delft flight test instrumentation system, source: Fizoptika
(c) Inertial sensor calibration facility at TU Delft, source: Acutronic

Fig. 4.7 Inertial measurement unit equipment used at Delft University of Technology

$$\ell(\xi) = \frac{1}{2}\sum_{k=1}^{N} \mu^T(k|k-1,\xi)\, V_\mu^{-1}(k|k-1,\xi)\,\mu(k|k-1,\xi) + \frac{1}{2}\sum_{k=1}^{N} \ln\det V_\mu(k|k-1,\xi) \tag{4.12}$$

where $\mu(k|k-1,\xi)$ is the predicted output error vector:

$$\mu(k|k-1,\xi) = \begin{bmatrix} \mu_1(k,\xi) \\ \mu_2(k,\xi) \end{bmatrix} = \begin{bmatrix} y_{m1}(k) - h_1[\hat{x}(k|k-1,\xi), u_{m1}(k), \xi_1] \\ y_{m2}(k) - h_2[\hat{x}(k|k-1,\xi), u_{m1}(k), u_{m2}(k), \xi] \end{bmatrix} \tag{4.13}$$
As the prediction error vector and its covariance matrix in Eq. (4.12) are calculated
from an extended or iterated-extended Kalman filter with two sets of observation
equations, it may be seen that it is a joint state and parameter estimation problem.
In order to decompose the estimation problem, the following assumptions have to
be made:
Assumption 1: The measured aerodynamic specific force and rotation rate are very
accurate. This is equivalent to the case that process noise in Eq. (4.12) is negligible.
Note that modern inertial sensors are nearly noise free; therefore this assumption
has indeed a practical meaning, and the system state equations in Eq (4.12) reduce
to a deterministic type while the prediction errors are simplified to output errors.
Furthermore, the observation noise in practice is assumed to be uncorrelated and
the likelihood function for this case becomes:
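$$\begin{aligned}
\ell(\xi) &= \frac{1}{2}\sum_{k=1}^{N} \mu^T(k,\xi)\, V_v^{-1}(\xi)\,\mu(k,\xi) + \frac{N}{2}\ln\det V_v(\xi) \\
&= \frac{1}{2}\sum_{k=1}^{N} \mu_1^T(k,\xi_1)\, V_{v_1}^{-1}(\xi_1)\,\mu_1(k,\xi_1) + \frac{N}{2}\ln\det V_{v_1}(\xi_1) \\
&\quad + \frac{1}{2}\sum_{k=1}^{N} \mu_2^T(k,\xi)\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi) + \frac{N}{2}\ln\det V_{v_2}(\xi_2) = \ell_1(\xi_1) + \ell_2(\xi)
\end{aligned} \tag{4.14}$$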

in which $\mu_1$, $\mu_2$, $V_{v_1}$, and $V_{v_2}$ are the calculated output errors and corresponding
covariance matrices with

$$V_v(\xi) = \begin{bmatrix} V_{v_1}(\xi_1) & 0 \\ 0 & V_{v_2}(\xi_2) \end{bmatrix}$$

It may be seen from Eq. (4.14) that the likelihood function is now decomposed into
two terms with respect to two observation models. All cross coupling terms in Eq.
(4.12) are neglected (Ref. [4]).
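The necessary condition for a minimum of Eq. (4.14) is:

$$\frac{\partial \ell(\xi)}{\partial \xi} = \begin{bmatrix} \dfrac{\partial \ell_1(\xi_1)}{\partial \xi_1} \\ 0 \end{bmatrix} + \begin{bmatrix} \dfrac{\partial \ell_2(\xi)}{\partial \xi_1} \\ \dfrac{\partial \ell_2(\xi)}{\partial \xi_2} \end{bmatrix} = 0 \tag{4.15}$$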

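The equivalent forms of Eq. (4.15) are:

$$\begin{aligned}
\frac{\partial \ell_1(\xi_1)}{\partial \xi_{1i}} + \frac{\partial \ell_2(\xi)}{\partial \xi_{1i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_1^T(k,\xi_1)}{\partial \xi_{1i}}\, V_{v_1}^{-1}(\xi_1)\,\mu_1(k,\xi_1) \\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_1^T(k,\xi)\, V_{v_1}^{-1}(\xi_1)\, \frac{\partial V_{v_1}(\xi_1)}{\partial \xi_{1i}}\, V_{v_1}^{-1}(\xi_1)\,\mu_1(k,\xi_1) \\
&+ \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi)}{\partial \xi_{1i}}\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi) \\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_1}^{-1}(\xi_1)\, \frac{\partial V_{v_1}(\xi_1)}{\partial \xi_{1i}} \right] = 0; \quad (i = 1, 2, \ldots, L_1)
\end{aligned} \tag{4.16}$$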

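and:

$$\begin{aligned}
\frac{\partial \ell_2(\xi)}{\partial \xi_{2i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi) \\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_2^T(k,\xi)\, V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi) \\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}} \right] = 0; \quad (i = 1, 2, \ldots, L_2)
\end{aligned} \tag{4.17}$$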

in which L1 and L2 are the sizes of the parameter sets ξ1 and ξ2 respectively.
Eq. (4.16) shows that the gradient of the second term of the likelihood function
with respect to the first set of parameters ξ1 should also be evaluated to satisfy the
minimization condition because the second output error vector is also a function
of the first set of parameters ξ1 . This leads to the following assumption which has
to be made:
Assumption 2: With only the first set of observation equations y1 (t) the identifia-
bility of parameter ξ1 is guaranteed and the state variables x(k) , parameters ξ1 can
be estimated by minimizing the first term of the likelihood function.
In order to satisfy this assumption, the flight instrumentation system should make
information available about ground velocity, air velocity, altitude, and aircraft at-
titude. This is in practice achievable with modern flight instrumentation systems.
With this assumption, the contribution from the second observation equation can be

neglected with respect to the estimation accuracy. It is equivalent to the case that the
second output error vector only takes the estimated states and parameters as perfect
measurements, therefore, μ2 (k, ξ ) is no longer a function of ξ1 , i.e.:

$$\mu_2(k,\xi) = \mu_2(k,\xi_2) \tag{4.18}$$

The gradient of the second likelihood function with respect to the first set of parameters
is then:

$$\frac{\partial \ell_2(\xi)}{\partial \xi_1} = \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi_2)}{\partial \xi_1}\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi_2) = 0 \tag{4.19}$$
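The necessary conditions in Eqs. (4.16), (4.17) become:

$$\begin{aligned}
\frac{\partial \ell_1(\xi_1)}{\partial \xi_{1i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_1^T(k,\xi_1)}{\partial \xi_{1i}}\, V_{v_1}^{-1}(\xi_1)\,\mu_1(k,\xi_1) \\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_1^T(k,\xi)\, V_{v_1}^{-1}(\xi_1)\, \frac{\partial V_{v_1}(\xi_1)}{\partial \xi_{1i}}\, V_{v_1}^{-1}(\xi_1)\,\mu_1(k,\xi_1) \\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_1}^{-1}(\xi_1)\, \frac{\partial V_{v_1}(\xi_1)}{\partial \xi_{1i}} \right] = 0; \quad (i = 1, 2, \ldots, L_1)
\end{aligned} \tag{4.20}$$

and:

$$\begin{aligned}
\frac{\partial \ell_2(\xi)}{\partial \xi_{2i}} ={}& \sum_{k=1}^{N} \frac{\partial \mu_2^T(k,\xi_2)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi_2) \\
&- \frac{1}{2}\sum_{k=1}^{N} \mu_2^T(k,\xi_2)\, V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}}\, V_{v_2}^{-1}(\xi_2)\,\mu_2(k,\xi_2) \\
&+ \frac{N}{2}\,\mathrm{Tr}\left[ V_{v_2}^{-1}(\xi_2)\, \frac{\partial V_{v_2}(\xi_2)}{\partial \xi_{2i}} \right] = 0; \quad (i = 1, 2, \ldots, L_2)
\end{aligned} \tag{4.21}$$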

Now the original joint state and parameter estimation problem, Eq. (4.12), is solved
in two consecutive steps. In the first step, named Flight Path Reconstruction
(Refs. [14], [7], [5], [6], [30]), the state trajectory is estimated simultaneously
with some unknown parameters from the flight test instrumentation system,
Eq. (4.20), while the aerodynamic parameters are estimated in the second step,
Eq. (4.21). The method is then called the two-step method (Refs. [28], [32]).
The above discussion shows that in the limiting case, the two-step method
may produce the same results as the joint state and parameter estimation algorithm,
i.e. the one-step Maximum Likelihood method. This limit case requires an accurate
flight test instrumentation system to make the flight path reconstruction perfect, i.e.:

$$\hat{x}_{FPR}(k|k-1) = x(k); \qquad \hat{\xi}_{1FPR} = \xi_1 \tag{4.22}$$

where the subscript FPR means Flight Path Reconstruction.


In practice, the measurements of the inertial, air data and other navigation sensors
are accurate but certainly not perfect, and the result of the flight path reconstruction
depends on the accuracies of these measurements. The aerodynamic parameter es-
timation takes the result from the flight path reconstruction as state and parameter
measurements whether it is perfectly estimated or not, i.e.:

$$x_m(k) = \hat{x}_{FPR}(k|k-1); \qquad \xi_{1m} = \hat{\xi}_{1FPR} \tag{4.23}$$

The second set of the observation equations, which is in fact the aerodynamic model,
is now written as:

$$y_2(k) = h_2[x_m(k), u_{m1}(k), u_{m2}(k), \xi_{1m}, \xi_2] \tag{4.24}$$

It should be noticed that Eq. (4.24) is usually not compatible due to the errors in
xm ,um1 , um2 , and ξ1m , i.e.:

$$y_2(k) \neq h_2[x_m(k), u_{m1}(k), u_{m2}(k), \xi_{1m}, \xi_2] \tag{4.25}$$


Once the flight path reconstruction is performed, the second set of observation
equations becomes linear-in-the-parameters. This means that the aerodynamic
models are linear functions of the aerodynamic parameters when all the measurements
which are needed to identify the aerodynamic parameters are available from direct
measurements and the result of the flight path reconstruction. Therefore Eq. (4.3),
and the nonlinear observation model Eq. (4.24), can be written in the form:

$$y_{m2}(k) = H_m[x_m(k), u_{m1}(k), u_{m2}(k), \xi_{1m}]\,\xi_2 + v_2(k) \tag{4.26}$$

where Hm [xm (k), um1 (k), um2 (k), ξ1m ] is a matrix of the variables xm ,um1 , um2 and
ξ1m . Since these variables are all available, this matrix may be called a data matrix.
The model becomes now a set of linear regression equations and the estimation
problem for this type of model is easier to solve than nonlinear models. This is
considered to be a great advantage of the two-step method.
Eq. (4.26) can further be written in terms of the total number of samples:

$$Y_m = \Xi_m \xi_2 + \zeta \tag{4.27}$$

in which:

$$\begin{aligned}
Y_m &= [y_{m2}^T(1), y_{m2}^T(2), \ldots, y_{m2}^T(k), \ldots, y_{m2}^T(N)]^T \\
\zeta &= [v_2^T(1), v_2^T(2), \ldots, v_2^T(k), \ldots, v_2^T(N)]^T \\
\Xi_m &= [H_m^T(1), H_m^T(2), \ldots, H_m^T(k), \ldots, H_m^T(N)]^T
\end{aligned} \tag{4.28}$$

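The likelihood function to model Eq. (4.26) now becomes:

$$\ell_2(\xi_2) = \frac{1}{2}(Y_m - \Xi_m \xi_2)^T \Sigma_\zeta^{-1} (Y_m - \Xi_m \xi_2) + \frac{1}{2}\ln\det\Sigma_\zeta \tag{4.29}$$

where:

$$\Sigma_\zeta = E\{\zeta\zeta^T\} \tag{4.30}$$

The Maximum Likelihood estimate of ξ2 is then:

$$\hat{\xi}_{2ML} = (\Xi_m^T \Sigma_\zeta^{-1} \Xi_m)^{-1}\, \Xi_m^T \Sigma_\zeta^{-1} Y_m \tag{4.31}$$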



It is shown from the aerodynamic model Eq. (4.3) that the aerodynamic parameters
are all independent from each other. Therefore, the multi-output parameter estimation
problem of Eq. (4.29) can be simplified as a number of single-output parameter
estimations. For each parameter estimation problem the Maximum Likelihood
parameter estimation is reduced to a Least Squares estimation problem (Ref. [4]):

$$\hat{\xi}_{2ML}^{(i)} = (\Xi_m^{(i)T} \Xi_m^{(i)})^{-1}\, \Xi_m^{(i)T} Y_m^{(i)} = \hat{\xi}_{2LS}^{(i)} \tag{4.32}$$

In Eq. (4.32) index i denotes the ith aerodynamic model. In the present case i =
1, 2, 3, see Eq. (4.3). The index i will be dropped in the following discussions for
simplicity.

4.3.2 Estimation Properties


The estimation properties of the aerodynamic parameters may be analyzed in two
different cases: namely when the result of flight path reconstruction is perfect and
imperfect.
A. Perfect flight path reconstruction

$$\Xi_m = \Xi \tag{4.33}$$

it is shown below that the Least Squares estimates of aerodynamic model param-
eters are unbiased when measurement noise is independent from the measured
data matrix and moreover it is efficient if the measurement noise is Gaussian
distributed.
The expectation of the Least Squares estimates of parameter ξ2 is:

$$E\left\{\hat{\xi}_{2LS}\right\} = E\left\{(\Xi^T\Xi)^{-1}\Xi^T Y_m\right\} = \xi_2 + E\left\{(\Xi^T\Xi)^{-1}\Xi^T \zeta\right\} \tag{4.34}$$

The Least Squares estimation is unbiased if:

$$E\left\{(\Xi^T\Xi)^{-1}\Xi^T \zeta\right\} = 0 \tag{4.35}$$

This means that the measured data matrix should be independent of the measure-
ment noise. This is the case when the measurement noise ζ is white, then:

$$E\left\{(\Xi^T\Xi)^{-1}\Xi^T \zeta\right\} = E\left\{(\Xi^T\Xi)^{-1}\Xi^T\right\} E\{\zeta\} = 0 \tag{4.36}$$

When the measurement noise ζ is Gaussian distributed, the covariance matrix is
minimized and equals the Cramer-Rao lower bound:

$$\mathrm{Cov}\left\{\hat{\xi}_{2LS}\right\} = E\left\{(\Xi^T \Sigma_\zeta^{-1} \Xi)^{-1}\right\} = M^{-1} \tag{4.37}$$

where M is the Fisher information matrix ($\Sigma_\zeta$ is a scalar in the present case):

$$M = E\left\{ \left. \frac{\partial^2 \ell_2(\xi_2)}{\partial \xi_2\, \partial \xi_2^T} \right|_{\xi_2 = \hat{\xi}_{2LS}} \right\} \tag{4.38}$$

From Eq. (4.27) we have:

$$\begin{aligned}
\zeta &= Y_m - \Xi\,\xi_2 \\
n &= Y_m - \Xi\,\hat{\xi}_2
\end{aligned} \tag{4.39}$$
When ζ is white and Gaussian, the Least Squares estimation is unbiased. Therefore
n is also white and Gaussian. The negative logarithm of the likelihood function
can then be written in the form of Eq. (4.29):

$$\ell_2(\hat{\xi}_{2LS}) = \frac{1}{2}(Y_m - \Xi_m \hat{\xi}_{2LS})^T \Sigma_\zeta^{-1} (Y_m - \Xi_m \hat{\xi}_{2LS}) + \frac{1}{2}\ln\det\Sigma_\zeta \tag{4.40}$$

and the expectation of the second order partial derivatives of Eq. (4.40) is:

$$M = E\left\{ \left. \frac{\partial^2 \ell_2(\xi_2)}{\partial \xi_2\, \partial \xi_2^T} \right|_{\xi_2 = \hat{\xi}_{2LS}} \right\} = E\left\{\Xi^T \Sigma_\zeta^{-1} \Xi\right\} \tag{4.41}$$

Comparing Eqs. (4.41) and (4.37) the Least Squares estimation is efficient.
B. In the imperfect flight path reconstruction case the measured data matrix can ap-
proximately be written in terms of a sum of the true data matrix and an additional
error term:
$$\Xi_m = \Xi + \Delta\Xi \tag{4.42}$$
The Least Squares estimates of ξ2 can be calculated if the error term is known.
Unfortunately, this error term is usually an unknown and the Least Squares
method only takes the measured data matrix with errors to calculate the Least
Squares estimates of the unknown parameters ξ2 using the incompatible obser-
vation equations Eq. (4.25):

$$\hat{\xi}_{2LS} = (\Xi_m^T \Xi_m)^{-1}\, \Xi_m^T Y_m \tag{4.43}$$

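The expectation of the Least Squares estimates of parameter ξ2 in the present
case is then:

$$\begin{aligned}
E\left\{\hat{\xi}_{2LS}\right\} &= E\left\{(\Xi_m^T\Xi_m)^{-1}\Xi_m^T Y_m\right\} \\
&= \xi_2 - E\left\{(\Xi_m^T\Xi_m)^{-1}\Xi_m^T\, \Delta\Xi\, \xi_2\right\} + E\left\{(\Xi_m^T\Xi_m)^{-1}\Xi_m^T \zeta\right\}
\end{aligned} \tag{4.44}$$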

Eq. (4.44) shows that even when the noise is white the Least Squares method
using an incorrectly measured data matrix still produces biased estimates of pa-
rameters. The estimation bias is given by:

$$E\left\{(\Xi_m^T\Xi_m)^{-1}\Xi_m^T\, \Delta\Xi\, \xi_2\right\} \tag{4.45}$$

The actual Fisher information matrix is then:

$$M = E\left\{\Xi_m^T \Sigma_\zeta^{-1} \Xi_m\right\} = E\left\{(\Xi + \Delta\Xi)^T \Sigma_\zeta^{-1} (\Xi + \Delta\Xi)\right\} \tag{4.46}$$

Comparing Eqs. (4.46) and (4.37), the Least Squares estimation is not efficient
because of the errors in the data.

4.3.3 Techniques to Cope with Estimation Biases


It may be seen from previous sections that biased estimates of the aerodynamic
parameters are caused by a number of reasons. In order to keep the Least Squares es-
timates of ξ2 unbiased and efficient, several techniques which can cope with the es-
timation biases of the Least Squares method may be applied. These techniques are:
a) accurate flight test instrumentation system (Refs. [15], [16], [31], [28], [32]),
b) instrumental variable method (Ref. [18]), and
c) Total Least Squares method (Refs. [22], [19], [20]).
The Total Least Squares method has been applied with success at the Delft Uni-
versity of Technology to aircraft aerodynamic parameter estimation especially for
the case of errors in the data matrix.

4.4 On-Line Parameter Estimation Using Least Squares and Total Least Squares Methods
The most common method to solve an overdetermined set of linear equations is
the least-squares estimator (LS). The numerical simplicity of the LS regression es-
timator and the availability of recursive algorithms are probably the prime reasons
behind its extreme proliferation. Although LS regression only acknowledges distur-
bances in the dependent variables, it is often applied to cases where not only the
system’s output, but also the independent explanatory variables are affected by un-
certainties. This applies to many aerospace applications, for example in the equation
error approach to aerodynamic model development and the validation from flight
test data. Here, both the dependent and independent variables are directly or indi-
rectly derived from measurements of the vehicle states and inputs, and are corrupted
by errors. However, the noise that affects the measurements on the explanatory vari-
ables is not properly addressed by an LS estimator.
The counterpart of the least-squares estimator that correctly handles the ‘error-
in-variables problem’ is the total least-squares estimator (TLS) (Ref. [35]). Instead
of minimizing the sum of squares of residuals on only the response variable, it seeks
to minimize the sum of squares of residuals on all the variables in the equation. Un-
fortunately, TLS estimators do not share the desirable computational properties of
the ordinary LS estimators. A recursive algorithm that directly propagates a TLS
estimate over the incoming measurements is not available (Refs. [20], [21]). To-
tal least-squares parameter estimates are found by computing the singular value
decomposition (SVD) of the compound matrix of explanatory and explained variables
(Refs. [11], [36]). Since the size of this matrix is directly related to the number
of measurements, computation of a TLS estimate can be problematic for large sets of
measurements. Although no direct recursive algorithms are known, sequential tech-
niques are available that determine an updated SVD by means of another singular
value decomposition (Ref. [25]); the latter however is of a constant dimension that
is related to the number of model parameters and not the number of measurements.
Being part of most robust and adaptive control systems, least-squares estimators
are used in an environment where computational effort and manageability of data
are of great importance. Efficient recursive or sequential algorithms are therefore
mandatory. At the same time the context of measured data which corrupts both
dependent and independent variables constitutes a strong preference for total least-
squares estimators. This subsection presents a brief analysis of the TLS problem
as it is typically encountered during parameter estimation for aerospace dynamic
models. Based on this analysis, an efficient method for sequential computation of
the TLS estimate is proposed.

4.4.1 Preliminaries
The ordinary least-squares problem deals with the determination of the vector $x \in \Re^n$
that minimizes $\|Ax - b\|_2$, in which the matrix of independent variables $A \in \Re^{m \times n}$
and the vector of dependent variables $b \in \Re^m$ are the known elements in
the overdetermined set of equations $b \approx Ax$. If rank(A) equals the dimension of
the parameter vector n, the least-squares problem has the unique solution
$x_{LS} = (A^T A)^{-1} A^T b$ (Refs. [11], [36]). The recursive least-squares algorithm computes the
solution to the LS problem for $A_m^T = [A_{m-1}^T, a_m^T]$ and $b_m^T = [b_{m-1}^T, b_m]$ from the
solution for the case $A_{m-1}$, $b_{m-1}$. If the matrix $A_m^T A_m = A_{m-1}^T A_{m-1} + a_m^T a_m$ is written
as $P_{m-1}^{-1} + a_m^T I a_m$, the matrix inversion lemma can be used to yield

$$(A_m^T A_m)^{-1} = P_m = P_{m-1} - \frac{P_{m-1}\, a_m^T a_m\, P_{m-1}}{1 + a_m P_{m-1} a_m^T} \tag{4.47}$$

in which the remaining inverse is scalar. Setting $k = (P_{m-1} a_m^T)/(1 + a_m P_{m-1} a_m^T)$
and using (4.47), the recursive least-squares estimator consists of the following two
steps after the computation of k:

$$\begin{aligned}
P_m &= P_{m-1} - k\, a_m P_{m-1} \\
x_m &= x_{m-1} + k\,(b_m - a_m x_{m-1})
\end{aligned} \tag{4.48}$$

Because the matrix A contains the set of row vectors of explanatory variables - one
for each measurement - and the rank of a matrix equals its number of independent
row vectors, rank(A) cannot decrease when a new measurement is added. Once
enough independent measurements have been collected, the matrix AT A therefore
cannot become rank deficient again, although its condition may deteriorate. This
ensures successful propagation of the matrix P , a property that will prove useful for
the sequential TLS as well.

The total least-squares solution for the overdetermined set $b \approx Ax$ is the vector
that satisfies the approximate set of compatible equations $\hat{b} \approx \hat{A} x_{TLS}$, for which the
Frobenius norm $\|[A, b] - [\hat{A}, \hat{b}]\|_F$ is minimal (Ref. [36]). If $U \Sigma V^T$ is the singular
value decomposition of $[A, b]$ where $\Sigma = \mathrm{diag}(\sigma_1, \ldots, \sigma_n, \sigma_{n+1})$ contains the ordered
set of real singular values for which $\sigma_i \geq \sigma_{i+1}$, then the closest approximate set of
rank n is $U \hat{\Sigma} V^T$ with $\hat{\Sigma} = \mathrm{diag}(\sigma_1, \ldots, \sigma_n, 0)$. The desired solution $x_{TLS}$ must then
satisfy $U \hat{\Sigma} V^T [x_{TLS}^T, -1]^T = 0$. Hence, the vector $[x_{TLS}^T, -1]^T$ is part of the kernel
of $U \hat{\Sigma} V^T$ and must be perpendicular to the first n column vectors of V. As V is
orthonormal, the desired vector equals the last column vector of V.

4.4.2 Sequential Total Least Squares (Ref. [34])


The singular values of a matrix C are the square roots of the eigenvalues of the
matrix $C^T C$; the columns of the matrix of right singular vectors V are the
corresponding eigenvectors of $C^T C$. The TLS problem is thus reduced to finding
the eigenvector that is associated with the smallest eigenvalue of $[A, b]^T [A, b]$.
Computation of $C^T C$ is usually strongly discouraged because of numerical inaccuracies
(Refs. [11], [36]). When the original matrix is ill conditioned, the product $C^T C$ can
become singular due to finite-precision computations. However, examples of such
matrices are highly academic. It is important to note that ill conditioning in a sys-
tem identification application due to insufficient excitation does not play a role here.
As was noted before, a full-rank matrix of variables cannot become rank deficient
again. Erroneous singularity of the matrix $[A, b]^T [A, b]$ can only occur when a newly
added row of measurements contains solely elements that lead to underflow of all
previous measurements. Assuming measurement errors (spikes) have been removed,
this is not a realistic scenario. Additionally, if such measurements would occur, the
ill conditioning of the matrix would also lead to unreliable parameter estimates if
computation takes place with infinite precision.
The eigenvector that is associated with the smallest eigenvalue of an invertible
matrix equals the eigenvector for the largest eigenvalue of the matrix inverse. The
power method (Ref. [11]) is based on the characteristic that $\lim_{k \to \infty} A^k x$ converges to
a multiple of the dominant eigenvector of A that is not perpendicular to the initial
x ; the dominant eigenvector is the one associated with the largest eigenvalue. Ap-
plication of the power method to the inverse of a matrix therefore produces a series
of vectors that converge to the eigenvector for the smallest eigenvalue of the original
matrix. A TLS estimate can thus be found most easily by applying the power
method to $([A, b]^T [A, b])^{-1}$.
At this point, a sequential algorithm for computing the TLS estimates can be formulated
on the basis of the propagation of the matrix $P = ([A, b]^T [A, b])^{-1}$, similar
to the role of the matrix P in recursive ordinary least squares. Because the power
method computes the parameter estimate from the propagated matrix directly, the
estimate itself is not used in the recursion. Hence, the complete TLS propagation
consists only of

$$P_m = P_{m-1} - \frac{p^T p}{1 + p\,[a_m, b_m]^T} \tag{4.49}$$

with $p = [a_m, b_m] P_{m-1}$. If the actual estimate is required, it can be computed by
updating the eigenvector estimate v in the iteration

$$v_{k+1} = P\,(v_k / v_{k,n+1}) \tag{4.50}$$

In Eq. (4.50) $v_{k,n+1}$ denotes the (n + 1)th element of the vector $v_k$. By dividing the
vector by its last element, an explosion of the iterated vector and potential numerical
problems are avoided. Because eigenvectors can arbitrarily be scaled, this does not
influence the iteration itself. Instead, because the last element of the vector is repeatedly
scaled to 1, $v_{k+1,n+1}$ converges to the largest eigenvalue of P and can be used
as a convergence requirement for the iteration: the dominant eigenvector is found
when the difference between $v_{k,n+1}$ and $v_{k+1,n+1}$ drops below a preset convergence
requirement. By choosing $v_0 = [0, \ldots, 0, 1]^T$, it is guaranteed that the vector has
a component along the desired eigenvector. Because the converged vector can be
used as starting point for a later iteration when P has been updated, v needs only
to be initialized once. Finally, the actual parameter estimate is obtained from the
eigenvector estimate:

$$x_{TLS} = -v_{1:n}/v_{n+1} \tag{4.51}$$
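The recursions of Sections 4.4.1 and 4.4.2 can be run side by side on data whose explanatory variables are also noisy. The following is an added example, not code from the chapter: the true parameters, noise levels, the initialisation P0 = 10^6 I (which shifts all eigenvalues equally and leaves the eigenvectors unchanged) and all function names are assumptions, and the same noise variance is assumed on every column of [A, b].

```python
import random

def matvec(M, v):
    """Matrix-vector product for a list-of-rows matrix."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def scaled_identity(n, s):
    return [[s if i == j else 0.0 for j in range(n)] for i in range(n)]

def downdate(P, p, denom):
    """P - p^T p / denom for symmetric P: the rank-one step of Eqs. (4.47), (4.49)."""
    n = len(p)
    return [[P[i][j] - p[i] * p[j] / denom for j in range(n)] for i in range(n)]

def rls_update(P, x, a, b):
    """One recursive least-squares step, Eqs. (4.47)-(4.48)."""
    p = matvec(P, a)                      # P_{m-1} a_m^T
    denom = 1.0 + dot(a, p)               # scalar 1 + a_m P_{m-1} a_m^T
    innovation = b - dot(a, x)
    x_new = [xi + pi / denom * innovation for xi, pi in zip(x, p)]
    return downdate(P, p, denom), x_new

def tls_update(P, a, b):
    """Propagate P = ([A,b]^T [A,b])^-1 with one new row [a_m, b_m], Eq. (4.49)."""
    c = list(a) + [b]
    p = matvec(P, c)                      # equals ([a_m, b_m] P)^T since P is symmetric
    return downdate(P, p, 1.0 + dot(c, p))

def tls_estimate(P, v=None, tol=1e-12, max_iter=500):
    """Power iteration of Eq. (4.50) followed by Eq. (4.51).

    v may be the vector returned by an earlier call (warm start)."""
    v = list(v) if v is not None else [0.0] * (len(P) - 1) + [1.0]
    last = v[-1]
    for _ in range(max_iter):
        if v[-1] == 0.0:
            raise ZeroDivisionError("iterate has zero last element")
        v = matvec(P, [vi / v[-1] for vi in v])
        if abs(v[-1] - last) <= tol * abs(v[-1]):   # last element -> largest eigenvalue
            break
        last = v[-1]
    return [-vi / v[-1] for vi in v[:-1]], v

def demo(n_samples=2000, sigma=0.5, seed=1):
    """Constructed data: b = a.x_true, then noise of std sigma on every column."""
    rng = random.Random(seed)
    x_true = [2.0, -3.0]
    P_ls, x_ls = scaled_identity(2, 1e6), [0.0, 0.0]
    P_tls = scaled_identity(3, 1e6)
    for _ in range(n_samples):
        a_clean = [rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)]
        a = [ai + rng.gauss(0.0, sigma) for ai in a_clean]
        b = dot(a_clean, x_true) + rng.gauss(0.0, sigma)
        P_ls, x_ls = rls_update(P_ls, x_ls, a, b)
        P_tls = tls_update(P_tls, a, b)   # no parameter estimate needed in the recursion
    x_tls, _ = tls_estimate(P_tls)
    return x_true, x_ls, x_tls

if __name__ == "__main__":
    truth, ls, tls = demo()
    print("true:", truth)
    print("recursive LS :", [round(x, 3) for x in ls])
    print("sequential TLS:", [round(x, 3) for x in tls])
```

With noise on the explanatory variables the LS estimate is pulled towards zero, while the TLS estimate stays close to the true parameters.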

4.4.3 Summary of TLS Method


The application of the total least-squares method to typical aerospace parameter
estimation problems was briefly discussed. The commonly mentioned threat of in-
formation loss by reducing the variables matrix to its inner square was analyzed and
found harmless to applications where a series of measurements arrive with time.
Together with the notion that instead of singular values, only the smallest eigenvec-
tor of the inner square matrix is required to compute TLS estimates, this led to the
presentation of a computationally superior sequential TLS method.
The suggested method satisfies all the requirements on an estimator for real-time
applications: Its computational demand for each step is independent of the number
of preceding measurements and memory requirements are constant. Propagation of
the inverted inner square matrix with arriving measurement does not depend on
computation of the actual parameter estimate; without it, the number of operations
per step is deterministic and smaller than that for the recursive ordinary least-squares
estimator.

4.5 Real-Time Identification of Aircraft Physical Model for Fault Tolerant Flight Control, [13]
Now that the basic framework for on-line and real-time parameter identification has been
presented, the step towards in-flight fault detection has to be made. The goal of
the parameter identification is to provide a controller with the most likely, most

reliable model in flight. During normal flight with an undamaged aircraft, such a
model can best be based on an extensive set of aerodynamic data, which has been
previously built on the results of flight testing in different parts of the flight envelope.
A structure with different hyperboxes for different Mach numbers and angles of
attack can be used to provide the best estimation of the behaviour of an undamaged
aircraft. The flight controller can fully rely on this data to control the aircraft.
Based on different error criteria, the best aerodynamic model available will be
chosen to be forwarded to the model-based controller. This means that the on-line
estimated aerodynamic model will only be used if the aircraft encounters a failure.
As long as an aircraft is not damaged, the aerodynamic models originating from the
database will be the most accurate source.
When a failure does occur, a different situation is created, in which the aerody-
namic models originating from the database lose their reliability. A successful fault
tolerant flight control (FTFC) system will need to take two crucial steps in order to
adapt the controller to this new situation.
I. Trigger reconfiguration. This means that the control system needs to realize
that the current aerodynamic model (originating from the available aerodynamic
database) is not sufficiently accurate. The difficulty of this step is to create a sys-
tem which is both sufficiently reliable and sensitive to make a correct decision
for reconfiguration, without pilot interference.
II. Loading the on-line identified model of the damaged aircraft into the control
system. As soon as the conclusion is drawn that the model from the database
is unreliable, the on-line identified model can be loaded. This identification has
continuously been performed during the flight, meaning it is readily available for
uploading.
Fig. 4.8 Trigger for reconfiguration and real-time aerodynamic model identification
[Block diagram. Blocks: Aircraft; Real-time identification of aerodyn. model; Database aerodynamic models; Choose most accurate model; Trigger reconfig. Signals: States (X); to controller: output of most accurate aerodyn. model available.]

In order to remove the compromise between data loss and adaptivity which is the
negative effect of the use of a forgetting factor in any recursive parameter estimation
approach, a different approach is now suggested. The use of a forgetting factor
λ < 1 has been shown to be useful in making the identification adaptive to model
changes over time. The effect of this forgetting factor is that the covariance matrix
P does not reduce to zero, but constantly grows whenever the input channels are
excited insufficiently. A solution to the problem of data loss and model instability
would be to artificially increase the covariance matrix P only when the current
model cannot be relied upon anymore. In this way, no data will be lost during normal
flight, maintaining the quality of the model also in constant flight conditions. In
case an error occurs that affects the model, the aircraft will move (or this induced
movement will be counteracted by the nominal flight control system), creating sufficient
data on the input channels to identify the new model within a limited time
span.

Fig. 4.9 An example of model based adaptive flight controller using on-line identified aircraft
physical model
The major requirement for this procedure is that reliable information is available
about the quality of the aerodynamic model. In Ref. [12], the authors describe a
procedure to use the innovation (difference between the model prediction and the
actual behaviour of the system or aircraft) as a measure for the quality of the model.
The absolute value of the innovation does not only depend on the model quality, but
also on the noise in the input channels, which makes it unsuitable for quality de-
termination. Instead, the ‘whiteness’ of the innovation is used as a quality measure,
since a perfect model would have a residual comparable to the noise present in the
input signals.
Once the whiteness criterion has suggested that the current model contains er-
rors, reconfiguration will take place. The covariance matrix of the parameter es-
timator gives a measure for quality of the data that has entered the identification.
Without a forgetting factor, this ‘data richness’ can only improve, since all informa-
tion from previous measurements is retained. This results in a gradual ‘freezing’ of
the parameter values, since every new data point is weighted less in the parameter

identification. When it is concluded that the real-life situation has changed to such
an extent that the identified model is not valid anymore, this old data should be dis-
regarded. By artificially returning the covariance matrix to its initial state (a matrix
with relatively large values), the parameters are more influenced by new measure-
ments and can be identified based on the flight data of the aircraft in its new, changed
situation. The newly identified model will be available to be presented to a model
based adaptive flight controller. Fig. 4.9 illustrates an example of this type of flight
controller.
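The trigger-and-reset scheme of this section can be tried on a one-parameter model. This is an added example, not code from the chapter or from Ref. [12]: the scalar model y = θu + noise, the constructed fault (θ dropping from 1.0 to 0.5 at sample 400), and the whiteness statistic (lag-1 autocorrelation of the last 40 innovations against a threshold of 0.7) are all assumptions made for illustration.

```python
import math
import random
from collections import deque

def lag1_autocorrelation(e):
    """Sample lag-1 autocorrelation; near 0 for a white sequence."""
    mean = sum(e) / len(e)
    d = [ei - mean for ei in e]
    denom = sum(di * di for di in d)
    if denom == 0.0:
        return 0.0
    return sum(d[i] * d[i + 1] for i in range(len(d) - 1)) / denom

def run(reset_on_trigger, n=800, fault_at=400, window=40,
        threshold=0.7, p0=1e3, seed=7):
    """Recursive LS without forgetting factor, with an optional covariance reset.

    Returns the final estimate and the sample indices at which the
    whiteness test flagged the model."""
    rng = random.Random(seed)
    theta_hat, P = 0.0, p0
    recent = deque(maxlen=window)          # sliding window of innovations
    triggers = []
    for k in range(n):
        theta = 1.0 if k < fault_at else 0.5      # constructed failure
        u = math.sin(0.1 * k) + 0.5               # slowly varying excitation
        y = theta * u + rng.gauss(0.0, 0.02)      # constructed measurement
        innovation = y - u * theta_hat            # prediction minus behaviour
        recent.append(innovation)
        if len(recent) == window and lag1_autocorrelation(list(recent)) > threshold:
            triggers.append(k)
            if reset_on_trigger:
                P = p0                            # covariance back to its initial state
                recent.clear()                    # old innovations belong to the old model
        gain = P * u / (1.0 + P * u * u)          # scalar form of Eqs. (4.47)-(4.48)
        theta_hat += gain * innovation
        P -= gain * u * P
    return theta_hat, triggers

if __name__ == "__main__":
    for flag in (False, True):
        est, trig = run(flag)
        print("reset" if flag else "no reset", "-> estimate %.3f," % est,
              "first trigger at", trig[0] if trig else None)
```

Without the reset the estimator has "frozen" on the pre-failure data and ends roughly halfway between the old and new values; with the reset it re-identifies the new value within a few samples of the trigger.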

4.6 Conclusions
In this chapter, the decomposition of the aircraft state and parameter estimation
problem has been discussed and the resulting two-step method is proven to possess
the same estimation properties as that of one-step Maximum Likelihood method, in
the case of accurate measurements given by the flight test instrumentation systems.
Once the flight path reconstruction has been performed, the aerodynamic param-
eter estimation becomes linear-in-the-parameters. A simple linear Least Squares
method can be applied to estimate the aerodynamic parameters. The Total Least
Squares method may be used in case of necessity.
Since the system and observation models for the flight path reconstruction are
known in detail it is not necessary to evaluate different model structures, and flight
path reconstruction needs only to be solved once for each flight test manoeuvre
without any knowledge about aircraft aerodynamic models. This is considered to
be one of the advantages of the two-step method because the aerodynamic model
must be assumed to be known correctly in advance before the one-step maximum
likelihood method can be used.
In the case of incorrect aerodynamic models, the one-step method may diverge
or converge to wrong values of aerodynamic parameters (local maximum of the
likelihood function). Therefore, the modification of the aerodynamic models has to
be considered and the one-step joint state and parameter estimation procedure has
to be performed over and over again. The two-step method does not suffer from
this problem. One can always construct the modified aerodynamic model and run
the linear Least Squares method to estimate the aerodynamic parameters again using
the same reconstructed state trajectories. Therefore, this method is very suitable for
routine analysis of large amounts of flight test data. The optimization algorithms
and initial parameters for the one-step method must be selected properly in order to
achieve the global maximum of the likelihood function – even in the case that correct
aerodynamic models are specified. On the other hand, this problem is obviated by
the use of the two-step method as the solution of the Least Squares method is direct
and unique. In the case of errors in the measured data or from the first step of the two
step approach, Total Least Squares can be applied to reduce the bias of the model
parameter estimates.
Recursive and sequential approaches for both steps can easily be implemented for
on-line applications of model identification, in order to realize the design of model
based adaptive flight controllers.

References
1. Anonymous. Rotorcraft system identification. Technical Report AGARD-AR-280,
AGARD (1991)
2. Breeman, J.H., Erkelens, L.J.J., Nieuwpoort, A.M.H.: Determination of performance and
stability characteristics from dynamic manoeuvres with a transport aircraft using pa-
rameter identification. In: AGARD FMP Symposium on Flight Test Techniques, Lisbon
(1984)
3. Breeman, J.H., Simons, J.L.: Evaluation of a method to extract performance data from
dynamic manoeuvres for a jet transport aircraft. In: 11th ICAS congress, Lisbon (1978)
4. Chu, Q.P., Mulder, J.A., Sridhar, J.K.: Analytical and numerical comparison of the maxi-
mum likelihood method and two step method for aircraft state and parameter estimation.
In: Proceedings of the 10th IFAC Symposium on System Identification, SYSID 1994,
July 1994, vol. 3, pp. 61–66 (1994)
5. Chu, Q.P., Mulder, J.A., Van Woerkom, P.T.L.M.: Aircraft flight path reconstruction with
nonlinear adaptive filters. In: Proceedings of the American Control Conference, ACC,
Seattle, vol. 2, pp. 1196–1200 (1995)
6. Chu, Q.P., Mulder, J.A., Van Woerkom, P.T.L.M.: Modified recursive maximum likeli-
hood adaptive filter for nonlinear aircraft flight path reconstruction. AIAA Journal of
Guidance, Control and Dynamics 19(6), 1285–1295 (1996)
7. Chu, Q.P., Verbass, A., Mulder, J.A., van den Broek, P.P.: Nonlinear adaptive filtering
with application to spaceplane flight path reconstruction. In: Proceedings of the 2nd
ESA International Conference on Guidance, Navigation and Control Systems, ESTEC,
ESTEC Conference Bureau, Noordwijk, April 1994, pp. 107–116 (1994)
8. Gerlach, O.H.: Analyse van een mogelijke methode voor het meten van prestaties
en stabiliteits- en besturingseigenschappen van een vliegtuig in niet stationaire, sym-
metrische vluchten (analysis of a possible method for the measurement of performance
and stability and control characteristics in non-steady symmetrical flight). Technical Re-
port VTH-117, Delft University of Technology, Department of Aerospace Engineering
(November 1964)
9. Gerlach, O.H.: Determination of performance and stability perameters from non-steady
flight test manoeuvres. In: SAE paper, number 700236, Wichita, Kansas. National busi-
ness aircraft meeting (1970)
10. Gerlach, O.H.: Determination of stability derivatives and performance characteristics
from non-steady flight test manoeuvres. Technical Report CP-85, AGARD, Toulouse
(1971), Also as report VTH-163, Delft University of Technology, Department of
Aerospace Engineering (February 1976)
11. Golub, G.H., Van Loan, C.F.: Matrix Computations. Johns Hopkins University Press,
Baltimore (1996)
12. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems.
Cooperative Systems, vol. 2. Kluwer Academic Publishers, Dordrecht (2003)
13. Huisman, H.O.: Fault tolerant flight control based on real-time physical model identifi-
cation and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology,
Faculty of Aerospace Engineering, Control and Simulation Division, June 20 (2007)
154 P. Chu, J.A. (Bob) Mulder, and J. Breeman

14. Jonkers, H.L.: Application of the kalman filter to flight path reconstruction from flight
test data including estimation of instrumental bias error corrections. Technical Re-
port VTH-162, Delft University of Technology, Department of Aerospace Engineering
(February 1976)
15. Jonkers, H.L., Mulder, J.A.: Accuracy limits in nonsteady flight testing. In: The tenth
congress of the International Council of the Aerospace Sciences, ICAS, number 76-46,
Ottawa, October 1976. ICAS (1976)
16. Jonkers, H.L., Mulder, J.A.: New developments and accuracy limits in aircraft flight test-
ing. In: AIAA Aircraft System and Technology Meeting, number AIAA 76-897, Dallas,
Texas (September 1976)
17. Jonkers, H.L., Mulder, J.A., van Woerkom, K.: Measurements in non-steady flight: In-
strumentation and analysis. In: Proceedings of the 7th international aerospace instrumen-
tation symposium, Cranfield (1972)
18. Klein, V.: Identification evaluation method. AGARD Lecture Series, vol. 104, pp. 2-1–
2-21 (1979)
19. Laban, M.: Online aircraft state and parameter estimation. Technical Report AGARD-
CP-519, paper 29, AGARD (May 1992)
20. Laban, M.: Online aircraft aerodynamic model identification. PhD thesis, Delft Univer-
sity of Technology (1994)
21. Laban, M., Masui, K.: Total least squares estimation of aerodynamic model parameters
from flight data. Journal of Aircraft 30(1), 150–152 (1993)
22. Laban, M., Mulder, J.A.: Online identification of aircraft aerodynamic model parameters.
In: 9th IFAC/IFORS Symposium on Identification and System Parameter Estimation,
Budapest, Hungary (July 1991)
23. Liu, Y., Cukic, B., Fuller, E., Yerramalla, S., Gururajan, S.: Monitoring techniques for an
online neuro-adaptive controller. The Journal of Systems and Software 79, 1527–1540
(2006)
24. Maine, R.E., Illif, K.W.: Agard flight test techniques series. On identification of dynamic
systems - application to aircraft, part 1: The output error approach, vol. 3. Technical
report, AGARDograph (1986)
25. Moonen, M., van Dooren, P., Vandewalle, J.: An svd updating algorithm for subspace
tracking. SIAM Journal on Matrix Analysis and Applications 13(4), 1015–1038 (1992)
26. Muhammad, H.: Identification of turboprop thrust from flight test data. PhD thesis, Delft
University of Technology (December 1995)
27. Mulder, J.A.: Estimation of thrust and drag in nonsteady flight. In: Proceedings of the
4th IFAC Symposium, Identification and System Parameter Estimation, Tbilisi (1976)
28. Mulder, J.A.: Design and evaluation of dynamic flight test manoeuvers. Technical Report
LR-497, Delft University of Technology, Delft, the Netherlands (1986)
29. Mulder, J.A., Baarspul, M., Breeman, J.H., Nieuwpoort, A.M.H.: Determination of the
mathematical model for the new dutch government civil aviation flying school flight sim-
ulator. In: 18th Annual Symposium on Society of Flight Test Engineers, SFTE, Amster-
dam (September 1987), Also as Memorandum M-578, Delft University of Technology,
Department of Aerospace Engineering (July 1987)
30. Mulder, J.A., Chu, Q.P., Sridhar, J.K., Breeman, J.H., Laban, M.: Non-linear air-
craft flight path reconstruction review and new advances. Progress in Aerospace Sci-
ences 35(7), 673–726 (1999)
31. Mulder, J.A., Jonkers, H.L., Horsten, J.J., Breeman, J.H., Simons, J.L.: Analysis of air-
craft performance, stability and control measurements. AGARD Lecture Series, vol. 104
(1979)
4 Real-Time Identification of Aircraft Physical Models for FTFC 155

32. Mulder, J.A., Sridhar, J.K., Breeman, J.H.: Identification of dynamic systems, applica-
tions to aircraft, part 2: nonlinear analysis and manoeuvre design. AGARDograph 300,
vol. 3 (1986)
33. Plaetschke, E., Mulder, J.A., Breeman, J.H.: Results of beaver aircraft parameter identi-
fication. Technical Report FB 83-10, DFVLR Institut für Flugmechanik, Braunschweig,
Germany (1983)
34. Soijer, M.W.: Sequential computation of total least squares parameter estimates. Journal
of Guidance and Control 27(3), 501–503 (2003)
35. Van Huffel, S.: Analysis of the Total Least Squares Problem and its use in Parameter
Estimation. PhD thesis, Catholic University of Leuven (1987)
36. van Huffel, S., Vandewalle, J.: The total least squares problem computational aspects and
analysis. SIAM, Philadelphia (1991)
Chapter 5
Industrial Practices in Fault Tolerant Control

Philippe Goupil
Airbus France, EDYC-CC Flight Control Systems, 316 Route de Bayonne,
31060 Toulouse Cedex 09
e-mail: philippe.goupil@airbus.com

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 157–167.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

5.1 Introduction
The Electrical Flight Control System (EFCS, also known as Fly-By-Wire or FBW), first
developed by Aerospatiale and installed on Concorde (as an analog system) and then
designed with digital technology on Airbus aircraft from the 1980s (A310), provides
more sophisticated control of the aircraft and flight envelope protection functions
[3], [4], [5]. The main characteristics are that high-level control laws in normal
operation allow all control surfaces to be controlled electrically and that the system
is designed to be available under all circumstances. The EFCS is a safety-critical
system designed to meet very stringent requirements in terms of safety and availability.
Most, but not all, of these requirements come directly from the Aviation Authorities
(for example FAA, EASA, for details see [2], [1]).
In this chapter, Fault Tolerant practices used to design a dependable safety-critical
EFCS are described. In section 5.2, as a general introduction, the aircraft development
process is described using the V-cycle. The next section details some ‘golden
rules’ used for designing a Fault Tolerant EFCS. Section 5.4 outlines the flight control
computer specification and shows how the dedicated process contributes to the
EFCS Fault Tolerant design. Section 5.5 discusses some aspects of the system validation
and verification as a part of the Fault Tolerant design. Finally, the last section
shows an example of a failure detection technique implemented on the A380, illustrating
one of the golden rules previously described.

5.2 Aircraft Development Process - The V-Cycle
This section describes the aircraft development process that is depicted in the V-cycle
(Fig. 5.1). Strictly following this cycle achieves Fault Tolerance. The first
branch of the V-cycle is the development phase. It starts with the aircraft specification
corresponding to the ‘top level requirements’: the definition of the needs,
the choice of concepts, control laws, technologies, etc. The aircraft is decomposed
into sub-parts called systems which are specified in the next step. The systems are
decomposed in sub-parts called ‘equipment’ which are then specified. For exam-
ple, the software of the Flight Control Computers is specified thanks to a specific
graphical language and an automatic generation tool produces the code (see Section
5.4). At this step the code is used in a desktop simulator to begin the initial vali-
dation. It is also used in a development simulator, a real cockpit where everything
is simulated. After equipment specification, the corresponding code is generated
and implemented inside the equipment. Then, the second part of the V-cycle can
start. This integration phase consists of a severe validation campaign on different
test benches (see Section 5.5 for more details), from the simplest ones (an actuator
bench) to more complete ones (the ‘Iron Bird’). The validation phase ends with the
flight tests. The V-cycle ends with the certification process. Significant verification
and validation is performed all along the cycle (see Section 5.5). The verification
objective is to get assurance that the product (system/equipment) is compliant to its
specification. The validation objective is, on the one hand, to get the assurance that
the specifications are correct and complete, and on the other hand, to get the assur-
ance that the final product is compliant with the customer needs. Consequently, the
V-cycle is not a fixed process but rather an iterative process due to the verification
and validation activities that can lead to changes in some specifications all along
the cycle. Aviation Authorities regulations (FAR/CS [2],[1]) are requirements and
part of the aircraft specification. Hence verification and validation need to demon-
strate aircraft compliance to these requirements in order to obtain certification. As a
consequence, certification may be considered as a sub-process of the validation and
verification process but with more formalism (certification sheets, reviews...)
and a particular point of view (safety oriented).

Fig. 5.1 V-cycle representing the aircraft development process.

5.3 Some ‘Golden Rules’ for Designing a Highly Dependable System
The EFCS is a safety-critical system in the sense that catastrophic consequences
may result from its failures, such as a control surface runaway (e.g. rudder or
Trimmable Horizontal Stabilizer), loss of control on the pitch axis, lack of control
after an engine burst or an oscillatory failure at a frequency critical to the structure
(see Section 5.6). The detection of all related failures is therefore a very important
point to be considered in the aircraft design. All these failures must be extremely
improbable, i.e. with a probability of less than 10⁻⁹ per flight hour and considering
qualitative requirements (FAR/CS 25.1309). Specifically for flight controls,
FAR/CS 25.671 requires that a catastrophic consequence must not be due to a single
failure or a control surface jam or a pilot control jam. This qualitative requirement is
on top of the probabilistic assessment. In order to be compliant with Airworthiness
requirements for aircraft certification and to design a fault-tolerant aircraft, Airbus
uses a number of ‘golden rules’ [5, 6] outlined below:
• A Safety System Assessment (SSA) to assess the effect of each functional fail-
ure on the system. The SSA is a kind of fault tree that studies all the possible
combinations of failures to determine the probability of occurrence of an event.
The probability of each elementary failure is given by the manufacturer of the
equipment concerned and is re-evaluated or confirmed by experience. This safety
analysis can lead to a modification of the flight control architecture (e.g. degree
of redundancy) and thus contributes to the design of a more fault tolerant system,
compliant with the safety requirements in the regulations.
• A stringent development process, based on the guidelines: ARP4754/ED79 [7]
for aircraft system development, DO178/ED12 [8] for software development
and DO254/ED80 [9] for hardware development. For instance, for software development,
the dedicated guidelines do not concern the content of the software,
but rather the development process to comply with (planning, development, verification,
configuration management, quality assurance issues) in order to obtain
the aircraft certification.
• Hardware redundancy: for example the use of multiple FBW computers (5 on
an A330/A340, and 6 on an A380), and the use of different power sources for
control surface actuation. Three hydraulic sources are used on the A320/A340.
Four power sources are used on A380 (2 hydraulic and 2 electric). Furthermore,
as a last backup, in an emergency situation, a Ram Air Turbine provides enough
energy to pressurize one of the hydraulic circuits and/or to supply the electric
network. Redundant sensors also provide air data and inertial information to other
systems through dedicated, separate but identical units².
• Monitoring: all the elements of the flight control system are monitored in real-
time, for example the sensors, actuators, probes, and the other computers. An
example of such monitoring is given in Section 6.
• Reconfiguration: meaning automatic management following a failure. This is a
key point in the design of a fault-tolerant aircraft. There are two levels of recon-
figuration:
– First level, system reconfiguration: consider a control surface with two ac-
tuators (Fig. 2). The first one is in active mode and is servo-controlled by
computer P1. The second one is in passive mode (it follows the movement
of the active actuator) and is associated with a second computer P2, in stand-
by mode. If a failure is detected (by the dedicated monitoring schemes, see
above) on the active actuator, then it changes to passive mode and the passive
one becomes active. There is a hand-over: P2 becomes active and controls
its associated actuator while P1 changes to stand-by mode. P1 loses its functionality
on this actuator but not all the other functionalities (control of other
actuators, flight control law calculations, etc). This reconfiguration is clearly
based on hardware redundancy (computers and actuators).
– Second level, flight control law reconfiguration: in normal conditions, with
the EFCS the aircraft is protected against critical events[5] such as stall, over-
speed, etc. The corresponding flight control law is called the ‘normal law’.
However some protection can be lost following failures, for example the loss
of a control surface, IRS (Inertial Reference System), ADR (Air Data Refer-
ence) or a Flight Control Computer. As a result of the loss of protection, there
is a reversion to low-level laws. Flight is still possible, but with less protec-
tion. The last level law is the ‘direct law’ where there is no protection. The
probability of reverting to a low-level law is very small. This reconfiguration
is a way to be fault tolerant and is due to a loss of hardware redundancy. For
more information on the control laws, see chapter 1.
• Dissimilarity: this is also a very important point to ensure fault tolerance. All
Airbus aircraft have at least two types of computer: a primary and a secondary
computer. Their hardware and software are different, and they are not developed
by the same teams. The system reconfiguration (hand-over) described above uses
primary and secondary computers (Fig. 2). The secondary computer is simpler
than the primary computer. The dissimilarity also concerns actuators. On the
A380, two types are used: the conventional hydraulic actuator and a new genera-
tion of electrically powered actuators - the Electro-Hydrostatic Actuator (EHA).
EHA has been developed mainly from the viewpoint of reducing the number of
hydraulic systems, generating significant weight and cost savings, and providing
additional dissimilarity [10]. Electrical Backup Hydraulic Actuators (EBHA) are
also used on the A380. An EBHA can be viewed as an actuator with two modes:
a conventional hydraulic one that can switch to an EHA mode.
² Also known as ADIRU (Air Data Inertial Reference Units).
• Installation segregation: computers are not physically installed at the same place
on the aircraft, to avoid total loss in the case of any damage. Such an event could
be for example an engine rotor-burst that cuts the electrical wires supplying the
computers. The same reasoning leads to segregation of hydraulic and electrical
routes.
• Flight Control Computer architecture: this is divided into two parts, a command
channel (COM) and a monitoring channel (MON). Each channel monitors the
other but each channel has a specific task. The COM channel provides the main
functions allocated to the computer (flight control law computation and the servo-
control of moving surfaces). The MON channel ensures (mainly) the permanent
monitoring of all the components of the flight control system (sensors, actuators,
other computers, probes, etc.). It is designed to detect failure cases and to trigger
reconfiguration by signalling the failure detection to the COM channel and to the
other computers.
• A perfect robustness for software and system equipment: e.g. no monitoring
false alarms, protection against ElectroMagnetic Interference and severe light-
ning strikes, no upset in the case of total air cooling loss, etc.

5.4 Flight Control Computer Functional Specification


The specification of a computer includes, on the one hand, an ‘equipment and soft-
ware development’ technical specification used to design the hardware and (partly)
the software. On the other hand, a functional specification accurately defines the
functions implemented by the software. This functional specification is another key
point for designing a Fault Tolerant EFCS. The main specified functions are: flight
control laws, monitoring functions, slaving of control surfaces and reconfigurations.
In the first step, a graphical tool allows specification of these functions (computer-aided
specification). A limited set of graphical symbols (adder, filter, integrator,
look-up tables) is used to describe each part of the algorithm in dedicated ‘func-
tional specification sheets’. This specification is under the control of a configuration
management tool and its syntax is partially checked automatically. In a second step,
an automatic generation tool produces the code to be directly implemented in the
flight control computer. Such a tool has as input the functional specification sheets,
and a library of software packages, one package for each symbol used. The auto-
matic programming tool links together the symbol packages. The software produced
is also intensively checked at this step[5]. The use of such tools is part of the Fault
Tolerant design of the EFCS and thus has a positive impact on safety. An automatic
tool ensures that a modification to the specification can be coded easily even if this
modification needs to be embodied rapidly (situation encountered during the flight
test phase for example). Automatic programming, through the use of a formal spec-
ification language, also allows onboard code from one aircraft program to be used
on another.

Fig. 5.2 System reconfiguration. In the case of two actuators per control surface, a first pri-
mary computer P1 ensures the servo control of the active actuator powered by a first hydraulic
system. A second primary computer P2, in stand-by mode, is associated with the second actu-
ator in passive mode. A second hydraulic system powers this second actuator. When a failure
is detected, a hand-over between P1 and P2 changes the active actuator to passive mode and
the passive one becomes active. S1 and S2 are the secondary computers ensuring a second
line of redundancy with the same principle.

5.5 System Validation and Verification


The system validation and verification proceeds through several steps:
• Peer review of the specifications, and their justification. This is done in light of
the lessons learned by scrutinizing incidents that occur in airline service.
• Analysis, most notably the SSA which, for a given failure condition, checks that
the monitoring and reconfiguration logic allows the fulfillment of the quantitative
and qualitative objectives, but also analysis of system performance, and integra-
tion with the structure.
• Tests on a desktop simulator using the automatically produced software coupled
to a rigid aircraft model.
• Tests on a System Integration Bench (SIB), a test bench used to tune the servo-
control of a given control surface, with simulated inputs and observation of com-
puter internal variables. This bench offers the possibility of validating degraded
configurations: e.g. low hydraulic pressure and high aerodynamic loads on the
control surface.
• Tests on the ‘Iron Bird’: a test bench that is a kind of very light aircraft, without
the fuselage, the structure, the seats, etc, but with all system equipment installed
and powered as on an aircraft (e.g. hydraulic and electric circuits).
• Tests on a flight simulator: a test bench with a real aircraft cockpit, flight con-
trol computers and coupled to a rigid aircraft model. The Iron Bird can also be
coupled to the flight simulator.
• Flight tests, on several aircraft, fitted with ‘heavy’ flight test instrumentation.
More than 10000 flight control parameters are permanently monitored and
recorded.

5.6 An Example of Monitoring: A380 Oscillatory Failure Case Detection
As previously mentioned, the EFCS is a safety-critical system designed to meet
very stringent requirements in terms of safety and availability. The detection of all
related failures is therefore a very important point to be considered in the aircraft de-
sign. In particular, in the context of overall aircraft optimization and their increasing
size, system design objectives originating from structural load design constraints
are more and more stringent. The main issue is weight saving to improve the air-
craft performance (e.g. fuel consumption, noise, range). Consequently, for system
failures impacting the aircraft structure, the performance of detection methods must
be improved, while retaining perfect robustness. EASA regulations CS 25.302 used
for aircraft certification state that the system must be designed so that it cannot pro-
duce hazardous loads on the aircraft. EFCS-failure cases having an influence on
structural loads are mainly runaway or jamming of a control surface, the loss of
limitations (e.g. rudder deflection limitation as a function of aircraft speed), loss of
an EFCS special function to reduce structural design loads (e.g. Load Alleviation
Function) or degradation of deflection rates. Some EFCS failures may also result
in unwanted control surface oscillations, generating loads on the structure when lo-
cated within the actuator bandwidth. This failure case is called an Oscillatory Failure
Case (OFC)[11]. These failures, coupled with the aeroelastic behaviour of the air-
craft, may lead to unacceptably high loads or vibrations. The worst case corresponds
to resonance phenomena with the aircraft natural modes. This is very improbable as
the OFC frequencies are uniformly distributed. But one cannot prove that it is im-
possible, so this case has to be covered. OFC amplitude must be contained by the
system design within an envelope function of the frequency. The ‘usual’ monitoring
techniques cannot guarantee staying within an envelope with acceptable robustness
and a specific OFC detection must be used. The ability to detect these failures is
very important because it has an impact on the structural design of the aircraft since
the load envelope constraints must be respected. More precisely, if an OFC of given
amplitude cannot be detected and passivated, this amplitude must be considered in
the load computations. The result of this computation can lead to reinforcement
of the structure. In order to avoid reinforcing the structure and consequently to
save weight, low amplitude OFCs must be detected in time. Only OFCs located
in the servo-loop control of the moving surfaces are considered, that is, between the
Flight Control Computer and the control surface, including these two elements (Fig.
3). Consequently, the failures under consideration impact only one control surface.

Fig. 5.3 OFC source location in the control loop.

OFCs are mainly due to electronic components in fault mode generating spurious si-
nusoidal signals. This oscillatory signal propagates through the servo-loop control,
leading to control surface oscillations. The faulty components are located inside the
Analog Inputs/Outputs, the position sensors or the actuators. The flight control com-
puter may also generate unwanted oscillations of the command current sent to the
actuator servo-valve. OFC signals are considered as sinusoids with frequency and
amplitude uniformly distributed over the frequency range 0-10 Hz. Beyond 10 Hz,
OFCs have no significant effects because of the low-pass behaviour of the actua-
tor. For structure-related system objectives, it is necessary to detect OFCs beyond
a given amplitude in a given number of periods, whatever the OFC frequency. For
example, it could be necessary to detect an OFC with minimal amplitude of 1 de-
gree in 5 periods, in the frequency band 5-10 Hz. The time detection is expressed
in period numbers, which means that, depending on the failure frequency, the time
allowed for detection is not the same. Two kinds of OFC have to be considered:
‘liquid’ and ‘solid’ failures. The liquid failure adds to the normal signal (inside the
control loop) while the solid failure substitutes the normal signal. The OFC detec-
tion methodology must take into account the specifics of these two different cases.
To detect an OFC on the A380, the concept of analytical redundancy is used. This
is a conventional approach well known in the Fault Diagnosis community [12, 13].
The principle consists of comparing the real functioning of the monitored control
surface with an ideal functioning expected in the absence of failure, in order to
exhibit the failure. A nonlinear knowledge-based model of the actuator is used to
provide this ideal functioning. The overall method is usually built in two steps [6]:
residual generation and residual evaluation. Firstly, a residual is generated by
comparing the real position p of the control surface (obtained by a sensor) with an
estimated position produced by the actuator model. The input of the model is the
flight control law (the command used in the servo-control of the control surface).
Secondly, the residual is decomposed into several spectral sub-bands. In each
sub-band, the OFC detection is performed by counting oscillations of the filtered
residual. The overall method is summarized in Fig. 4.

Fig. 5.4 Synopsis of OFC detection by analytical redundancy.

Specific counting is applied for each failure type (liquid and solid). In this approach,
the flight control law is considered as fault-free. All its oscillations are calculated in
order to compensate for any normal perturbation (e.g. an external disturbance such as
turbulence). The hypothesis of a fault-free command is justified because the flight
control law is also monitored by dedicated techniques. For more details, the reader can
refer to Ref [6]. This model-based method is currently used on the A380 and gives highly
satisfactory results in terms of robustness and detection and permits very stringent
load requirements to be met.
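The two steps described above (residual generation against an actuator model, then oscillation counting per spectral sub-band), as an added example that is not the A380 implementation. The rate-limited first-order actuator, the 200 Hz rate, the band edges, the threshold, the confirmation count, the fault injected on the actuator drive signal and all signal values are assumptions constructed for illustration.

```python
import math
import random

DT = 0.005                                     # assumed 200 Hz monitoring rate
BANDS = [(0.5, 2.0), (2.0, 5.0), (5.0, 10.0)]  # assumed sub-bands in Hz
THRESHOLD = 0.3                                # deg, assumed counting threshold
CONFIRM_HALF_CYCLES = 6                        # assumed: 3 periods confirm an OFC
T_FAULT = 5.0                                  # s, constructed fault onset


def actuator(p, u, tau, rate_max=80.0):
    """Rate-limited first-order lag: a stand-in for the nonlinear actuator model."""
    rate = max(-rate_max, min(rate_max, (u - p) / tau))
    return p + DT * rate


class BandCounter:
    """Band-pass filters the residual and counts alternating threshold crossings."""

    def __init__(self, f_lo, f_hi):
        self.band = (f_lo, f_hi)
        self.a_lo = 1.0 - math.exp(-2.0 * math.pi * f_lo * DT)
        self.a_hi = 1.0 - math.exp(-2.0 * math.pi * f_hi * DT)
        self.slow = self.fast = 0.0
        self.sign, self.k_last, self.count = 0, None, 0

    def update(self, residual, k):
        self.slow += self.a_lo * (residual - self.slow)         # content below f_lo
        self.fast += self.a_hi * ((residual - self.slow) - self.fast)
        sign = 1 if self.fast > THRESHOLD else -1 if self.fast < -THRESHOLD else 0
        if sign != 0 and sign != self.sign:                     # opposite threshold crossed
            half = None if self.k_last is None else (k - self.k_last) * DT
            in_band = (half is not None
                       and 0.5 / self.band[1] <= half <= 0.5 / self.band[0])
            self.count = self.count + 1 if in_band else 1       # restart on a bad half period
            self.sign, self.k_last = sign, k
        return self.count >= CONFIRM_HALF_CYCLES


def monitor(fault=None, freq=7.0, amp=2.0, duration=8.0, seed=3):
    """fault is None, 'liquid' or 'solid'. Returns (detection time, band) or None."""
    rng = random.Random(seed)
    counters = [BandCounter(lo, hi) for lo, hi in BANDS]
    p_real = p_model = 0.0
    for k in range(int(duration / DT)):
        t = k * DT
        command = 5.0 * math.sin(2.0 * math.pi * 0.2 * t)      # fault-free command
        osc = amp * math.sin(2.0 * math.pi * freq * (t - T_FAULT))
        if fault is None or t < T_FAULT:
            drive = command
        elif fault == "liquid":
            drive = command + osc        # oscillation adds to the normal signal
        else:
            drive = osc                  # oscillation substitutes the normal signal
        p_real = actuator(p_real, drive, tau=0.030)             # monitored surface
        p_model = actuator(p_model, command, tau=0.035)         # model, small mismatch
        residual = p_real + rng.gauss(0.0, 0.02) - p_model      # constructed sensor noise
        for counter in counters:
            if counter.update(residual, k):
                return t, counter.band
    return None


if __name__ == "__main__":
    for case in (None, "liquid", "solid"):
        print(case, monitor(case))
```

Requiring each half period to lie inside the sub-band expresses the confirmation time in periods rather than seconds, so a slower oscillation is allowed proportionally more time, and the model mismatch and sensor noise stay below the threshold in the fault-free run.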

5.7 Conclusions
Safety is the first priority: in-service experience has shown that the Airbus EFCS is
safe, and even features safety margins. For future and upcoming programs, in par-
ticular in the context of aircraft overall optimization and their increasing size, more
stringent requirements will be demanded. Consequently, new solutions should be
studied. The example given in Section 6 shows that Airbus is continuously improv-
ing, in an innovative way, the Fault Tolerant design of its aircraft. The collaborative
work done in a research group like GARTEUR AG-16 is a good chance to study the
capabilities and viability of novel Fault Tolerant Control techniques. With respect
to Fault Tolerance, one of the future challenge to be faced is to get the system right
’first time’. Future work will focus on this challenge.

References
1. Anon. Certification Specifications for Large Aeroplanes, Amendment 1, CS-25. Euro-
pean Aviation Safety Agency (EASA) (former JAA)
2. Anon. FAR/CS 25, Airworthiness Standards: Transport Category Airplane, vol. 14, part
25. FAA
3. Brière, B., Favre, C., Traverse, P.: A family of fault-tolerant systems: electrical flight
controls, from A320/330/340 to future military transport aircraft. Microprocessors and
Microsystems 19(2) (1995)
4. Favre, C.: Fly-by-wire for commercial aircraft: the airbus experience. International Jour-
nal of Control 59(1), 139–157 (1994)
5. Traverse, P., Lacaze, I., Souyris, J.: Airbus fly-by-wire: A total approach to dependability.
In: Proc. 18th IFIP World Computer Congress, Toulouse, France (2004)
6. Goupil, P.: Oscillatory Failure Case detection in A380 Electrical Flight Control System
by analytical redundancy. In: 17th IFAC Symposium on Automatic Control in Aerospace,
Toulouse (2007)
7. Anon. ARP 4754/ED79, Certification Considerations for Highly-Integrated or Complex
Systems. SAE, no. ARP4754, and EUROCAE, no. ED79 (1996)
8. Anon. DO178B/ED12, Software Considerations in Airborne Systems and Equipment
Certification. ARINC, no. DO178B, and EUROCAE, no. ED12 (1992)
9. Anon. DO254/ED80, Design Assurance Guidance for Airborne Electronic Hardware.
ARINC, no. DO254, and EUROCAE, no. ED80 (2000)
10. Van den Bossche, D.: The A380 Flight Control Electrohydrostatic Actuators, Achieve-
ments and Lessons Learnt. In: Proc. 25th Congress of the International Council of the
Aeronautical Sciences, Hamburg (2006)
11. Besch, H.M., Giesseler, H.G., Schuller, J.: Impact of Electronic Flight Control System
(EFCS) Failure Cases on Structural Design Loads. AGARD Report 815, Loads and Re-
quirements for Military Aircraft (1996)
12. Zolghadri, A., Goetz, C., Bergeon, B., Denoise, X.: Integrity monitoring of flight pa-
rameters using analytical redundancy. In: UKACC International Conference on Control
(CONTROL 1998), Swansea, UK, pp. 1534–1539 (1998)
13. Frank, P.M.: Fault diagnosis in dynamic systems using analytical and knowledge-based
redundancy: A survey and some new results. Automatica 26(3), 459–474 (1990)
Part II
RECOVER: The Benchmark Challenge
Chapter 6
RECOVER: A Benchmark for Integrated Fault
Tolerant Flight Control Evaluation

Hafid Smaili, Jan Breeman, Thomas Lombaerts, and Diederick Joosten

Hafid Smaili
National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Jan Breeman
National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Diederick Joosten
Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2,
2628 CD Delft, The Netherlands
e-mail: d.a.joosten@tudelft.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 171–221.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

6.1 Introduction
Fault tolerant flight control (FTFC), or intelligent self-adaptive control, enables
improved survivability and recovery from adverse flight conditions induced by faults,
damage and associated upsets. This can be achieved by ’intelligent’ utilisation of
the control authority of the remaining control effectors in all axes consisting of the
control surfaces and engines or a combination of both. In this technique, control
strategies are applied to restore vehicle stability, manoeuvrability and conventional
piloting techniques for continued safe operation and a survivable landing of the
aircraft.
The design of the GARTEUR REconfigurable COntrol for Vehicle Emergency
Return (RECOVER) benchmark was driven by the requirement to demonstrate, both
offline and in real-time (piloted) simulation, the performance and viability of new
fault tolerant flight control schemes when applied to a realistic, nonlinear advanced
flight control application. The test scenarios of the benchmark provide challenging
assessment criteria, based on a review of operational requirements, to assess the
effectiveness and potential of the FTFC methods to improve aircraft survivability.
The assessment criteria of the GARTEUR RECOVER benchmark scenarios are further
described in detail in Chapter 7. This Chapter provides a description of the
flight data reconstruction, analysis and simulation modelling of the 1992 Amsterdam
Bijlmermeer aircraft accident case (Flight 1862) using the Digital Flight Data
Recorder (DFDR) recovered after the accident. This study, based on accident
investigation work conducted for the Flight 1862 case [17, 18], resulted in high fidelity
non-linear aircraft and fault models for a large transport aircraft that are part of the
GARTEUR RECOVER benchmark. Section 6.2 of this Chapter first starts with a
description of the Flight 1862 accident case in order to provide a background on the
events that led up to the accident, associated flight technical issues, aircraft handling
characteristics and survivability aspects. The application of flight data from the
accident aircraft’s DFDR is described for the reconstruction and simulation of the Flight
1862 benchmark scenario. Section 6.3 provides a description of the GARTEUR
RECOVER benchmark including design specifications, simulation model architecture,
analysis and visualisation tools and some examples demonstrating the use of the
benchmark. Chapter 7 provides a detailed description of the defined operational
assessment criteria, which are an integral part of the RECOVER benchmark, for the
evaluation of new fault tolerant flight control algorithms.
A quick reference guide to the GARTEUR RECOVER benchmark is provided
as part of the software package [6]. The additional literature references [8, 9, 12]
provide further details of the basic simulation architecture, mathematical models,
signal definitions and conventions.

6.2 Flight 1862 Accident Reconstruction and Simulation


On October 4, 1992, a Boeing 747-200F freighter, Flight 1862, went down near
Amsterdam Schiphol Airport after the separation of both right-wing engines. In an
attempt to return to the airport for an emergency landing, the aircraft flew several
right-hand circuits in order to lose altitude and to line up with the runway as in-
tended by the crew. During the second line-up, the crew lost control of the aircraft.
As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor apart-
ment building in the Bijlmermeer, a suburb of Amsterdam. Results of the accident
investigation, conducted by several organisations including the Netherlands Acci-
dent Investigation Bureau [2] and the aircraft manufacturer, were hampered by the
fact that the actual extent of the structural damage to the right-wing, due to the loss
of both engines, was unknown. The analysis from this investigation concluded that
given the performance and controllability of the aircraft after the separation of the
engines, a safe landing was highly improbable.
In 1997, the division of Control and Simulation of the Faculty of Aerospace
Engineering of the Delft University of Technology (DUT), in collaboration with
the Netherlands National Aerospace Laboratory NLR, conducted an independent
analysis of the accident [17, 18]. In contrast to the analysis performed by the
Netherlands Accident Investigation Bureau, the parameters of the digital flight data
recorder (DFDR) were reconstructed using comprehensive modelling, simulation
and visualisation techniques. In this alternative approach, the DFDR pilot control
inputs were applied to detailed flight control and aerodynamic models of the acci-
dent aircraft. The purpose of the analysis was to acquire an estimate of the actual
flying capabilities of the aircraft and to study alternative (unconventional) pilot con-
trol strategies for a safe recovery and landing. The application of this technique
resulted in a simulation model of the impaired aircraft that could reasonably predict
the performance, controllability effects and control surface deflections as observed
on the DFDR. The analysis of the reconstructed model of the aircraft, as used for
the GARTEUR RECOVER benchmark, indicated that from a flight mechanics point
of view, the Flight 1862 accident aircraft was recoverable if unconventional control
strategies were used [17, 18].

6.2.1 Sequence of Events


The events that led up to the crash of Flight 1862 are described using Fig. 6.3 illus-
trating the aircraft’s flight trajectory and time of the events.
The Flight 1862 accident aircraft was scheduled for a cargo flight to Ben Gurion
International Airport, Tel Aviv, with an intermediate stop at Amsterdam Schiphol
Airport after a flight from John F. Kennedy International Airport, New York. The
flight crew received an air traffic control slot time of 17:20 (UTC) for departure.
The aircraft was refueled with 72 metric tons of Jet A1 fuel and was loaded with
a total of 114.7 metric tons of cargo. The takeoff gross weight of the aircraft was
338.3 metric tons.
At the time of departure, the preferred runways at Amsterdam Schiphol Airport
consisted of runway 01L (Zwanenburgbaan) for takeoff and 06 (Kaagbaan) for land-
ing. The aircraft was cleared for push back at 17:04 and taxied out at 17:14 (Fig.
6.1). The first officer was assigned as the pilot flying (PF). The takeoff from runway
01L was started at 17:21 and the aircraft was cleared by air traffic control (ATC) for
the Pampus departure.
At 17:27.30, while climbing through an altitude of about 6,500 feet, the aircraft
encountered a separation of the engines No. 3 and 4. The captain immediately
took control of the aircraft. Following the separation of both right-wing engines,
the emergency call “mayday, mayday, mayday, we have an emergency”, was
transmitted by the co-pilot. The aircraft started a right turn to return to the airport for
an emergency landing. According to eyewitnesses, dumping of the onboard fuel
started immediately (Fig. 6.2). Amsterdam Radar confirmed the emergency call and
directed the flight during the emergency procedure. After the crew acknowledged
their intentions, they were instructed to turn to a westerly heading of 260 degrees.
At 17:28.17, the crew reported a fire on engine No. 3 and they indicated a loss of
thrust on both engines No. 3 and 4. At 17:28.57, the aircraft was informed that the
main runway for landing was runway 06. The wind at that time was coming from a
heading of 40 degrees at 21 knots. The crew of the flight, however, requested the use
of runway 27 for landing. Because the aircraft was only 7 miles from the airport at
an altitude of 5,000 feet, a straight-in approach was not possible. ATC instructed the
crew to a northerly heading of 360 degrees to fly a circuit and to descend to 2,000
feet. By then the wind was coming from a heading of 50 degrees at 22 knots.

Fig. 6.1 The Flight 1862 accident aircraft taxiing before takeoff at Amsterdam Schiphol
Airport, October 4, 1992 (copyright Werner Fischdick)

Fig. 6.2 The Flight 1862 accident aircraft returning to the airport after separation of the No.
3 and 4 engines (picture: R. Plooy, Diemen)

At 17:31.17, the crew indicated that they needed “12 miles final for landing”.
During the transmission of this reply, the crew commenced the selection of flaps 1
for landing. While instructed to turn right to a heading of 100 degrees, the crew
reported “No. 3 and 4 are out and we have problems with the flaps”. After the aircraft
was established on a heading of 120 degrees, the crew maintained an indicated
airspeed of 260 knots and a gradual descent. ATC cleared Flight 1862 for approach and
instructed a westerly heading of 270 degrees to intercept the final approach course.
Indicated airspeed remained at about 260 knots at an altitude of 4,000 feet. After
the heading instruction from ATC, it took about thirty seconds before the heading
change was actually performed. When it became clear that the aircraft was going to
overshoot the runway centerline, ATC instructed Flight 1862 to turn to a heading of
290 degrees to intercept the localizer from the south. Twenty seconds later a new
heading of 310 degrees was instructed by ATC, along with the clearance to descend
to 1,500 feet.

Fig. 6.3 Flight 1862 ground track showing time (UTC) of events (copyright Google Earth)

At 17:35.03, the crew acknowledged the clearance by reporting “1,500, and we
have a controlling problem”. At this point, the DFDR shows that indicated airspeed
decreased below 260 knots which appeared to be causing a further significant
reduction in controllability. The crew was losing control of the aircraft and approximately
25 seconds later the captain called, “going down 1862, going down”. During this
transmission, the crew tried to recover the aircraft by raising the flaps and by
lowering the gear. The stick shaker¹ and ground proximity warning system were audible
in the background of the transmission. The remaining engines No. 1 and 2 were set
at maximum thrust.
At 17:35.42, the aircraft impacted in the Amsterdam Bijlmermeer area (Fig. 6.4)
at a roll angle of approximately 104 degrees to the right, a load factor of about 2.5g
and approximately 70 degrees pitch down.

¹ The stick shaker is a component of the aircraft’s Stall Protection System that rapidly
vibrates the control column to warn the pilot of an imminent stall.

Fig. 6.4 Impact area of the Flight 1862 accident aircraft (picture: Jos Wiersema)

6.2.2 Analysis of Flight 1862


Following the accident, the digital flight data recorder of the aircraft was found and
analysed [2]. This section provides an analysis of the accident flight based on the
data as observed on the DFDR. This includes a description of the aircraft’s perfor-
mance and control capabilities following the separation of the right-wing engines.
The results of this analysis are further described in [17, 18].
The Flight 1862 controllability and performance analysis in this Section was
used for the validation of the reconstructed aircraft model and the piloted sim-
ulator checkout preceding the experimental evaluations in this Action Group
(Part IV).

6.2.2.1 Control Capabilities


The aircraft design and certification requirements [3, 4] state that there should be
enough controllability to handle a multiple engine failure on one side in order to
continue flight. For certification, this requirement has to be demonstrated during
flight test up to the so-called air minimum control speed or V_mca. This speed is
defined as the minimum speed during a failure of the most critical engine at which
aircraft control and a fixed heading can be maintained with full rudder and with
sufficient lateral control authority to bank 5 degrees into the operating engine(s).
The first sign of an engine failure will be a sudden roll (φ) of the aircraft. If
directional control with the rudder pedals is not applied, or with a fixed rudder deflection
(δ_r), thrust asymmetry will cause the aircraft to yaw. Assuming a right multiple
engine failure for the nominal case with no structural wing damage, the resulting yaw
will create a negative sideslip angle (β) that creates a positive rolling moment to the
right (L̄_β). Instant control compensation in an engine failure flight condition may
consist of applying a rudder pedal input to counteract the yawing moment due to
thrust asymmetry (N̄_t), a control wheel deflection to counteract the rolling moment
due to sideslip (L̄_β) and rudder deflection (L̄_δr) or applying a thrust reduction on the
remaining engines to decrease the yawing moment.
For the case of Flight 1862 (Fig. 6.5), the wing damage caused an additional
lift loss (ΔL_damage) and drag increase (ΔD_damage) on the right wing. Because these
effects are a function of angle-of-attack, an increase in angle-of-attack will create
an additional rolling moment (ΔL̄_damage) and yawing moment (ΔN̄_damage) into the
direction of the dead engines. This in turn will require more opposite control wheel
deflection, especially to counteract bank steepening during manoeuvring. Banking
into the dead engines will increase the minimum control speed and therefore reduce
the available controllability.
The Flight 1862 accident aircraft was designed to have enough rudder authority
to keep the control wheel almost neutral with two engines inoperative on one side.
This flight condition can be maintained up to the remaining engines set at maximum
continuous thrust (MCT) corresponding to an engine pressure ratio (EPR) of 1.35
(MCT/EPR 1.35). Note that maximum continuous thrust is defined as the maximum
thrust setting at which the engines may be operated for unlimited time. The engine
pressure ratio is used here as a measure for the applied power setting and represents
the total pressure ratio across the engine (according to the Flight 1862 DFDR, an
EPR of about 1.45 was used as the takeoff thrust setting). For the Flight 1862 case,
the DFDR indicates that control wheel deflections between 20 and 60 degrees to the
left were needed for lateral control and straight flight (Fig. 6(a)). The aerodynamic
effects due to the wing damage and degraded effectiveness of the right-wing inboard
aileron required larger left wing down control wheel deflections than in the nominal
case. The largest deflection of approximately 60 degrees was required for straight
and almost level flight. This condition could only be maintained at full rudder pedal
and at high thrust (engine #1 set at EPR 1.56 and engine #2 set at EPR 1.45).
As observed on the DFDR data, maximum available rudder was needed during
straight flight (constant track angle) to counteract the yawing moment caused by
the separated right-wing engines. The traces of the rudder control surface activity
as a response to the rudder pedal inputs are shown in Fig. 6(b). In this figure, it
can be seen that, between about t=490s and t=790s into the flight, the lower rudder
lags the upper rudder when full pedal is applied. The simulation model of the Flight
1862 aircraft, developed during the study in [17, 18], enabled a reconstruction of the
DFDR rudder deflections and an analysis of the contribution of their control
authority to the aircraft’s control capabilities. By applying the DFDR pilot control inputs
to the simulation, taking into account the rudder surface hinge moments and partial
loss of hydraulic pressure, rudder deflections could be reconstructed subjected to the
effects of calculated aerodynamic blowdown and sideslip. As the cause of the
limited lower rudder control authority was unknown [2], the lower rudder deflections,
as observed in Fig. 6(b), were approximated in the simulation study in [17, 18] by
assuming a reduced lower rudder actuator hinge moment as a failure mode showing
a reasonable match with the DFDR rudder deflections.

Fig. 6.5 Flight 1862 aircraft forces and moments for equilibrium flight with separated
right-wing engines and wing damage

Fig. 6.6 Flight 1862 Digital Flight Data Recorder (DFDR) control wheel and rudder surface
deflections: (a) DFDR control wheel position (deg) against time (sec), maximum deflection
+/- 88 deg; (b) DFDR upper and lower rudder surface deflections (deg) against time (sec)

6.2.2.2 Performance Capabilities


The maximum performance capability indicates the climb capability of an aircraft,
for the current condition, that is available with constant airspeed. The actual climb
rate of the aircraft may not be equal to the maximum climb capability. In this con-
dition the aircraft acceleration is not equal to zero. The maximum performance ca-
pability is calculated by differentiation of the aircraft’s specific energy according to
the following equation:
$$\frac{dh_e}{dt} = \frac{dH}{dt} + \frac{V}{g}\,\frac{dV}{dt} \qquad (6.1)$$

Where:
$\frac{dh_e}{dt}$ = rate of change of specific energy (feet/minute)
$\frac{dH}{dt}$ = altitude or climb rate (feet/minute)
$\frac{dV}{dt}$ = acceleration along the flight path (feet/minute$^2$)
$g$ = gravitational acceleration (feet/minute$^2$)
$V$ = airspeed along the flight path (feet/minute)

The DFDR indicates that the Flight 1862 controllability and performance con-
dition, after separation of the right-wing engines, required engine thrust settings
between approximately MCT (EPR 1.3) and overboost thrust (EPR 1.62) (Fig. 6.7).
A high thrust setting (engine #1 set at EPR 1.56 and engine #2 set at EPR 1.45) was
needed to sustain almost straight and level flight.

Fig. 6.7 Flight 1862 DFDR engine No. 1 and 2 thrust settings (engine pressure ratio of
engine #1 and engine #2 against time in seconds)

An energy analysis of the flight using the DFDR data [2] indicated that after the
separation of the engines, the aircraft had level flight capability at go-around thrust
and at an indicated airspeed (IAS) of approximately 270 knots. Maneuvering ca-
pabilities were marginal and resulted in a loss of altitude. A normal load of 1.1g,
equivalent to 25 degrees of bank, reduced the maximum climb capability to approx-
imately minus 400 feet per minute. At MCT thrust and at an indicated airspeed of
approximately 270 knots, maximum climb performance was about minus 350 feet
per minute. Below 260 knots, a normal load factor of 1.15g and an angle-of-attack
above approximately 8 degrees resulted in significant performance degradation. At
an airspeed of 256 knots, a normal load factor of 1.2g (corresponding to about 33
degrees of bank angle) and MCT thrust, maximum climb performance was reduced
to minus 2000 feet per minute.

6.2.3 Failure Mode Configuration


Fig. 6.8 provides an overview of the sustained damage to the Flight 1862 aircraft’s
structure and onboard systems after the separation of both right-wing engines. An
analysis of the engine separation dynamics concluded [2] that the sequence was ini-
tiated by the detachment of the right inboard engine and pylon (engine No. 3) from
the main wing due to a combination of structural overload and metal fatigue in the
pylon-wing joint. Following detachment, the analysis shows that the right inboard
engine struck the right outboard engine (engine No. 4) in its trajectory while ruptur-
ing the right-wing leading edge up to the front spar. The associated loss of hydraulic
systems resulted in limited control capabilities due to unavailable control sur-
faces aggravated by aerodynamic disturbances caused by the right-wing structural
damage.
The crew of Flight 1862 was confronted with a flight condition that was very
different from what they expected based on training. The damage to Flight 1862
resulted in degraded flying qualities that required unconventional (untrained)
control strategies and operating procedures to manoeuvre the aircraft. Additionally, the
failure mode configuration caused an unknown degradation of the nominal flight
envelope of the aircraft in terms of minimum control speed and maneuverability
precluding safe operation using the remaining control capabilities. For the heavy
aircraft configuration at a weight of 317,460 kg (700,000 lb) and at a relatively low
indicated airspeed of around 260 knots, the DFDR indicates that flight control was
almost lost requiring full rudder pedal, 60 to 70 percent maximum control wheel
deflection and a high thrust setting on the remaining engines.

Fig. 6.8 Failure modes and structural damage configuration of the Flight 1862 accident
aircraft, suffering right-wing engine separation, partial loss of hydraulics and change in
aerodynamics

6.2.4 Flight Data Reconstruction and Simulation


The DFDR (Fig. 6.9) of the Flight 1862 accident aircraft was recovered in a highly
damaged state and the tape was broken in four places. The data used for the Flight
1862 reconstruction was obtained from the Netherlands National Aerospace Labora-
tory NLR. The quality of the DFDR data, with a sample rate of 1 Hz, was improved
by applying several interpolation routines to the original raw data parameters (Table
6.1) for the estimation of missing or damaged parts. During the reconstruction, sev-
eral repeated revisions and corrections to this data were made, based on engineering
judgement, using the original raw data dump.

Fig. 6.9 Digital Flight Data Recorder (picture: NTSB)

Table 6.1 DFDR parameters used for the Flight 1862 accident reconstruction and simulation

Parameter                        DFDR notation
-------------------------------  -------------
Lapsed time (sec)                LAPSE
Vane angle-of-attack (deg)       AAT
Altitude (feet)                  ALT
Control column position (deg)    CCP
Control wheel position (deg)     CWP
EPR engine 1                     EPR1
EPR engine 2                     EPR2
EPR engine 3                     EPR3
EPR engine 4                     EPR4
Flap handle position (deg)       FLAPH
Heading (deg)                    HEAD
Indicated airspeed (knots)       IAS
Lateral acceleration (g)         LATG
Longitudinal acceleration (g)    LONG
Mach number                      MACH
Pitch angle (deg)                PITCH
Roll angle (deg)                 ROLL
Rudder pedal position (deg)      RPP
Lower rudder deflection (deg)    RUDLO
Upper rudder deflection (deg)    RUDUP
Stabilizer trim (units)          STAB
Vertical acceleration (g)        VERG

The Flight 1862 reconstruction and simulation is based on a model validation
method using inverse simulation [5] (Fig. 6.10). The DFDR pilot control inputs U_p
are directly applied to the nonlinear simulation model of the aircraft and the flight
control system. The response error of the simulation output X_c and measured DFDR
data X_m are input to a feedback controller. The output of the feedback controller
is a measure of the fidelity of the reconstructed model. The reconstruction method
has the advantage that the combined effect of structural and flight control system
failures can be visualised using the simulation inputs and outputs. The estimation of
the aerodynamic effects due to structural damage caused by engine separation can be
performed by adjusting the parameters of an a-priori model structure of the damaged
wing until the controller output is minimised. An additional advantage of the method
is that the DFDR data, with a low sample rate, can be used directly to excite the
simulation model. The Flight 1862 reconstruction and simulation modelling process
is illustrated in Fig. 6.11. A proportional feedback controller was used to feed back
the DFDR and calculated pitch and roll state error responses to obtain a
proof-of-match between DFDR measurements and simulation data.

Fig. 6.10 Inverse simulation principle for flight data reconstruction [5]
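
The inverse-simulation loop described above, reduced to a single roll axis, as an added Python sketch that is not the RECOVER benchmark's code nor the model of [17, 18]. The roll-model coefficients, the feedback gain, the constant damage rolling acceleration used as the a-priori model structure, and the 1 Hz "DFDR" record are all assumptions constructed for illustration.

```python
import math

DT = 0.05        # simulation step in s (assumed)
STEPS = 20       # simulation steps per DFDR sample: the DFDR is sampled at 1 Hz
L_P = -1.0       # roll damping in 1/s (assumed)
L_WHEEL = 0.05   # roll acceleration per degree of control wheel (assumed)
K_FB = 8.0       # proportional gain, deg of wheel per deg of roll error (assumed)

def simulate(wheel_1hz, damage_roll_acc, roll_dfdr=None):
    """Single-axis roll model driven directly by the recorded wheel position,
    held for one second per sample. When roll_dfdr is given, a proportional
    controller feeds the roll error (measured minus simulated) back as extra
    wheel; that controller output is the fidelity measure."""
    phi = p = 0.0
    roll, feedback = [], []
    for k, wheel in enumerate(wheel_1hz):
        roll.append(phi)
        fb = K_FB * (roll_dfdr[k] - phi) if roll_dfdr is not None else 0.0
        feedback.append(fb)
        for _ in range(STEPS):
            p_dot = L_P * p + L_WHEEL * (wheel + fb) + damage_roll_acc
            phi += p * DT
            p += p_dot * DT
    return roll, feedback

def controller_effort(wheel_1hz, roll_dfdr, damage_roll_acc):
    """RMS of the feedback controller output over the record (deg of wheel)."""
    _, fb = simulate(wheel_1hz, damage_roll_acc, roll_dfdr)
    return math.sqrt(sum(u * u for u in fb) / len(fb))

def tune_damage(wheel_1hz, roll_dfdr, lo=0.0, hi=5.0, tol=1e-3):
    """Adjust the damage parameter until the controller output is minimised
    (golden-section search; the effort is unimodal for this linear model)."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    while hi - lo > tol:
        c = hi - g * (hi - lo)
        d = lo + g * (hi - lo)
        if controller_effort(wheel_1hz, roll_dfdr, c) < controller_effort(wheel_1hz, roll_dfdr, d):
            hi = d
        else:
            lo = c
    return 0.5 * (lo + hi)

def constructed_record(n=270, true_damage=2.0):
    """Constructed stand-in for a DFDR record: about 40 deg of left wheel held
    against a right rolling moment, with a slow +/- 10 deg manoeuvre on top."""
    wheel = [-true_damage / L_WHEEL + 10.0 * math.sin(2.0 * math.pi * k / 60.0)
             for k in range(n)]
    roll, _ = simulate(wheel, true_damage)
    return wheel, roll

if __name__ == "__main__":
    wheel, roll = constructed_record()
    print("effort, undamaged model:", round(controller_effort(wheel, roll, 0.0), 2))
    estimate = tune_damage(wheel, roll)
    print("estimated damage term:", round(estimate, 3))
    print("effort, tuned model:", round(controller_effort(wheel, roll, estimate), 4))
```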
Initial reconstruction of the DFDR data was conducted for the departure phase of
the undamaged aircraft using the published Flight 1862 weight and configuration.
This allowed a validation of the nonlinear baseline aircraft model and reconstruction
methodology by means of a proof-of-match with the DFDR data. The additional ef-
fects due to engine separation could then be identified for the damaged aircraft in the
subsequent flight phases using the model reconstruction process. The example flight
parameters, illustrated in Fig. 6.12, show that the applied reconstruction methodol-
ogy achieves a close match between the DFDR and baseline aircraft model before
the separation of the right-wing engines. The effect of wind conditions on the recon-
structed data was taken into account by including a wind model in the simulation
using meteorological data recorded at the time of the crash. Gust and turbulence
effects were not included in the simulation.

6.2.4.1 Model Reconstruction


The amount of structural damage to the Flight 1862 aircraft’s right wing, after the
separation of both right-wing engines, is shown in Fig. 6.13. The damage indicated
in this figure was estimated by examining wing debris recovered along the flight path
of the aircraft. The figure shows that most damage is concentrated in the vicinity of
engine No. 3 with smaller damaged parts in the direction of engine No. 4. Based
on the reconstructed wing structure, it can be concluded that the right wing was
damaged up to the front spar of the leading edge. The figure also indicates that the
right inboard aileron and spoiler panels No. 10 and 11 are located behind the most
severely damaged wing parts. This condition leads to a reduction of the control
effectiveness of these surfaces directly behind the disturbed flow causing a further
reduction of lateral control capabilities.

Fig. 6.11 Flight 1862 reconstruction and simulation modelling setup [17]

A similar incident in 1993, in which a Boeing 747 freighter (Flight 46E) lost its
left inboard engine [16], substantiates the amount of structural damage most proba-
bly incurred by the Flight 1862 accident aircraft (Fig. 6.14). In the 1993 incident, the
flight crew managed to recover the aircraft and conduct an emergency landing de-
spite the severe performance and controllability problems caused by the separated
engine. The Flight 46E control and performance capabilities were representative
of those encountered on Flight 1862. Ref. [16] shows that the pilot required up to
full right rudder pedal, approximately 60 degrees of right wing down control wheel
deflection and overboost thrust on engine No. 1 to control the aircraft towards a
survivable landing.
The aerodynamic effects due to engine separation and structural wing damage
were estimated using the Flight 1862 reconstruction and simulation modelling pro-
cess as illustrated in Fig. 6.11. The reconstructed aerodynamic effects were added
as contributions to the baseline aerodynamic coefficient equations of the validated
undamaged aircraft model. An initial estimation of the aerodynamic drag effects
of a partially damaged wing, having the most significant impact on aircraft perfor-
mance, was done using literature wind-tunnel data for a representative wing having
a cut-out, up to the front spar, at mid-span [17]. The loss of lift as a function of
angle-of-attack, caused by the damaged wing, is based on Boeing wind-tunnel data.
Additional effects were estimated to take into account the contribution of the sepa-
rated right-wing engines and leading edge structural damage to the aircraft’s pitch-
ing moment and control effectiveness of the right-wing inboard aileron and spoilers.
Fig. 6.12 Validation of the unfailed nonlinear baseline aircraft model and DFDR reconstruction
methodology for the Flight 1862 departure phase (t=47-371s). Panels, each comparing DFDR and
simulation against time (s): (a) DFDR and reconstructed altitude (feet), (b) DFDR and
reconstructed indicated airspeed (knots), (c) DFDR and reconstructed roll angle (deg),
(d) DFDR and reconstructed pitch angle (deg), (e) DFDR and reconstructed control wheel
position (deg), (f) DFDR and reconstructed control column position (deg)

Fig. 6.13 Flight 1862 estimated right-wing structural damage configuration (black and
shaded parts indicating loss of leading edge structure)

Fig. 6.14 Structural wing damage due to separation of engine No. 2, Evergreen Boeing 747-
121, Anchorage, 1993 [16]

The applied reconstruction methodology, as shown in Fig. 6.11, allows an iterative
adjustment of the initial aerodynamic estimates in an a-priori model structure, that
accounts for the overall effect of the separated right-wing engines, to obtain a match
with the DFDR data. The objective of the simulation tuning process was to closely
match the Flight 1862 trends in performance and control capabilities as provided by
the DFDR throughout the different flight phases.
Fig. 15(a), 15(b), 15(c) and 15(d) illustrate the effects of the estimated right-wing
damage aerodynamic contributions on example reconstructed model inputs and outputs
for the flight stage between t=378s and t=647s. It can be seen that, under the
prevailing flight conditions, a reasonable match between the DFDR and reconstructed
control wheel deflection (Fig. 15(a) and 15(b)) and roll angle (Fig. 15(c) and 15(d))
can be achieved.

Fig. 6.15 Effect of estimated aerodynamic contributions due to right-wing engine separation
on reconstructed control wheel deflection and roll angle (t=378-647s). Panels, each comparing
DFDR and simulation against time (s): (a) Reconstructed control wheel position (deg) without
aerodynamic estimates, (b) Reconstructed control wheel position (deg) including aerodynamic
estimates, (c) Reconstructed roll angle (deg) without aerodynamic estimates, (d) Reconstructed
roll angle (deg) including aerodynamic estimates
Fig. 16(a) shows the estimated amount of aerodynamic drag increase, due to the
loss of the right-wing engines, obtained by reconstruction of the DFDR aircraft per-
formance capabilities [17]. The shown reconstructed DFDR data includes the flight
segment up to the loss of control and with the inboard trailing edge flaps extended
to the flaps 1 detent. The figure indicates that, for the amount of right-wing leading
edge structural damage as shown in Fig. 6.13, a drag increase of about 10 percent
at low angle-of-attack may be expected as compared to the unfailed case. At higher
angle-of-attack, local flow separation at the right-wing damaged section (mid-span)
occurs, resulting in a rapid increase of drag of about 20 to 30 percent. This effect
resulted in a significant reduction of the aircraft’s maximum climb capability down
to approximately minus 1500-2000 feet/min, as observed on the DFDR, and can
be predicted well by the reconstructed model as shown in Fig. 16(b). The reduced
control authority of the damaged aircraft was insufficient to recover from the sig-
nificant performance degradation using the remaining engines as shown in Fig. 6.16
for both the DFDR data and reconstructed model. Post-accident visualisation of the
Flight 1862 loss of control sequence using the DFDR data is shown in Fig. 6.17
illustrating the relevant flight parameters as reconstructed by the simulation model.
Further validation and analysis results of the baseline aircraft model and Flight
1862 DFDR reconstruction can be obtained from [17, 18].

6.2.4.2 Simulation Analysis and Piloted Validation


A simulation analysis and piloted validation of the reconstructed Flight 1862 aircraft
model was performed to demonstrate the flight mechanical capabilities of the dam-
aged aircraft as a guidance for the FTFC control design teams in this Action Group.
Additionally, the analysis provided a reference for the definition of the benchmark’s
operational assessment criteria and flight envelope limitations (Chapter 7).
Fig. 18(a) indicates the estimated performance capabilities of the Flight 1862 ac-
cident aircraft, after separation of both right-wing engines, as a function of thrust
and aircraft weight [17, 18]. The reconstructed model indicates that in these con-
ditions and at a heavy weight of 317,460 kg (700,000 lb), level flight capability
was available between maximum continuous thrust (MCT) and take-off/go-around
thrust (TOGA). At or above approximately TOGA thrust, the aircraft had limited
climb capabilities. The required control wheel deflections, or lateral control mar-
gins, as a function of thrust and weight are indicated in Fig. 18(b). It can be seen
that adequate lateral control capabilities remained available to achieve the estimated
performance capabilities as shown in Fig. 18(a). Fig. 18(a) and 18(b) indicate a sig-
nificant improvement in performance capabilities and lateral control margins when a
weight reduction up to 261,972 kg (577,648 lb) achieved by fuel jettison is assumed
[17]. In general, the analysis shows that aircraft performance, following the sepa-
ration of both right-wing engines, remains sufficient to continue stabilised flight in
preparation for an emergency landing or further weight reduction by means of fuel
jettison.
The Flight 1862 simulation predicts sufficient performance and controllability,
after the separation of the right-wing engines, to fly a low-drag/low power approach
profile at a higher than nominal glide slope angle of about 3.5 degrees for a high-
speed landing or ditch at an airspeed of 200/210kts and at a lower weight of 261,972
kg (577,648 lb) (Fig. 18(c)). Note again that this weight could have been obtained by
jettisoning more fuel. The lower thrust requirement for this approach profile results
in a further improvement of lateral control margins that are adequate to compensate
for additional thrust variations (Fig. 18(d)).
The above data was obtained by calculating a stabilised (trimmed) flight condition
for the reconstructed nonlinear damaged aircraft model in the conditions as specified
by the Flight 1862 DFDR. Results from piloted validation, as part of the simulator
checkout prior to the Action Group’s experimental campaign (Part IV), generally
confirm the performance and control capabilities as observed on the DFDR and found
during the offline analyses. Fig. 6.19 and 6.20 provide simulator data for the
validation of the loss of control sequence and predicted gliding capabilities of the
damaged aircraft. For the validation, the pilot was briefed to try to maintain above
260 knots for stabilised flight and to set the flaps to the first detent (flaps 1) for
approach according to the DFDR. For the engine separation scenario, the simulator
data confirms that larger control wheel deflections are required when airspeed
reduces or load factor increases. After the failure, a moderate climb requires
takeoff/go-around thrust (EPR 1.45-1.5) on the remaining engines No. 1 and 2,
further control wheel deflections between approximately 40 and 60 degrees to the
left and full rudder pedal for straight flight. The climb capability in these
conditions is between approximately 200-500 feet/min. For the current aircraft
configuration, loss of flight control (Fig. 6.19) occurs at around 260kts while the
aircraft is in a 30 degrees bank turn and the engines set at maximum continuous
thrust. The resulting climb capability is reduced to approximately minus 1,000-1,500
feet/min prior to the loss of control. Fig. 6.20 provides a validation of the offline
predicted gliding capabilities of the damaged aircraft. The data shows that at almost
idle thrust, stabilised flight is maintained while decelerating along a 3-4 degrees
glide slope requiring control wheel deflections between neutral and 20 degrees to
the right.

Fig. 6.16 DFDR and reconstructed flight parameters of the Flight 1862 final stage of flight
up to the loss of control (inboard trailing edge flaps 1, t=648-874s). Panels, plotted against
time (s): (a) Estimated aerodynamic drag increase due to loss of right-wing engines (airplane
drag coefficient; nominal airplane drag and Flight 1862 airplane drag), (b) DFDR and
reconstructed maximum climb capability (feet/min*1000), (c) DFDR and reconstructed altitude
(feet), (d) DFDR and reconstructed indicated airspeed (knots), (e) DFDR and reconstructed roll
angle (deg), (f) DFDR and reconstructed pitch angle (deg), (g) DFDR and reconstructed control
wheel position (deg), (h) DFDR and reconstructed control column position (deg)

Fig. 6.17 Post-accident visualisation of the Flight 1862 DFDR data illustrating loss of control
sequence and relevant flight parameters as reconstructed by the simulation model (NLR).
(a) t=815s: Maximum climb capability: -1500 feet/min, Control wheel deflection: 60 deg left,
Angle-of-attack: 6.5 deg, MCT thrust
(b) t=855s: Maximum climb capability: -700 feet/min, Control wheel deflection: 88 deg full left,
Angle-of-attack: 7.5 deg, Takeoff/Go-around thrust
(c) t=874s: Control wheel deflection: 88 deg full left, Angle-of-attack: 12 deg, Maximum thrust

Fig. 6.18 Flight 1862 estimated aircraft performance, lateral control and gliding capabilities
following the separation of the right-wing engines (inboard trailing edge flaps 1, full rudder
pedal). Panels, each with curves for 317,460 kg (700,000 lb) and 261,972 kg (577,648 lb):
(a) Effect of engine thrust and weight on maximum climb performance for straight flight at
260kts (maximum climb capability in feet/min*1000 against EPR engines #1 & #2, MCT and TOGA
marked), (b) Effect of engine thrust and weight on control wheel position for straight flight
at 260kts (control wheel position in deg against EPR engines #1 & #2, MCT and TOGA marked),
(c) Effect of indicated airspeed and weight on glide slope angle for simulated low-drag/low
power approach profile (glide slope angle in deg against indicated airspeed in knots),
(d) Effect of glide slope angle and weight on control wheel position for simulated
low-drag/low power approach profile (control wheel position in deg against glide slope angle
in deg)

Fig. 6.19 Piloted simulator validation of aircraft loss of control sequence for engine
separation failure mode occurring at t=150s (Flight 1862 scenario). Panels, plotted against
time (sec): (a) Altitude (feet), (b) Indicated airspeed (knots), (c) Roll angle (deg),
(d) Angle-of-attack (deg), (e) Engine #1 and #2 EPR, (f) Maximum climb capability
(feet/min * 1000), (g) Control wheel position (deg), (h) Rudder pedal position (deg)

Fig. 6.20 Piloted simulator validation of aircraft gliding capabilities for engine separation
failure mode occurring at t=215s (Flight 1862 scenario). Panels, plotted against time (sec):
(a) Altitude (feet), (b) Indicated airspeed (knots), (c) Roll angle (deg), (d) Flight path
angle (deg), (e) Engine #1 and #2 EPR, (f) Maximum climb capability (feet/min * 1000),
(g) Control wheel position (deg), (h) Rudder pedal position (deg)

The estimated control capabilities of the Flight 1862 aircraft only satisfy a part
of the critical requirements for survivability and safe operation of a damaged air-
craft. Additional operational requirements include knowledge concerning the air-
craft’s limited operating envelope following a failure or damage, information on the
configuration of the damaged aircraft and piloting skills.

6.3 GARTEUR RECOVER Benchmark


For the (real-time) assessment of new fault tolerant flight control techniques, as
performed in this Action Group, a simulation benchmark was developed based on the
reconstructed and validated Flight 1862 aircraft model. The basic architecture of the
GARTEUR REconfigurable COntrol for Vehicle Emergency Return (RECOVER)
simulation benchmark is based on the Delft University Aircraft Simulation and
Analysis Tool DASMAT [12]. The DASMAT package was developed by the Delft
University of Technology in order to meet the requirements for computer assisted
design (CAD) using Matlab®/Simulink® and the evaluation of flight control systems.
The DASMAT tool was further enhanced with a full nonlinear simulation
of the Boeing 747-100/200 aircraft and its hydro-mechanical flight control system
(Flightlab747/FTLAB747) for the Flight 1862 accident study conducted by Delft
University [17, 18]. The simulation environment was subsequently utilised and further
enhanced as a realistic platform for the evaluation of fault detection and fault
tolerant control schemes within other research programmes [14, 15].

6.3.1 Description
The GARTEUR RECOVER software package is equipped with several simulation
and analysis tools, all centered around a generic nonlinear aircraft model for
six-degrees-of-freedom nonlinear aircraft simulations. For high performance
computation and visualisation capabilities, the package has been integrated as a toolbox
in the computing environment Matlab®/Simulink®. The tools of the RECOVER
benchmark include trimming and linearisation for (adaptive) flight control law
design, nonlinear off-line (interactive) simulations, simulation data analysis and flight
trajectory and pilot interface visualisations. Customisation of the RECOVER software
by applying user-generated models to the generic package is possible for the
simulation of any specific aircraft type or fault scenario. In conjunction with the
Matlab®/Simulink® Real-Time Workshop®, the benchmark model is suitable for
integration on simulation platforms for piloted hardware in the loop testing.
The GARTEUR RECOVER benchmark provides enhanced graphical and high
resolution aircraft visualisation capabilities supporting tool-based advanced control
system design and evaluation. This includes, for instance, the replay and animation
of offline (or piloted) simulation data, the visualisation of fault or aircraft upset
recovery scenarios or analysis of flight control system states and performance.
Additionally, the capabilities of the software are suitable for any educational or
demonstration purposes providing insight into the design of advanced flight control
algorithms, aircraft flight dynamics and handling qualities and human factors
interfaces.

Fig. 6.21 GARTEUR RECOVER benchmark software architecture and tools

The software architecture of the RECOVER simulation benchmark (Fig. 6.21)
comprises a generic aircraft model and aircraft specific modules including
aerodynamics, flight control system and engines. The baseline flight control system
model reflects the hydro-mechanical system architecture of the Boeing 747-100/200
aircraft [1, 8]. All modelled control surfaces are subjected to aerodynamic effects
and mechanical (rate) limits throughout the flight envelope to account for actuator
force limitations and control surface floating in the case of (multiple) hydraulic
system failures. Through the graphical user interface (Section 6.3.4), the user has
access to the RECOVER benchmark simulation and analysis tools.

Fig. 6.22 Adaptation of original benchmark model for simulation of ’fly-by-wire’ aircraft.
(a) Original benchmark model with classic controller and pilot control inputs
(b) RECOVER benchmark model with modern controller and control surface inputs

The original aircraft model of the RECOVER benchmark [15, 17] was based on
the classical Boeing 747-100/200 aircraft with a hydro-mechanical flight control
system (Fig. 22(a)) and with the pilot cockpit controls as inputs. For the research
goals in this Action Group, a ’fly-by-wire’ version of the Boeing 747-100/200 air-
craft was created where all twenty-six aerodynamic control surfaces and four en-
gines can be controlled individually. This allows new fault tolerant flight control
designs, as developed in this Action Group, to have the capability to completely
reconfigure the utilisation of the available flight control effectors (Fig. 22(b)).
Fig. 6.23 illustrates a schematic overview of the GARTEUR RECOVER benchmark
including relationships between the different model components of the benchmark.
The basic aircraft model contains airframe, actuator, engine and turbulence
models and is represented by the outline in the diagram designated as B747 model.
As described above, the input of this model was initially based on the pilot’s control
inputs, which have a fixed linkage to the control surfaces. To control the surfaces
separately, as required for the reconfigurable control algorithms, the Pilot controls
to actuators block is separated from the baseline aircraft model. A basic classical
controller is available in the benchmark, based on the Boeing 747 classic autopilot
including autothrottle, to serve as a reference for new adaptive control algorithm
designs. Any newly designed FTFC controller, to be evaluated with the benchmark
model, is meant to replace the classic autopilot and autothrottle and should drive
the separate control surfaces directly. This is indicated in the diagram by the outline
called Modern Controller. In order to operate the benchmark, a scenario and failure
mode generator is added. The scenario consists of commands fed into the autopilot
and autothrottle, while the failures are directly introduced into the airframe, flight
control system and propulsion models via Matlab®/Simulink® Goto/From blocks
as indicated by the broken lines.

Fig. 6.23 Detailed schematic of the GARTEUR RECOVER benchmark showing model
component relationships including test manoeuvre and failure scenario generation and fault
injection

6.3.2 Implementation
The GARTEUR RECOVER benchmark model consists of a combination of
Matlab® scripts and Simulink® block diagrams. In order to ensure consistency, the
top-level models have been built from common blocks that are linked to libraries.
All blocks and libraries are contained in the root directory of the benchmark called
’RECOVERv65’ (extension ’v65’ referring to the current Matlab® version 6.5.1).
A basic library (B747 library.mdl) contains the basic aircraft, engine and actuator
models, complete with failure models (Fig. 6.24). For the purpose of the GARTEUR
applications, an additional library was developed (ag16 library.mdl),
based on the basic library, that contains the larger and more extensively modified
sub-models out of which the top-level benchmark is built (Fig. 6.25). This extended
library contains models of the aircraft, the actuators, the sensors, the classic flight
control system and the benchmark failure generator.

Fig. 6.24 GARTEUR RECOVER benchmark basic aircraft simulation library (B747 library.mdl)

The actual benchmark model (b747 auto g.mdl) is depicted in Fig. 6.26. The
most important block is airframe which is the combination of the aircraft aerody-
namic model, engines and actuators. It also contains the fault models and the turbu-
lence and wind models. The inputs to this block are twenty-six separately control-
lable aerodynamic surfaces and four engine controls. The autoflight block represents
the implementation of the classic Boeing 747-100/200 autoflight system based on
[11]. This is the block that is to be replaced by any new FTFC controller design and
is intended as a working example of how the new controller is supposed to fit into the
aircraft. The classic autoflight system block consists internally of the B747-100/200
hydro-mechanical flight control system model (FCS) which forms the inner con-
trol loop and the autopilot and autothrottle systems, which together form the outer
control loop.
It is important to note that in the actual aircraft the autoflight block is driven by
switches and dials operated by the pilot. The pilot can independently select a pitch
mode and a roll mode and an autothrottle setting. The pitch mode is used to control
the aircraft in the vertical plane (up and down) and the roll mode is used to control
the aircraft in the horizontal plane (left and right). The autothrottle in the classical
autoflight system is needed to keep the airspeed at a constant reference value during
manoeuvres in the vertical and horizontal plane (advanced flight control concepts,
such as Multi-Input Multi-Output (MIMO) controllers, do not necessarily use thrust
to control airspeed). In the benchmark, the pilot commands are replaced by signals
generated by the benchmark scenario generator. A new FTFC controller is not
required to work in independent axes like the classical autopilot controller; however,
it should be able to accept the same commands.

Fig. 6.25 GARTEUR RECOVER benchmark component library (ag16 library.mdl)

Fig. 6.26 GARTEUR RECOVER benchmark main model components (b747 auto g.mdl)

The Test Scenarios block uses two pitch modes: altitude select and landing
(glideslope) and three roll modes: bank angle command, heading select and landing
(localizer). The Standard Sensors block represents three standard sensor systems
that are available in a modern aircraft, i.e. an Inertial Reference System (IRS), an
Air Data Computer (ADC) and an Instrument Landing System (ILS) receiver. The
ILS model in this block generates the glideslope deviation angle, the localiser devi-
ation angle and the distance to the threshold. Since the ILS signals have a limited
coverage area, ’glideslope valid’ and ’localizer valid’ signals are available to deter-
mine when the ILS is in range. The Standard Sensors block also contains realistic
measurement noise levels for these sensors. Since the classic Boeing 747-100/200
autoflight system [11] did not exactly use the standard sensors, there is a dedicated
measurements block (B747 Sensors) for this purpose. It should be noted that there
is not more information in these measurements than in the Standard Sensors block,
so any new controller should not use the B747 Sensors block.
The Failure Generator block activates any failure mode, as currently imple-
mented and described in Section 6.3.3.2, that is selected by the user during the
benchmark initialisation and trim procedure (Section 6.3.6). For the Flight 1862
scenario, all reconstructed failure modes associated with the physical loss of the
two right-wing engines (Fig. 6.8) are activated. The time delay after which a failure
mode is activated during any simulation can be customised in this block.
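
An added sketch, not the benchmark's Simulink code, of what a failure generator of this kind does to one control surface channel: after a configurable delay it overrides the commanded deflection with a stuck-at-offset or runaway behaviour of the kind listed in Table 6.3, and a simple command-tracking residual flags the activation. All names, the sign convention, the 10 deg/s runaway rate, the 25 deg limit and the command sequence are constructed for illustration; only the 3 degree offset and the 5 second delay are taken from the text.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SurfaceFault:
    """Fault description for one control surface channel (hypothetical structure)."""
    kind: str                 # "none", "stuck" or "runaway"
    t_fail: float = 0.0       # delay after which the fault becomes active [s]
    offset_deg: float = 0.0   # stuck: offset from trim [deg], positive = downward (assumed)
    limit_deg: float = 0.0    # runaway: deflection limit the surface drives to [deg]
    rate_dps: float = 0.0     # runaway: surface rate [deg/s]


def inject(fault: SurfaceFault, t: float, cmd_deg: float,
           trim_deg: float, prev_deg: float, dt: float) -> float:
    """Return the surface deflection actually reached at time t."""
    if fault.kind == "none" or t < fault.t_fail:
        return cmd_deg                      # healthy: surface follows the command
    if fault.kind == "stuck":
        return trim_deg + fault.offset_deg  # command is ignored from t_fail onwards
    if fault.kind == "runaway":
        # Move from the previous position towards the limit, rate limited.
        step = fault.rate_dps * dt
        delta = fault.limit_deg - prev_deg
        return prev_deg + max(-step, min(step, delta))
    raise ValueError(f"unknown fault kind: {fault.kind!r}")


def simulate(fault: SurfaceFault, commands: List[float],
             trim_deg: float, dt: float) -> List[float]:
    """Run the command sequence through the fault model, one sample per dt."""
    actual, prev = [], trim_deg
    for k, cmd in enumerate(commands):
        prev = inject(fault, k * dt, cmd, trim_deg, prev, dt)
        actual.append(prev)
    return actual


def first_tracking_loss(commands: List[float], actual: List[float],
                        dt: float, tol_deg: float) -> Optional[float]:
    """Time of the first sample where the surface no longer tracks its command.

    A stuck surface stays invisible to this residual for as long as the command
    happens to equal the stuck position, so this is a lower bound on detection
    delay, not a guarantee.
    """
    for k, (cmd, act) in enumerate(zip(commands, actual)):
        if abs(act - cmd) > tol_deg:
            return k * dt
    return None


# Constructed inputs: 1 s sample time, trim at 0 deg, small command excursions.
DT = 1.0
TRIM_DEG = 0.0
COMMANDS_DEG = [0.0, 1.0, 2.0, 1.0, 0.0, -1.0, -2.0, -1.0, 0.0, 1.0]

# Stuck surface, 3 deg offset from trim, active after 5 s of normal flight.
STUCK = SurfaceFault("stuck", t_fail=5.0, offset_deg=3.0)
# Runaway to a limit; the limit and rate values are placeholders, not aircraft data.
RUNAWAY = SurfaceFault("runaway", t_fail=5.0, limit_deg=25.0, rate_dps=10.0)

if __name__ == "__main__":
    for name, fault in (("stuck", STUCK), ("runaway", RUNAWAY)):
        actual = simulate(fault, COMMANDS_DEG, TRIM_DEG, DT)
        t_det = first_tracking_loss(COMMANDS_DEG, actual, DT, tol_deg=0.5)
        print(name, actual, "tracking lost at", t_det, "s")
```
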
For interactive (manual) simulation purposes, an open loop simulation model
(b747 funpc d.mdl) is available (Fig. 6.27). It contains the same aircraft, engine
and actuator model as the benchmark. Also the failure generator is exactly the same.
The RECOVER open loop model is in a functional form, i.e. it has explicit inputs
(12) and outputs (140). The inputs basically consist of the pilot’s controls as found
on the Boeing 747 flight deck. The structure of this model is very similar to the
model that is used for trimming (b747 trim d.mdl).

6.3.3 Fault Scenarios Specification


For the specification of the GARTEUR RECOVER benchmark fault scenarios, the
Action Group conducted a survey to identify commonly encountered failure modes
and damage to large transport aircraft. There was a contribution from Airbus to this
study, which ensured that the studied problems are indeed practical. The other part
of this study was an aircraft loss of control analysis based on accident and incident
databases. The selected fault scenarios from this analysis have proven to be criti-
cal in recent accident and incident cases and represent a combination of structural
damage and stuck or erroneous control surfaces. An additional requirement for the
selection of the fault scenarios was the availability of sufficient information or flight
test data for the modelling and validation of the failure modes. The final result of the
study was a recommendation for a list of standard faults to be studied, a standard
flight scenario and a set of operational assessment criteria (Chapter 7).
Fig. 6.27 GARTEUR RECOVER functional model for open loop simulation
(b747 funpc d.mdl)

6.3.3.1 Flight Scenario


The geometry of the GARTEUR RECOVER benchmark flight scenario is roughly
modelled after the Flight 1862 accident profile (Fig. 6.28). The scenario consists of
a number of phases. First, it starts with a short section of normal flight, after which
the fault occurs, which is in turn followed by a recovery phase. If this recovery
is successful, the aircraft should again be in a stable flight condition, although not
necessarily at the original altitude and heading. After recovery, an optional identi-
fication phase is introduced during which the flying capabilities of the aircraft can
be assessed. This allows for a complete parameter identification of the model of the
damaged aircraft as well as the identification of the safe flight envelope. Hopefully,
the knowledge gained during this identification phase can be used by the controller
to improve the chances for a safe landing. In principle, the flight control system is
now reconfigured to allow safe flight within the identified limited operating bound-
aries. The performance of the reconfigured aircraft is subsequently assessed in a
series of five flight phases. These consist of straight and level flight, a right-hand
turn to a course intercepting the localizer, localizer intercept, glideslope intercept
and the final approach. During the final approach phase, the aircraft is subjected to
a sudden lateral displacement just before the threshold, which simulates the effect
of a low altitude windshear. The landing itself is not part of the benchmark, because
a realistic aerodynamic model of the damaged aircraft with ground effect is not
available. However, it is assumed that if the aircraft is brought to the threshold in a
stable condition, the pilot would be able to take care of the final flare and landing
(taking into account any operational limitations of the damaged aircraft).

Fig. 6.28 GARTEUR RECOVER benchmark flight scenario for qualification of fault tolerant
flight control systems for safe landing of a damaged large transport aircraft (source: Jerome
Cieslak / IMS-Bordeaux)

The RECOVER benchmark scenario and in particular the definition of the fault
tolerant flight control assessment criteria are further elaborated in Chapter 7.
Table 6.2 summarises the test scenario phases that can be selected in the
benchmark. The aircraft is trimmed to the required steady initial condition for each
of the test scenarios. If the previous test was unsuccessful, the next test can be
executed anyway. The user should transfer any control reconfiguration scheme and any
other built-up knowledge about the state of the aircraft from one test scenario to the
next.

Table 6.2 GARTEUR RECOVER benchmark test scenario phases

| Test scenario | Name | Description |
|---|---|---|
| 0 | Failure event | This is the test phase during which the failure is supposed to occur first. It is scheduled to occur after 5 seconds of normal steady flight. The main task of the control system is to recover from any adverse flight situation and to regain steady flight in an arbitrary (safe) flight condition. |
| 1 | Straight flight | This is the first assessment test of the recovered aircraft. It is primarily to show that a trimmed condition can be maintained. |
| 2 | Right turn and localizer intercept | This is the second assessment test to show that the aircraft can be safely manoeuvred in the horizontal plane so that the aircraft is lined up for landing. |
| 3 | Glideslope intercept | This is the third assessment test to show that the aircraft can be safely manoeuvred in the vertical plane so that a landing can be made. |
| 4 | Final approach with sidestep | This is the fourth assessment test to show that the aircraft can recover from an additional disturbance very close to the runway. |
| -1 | Parameter identification (user supplied) | This is an optional test that can be freely used by the developer for purposes like determining a new dynamic model of the failed aircraft or a safe flight envelope. It is supposed to occur after the failure event, but before any of the test scenarios, so that any obtained results could be used in these scenarios. |

6.3.3.2 Fault Cases and Models

A description of the selected fault cases and their effect on the aircraft handling
qualities is shown in Table 6.3. Although the first four failure modes in the table are
serious, it might be expected that continued flight to the original destination would
be possible. That is not true for the last two fault cases which are extremely serious
and where a landing at the nearest airport becomes very critical. The next to last
case is directionally unstable due to the loss of the vertical tail and rudder controls.
It is similar to aircraft accident cases in which a loss of the vertical tail occurred
(e.g. JAL Flight 123), although it is not intended to be an accurate representation.
The last fault case is an accurate representation of the Flight 1862 accident case
as described in this Chapter. In this case, the aircraft is not unstable, but handling
qualities are degraded and the flight envelope is severely limited. In the last two
cases, it cannot be expected that the aircraft will be able to follow the reference
trajectory closely. The benchmark assessment criteria have been designed to take
this into account by emphasising end conditions in the specifications (Chapter 7).
Appendix 1 of Chapter 17 shows a complete overview of the failure mode test matrix
for the (piloted) evaluation of the FTFC methods indicating available means of flight
control reconfiguration and assessment criteria.
Fig. 6.29, 6.30, 6.31, 6.32 and 6.33 illustrate how the selected fault cases are
modelled and implemented in the Matlab®/Simulink® RECOVER benchmark model.
As an example, Fig. 6.29 shows the model for the rudder failure modes, including
the rudder hardover and vertical tail loss fault cases. The first part of the rudder
failure model implements fault case #4 (Table 6.3) which is the rudder runaway or
rudder hardover failure mode. In this failure mode, the rudder surfaces are deflected
to the maximum left aerodynamic blowdown limit, which is dependent on airspeed
(at 270kts the maximum rudder deflection is about 15 deg while at 165kts the
rudder is deflected to a maximum of 25 deg). The flag failure4 for the rudder hardover
failure mode is generated by the benchmark failure generator and enters the diagram
via a From block. The model first holds the current value of the rudder surface and
then adds a constant value via an offset (currently set to zero) and a positive ramp.
The ramp is set at the published maximum B747-100/200 rudder deflection rate.
The second part of the rudder failure model implements fault case #9 which is the
loss of the vertical tail. The vertical tail loss is approximated by assuming that there
is no rudder and therefore the effect of the rudder is made equal to zero. The other
models for the control surface fault cases are very similar and are shown in Fig.
6.30, 6.31 and 6.32.

Fig. 6.29 Rudder fault model including rudder hardover and vertical tail loss failure modes

Table 6.3 GARTEUR RECOVER benchmark standard fault cases and effect on aircraft
handling qualities

| Failure mode | Name | Description | Effect on aircraft | Criticality |
|---|---|---|---|---|
| 0 | No failure | Baseline undamaged aircraft | | |
| 1 | Stuck elevators | All elevator surfaces are stuck in a faulty position with a downward offset from trim of 3 degrees. | Sustained pitch down moment | Major |
| 2 | Stuck aileron | All aileron surfaces are stuck in a faulty position with a downward offset from trim of 3 degrees. | Reduction of lateral control effectiveness | Major |
| 3 | Stabiliser runaway | The stabiliser surface moves quickly to a downward offset from trim of 2 degrees. | Sustained pitch down moment | Catastrophic |
| 4 | Rudder runaway | All rudder surfaces move quickly to the left aerodynamic blowdown deflection limit. Maximum rudder deflection is speed dependent. | Sustained left yawing moment | Catastrophic |
| 5 | Stuck elevators (with turbulence) | As failure mode #1 with turbulence and wind | | |
| 6 | Stuck aileron (with turbulence) | As failure mode #2 with turbulence and wind | | |
| 7 | Stabiliser runaway (with turbulence) | As failure mode #3 with turbulence and wind | | |
| 8 | Rudder runaway (with turbulence) | As failure mode #4 with turbulence and wind | | |
| 9 | Loss of vertical tail | Rudder control surfaces not available | Loss of all damping in the roll and yaw axes | Catastrophic |
| 10 | Flight 1862 case (dynamic method) | Separation of right-wing engines #3 and #4 | Loss of lateral control margins and effectiveness, sustained right rolling moment, sustained pitch down moment, reduction of aircraft performance capabilities | Catastrophic |
| 11 | Flight 1862 case (static method) | As failure mode #10. Allows comparison with the original Flight 1862 failure model. Implemented using values in masked entries and cannot be used for test scenario #1, which requires a failure to occur at t=5s. | | |

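
The rudder fault logic described above (hold, offset, ramp, blowdown saturation, and the zeroed rudder effect for vertical tail loss) can be sketched as follows. This is an added example, not the benchmark's Simulink model: the class and function names, the linear interpolation between the two quoted blowdown points, and the choice of positive deflection as "left" are assumptions.

```python
"""Rudder fault injection sketch (added example, not the benchmark's own code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Quoted in the text: about 25 deg at 165 kts and about 15 deg at 270 kts.
BLOWDOWN_POINTS = ((165.0, 25.0), (270.0, 15.0))
# Table 6.5, rudder with two hydraulic systems (full boost), in deg/s.
RUDDER_MAX_RATE_DEG_S = 50.0


def blowdown_limit_deg(airspeed_kts: float) -> float:
    """Speed-dependent maximum rudder deflection.

    Assumption: linear interpolation between the two quoted points and a
    constant limit outside them; the benchmark's real schedule is not given.
    """
    (v_lo, d_lo), (v_hi, d_hi) = BLOWDOWN_POINTS
    if airspeed_kts <= v_lo:
        return d_lo
    if airspeed_kts >= v_hi:
        return d_hi
    frac = (airspeed_kts - v_lo) / (v_hi - v_lo)
    return d_lo + frac * (d_hi - d_lo)


@dataclass
class RudderFaultModel:
    """Fault cases #4 (hardover) and #9 (vertical tail loss) for one rudder channel."""
    offset_deg: float = 0.0                    # "currently set to zero" in the text
    rate_deg_s: float = RUDDER_MAX_RATE_DEG_S  # ramp slope after the failure
    _last_surface: float = 0.0
    _held: Optional[float] = None
    _t_fail: Optional[float] = None

    def step(self, t: float, cmd_deg: float, airspeed_kts: float,
             failure4: bool = False, failure9: bool = False) -> Tuple[float, float]:
        """Return (surface deflection, deflection seen by the aerodynamic model)."""
        limit = blowdown_limit_deg(airspeed_kts)
        if failure4:
            if self._t_fail is None:
                # First flagged sample: latch the time and hold the current surface value.
                self._t_fail = t
                self._held = self._last_surface
            runaway = self._held + self.offset_deg + self.rate_deg_s * (t - self._t_fail)
            surface = min(runaway, limit)      # saturate at the (assumed positive) left limit
        else:
            surface = max(-limit, min(cmd_deg, limit))
        self._last_surface = surface
        # Fault case #9: no rudder, so its aerodynamic effect is set to zero.
        effective = 0.0 if failure9 else surface
        return surface, effective


def run_scenario(airspeed_kts: float, cmd_deg: float, t_end: float = 8.0,
                 dt: float = 0.1, t_fail: float = 5.0) -> List[Tuple[float, float]]:
    """Constant command and airspeed with a hardover flagged from t_fail onwards."""
    model = RudderFaultModel()
    fail_step = round(t_fail / dt)
    history = []
    for k in range(round(t_end / dt) + 1):
        t = k * dt
        surface, _ = model.step(t, cmd_deg, airspeed_kts, failure4=(k >= fail_step))
        history.append((t, surface))
    return history


if __name__ == "__main__":
    for t, surface in run_scenario(270.0, 2.0)[48:56]:
        print(f"t={t:4.1f} s  rudder={surface:5.1f} deg")
```

With the 50 deg/s ramp the surface reaches the 15 deg limit at 270 kts well within one second of the failure flag, which is why a reconfiguring controller has little time to react in this fault case.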
The Flight 1862 scenario is the most complicated failure mode implemented in
the benchmark and consists of a combination of both hydraulic system and struc-
tural failure modes. The separation of both right-wing engines will result in a loss
of hydraulic systems No. 3 and 4 and a loss of control surfaces according to the
B747-100/200 hydraulic systems architecture as described in Ref. [1]. Additional
effects on the weight and balance of the aircraft, including a lateral shift of the
center-of-gravity and an estimated weight loss due to the missing engines, are taken
into account. The aerodynamic effects due to the loss of the right-wing engines, es-
timated using the Flight 1862 DFDR data, are calculated in a separate model (Fig.
6.33) and added as contributions to the baseline aerodynamic coefficients.

Fig. 6.30 Elevator fault model including stuck elevator failure mode

Fig. 6.31 Aileron fault model including stuck aileron failure mode

6.3.4 Graphical User Interface


The GARTEUR RECOVER benchmark is operated via a Matlab® graphical user
interface (Fig. 6.34) from which the different benchmark tools may be selected.
The user options in the main menu are divided into three main sections: performing
benchmark initialisation and simulations, running the analysis tools and
opening the user manual for reference purposes. A typical evaluation of a designed
control algorithm (Section 6.3.6) will start with the initialisation of an open loop
or closed loop simulation including the calculation of the trim condition and se-
lection of test scenario and fault case. This is done via the Open-Loop Simulation
or Closed-Loop Simulation button. The closed loop simulation is conducted with
the preset benchmark test scenarios as defined in Table 6.3. Following simulation
(open loop, closed loop or via manually controlled inputs in the open loop
functional model (Fig. 6.27)), the performance of the designed control algorithms can
be evaluated by running the benchmark assessment criteria (Show Assessment
Criteria button). Additional time responses of the aircraft states following a simulation
can be generated using the plot_sim.m script via the Plot Simulation Results
button. For control law design purposes, the nonlinear aircraft model can be linearised
using an integrated linearisation routine (Linearise Aircraft button). This routine
allows a linear model of the aircraft to be obtained with thirty control inputs consisting
of all control surfaces and engine thrust settings. A visualisation tool (Section 6.3.5)
is integrated with the benchmark for aircraft manoeuvre and trajectory analysis or
interactive (real-time) simulations and can be selected using the Recover
Visualisation button. A user reference to the RECOVER benchmark is available via the Help
Recover button.

Fig. 6.32 Stabiliser fault model including stabiliser runaway failure mode

Fig. 6.33 Fault model including estimated aerodynamic effects due to separation of the
right-wing engines No. 3 and 4 (Flight 1862 scenario)

Fig. 6.34 GARTEUR RECOVER benchmark main menu

6.3.5 Aircraft Visualisation


The GARTEUR RECOVER benchmark aircraft visualisation and animation tool
provides a graphical solution for the visualisation of the benchmark’s specified
approach and landing scenario and flight trajectory (Fig. 6.35). The tool provides high
resolution graphic representations of the aircraft, cockpit flight instrumentation and
airport environment (Amsterdam Schiphol airport and surroundings) for
interactive (real-time) simulations or manoeuvre and flight path analysis. The pilot
interface (Fig. 6.36(a) and 6.36(b)), showing the main aircraft, control system and engine
state parameters, is based on specifications of the electronic flight instrument sys-
tem (EFIS) displays as found on the B747-400 aircraft. Additional features on the
displays, not found on the standard B747-400 instrumentation, are included to as-
sess human-machine interfacing (HMI) aspects of new fault tolerant flight control
algorithms and flight envelope protection measures. For these design applications,
the standard primary flight display (PFD) can be configured to display the aircraft’s
bank angle, pitch angle and airspeed envelope protection limits as calculated by a
new intelligent self-adaptive control system. The lower display (Engine Indicating
and Crew Alerting System (EICAS) display) provides the parameters of the four
engines, using Engine Pressure Ratio (EPR) as the main thrust setting reference,
and inboard trailing edge flap position. Additional aircraft state information on the
EICAS display includes angle-of-attack and sideslip. The status of the flight con-
trol system and control laws is provided by the presentation of the control surface
deflections. A basic 3D aircraft model, representing the B747-100/200 aircraft, and
a view of the aircraft’s flight path in the out-of-the-window view allow analysis of
the flight trajectory and manoeuvres. The RECOVER interactive simulation window
can be started via the RECOVER Visualisation button following initialisation of an
open loop or closed loop simulation.

Fig. 6.35 GARTEUR RECOVER benchmark high resolution aircraft visualisation tool
showing out-of-the-window view and electronic flight instrument system (EFIS) displays for
interactive (real-time) simulation and analysis of new fault tolerant flight control systems

Fig. 6.36 GARTEUR RECOVER benchmark electronic flight instrument system (EFIS)
display elements
(a) Primary Flight Display: indicated airspeed (1), altitude (2), aircraft attitude and
envelope protection limits (3), aircraft heading (4)
(b) EICAS display: engine EPR (1), inboard trailing edge flap position, angle-of-attack,
sideslip and load factor (2), control surface and stabiliser deflections (3)

6.3.6 User Example


This section demonstrates the steps necessary for a typical closed loop simulation
within the GARTEUR RECOVER benchmark (b747_auto_g.mdl) for an
investigation of the aircraft behaviour. A separation of both right-wing engines is selected
as an example failure mode (Flight 1862 scenario). The Matlab® command line
scripts are set up to give reasonable default values for all questions during
initialisation of the simulation. The user may enter the correct data if he wants to deviate
from the default values. The user input prompt is indicated by a semicolon during
initialisation.
Fig. 6.37: After selecting Closed-Loop Simulation in the main menu, the closed
loop initialisation is started in the Matlab® command window and the first step is
to define the failure model. For this example, the dynamic version of the Flight 1862
failure case is chosen (failure mode #10).
Fig. 6.38: The next step is to choose the test scenario. The Failure event scenario
is chosen, which shows the effect of the sudden occurrence of the failure after five
seconds of flight. In addition, turbulence and predefined wind conditions can be
selected.
Fig. 6.39: The program continues by giving the selected choices together with
the aircraft and flight condition that were set by the test scenario. This includes the
weight and balance of the aircraft, altitude and airspeed and aircraft configuration.
For the Failure event scenario, the pitch mode is selected as Altitude select with a
reference altitude (1000m in this example) and the roll mode is selected as Bank
angle command with a reference bank angle of 0 deg. No further information to the
trim routine is required since everything is prescribed by the test scenario.

Fig. 6.37 Selection of failure mode

Fig. 6.38 Selection of test scenario

Fig. 6.40: The user is then able to set initial values for the controls used for
trimming, but it is usually sufficient to accept the default values here. For trimming, the
b747_trim_d.mdl model is used. This completes the setup of the trim routine for
the optimisation. The trim routine runs and gives a trim result in terms of stabiliser
deflection and thrust. The user is asked if he is satisfied with the trim results.
Fig. 6.41: If the optimisation is acceptable, the required engine EPR setting is
derived from the thrust in the next step and the trim results can be saved.
Fig. 6.42: The simulation is performed using the closed loop model given in
b747_auto_g.mdl which contains the test scenario generator. When the
simulation has ended, the user is able to save the results and to make some plots. These
plots are generated by the plot_sim.m script that can also be activated via the
main menu.

Fig. 6.39 Confirmation of test scenario and aircraft and control mode variables set by the test
scenario

Fig. 6.43: The plotted simulation results of the aircraft states demonstrate that
up to t=5s the flight condition is stable. When the failure is inserted at t=5s the
aircraft begins to diverge. The simulation run has been ended at t=35s because the
angle-of-attack (α) is outside the validated model boundaries.
Fig. 6.44: The calculated specific forces show the effect of the sudden loss of
thrust, due to the separation of the right-wing engines, on the longitudinal
acceleration (Axb) at t=5s. Lateral acceleration (Ayb) shows an increase following the
detachment of the engines at t=5s due to sideslip caused by the asymmetrical thrust
and wing damage configuration.

6.3.7 Aircraft Characteristics


The Boeing 747-100/200 aircraft is a large jet transport aircraft designed for long
distance operations. All systems aboard the aircraft are made operational by four
fan jet turbo-engines that deliver the required thrust. Through a mechanical gear-
box underneath each engine, the engine high pressure shaft (N2) is connected with
pressure and electrical generating units. In addition, engine compressor bleed air is
taken from the engine for pneumatic air supply.
The hydraulic system of the B747 series aircraft consists of four independent
main hydraulic supply systems. The systems No. 1 and 4 are the primary sys-
tems whereas the systems No. 2 and 3 are the secondary systems. Each system is
associated with an engine. Pressurization units for hydraulic power to the flight
control and landing gear systems are located at every engine.

Fig. 6.40 Controls initialisation for trimming and trim routine results

The B747-100/200 flight control system comprises a primary flight control sys-
tem and a secondary flight control system. The primary flight control surfaces are
powered by irreversible hydraulic actuators which are supplied by the four inde-
pendent hydraulic systems. The actuators for the elevator, aileron and rudder sur-
faces are driven by single dual tandem type actuators supplied by two independent
214 H. Smaili et al.

Fig. 6.41 Trimmed engine EPR settings and end of the optimisation procedure

Fig. 6.42 Execution of the closed loop simulation

hydraulic systems (full boost). The spoilers of the secondary flight control system
are driven by conventional single cylinder actuators. The availability of the control
surfaces will be affected in case of the loss of hydraulic supply. The control surface
actuators are designed to allow unrestricted operation of the surface in the event of
the loss of one actuator (half boost). When hydraulic supply to both actuators is lost,
the surface reverts to a zero-hinge moment floating position. The arrangements of
the hydraulic power supply distribution for the B747-100/200 flight control system
is summarised in Table 6.4.
The B747-100/200 high lift system consists of the trailing edge flaps and the lead-
ing edge flaps with selectable detents of 1, 5, 10, 20, 25 and 30 degrees. Automatic
flap retraction to the 25 detent (flap load relief) is provided to prevent structural
overload of the fully extended trailing edge flaps when indicated airspeed exceeds
169kts at flaps 30. Extension of the outboard trailing edge flaps will unlock the
outboard ailerons.

Fig. 6.43 State variables during benchmark run with closed loop model
(b747_auto_g.mdl) and Flight 1862 failure case starting at t=5s

Fig. 6.44 Specific forces in body axes during benchmark run with closed loop model
(b747_auto_g.mdl) and Flight 1862 failure case starting at t=5s

Table 6.4 Arrangements of the hydraulic power supply distribution for the B747-100/200
flight control system

| Hydraulic system | Longitudinal axis | Lateral axis | Directional axis | High lift |
|---|---|---|---|---|
| #1 | Left outboard elevator; Right inboard elevator | Left outboard aileron; Left inboard aileron | Upper rudder; Upper rudder turn coordinator | Inboard flaps |
| #2 | Right inboard elevator; Stabiliser | Left outboard aileron; Right inboard aileron; Spoilers #2,#3,#10,#11 | Lower rudder; Lower rudder yaw damper | |
| #3 | Left inboard elevator; Stabiliser | Right outboard aileron; Left inboard aileron; Spoilers #1,#4,#9,#12 | Upper rudder; Upper rudder yaw damper | |
| #4 | Right outboard elevator; Left inboard elevator | Right outboard aileron; Right inboard aileron; Spoilers #5,#6,#7,#8 | Lower rudder; Lower rudder turn coordinator | Outboard flaps |

Table 6.5 B747-100/200 flight control surface operating limits (positive sign: surface
deflection downward / spoiler panel up)

| Control surface | Symbol | Mechanical limit (deg) | Two hydraulic system rate (Full boost, deg/sec) | One hydraulic system rate (Half boost, deg/sec) |
|---|---|---|---|---|
| Inboard elevator | δei | +17/-23 | +37/-37 | +30/-26 |
| Outboard elevator | δeo | +17/-23 | +37/-37 | +30/-26 |
| Stabiliser | ih | +3/-12 | +/-0.2 to +/-0.5 | +/-0.1 to +/-0.25 |
| Inboard aileron | δai | +20/-20 | +40/-45 | +27/-35 |
| Outboard aileron | δao | +15/-25 | +45/-55 | +22/-45 |
| Spoilers #1 - #4 | δsp1−4 | +45 | +75 | 0 |
| Spoilers #9 - #12 | δsp9−12 | +45 | +75 | 0 |
| Spoilers #5, #8 | δsp5, δsp8 | +20 | +75 | 0 |
| Spoilers #6, #7 | δsp6, δsp7 | +20 | +25 | 0 |
| Upper rudder | δru | +25/-25 | +50/-50 | +40/-40 |
| Lower rudder | δrl | +25/-25 | +50/-50 | +40/-40 |

The B747-100/200 flight control surface arrangements and operating limitations
are illustrated in Fig. 6.45 and Table 6.5. Fig. 6.46 and Table 6.6 provide aircraft op-
erational data and geometric dimensions for both the B747-100/200 and B747-200F
(freighter version). For the benchmark simulation, the B747-100/200 hydraulic and
flight control system specifications, as described in this Section, were taken from
[1, 8].
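
The full boost / half boost / floating rules above, combined with Table 6.4, determine which surfaces remain after a hydraulic loss such as the Flight 1862 case (systems No. 3 and 4). The sketch below is an added example, not part of the benchmark: the dictionary is a reading of Table 6.4 as printed, the function names and the three status labels are assumptions, and "no supply" means the floating position only for the dual-actuator primary surfaces the text describes.

```python
"""Hydraulic loss -> control surface availability (added example, not benchmark code)."""

# Table 6.4 as read from the page: hydraulic system -> consumers it supplies.
HYDRAULIC_SUPPLY = {
    1: ["left outboard elevator", "right inboard elevator",
        "left outboard aileron", "left inboard aileron",
        "upper rudder", "upper rudder turn coordinator", "inboard flaps"],
    2: ["right inboard elevator", "stabiliser",
        "left outboard aileron", "right inboard aileron",
        "spoilers 2,3,10,11", "lower rudder", "lower rudder yaw damper"],
    3: ["left inboard elevator", "stabiliser",
        "right outboard aileron", "left inboard aileron",
        "spoilers 1,4,9,12", "upper rudder", "upper rudder yaw damper"],
    4: ["right outboard elevator", "left inboard elevator",
        "right outboard aileron", "right inboard aileron",
        "spoilers 5,6,7,8", "lower rudder", "lower rudder turn coordinator",
        "outboard flaps"],
}

# Table 6.5 rate limits in deg/s as printed: (full boost, half boost).
RATE_LIMITS_DEG_S = {
    "inboard elevator": ("+37/-37", "+30/-26"),
    "outboard elevator": ("+37/-37", "+30/-26"),
    "inboard aileron": ("+40/-45", "+27/-35"),
    "outboard aileron": ("+45/-55", "+22/-45"),
    "upper rudder": ("+50/-50", "+40/-40"),
    "lower rudder": ("+50/-50", "+40/-40"),
}


def suppliers():
    """Invert Table 6.4: consumer -> sorted list of supplying hydraulic systems."""
    out = {}
    for system, consumers in HYDRAULIC_SUPPLY.items():
        for consumer in consumers:
            out.setdefault(consumer, []).append(system)
    return {consumer: sorted(systems) for consumer, systems in out.items()}


def consumer_status(failed_systems):
    """Classify every consumer as 'normal', 'half boost' or 'no supply'."""
    failed = set(failed_systems)
    unknown = failed - set(HYDRAULIC_SUPPLY)
    if unknown:
        raise ValueError(f"unknown hydraulic system(s): {sorted(unknown)}")
    status = {}
    for consumer, systems in suppliers().items():
        alive = [s for s in systems if s not in failed]
        if len(alive) == len(systems):
            status[consumer] = "normal"
        elif alive:
            status[consumer] = "half boost"   # one of two supplies remains
        else:
            status[consumer] = "no supply"    # primary surfaces float at zero hinge moment
    return status


def rate_limit(consumer, status):
    """Table 6.5 rate string for a primary surface in the given status, else None."""
    row = consumer
    for side in ("left ", "right "):
        if row.startswith(side):
            row = row[len(side):]
    rates = RATE_LIMITS_DEG_S.get(row)
    if rates is None or status == "no supply":
        return None
    return rates[1] if status == "half boost" else rates[0]


def summarise(failed_systems):
    """Group consumers by status, e.g. summarise({3, 4}) for the Flight 1862 case."""
    groups = {"normal": [], "half boost": [], "no supply": []}
    for consumer, state in consumer_status(failed_systems).items():
        groups[state].append(consumer)
    return {state: sorted(names) for state, names in groups.items()}


if __name__ == "__main__":
    for state, names in summarise({3, 4}).items():
        print(f"{state:10s}: {', '.join(names)}")
```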

Fig. 6.45 Boeing 747-100/200 flight control surface arrangements and body axes and
moment definitions (L̄ = rolling moment, M = pitching moment, N̄ = yawing moment, p = roll
rate, q = pitch rate, r = yaw rate)

Table 6.6 B747-100/200 series operational data and geometric dimensions

| | B747-100/200 | B747-200F (Freighter) |
|---|---|---|
| Wing area | 511 m² | 511 m² |
| Wing mean aerodynamic chord (MAC) | 8.324 m | 8.324 m |
| Wing span | 59.65 m | 59.65 m |
| Length overall | 70.66 m | 70.66 m |
| Height overall | 19.33 m | 19.33 m |
| Engines | Pratt & Whitney JT9D-3 | Pratt & Whitney JT9D-7J |
| Takeoff thrust rating (standard day / sea level) | 193 kN (43,500 lb st) | 222 kN (50,000 lb st) |
| Maximum takeoff weight | 321,995 kg (710,000 lb) | 377,842 kg (833,000 lb) |
| Maximum landing weight | 255,782 kg (564,000 lb) | 285,763 kg (630,000 lb) |
| Maximum zero fuel weight | 238,776 kg (526,500 lb) | 267,619 kg (590,000 lb) |
| Load factor range flaps up | -1.0/+2.5 | -1.0/+2.5 |
| Load factor range flaps down | 0/+2 | 0/+2 |

Fig. 6.46 Boeing 747-100/200 large transport aircraft

6.4 GARTEUR RECOVER Benchmark Applications


Earlier versions of the GARTEUR RECOVER benchmark aircraft model have
been used by a number of investigators and organisations in several studies
[7, 10, 14, 15, 19]. For example, in a recent study, performed by the University of
Cambridge [13], a reconfiguration scheme was developed and applied to the Flight
1862 benchmark scenario using Model Predictive Control (MPC). The MPC scheme
aims to restore the original functionality of the pilot’s controls using a reference-
model based approach. For the initial demonstration of the MPC reconfiguration
capabilities in this study, the assumption was made that all necessary information
about the failed condition of the aircraft was available from the fault detection and
isolation (FDI) unit. The investigation demonstrated that when precise information
regarding the failure condition of the aircraft is available, a reconfigurable control
scheme exists that enables safe landing of a heavily damaged aircraft (Fig. 6.47). An
extension of this research, in which the FDI information requirements for successful
reconfiguration are addressed, formed the basis of a PhD project at the Delft
University of Technology financed by the Dutch Technology Foundation STW. Some
of the developed reconfiguration schemes in this project were further evaluated in
this Action Group.

Fig. 6.47 Simulation demonstrating flight control reconfiguration and safe landing of the
Flight 1862 accident aircraft using Model Predictive Control (MPC) (red: accident aircraft,
green: reconfigured aircraft) [13]

6.5 Conclusion
A simulation benchmark for the integrated evaluation of new fault detection, isola-
tion and reconfigurable control techniques has been developed within the framework
of the GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant
Control. The REconfigurable COntrol for Vehicle Emergency Return (RECOVER)
benchmark addresses the need for high-fidelity nonlinear simulation models to im-
prove the prediction of the performance of newly designed fault tolerant flight con-
trol system algorithms in degraded modes. The GARTEUR RECOVER benchmark
provides accurate failure models, realistic scenarios and assessment criteria for a
civil large transport aircraft with fault conditions ranging in severity from major to
catastrophic. The benchmark aircraft model has been validated against data from
the Digital Flight Data Recorder (DFDR) recovered after the crash of a Boeing
747-200 freighter aircraft (Flight 1862), caused by the separation of its right-wing
engines, in the Amsterdam Bijlmermeer in 1992. For the reconstruction of the ac-
cident flight data, a methodology based on inverse simulation was used to obtain a
proof-of-match between the Flight 1862 DFDR measurements and simulation. This
assured the validity of the simulation, as part of the benchmark, in terms of aircraft
performance and controllability representative of a damaged large transport aircraft
operating in a degraded and limited flight envelope. The identified operational
constraints of the Flight 1862 accident aircraft provided guidance for the fault tolerant
control design challenge in the GARTEUR FM-AG(16) Action Group and a
reference for the definition of the benchmark assessment criteria.
The GARTEUR RECOVER benchmark is suitable for both offline design and
analysis of new fault tolerant flight control systems and integration on simulation
platforms for piloted hardware in the loop testing. The enhanced graphical tools of
the benchmark, including high resolution aircraft visualisation, support tool-based
advanced flight control system design and evaluation within a research, educational
or industrial framework.

Acknowledgements. The authors recognise the contributions of the members of the GAR-
TEUR FM-AG(16) Action Group to this Chapter. The authors also appreciate the funding
that the Dutch Technology Foundation STW has provided as part of the GARTEUR activities.
Special thanks to Jaap Groeneweg and Ronald Verhoeven of NLR for their contribution to the
RECOVER aircraft visualisation tools. Finally, a word of thanks to all those who have con-
tributed to the further improvement of the GARTEUR RECOVER benchmark model within
their flight control research programmes, especially Andres Marcos of DEIMOS Space and
Gary Balas of the University of Minnesota.

References
1. Anon. Boeing 747 Aircraft Operations Manual (1976)
2. Anon. EL AL Flight 1862, aircraft accident report 92-11. Netherlands Aviation Safety
Board, Hoofddorp, The Netherlands (1994)
3. Anon. MIL-HDBK-1797 Flying qualities of piloted aircraft (1997)
4. Federal Aviation Administration, Department of Transport. FAR/JAR 25 Airworthiness
Standards: Transport Category Airplanes
5. Fischenberg, D.: Ground effect modeling using a hybrid approach of inverse simulation
and system identification. In: AIAA Modeling and Simulation Technologies Conference
and Exhibit, AIAA-1999-4324, Portland, OR (August 1999)
6. GARTEUR. GARTEUR RECOVER benchmark quickstart guide (2009)
7. Hallouzi, R., Verhaegen, M., Kanev, S.: Model weight estimation for FDI using convex
fault models. In: IFAC Conference 2006 (2006)
8. Hanke, C.R.: The simulation of a large transport aircraft. Modeling data, vol. II. NASA
CR-114494 (September 1970)
9. Hanke, C.R.: The simulation of a large transport aircraft. Mathematical model, vol. I.
NASA CR-1756 (March 1971)
10. Harefors, M., Bates, D.G.: Integrated propulsion-based flight control system design for a
civil transport aircraft. In: Proceedings of the IEEE Conference on Control Applications,
Glasgow (September 2002)
11. van Keulen, R.: Real-time simulation and analysis of the automatic flight control sys-
tem of the Boeing 747-200. Final thesis, Delft University of Technology, Faculty of
Aerospace Engineering, Delft, The Netherlands (1991)
12. van der Linden, C.A.A.M.: DASMAT- Delft University Aircraft Simulation Model and
Analysis Tool. Report LR-781, Delft University of Technology, Faculty of Aerospace
Engineering, Delft, The Netherlands (1996)
13. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight
1862. In: IFAC Safeprocess Conference (2003)
14. Marcos, A., Balas, G.J.: Linear parameter varying modeling of the Boeing 747-100/200
longitudinal motion. American Institute of Aeronautics and Astronautics 2001,
AIAA-2001-4347 (2001)
15. Marcos, A., Balas, G.J.: A Boeing 747-100/200 aircraft fault tolerant and fault diagnostic
benchmark. Technical Report AEM-UoM-2003-1, University of Minnesota, Minnesota
(June 2003)
16. National Transportation Safety Board. In-flight engine separation Japan Airlines, Inc.
Flight 46E, Boeing 747-121, N473EV, Anchorage, Alaska, March 31 (1993); Aircraft
accident report NTSB/AAR-93/06 (October 1993)
17. Smaili, M.H.: Flight data reconstruction and simulation of El Al Flight 1862. Final thesis,
Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Nether-
lands (1997)
18. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Ams-
terdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies
Conference and Exhibit, AIAA-2000-4586, Denver, CO (August 2000)
19. Szaszi, I., et al.: Application of FDI to a nonlinear Boeing 747 aircraft. In: 10th Mediter-
ranean Conference on Control and Automation - MED 2002 (2002)
Chapter 7
Assessment Criteria as Specifications for
Reconfiguring Flight Control

Thomas Lombaerts, Diederick Joosten, Hafid Smaili, and Jan Breeman

7.1 Introduction
To obtain a quantitative measure of predicted FTFC system performance in degraded
modes, specifications need to be defined to assess proper functioning under realistic
operational flight conditions. The goal of the benchmark specifications modelling,
as described in this chapter, is to create a set of assessment criteria in order to eval-
uate the quality of the performance of fault detection and identification (FDI) and
reconfigurable control algorithms. The lay-out of this chapter is as follows. First,
the specifications modelling process is introduced by discussing the benchmark sce-
nario. Subsequently, the general evaluation criteria will be considered by defining
two classes of test manoeuvres. Thereafter, focus is placed on the test manoeuvres
for FTFC qualification, which is the major topic of this chapter. After the discus-
sion on how the assessment quantities of interest can be divided into two categories,
four qualification test manoeuvres are discussed in depth. These include straight
flight, right turn and localizer intercept, glideslope intercept and final approach with
sidestep. Finally, a summary of the specified assessment quantities is given for the
different FTFC qualification test manoeuvres. These criteria have also been
published in Ref. [3].

Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering,
Kluyverweg 1, 2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Diederick Joosten
Delft University of Technology, Delft Center of Systems and Control,
Mekelweg 2, 2628 CD Delft, The Netherlands
e-mail: d.a.joosten@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Jan Breeman
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: breeman@nlr.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 223–243.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

7.2 Specification Modelling


The goal of specifications modelling is to create a set of assessment criteria in order
to evaluate the quality of the performance of fault detection and identification (FDI)
and controller reconfiguration algorithms. A schematic overview of the benchmark
scenario, as introduced in chapter 6, is provided in Fig. 7.1.

Fig. 7.1 Benchmark scenario with test manoeuvres for qualification of FTFC techniques

Obviously, after the introduction of a failure to the aircraft, a total catastrophe is
to be avoided. Therefore, it is necessary that a failure is detected promptly.
Furthermore, a new trim condition, or quasi-trim condition, must be established quickly
for safe continuation of the flight. This phase is called initial recovery, as illustrated
in Fig. 7.1, and needs to be completed as soon as possible, even before firm flight
control reconfiguration takes place. The normal operating limits of the non-crippled
aircraft, i.e. maximum and minimum velocity, maximum g-load, can be seen as
worst-case bounds on the allowable manoeuvres during all subsequent phases. Af-
ter fault identification and reconfiguration, the four qualification manoeuvres are
performed according to the scenario as shown in Fig. 7.1.
The FTFC assessment criteria are defined for two different phases during the
flight control reconfiguration process. First, criteria are enumerated for the Fault
Detection and Identification phase. After control reconfiguration has taken place,
some test manoeuvres for qualification have been selected for which specifications
have been defined. These criteria enable the assessment of the correct functioning
of the reconfigured control system under realistic operational conditions.

7.2.1 General Evaluation Criteria


For the assessment of Fault Detection and Identification algorithms, it is customary
to define the following list of criteria, as can be found in Ref. [1]:
• the time needed to detect a failure;
• the ratio of successful detection of failures versus the number of false alarms;
• the time needed to give a first reaction or control input and re-establish trim;
• the operating limits of the aircraft may not be exceeded after failure introduction;
• the ability to reconfigure the controller such that the aircraft states are controlled
with adequate performance, and preferably with desired performance.
The above criteria are usually applied for FDI in general. However, for the
RECOVER benchmark emphasis is placed on operational assessment criteria that
impose constraints on the total flight trajectory instead of the technical FDI criteria
only. Therefore, the operational criteria have been defined by using the FDI
requirements, as mentioned above, as a basis. The result of this study can be found in the
remainder of this chapter.
Some graphic examples of the applied operational assessment criteria, which
hold for one of the aircraft states or variables, are depicted in Figs. 7.2 and 7.3.
Fig. 7.2 applies to test manoeuvres with trajectory constraints, whereas Fig. 7.3
applies to test manoeuvres with end-point position constraints.
The specifications apply to certain variables which are relevant and critical for
each flight phase, e.g. position information, linear rates, angular rates, linear
accelerations, angular accelerations and g-forces, each in the three axes of the aircraft
reference system. The list of relevant assessment quantities will be enumerated later
for each test manoeuvre separately. These variables have to comply with certain
operational limitations, which can be divided over two categories, according to the
relevant part of the time span. When a failure occurs at time t_0, the flight control
systems have some time for identification and reconfiguration up to the moment
t_recovery, whereafter a test manoeuvre is performed in order to analyse if the
reconfiguration was successful.

Fig. 7.2 Graphic representation of FDI and control reconfiguration assessment criteria
representing test manoeuvre with trajectory constraints

Fig. 7.3 Graphic representation of FDI and control reconfiguration assessment criteria
representing test manoeuvre with end-point position constraints

In the first part, where identification and reconfiguration take place, the variables
are limited by structural and crew capability (human performance) boundaries.
After t_recovery the qualification test manoeuvre is performed. In the case of a test
manoeuvre with trajectory constraints, some fairly stringent manoeuvre limitations are
defined for the relevant assessment quantity values from t_recovery onward till the end
of the test manoeuvre. These limitations define a box which specifies if the
manoeuvre performance is desired or adequate (Fig. 7.2). On the other hand, when a test
manoeuvre is considered with end-point position constraints, the relevant
assessment quantity values are restricted to a larger range defined by slightly reduced safe
flight boundaries as initial trajectory constraints (critical manoeuvre limitations,
Fig. 7.3). More stringent boundaries to evaluate the manoeuvre quality are then defined
at the end point t_final, where the boundaries represent a limitation box specifying
whether the manoeuvre performance is desired or adequate. The aircraft must be in
(quasi) steady state at t_final, otherwise the performance criteria cannot be guaranteed
persistently.
A possible definition of adequate and desired performance boxes for the
benchmark flight phases including straight flight, right turn and localizer intercept,
glideslope intercept and final approach with sidestep down to decision height will be
discussed later in this chapter. The performance limitations may depend on many
other variables, like indicated airspeed of the aircraft and altitude. Therefore, it is
important to define one representative reference trajectory with fixed altitude and
velocity as initial conditions, because in that way the complexity is already reduced
considerably. Here, most interest is in low altitudes because of the small margins
there.
The manoeuvres are a very important aspect in this work. It should be noted that
there are two kinds of manoeuvres. The first kind are manoeuvres for parameter
identification that take place in the identification and reconfiguration phase, before
t_recovery in Figs. 7.2 and 7.3. These are facultative manoeuvres. The other kind of
manoeuvres are test manoeuvres for qualification, which are performed during the
second part of the time span in Figs. 7.2 and 7.3, after t_recovery. These are mandatory
for qualification of the fault tolerant flight control system.

7.2.2 Test Manoeuvres for Qualification


As discussed in the foregoing paragraph, four qualification test manoeuvres have
been defined which are mandatory and will be used to obtain the RECOVER
benchmark criteria. The straight flight and glideslope intercept are two manoeuvres with
trajectory constraints. On the other hand, right turn with localizer intercept and final
approach with sidestep have end-point position constraints. The motivation for this
is that there are no critical requirements on the turn and the approach themselves,
as long as the aircraft ends up at the right location at the end of the manoeuvre. The
straight flight and final approach test manoeuvres have longitudinal as well as lateral
constraints. The other two manoeuvres deal only with one axis at a time. As such,
the right turn manoeuvre has only lateral constraints, whereas the glideslope intercept
has only longitudinal constraints.
The aircraft should be in (quasi-)equilibrium at t_final for the end-point position
constraints and after t_recovery for the trajectory constraints. To achieve this
requirement for all four test manoeuvres, all angular rates (p, q, r) as well as the three linear
acceleration components (ax, ay, az) should be as small as possible within certain
boundaries. For any failure scenario, the time to reach equilibrium is a very
important criterion.
The assessment variables can be defined in two different categories, namely
specification boundary variables and competitiveness variables. Specification boundary
quantities provide limits which cannot be exceeded, like safe flight boundaries and
performance boxes. On the other hand, competitiveness criteria have been defined
that make it possible to distinguish between the performances of different
reconfigurable control strategies. For any manoeuvre, the time to accomplish the manoeuvre
is a very important competitiveness criterion. In some situations, assessment variables can
belong to both categories simultaneously. For each test manoeuvre, a list of relevant
quantities is enumerated in Tables 7.2, 7.3, 7.4 and 7.5. In the first two columns of
each table, an indication is given about the category the quantity belongs to. The
abbreviations 'sb' and 'cc' represent specification boundary and competitiveness
variables respectively.

Table 7.1 Initial conditions for the three benchmark scenarios: nominal flight, heavy weight
(Flight 1862) and low weight (Flight 1862)

manoeuvre      straight flight   right turn LOC int   GS int       final approach
h [m]          600               600                  600          90
V [m/s]        92.6/133.8        92.6/133.8           92.6/133.8   85/133.8/108
flap setting   20/1              20/1                 20/1         25/1/1
landing gear   up                up                   down         down

The initial conditions for the benchmark qualification test manoeuvres are
defined in Table 7.1. A distinction is made between a nominal flight scenario, a heavy
weight Flight 1862 scenario and a low weight Flight 1862 scenario, since each of the
Flight 1862 scenarios has a different aircraft weight value. In the nominal situation,
the aircraft weight is approximately 263 tons and the touchdown speed is 165 knots.
As the Flight 1862 accident happened just after take off, the aircraft weight was
considerably higher, namely 317 tons (after separation of the right-wing engines).
As a result, the crew had to maintain a high speed of about 260
knots, which significantly reduced the chances of a survivable landing. Based on
the Flight 1862 performance capability analysis [4], the aircraft was able to
maintain level flight in order to reduce the landing weight by dumping fuel. A weight
reduction due to fuel jettison down to approximately 263 tons would have led to a
more survivable landing at a speed of about 210 knots.
With the flap setting stuck at 1 and an aircraft weight of 317 tons, the minimum
speed is limited to the relatively high value of 133.8 m/s. The stuck flap setting at
position 1 in the case of the Flight 1862 accident scenario results in a minimum
allowable speed of 108 m/s in the final approach phase at a weight of 263 tons in
the case of fuel jettison.
The benchmark qualification test manoeuvres are based on operational
procedures in order to approximate realistic flight conditions as much as possible. To
achieve this, some manoeuvres have been based upon the instrument approach chart
to runway 27 of Amsterdam airport Schiphol (ICAO-code EHAM). This chart is
included in the appendix of this chapter. In this chart, a red line marks the trajectory
of the Flight 1862 accident aircraft. Indicated in green in this chart is the
approximate trajectory of the proposed benchmark scenario. Note that closely following
this trajectory is not part of the benchmark criteria. The end-point is more relevant
than the trajectory in this set-up.

7.2.2.1 Straight Flight


The first benchmark qualification test manoeuvre is performing a straight flight
downwind, with the presence of some turbulence. Analysing the closed loop
system time responses of course χ and flight path angle γ allows comparison of the
quality of the different reconfiguring control strategies. During this test manoeuvre,
the aircraft should remain in a predefined box, like a virtual tunnel in the sky. In
order to analyse this manoeuvre, the assessment quantities of interest are defined in
Table 7.2. The abbreviations sb and cc in the first two columns of the table represent
specification boundary (sb) and competitiveness criteria (cc) respectively.

Table 7.2 Specified assessment quantities for the straight flight qualification manoeuvre

sb  cc  symbol  quantity
✓   ✓   V       velocity
✓   ✓   χ       course or track angle
✓   ✓   γ       flight path angle
✓       α       angle of attack
✓   ✓   β       sideslip angle
✓   ✓   nz      load factor
✓   ✓   φ       roll angle

Applying the above mentioned specifications and criteria to the benchmark
simulation model with the classical (mechanical) flight control system results in the plots
shown in Fig. 7.5. The performance of each fault tolerant control design can be
assessed by generating similar plots for the relevant outputs. The routines to generate
the performance plots are an integral part of the benchmark simulation software
package.
In Fig. 7.5, competitiveness criteria apply to all shown states, except for the angle
of attack α. The light regions indicate where the desired performance is not met,
while failure to achieve adequate performance is indicated by the darker regions.
It is clear that for the straight flight phase, trajectory constraints apply. Fig. 7.5
shows that the baseline aircraft model, with classical control system, satisfies all
assessment criteria for the straight flight phase with considerable margins.

7.2.2.2 Right Turn and Localizer Intercept


The second benchmark test manoeuvre starts by performing a right turn, with the
presence of some turbulence. After 10 seconds of straight flight, a right turn is
initiated in order to reach the localizer (LOC) intercept course. No special limitations
are imposed on the turn manoeuvre itself¹, except for the fact that the time necessary
to complete the turn is a competitiveness criterion. The specific lateral force Ay and
altitude changes Δh during this manoeuvre should be minimal for the sake of
passenger comfort and trajectory accuracy respectively. The localizer intercept manoeuvre
is performed with a 45° heading change, where ±5° deviation is still acceptable
and velocity should be close to the reference value. After this manoeuvre, the
aircraft should be on the localizer beam. In order to analyse this final position and the
equilibrium at the end of this manoeuvre, an end phase for evaluation is defined.
This end phase starts at the moment the aircraft crosses a vertical plane at 15 km
distance from the runway threshold. From this moment onward, the end phase lasts
for the following 10 seconds, during which angular rates and linear accelerations
should remain within their predefined equilibrium limits to show that the aircraft is
fully stabilized. The relevant assessment quantities during the complete manoeuvre
are enumerated in Table 7.3. The abbreviations sb and cc in the first two columns
of the table represent specification boundary (sb) and competitiveness criteria (cc)
respectively. As illustrated by the performance box in Fig. 7.6, it is clear that the
allowed cross track deviation is presented as the localizer angular deviation, while
the longitudinal deviation is linear. The roll angle φ is an assessment quantity to
verify if the aircraft rolled out properly to end the turn manoeuvre. As the localizer
and glideslope are presented to the pilot on an uncalibrated scale, the deviations are
indicated in "dots" (1 dot is 1.25°). During tracking of the localizer, 0.5 dot localizer
deviation is allowed as a maximum, see also Fig. 7.7. The right turn and localizer
intercept performance criteria are as follows:
Applying the above mentioned specifications and criteria to the benchmark
simulation model with the classical control system results in the plots shown in Fig. 7.8.

¹ E.g. also a left turn is allowed, as can be seen in Fig. 7.6.

Fig. 7.4 Definition of performance boxes for straight flight qualification manoeuvre

[Figure: "States with specs Straight flight". (a) aircraft states: VTAS [m/s], χ [°], γ [°],
α [°], β [°], nz [−], φ [°] versus time [s]; (b) kinematic accelerations in body axes:
axb, ayb, azb [m/s2] versus time [s]]

Fig. 7.5 Specifications on the aircraft states for the downwind straight flight qualification
manoeuvre

Table 7.3 Specified assessment quantities for the right turn and localizer intercept
qualification manoeuvre

sb cc symbol quantity
✓ xrunway distance from runway threshold
✓ ✓ λ localizer deviation during end phase
Λ LOC intercept angle
✓ ✓ V velocity
✓ φ roll angle during turn
✓ ✓ φ roll angle during end phase
✓ p roll rate during end phase
✓ q pitch rate during end phase
✓ r yaw rate during end phase
✓ ax longitudinal acceleration during end phase
✓ ay lateral acceleration during end phase
✓ az vertical acceleration during end phase
✓ α angle of attack
✓ ✓ β sideslip angle
✓ ✓ Ay lateral specific force
✓ ✓ nz load factor
✓ ✓ Δh altitude deviation

Fig. 7.6 Definition of performance boxes for right turn and localizer intercept

Fig. 7.7 Primary Flight Display (PFD) with the Localizer (LOC) deviation scale and magenta
diamond shaped LOC signal indicator in the middle of the scale

[Figure: "States with specs right turn and LOC intercept". (a) aircraft states: lambda [°],
VTAS [m/s], φ [°], pb [°/s], qb [°/s], rb [°/s], α [°], β [°], nz [−], ny [−] versus time [s];
(b) kinematic accelerations in body axes: axb, ayb, azb [m/s2] versus time [s]]

Fig. 7.8 Specifications on the aircraft states for the right hand turn and localizer intercept
flight qualification manoeuvre

Table 7.4 Specified assessment quantities for the glideslope intercept qualification
manoeuvre

sb cc symbol quantity
✓ xrunway longitudinal distance from runway threshold
✓ ✓ V velocity
✓ ✓ Γ glideslope deviation during end phase
✓ α angle of attack
✓ p roll rate during end phase
✓ q pitch rate during end phase
✓ r yaw rate during end phase
✓ ax longitudinal acceleration during end phase
✓ ay lateral acceleration during end phase
✓ az vertical acceleration during end phase
✓ ✓ nz load factor
✓ ✓ λ localizer deviation

In Fig. 7.8, competitiveness criteria apply on all shown states, except for the angle
of attack α. The light regions indicate where the desired performance is not met,
where failure to achieve adequate performance is indicated by the darker regions.
It is clear that end-point position constraints can be found for certain states in the
right turn and localizer intercept phase. It can be seen in Fig. 7.8 that not all criteria
are met. More precisely, the roll angle φ the aircraft achieves is slightly too large.
However, for comfort reasons, it is advisable to enforce that the fault tolerant flight
control designs satisfy this requirement.
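
The end-phase check described for the right turn and localizer intercept, written out as an added example (it is not part of the original chapter or of the benchmark software). The 15 km plane, the 10 second window and the 0.5 dot limit (1 dot = 1.25°) come from the text; the rate and acceleration limits, the `Sample` fields and the constructed track are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Values stated in the text.
END_PHASE_PLANE_M = 15_000.0   # end phase starts on crossing the 15 km plane
END_PHASE_DURATION_S = 10.0    # and lasts for the following 10 seconds
LOC_DEG_PER_DOT = 1.25         # 1 dot on the localizer scale is 1.25 deg
LOC_MAX_DOTS = 0.5             # maximum deviation while tracking the localizer

# ASSUMED equilibrium limits: the page gives no numbers for these.
ASSUMED_RATE_LIMIT_DEG_S = 2.0
ASSUMED_ACCEL_LIMIT_M_S2 = 2.0

LIMITS = {"lam_dots": LOC_MAX_DOTS}
LIMITS.update({name: ASSUMED_RATE_LIMIT_DEG_S for name in ("p", "q", "r")})
LIMITS.update({name: ASSUMED_ACCEL_LIMIT_M_S2 for name in ("ax", "ay", "az")})


@dataclass
class Sample:
    """One logged time step (hypothetical record layout)."""
    t: float          # time [s]
    x_runway: float   # distance from runway threshold [m]
    lam_deg: float    # localizer deviation [deg]
    p: float          # roll rate [deg/s]
    q: float          # pitch rate [deg/s]
    r: float          # yaw rate [deg/s]
    ax: float         # longitudinal acceleration [m/s2]
    ay: float         # lateral acceleration [m/s2]
    az: float         # vertical acceleration [m/s2]


def end_phase_start(track):
    """Time at which the aircraft crosses the 15 km plane inbound.

    Linear interpolation between the two samples that bracket the plane.
    Returns None if the logged track never crosses it.
    """
    for prev, cur in zip(track, track[1:]):
        if prev.x_runway > END_PHASE_PLANE_M >= cur.x_runway:
            frac = (prev.x_runway - END_PHASE_PLANE_M) / (prev.x_runway - cur.x_runway)
            return prev.t + frac * (cur.t - prev.t)
    return None


def evaluate_end_phase(track):
    """Check every sample of the 10 s end phase against the limits."""
    result = {"t_start": None, "complete": False, "peak_loc_dots": None,
              "violations": {}, "passed": False}
    t0 = end_phase_start(track)
    if t0 is None:
        return result
    t1 = t0 + END_PHASE_DURATION_S
    window = [s for s in track if t0 <= s.t <= t1]
    for s in window:
        values = {name: getattr(s, name) for name in ("p", "q", "r", "ax", "ay", "az")}
        values["lam_dots"] = s.lam_deg / LOC_DEG_PER_DOT
        for name, value in values.items():
            if abs(value) > LIMITS[name]:
                # keep only the first time each quantity leaves its limit
                result["violations"].setdefault(name, (s.t, value))
    result["t_start"] = t0
    # a log that stops before the window closes cannot demonstrate equilibrium
    result["complete"] = track[-1].t >= t1
    result["peak_loc_dots"] = max((abs(s.lam_deg) for s in window), default=0.0) / LOC_DEG_PER_DOT
    result["passed"] = result["complete"] and not result["violations"]
    return result


def constructed_track(lam_bias_deg=0.0, duration_s=30.0, dt=0.5):
    """Constructed sample data: inbound at 92.6 m/s from 16 km, transients decaying."""
    track = []
    for i in range(int(round(duration_s / dt)) + 1):
        t = i * dt
        decay = math.exp(-t / 5.0)
        track.append(Sample(t=t, x_runway=16_000.0 - 92.6 * t,
                            lam_deg=lam_bias_deg + decay,
                            p=3.0 * decay, q=0.5 * decay, r=decay,
                            ax=0.2 * decay, ay=0.5 * decay, az=0.4 * decay))
    return track


if __name__ == "__main__":
    for label, track in (("settled", constructed_track()),
                         ("localizer offset", constructed_track(lam_bias_deg=0.8)),
                         ("log too short", constructed_track(duration_s=15.0))):
        print(label, evaluate_end_phase(track))
```
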

7.2.2.3 Glideslope Intercept


The third benchmark test manoeuvre is the interception of the glideslope in the
presence of some turbulence. Note that also in actual practice, localizer intercept occurs
before glideslope intercept according to operational practices. After 10 seconds of
straight flight, the glideslope interception point is met at 11.5 km from the runway
threshold and the aircraft starts following the 3° glideslope downward. After the
interception point, the aircraft should remain within a predefined box, like a virtual
funnel in the sky. In order to analyse this final position and the equilibrium at the
end of the manoeuvre, an end phase for evaluation is defined. This end phase starts
at the moment the aircraft intercepts the extension of the runway center line at 11.5
km distance from the threshold. From this moment onward, the end phase lasts for
the following 10 seconds during which angular rates and linear accelerations should
remain within their predefined equilibrium limits. For this manoeuvre, assessment
quantities of interest are included in Table 7.4. The abbreviations sb and cc in the
first two columns of the table represent specification boundary (sb) and
competitiveness criteria (cc) respectively. The deviation from the glideslope is also expressed
in dots, where one dot equals 0.35°. An illustration for this can be found in Fig. 7.9.
The angle of attack α is a primary assessment quantity of interest because it
is an important parameter in order to keep the aircraft within its stall limits. As
illustrated in Fig. 7.10, it is clear that vertical deviation is expressed in an angular
way, analogously to the right turn and localizer intercept scenario.
Applying the above mentioned specifications and criteria to the benchmark
simulation model with the classical control system results in the plots shown in
Fig. 7.11.

Fig. 7.9 Primary Flight Display (PFD) with the Glideslope (GS) deviation scale and magenta
diamond shaped GS signal indicator in the middle of the scale

Fig. 7.10 Definition of performance boxes for glideslope intercept qualification manoeuvre

In Fig. 7.11, competitiveness criteria apply on all shown aircraft states, except
for the angle of attack α. As with the foregoing specifications, the light regions
indicate where the desired performance is not met and failure to comply with
adequate performance is indicated by the darker regions. For this test phase, end-point
constraints apply after the glideslope interception point. For this particular
example with the baseline classical control system, the aircraft satisfies all assessment
criteria for the glideslope intercept phase with considerable margins, except for the
localizer error angle λ. However, this maximum localizer deviation can still be used
as a design guideline for the fault tolerant control designs.

[Figure: "States with specs glideslope intercept". (a) aircraft states: Γ [°], VTAS [m/s],
α [°], pb [°/s], qb [°/s], rb [°/s], nz [−], λ [°], γ [°] versus time [s];
(b) kinematic accelerations in body axes: axb, ayb, azb [m/s2] versus time [s]]

Fig. 7.11 Specifications on the aircraft states for the glideslope intercept qualification
manoeuvre

7.2.2.4 Final Approach with Sidestep


The last benchmark test manoeuvre is the final approach down to decision height,
with a 300 feet lateral offset around half a nautical mile from the runway threshold.
Some turbulence is included during this manoeuvre. No special limitations are
imposed on the approach manoeuvre itself, except for the fact that the time necessary
to complete the approach is a competitiveness criterion. Additionally, lateral
specific force Ay and glideslope deviations Γ during this manoeuvre should be minimal
for the sake of passenger comfort and trajectory accuracy respectively. However,
after this manoeuvre, the aircraft should arrive in a predefined performance box at
decision height above the runway (note that the flare manoeuvre is not included in
this study). The origin of the reference frame for these performance boxes is placed
at decision height on the centerline of the runway above the runway threshold and is
defined as the end-point. It is assumed that the aircraft ends up in the vicinity of this
point at the end of the manoeuvre. In order to analyse this final position and the
equilibrium at the end of this manoeuvre, an end phase for evaluation is defined. This end
phase starts 10 seconds before the aircraft reaches the runway threshold and ends at
the moment the aircraft crosses the threshold. During this test phase, angular rates
and linear accelerations should remain within their predefined equilibrium limits. To
analyse the complete manoeuvre, the assessment quantities of interest are
enumerated in Table 7.5. The abbreviations sb and cc in the first two columns of the table
represent the specification boundary (sb) and competitiveness criteria (cc)
respectively. As can be seen from the illustration of the performance box in Fig. 7.12, the
allowed cross track deviation Δy is more restricted than the wider longitudinal Δx
range. Also in this phase, the roll angle φ is an assessment quantity to verify if the
aircraft rolled out properly to end the turn manoeuvre. The vertical speed w can be
deduced from the glideslope angle γ and forward speed u. The heading ψ is a
measure of the alignment of the aircraft with the runway. A measure of the alignment
of the velocity vector with the runway is indicated by the track angle χ. Because
arriving at the runway is the main challenge, the track should be aligned with the
runway and not necessarily the heading. The heading deviates from the track angle
due to the wind components. Normally the aircraft will align the heading with the
runway to put the landing gear wheels in the direction of the ground velocity. This is
called a de-crab manoeuvre, but this is not a strictly necessary practice during
Boeing 747 crosswind landings according to the Aircraft Operation Manual, so it is not
considered here. However, it should be noted that de-crab is still required for other
types of aircraft. For the Boeing 747 aircraft, the roll angle φ should be kept small
close to the ground in order to prevent one of the outboard engines and/or wingtips
hitting the runway. For this reason, a roll angle deviation of maximum ±8° is
acceptable. Lateral velocity vr with reference to the runway is also relevant here, since
lateral velocity is not consistent with sideslip angle β in the presence of turbulence.
Also the angular rates p, q, r (roll, pitch and yaw) should be minimal in order to
guarantee a smooth touchdown. Finally the angle of attack α should be well within
its stall limits.

Table 7.5 Specified assessment quantities for the final approach with sidestep qualification
manoeuvre

sb cc symbol quantity
✓ ✓ Δx longitudinal deviation at end-point
✓ ✓ Δy lateral deviation at end-point
✓ ✓ u forward velocity
✓ ✓ w vertical velocity
✓ ✓ χ track angle
✓ ψ heading angle
✓ ✓ φ roll angle at end-point
✓ ✓ vr transversal velocity above runway at end-point
✓ p roll rate during end phase
✓ q pitch rate during end phase
✓ r yaw rate during end phase
✓ ax longitudinal acceleration during end phase
✓ ay lateral acceleration during end phase
✓ az vertical acceleration during end phase
✓ α angle of attack
✓ ✓ nz load factor

Applying the above mentioned specifications and criteria on the simulation model
with the classical controller results in the plots shown in Fig. 7.13.
In Fig. 7.13, competitiveness criteria apply on all shown states, except for the
angle of attack α. Again, the light regions indicate where the desired performance
is not met, and adequate performance failure is indicated by the darker regions. It
is clear that for this phase, end-point position constraints apply. For this particular
example with the baseline aircraft model including classical control system, a
number of criteria have been violated. However, these requirements can still be used as a
design guideline for the fault tolerant control systems. Since these advanced control
systems have more freedom to control the aircraft, it can be expected that they are
capable of meeting these requirements.

Fig. 7.12 Definition of performance boxes for approach with sidestep qualification
manoeuvre

[Figure: "States with specs final approach with sidestep". (a) aircraft states: u [m/s],
w [m/s], χ [°], ψ [°], φ [°], vr [m/s], pb [m/s], qb [m/s], rb [m/s], α [°], nz [−]
versus time [s]; (b) kinematic accelerations in body axes: axb, ayb, azb [m/s2]
versus time [s]]

Fig. 7.13 Specifications on the aircraft states for the final approach with sidestep qualification
manoeuvre

7.3 Discussion
The proposed assessment criteria, as discussed in this chapter, can be used to
evaluate the performances of the different fault tolerant control methods and strategies.

Table 7.6 Summary of all benchmark assessment quantities and their relevance for each
qualification test manoeuvre

symbol  description  straight flight  right turn LOC int  glideslope intercept  final approach
xrunway longitudinal distance from runway threshold ✓ ✓
x longitudinal position ✓
y lateral position ✓
Δx longitudinal deviation at end-point ✓
Δy lateral deviation at end-point ✓
Δh altitude deviation ✓
u forward velocity ✓
vr transversal velocity above runway at end-point ✓
w vertical velocity ✓
V velocity ✓ ✓ ✓
φ roll angle ✓ ✓ ✓
θ pitch attitude angle
ψ heading angle ✓
p roll rate during end-phase ✓ ✓ ✓ ✓
q pitch rate during end-phase ✓ ✓ ✓ ✓
r yaw rate during end-phase ✓ ✓ ✓ ✓
ax longitudinal acceleration during end-phase ✓ ✓ ✓ ✓
ay lateral acceleration during end-phase ✓ ✓ ✓ ✓
az vertical acceleration during end-phase ✓ ✓ ✓ ✓
α angle of attack ✓ ✓ ✓ ✓
β sideslip angle ✓ ✓
γ flight path angle ✓
χ track angle ✓ ✓
λ localizer deviation ✓ ✓
Γ glideslope deviation ✓
Λ LOC intercept angle ✓
Ay lateral specific force ✓
nz load factor ✓ ✓ ✓ ✓
t time ✓ ✓ ✓ ✓

By making a distinction between the described four different qualification test
manoeuvres, instead of considering one global sequence of manoeuvres, it is possible
to identify particular advantages and disadvantages of each FTFC method. The test
scenarios have been integrated in the FTFC benchmark simulation environment for
analytical evaluation purposes. A final assessment using piloted simulation (as
conducted on the SIMONA research simulator of Delft University of Technology as
part of this study) will provide pilot opinions on the operational acceptability of the
designed FTFC methodologies. Real-time piloted simulation also makes it possible
to analyse objectively the failure accommodation capabilities and handling qualities
of reconfigurable flight control systems for aircraft subjected to critical structural
and system failure modes. By flying the benchmark scenario with the baseline
non-damaged aircraft model, a comparison can be made to determine the overall quality
of all control algorithms with reference to the standard situation.
As a final remark, it should be noted that the assessment criteria, as described
in this chapter for each qualification test manoeuvre, are an evaluation tool.
However, they should be put in the right perspective. The ultimate goal is to perform a
survivable recovery of the damaged aircraft and this is also the final and paramount
evaluation criterion.
Table 7.6 shows a summary of all the benchmark assessment variables and an
indication for which qualification test manoeuvre they are relevant.

Acknowledgements. Valuable contributions to the benchmark specifications document,
Ref. [2], which served as a source for this chapter, came from Remco van der Sluis, aerospace
engineer and KLM-pilot, and Bob Mulder, head of the Control and Simulation division at
Delft University of Technology and Boeing 767 captain.

Appendix: Instrument Approach Chart EHAM RWY 27 ILS



References
1. Hajiyev, C., Fikret, C.: Fault diagnosis and reconfiguration in flight control systems.
Kluwer Academic, Boston (2003)
2. Lombaerts, T.J.J., Breeman, J., Joosten, D.A., van den Boom, T.J.J., Chu, Q.P., Mulder,
J.A., Verhaegen, M.: Specifications modelling document for Garteur AG16 fault tolerant
control. Technical report, Delft University of Technology (December 2005)
3. Lombaerts, T.J.J., Joosten, D.A., Breeman, J.A., Smaili, M.H., van den Boom, A.J.J., Chu,
Q.P., Mulder, J.A., Verhaegen, M.: Assessment criteria as specifications for reconfiguring
control. In: AIAA Guidance, Navigation and Control Conference and Exhibit,
AIAA-2006-6331, Keystone, CO (August 2006)
4. Smaili, H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992
Amsterdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies
conference and exhibit, AIAA-2000-4586 (August 2000)

Part III
Design Methods and Benchmark Analysis
Chapter 8
Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation

Halim Alwi and Christopher Edwards

8.1 Introduction
8.1.1 Sliding Mode Control
Sliding mode control was conceived in the USSR during the 1950s and spread to
the ‘west’ after the end of the ‘cold war’. Sliding mode control (SMC) is a
nonlinear type of control methodology and a special case of variable structure control.
An interesting account of early developments in this area appears in [26]. SMC is a
robust control methodology and it is quite unique compared to other controller
design paradigms, since the performance of the controller depends on the design of the
‘sliding surface’ and not the state tracking directly. The idea of sliding mode control
is to force the trajectory of the states onto a predefined surface in the state space.
Once reached (usually in finite time), the states are forced to remain on that surface
for all subsequent time. Sliding mode control has an inherent robustness property
to a certain type of uncertainty which makes SMC a strong candidate for passive
fault tolerant control (FTC). Recent accounts of the theory associated with sliding
modes appear in [14, 27]. Sliding mode control systems are, in theory, completely
insensitive to a class of uncertainty called matched uncertainty [14]. This represents
uncertainty which occurs in the channels associated with the control inputs.
Intuitively this suggests SMC schemes should inherently have passive FTC capability
with respect to actuator faults. The work by Hess & Wells [19] argues that sliding
mode control has the potential to become an alternative to reconfigurable control
and has the ability to maintain the required performance without requiring fault
detection and isolation (FDI).

Halim Alwi
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: ha18@le.ac.uk
Christopher Edwards
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: ce14@le.ac.uk

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 247–272.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

There are two stages for designing SMC controllers. First to be designed is the sliding surface. Only then can the control law be designed so that sliding is achieved in finite time, and once achieved, is maintained on the surface. Once sliding occurs, robustness to matched uncertainty is guaranteed and the system behaves as a reduced order motion independent of the control. The closed loop performance of the scheme depends on the choice of the sliding surface. Traditional sliding mode control laws consist of linear and nonlinear components. The nonlinear control law drives the states towards the sliding surface and once on the surface, the linear control law becomes more dominant. This chapter considers the design of a certain type of sliding mode controller based on an uncertain linear representation of the plant. For this class of system, under the assumption that all states are available, there is a good deal of literature to describe the different design approaches – ostensively for the selection of the sliding surface (see for example [14]). In this chapter, a so–called unit–vector controller [22] will be adopted.

8.1.2 Sliding Mode Control and Control Allocation


Recently sliding mode controllers have been shown to handle actuator faults without requiring any FDI [1] and sensor fault reconstruction schemes using sliding modes have avoided reconfiguring the controller when sensor faults occur [2]. Although sliding mode schemes have an inherent ability to deal with actuator faults, as with many other conventional modern control methods (e.g. LQR, $H_\infty$, $\mu$-synthesis) there is no inherent ability to deal with total actuator failures [20].

In most safety critical systems e.g. passenger aircraft [7], there is actuator redundancy. The use of these redundant control surfaces has been shown to raise the survivability level of an aircraft during an in–flight emergency resulting from faults or failures. It has been argued and shown that, with clever manipulation of the remaining available actuators, safe return flight and landing is possible (see [10] for examples of many flight incidents where redundant actuators have been used).

One of the challenges of using traditional control ideas for over–actuated systems, or systems with redundancy, is how to deal with these additional degrees of freedom. A typical solution is to group or factorize similar actuators together so that a single control signal is distributed to all the ‘similar’ actuators (see for example [12]). This is based on the idea that the redundant actuators are an exact duplication of the actuators used for design. In real engineering systems however, the actuators might not be the same and may have different dynamics. Control allocation (CA) has emerged as one of the most studied techniques when dealing with systems with redundancy (see for example [15, 6, 9, 13]). One benefit of using CA is that the controller remains the same and the control is distributed to all available actuators without reconfiguration. This is vital in terms of simplicity of design and for fault tolerant control.

The combination of sliding modes and CA therefore seems to have great potential for the development of simple, robust fault tolerant flight controllers. Shin et al. [23], Wells & Hess [28] and Shtessel et al. [24] are some of the researchers actively working on this combination. However most of this literature uses only CA schemes, without formally exploring in detail the stability of the closed loop system. In [3], a rigorous design procedure has been developed from a theoretical perspective to achieve FTC while proving stability for a class of faults and failures. This chapter describes designs, and the associated performance analysis of the sliding mode FTC scheme from [3], on the GARTEUR AG16 benchmark.

8.2 Controller Design


8.2.1 Problem Formulation
This chapter considers a situation where a fault associated with the actuators develops in a system. It will be assumed that the system subject to actuator faults or failures, can be written as

$$\dot{x}(t) = Ax(t) + Bu(t) - BK(t)u(t) \tag{8.1}$$

where $A \in \mathbb{R}^{n \times n}$ and $B \in \mathbb{R}^{n \times m}$. The effectiveness gain $K(t) = \mathrm{diag}(k_1(t), \ldots, k_m(t))$ where the $k_i(t)$ are scalars satisfying $0 \le k_i(t) \le 1$. These scalars model a decrease in effectiveness of a particular actuator. If $k_i(t) = 0$, the $i$th actuator is working perfectly whereas if $k_i(t) > 0$, a fault is present, and if $k_i(t) = 1$ the actuator has failed completely. In this chapter, information about $K(t)$ will be incorporated into the control allocation algorithm. In most CA strategies, the control signal is distributed equally among all the actuators [23, 24, 28] or distributed based on the limits (position and rate) of the actuators [13, 5, 6, 18]. In this chapter, the control is distributed based on the efficiency of the actuators, and redistributed to the remaining ‘healthy’ actuators when faults/failures occur.

The information necessary to compute $K(t)$ on–line in real time can be supplied by a fault reconstruction scheme as described in [25] for example, or by using a measurement of the actual actuator deflection which is available in many systems e.g. passenger aircraft [7]. Alternatively fault reconstruction schemes based on Kalman filters [29] can be used. The idea is that if an actuator fault occurs, the control input $u(t)$ is reallocated to minimize the use of the faulty control surfaces.

8.2.1.1 Control Allocation


In much of the control allocation literature it is assumed that $\mathrm{rank}(B) = l < m$. As shown in [18], the input distribution matrix $B$ is then factorized as

$$B = B_\nu N \tag{8.2}$$

where $B_\nu \in \mathbb{R}^{n \times l}$, $N \in \mathbb{R}^{l \times m}$ and both matrices have rank $l < m$ [18]. Then a ‘virtual control input’ is defined as

$$\nu(t) := Nu(t)$$

The control law $\nu(t)$ is designed based on the pair $(A, B_\nu)$ which is assumed to be controllable. Once the design of $\nu(t)$ is complete, by direct manipulation, the true control signal $u(t)$ is recovered as $u(t) = N^\dagger \nu(t)$ where $N^\dagger \in \mathbb{R}^{m \times l}$ is a right pseudo-inverse of the matrix $N$. The choice of $N^\dagger$ is not unique and different approaches have been proposed in the literature [23, 13, 5, 6, 18] for the choice of the pseudo inverse $N^\dagger$. However for most systems with actuator redundancy, the assumption that $\mathrm{rank}(B) = l < m$ is not valid and hence the perfect factorization in (8.2) cannot hold. However usually the system states can be reordered, and the matrix $B$ from (8.1) can be partitioned as:

$$B = \begin{bmatrix} B_1 \\ B_2 \end{bmatrix} \tag{8.3}$$

where $B_1 \in \mathbb{R}^{(n-l) \times m}$ and $B_2 \in \mathbb{R}^{l \times m}$ has rank $l$. The partition is in keeping with the notion of splitting the control law from the control allocation task [17, 13, 4]. This separation comes naturally with design methods like feedback linearization and backstepping [17, 4]. In most aircraft systems the control objectives can be achieved by commanding some desired moment to be generated by the control surfaces [17, 4]. Therefore in aircraft systems, $B_2$ is associated with the equations of angular acceleration in roll, pitch and yaw [18]. However this can be extended to any system even for systems which have no obvious splitting of control law and control allocation [4]. Here it is assumed that the matrix $B_2$ represents the dominant contribution of the control action on the system, while $B_1$ generally will have elements of small magnitude compared with $B_2$. Compared to the work in [23] where it is assumed that $B_1 = 0$, here $B_1 \neq 0$ will be considered explicitly in the controller design and in the stability analysis. It will be assumed without loss of generality that the states of the system in (8.1) have been transformed so that $B_2 B_2^T = I_l$ and therefore $\|B_2\| = 1$. This is always possible since $\mathrm{rank}(B_2) = l$ by construction. As in [3], let the ‘virtual control’

$$\nu(t) := B_2 u(t) \tag{8.4}$$

so that

$$u(t) = B_2^\dagger \nu(t) \tag{8.5}$$

where the pseudo inverse is chosen as

$$B_2^\dagger := W B_2^T (B_2 W B_2^T)^{-1} \tag{8.6}$$

where $W \in \mathbb{R}^{m \times m}$ is a symmetric positive definite (s.p.d) diagonal weighting matrix. It can be shown that the pseudo-inverse in (8.6) arises from the optimization problem

$$\min_u \; u^T W^{-1} u \quad \text{subject to} \quad B_2 u = \nu \tag{8.7}$$

In this chapter a novel choice of weighting matrix $W$ will be considered. Specifically, the weight $W$ will be chosen as

$$W := I - K \tag{8.8}$$

and so $W = \mathrm{diag}\{w_1, \ldots, w_m\}$ where $w_i = 1 - k_i$. Note in a fault free situation $W = I$. As $k_i \to 1$, $w_i \to 0$ and so the associated component $u_i$ in (8.7) is weighted heavily since $\frac{1}{w_i}$ becomes large. With the choice of $u(t)$ from (8.5) the fault term from (8.1) can be written as $BKu(t) = BKB_2^\dagger \nu(t)$; and therefore (8.1) becomes

$$\dot{x}(t) = Ax(t) + \begin{bmatrix} B_1 B_2^\dagger \\ I_l \end{bmatrix} \nu(t) - \begin{bmatrix} B_1 K B_2^\dagger \\ B_2 K B_2^\dagger \end{bmatrix} \nu(t) \tag{8.9}$$
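The allocation in (8.5)–(8.8) can be traced numerically with the following Python sketch, which is an added example and not code from the chapter or from [3]. The 2×4 matrix `B2` (with $B_2 B_2^T = I$), the demand `NU`, the function names and the singularity tolerance are all constructed assumptions; the last case shows the allocation failing when $\det(B_2 W B_2^T) = 0$.

```python
# Added example: weighted pseudo-inverse control allocation, eqs. (8.4)-(8.8).
# B2 and NU below are constructed for illustration; they are not the B747 model.

SINGULAR_TOL = 1e-12  # assumed numerical tolerance for a zero pivot


def solve(A, b):
    """Solve A y = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    M = [list(row) + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[pivot][col]) < SINGULAR_TOL:
            raise ValueError("matrix is singular")
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    y = [0.0] * n
    for i in reversed(range(n)):
        s = sum(M[i][j] * y[j] for j in range(i + 1, n))
        y[i] = (M[i][n] - s) / M[i][i]
    return y


def allocate(B2, k, nu):
    """Return u = W B2^T (B2 W B2^T)^-1 nu with W = I - diag(k), 0 <= k_i <= 1."""
    l, m = len(B2), len(B2[0])
    if len(k) != m or any(not 0.0 <= ki <= 1.0 for ki in k):
        raise ValueError("need one effectiveness gain in [0, 1] per actuator")
    w = [1.0 - ki for ki in k]
    # G = B2 W B2^T (l x l); W is diagonal, so G is a weighted Gram matrix.
    G = [[sum(B2[i][a] * w[a] * B2[j][a] for a in range(m)) for j in range(l)]
         for i in range(l)]
    try:
        y = solve(G, nu)
    except ValueError:
        raise ValueError("det(B2 W B2^T) = 0: remaining actuators cannot "
                         "produce the virtual control") from None
    # u_a = w_a * (column a of B2) . y, so a failed actuator (w_a = 0) gets 0.
    return [w[a] * sum(B2[i][a] * y[i] for i in range(l)) for a in range(m)]


def virtual_control(B2, u):
    """nu = B2 u, eq. (8.4); used to check the constraint in (8.7)."""
    return [sum(row[a] * u[a] for a in range(len(u))) for row in B2]


# Constructed B2 with orthonormal rows: two virtual axes, four actuators.
B2 = [[0.5, 0.5, 0.5, 0.5],
      [0.5, -0.5, 0.5, -0.5]]
NU = [1.0, 0.0]

if __name__ == "__main__":
    cases = [("fault free", [0, 0, 0, 0]),
             ("actuator 1 at 50%", [0.5, 0, 0, 0]),
             ("actuator 1 failed", [1, 0, 0, 0])]
    for label, k in cases:
        u = allocate(B2, k, NU)
        print(label, [round(x, 4) for x in u],
              "-> nu =", [round(x, 4) for x in virtual_control(B2, u)])
    try:
        allocate(B2, [1, 0, 1, 0], NU)  # actuators 2 and 4 act along one direction
    except ValueError as exc:
        print("actuators 1 and 3 failed:", exc)
```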

8.2.1.2 Sliding Mode and Control Allocation


Sliding mode control (SMC) techniques [14, 27], will now be used to synthesize the ‘virtual control’ $\nu(t)$. Define a so–called switching function $\sigma(t) : \mathbb{R}^n \to \mathbb{R}^l$ to be

$$\sigma(t) = Sx(t)$$

where $S \in \mathbb{R}^{l \times n}$ and $\det(SB_\nu) \neq 0$. The matrix $S$ represents design freedom. Let $\mathcal{S}$ be the hyperplane defined by

$$\mathcal{S} = \{x(t) \in \mathbb{R}^n : Sx(t) = 0\}$$

If a control law can be developed which forces the closed–loop trajectories onto the surface $\mathcal{S}$ in finite time and constrains the states to remain there, then an ideal sliding motion is said to have been attained [14]. During the sliding motion, some of the dynamics of the closed–loop system collapse, and the sliding dynamics associated with the motion once constrained to $\mathcal{S}$ will be of order $n - m$. The selection of the sliding surface is the first part of any design and defines the system’s closed–loop performance. The sliding surface will be designed based on the nominal no fault condition ($K = 0$). The second aspect of the control design, is the synthesis of a control law to guarantee that the surface is reached in finite time and a sliding mode is subsequently maintained.
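First define

$$\hat{\nu}(t) := (B_2 W^2 B_2^T)(B_2 W B_2^T)^{-1} \nu(t) \tag{8.10}$$

then as argued in [3], after a coordinate transformation, $x \mapsto T_r x = \hat{x}$, where

$$T_r = \begin{bmatrix} I & -B_1 B_2^T \\ 0 & I_l \end{bmatrix} \tag{8.11}$$

equation (8.9) becomes:

$$\begin{bmatrix} \dot{\hat{x}}_1(t) \\ \dot{\hat{x}}_2(t) \end{bmatrix} = \underbrace{\begin{bmatrix} \hat{A}_{11} & \hat{A}_{12} \\ \hat{A}_{21} & \hat{A}_{22} \end{bmatrix}}_{\hat{A}} \begin{bmatrix} \hat{x}_1(t) \\ \hat{x}_2(t) \end{bmatrix} + \underbrace{\begin{bmatrix} 0 \\ I \end{bmatrix}}_{\hat{B}} \hat{\nu}(t) + \begin{bmatrix} B_1 B_2^N B_2^+ \\ 0 \end{bmatrix} \hat{\nu}(t) \tag{8.12}$$

where

$$B_2^+ := W^2 B_2^T (B_2 W^2 B_2^T)^{-1} \tag{8.13}$$

and

$$B_2^N := (I - B_2^T B_2) \tag{8.14}$$

It is important to point out that there is an upper bound on the norm of the pseudo-inverse $B_2^+$ in (8.13) which is independent of $W$. Specifically:

Proposition 8.1. There exists a scalar $\gamma_0$, which is finite, such that

$$\|B_2^+\| = \|W^2 B_2^T (B_2 W^2 B_2^T)^{-1}\| < \gamma_0 \tag{8.15}$$

for all $W = \mathrm{diag}(w_1 \ldots w_m)$ such that $0 < w_i \le 1$.

Proof: see [3].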



The virtual control law will now be designed based on the fault-free system in which the top partition of the last term in (8.12) is zero since $B_1 B_2^N B_2^+ |_{W=I} = 0$. In the $\hat{x}(t)$ coordinates in (8.12), a choice for the sliding surface is

$$\hat{S} := S T_r^{-1} = \begin{bmatrix} M & I_l \end{bmatrix} \tag{8.16}$$

where $M \in \mathbb{R}^{l \times (n-l)}$ represents design freedom. Define

$$\gamma_1 := \|M B_1 B_2^N\| \tag{8.17}$$

If $(\hat{A}, \hat{B})$ is controllable, then $(\hat{A}_{11}, \hat{A}_{12})$ is controllable [14] and a matrix $M$ can always be found to make $\tilde{A}_{11} = \hat{A}_{11} - \hat{A}_{12} M$ stable. Also since

$$\|M B_1 B_2^N B_2^+\| < \|M B_1 B_2^N\| \, \|B_2^+\| < \gamma_1 \gamma_0$$

provided $\gamma_1 < \frac{1}{\gamma_0}$, $\|M B_1 B_2^N B_2^+\| < 1$ for all $0 < W \le I$. To facilitate the subsequent analysis, define

$$\tilde{G}(s) := \tilde{A}_{21} (sI - \tilde{A}_{11})^{-1} B_1 B_2^N \tag{8.18}$$

where $s$ represents the Laplace variable and the matrix $\tilde{A}_{21} := M \tilde{A}_{11} + \hat{A}_{21} - \hat{A}_{22} M$. By construction the transfer function $\tilde{G}(s)$ is stable. If

$$\|\tilde{G}(s)\|_\infty = \gamma_2 \tag{8.19}$$

then the following is true:

Proposition 8.2. During a fault or failure condition, for any combination of $0 < w_i \le 1$, the closed–loop system will be stable if

$$0 \le \frac{\gamma_2 \gamma_0}{1 - \gamma_1 \gamma_0} < 1 \tag{8.20}$$

where the positive scalar $\gamma_0$ is defined in Proposition 8.1.

Proof: see [3].

Remark 1: Both $\gamma_1$ and $\gamma_2$ depend on the design of the sliding surface since they depend on $M$. However they are independent of $W$. The scalar $\gamma_0$ depends on $W$ but is independent of $M$.

Remark 2: If $B_1 = 0$ (which is an assumption in many schemes: for example [23]), then $\gamma_1 = 0$ and $\gamma_2 = 0$ and Proposition 8.2 is trivially satisfied. Furthermore, as $B_1 \to 0$, the scalar $\frac{\gamma_2 \gamma_0}{1 - \gamma_1 \gamma_0} \to 0$ and so the requirements of Proposition 8.2 are satisfied. This suggests for weakly coupled systems in which $B_1$ is small, the approach will be feasible.
The control law from [3] has a structure given by $\hat{\nu}(t) = \hat{\nu}_l(t) + \hat{\nu}_n(t)$ where

$$\hat{\nu}_l(t) := -\tilde{A}_{21} \hat{x}_1(t) - \tilde{A}_{22} \sigma(t) \tag{8.21}$$

where $\tilde{A}_{22} := M \hat{A}_{12} + \hat{A}_{22}$ and the nonlinear component is defined to be

$$\hat{\nu}_n(t) := -\rho(t, x) \frac{\sigma(t)}{\|\sigma(t)\|} \quad \text{for } \sigma(t) \neq 0 \tag{8.22}$$

where $\sigma(t) = \hat{S} \hat{x}(t)$.

Proposition 8.3. Suppose the hyperplane matrix $M$ has been chosen so that the matrix $\tilde{A}_{11} = \hat{A}_{11} - \hat{A}_{12} M$ is stable and condition (8.20) from Proposition 8.2 holds, then choosing

$$\rho(t, x) := \frac{\gamma_1 \gamma_0 \|\hat{\nu}_l(t)\| + \eta}{1 - \gamma_1 \gamma_0} \tag{8.23}$$

ensures a sliding motion takes place on $\mathcal{S}$ in finite time.

Proof: see [3].

Remark 3: It can be shown that $\hat{\nu}_l(t)$ as defined in (8.21) can be written as

$$\hat{\nu}_l(t) = -(\hat{S} \hat{B})^{-1} \hat{S} \hat{A} \hat{x}(t)$$

which is more in keeping with the notation in [14]. Note here $\hat{S} \hat{B} = I_l$ and so this simplifies to $\hat{\nu}_l(t) = -\hat{S} \hat{A} x(t)$.

Remark 4: The control structure in (8.22) is known as a ‘unit vector’ controller since the vector component $\frac{\sigma}{\|\sigma\|}$ has unity norm [22].

Remark 5: Whilst SMC has been successfully tested on systems with faulty actuators, it was claimed that SMC cannot deal directly with total failures [21]. However, in this chapter, provided that the choice of sliding surface matrix $M$ satisfies the stability condition (8.20), the SMC for the ‘virtual’ system proposed above, can handle actuator failures in the original system provided that $\det(B_2 W B_2^T) \neq 0$.

8.2.2 Design Issues


The design problem can be summarized as follows:
1. Pre–design calculations:
   a. Make an appropriate re–ordering of the states in (8.1) so that the input distribution matrix $B$ is partitioned to identify $B_1$ and $B_2$.
   b. Scale the states so that $B_2 B_2^T = I$.
   c. Change coordinates using the linear transformation $x(t) \mapsto \hat{x}(t) = T_r x(t)$ where

      $$T_r := \begin{bmatrix} I & -B_1 B_2^T \\ 0 & I \end{bmatrix} \tag{8.24}$$

      to achieve the canonical form in (8.12) and isolate the submatrices $\hat{A}_{11}$, $\hat{A}_{12}$, $\hat{A}_{21}$ and $\hat{A}_{22}$.
   d. Compute the smallest possible scalar $\gamma_0$ so that $\|W^2 B_2^T (B_2 W^2 B_2^T)^{-1}\| < \gamma_0$, $\forall\ 0 < W \le I$.
2. Design of matrix $M$:
   a. The design objective is to compute $M$ from (8.16) so that $\tilde{A}_{11} := \hat{A}_{11} - \hat{A}_{12} M$ is stable.
3. Stability analysis:
   a. Compute and check if $\gamma_1 := \|M B_1 B_2^N\| < \frac{1}{\gamma_0}$ is satisfied. Otherwise consider re–designing the matrix $M$.
   b. Calculate $\tilde{G}(s) := \tilde{A}_{21} (sI - \tilde{A}_{11})^{-1} B_1 B_2^N$. Then if $\|\tilde{G}(s)\|_\infty := \gamma_2 < \frac{1}{\gamma_0} - \gamma_1$, the closed loop is guaranteed to be stable $\forall\ 0 < W \le I$. Otherwise consider re–designing the matrix $M$.
4. Obtaining the control law:
   a. Compute the sliding mode control law $\hat{\nu}(t)$ from equations (8.21)-(8.23).
   b. The final control law is given by

      $$u(t) = W B_2^T (B_2 W^2 B_2^T)^{-1} \hat{\nu}(t) \tag{8.25}$$

8.3 Controller Design


The 12 rigid body states of the B747 aircraft can be divided into 6 longitudinal axis states and 6 lateral and directional axes states which are all determined from the 6-degree of freedom equations of motion. For the longitudinal axis, the states are pitch rate $q$, true airspeed $V_{tas}$, angle of attack $\alpha$, pitch angle $\theta$ and altitude $h_e$. Meanwhile for the lateral and directional axes, the states are roll rate $p$, yaw rate $r$, sideslip angle $\beta$, roll angle $\phi$ and yaw angle $\psi$. For the design in this chapter, the control surfaces comprise 4 ailerons (inner and outer on each wing), 12 spoilers (2 inner spoilers and 4 outer spoilers on each wing), 2 rudders (upper and lower), 4 elevators (an inner and outer on each left and right elevator), a horizontal stabilizer and 4 engine thrusts (which are controlled through engine pressure ratios (EPR)).

The controller design objective considered here is to bring a faulty aircraft to a near landing condition. This can be achieved by a change of direction through a ‘banking turn’ manoeuvre [8], followed by a decrease in altitude and speed. This can be achieved by tracking appropriate roll angle ($\phi$) and sideslip angle ($\beta$) commands using the lateral controller, and tracking flight path angle (FPA) and airspeed ($V_{tas}$) commands using the longitudinal controller. For lateral control, the settling time when there is no fault/failure should be approximately 20 s for $\phi$ and 20 s for $\beta$. These specifications are chosen to ensure that there is almost zero side force and therefore passenger comfort is maintained (page 233 of Bryson [8]). For longitudinal control, the settling time when there is no failure should be 20 s for FPA and 45 s for $V_{tas}$.

A linearization has been obtained around an operating condition of 263,000 kg, 92.6 m/s true airspeed, and an altitude of 600 m at 25.6% of maximum thrust and at a 20° flap position. The result is a 12th order linear model (separated into two 6th order models) associated with the lateral and longitudinal states. For design purposes, only the first four longitudinal ($x_{long} = [q \ V_{tas} \ \alpha \ \theta]^T$) and lateral states ($x_{lat} = [p \ r \ \beta \ \phi]^T$) have been retained. For lateral control, the 4 individual engine pressure ratios (EPR) and the 4 individual ailerons have been used. The 10 spoilers¹ have been aggregated to produce two control inputs on each wing (spoilers 1-4, 5, 8 and 9-12 have been grouped respectively). The other input represents rudder deflection (the upper and lower rudder has been aggregated to produce a single control signal). For longitudinal control, the 4 elevators have been aggregated to produce one control input while the 4 EPRs can be controlled independently. The other input represents horizontal stabilizer deflection. The following state-space system pairs represent the lateral and longitudinal systems about the trim condition

¹ Spoilers 6 & 7 are ground spoilers and are not used during flight [16].

$$A_{lat} = \begin{bmatrix} -1.0579 & 0.1718 & -1.6478 & 0.0004 \\ -0.1186 & -0.2066 & 0.2767 & -0.0019 \\ 0.1014 & -0.9887 & -0.0999 & 0.1055 \\ 1.0000 & 0.0893 & 0 & 0 \end{bmatrix} \tag{8.26}$$

$$B_{lat} = \left[\begin{array}{rrrrrrrrrrrrr} -0.0832 & 0.0832 & -0.2285 & 0.2285 & -0.2625 & -0.0678 & 0.0678 & 0.2625 & 0.1187 & 0.0246 & 0.0140 & -0.0140 & -0.0246 \\ -0.0154 & 0.0154 & -0.0123 & 0.0123 & -0.0180 & -0.0052 & 0.0052 & 0.0180 & -0.2478 & 0.1269 & 0.0724 & -0.0724 & -0.1269 \\ \hline 0 & 0 & 0 & 0 & 0.0017 & 0.0006 & -0.0006 & -0.0017 & 0.0174 & 0.0005 & 0.0005 & -0.0005 & -0.0005 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \end{array}\right] \tag{8.27}$$

where the first two rows of $B_{lat}$ form $B_{lat,2}$ and the last two rows form $B_{lat,1}$, and

$$A_{long} = \begin{bmatrix} -0.5137 & 0.0004 & -0.5831 & 0 \\ 0 & -0.0166 & 1.7171 & -9.8046 \\ 1.0064 & -0.0021 & -0.6284 & 0 \\ 1.0000 & 0 & 0 & 0 \end{bmatrix} \tag{8.28}$$

$$B_{long} = \left[\begin{array}{rrrrrr} -0.6228 & -1.3578 & 0.0082 & 0.0218 & 0.0218 & 0.0082 \\ 0 & -0.1756 & 1.4268 & 1.4268 & 1.4268 & 1.4268 \\ \hline -0.0352 & -0.0819 & -0.0021 & -0.0021 & -0.0021 & -0.0021 \\ 0 & 0 & 0 & 0 & 0 & 0 \end{array}\right] \tag{8.29}$$

where the first two rows of $B_{long}$ form $B_{long,2}$ and the last two rows form $B_{long,1}$.

The lateral control surfaces are

$$\delta_{lat} = [\delta_{air} \ \delta_{ail} \ \delta_{aor} \ \delta_{aol} \ \delta_{sp1-4} \ \delta_{sp5} \ \delta_{sp8} \ \delta_{sp9-12} \ \delta_r \ e_{1lat} \ e_{2lat} \ e_{3lat} \ e_{4lat}]^T$$

which represent aileron deflection (right & left - inner & outer) (rad), spoiler deflections (left: 1-4 & 5 & right: 8 & 9-12) (rad), rudder deflection (rad) and lateral contributions to the engine pressure ratios (EPR). The longitudinal control surfaces are

$$\delta_{long} = [\delta_e \ \delta_s \ e_{1long} \ e_{2long} \ e_{3long} \ e_{4long}]^T$$

which represent elevator deflection (rad), horizontal stabilizer deflection (rad), and longitudinal contributions to EPR. The partition of $B$ in (8.27) and (8.29) shows the terms $B_1$ and $B_2$ (although a further change of coordinates is necessary to obtain the form in (8.3) to scale $B_2$ to ensure $B_2 B_2^T = I$).

The controlled output distribution matrices are

$$C_{c_{lat}} = \begin{bmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}, \quad C_{c_{long}} = \begin{bmatrix} 0 & 0 & -1 & 1 \\ 0 & 1 & 0 & 0 \end{bmatrix}$$

which represent the states $\phi$ and $\beta$ for lateral control and flight path angle (FPA) and $V_{tas}$ for longitudinal control. These linear models will be used to design the control schemes which will be described in the next sections.

8.3.1 Fault Tolerant Controller Design


To include a tracking facility, integral action has been employed for both longitudinal and lateral control. The incorporation of integral action follows Section 4.4.2 in [14] (and is shown schematically in Figure 8.1). For the generic system in (8.1), let $x_r(t)$ represent integral action states:

$$\dot{x}_r(t) = r(t) - C_c x(t) \tag{8.30}$$

where $C_c \in \mathbb{R}^{l \times n}$ is the distribution matrix associated with the controlled outputs and the differentiable signal $r(t)$ is assumed to satisfy

$$\dot{r}(t) = \Gamma (r(t) - r_c) \tag{8.31}$$

with $\Gamma \in \mathbb{R}^{l \times l}$ a stable design matrix and $r_c$ a constant demand vector [14].

Fig. 8.1 Integral action controller structure

Augmenting the states from (8.26)-(8.29) with the integral action states and defining $x_a(t) = \mathrm{col}(x_r(t), x(t))$ it follows that

$$\dot{x}_a(t) = A_a x_a(t) + B_a u(t) + B_r r(t) \tag{8.32}$$

where

$$A_a = \begin{bmatrix} 0 & -C_c \\ 0 & A \end{bmatrix} \quad B_a = \begin{bmatrix} 0 \\ B \end{bmatrix} \quad B_r = \begin{bmatrix} I_p \\ 0 \end{bmatrix} \tag{8.33}$$

If $(A, B)$ is controllable and $(A, B, C_c)$ does not have any zeros at the origin then $(A_a, B_a)$ is controllable [14]. Define a switching function $\sigma_a(t) : \mathbb{R}^{(n+l)} \to \mathbb{R}^l$ to be

$$\sigma_a(t) = S_a x_a(t) \tag{8.34}$$

where $S_a \in \mathbb{R}^{l \times (n+l)}$ and $S_a B_a = I_l$. As in equation (8.21)-(8.22), the proposed ‘virtual control’ law comprises two components $\hat{\nu}(t) = \hat{\nu}_l(t) + \hat{\nu}_n(t)$. Now because of the reference signal $r(t)$, the linear component has a feed-forward reference term and so $\hat{\nu}_l(t) = L x_a(t) + L_r r(t)$ where $L = -\hat{S}_a \hat{A}_a$ and $L_r = -\hat{S}_a \hat{B}_r$. Here $\hat{A}$, $\hat{B}_r$ and $\hat{S}$ are the matrices from (8.33) and (8.34) after a transformation to achieve the regular form in equation (8.12) has been performed. The nonlinear component is defined as

$$\hat{\nu}_n(t) = -\rho(t, x_a) \frac{\sigma_a(t)}{\|\sigma_a(t)\|} \quad \text{for } \sigma_a(t) \neq 0 \tag{8.35}$$

This controller is a special case of the one in [14] because the reference dependent aspect of the sliding surface adopted in [14] has been dropped. From (8.5) and (8.10) it follows that

$$u(t) = W B_2^T (B_2 W^2 B_2^T)^{-1} \hat{\nu}(t) \tag{8.36}$$

i.e. the control which is sent to the actuators is dependent on the effectiveness gains $k_i$ (through the diagonal weighting matrix $W$).

8.3.1.1 Lateral Controller Design


For lateral control, the sliding surface matrix $M$ is chosen to minimize for system (8.32) the following quadratic performance index

$$J = \frac{1}{2} \int_{t_s}^{\infty} x_a(t)^T Q x_a(t) \, dt \tag{8.37}$$

where $Q$ is a s.p.d matrix and $t_s$ is the time at which the sliding motion commences (see for example [27, 14]). The matrix $Q$ is used to tune the closed loop response. The cost function in (8.37) is a special case of the more familiar LQR cost. In (8.37) the weighting of the control cost penalizing the use of control effort has been dropped. As such it represents a singular LQR control problem associated with ‘cheap control’. Consider a coordinate transformation $z(t) = T_a x_a(t)$ so that the system is in ‘regular form’ [27, 14]. In regular form, the matrix $Q$ and $A_a$ (from (8.32)) can be written as:

$$T_a Q T_a^T = \begin{bmatrix} Q_{11} & Q_{12} \\ Q_{21} & Q_{22} \end{bmatrix}, \quad T_a A_a T_a^T = \begin{bmatrix} A_{a11} & A_{a12} \\ A_{a21} & A_{a22} \end{bmatrix}, \quad \text{and} \quad T_a B_a = \begin{bmatrix} 0 \\ B_2 \end{bmatrix} \tag{8.38}$$

where $Q_{21} = Q_{12}^T$ and $B_2 \in \mathbb{R}^{m \times m}$. After some factorization and algebraic manipulation, equation (8.37) can be written as

$$J = \frac{1}{2} \int_{t_s}^{\infty} (z_1^T \hat{Q} z_1 + \upsilon^T Q_{22} \upsilon) \, dt \tag{8.39}$$

where

$$\hat{Q} := Q_{11} - Q_{12} Q_{22}^{-1} Q_{21} \tag{8.40}$$

and

$$\upsilon := z_2 + Q_{22}^{-1} Q_{21} z_1. \tag{8.41}$$

The minimization of (8.39) is associated with the dynamical system given by

$$\dot{z}_1 = \hat{A}_{a11} z_1 + A_{a12} \upsilon \tag{8.42}$$

where $\hat{A}_a = A_{a11} - A_{a12} Q_{22}^{-1} Q_{21}$ and $z_1$ represents the first $n$ components of $z$. The ‘optimal control law’ is

$$\upsilon = -(Q_{22}^{-1} A_{a12}^T P_1) z_1 \tag{8.43}$$

where $P_1$ satisfies

$$\hat{A}_a^T P_1 + P_1 \hat{A}_a - P_1 A_{a12} Q_{22}^{-1} A_{a12}^T P_1 + \hat{Q} = 0 \tag{8.44}$$

Further manipulation is required to obtain the sliding surface matrix $M$. During sliding [27, 14], $s(t) = 0$ and therefore

$$z_2 = -M z_1 \tag{8.45}$$

The manipulations resulting from solving for $z_2$ from equation (8.41) and (8.43) yield

$$z_2 = -Q_{22}^{-1} (A_{a12}^T P_1 + Q_{21}) z_1 \tag{8.46}$$

and therefore the matrix $M$ is defined as

$$M = Q_{22}^{-1} (A_{a12}^T P_1 + Q_{21}) \tag{8.47}$$
The s.p.d weighting matrix has been chosen as $Q_{lat} = \mathrm{diag}(0.005, 0.1, 6, 6, 1, 1)$. The first two terms of $Q_{lat}$ are associated with the integral action and are less heavily weighted. The third and fourth term of $Q_{lat}$ are associated with the equations of the angular acceleration in roll and yaw (i.e. $B_{lat,2}$ term partition in (8.3)) and thus weight the virtual control term. Thus by analogy to a more typical LQR framework, they affect the speed of response of the closed loop system. Here, the third and fourth terms of $Q_{lat}$ have been heavily weighted compared to the last two terms to reflect a fairly fast closed loop system response. The poles associated with the reduced order sliding motion are $\{-0.0707, -0.3867, -0.3405 \pm 0.1481\}$. The pre-filter matrix from (8.31) has been designed to be $\Gamma_{lat} = \mathrm{diag}(-0.5, -0.5)$. This may be viewed as representing the ideal response in the $\phi$ and the $\beta$ channels. In the simulations the discontinuity in the nonlinear control term in (8.35) has been smoothed by using a sigmoidal approximation

$$\hat{\nu}_{n\delta} = \frac{\sigma_{lat}}{\|\sigma_{lat}\| + \delta_{lat}}$$

where the scalar $\delta_{lat} = 0.05$ (see for example §3.7 in [14]). This removes the discontinuity at $\sigma_{lat} = 0$ and introduces a further degree of tuning to accommodate the actuator rate limits – especially during actuator fault or failure conditions. The gain $\rho$ from (8.35) has been chosen as $\rho = 1$. In normal operation, the ailerons will be the primary control surface for $\phi$ tracking, whilst the spoilers introduce redundancy. Meanwhile for $\beta$ tracking, the rudder will be the primary control surface and differential engine thrust is the associated redundancy. It will be assumed that at least one of the control surfaces for both $\phi$ and $\beta$ tracking will be available when a fault or failure occurs (i.e. one of either the two ailerons or the two spoilers will be available and one of either the rudder or the two engine thrusts are available). Based on these assumptions, it can be verified from a numerical search that $\gamma_{0lat}$ from (8.15) is $\gamma_{0lat} = 8.1314$. Simple calculations from (8.17) show that $\gamma_{1lat} = 0.0145$, therefore $\gamma_{0lat} \gamma_{1lat} = 0.1180 < 1$ and so the requirements of Proposition 8.2 are satisfied. Also for this particular choice of sliding surface, $\|\tilde{G}_{lat}(s)\|_\infty < \gamma_{2lat} = 0.0764$ from (8.19). Therefore from Proposition 8.2,

$$\frac{\gamma_{2lat} \gamma_{0lat}}{1 - \gamma_{1lat} \gamma_{0lat}} = 0.7043 < 1$$

which shows that the system is stable for all $0 < w_i \le 1$.
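The effect of the sigmoidal smoothing on the unit-vector term of (8.35) can be seen on a scalar case. The following Python simulation is an added example, not code from the chapter: the double-integrator plant, the disturbance, the surface slope `c`, the gain `rho = 2` and the function name are constructed assumptions, with a 50% actuator effectiveness loss in the sense of (8.1).

```python
# Added example: scalar unit-vector sliding mode law with and without the
# sigmoidal smoothing sigma / (|sigma| + delta). Plant and gains are constructed.
import math


def simulate(delta, k=0.5, rho=2.0, c=1.0, dt=1e-3, t_end=20.0):
    """Euler-simulate x1' = x2, x2' = (1 - k) u + d(t) under
    u = -c x2 - rho * sigma / (|sigma| + delta), with sigma = x2 + c x1.

    k is the effectiveness loss of (8.1) and d(t) a matched disturbance.
    Returns (final |x1|, max |sigma| over the last 5 s,
             number of sign switches of the nonlinear term).
    """
    x1, x2 = 1.0, 0.0
    switches, prev_sign, tail_sigma = 0, 0, 0.0
    steps = int(round(t_end / dt))
    for i in range(steps):
        t = i * dt
        sigma = x2 + c * x1
        denom = abs(sigma) + delta
        # The unit-vector term is only defined for sigma != 0 when delta = 0.
        nu_n = 0.0 if denom == 0.0 else -rho * sigma / denom
        u = -c * x2 + nu_n            # linear part designed for the no-fault case
        sign = (nu_n > 0) - (nu_n < 0)
        if sign != 0:
            if prev_sign != 0 and sign != prev_sign:
                switches += 1
            prev_sign = sign
        if t >= t_end - 5.0:
            tail_sigma = max(tail_sigma, abs(sigma))
        d = 0.3 * math.sin(t)          # matched disturbance (constructed)
        x1, x2 = x1 + dt * x2, x2 + dt * ((1.0 - k) * u + d)
    return abs(x1), tail_sigma, switches


if __name__ == "__main__":
    for label, delta in [("discontinuous (delta = 0)", 0.0),
                         ("smoothed (delta = 0.05)", 0.05)]:
        x1_final, sigma_tail, n_switch = simulate(delta)
        print(f"{label}: |x1(20)| = {x1_final:.4f}, "
              f"max |sigma| in last 5 s = {sigma_tail:.4f}, "
              f"switches = {n_switch}")
```

Both laws keep the state near the surface despite the fault and the disturbance; the discontinuous one does so by switching sign almost every integration step, while the smoothed one settles inside a small boundary layer around $\sigma = 0$.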

8.3.1.2 Longitudinal Controller Design


As in the lateral controller design, a quadratic optimal design has been used to obtain the sliding surface matrix. The s.p.d weighting matrix has been chosen as $Q_{long} = \mathrm{diag}(0.1, 0.1, 10, 50, 1, 1)$. Again, similar to the lateral controller design, the first two terms of $Q_{long}$ are associated with the integral action and are less heavily weighted. The third and fourth term of $Q_{long}$ are associated with the $B_{long,2}$ term partition in (8.3) (i.e. states $q$ and $V_{tas}$) which weight the virtual control term and has been heavily weighted compared to the last two terms. The poles associated with the reduced order sliding motion are $\{-0.7066, -0.2393 \pm 0.1706, -0.0447\}$. The pre-filter matrix from (8.31) has been designed to be $\Gamma_{long} = \mathrm{diag}(-0.5, -0.125)$. As in the lateral control, the discontinuity in the nonlinear control term in (8.35) has been smoothed by using a sigmoidal approximation where the scalar $\delta_{long} = 0.05$. The gain $\rho$ from (8.35) has been chosen as $\rho = 1$. In normal operation, the elevators will be the primary control surface for FPA tracking, whilst the horizontal stabilizer introduces redundancy. Meanwhile for $V_{tas}$ tracking, the collective thrust will be the only actuator without any redundancy. It will be assumed that at least one of the control surfaces for FPA tracking will be available when a fault or failure occurs (i.e. one of either the elevator or the horizontal stabilizer is available). Since the collective engine thrust is the only actuator available for $V_{tas}$ tracking, the engines are assumed to be fault free. Based on these assumptions, it can be verified from a numerical search that $\gamma_{0long} = 8.2913$ from (8.15). Simple calculations from (8.17) show that $\gamma_{1long} = 1.9513 \times 10^{-4}$, therefore $\gamma_{0long} \gamma_{1long} = 0.0016 < 1$ and so the requirements of Proposition 8.2 are satisfied. Also for this particular choice of sliding surface $\|\tilde{G}_{long}(s)\|_\infty < \gamma_{2long} = 0.0122$ from (8.19). Therefore from Proposition 8.2,

$$\frac{\gamma_{2long} \gamma_{0long}}{1 - \gamma_{1long} \gamma_{0long}} = 0.0931 < 1$$

which shows that the system is stable for all choices of $0 < w_i \le 1$.
Remark 6: In terms of the control laws, no actuator magnitude or rate saturations
are accounted for explicitly, although, in the tests and evaluations which have been
carried out, these effects are present. However, if a rate limit or position limit is
exceeded, a difference between the expected actuator position and the commanded
one occurs, which would be interpreted as a fault. The proposed scheme would then
inherently attempt to reduce the burden in this channel and redistribute the control
effort to other actuators, which would mitigate the effect of the saturation.
Remark 7: Although the controller design and analysis is based on a linear LTI
system, and no specific analysis has been carried out for a wide flight envelope,
SMC has the ability to handle a certain degree of plant–model mismatch caused by
varying operating conditions. It will be shown later that the designed SMC controller
still performs well in a wide flight envelope away from its designed operating point.

8.3.2 Heading and Altitude Control and EPR Control Mixing


To emulate real aircraft flight control capability, two outer loop heading and altitude control laws were designed based on PID control, to provide roll and FPA commands to the inner loop (lateral and longitudinal) sliding mode controllers. In the SIMONA implementation, the outer loop heading and altitude controls can be activated by switches in the cockpit. The lateral proportional gain and the derivative gain were set as $K_{p_{lat}} = 0.5$ and $K_{d_{lat}} = 0.1$ respectively. The longitudinal proportional gain and the derivative gain were set as $K_{p_{long}} = 0.001$ and $K_{d_{long}} = 0.05$ respectively.

Note that both the lateral and longitudinal controller manipulate the engine EPRs. For lateral control, differential engine EPR is required as a secondary ‘actuator’ for $\beta$ tracking; whilst for longitudinal control, collective EPR is used for $V_{tas}$ tracking. In the simulations, ‘control mixing’ was employed, where the signals from both the lateral controller ($e_{1lat}$, $e_{2lat}$, $e_{3lat}$ and $e_{4lat}$) and longitudinal controller ($e_{1long}$, $e_{2long}$, $e_{3long}$ and $e_{4long}$) were added together before being applied into each of the engines (page 14 of Burcham et al. [11]). This is similar to the control strategy used for the NASA propulsion control aircraft described in Burcham et al. [11]. This is possible since, during a turn manoeuvre, differential thrust from the two left and the two right engines is required, but if at the same time an increase (or decrease) in the forward speed is needed, a collective amount of thrust can be added (or deducted) to both the left and right engines and so the difference between the thrust on the left wing and right wing remains the same and does not contradict the turning manoeuvre.

8.3.3 ILS Landing


An additional outer loop PID control for tracking and capturing the localizer (LOC) and glide slope (GS) has also been added to allow the aircraft to land using a typical ILS (Instrument Landing System) landing procedure. A sensor which measures the deviation from the LOC angle/beam error combined with the current aircraft heading and VOR (VHF Omni-directional Radio Range) course radial, is used for aligning the aircraft with the runway. The output of this outer loop is a roll demand for the LOC controller and an FPA demand for the GS controller. These demand signals replace the pilot commands to the main SMC controller to allow for an almost automatic landing procedure. The outer loop controller (LOC and GS) is armed by the pilot by engaging the APP (approach) button on the MCP (see Figure 8.3) when the aircraft is near the LOC signal coverage.

Fig. 8.2 Overall controller structure [block diagram: heading/altitude PID, LOC & GS PID and logic, MCP and APP switches, sliding mode (virtual) control with linear component and adaptive unit vector term, adaptation scheme, control allocation, FDI (W = I − K), aircraft model]

Fig. 8.3 Mode control panel (MCP)

Fig. 8.4 Straight and level flight with Horizontal stabilizer runaway: states with specifications [panels versus time (sec): Vtas (m/s), track angle χ (deg), flightpath angle γ (deg), angle of attack α (deg), sideslip angle β (deg), loading factor nz, roll angle φ (deg)]

Fig. 8.5 Straight and level flight with Horizontal stabilizer runaway: kinematic accelerations in body axes [panels versus time (sec): axb, ayb, azb (m/s2)]

Fig. 8.6 Straight and level flight with Horizontal stabilizer runaway [(a) horizontal trajectory: ye (East) (m) against xe (North) (m); (b) vertical trajectory: altitude (m) against distance (m)]

Fig. 8.7 Right turn and localizer intercept with aileron jam: states with specifications [panels versus time (sec): LOC deviation λ (deg), Vtas (m/s), roll angle φ (deg), roll, pitch and yaw rates (deg/s), angle of attack α (deg), sideslip β (deg), loading factors]

Fig. 8.8 Right turn and localizer intercept with aileron jam: kinematic accelerations in body axes [panels versus time (sec): axb, ayb, azb (m/s2)]

Fig. 8.9 Right turn and localizer intercept with aileron jam: trajectories [(a) horizontal trajectory; (b) vertical trajectory]

In normal operation, the LOC will be the first to be engaged (LOC valid) when the aircraft is inside the LOC coverage (i.e. the DME (Distance Measuring Equipment; see footnote 2) is less than 46.3km, LOC is within ±10° and the GS is within (-7°, -0.75°)). During the armed phase, the LOC controller is in standby mode and the aircraft is controlled either by heading or roll commands from the pilot. When the LOC is engaged (LOC valid), the LOC controller will provide the inner roll command to the core lateral sliding mode controller and the whole process becomes an automatic landing mode: no input from the pilot is needed. The GS is then engaged (GS valid) when the aircraft is inside the GS coverage (i.e. the DME is less than 18.5km, LOC is within ±8° and the GS is within (-1.35°, -5.25°)). The GS is in armed phase (after the APP button is engaged), and the GS controller is in a standby mode with the aircraft controlled using altitude or via FPA commands from the pilot. When the GS controller is engaged (GS valid), the GS controller will provide the FPA command to the core longitudinal SMC controller: again no input from the pilot is needed. If for some reason during the LOC and GS manoeuvre to the runway the LOC or GS becomes invalid (i.e. if the aircraft goes outside the LOC and GS coverage), then the LOC and GS controller provide zero roll and FPA commands respectively. Then, the pilot can disengage the APP button to retake full control of the aircraft.

Footnote 2: DME is used by aircraft to determine their distance from a land-based transponder which is typically collocated with VORs or ILS localizer.
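The arm/engage/invalid switching described above can be written as a small state machine per channel. This is an added example, not code from the chapter or the benchmark: the coverage limits are the ones quoted in the text, while the class and function names, the open/closed treatment of the limits, the latching of the invalid state until APP is released, and the sample approach data are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    OFF = "off"          # APP not pressed: pilot commands pass through
    ARMED = "armed"      # APP pressed, beam not yet valid: pilot still commands
    ENGAGED = "engaged"  # beam valid: outer-loop PID feeds the inner SMC loop
    INVALID = "invalid"  # beam lost after capture: zero demand is sent


@dataclass(frozen=True)
class Coverage:
    max_dme_km: float
    max_loc_dev_deg: float
    gs_min_deg: float
    gs_max_deg: float

    def contains(self, dme_km, loc_deg, gs_deg):
        return (dme_km < self.max_dme_km
                and abs(loc_deg) <= self.max_loc_dev_deg
                and self.gs_min_deg < gs_deg < self.gs_max_deg)


# Limits quoted in the text (GS interval written here as min, max).
LOC_COVERAGE = Coverage(46.3, 10.0, -7.0, -0.75)
GS_COVERAGE = Coverage(18.5, 8.0, -5.25, -1.35)


def gs_coverage_inside_loc():
    """True if every point of GS coverage is also inside LOC coverage,
    which is why the LOC is normally the first channel to engage."""
    g, l = GS_COVERAGE, LOC_COVERAGE
    return (g.max_dme_km <= l.max_dme_km
            and g.max_loc_dev_deg <= l.max_loc_dev_deg
            and g.gs_min_deg >= l.gs_min_deg
            and g.gs_max_deg <= l.gs_max_deg)


class Channel:
    """One outer-loop channel (LOC -> roll demand, GS -> FPA demand)."""

    def __init__(self, coverage):
        self.coverage = coverage
        self.mode = Mode.OFF

    def step(self, app_pressed, dme_km, loc_deg, gs_deg):
        if not app_pressed:
            self.mode = Mode.OFF            # pilot retakes full control
            return self.mode
        valid = self.coverage.contains(dme_km, loc_deg, gs_deg)
        if self.mode is Mode.OFF:
            self.mode = Mode.ARMED
        if self.mode is Mode.ARMED and valid:
            self.mode = Mode.ENGAGED
        elif self.mode is Mode.ENGAGED and not valid:
            self.mode = Mode.INVALID        # assumed latched until APP is released
        return self.mode

    def select(self, pilot_cmd, pid_cmd):
        if self.mode is Mode.ENGAGED:
            return pid_cmd
        if self.mode is Mode.INVALID:
            return 0.0
        return pilot_cmd


# Constructed approach samples: (APP pressed, DME km, LOC dev deg, GS angle deg)
APPROACH = [
    (False, 60.0, 15.0, -0.5),
    (True, 60.0, 15.0, -0.5),
    (True, 40.0, 9.0, -1.0),
    (True, 15.0, 1.0, -3.0),
    (True, 15.0, 12.0, -3.0),   # drifts outside both coverages
    (True, 15.0, 1.0, -3.0),    # back inside, but the channels stay invalid
    (False, 15.0, 1.0, -3.0),   # pilot releases APP
]


def run_approach(pilot_roll=5.0, pilot_fpa=1.0, pid_roll=-2.0, pid_fpa=-3.0):
    loc, gs = Channel(LOC_COVERAGE), Channel(GS_COVERAGE)
    out = []
    for app, dme, loc_dev, gs_ang in APPROACH:
        loc.step(app, dme, loc_dev, gs_ang)
        gs.step(app, dme, loc_dev, gs_ang)
        out.append((loc.mode, gs.mode,
                    loc.select(pilot_roll, pid_roll),
                    gs.select(pilot_fpa, pid_fpa)))
    return out


if __name__ == "__main__":
    for row in run_approach():
        print(row)
```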

8.3.4 Fault Tolerant Control Simulation Results


The simulations presented in this chapter are all based on the benchmark. Note that in this chapter, the information necessary to compute W will be supplied by assuming a measurement of the actual actuator deflection is available. This is not an unrealistic assumption in aircraft systems [7].

Fig. 8.10 Glide slope intercept with elevator jam: states with specifications [panels versus time (sec): GS deviation Γ (deg), Vtas (m/s), angle of attack α (deg), roll, pitch and yaw rates (deg/s), loading factor nz, LOC deviation λ (deg), FPA γ (deg)]

Fig. 8.11 Glide slope intercept with elevator jam: kinematic accelerations in body axes [panels versus time (sec): axb, ayb, azb (m/s2)]

Fig. 8.12 Glide slope intercept with elevator jam: trajectories [(a) horizontal trajectory: ye (East) (m) against xe (North) (m); (b) vertical trajectory: altitude (m) against distance (m)]

Fig. 8.13 Final approach and side step with rudder missing: states with specifications [panels versus time (sec): u (m/s), w (m/s), course χ (deg), yaw angle ψ (deg), roll angle φ (deg), transversal velocity vr (m/s), roll, pitch and yaw rates (deg/s), angle of attack α (deg), loading factor nz]

Information provided by the actual actuator deflection can be compared with the signals from the controller to indicate the effectiveness of the actuator. The idea is to use a ‘least squares’ method to estimate the coefficients $w_i$ and $c_i$ in a relationship of the form

$$u_{(i,a)} = w_i u_i + c_i$$

where $u_{(i,a)}$ represents the actual deflection and $u_i$ represents the demanded deflection i.e. the controller output. The scalars $w_i$ and $c_i$ can be obtained from a least squares optimization and $W := \mathrm{diag}(w_1, \ldots, w_m)$. If the ith actuator is working perfectly, $w_i = 1$ and $c_i = 0$. If $w_i < 1$ then a fault is present. During the simulation, 10 data samples from a ‘moving window’, collected at 100Hz are used to compute the $w_i$ and $c_i$. Both the lateral and longitudinal controller have their own fault estimation blocks based on the control surfaces to be controlled.
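The moving-window least-squares estimate of $w_i$ and $c_i$ described above, written out as an added example (not code from the chapter or the benchmark). The window length and sample rate are those in the text; the sine command, the 2° jam position, the excitation threshold, the clipping of w to [0, 1] and the hold of the last w when the command does not move inside the window are assumptions of this example.

```python
import math
from collections import deque

FS_HZ = 100    # sample rate given in the text
WINDOW = 10    # samples in the moving window given in the text


class EffectivenessEstimator:
    """Fits u_actual = w * u_cmd + c over the last WINDOW samples of one actuator."""

    def __init__(self, window=WINDOW, min_excitation=1e-6):
        self.samples = deque(maxlen=window)
        self.min_excitation = min_excitation  # assumed threshold on sum of squares
        self.w, self.c = 1.0, 0.0             # healthy until a full window says otherwise

    def update(self, u_cmd, u_act):
        self.samples.append((u_cmd, u_act))
        n = len(self.samples)
        if n < self.samples.maxlen:
            return self.w, self.c
        mean_u = sum(u for u, _ in self.samples) / n
        mean_a = sum(a for _, a in self.samples) / n
        s_uu = sum((u - mean_u) * (u - mean_u) for u, _ in self.samples)
        s_ua = sum((u - mean_u) * (a - mean_a) for u, a in self.samples)
        if s_uu >= self.min_excitation:
            # Ordinary least-squares slope, clipped to the range the
            # allocation expects (assumption of this example).
            self.w = min(1.0, max(0.0, s_ua / s_uu))
        # Otherwise the command did not move inside the window, so the slope
        # is unobservable: keep the last w and let c carry any mismatch.
        self.c = mean_a - self.w * mean_u
        return self.w, self.c


def run(commands, actual):
    est = EffectivenessEstimator()
    return [est.update(u, a) for u, a in zip(commands, actual)]


def first_detection(history, threshold=0.9):
    """Index of the first sample whose estimated w falls below threshold."""
    for k, (w, _c) in enumerate(history):
        if w < threshold:
            return k
    return None


# ---- constructed test signals (not benchmark data) ----
FAULT_INDEX = 130   # fault injected 1.3 s into the record
JAM_DEG = 2.0       # jammed surface position


def sine_command(n, amp_deg=5.0, freq_hz=0.5):
    return [amp_deg * math.sin(2 * math.pi * freq_hz * k / FS_HZ) for k in range(n)]


def jam_scenario():
    cmd = sine_command(300)
    act = [u if k < FAULT_INDEX else JAM_DEG for k, u in enumerate(cmd)]
    return run(cmd, act)


def loss_scenario():
    cmd = sine_command(300)
    return run(cmd, [0.5 * u for u in cmd])   # 50 % loss of effectiveness


def constant_command_scenario():
    cmd = [3.0] * 50                           # healthy actuator, no excitation
    return run(cmd, list(cmd))


if __name__ == "__main__":
    hist = jam_scenario()
    print("jam: w, c =", hist[-1], "detected at sample", first_detection(hist))
    print("50% loss: w, c =", loss_scenario()[-1])
    print("constant command: w, c =", constant_command_scenario()[-1])
```

With a 10-sample window at 100 Hz the estimate is based purely on post-fault data 0.1 s after the fault; a jam that occurs while the command is constant shows up in c rather than in w.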
In this chapter, five different simulations based on the GARTEUR benchmark will be presented. The benchmark tests correspond to a single actuator (either elevator, horizontal stabilizer, aileron or rudder) failure, tested on five different flight scenarios: straight and level flight, a right turn and LOC intercept, a GS intercept, a final approach with sidestep, and lastly the overall manoeuvre. In this chapter, only some of the most significant results will be presented due to space limitations.

Fig. 8.14 Final approach and side step with rudder missing: kinematic accelerations in body axes [panels versus time (sec): axb, ayb, azb (m/s2)]

Fig. 8.15 Final approach and side step with rudder missing: trajectories [(a) horizontal trajectory: ye (East) (m) against xe (North) (m); (b) vertical trajectory: altitude (m) against distance (m)]

8.3.4.1 Stabilizer Runaway


Figures 8.4-8.6 show the results of a stabilizer runaway during straight and level flight. The failure occurs at 10s after the start of the simulation at an altitude of 980m with a speed of 92.6m/s. Figure 8.4 shows that only the FPA state is significantly affected. The FPA only enters the ‘adequate performance’ level (the lightly coloured region) during the runaway to the maximum deflection. After the stabilizer has reached the maximum deflection of 3°, the FPA returns to the ‘desired performance’ level and is not affected further by the failure. Figure 8.5 shows a very small variation in the specific forces, therefore maintaining the comfort of the passengers even during the catastrophic failure. As expected, Figure 8.6(a) shows no impact of the stabilizer runaway on the lateral performance with no alteration in the course of the aircraft. Figure 8.6(b) shows that there is a small drop in altitude which could be corrected using the altitude hold setting. (In the current configuration the controller is set at zero FPA and roll angle demand.)

Fig. 8.16 Full manoeuvre with missing rudder: states with specifications [panels versus time (sec): GS deviation Γ (deg), Vtas (m/s), angle of attack α (deg), roll, pitch and yaw rates (deg/s), loading factor nz, LOC deviation λ (deg), RCmax, FPA γ (deg)]

Fig. 8.17 Full manoeuvre with missing rudder: kinematic accelerations in body axes [panels versus time (sec): axb, ayb, azb (m/s2)]

Fig. 8.18 Full manoeuvre with missing rudder: trajectories [(a) horizontal trajectory: ye (East) (m) against xe (North) (m); (b) vertical trajectory: altitude (m) against distance (m)]

8.3.4.2 Aileron Jams

Figures 8.7-8.9 show the results when an aileron jams at a nonzero offset after 10 s. There is no effect of the aileron offset jam on the performance. At around 50s, the aircraft performs a right bank before capturing the LOC at about 100s by banking further to the right and aligning to the centreline of the extended runway (see LOC deviation). Figure 8.7 shows that all performance requirements are satisfied. Figure 8.8 shows that the end-point performance requirement is also satisfied and the specific forces stabilize and maintain almost zero kinematic accelerations. Figure 8.9 shows the trajectory of the aircraft. Figure 8.9(a) clearly shows that the LOC is intercepted. Figure 8.9(b) shows that the altitude enters the critical (red) region during the two banking manoeuvres but stabilizes into the desired performance during level flight.

8.3.4.3 Elevator Jams


Figures 8.10-8.12 show the results when the elevator jams with an offset at 10s with a GS capture manoeuvre. Figure 8.10 shows that all states maintain required performance throughout the manoeuvre. When the elevator jams, only pitch rate and FPA are affected, but the change is small. The GS deviation shows a very small error shortly after GS capture but the deviation is virtually zero less than 100s later. The FPA angle is maintained at 3° until the end of the simulation. All other lateral states are not affected by the failure. Figure 8.11 shows that the specific body forces in the x and y direction are not affected by the failure. Only the z-axis kinematic acceleration shows small changes during the failure (at 10s) and during GS capture (at approximately 130s). As expected, Figure 8.12(a) shows no deviation in the course.

8.3.4.4 Missing Rudder


Figures 8.13-8.15 show the final approach manoeuvre and side step with a missing rudder. The loss of the rudder affects directional control and the stability of the aircraft. This simulation starts at an altitude of 500m with 92.6m/s speed at a 20° flap setting. During this test, the aircraft descends at 3° FPA to an altitude of 50m above ground while a 100m right sidestep is applied (see Figure 8.15). In the absence of the rudder, differential thrust and a banking turn are required to achieve the manoeuvre. Figure 8.13 shows that most states satisfy the required performance. The transversal velocity and roll remain zero after the side step. Only the rate of descent (w) enters the adequate (lightly coloured) performance region due to the absence of rate of descent control (in this test descent is achieved through FPA control). Figure 8.14 shows small changes in the y and z-axes kinematic forces.

Since the missing rudder has an effect on both lateral and longitudinal control (due to the loss of directional control and because of the EPR mixing for speed control), the test is repeated for the overall flight manoeuvre from straight and level flight until the final approach. The simulation starts at an altitude of 980m, 92.6m/s speed with a 20° flap setting. The simulation results are presented in Figures 8.16-8.18. Figure 8.16 shows that the required heading and altitude change is obtained even without the rudder. The LOC and GS deviation and FPA plots show that the LOC and GS are intercepted and tracked with high accuracy. All pitch, roll and yaw rates show steady state is achieved during the last 100s of the simulation. Figure 8.17 shows some changes to the kinematic acceleration especially in the y and z-axis during the banking turn and the LOC intercept. Figure 8.18 shows the full trajectory of the aircraft until a near landing condition on the runway. The figure shows that the runway is reached and near landing is achieved.

8.4 Conclusions
This chapter has described the application of a recently developed on-line sliding mode control allocation scheme for fault tolerant control to the GARTEUR benchmark problem. The effectiveness level of the actuators is used by the control allocation scheme to redistribute the control signals to other functioning actuators when a fault or failure occurs. This chapter has described the design of the sliding surface and has determined the nonlinear gain required to maintain sliding. Sufficient conditions have been given to ensure the closed loop system remains stable for a class of faults and failures. Very good performance has been achieved on the GARTEUR benchmark evaluations.

References
1. Alwi, H., Edwards, C.: Fault tolerant control of a civil aircraft using a sliding mode based scheme. In: 44th IEEE Conference on Decision and Control (2005)
2. Alwi, H., Edwards, C.: Robust sensor fault estimation for tolerant control of a civil aircraft using sliding modes. In: Silver Anniversary American Control Conference (2006)
3. Alwi, H., Edwards, C.: Fault tolerant control using sliding modes with on-line control allocation. Automatica 44(7), 1859–1866 (2008)
4. Beck, R.E.: Application of Control Allocation Methods to Linear Systems with Four or More Objectives. PhD thesis, Virginia Polytechnic Institute and State University, Blacksburg, Virginia (2002)
5. Bordignon, K.A., Durham, W.C.: Closed-form solutions to constrained control allocation problem. Journal of Guidance, Control, and Dynamics 18(5), 1000–1007 (1995)
6. Bošković, J.D., Mehra, R.K.: Control allocation in overactuated aircraft under position and rate limiting. In: Proceedings of the American Control Conference, pp. 791–796 (2002)
7. Brière, D., Traverse, P.: Airbus A320/A330/A340 electrical flight controls: A family of fault-tolerant systems. In: Digest of Papers FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing, pp. 616–623 (1993)
8. Bryson, A.E.: Control of spacecraft and aircraft. Princeton University Press, Princeton (1994)
9. Buffington, J., Chandler, P., Pachter, M.: On-line system identification for aircraft with distributed control effectors. International Journal of Robust and Nonlinear Control 9, 1033–1049 (1999)
10. Burcham, F.W., Fullerton, C.G., Maine, T.A.: Manual manipulation of engine throttles for emergency flight control. Technical Report NASA/TM-2004-212045, NASA (2004)
11. Burcham, F.W., Maine, T.A., Kaneshige, J., Bull, J.: Simulator evaluation of simplified propulsion–only emergency flight control system on transport aircraft. Technical Report NASA/TM-1999-206578, NASA (1999)
12. Corradini, M.L., Orlando, G., Parlangeli, G.: A fault tolerant sliding mode controller for accommodating actuator failures. In: 44th IEEE Conference on Decision and Control (2005)
13. Davidson, J.B., Lallman, F.J., Bundick, W.T.: Real-time adaptive control allocation applied to a high performance aircraft. In: 5th SIAM Conference on Control & Its Application (2001)
14. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor & Francis, London (1998)
15. Enns, D.: Control allocation approaches. In: AIAA Guidance, Navigation and Control, pp. 98–108 (1998)
16. Hanke, C., Nordwall, D.: The simulation of a jumbo jet transport aircraft. Modelling data, vol. II. Technical Report CR-114494/D6-30643-VOL2, NASA and The Boeing Company (1970)
17. Härkegård, O.: Backstepping and Control Allocation with Applications to Flight Control. PhD thesis, Division of Automatic Control, Department of Electrical Engineering Linköping University, Sweden (2003)
18. Härkegård, O., Glad, S.T.: Resolving actuator redundancy - optimal control vs. control allocation. Automatica 41, 137–144 (2005)
19. Hess, R.A., Wells, S.R.: Sliding mode control applied to reconfigurable flight control design. Journal of Guidance, Control and Dynamics 26, 452–462 (2003)
20. Jones, C.N.: Reconfigurable flight control: First year report. Technical report, Cambridge University Engineering Department (2005)
21. Jones, C.N., Maciejowski, J.M.: Fault tolerant flight control: An overview. GARTEUR action group 16: Fault tolerant control. draft for deliverable D1.1 (task T1.2). Technical report, Cambridge University Engineering Department (2005)
22. Ryan, E.P., Corless, M.: Ultimate boundedness and asymptotic stability of a class of uncertain dynamical systems via continuous and discontinuous control. IMA Journal of Mathematical Control and Information 1, 223–242 (1984)
23. Shin, D., Moon, G., Kim, Y.: Design of reconfigurable flight control system using adaptive sliding mode control: actuator fault. Proceedings of the Institution of Mechanical Engineers, Part G (Journal of Aerospace Engineering) 219, 321–328 (2005)
24. Shtessel, Y., Buffington, J., Banda, S.: Tailless aircraft flight control using multiple time scale re-configurable sliding modes. IEEE Transactions on Control Systems Technology 10, 288–296 (2002)
25. Tan, C.P., Edwards, C.: Sliding mode observers for robust detection and reconstruction of actuator and sensor faults. International Journal of Robust and Nonlinear Control 13, 443–463 (2003)
26. Utkin, V., Guldner, J., Shi, J.: Sliding Mode Control in Electromechanical Systems. Taylor & Francis, London (1999)
27. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992)
28. Wells, S.R., Hess, R.A.: Multi–input/multi–output sliding mode control for a tailless fighter aircraft. Journal of Guidance, Control and Dynamics 26, 463–473 (2003)
29. Zhang, Y.M., Jiang, J.: Active fault-tolerant control system against partial actuator failures. IEE Proceedings: Control Theory & Applications 149, 95–104 (2002)

Chapter 9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft

Adolfo Sollazzo, Gianfranco Morani, and Andrea Giovannini

Adolfo Sollazzo, Italian Aerospace Research Center - CIRA, e-mail: a.sollazzo@cira.it
Gianfranco Morani, Italian Aerospace Research Center - CIRA, e-mail: g.morani@cira.it
Andrea Giovannini, Italian Aerospace Research Center - CIRA, e-mail: a.giovannini@cira.it

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 273–291. springerlink.com © Springer-Verlag Berlin Heidelberg 2010

9.1 Fault-Tolerant FCS

The final design of the flight control system with fault-tolerant characteristics is shown in Fig. 9.1. Such an FCS is made up of several parts: first of all the robust control laws that represent the core module of the controller, then a control allocation module which has the capability of distributing the control effort depending on the availability of the actuation devices, whose efficiency condition is given by the Fault-Detection and Identification module. The FDI module also gives information about the aircraft’s general behaviour and efficiency, thus allowing a supervisor module to manage the FCS in terms of estimated envelope protection, in addition to the attitude and rate limitations. Finally, an autopilot module, whose mode is selected by the panel, gives the attitude reference to the robust control law module for the aircraft state regulation.

Fig. 9.1 The scheme of the final design of the Fault-Tolerant FCS

The current state of the research in CIRA in the field of fault-tolerant flight control systems is focused on how to achieve robustness against actuator faults by means of adaptive control techniques. While this topic and the control allocation are already well assessed, the FDI techniques represent the next step forward towards the final design. In this chapter, the core module involving the robust control laws is described and reported in detail, along with some descriptions of the autopilot module. The control module is based on the adaptive model-following technique, while the latter is designed by means of the classical sequential loop closure approach. The FCS is the main focus of this chapter and is depicted in Fig. 9.2. Its theoretical background is recalled in the next section.

Fig. 9.2 The scheme of the current design of the Fault-Tolerant FCS

9.1.1 Adaptive Model-Following


Amongst the many different fault-tolerant control techniques [1], an Adaptive Model Following strategy (AMF) [2], [3] has been selected. The AMF belongs to the Model Reference Control Strategy paradigm and it earns its robustness by means of the adaptive control technique [4]. This is a direct adaptive technique, whose strategy is to apply a control law with a fixed structure and with a set of gain matrices that ensures two objectives, specifically demand tracking and stability. This technique consists of a gain variation of the control loops to minimize the difference between the reference model and the real plant behaviour. Several methods are present in the literature with regard to the adaptation algorithm [2]-[5]. The one adopted in the AMF is based on a Lyapunov strategy [2], [3]. It is worth remarking that the direct adaptive strategy differs slightly from the indirect one [4]. The latter method is based on the identification of the current plant parameters and the use of a fixed structure control law, whose gains depend on the plant parameters. All the adaptive techniques, in principle, do not imply the use of an FDI subsystem. This is a feature that makes these methods very attractive, because it allows the designer to focus on achieving the desired robustness level for the closed loop system. A further feature of the AMF technique is its strong robustness against parameter uncertainty in the system model, compared to classical control techniques. Moreover, the model following strategy lets the designer fix in a clear and simple way the reference dynamics for the system. This is attractive for the designer who can also schedule the control laws across the whole flight envelope, even though the design has been carried out in only one flight condition.
In this section, some details about the AMF control technique [2] are reported. Consider the linear model of the plant:

$$\dot{x} = Ax + Bu + d, \qquad y = Cx \tag{9.1}$$

where the term $d$ represents the trim data for the state derivatives. The reference system dynamics are written as:

$$\dot{y}_m = A_m y_m + B_m r \tag{9.2}$$

where $y_m$ is the desired output for the plant, $r$ is the given demand, and $A_m$ and $B_m$ represent the reference linear system dynamics. The control law structure is the following:

$$u = C_0 \left( G_0 x + v + r + K_0 y_m \right) \tag{9.3}$$

where $G_0$, $C_0$ and $v$ are terms evaluated by the adaptation rules, and $K_0$ is a feed-forward gain matrix evaluated once. It is now possible to calculate the error function (tracking error) as follows:

$$e = y_m - y \tag{9.4}$$

and it is particularly interesting to evaluate the error dynamics, in terms of the plant parameters and the reference system dynamics:

$$\dot{y}_m - \dot{y} = (CA + CBC_0G_0)\,x + CBC_0\,r + CBC_0\,v + CBC_0K_0\,y_m + Cd - A_m y_m - B_m r \tag{9.5}$$

Assuming the desired error system dynamics, expressed as:

$$\dot{e} = A_e e + \Phi \tag{9.6}$$

where $A_e$ is a stable and properly chosen matrix and $\Phi$ represents a bounded forcing function, it is possible to write the following identities to ensure the tracking objective ($y_m = y$):

$$\begin{aligned} CA + CBC_0^* G_0^* &= A_e C \\ CBC_0^* &= B_m \\ CBC_0^* v^* &= -Cd \\ CBC_0^* K_0 &= A_m - A_e \end{aligned} \tag{9.7}$$

The identities (9.7) facilitate writing expressions for the optimal terms $G_0^*$, $C_0^*$, $v^*$ and $K_0$ to obtain a perfect model inversion that guarantees the asymptotic stability of the plant and asymptotic zero error:

$$\begin{aligned} G_0^* &= B_m^{-1}\,(A_e C - CA) \\ C_0^* &= (CB)^{-1} B_m \\ v^* &= -B_m^{-1}\, C d \\ K_0 &= B_m^{-1}\,(A_m - A_e) \end{aligned} \tag{9.8}$$
It is evident that it is necessary for both $B_m$ and the $CB$ matrix to be invertible. While the former is a design parameter and can be chosen to be invertible, the latter, called high frequency gain, is a structural characteristic of the plant. In fact, the right invertibility of the high frequency gain is linked to the capability of the control variables to directly affect the output variables passing through the state variables. It is worth remarking that this is different from controllability and observability of the state-space representation since the realization of the double integrator A = [ 0 1 ; 0 1 ], B = [ 0; 1 ] and C = [ 1 0 ] is both controllable and observable, but has a null high frequency gain matrix. The foregoing discussion does not take into account system parameter variations. The non-linearity of the real system can be taken into account by means of proper variation of the dynamic (A), input (B), output matrices (C), and trim data (d). Moreover, uncertainty on the system parameters can also be modelled by proper variation of the aforementioned matrices and data. So, an adaptation rule set is necessary to react to variations in the system parameters and uncertainty. The algorithm which will be adopted is Lyapunov based and its structure is described here. First of all, define the differences between the actual adaptive parameters and the optimal ones as follows:

$$\begin{aligned} \Delta G &= G_0 - G_0^* \\ \Delta\Psi &= C_0^{*-1} - C_0^{-1} \\ \Delta v &= v_0 - v_0^* \end{aligned} \tag{9.9}$$

It is now possible to write expressions for the error dynamics taking into account parameter variations. After some calculations [2] it can be shown:

$$\dot{e} = A_e e + B_m \Delta G\, x + B_m \Delta\Psi\, u + B_m \Delta v \tag{9.10}$$

Now, the Lyapunov stability condition for the error system will be investigated. Consider the Lyapunov candidate function:

$$V = e^T P e + \mathrm{tr}\left\{ \frac{\Delta G^T \Delta G}{\gamma_1} \right\} + \mathrm{tr}\left\{ \frac{\Delta\Psi^T \Delta\Psi}{\gamma_2} \right\} + \frac{\Delta v^T \Delta v}{\gamma_3} \tag{9.11}$$

where $\gamma_i$ with $i = 1, \ldots, 3$ are three positive scalars and $P$ is the symmetric and positive definite matrix solution of the Lyapunov equation:

$$A_e^T P + P A_e = -Q \quad \text{with } Q > 0 \tag{9.12}$$

The derivative of $V$ in (9.11) has the following expression (see [2]):

$$\dot{V} = -e^T P e + 2\,\mathrm{tr}\left\{ \frac{1}{\gamma_1} \Delta G^T \left( \Delta\dot{G} + \gamma_1 B_m^T P e x^T \right) + \frac{1}{\gamma_2} \Delta\Psi^T \left( \Delta\dot{\Psi} + \gamma_2 B_m^T P e u^T \right) \right\} + \frac{1}{\gamma_3} \Delta v^T \left( \Delta\dot{v} + \gamma_3 B_m^T P e \right) \tag{9.13}$$

Choosing:

$$\begin{aligned} \dot{G}_0 &= -\gamma_1 B_m^T P e x^T \\ \dot{C}_0 &= -\gamma_2 C_0 B_m^T P e u^T C_0 \\ \dot{v}_0 &= -\gamma_3 B_m^T P e \end{aligned} \tag{9.14}$$

nullifies the last three terms in the expression for the derivative in (9.13). Expressions (9.14) represent the adaptation rules for the control law parameters, affected by the three scalars $\gamma_i$ with $i = 1, \ldots, 3$ in terms of adaptability rate. Finally, by taking into account (9.14), (9.13) and (9.9) it is possible to obtain the non-positiveness of the Lyapunov candidate function derivative:

$$\dot{V} = -e^T P e \le 0 \tag{9.15}$$

That ensures asymptotic stability for the error dynamic system.
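A scalar simulation of the control law (9.3) with the adaptation rules (9.14), comparing fixed ideal gains from (9.8) against adapted gains when the input gain halves at t = 10 s. This is an added example, not the authors' implementation: the scalar plant (C = 1), all numerical values, the square-wave demand, Euler integration, and the tracking error being taken as y − y_m (so that the update laws are used with the signs printed in (9.14)) are assumptions of this example.

```python
def ideal_gains(a, b, d, am, bm, ae):
    """Scalar form of (9.8) with C = 1, so the high frequency gain CB is b.

    Returns (G0*, C0*, v*, K0). Model inversion needs b and bm non-zero.
    """
    if b == 0.0 or bm == 0.0:
        raise ValueError("CB and Bm must be invertible")
    return (ae - a) / bm, bm / b, -d / bm, (am - ae) / bm


def simulate(adapt, t_end=60.0, dt=1e-3, fault_time=10.0):
    """Euler simulation; returns peak |e| before/after the fault and in the last 2 s."""
    a, d = -1.0, 0.3                 # assumed plant: ydot = a*y + b*u + d
    b_healthy, b_fault = 2.0, 1.0    # assumed 50 % loss of input gain at fault_time
    am, bm, ae = -2.0, 2.0, -4.0     # assumed reference model and error dynamics
    p = 1.0 / (-2.0 * ae)            # scalar (9.12) with Q = 1: 2*ae*P = -1
    g1 = g2 = g3 = 10.0 if adapt else 0.0   # adaptation rates gamma_1..gamma_3

    # Start from the gains that are ideal for the healthy plant.
    G0, C0, v, K0 = ideal_gains(a, b_healthy, d, am, bm, ae)
    y = ym = 0.0
    pre = post = final = 0.0

    for k in range(int(round(t_end / dt))):
        t = k * dt
        r = 1.0 if int(t // 5.0) % 2 == 0 else -1.0     # square-wave demand
        b = b_healthy if t < fault_time else b_fault

        u = C0 * (G0 * y + v + r + K0 * ym)             # control law (9.3)
        e = y - ym                                      # sign assumed, see lead-in

        if t < fault_time:
            pre = max(pre, abs(e))
        else:
            post = max(post, abs(e))
        if t >= t_end - 2.0:
            final = max(final, abs(e))

        # Adaptation rules (9.14), scalar case (x = y).
        dG = -g1 * bm * p * e * y
        dC = -g2 * C0 * bm * p * e * u * C0
        dv = -g3 * bm * p * e

        # Plant (9.1) and reference model (9.2).
        y += dt * (a * y + b * u + d)
        ym += dt * (am * ym + bm * r)
        G0 += dt * dG
        C0 += dt * dC
        v += dt * dv

    return {"pre_fault_peak": pre, "post_fault_peak": post,
            "final": final, "G0": G0, "C0": C0, "v": v}


if __name__ == "__main__":
    fixed = simulate(adapt=False)
    adaptive = simulate(adapt=True)
    print("fixed gains   : final |e| = %.4f" % fixed["final"])
    print("adaptive gains: final |e| = %.4f" % adaptive["final"])
    print("adapted C0 = %.3f (healthy ideal value 1.0)" % adaptive["C0"])
```

With fixed gains the fault leaves a standing tracking error; with the update laws running, the error in the last two seconds is driven close to zero without any fault detection step.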


The next section describes how the technique above is actually implemented to
achieve the required fault-tolerance.

9.1.2 The SCAS Architecture


The SCAS module is made of two nested sub-modules both designed by means of
the adaptive technique described in the previous section. The inner module takes
care of the angular rates, while the outer one copes with the control of the attitude
angles. This solution exploits the separation between the faster angular rate dynam-
ics and the attitude angles dynamics, which are slower. The approach achieves a
sensible reduction in the control law complexity, that is to say the total number of
controller states is decreased with respect to an all-in-one control module. A de-
tailed schematic of the SCAS architecture is depicted in Fig. 9.3, while the detailed
graphical description of each module is reported in Fig. 9.4.
The variables reported in Fig. 9.4 directly refer to the adaptive model-following
theory described in Section 9.1.1. It is, now, worth giving a detailed description
about how it is implemented. With reference to the variables of Section 9.1.1, the
state, the output, the control and the reference vectors for the outer loop, the angular
rates regulator, are set-up as follows:

Fig. 9.3 The SCAS architecture

Fig. 9.4 The internal architecture of each SCAS module

 
$$x = [\,v_{TAS},\ \alpha,\ \phi,\ \theta\,]$$
$$y = [\,\phi,\ \theta\,]$$
$$u = [\,p_{dem},\ q_{dem},\ r_{dem}\,]$$
$$r = [\,\phi_{dem},\ \theta_{dem}\,]$$

For the inner loop, the variables are set-up as:


 
$$x = [\,v_{TAS},\ \alpha,\ p,\ q,\ r\,]$$
$$y = [\,p,\ q,\ r\,]$$
$$u = [\,\delta_a,\ \delta_e,\ \delta_r\,]$$
$$r = [\,p_{dem},\ q_{dem},\ r_{dem}\,]$$

where the control variable, u, is left generically as the ailerons, the elevator and
the rudder commands. The design parameters of both the inner and the outer loops
consist of a few matrices. First of all, the dynamics of the reference model are ex-
pressed in terms of the two matrices Am and Bm with the limitation that the former
must be chosen with negative eigenvalues and the latter invertible. The desired error
dynamics are chosen by means of Ae . The tuning of this matrix allows the modifica-
tion of the system performance, in conjunction with the reference model parameters,
but it also affects the capability of rejecting noise and disturbances, so it has meaning
in terms of the real control system bandwidth. The matrix Q, used in the calculation
of the Lyapunov matrix P (see equation 9.12), can be interpreted as a weighting
matrix. The tuning of this matrix makes it possible to trade off the tracking require-
ment, in terms of adaptability, of one or more output variables with respect to the
others. Finally, the three parameters γ1, γ2 and γ3 are used to change the adaptive
capability: the higher the values of these parameters, the faster the adaptability. These
parameters have been designed by means of a trial and error analysis.

9.1.3 Limitations and Practical Solutions


Adaptive model-following is a very robust control technique, but it also requires
several strong hypotheses to be verified. The first hypothesis concerns the necessity
to avoid unmodelled dynamics. This need arises trivially because the control laws,
and particularly the adaptation rules, cannot properly process the dynamics of the
system, if this information is incomplete. The invalidity of the aforementioned hy-
pothesis may lead to instability. Some authors [4] express this need by assuming the
transmission zeros have a negative real part. Even though the two assumptions are
substantially different, they both deal with the same problem. In the case of unmod-
elled dynamics, they can be made stable in closed loop if the zeros of transmission
are located in the negative real half plane.
In the benchmark, both the actuators and sensors models do not have a dynamic
representation, they only concern the nonlinearities and noise (in the case of the sen-
sors). This is a particularly favourable condition for the adaptive model-following
technique and facilitates successful results.
The second fundamental hypothesis for adaptive model-following concerns the
high frequency gain, that is the CB matrix. This matrix, as already discussed in Sec-
tion 9.1.1, needs to be full rank. In the benchmark no sensor failures are considered,
this avoids problems with the equivalent C matrix, whose rank never decreases.
Similar assertions may be made concerning the equivalent B matrix. In fact, even
though actuator failures are considered in the benchmark, the high redundancy level
of the control devices always ensures a sufficient number of control variables, hence
avoiding non-right invertibility issues of the high frequency gain matrix.
Finally, adaptive model-following is a control technique for linear plants. This
means that the nonlinearities in the plant may give problems, particularly those non-
linearities that cause abrupt variations in the plant behaviour. Some examples of
these kinds of nonlinearities are the actuators limits, both in terms of rate and posi-
tion, but also those like the stall conditions. All the nonlinearities are not treated in
the implementation of the adaptive model-following, here discussed. To deal with
the actuator limitations, it would be necessary to adopt techniques such as control
allocation [8]-[13] or similar techniques to rearrange the control effort [3]. The re-
arrangement could be based on the knowledge of the limitations concerning the
control variables and, in the case of failures, of the current actuator condition. In the
FCS here described, the only way to avoid this kind of problem has been to reduce
the performance as far as possible without going below an acceptable level.
A harder problem is the stall condition. It is always necessary to include a proper
envelope protection system. For instance, as is typically done in classical control, it
would be possible to consider a module to override the control laws when the flight
condition approaches stall. For an FTC technique dealing with structural
damage, this is a very critical topic due to the higher complexity level of such an FCS
and the interactions between the control laws and the envelope protection module.
Moreover, in the case of heavy structural damage (as in the case of the Bijlmermeer
accident [6]) the stall angle may change significantly (from 15 to 8.5 degrees), so,
while designing the envelope protection strategy, it is necessary to avoid destructive
interactions between the control laws and the stall prevention system. Thus, two
opposite philosophies are possible. The first would try to identify the new value of the
stall angle by means of a proper FDI technique and use it as a new threshold. The
second would adopt a safety rule by blindly assuming a reduction in the supposed
stall angle of a certain percentage of the nominal one. This second technique was taken
into account in order to retain one of the main features of the FCS, that is to say,
the absence of an FDI subsystem. On the other hand, this represents a drawback
due to the performance reduction caused in all cases that do not involve a stall
angle variation with respect to the nominal one. In practice, this assertion relates
to all the benchmark cases except for the EL AL 1862 test scenario. This results
from the weakness of a strategy that tries to recover stability in the case of severe
structural damage without having knowledge of what has actually happened. In the
FCS, described here, the stall prevention module involves two actions. The first
concerns the attitude angles (φ , θ ), whose references are both limited by means of a
couple of variable thresholds that depend on the current value of the angle of attack.
The second action refers to the attitude rates (p, q, r), whose references are modified
to counteract the stall condition when a stall condition is approached.

9.2 The Classic A/P


The Autopilot mode module employs a total of six modes, three longitudinal modes
and three lateral modes. Both lateral and longitudinal autopilot modes are designed
by means of classical control techniques, involving sequential loop closure, and by
adopting schemes that use proportional/integral regulators (see [14]). A list of the
modes is given in Table 9.1. In addition, a classical autothrottle
module has been designed for true airspeed regulation.

9.3 Numerical Validation


Table 9.1 List of Autopilot available modes

Longitudinal            Lateral
----------------------  ----------------------
Altitude Hold/Select    Heading Hold/Select
Glideslope Intercept    Localizer Intercept
Approach Lon            Approach Lat

Table 9.2 List of control variables

variable          description
----------------  ------------------------------------
$\delta_{aiL}$    the left inboard aileron command
$\delta_{aiR}$    the right inboard aileron command
$\delta_{aoL}$    the left outboard aileron command
$\delta_{aoR}$    the right outboard aileron command
$\delta_{sp}$     the spoilers command
$\delta_{spb}$    the speedbrakes command
$\delta_{ei}$     the inboard elevators command
$\delta_{eo}$     the outboard elevators command
$\delta_{ru}$     the upper rudder command
$\delta_{rl}$     the lower rudder command
$i_h$             the horizontal stabilizer command
$\Delta th$       the differential throttle command

The Fault-Tolerant FCS has been tested by means of the benchmark software environment,
described in chapter 6. The SCAS architecture has been customised in terms of the
control variables, u, to match the control effectors set. The full set of control
variables is reported in Table 9.2. It is worth adding that the A/P module provides
the demand for the attitude angles, φ and θ, and the mean value of the throttle
command to the engines.
The benchmark environment includes a detailed model of the vehicle, and is able
to reproduce the actual behaviour even in faulty conditions. Figures 9.5 and 9.6
report the considered surface failure scenarios and the EL AL 1862 flight failure
condition [6], [7]. The FCS has been tested in the face of each failure condition,
while performing all the available manoeuvres (see chapter 6 for details). These
manoeuvres represent the four phases of an emergency landing manoeuvre after a
failure occurs during the initial climb phase. These manoeuvres are: straight flight,
a right turn and localizer beam intercept, glideslope beam intercept and the final
approach. All the tests have been carried out in turbulence and windy ($u_{wind} = 11$
m/s, $v_{wind} = 12$ m/s, $w_{wind} = 0$ m/s) conditions.
The results of the numerical tests are reported in terms of time histories of the
main quantities with respect to the fixed manoeuvre along with their desired and
acceptable limits (see chapter 7 for details). Even though all the combinations of
faulty conditions and manoeuvres have been explored, it is not practical to report all
the figures here. Only the most meaningful results are reported here and, at the end
of the section, a table with a summary of the test results is added to give an overview
of the fault-tolerance achieved thanks to the proposed FCS.

Fig. 9.5 The surfaces failure scenario

Fig. 9.6 The EL AL 1862 flight failure scenario

One of the worst failure cases is the rudder runaway. In this situation, the rudder
generates a strong yawing moment that reduces the directional manoeuvrability.
This problem is particularly evident in the case of the right turn manoeuvre (see
Fig.9.7), when it is necessary to generate a yawing moment opposite to the disturb-
ing one to perform the turn. The performance is not really good, but stability is
maintained.

Fig. 9.7 Right turn and Localizer intercept with rudder runaway
[Plot "States with specs: Right Turn and LOC intercept"; panels: λ [deg], vTAS [m/s], φ [deg], p [deg/s], q [deg/s], r [deg/s], α [deg], β [deg], nz, ny, RCmax [m/s]]

Fig. 9.8 Right turn and Localizer intercept with loss of vertical tail
[Plot "States with specs: Right Turn and LOC intercept"; panels: λ [deg], vTAS [m/s], φ [deg], p [deg/s], q [deg/s], r [deg/s], α [deg], β [deg], nz, ny, RCmax [m/s]]

Fig. 9.9 Glideslope beam intercept with elevators stuck
[Plot "States with specs: glideslope intercept"; panels: Γ [deg], vTAS [m/s], α [deg], p [deg/s], q [deg/s], r [deg/s], nZ [g], λ [deg], γ [deg], RCmax [m/s]]

The loss of the vertical fin seems not to be a critical failure (see Fig.9.8). The
adaptive FCS is able to handle this condition without any problem, the performances
are also acceptable. The stuck elevator failure also does not represent a critical
condition in any of the considered manoeuvres, thanks to the stabilizer being used as
an alternative control surface. As an example the glideslope intercept manoeuvre is
considered, and it is evident the control laws manage the failure with no difficulties
(see Fig.9.9).
However, the stabilizer runaway is a quite important failure. During the glides-
lope intercept, it is evident (see Fig.9.10) that the pitch down disturbing moment,
generated by the failed stabilizer, makes the aircraft dive quickly. The control laws
"work hard" to react and to reach the proper altitude to follow the beam. Here, the
absence of an FDI subsystem is evidently a drawback. The control laws suppose all
the surfaces are available and the control effort is distributed on this basis. If FDI
information had been available, starting from the knowledge of the failure, all the control
effort would have been moved onto the elevators.
In Fig.9.11 the whole manoeuvre is performed in the case of rudder runaway. As
discussed earlier the right turn is the critical phase, but in this case the failure occurs
during the early straight flight, so the aircraft has time to acquire a proper attitude to
approach the turn and the successive phases of the manoeuvre.

Fig. 9.10 Glideslope beam intercept with stabilizer runaway
[Plot "States with specs: glideslope intercept"; panels: Γ [deg], vTAS [m/s], α [deg], p [deg/s], q [deg/s], r [deg/s], nZ [g], λ [deg], γ [deg], RCmax [m/s]]

Fig. 9.11 Entire emergency manoeuvre with rudder runaway
[Plot "States"; panels: p [deg/s], φ [deg], q [deg/s], θ [deg], r [deg/s], ψ [deg], vTAS [m/s], h [m], α [deg], x [m], β [deg], y [m]; horizontal axis: time [s]]

Fig. 9.12 Entire emergency manoeuvre in the case of flight EL AL 1862 failure scenario
[Plot "States"; panels: p [deg/s], φ [deg], q [deg/s], θ [deg], r [deg/s], ψ [deg], vTAS [m/s], h [m], α [deg], x [m], β [deg], y [m]]

The EL AL 1862 failure scenario is surely the most difficult condition (see
Fig.9.12). This failure is particularly critical not only due to the reduced number
of control effectors available, but also due to the structural damage on the right
wing that makes strong and abrupt variations in the inertial and aerodynamical
parameters, such as the stall angle. This important parameter is significantly reduced
as a result of the damage. As the right turn phase starts, the angle of attack increases
quickly, approaching the new stall value, thus a persistent oscillation arises, slightly
damped, but it only fades out when the right turn is almost accomplished.
The following table gives a summary of the test results. First of all it is necessary
to define a classification able to give an idea of the overall effectiveness of the FCS
to achieve stable flight and, if possible, good quality of performance. A four-level
scale is used as follows:

• Not critical (). The failure condition is not critical both in terms of stability and
performance achieved;
• Negligibly critical (). The failure does not compromise the stability, but the per-
formances are slightly degraded;
• Critical (). The failure results in strong reduction in performance even though
stability can be maintained;
• Dramatically critical (•). The failure causes instability;

It is evident that stuck elevators, stuck ailerons and the loss of the vertical tail are
easily manageable failure conditions. However, stabilizer runaway and even more
dramatically rudder runaway are critical failure conditions. Finally, the EL AL 1862
failure case is quite manageable by means of the adaptive FCS, even though it is not
always possible to achieve acceptable performances.

Table 9.3 Summary of results

Straight Flt RT and LOC Glideslope Full Manoeuvre


Stuck Elevators    
Stuck Ailerons    
Stabilizer runaway    
Rudder runaway    •
Loss of Vertical Tail    
EL AL 1862 case    

9.4 Future Development


In this section some preliminary results of further developments are shown. A Con-
trol Allocation module is used to improve robustness of the closed loop system and
to achieve a better management of the control effector ranges. The module exploits
the Active Set method whose original implementation is fully discussed in [10].
With reference to the scheme of Fig.9.1, the aforementioned module would need a
FDI module (not developed yet) and so a strong hypothesis is made here. A sim-
ple actuator monitoring system is assumed to be present and fully efficient, thus a
stuck or runaway failure is supposed to be accurately reported within a delay of 4
seconds. It is worthwhile remarking that the only data the monitor provides is a
logical one such as healthy/failed and therefore information about the kind of fail-
ure which has occurred or the position of the failed surface are not assumed to be
available.
Two failure conditions make evident the improvement which can be achieved
by adopting a control allocation strategy in conjunction with the adaptive model
following, one is the rudder runaway while performing the right turn manoeuvre.
Figure 9.13 shows both the achievable trajectory with and without the Control
Allocation module. Moreover, in Fig.9.14 the time histories of some state variables
are reported. The black dashed lines represent the results obtained with the control
allocation, while the blue solid lines represent the ‘adaptive only’ technique. It is
evident how the control allocation module gives smoother manoeuvres. The second
condition chosen is the horizontal stabilizer failure, while flying straight and with
level wings. The results are reported in Fig.9.15, using the line style meaning as
previously used. The improvements achieved are evident.

Fig. 9.13 Rudder runaway failure case, improvements achievable thanks to control
allocation: trajectory

Fig. 9.14 Rudder runaway failure case, improvements achievable thanks to control
allocation: time histories
[Plots: (a) ψ [deg], φ [deg], p [deg/s], r [deg/s], y [m]; (b) Upper Rudder [deg], Inner Ailerons [deg], Outer Ailerons [deg], Throttles [pu] (eng 1,2 − eng 3,4); legend: AMF, AMF+CA]

Fig. 9.15 Stabilizer runaway failure case, improvements achievable thanks to control
allocation
[Plots: (a) VTAS [m/s], α [deg], θ [deg], q [deg/s], altitude [m]; (b) Stabilizer [deg], Inner Elevators [deg], Outer Elevators [deg]; horizontal axis: time [s]; legend: AMF, AMF+CA]

9.5 Conclusions
The numerical tests demonstrate that the adaptive model-following technique can
be applied successfully to recover from the surface failures in the presence of suf-
ficient remaining control efficiency. In the face of structural damage, (El Al 1862
case) the control laws adopted are again efficient as long as their applicability hy-
potheses remain valid, that is to say controllability, observability and the absence of
unmodelled dynamics. In fact, the main weak point of the FCS, as has been shown
by the numerical tests, is the poor ability to recover steady flight, while the enve-
lope limits are exceeded. In this condition the aircraft behaviour abruptly changes,
thus representing a critical situation for the adaptive control and a real threat to sta-
bility. This condition is particularly critical in the case of structural damage, when
the envelope limits may change significantly. A proper solution should be adopted
to achieve more efficient envelope protection, so preserving the validity of the hy-
potheses necessary for the applicability of the adaptive control technique.
Concerning the performances achieved in faulty conditions, it is fair to say that
they are slightly degraded if compared with those of the nominal conditions. In de-
tail, in the case of surface damage, the performance loss is not so evident, but in
the case of structural damage, the behaviour of the aircraft is significantly different
from the nominal case. Furthermore, the aircraft dynamics are also made worse by
the flight conditions which are really close to the stall limit. It is worthwhile remark-
ing that, in the case of stuck surfaces, the damaged ones are considered locked at a
nearly neutral position. In these conditions, the disturbing moment which is gener-
ated is almost negligible, thus the unfailed surfaces are efficient enough to provide
the manoeuvrability necessary for attitude control. This is the reason that these fail-
ure conditions are quite simple to recover from.
In the case of surfaces locked out of their neutral position (e.g. see the stabilizer
and rudder runaway), the adaptive model-following control laws may not be suffi-
cient to recover stable flight and they need the help of a specific technique such as
control allocation - along with a broader set of information about the current state
of the actuators (need of a FDI subsystem).
The adaptive model-following scheme represents an attractive starting point to
build up a fault-tolerant FCS. That is to say, it can be used successfully as the core
control law, but it should be integrated with several other modules such as a control
allocation system (to efficiently and quickly redistribute the control effort), a
FDI subsystem (for providing information to the control allocation system to give
information about the new flight envelope limits) and to ensure a consolidated set
of feedback signals. A further optional module could be a proper supervisor able
to reconfigure the trajectories starting from knowledge of the current flight enve-
lope limits (e.g. right turn not safe but left turn possible) and the control devices
availability.

References
1. Patton, R.J.: Fault-Tolerant Control Systems: The 1997 Situation. In: Proc. of the IFAC
Symposium on Fault Detection, Supervision and Safety for Technical Processes, vol. 2
(1997)
2. Kim, K.S., Lee, K.J., Kim, Y.: Reconfigurable Flight Control System Design Using Di-
rect Adaptive Method. Journal of Guidance, Control, and Dynamics 26(4) (2003)
3. Tandale, M., Valasek, J.: Structured Adaptive Model Inversion Control to Simultane-
ously Handle Actuator failure and Actuator Saturation. In: Proc. of the AIAA Guidance,
Navigation and Control Conf. (2003)
4. Bodson, M., Groszkiewicz, J.E.: Multivariable Adaptive Algorithms for Reconfigurable
Flight Control. IEEE Transactions on Control Systems Technology 5(2) (1997)
5. Boskovic, J.D., Mehra, R.K.: Multiple-Model Adaptive Flight Control Scheme for Ac-
commodation of Actuator Failures. Journal of Guidance, Control, and Dynamics 25(4)
(2002)
6. Smaili, M.H.: Flight Data Reconstruction and Simulation of the 1992 Amsterdam Bi-
jlmermeer Airplane Accident. In: AIAA Modeling and Simulation Technologies Conf.
(2000)
7. Smaili, M.H., Breeman, J., Lombaerts, T.J., Joosten, D.A.: A Simulation Benchmark for
Integrated Fault Tolerant Flight Control Evaluation. In: AIAA Modeling and Simulation
Technologies Conf. (2006)
8. Durham, W.C.: Constrained Control Allocation. AIAA Journal of Guidance, Control,
and Dynamics 16(4) (2002)
9. Bodson, M.: Evaluation of Optimization Methods for Control Allocation. AIAA Journal
of Guidance, Control, and Dynamics 25(4) (2002)
10. Harkegard, O.: Efficient Active Set Algorithms for Solving Constrained Least squares
Problems in Aircraft Control Allocation. In: Proc. of the 41st IEEE Conf. on Decision
and Control (2002)
11. Virnig, J., Bodden, D.: Multivariable Control Allocation and Control Law Conditioning
when Control Effector Limit. In: Proc. of the AIAA Guidance, Navigation and Control
Conf. (2000)
12. Enns, D.: Control Allocation Approaches. In: Proc. of the AIAA Guidance, Navigation
and Control Conf. (1998)
13. Buffington, J., Chandler, P.: Integration of on-line system identification and optimization-
based control allocation. In: AIAA Guidance, Navigation, and Control Conf. (1998)
14. van Keulen, R.: Real-time Simulation and Analysis of the Automatic Control System of
the Boeing 747/200. MA Thesis, Technical University of Delft (1991)
Chapter 10
Subspace Predictive Control Applied to
Fault-Tolerant Control

Redouane Hallouzi and Michel Verhaegen

10.1 Introduction
Subspace identification is a technique that can be used for identification of state-
space models from input-output data. This technique has drawn considerable in-
terest in the last two decades [1, 2], especially for linear time-invariant systems. A
reason for this is the efficient way in which models are identified for systems of high
order and with multiple inputs and outputs. Subspace identification can be used to
form a subspace predictor for prediction of future outputs from past input-output
data and a future input-sequence. This subspace predictor can be computed without
realization of the actual state-space models, which significantly reduces computa-
tional requirements. In [3] the subspace predictor has been combined with model
predictive control [4], resulting in a control algorithm that has been given the name
subspace predictive control (SPC). In SPC, the output predicted by the subspace
predictor is part of the cost function of the predictive controller. As a result of the
subspace predictor being generated completely from input-output data, the SPC al-
gorithm is a data-driven one.
In this chapter, which is partly based on [5], extensions are made to the SPC algo-
rithm that include the derivation of the subspace predictor in a stochastic closed-loop
setting and the recursive update of this predictor. In previous papers in which SPC
has been used [3, 6, 7], the subspace predictor has been derived using open-loop sub-
space identification techniques. However, when the SPC algorithm is active, the data
gathered to update the predictor inherently is closed-loop data. It has been proven
that using closed-loop data from a stochastic system for subspace identification
results in a biased predictor [8]. Therefore, a number of different methods have appeared
in literature to deal with this issue [8, 9, 10]. Most of these methods require
explicit knowledge of the controller or are based on (overly) stringent assumptions
that limit their applicability. Recently, a practically applicable closed-loop subspace
identification method that does not require explicit knowledge of the controller has
been developed in [11]. Based on this method a subspace predictor under closed-loop
conditions can be derived [12], which is also used in this chapter.

Redouane Hallouzi
ReliaCon, Rotterdamseweg 145, 2628AL Delft, The Netherlands
e-mail: hallouzi@reliacon.nl
Michel Verhaegen
Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2,
2628CD Delft, The Netherlands
e-mail: m.verhaegen@moesp.org

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 293–317.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

Another novel feature of the SPC algorithm presented in this chapter is the way
in which the subspace predictor is updated in a recursive manner. This updating
scheme differs from others that are based on the “receding horizon” principle, such
as, for example, the scheme proposed in [6]. In the “receding horizon” updating
scheme the predictor is based on input-output data from a fixed time window lag-
ging behind the current time sample. In the recursive updating scheme new data is
appended to the old data, which is discounted with an exponential forgetting fac-
tor. This scheme has the advantage that it can be implemented in a computationally
efficient manner by using Givens rotations [13].
The implementation of SPC as an adaptive controller makes it very suitable for
fault-tolerant control (FTC) of aircraft. Most FTC systems deal with faults by using
pre-designed or parameter dependent controllers depending on the type of fault that
has occurred [14]. These systems require that the faults either be known in advance
or be modelled by a variation of specific parameters [15, 16, 17]. In this way control
designs can be made for each anticipated fault. Besides the fact that this approach
can be very involved, unanticipated faults or faults that cannot be modelled by pa-
rameter changes such as severe structural damage can occur. An advantage of SPC
is that it can adapt on-line to this type of fault. This property is the result of the
subspace predictor that is continuously updated using new input-output data. The
main contribution of this chapter is to display the usefulness of SPC for realistic
FTC problems. The developed SPC-based FTC system is applied to the benchmark
model. Simulations are performed with this model, in which the objective is to fly a
pre-defined flight trajectory even after the occurrence of a number of critical faults.
The considered fault conditions are stuck control surfaces and the fault condition
of the aircraft during the disaster with EL AL flight 1862, that crashed into an
apartment building in Amsterdam in 1992. This disaster is also referred to as the
“Bijlmerramp”.
Most aircraft flying today have control laws that are designed using classical
single-loop control methods. These methods are preferable over multivariable con-
trol methods from a clearance point of view [18]. However, single-loop control
methods are likely to display a degraded performance in case of faults that cause
cross-couplings between flight modes. These cross-couplings are the result of loss
of symmetry of the aircraft after faults. Multivariable control methods can cope bet-
ter with these cross-couplings because they simultaneously achieve several control
objectives. Multivariable control methods are therefore to be preferred over single-
loop control methods from an FTC point of view [19, 20]. This is one of the reasons
that research into multivariable flight control recently has attracted considerable
interest. From this perspective the FTC application of SPC, which is also a mul-
tivariable control method, is well motivated.
This chapter is organized as follows. First, the architecture of the FTC system
is explained in Section 10.2. Subsequently, the closed-loop SPC algorithm is de-
scribed in Section 10.3. In Section 10.4 the mechanism that (re-)configures the SPC-
based FTC system is explained. The simulation results of this system applied to the
benchmark are given in Section 10.5. Section 10.6 explains how the proposed FTC is
implemented in a real-time simulation environment. Finally, concluding remarks are
provided in Section 10.7.

10.2 Architecture of the Fault-Tolerant Control System


The architecture of the SPC-based FTC system consists of two control loops. The
task of the outer control loop is to provide reference signals for the manipulated
variables to be tracked by the inner loop. The manipulated variables are roll angle
φ , pitch angle θ , and true airspeed VTAS , each of which is a function of one of
three controlled variables. These controlled variables are the altitude h, the heading
angle ψ , and the true airspeed VTAS , respectively. A desired flight trajectory can
be generated by choosing appropriate reference signals for the controlled variables.
The architecture of the SPC-based FTC system is depicted in Fig. 10.1. In this figure
it can be seen that, besides the two control loops, a fault isolation system is present.
Both the control loops and the fault isolation system are explained in more detail in
the following.

[Figure 10.1 block diagram: blocks Trajectory Generation, SPC, Aircraft, and Fault Isolation; signals href, ψref, VTAS,ref, φref, θref, VTAS,ref, us, y, and Fm.]

Fig. 10.1 Architecture of the SPC-based FTC system.

10.2.1 Control Loops


The outer loop is implemented by means of a straightforward proportional integral
derivative (PID) scheme. In order to track a desired altitude href , a pitch angle com-
mand is generated as follows

$$\theta_{ref} = P_\theta (h - h_{ref}) + I_\theta \int (h - h_{ref})\,dt + D_\theta \frac{d(h - h_{ref})}{dt}, \tag{10.1}$$

where Pθ , Iθ , and Dθ are design parameters that determine the behaviour of the outer
loop. The desired heading angle ψref is tracked by issuing a roll angle command to
the inner loop. This command is generated as follows

$$\phi_{ref} = P_\phi (\psi - \psi_{ref}) + I_\phi \int (\psi - \psi_{ref})\,dt + D_\phi \frac{d(\psi - \psi_{ref})}{dt}, \tag{10.2}$$

where Pφ , Iφ , and Dφ are the design parameters. An anti-windup scheme is im-
plemented for both (10.1) and (10.2) to prevent the integrators from continuing to
integrate in case of saturated control signals. The command for true airspeed is gen-
erated in the outer loop by directly issuing the true airspeed command to the inner
loop. The inner loop is implemented using SPC, which is explained in detail in
Section 10.3.

10.2.2 Fault Isolation


When SPC is used for FTC, in principle no fault information is required because
SPC has the ability to adapt to changed system conditions. However, this adapta-
tion process can take some time. In case of anticipated faults the adaptation can be
expedited by using prior knowledge of the fault. This prior knowledge includes in-
formation as to which controls should be used to accommodate the anticipated fault.
The requirement for the fault isolation scheme used in this chapter is therefore to
obtain this information by determining which controls cannot be used anymore due
to anticipated faults. This requirement is more easily achieved than the requirements
for fault detection and isolation (FDI) systems commonly used for FTC. For unan-
ticipated faults a more general scheme is used that contains a number of redundant
controls.
An important requirement for FDI systems commonly used for FTC is that the
faults should be estimated with a certain accuracy, since they are directly used by
the FTC system [15, 21, 16]. If these faults are not estimated accurately enough,
poor performance of the FTC system may result. There also exist methods that ex-
plicitly take uncertainty of the FDI information into account, such as for example
the methods developed in [22]. A requirement for the application of these methods
is that the uncertainty of the FDI information must be known. Obtaining this uncer-
tainty, however, is not a straightforward task. Therefore, the SPC algorithm uses a
different philosophy to deal with fault model uncertainty. This philosophy is to let
the controller adapt to a changing system using available input-output data. In this
way, no fault model is used and also no fault model uncertainty is required.
Fault isolation is implemented by using multiple-model estimation. A multiple-
model system consists of a model set that contains local models, each corresponding
to a specific condition of the system. In an FDI setting, the local models usually rep-
resent different fault conditions of the monitored system [23]. Besides fault models,
the model set also contains the nominal fault-free model of the system. When the
system is in its fault-free operation mode, the model corresponding to the nominal
case has maximum activation, which corresponds to a model weight of one, and all
other models in the model set have a model weight of zero (minimum activation). In
case of a fault, one or more of the local models corresponding to faults have model
weights greater than zero.
The model set used for fault isolation is derived using the convex model structure
presented in [24] and the model set design method presented in [25]. Since the local
models in this model set are valid in a limited region around the operating point
at which they have been derived, they are used accordingly. This means that fault
isolation is performed only near this operating point in the simulations.

10.3 Closed-Loop Subspace Predictive Control


The SPC algorithm [3] elegantly combines a subspace predictor with a generalized
predictive control law. When the subspace predictor is updated recursively, SPC has
the ability to adapt to unanticipated conditions. In this section, it is first explained
how the subspace predictor is derived in a closed-loop setting and how it can be
updated recursively, then it is explained how the predictor is integrated with a pre-
dictive controller.

10.3.1 Closed-Loop Subspace Predictor


Contrary to previous papers in which SPC was used [3, 6, 7], the subspace predic-
tor is derived using closed-loop identification techniques. In these previous papers,
open-loop identification techniques were used under closed-loop conditions. This
results in a biased predictor due to correlation between inputs and measurement
noise [8]. In [9] an SPC method has been described, in which the subspace pre-
dictor is based on a closed-loop identification method, but this method is based on
explicit controller knowledge and also assumes that the controller is time-invariant.
This assumption prohibits the use of SPC as an adaptive controller. Therefore, the
subspace predictor is derived using the closed-loop identification techniques devel-
oped in [11], which do not have the aforementioned limitations. In [12] a complete
explanation is given of how these identification techniques can be used to derive
a subspace predictor that can be integrated with a predictive control law. In this
section, only the elementary steps are treated.

10.3.1.1 Derivation of the Subspace Predictor

The model considered for deriving the subspace predictor is a state-space model in
innovation form

$$x_{k+1} = A x_k + B u_k + K e_k, \tag{10.3}$$
$$y_k = C x_k + e_k, \tag{10.4}$$

where $x_k \in \mathbb{R}^n$ is the state of the system, $u_k \in \mathbb{R}^m$ is the input of the system, $y_k \in \mathbb{R}^l$ is
the output of the system, and $e_k$ is assumed to be a zero-mean white noise sequence.
The matrices A, B, C, and K are the state-space matrices that describe the system.
The model described by (10.3)-(10.4) can also be written as

$$x_{k+1} = \Phi x_k + B u_k + K y_k, \tag{10.5}$$

where $\Phi = A - KC$ is assumed to be stable. Subspace identification is based on
relations between matrices that are systematically filled with input-output data. Two
of such data matrices that are required for the derivation of the subspace predictor
are created as follows
 
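$$Y_k = \begin{bmatrix} y_k & y_{k+1} & \cdots & y_{k+j-1} \end{bmatrix}, \tag{10.6}$$

$$Z_{[k-p,k)} = \begin{bmatrix}
u_{k-p} & u_{k-p+1} & \cdots & u_{k-p+j-1} \\
y_{k-p} & y_{k-p+1} & \cdots & y_{k-p+j-1} \\
u_{k-p+1} & u_{k-p+2} & \cdots & u_{k-p+j} \\
y_{k-p+1} & y_{k-p+2} & \cdots & y_{k-p+j} \\
\vdots & \vdots & \cdots & \vdots \\
u_{k-1} & u_k & \cdots & u_{k+j-2} \\
y_{k-1} & y_k & \cdots & y_{k+j-2}
\end{bmatrix}, \tag{10.7}$$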

where p denotes the “past” time horizon, the subscript [k − p, k) denotes the range of
the time indices of the first column of Z[k−p,k) , and j denotes the number of columns
that is used to create the data matrix Z[k−p,k) . Usually it holds that j ≫ p. Let f
denote the “future” time horizon, then the following matrix relation can be derived
[11, 12]
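$$\begin{bmatrix} Y_k \\ Y_{k+1} \\ \vdots \\ Y_{k+f-1} \end{bmatrix}
= \begin{bmatrix}
0 & 0 & \cdots & 0 \\
C[B\ K] & 0 & \cdots & 0 \\
\vdots & \ddots & \ddots & \vdots \\
C\Phi^{f-2}[B\ K] & \cdots & C[B\ K] & 0
\end{bmatrix} Z_{[k,k+f)}
+ \begin{bmatrix} E_k \\ E_{k+1} \\ \vdots \\ E_{k+f-1} \end{bmatrix}$$

$$\quad + \begin{bmatrix}
C\Phi^{s-1}[B\ K] & C\Phi^{s-2}[B\ K] & \cdots & \cdots & \cdots & C[B\ K] \\
0 & C\Phi^{s-1}[B\ K] & \cdots & \cdots & \cdots & C\Phi[B\ K] \\
\vdots & \ddots & \ddots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & C\Phi^{s-1}[B\ K] & \cdots & C\Phi^{f-1}[B\ K]
\end{bmatrix} Z_{[k-p,k)}, \tag{10.8}$$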

where Ek+i and Yk+i , ∀i ∈ {0, 1, . . . , f − 1}, are defined in a similar manner as Yk in
(10.6). Note that an important property of (10.8) is that the first block row does not
depend on “future” inputs, i.e. uk+i , ∀i ∈ {0, 1, . . . , f − 1}. It is this property that allows
for an unbiased estimate of the system matrices. In order to estimate the predictor,
it suffices to only consider the first block row, which can be written in the compact
form
$$Y_k = \Xi_0 Z_{[k-p,k)} + E_k. \tag{10.9}$$

Subsequently, Ξ0 can be estimated by solving the least squares problem

$$\hat{\Xi}_0 = \arg\min_{\Xi_0} \left\| Y_k - \Xi_0 Z_{[k-p,k)} \right\|_F^2. \tag{10.10}$$

This least squares problem can be solved by performing an RQ-decomposition [13]


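$$\begin{bmatrix} Z_{[k-p,k)} \\ Y_k \end{bmatrix}
= \overbrace{\begin{bmatrix} R_{11} & 0 \\ R_{21} & R_{22} \end{bmatrix}}^{R}
\begin{bmatrix} Q_1^T \\ Q_2^T \end{bmatrix}, \tag{10.11}$$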

from which the estimate Ξ̂0 can be computed as

$$\hat{\Xi}_0 = R_{21} R_{11}^{-1}. \tag{10.12}$$

Let t denote the current time instant, then based on the estimate Ξ̂0 , a subspace
predictor of the following form can be derived
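$$\begin{bmatrix} \hat{y}_{t+1} \\ \hat{y}_{t+2} \\ \vdots \\ \hat{y}_{t+f-1} \end{bmatrix}
= \overbrace{\begin{bmatrix} \Gamma_1 \\ \Gamma_2 \\ \vdots \\ \Gamma_{f-1} \end{bmatrix}}^{\Gamma_r}
\overbrace{\begin{bmatrix} u_{t-p} \\ y_{t-p} \\ \vdots \\ u_{t-1} \\ y_{t-1} \end{bmatrix}}^{w_p}
+ \overbrace{\begin{bmatrix}
\Lambda_1 & 0 & \cdots & 0 \\
\Lambda_2 & \Lambda_1 & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
\Lambda_{f-1} & \Lambda_{f-2} & \cdots & \Lambda_1
\end{bmatrix}}^{\Lambda_r}
\begin{bmatrix} u_t \\ u_{t+1} \\ \vdots \\ u_{t+f-2} \end{bmatrix}, \tag{10.13}$$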

where Γr and Λr are the desired subspace predictor matrices and the parameters Γi
and Λi can be constructed from Ξ̂0 as
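$$\Gamma_i = \hat{\Xi}_i + \sum_{j=0}^{i-1} \hat{C}\hat{\Phi}^{i-j-1}\hat{K}\,\Gamma_j, \tag{10.14}$$
$$\Lambda_i = \hat{C}\hat{\Phi}^{i-1}\hat{B} + \sum_{j=1}^{i-1} \hat{C}\hat{\Phi}^{i-j-1}\hat{K}\,\Lambda_j, \tag{10.15}$$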

with Γ0 = Ξ̂0 and Λ1 = ĈB̂. The parameters Ξ̂i , ∀i ∈ {1, . . . , f − 1} can be con-
structed from Ξ̂0 by using the relation
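$$\begin{bmatrix}
\hat{C}\hat{\Phi}^{s-1}[\hat{B}\ \hat{K}] & \hat{C}\hat{\Phi}^{s-2}[\hat{B}\ \hat{K}] & \cdots & \cdots & \cdots & \hat{C}[\hat{B}\ \hat{K}] \\
0 & \hat{C}\hat{\Phi}^{s-1}[\hat{B}\ \hat{K}] & \cdots & \cdots & \cdots & \hat{C}\hat{\Phi}[\hat{B}\ \hat{K}] \\
\vdots & \ddots & \ddots & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & \hat{C}\hat{\Phi}^{s-1}[\hat{B}\ \hat{K}] & \cdots & \hat{C}\hat{\Phi}^{f-1}[\hat{B}\ \hat{K}]
\end{bmatrix}
= \begin{bmatrix} \hat{\Xi}_0 \\ \hat{\Xi}_1 \\ \vdots \\ \hat{\Xi}_{f-1} \end{bmatrix}, \tag{10.16}$$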

where the matrix on the left-hand side of (10.16) is an estimate of the corresponding
matrix from (10.8).

10.3.1.2 Recursive Implementation of R-Update


For the construction of the data matrices Yk and Z[k−p,k) explained in the previ-
ous section it was assumed that input-output data was present from time instants:
k − p, k − p + 1, . . ., k + j − 1. For an adaptive implementation of the subspace pre-
dictor, the predictor matrices should be recomputed again each time new data be-
comes present, i.e. at each sample time. In case of the receding horizon updating
scheme, this would mean that new data matrices Yk+1 and Z[k−p+1,k+1) must be gen-
erated using data from time instants: k − p + 1, k − p + 2, . . ., k + j. Subsequently,
a new estimate for the predictor matrices could be obtained by computing the RQ-
decomposition from (10.11) based on the new data matrices. However, computing
such an RQ-decomposition at each sample time can become computationally expen-
sive for large data matrices. This computation can be prevented by using Cholesky
updating and downdating of the R-matrix [6]. The principle of this method is that
old data is removed in the downdating step and new data is included in the updat-
ing step. These two steps combined require much less computational effort than
computing the whole RQ-decomposition. A drawback of using Cholesky updating
and downdating is that matrix $RR^T$ is required to be positive definite at any time.
However, this cannot be guaranteed. Therefore, a recursive updating scheme of the
R-matrix is used, which is similar to the one developed in [26]. This recursive up-
dating scheme differs from the “receding horizon” scheme in the fact that it does
not use a fixed window of data. Instead, new data is appended to the old R-matrix,
after it is discounted with an exponential forgetting factor. The recursive updating
scheme is explained in the following.
Let the upper left and bottom left block matrix of R at time instant t − 1 (R(t − 1))
be denoted by R11 (t − 1) and R21 (t − 1), respectively. If new data becomes available
at time instant t, a new vector $[w_p^T \; y_t^T]^T$ can be created, where $w_p$ is defined in
(10.13). This vector can be used to update matrix R(t − 1). The updating step con-
sists of firstly appending $[w_p^T \; y_t^T]^T$ to $[R_{11}(t-1)^T \; R_{21}(t-1)^T]^T$. Subsequently, by
applying a sequence of orthogonal Givens rotations [13], the matrix is made lower
triangular, i.e. updated. This sequence of manipulations is described in the following
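equation

$$\begin{bmatrix} \sqrt{\lambda}\, R_{11}(t-1) & w_p \\ \sqrt{\lambda}\, R_{21}(t-1) & y_t \end{bmatrix} \Omega
= \begin{bmatrix} R_{11}(t) & 0 \\ R_{21}(t) & \tilde{y}_t \end{bmatrix}, \tag{10.17}$$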

where Ω denotes the sequence of orthogonal transformations and R11 (t) (which is
lower triangular) and R21 (t) are the matrices from which an updated Ξ̂0 can be com-
puted according to (10.12). A more detailed explanation of how Ω can be computed
is given in [25]. Note that R33 is not considered in the updating process because it
does not influence the computation of R11 (t) and R21 (t). Also, in (10.17) a forget-
ting factor λ ∈ [0, 1] is implemented to discount old data. The smaller the value of
λ that is chosen, the more old data is discounted.
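
The recursion (10.17) and the estimate (10.12) can be exercised on a small case. The following is an added example, not the authors' implementation: it applies the Givens-rotation update to data from a constructed scalar closed-loop system whose input gain drops at a "fault" instant, and compares λ = 0.995 with λ = 1. The plant coefficients, the feedback gain, the dither signal, the past horizon p = 1, the small diagonal initialization of R11, and all function names are assumptions made for illustration.

```python
import math
import random


def givens_update(R11, R21, w, y, lam):
    """One step of (10.17): discount the old factor, append [w; y], re-triangularize."""
    q, l = len(R11), len(R21)
    s_lam = math.sqrt(lam)
    # Rows of [sqrt(lam)*R11  w ; sqrt(lam)*R21  y]; column q holds the new data.
    M = [[s_lam * v for v in R11[i]] + [w[i]] for i in range(q)]
    M += [[s_lam * v for v in R21[i]] + [y[i]] for i in range(l)]
    for i in range(q):
        a, b = M[i][i], M[i][q]
        r = math.hypot(a, b)
        if r == 0.0:
            continue
        c, s = a / r, b / r
        # Rotate columns i and q; rows above i are already zero in both columns.
        for k in range(i, q + l):
            mi, mq = M[k][i], M[k][q]
            M[k][i] = c * mi + s * mq
            M[k][q] = -s * mi + c * mq
    # Top-left block is the new lower-triangular R11, bottom-left is the new R21.
    return [row[:q] for row in M[:q]], [row[:q] for row in M[q:]]


def predictor_from_R(R11, R21):
    """Xi0 = R21 * inv(R11) as in (10.12), by back-substitution on lower-triangular R11."""
    q = len(R11)
    Xi = []
    for r in R21:
        x = [0.0] * q
        for j in range(q - 1, -1, -1):
            acc = r[j] - sum(x[i] * R11[i][j] for i in range(j + 1, q))
            x[j] = acc / R11[j][j]
        Xi.append(x)
    return Xi


def simulate(lam, n_pre=2000, n_post=2000, seed=1):
    """Constructed plant y_t = a*y_{t-1} + b*u_{t-1}; b drops from 1.0 to 0.3 at t = n_pre.

    The input is feedback plus dither, so the data are closed-loop data.
    Returns the estimate [b_hat, a_hat] after every sample and the final R11.
    """
    rng = random.Random(seed)
    a, b_nominal, b_fault, k_fb = 0.9, 1.0, 0.3, 0.2   # assumed values
    R11 = [[1e-3, 0.0], [0.0, 1e-3]]                    # assumed small initialization
    R21 = [[0.0, 0.0]]
    u_prev, y_prev = 0.0, 0.0
    history = []
    for t in range(n_pre + n_post):
        b = b_nominal if t < n_pre else b_fault
        y = a * y_prev + b * u_prev
        # w_p = [u_{t-1}; y_{t-1}] for p = 1, new output y_t.
        R11, R21 = givens_update(R11, R21, [u_prev, y_prev], [y], lam)
        history.append(predictor_from_R(R11, R21)[0])
        u_prev = -k_fb * y + rng.uniform(-1.0, 1.0)
        y_prev = y
    return history, R11


if __name__ == "__main__":
    for lam in (0.995, 1.0):
        hist, _ = simulate(lam)
        print("lambda =", lam, "before fault:", hist[1999], "end of run:", hist[-1])
```

With λ = 0.995 the estimate moves to the post-fault gain, while with λ = 1 the old data are never discounted and the estimate stays a blend of the two regimes.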

10.3.2 Closed-Loop Subspace Predictor Integrated with a Predictive Control Law

The predictive control problem can be formulated as follows. Given a future reference
output $r_f = [r_{t+1} \; r_{t+2} \; \ldots \; r_{t+N_p}]$ and a prediction of the outputs
$\hat{y}_f = [\hat{y}_{t+1} \; \hat{y}_{t+2} \; \ldots \; \hat{y}_{t+N_p}]$, find an input sequence
$u_f = [u_t \; u_{t+1} \; \ldots \; u_{t+N_c-1}]$ such that the following quadratic cost function is minimized

$$J = \sum_{k=1}^{N_p} (\hat{y}_{t+k} - r_{t+k})^T Q_c (\hat{y}_{t+k} - r_{t+k}) + \sum_{k=0}^{N_c-1} u_{t+k}^T R_c u_{t+k}
= (\hat{y}_f - r_f)^T Q_a (\hat{y}_f - r_f) + u_f^T R_a u_f, \tag{10.18}$$

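where $N_p$ is the prediction horizon, $N_c$ is the control horizon, $Q_c \in \mathbb{R}^{l \times l}$, and
$R_c \in \mathbb{R}^{m \times m}$ are the weighting matrices for the tracking error and the input effort,
respectively. The matrices $Q_a \in \mathbb{R}^{N_p l \times N_p l}$ and $R_a \in \mathbb{R}^{N_c m \times N_c m}$ are formed from $Q_c$
and $R_c$ as follows

$$Q_a = \begin{bmatrix} Q_c & 0 & 0 \\ 0 & \ddots & 0 \\ 0 & 0 & Q_c \end{bmatrix}, \qquad
R_a = \begin{bmatrix} R_c & 0 & 0 \\ 0 & \ddots & 0 \\ 0 & 0 & R_c \end{bmatrix}. \tag{10.19}$$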

The cost function used in [3] is equal to (10.18). However, this cost function does not
permit a zero steady-state tracking error in the case of a non-zero constant reference
combined with a system that does not contain an integrator. Therefore, in [7] the
input signal in the cost function has been replaced by incremental inputs $\Delta u_f$, where
$\Delta = (1 - z^{-1})$ and $z^{-1}$ is the back-shift operator of one time step. In order to also
penalize large control deflections, a cost function is used with both incremental
inputs and the regular input signals

$$J = (\hat{y}_f - r_f)^T Q_a (\hat{y}_f - r_f) + u_f^T R_a u_f + \Delta u_f^T R_a^{\Delta} \Delta u_f, \tag{10.20}$$

where $R_a^{\Delta}$ has matrices $R_c^{\Delta}$ on its diagonal and is constructed in a similar way as $R_a$.
This cost function requires a prediction of the future output, i.e. ŷ f . The subspace
predictor derived in (10.13) can be used for this purpose. In order to include a control
horizon, the subspace predictor is modified as follows
$$\hat{y}_f = \Gamma_r w_p + \Lambda_r
\overbrace{\begin{bmatrix}
I_m & 0 & \cdots & 0 \\
0 & I_m & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & I_m \\
0 & \cdots & 0 & I_m \\
\vdots & & \vdots & \vdots \\
0 & \cdots & 0 & I_m
\end{bmatrix}}^{E} u_f, \tag{10.21}$$

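where the matrix E ensures that the input remains constant after the control horizon
$N_c$. Next, $\Delta u_f$ can be written as a function of the optimization variable $u_f$

$$\Delta u_f =
\overbrace{\begin{bmatrix}
I_m & 0 & 0 & \cdots & 0 \\
-I_m & I_m & 0 & & 0 \\
0 & -I_m & I_m & \ddots & \vdots \\
\vdots & \ddots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & -I_m & I_m
\end{bmatrix}}^{S_\Delta} u_f
- \overbrace{\begin{bmatrix}
0 & 0 & \cdots & 0 & 0 & I_m & 0 \\
0 & 0 & \cdots & 0 & 0 & 0 & 0 \\
\vdots & \vdots & & \vdots & \vdots & \vdots & \vdots \\
0 & 0 & \cdots & 0 & 0 & 0 & 0
\end{bmatrix}}^{S_w} w_p. \tag{10.22}$$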

When relations (10.21) and (10.22) are substituted into (10.20) and the terms that
do not depend on u f are discarded, the following cost function results

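$$J(u_f) = u_f^T \left( E^T \Lambda_r^T Q_a \Lambda_r E + S_\Delta^T R_a^{\Delta} S_\Delta + R_a \right) u_f
+ 2 \left( w_p^T \Gamma_r^T Q_a \Lambda_r E - r_f^T Q_a \Lambda_r E - w_p^T S_w^T R_a^{\Delta} S_\Delta \right) u_f. \tag{10.23}$$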

Constraints should be placed on $u_f$, $\Delta u_f$, and $\hat{y}_f$ according to the physical limitations
of the aircraft. These constraints can be formulated as follows

$$U_{min} \le u_f \le U_{max}, \tag{10.24}$$
$$\Delta U_{min} \le \Delta u_f \le \Delta U_{max}, \tag{10.25}$$
$$Y_{min} \le \hat{y}_f \le Y_{max}, \tag{10.26}$$

where $U_{min} = [u_{min}^T \cdots u_{min}^T]^T$, $\Delta U_{min} = [\Delta u_{min}^T \cdots \Delta u_{min}^T]^T$,
$Y_{min} = [y_{min}^T \cdots y_{min}^T]^T$, and the same notation also holds for the parameters with subscript max.
Since the considered optimization variable is u f , relations (10.21) and (10.22) are
substituted into constraints (10.24)-(10.26). This substitution results in the inequal-
ity constraint
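$$A_{ineq} u_f \le b_{ineq}, \tag{10.27}$$

with

$$A_{ineq} = \begin{bmatrix} I_{N_c m} & -I_{N_c m} & S_\Delta^T & -S_\Delta^T & (\Lambda_r E)^T & -(\Lambda_r E)^T \end{bmatrix}^T, \tag{10.28}$$

$$b_{ineq} = \begin{bmatrix} U_{max}^T & -U_{min}^T & (\Delta U_{max} + S_w w_p)^T & (-\Delta U_{min} - S_w w_p)^T & (Y_{max} - \Gamma_r w_p)^T & (-Y_{min} + \Gamma_r w_p)^T \end{bmatrix}^T. \tag{10.29}$$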

The predictive control law can now be formulated as a solution of the following
quadratic programming (QP) problem at each sample time

$$\min_{u_f} J(u_f) \quad \text{s.t.} \quad A_{ineq} u_f \le b_{ineq}. \tag{10.30}$$

Efficient solvers exist for this QP problem [4]. At each sample time only the first
input vector from u f , i.e. ut , is used for control.
The control law (10.30) is derived for linear time invariant systems of the form
(10.3)-(10.4). However, in this chapter it is applied to a nonlinear aircraft model.
This usage is justified since the nonlinear aircraft model can be approximated well
by a linear parameter-varying (LPV) model [27], which has the same structure as
(10.3)-(10.4) but with time varying system matrices. The variation of the time-
dependent parameters is relatively small most of the time. In this case SPC can
easily adapt to the time varying system. Only during fast variations of the time-
dependent parameters with respect to the dynamics of the aircraft or during strong
nonlinear behaviour of the aircraft, SPC can be less accurate.

10.4 SPC (Re-)configuration


SPC is a control method that can adapt itself to the system for which it is used.
In order to fully exploit these capabilities, preferably all relevant available inputs
and outputs should be used to estimate the subspace predictor. Since the benchmark
model has 30 control inputs and even more outputs, a selection of these inputs and
outputs must be made to minimize the computational burden of updating the sub-
space predictor. Therefore, the SPC-based FTC system is configured such that it
uses different sets of control inputs for different fault conditions. For anticipated
faults a specific set of inputs is chosen and for unanticipated faults a more general
set is chosen. In this way, the changed dynamics in case of anticipated faults can
be captured quicker than purely relying on adaptation of SPC. Both sets of control
inputs are chosen such that sufficient control redundancy is available to perform
“elementary manoeuvres” after the occurrence of a fault. By “elementary manoeu-
vres” three basic abilities of the aircraft are meant. These are: the ability to descend
or ascend, the ability to change heading, and the ability to decelerate or accelerate.
The SPC-based FTC system is demonstrated for three fault conditions, all of
which are also used as benchmark faults in GARTEUR AG-16. Two of these three
fault conditions are an anticipated elevator lock-in-place and an anticipated rudder
runaway. Lock-in-place is characterized by the freezing of a control surface at a cer-
tain position, regardless of the actuator commands. Runaway of a control surface
is characterized as when the surface suddenly deflects to its maximum or mini-
mum deflection position and locks at that position. These faults can have drastic
consequences since they make further operation of the aircraft extremely difficult.
The considered rudder runaway fault affects both the upper and lower rudder. The
elevator lock-in-place fault affects all 4 elevator surfaces. The two faults are iso-
lated using the multiple-model framework with a model set as described in [25].
This model set contains local models that correspond to “lock-in-place” faults at the
maximum and minimum deflection. The third fault condition is the condition of the
aircraft during the disastrous “Bijlmerramp” scenario. For this fault condition it is
not reasonable to assume that it can be anticipated because of the highly improbable
faults that occurred during this disaster. Therefore this fault condition is treated as
an unanticipated fault. The faults that occurred on the aircraft during this disaster
include loss of the engines and the pylons on the right wing of the aircraft. This loss
caused a shift of the center of gravity of the aircraft, a total weight loss of 10.028 kg
and damage to the right wing of the aircraft. This wing damage in turn resulted in
lift loss, increased drag, a yawing moment and a pitching moment. On top of these
faults, hydraulic systems 3 and 4 malfunctioned, which resulted in reduced or total
loss of control authority of a number of control surfaces [28].
In the nominal case, the previously mentioned manoeuvres can be performed us-
ing SPC with an input vector uk consisting of only 4 inputs, which are listed in
Table 10.1. Each input can, however, drive more than one of the controls of the
benchmark. This is because it is assumed that these controls are symmetrically ac-
tuated (or asymmetrically in case of the ailerons and spoilers). In Table 10.1 the
number of different controls driven by single SPC inputs is shown between brack-
ets. The control surfaces that are not directly driven by SPC are chosen constant and
equal to a value that is valid for a trimmed situation at the beginning of the flight
simulation. For an elevator lock-in-place fault, the SPC-based FTC system uses the
stabilizer instead of the elevator surfaces for control of the longitudinal motion. For
the rudder lock-in-place fault, the engine controls are subdivided into a control input
that controls the left engines and one that controls the right engines such that dif-
ferential engine thrust can be used when necessary. Furthermore, spoilers are used
asymmetrically to increase the control authority in the lateral direction. A positive
value of the SPC spoilers input results in a positive deflection of spoilers 5 to 8,
while spoilers 13 to 16 remain at a zero deflection. A negative value of the SPC
spoilers input results in a positive deflection of spoilers 13 to 16, while spoilers 5 to
8 remain at a zero deflection. For unanticipated faults a set of inputs is chosen with
redundant control authority for both longitudinal and lateral dynamics. Note that for
anticipated conditions, the input set can be chosen smaller. This has the additional
benefit that SPC can be implemented in a more computationally efficient manner.
Besides the input vector uk , the SPC-based FTC system also requires a number
of measurements from the aircraft to be used in the output vector yk . A selection
is made from the many available measurements taking into consideration three is-
sues. The first issue is the size of the output vector yk , which determines the size of
the data matrices defined in (10.6) and (10.7). The size of these matrices should be
kept as small as possible to keep the computational requirements of the SPC-based
FTC system low. The second issue is concerned with the quality of the subspace
predictor. For this purpose, the chosen outputs should capture the relevant dynamics
of the system. Finally, the third issue is concerned with the manipulated variables.
The control objective of the SPC-based FTC system is for the reference trajectory r f
to be tracked by the predicted output vector ŷ f (see (10.20)). Therefore, the output
vector yk should include the measurements of the physical quantities to be manip-
ulated. With the previous considerations in mind, 7 outputs are chosen, which are
listed in Table 10.2. Each of these outputs has been augmented with realistic noise
corresponding to that of conventional aircraft sensors [29].
The SPC-based FTC system should be initialized such that it does not start iden-
tifying the system from scratch when a switch is made from nominal operation to an

Table 10.1 SPC input allocation.

Condition                SPC inputs (number of controls driven)
Nominal case             Ailerons (4), Elevators (4), Rudders (2), Engines (4)
Elevator lock-in-place   Ailerons (4), Stabilizer (1), Rudders (2), Engines (4)
Rudder lock-in-place     Ailerons (4), Spoilers (8), Elevators (4), Engines left (2), Engines right (2)
Unanticipated faults     Ailerons (4), Spoilers (8), Elevators (4), Stabilizer (1), Rudders (2), Engines left (2), Engines right (2)

Table 10.2 Outputs used for SPC.

Output            Symbol   Unit
roll angle        φ        deg
pitch angle       θ        deg
heading angle     ψ        deg
true airspeed     VTAS     m/s
angle of attack   α        deg
sideslip angle    β        deg
altitude          h        m

operation mode corresponding to a fault or when the simulation starts from T = 0 s.


Therefore, matrix R is initialized using input-output data obtained from simulation
of the open-loop aircraft. In case of anticipated faults, open-loop data of the model
with the anticipated fault is used to initialize the R matrix. And, in case of unantici-
pated faults, open-loop data of the nominal model is used to initialize the R matrix.

10.5 Simulation Results


In this section the results of four simulations are presented. In all four simula-
tions a flight scenario is flown consisting of an initial straight and level flight at an
altitude of 980 m. During this first flight phase, the faults are inserted. Next, a sec-
ond phase consisting of a heading change is initiated. The third and final flight phase
of the trajectory consists of a descent to an altitude of 100 m. In the first simulation,
the flight scenario is simulated without any faults. In the second, third, and fourth
simulation, faults are injected during the first flight phase. In the second simulation
a lock-in-place fault of the elevators is injected, in the third simulation a rudder run-
away fault is injected, and in the fourth simulation the faults that occurred during
the “Bijlmerramp” are injected.
Before the actual simulation results are presented, the choices for the simulation
settings and tuning parameters are described first. The aircraft model is simulated at
a frequency of 100 Hz. The operation frequency of the SPC-based FTC system is
10 Hz, which is chosen sufficiently fast relative to the aircraft dynamics. The fastest
mode of the aircraft that has been observed from linearizations of the nonlinear air-
craft model at different operating points is about 0.25 Hz. The SPC parameters are
chosen as: p = 20, f = 20, λ = 0.995, N p = f , and Nc = 5. The subspace predictor
parameters p and f are chosen relative to the aircraft dynamics. The parameter λ is
tuned such that the predictor is modified just enough at each sample time to cope
with the varying dynamics. The weights Qa , Ra , and RΔa are tuned relative to each
other based on a combination of simulation experience and “rules of thumb” from
[4]. These weights are tuned differently for the different settings described in Table
10.1. Furthermore, weight Qa only contains nonzero entries on its diagonal for the
entries that are manipulated by SPC, i.e. φ , θ , VTAS , and β . The tuning procedure
for the outer loop parameters Pθ , Iθ , Dθ , Pφ , Iφ , and Dφ is based on simulation
experience, similar to the weighting matrices. Parameter j, which determines the
number of columns in the data matrices in (10.6) and (10.7) is chosen to have a
value of 1000. This means that the data matrices contain 1000/10 Hz=100 s of data.
Note that these large data matrices are created only once for each condition. Once
an R-matrix is computed based on these data matrices, only the R-matrix is used
and updated in SPC. The R-matrix is generally much smaller than the data matri-
ces since its dimensions do not depend on j. All simulations have been performed
under closed-loop conditions with realistic measurement noise levels. Moreover,
turbulence that is modelled according to the Dryden turbulence model is added to
the simulated aircraft.

10.5.1 Trajectory Following for the Nominal Case


In this section, the simulation results for the nominal condition are presented. The
flight trajectory starts with a straight and level flight at an altitude of 980 m, a true
airspeed of 92.6 m/s, and a flap setting of 20 deg. During the first flight phase the
control objective is to maintain a constant altitude, heading angle, velocity, and
sideslip angle. Next, at T = 75 s a change in heading angle from 180 deg to 60 deg
is initiated. Finally, at T = 150 s a descent is initiated to an altitude of 100 m. This
descent is performed with a fixed flight path angle γ of −5 deg. In Fig. 10.2 the
references for the manipulated variables are represented by dashed lines. It can be

[Figure 10.2 plots: four panels showing roll angle [deg], pitch angle [deg], true airspeed [m/s], and sideslip angle [deg] against time [s]; legend: reference signal, system response.]

Fig. 10.2 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for the
nominal condition. The dashed signals correspond to the control reference signals.

[Figure 10.3 plots: angle of attack [deg], heading angle [deg], and altitude [m] against time [s], and the flight trajectory as altitude [m] over x [m] and y [m].]

Fig. 10.3 Angle of attack, heading angle, altitude, and trajectory of the aircraft for the nomi-
nal condition.

seen that the reference signals are tracked very well, especially when the fact is con-
sidered that the SPC-based FTC system is completely data-driven. It can be seen
that during the heading change manoeuvre, the sideslip angle is allowed to have a
minimal tracking error, preventing large surface deflections. The flight trajectory is
depicted in Fig. 10.3 as well as the angle of attack, heading angle, and the altitude.
The actuator deflections and the engine commands are depicted in Fig. 10.4. The
engine commands are expressed in engine pressure ratio (EPR). It can be seen that
the control signals are quite smooth and remain well within their operating limits,
which is a result of the constraints on u f .

10.5.2 Trajectory Following for Elevator Lock-in-Place


In this section, the simulation results for elevator lock-in-place are presented. The
simulation starts with the same initial condition as is described in the previous section for
the nominal case. The elevator lock-in-place fault is injected at T = 18 s at a deflection of
1.9 deg. The fault is correctly isolated at T = 28 s. The relatively large isolation delay
arises because the elevator locks at a deflection position that exactly suits the flight
condition at that time, so the fault cannot be isolated until the aircraft is sufficiently
excited by turbulence. It can be seen in Fig. 10.5 that the reference signal for the true
airspeed has been increased just after isolation of the fault. This has been done to increase
the effectiveness of the stabilizer surface to allow sufficient control authority. Furthermore,
it can be seen that tracking of the reference signals is performed satisfactorily. Only during
the descent, which is again performed with a fixed flight path angle of −5 deg, is the pitch
angle command tracked with a small error. In Fig. 10.6, the angle of attack, heading angle,
and altitude are depicted together with the flight trajectory. For comparison purposes, the
same trajectory is also flown using the autopilot from the GARTEUR AG-16 benchmark, the
result of which is indicated by a grey signal in the figure showing the flight trajectory. It
can be seen that the result of the fault is a pitching moment which cannot be counteracted by
the autopilot since it does not have control over the stabilizer. Therefore, when the
autopilot is used, human pilot intervention is required to accommodate this fault. Since the
elevator lock-in-place fault does not affect lateral motion, the heading change manoeuvre is
still performed adequately by the autopilot. In Fig. 10.7 the actuator deflections and engine
commands of the SPC-based FTC system are shown. It can be seen that the elevator deflection
remains constant after the fault is injected and that the stabilizer takes over after the
fault is isolated. Note also that the rate of change of the stabilizer input is small when
compared to the other surfaces. The reason for this is that the stabilizer surface has a
maximum deflection rate of 0.5 deg/s, which is about 100 times smaller than the other
surfaces. Generally, it can be concluded from these simulation results that the reaction to
the fault is performed quickly and adequately as a result of the available prior knowledge,
being open-loop simulation data from a similar fault condition. This prior knowledge has
significantly reduced adaptation time.

Fig. 10.4 Actuator deflections and engine commands for the nominal condition. [Panels:
ailerons, rudders and elevators (deg) and engine EPR, plotted against time (s).]

Fig. 10.5 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for elevator
lock-in-place. The dashed signals correspond to the control reference signals.

Fig. 10.6 Angle of attack, heading angle, altitude, and trajectory of the aircraft for elevator
lock-in-place. In the trajectory plot, the gray line corresponds to the trajectory flown with the
autopilot.

10.5.3 Trajectory Following for Rudder Runaway


In this section, the simulation results for rudder runaway are presented. The rudder
runaway fault is injected at T = 18 s. After this, the upper and lower rudder surfaces
start moving at a rate of 50 deg/s from their position at T = 18 s to the maximum
deflection position of 25 deg. The rudder runaway fault is isolated at T = 22 s. It
can be seen in Fig. 10.8 that the aircraft starts to slip immediately after insertion of
the fault and that the reference signals are not tracked very well just after the fault.
This is because SPC needs some time to gather data for adapting to the faulty condition.
After this has been done, the reference signals are tracked satisfactorily again, except
for the sideslip angle. The reason for this is that it cannot be controlled completely
towards zero due to the severity of the fault. At T = 75 s the heading change is
initiated. Subsequently, at T = 150 s a descent to 100 m is initiated with a fixed flight
path angle of −5 deg. Note that the aircraft picks up speed in this descent. This is
because the engines are required to provide differential thrust to counteract the yawing
moment of the rudder runaway and therefore cannot reduce thrust. In Fig. 10.9 it can be
seen that both the heading change and the descent manoeuvre are performed adequately.
Furthermore, it can be observed that the autopilot is unable to counteract the yawing
moment resulting from the rudder runaway fault, not even with a full deflection of the
spoilers and ailerons. It is therefore clear that the human pilot must intervene to try to
accommodate the fault. In Fig. 10.10 it can be seen that after the fault some time is
required before the control signals become smooth again, which is a result of the
adaptation process. Also, it can be seen how the ailerons work together with the engines
(providing differential thrust) and the spoilers to counteract the yawing moment resulting
from the rudder runaway fault. Next, it can be observed that in the time interval
T = 150–300 s the rudders have moved away from their maximum deflection position of 25 deg
because the aircraft picks up speed, resulting in a reduced blowdown limit, which means
that the rudders are forced back towards their neutral position.

Fig. 10.7 Actuator deflections and engine commands for elevator lock-in-place. [Panels:
ailerons, stabilizer, elevators and rudders (deg) and engine EPR, plotted against time (s).]

10.5.4 Trajectory Following for “Bijlmerramp” Condition


In this section, the simulation results for the “Bijlmerramp” fault condition are presented.
The simulation setting in this section differs from the setting of the previous three
simulations in that it can accommodate unanticipated faults. The setting for unanticipated
faults continuously uses 7 inputs to control the aircraft, as is described in Table 10.1.
Furthermore, no FDI is used for this setting. The simulation starts at an altitude of 980 m,
a true airspeed of 133.8 m/s, and a flap setting of 1 deg according to the initial conditions
defined in GARTEUR AG-16 for this specific fault. The fault is injected at T = 10 s.
Immediately after injection of the fault, the aircraft starts to roll and slip as can be seen
in Fig. 10.11. However, the SPC-based FTC system manages to quickly regain control and track
the reference signals again after a period of about 15 s. In Fig. 10.12 it can be seen that
the trajectory can be flown safely even after occurrence of the very severe fault condition.
Furthermore, it can be seen that the autopilot is not capable of safely flying the aircraft,
since it crashes about 50 s after the injection of the fault. In Fig. 10.13 the actuator
deflections and the engine commands for the “Bijlmerramp” scenario are shown. It can be seen
that the right engines immediately stop providing thrust after the fault is injected.
Furthermore, it can be observed that the stabilizer is used in a limited range to prevent
overly large altitude fluctuations due to the slow operation of this surface. An important
conclusion that can be drawn from this simulation is that the SPC-based FTC system is able to
adapt to an unanticipated condition, which severely changes the dynamics of the aircraft.

Fig. 10.8 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for rudder
runaway. The dashed signals correspond to the control reference signals.

Fig. 10.9 Angle of attack, heading angle, altitude, and trajectory of the aircraft for rudder
runaway. In the trajectory plot, the gray line corresponds to the trajectory flown with the
autopilot.

Fig. 10.10 Actuator deflections and engine commands for rudder runaway. [Panels: ailerons,
rudders, elevators and spoilers (deg), EPR left engines and EPR right engines, plotted against
time (s).]

Fig. 10.11 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for the
“Bijlmerramp” fault condition. The dashed signals correspond to the control reference
signals.

10.5.5 Discussion of the Simulation Results


The presented simulation results show that by using the proposed methodology it is
possible to design a controller for the nominal and faulty aircraft using only input-output
data. This conclusion is remarkable, especially when the complexity of the aircraft model is
considered. Two desirable properties of the proposed control design methodology are:
1. Modeling of the system to be controlled takes up a large part of the design process
of model-based controllers. Since the proposed methodology provides a framework
to derive a controller using only input-output data, a significant amount of
time can be saved in the design process.
2. For fault-tolerant control it is often required to have a model of the post-fault
system. This requirement results in the impossibility of providing fault-tolerant
control for all possible faults since not all possible faults can be anticipated.
However, the proposed methodology can even deal with unanticipated faults by
adapting on-line to faults using input-output data. Therefore, it is a very suitable
method for fault-tolerant control.

Fig. 10.12 Angle of attack, heading angle, altitude, and trajectory of the aircraft for the
“Bijlmerramp” fault condition. In the trajectory plot, the gray line corresponds to the
trajectory flown with the autopilot.

Fig. 10.13 Actuator deflections and engine commands for “Bijlmerramp” fault condition.
[Panels: spoilers, elevators, ailerons, rudders and stabilizer (deg), EPR left engines and EPR
right engines, plotted against time (s).]

10.6 Real-Time Implementation


The simulation results of the SPC-based FTC system presented in the previous section
have been obtained using off-line simulations. An important property of a control method
that is meant for real-time on-line implementation is its computational requirements. These
requirements should not be so large that they restrict a practical implementation for
realistic systems. In order to demonstrate that the presented SPC-based FTC system does not
have too restrictive computational requirements, an on-line version has been developed. This
on-line version has been created in the scope of GARTEUR AG-16. In this project the
participants have been invited to develop on-line FTC schemes for implementation on the
SIMONA research flight simulator [30]. A real-time simulator environment has been developed
specifically for this research simulator. This environment, which has been named Delft
University Environment for Communication and Activation (DUECA) [31], poses different
requirements on the FTC system than the off-line simulation environment, which is
MATLAB/Simulink.

An important requirement of the on-line simulation environment is that all computations
required for the FTC system should be finished well within the sample time of the benchmark
model, which is 0.01 s. Since the computations required for the developed SPC-based FTC
system are too heavy to be finished within 0.01 s, a multi-rate real-time architecture has
been developed. This architecture consists of 2 blocks that run at different operating
frequencies. One block runs at the same frequency as the aircraft model and one block runs at
a frequency of 10 Hz. A schematic diagram of the multi-rate architecture is shown in
Fig. 10.14. In Block 2 the time-consuming computations that cannot be finished within 0.01 s
are performed. These computations include the update of the subspace predictor and the
solver for the quadratic programming problem (10.30). Block 1 contains the less intensive
computations, such as the computations required for the multiple-model FDI system. It should
be noted that the frequency of 10 Hz of Block 2 is chosen sufficiently fast relative to the
dynamics of the benchmark model.

The tuning parameters of the on-line SPC-based FTC system that determine the computational
requirements are chosen as: $N_p = 20$, $N_c = 5$, $p = 20$, $f = 20$, $m = 5$, and $l = 7$.
Furthermore, the maximum number of iterations of the solver for the quadratic programming
problem has been set to 100 to ensure that the available computation time is never exceeded.
The described parameter configuration results in an SPC-based FTC system that is fast enough
to be run on the DUECA simulation environment using a computer with an AMD Athlon 64 X2 5600+
processor operating at 2.8 GHz and 4 Gb of RAM. It should be remarked, however, that it has
not been possible to implement the setting for unanticipated faults sufficiently fast on this
computer, because for this setting $m = 7$, ceteris paribus. Since the on-line results are
similar to the off-line results, which have been previously presented, no on-line results are
presented in this chapter. In conclusion, it is remarked that the on-line version of the
SPC-based FTC system demonstrates that it is indeed possible to perform real-time data-driven
adaptive control of a complex system such as the benchmark model.

Fig. 10.14 Schematic diagram of the multi-rate real-time architecture. [Diagram labels:
Boeing 747 model, FTC Block 1, FTC Block 2, 100 Hz, 10 Hz.]
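The multi-rate scheme of Section 10.6, as an added example that is not the authors' DUECA implementation: a 100 Hz loop holds the command while a 10 Hz block solves a box-constrained quadratic program with the iteration cap of 100. The first-order plant, horizon, weight, limits and the projected-gradient solver are assumptions made for illustration, the slow block's result is assumed to be available in the same tick, and the subspace predictor and FDI are not modelled.

```python
"""Multi-rate loop: 100 Hz plant and hold, 10 Hz iteration-capped QP (constructed toy)."""

FAST_DT = 0.01      # sample time of the benchmark model given in the text (100 Hz)
SLOW_DIV = 10       # the heavy block runs every 10th tick, i.e. at 10 Hz
MAX_ITERS = 100     # solver iteration cap given in the text
HORIZON = 5         # assumed horizon in slow steps (not the chapter's N_p, N_c)
RHO = 0.01          # assumed input weight
U_MIN, U_MAX = -1.0, 1.0   # assumed actuator limits

# Assumed plant x' = -0.5 x + u, Euler-discretised at 100 Hz.
A_FAST = 1.0 - 0.5 * FAST_DT
B_FAST = FAST_DT
# Exact 10 Hz model of that plant when u is held constant over 10 fast ticks.
A_SLOW = A_FAST ** SLOW_DIV
B_SLOW = B_FAST * sum(A_FAST ** i for i in range(SLOW_DIV))

# S[j][i]: sensitivity of the predicted state x_{j+1} to the planned input u_i.
S = [[B_SLOW * A_SLOW ** (j - i) if j >= i else 0.0 for i in range(HORIZON)]
     for j in range(HORIZON)]
# Trace bound on the largest Hessian eigenvalue, giving a safe step size 1/LIPSCHITZ.
LIPSCHITZ = 2.0 * (sum(s * s for row in S for s in row) + RHO)


def clip(u):
    return min(U_MAX, max(U_MIN, u))


def slow_block(x, ref, warm_start):
    """10 Hz block: projected-gradient QP solve, never more than MAX_ITERS iterations."""
    u_ss = ref * (1.0 - A_SLOW) / B_SLOW      # input that holds the state at ref
    u = [clip(v) for v in warm_start]
    for iteration in range(1, MAX_ITERS + 1):
        err = [A_SLOW ** (j + 1) * x
               + sum(S[j][i] * u[i] for i in range(HORIZON)) - ref
               for j in range(HORIZON)]
        grad = [2.0 * sum(S[j][i] * err[j] for j in range(HORIZON))
                + 2.0 * RHO * (u[i] - u_ss) for i in range(HORIZON)]
        new_u = [clip(u[i] - grad[i] / LIPSCHITZ) for i in range(HORIZON)]
        change = max(abs(a - b) for a, b in zip(new_u, u))
        u = new_u                             # every iterate respects the limits
        if change < 1e-9:
            break
    return u, iteration


def run(duration_s, ref=1.0, x0=0.0):
    """Simulate the 100 Hz loop; the QP is re-solved only on every 10th tick."""
    ticks = int(round(duration_s / FAST_DT))
    x, plan, held_u = x0, [0.0] * HORIZON, 0.0
    log = {"slow_calls": 0, "max_iters": 0, "inputs": [], "states": []}
    for k in range(ticks):
        if k % SLOW_DIV == 0:                 # 10 Hz: time-consuming computation
            plan, iters = slow_block(x, ref, plan)   # warm start from the last plan
            held_u = plan[0]
            log["slow_calls"] += 1
            log["max_iters"] = max(log["max_iters"], iters)
        u = clip(held_u)                      # 100 Hz: hold and limit the command
        x = A_FAST * x + B_FAST * u           # plant update at the fast rate
        log["inputs"].append(u)
        log["states"].append(x)
    return log


if __name__ == "__main__":
    result = run(3.0)
    print(result["slow_calls"], result["max_iters"], round(result["states"][-1], 4))
```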

10.7 Conclusions
A reconfigurable fault-tolerant control system has been presented that is able to
adapt on-line to faults. This system consists of a subspace predictor, derived in
a closed-loop setting, combined with predictive control. The subspace predictor,
which does not require knowledge of a mathematical model, is continuously updated
on-line using new input-output data. It is this property that gives the proposed
system its ability to adapt to faults. These faults may be either anticipated or
unanticipated. In case of anticipated faults, prior knowledge of the faults allows the
changed dynamics to be captured faster than by relying purely on adaptation. A special
setting for unanticipated faults has been designed that uses more control inputs than for
anticipated faults to fully exploit the adaptation capabilities. The proposed
fault-tolerant control system is evaluated in simulation on a detailed benchmark model.
In the performed simulations, three fault conditions have been successfully accommodated.
These fault conditions include an elevator lock-in-place, rudder runaway,
and the “Bijlmerramp” fault condition. In the simulations it could be observed that
the controller requires some time to adapt to the new fault situation. This is an
inevitable consequence of the data-driven adaptation concept. However, in general it
can be concluded from the simulations that the system allows the required elementary
manoeuvres to be performed safely in both nominal and faulty conditions.

References
1. Van Overschee, P., De Moor, B.: Subspace identification for linear systems: theory,
implementation, applications. Kluwer Academic Publishers, Dordrecht (1996)
2. Verhaegen, M., Dewilde, P.: Subspace identification, part I: The output-error state space
model identification class of algorithms. International Journal of Control 56(5),
1187–1210 (1992)
3. Favoreel, W., de Moor, B.: SPC: Subspace Predictive Control. In: Proceedings of the
IFAC World Congress, Beijing, China (July 1999)
4. Maciejowski, J.M.: Predictive Control with Constraints. Prentice Hall, Englewood Cliffs
(2002)
5. Hallouzi, R., Verhaegen, M.: Fault-tolerant subspace predictive control applied to a
Boeing 747 model. Journal of Guidance, Control, and Dynamics 31(4), 873–883 (2008)
6. Woodley, B.R., How, J.P., Kosut, R.L.: Subspace based direct adaptive H∞ control.
International Journal of Adaptive Control and Signal Processing 15, 535–561 (2001)
7. Kadali, R., Huang, B., Rossiter, A.: A data driven subspace approach to predictive
controller design. Control Engineering Practice 11(3), 261–278 (2003)
8. Ljung, L., McKelvey, T.: Subspace identification from closed loop data. Signal
Processing 52(2), 209–215 (1996)
9. Favoreel, W., de Moor, B., Gevers, M., van Overschee, P.: Closed-loop model-free
subspace-based LQG-design. In: Proceedings of the Mediterranean Conference on
Control and Automation, Haifa, Israel (June 1999)
10. Jansson, M.: A new subspace identification method for open and closed loop data. In:
Proceedings of the IFAC World Congress, Prague, Czech Republic (July 2005)
11. Chiuso, A.: The role of vector autoregressive modeling in predictor-based subspace
identification. Automatica 43(6), 1034–1048 (2007)
12. Dong, J., Verhaegen, M., Holweg, E.: Closed-loop subspace predictive control for fault
tolerant MPC design. In: Proceedings of the IFAC World Congress, Seoul, Korea (July
2008)
13. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The Johns Hopkins
University Press, Baltimore (1996)
14. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems.
Kluwer Academic Publishers, Dordrecht (2003)
15. Song, Y., Campa, G., Napolitano, M., Seanor, B., Perhinschi, M.G.: Online parameter
estimation techniques comparison within a fault tolerant flight control system. Journal of
Guidance, Control, and Dynamics 25(3), 528–537 (2002)
16. Shin, J.-Y., Belcastro, C.M.: Performance analysis on fault tolerant control system. IEEE
Transactions on Control Systems Technology 14(5), 920–925 (2006)
17. Belkharraz, A.I., Sobel, K.: Simple adaptive control for aircraft control surface failures.
IEEE Transactions on Aerospace and Electronic Systems 43(2), 600–611 (2007)
18. Fielding, C., Varga, A., Bennani, S., Selier, M. (eds.): Advanced Techniques for
Clearance of Flight Control Laws. Springer, Heidelberg (2002)
19. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable
flight control. IEEE Transactions on Control Systems Technology 5(2), 217–229 (1997)
20. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable
flight control. Control Engineering Practice 13(6), 771–788 (2005)
21. Pachter, M., Huang, Y.-S.: Fault tolerant flight control. Journal of Guidance, Control, and
Dynamics 26(1), 151–160 (2003)
22. Kanev, S.: Robust Fault-Tolerant Control. PhD thesis, University of Twente, Enschede,
The Netherlands (2004)
23. Zhang, Y., Rong Li, X.: Detection and diagnosis of sensor and actuator failures using
IMM estimator. IEEE Transactions on Aerospace and Electronic Systems 34(4),
1293–1313 (1998)
24. Hallouzi, R., Verhaegen, M., Kanev, S.: Multiple model estimation: a convex model
formulation. International Journal of Adaptive Control and Signal Processing (2008),
doi:10.1002/acs.1034
25. Hallouzi, R.: Multiple-Model Based Diagnosis for Adaptive Fault-Tolerant Control. PhD
thesis, Delft University of Technology, Delft, The Netherlands (2008)
26. Lovera, M., Gustafsson, T., Verhaegen, M.: Recursive subspace identification of linear
and non-linear Wiener state-space models. Automatica 36, 1639–1650 (2000)
27. Marcos, A., Balas, G.J.: Development of linear-parameter-varying models for aircraft.
Journal of Guidance, Control and Dynamics 27(2), 218–228 (2004)
28. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992
Amsterdam Bijlmermeer airplane accident. In: AIAA Modelling and Simulation
Technologies Conference and Exhibit, Denver, Colorado USA (August 2000)
29. Breeman, J.: Quick start guide to AG 16 benchmark model. Technical report, NLR
(2006)
30. SIMONA. TU Delft - SIMONA research simulator (2007) (last checked October 8, 2007)
31. Van Paassen, M.M., Stroosma, O., Delatour, J.: DUECA - data-driven activation in
distributed real-time computation. In: Proceedings of the AIAA Modeling and Simulation
Technologies Conference and Exhibit, Denver, CO, USA (August 2000)
Chapter 11
Fault-Tolerant Control through a Synthesis of
Model-Predictive Control and Nonlinear
Inversion

D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen

11.1 Introduction
By itself, reconfigurable and fault-tolerant control is a challenging task. In general,
fault-tolerant control requires mechanisms to detect and identify a failure; furthermore,
it must be flexible enough to accommodate such a failure. In the more specific case
of fault-tolerant flight control, several specific challenges exist according to [1]:
• flight control is a multi-variable control problem with strong cross-couplings,
especially appearing after an asymmetric failure occurs;
• flight control is a nonlinear problem which means that trim values change with
operating conditions, requiring continuous use of nonlinear or adaptive algorithms;
• an aircraft may become highly unstable after occurrence of a failure, leaving little
time for reconfiguration.

In order to tackle these challenges, we will introduce a control method that is
globally valid, easily reconfigurable and, above all, constrained. The solution that
is presented here is a synthesis of model-predictive control (MPC) and a nonlinear
dynamic inversion method (NDI). Section 11.2 provides the motivation for this setup and,
furthermore, gives a clear introduction as to how both methods interact. Section 11.2.2
and 11.2.3 provide a discussion of the theory of MPC and dynamic inversion, whereas
Section 11.2.4 on control allocation, and the mapping of constraints, provides the theory
that is required to make the proposed combination of MPC and dynamic inversion interact
correctly. Subsequently, Section 11.3 introduces the relevant equations of motion of the
benchmark aircraft and applies NDI theory to these. The chapter continues with the
introduction of simulation results in Section 11.4 and wraps up with a discussion and
conclusions in Section 11.5.

D.A. Joosten
Delft University of Technology, Delft, The Netherlands
e-mail: d.a.joosten@tudelft.nl
T.J.J. van den Boom
Delft University of Technology, Delft, The Netherlands
e-mail: a.j.j.vandenboom@tudelft.nl
M. Verhaegen
Delft University of Technology, Delft, The Netherlands
e-mail: m.verhaegen@tudelft.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 319–336.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

11.2 Overall Control-Setup


The goal of this section is to provide an insightful introduction to the control setup
that is presented in this chapter. Subsequent sections provide more detailed information
with respect to the different components of the setup.

The starting point of this section is the presumption that model-predictive control
(MPC) is well suited to the needs of a reconfigurable control method. The latter is
also concluded in [2] where MPC is compared with several other control methods
that are deemed suitable. The previous statement is motivated through inspection of
the following properties of MPC: as a control strategy MPC is based upon online
optimization that utilizes a model of the system under control, which means that
the internal model may be changed in between the time-steps of the optimization
algorithm; furthermore, MPC is a constrained control method, which means that
actuator failures, like stuck control surfaces, can relatively easily be incorporated
and hence accommodated; and finally, MPC inherently incorporates a control
allocation method, which indicates that it is also possible to give preference to the
use of certain actuators in order to perform a manoeuvre. The multi-variable setting
is natural to MPC, hence strengthening the motivation of its suitability as a
fault-tolerant and reconfigurable control method.

MPC for nonlinear systems, however, only leads to tractable optimization problems
in very specific cases. It may be concluded from different surveys and books on
MPC [3, 4, 5, 6] that MPC is well-suited to LTI systems. However, it has been stated
in the introductory chapter that aircraft pose a control problem that is nonlinear, and
hence MPC in general is not directly applicable to aircraft. It is for this reason that
it is deemed necessary to combine MPC with a nonlinear control method. Dynamic
inversion is such a method. It allows the inversion of the nonlinear kinematics of
the aircraft such that linear and time-invariant behaviour is obtained. This linear
behaviour can be controlled with one of the commonly available MPC algorithms.
Some measures are needed though, because of the interconnection and constraints.

The synthesis of MPC and NDI into one controller is not new. An example of
the combination of MPC and feedback linearization (FBL), which is a more strict
variation on NDI, in order to obtain globally valid and constrained control for the
flight of a re-entry vehicle is to be found in [7], the combination of robust MPC
and feedback linearization for an F-16 is presented in [8], and the combination of
robust MPC and feedback linearisation is evaluated in [9]. The theory presented
in this chapter differs from existing literature in two aspects: the first is
that the combination of NDI and MPC is not only applied as a form of globally
valid and constrained nonlinear control, but also as a reconfigurable method; the
second difference lies in the fact that it is assumed here that the system has control
effector redundancy in the nominal and fault-free case, i.e. that it is over-actuated.
The latter is not the case in the previously mentioned references [7], [9]. In addition,
[10] provides an application of robust MPC so as to achieve reconfigurable
behaviour; linear subspace identification and predictive control are synthesized into
one in [11]; and NDI and online identification of the aerodynamic derivatives of the
aircraft are combined in [12]. An example that considers the use of MPC, without
NDI, in a simulation of the Bijlmermeer accident scenario is to be found in [13].

Figure 11.1 provides an overview of how MPC and NDI are combined in this
chapter. The concept of a combination of NDI and MPC to form a
reconfigurable, globally valid, nonlinear, and constrained controller seems intuitive,
but there are several interconnection issues that require attention. Such issues are
caused by the fact that the number of system inputs is in general much larger than
the number of states that are to be controlled, which is actually a prerequisite for
FTFC. The latter forces us to include control allocation in between the NDI block
and the aircraft. This will be elaborated upon in Section 11.2.4. Furthermore, it is
not a priori clear how the constraints on the inputs relate to the constraints of the
MPC controller.

Fig. 11.1 Overview of the complete FTFC loop and the individual components. Additionally,
the FDI block is shown to stress the importance of a failure detection method that delivers a
new system description and a new set of constraints after the introduction of a failure.
[Block diagram labels: reconfigurable controller (MPC, NDI, control allocation); aircraft
ẋ = f(x) + g(x)u; FDI (f_new, g_new, U_new, X_new); signals r, x, u.]

Subsection 11.2.1 introduces the model structure and Section 11.2.2 introduces
dynamic inversion. The next subsection provides the details of the MPC strategy that
has been applied. Finally, subsection 11.2.4 provides details on how to distribute the
desired control effort over the physical inputs.

For reasons of clarity, several assumptions, mainly because of simplicity, are
posed here that hold throughout the entire chapter. It is assumed that a new model
will become available through online identification of the aerodynamic parameters
based on the work presented in Chapter 13 and [14]. Other assumptions that are
made are that full-state information is assumed to be available, and more importantly,
we assume that there are redundant control effectors, such that these can be
applied in case a primary actuator fails. Finally, it is noted that this method is best
suited for failures of actuators/control surfaces and structural failures of the
airframe. Sensor failures are not considered here, and furthermore, it is assumed that
the current position of control surfaces is measured for purposes of control.

11.2.1 Model Structure


This section starts with an introduction of the system-type that is considered and
continues to present the aspects that are involved in the combination of feedback
linearisation and model predictive control. In this chapter we consider nonlinear
discrete-time systems that are either affine in the input, or made affine in the input
through approximation:

$$x(k+1) = f(x(k)) + g(x(k))\,u(k), \tag{11.1}$$

$$y(k) = h(x(k)), \tag{11.2}$$

where $x(k) \in \mathbb{R}^n$ is the state vector, $u(k) \in \mathbb{R}^m$ is the vector of
inputs, and $k$ indicates that this system is a discrete-time system with sampling interval
$T$. Furthermore, $f(x) \in \mathbb{R}^{n \times 1}$ and $g(x) \in \mathbb{R}^{n \times m}$.
Both the input $u \in U$ and the state $x \in X$ belong to a polyhedral set, i.e. they can be
written as

$$U = \{u \in \mathbb{R}^m \mid A u \le b\}, \tag{11.3}$$

$$X = \{x \in \mathbb{R}^n \mid A_x x \le b_x\}, \tag{11.4}$$

for some matrices $A$, $A_x$ and vectors $b$, $b_x$. Furthermore, it is assumed that the
output $y(k) = x(k)$, i.e. that $h(x(k)) = x(k)$.

It must be remarked that it is also possible to apply FBL to the system in
continuous time. This, however, leads to issues with respect to the control allocation
problem such as depicted in Figure 11.1. The control allocation will consist of a
constrained quadratic programming problem and will necessarily be performed in
discrete-time. It is therefore more logical to perform all steps in discrete-time, and
as such, to discretise the nonlinear system before applying FBL.

11.2.2 Nonlinear Dynamic Inversion


Feedback linearisation is a control method that will obtain linear and decoupled
input-output behaviour through the application of a static and nonlinear feedback
law. Aspects like relative degree, partial feedback linearisation and uncontrollable
internal dynamics are important issues within the standard framework of feedback
linearisation as presented in [15, 16]. Feedback linearisation in its most basic form,
input-state linearisation, is what is applied here. Input-state linearisation to some
extent avoids the aforementioned issues but is also applicable to a smaller range of
systems. The presented implementation applies the concept of a virtual input and
hence allows the use of the available control effector redundancy in a further step,
whereas FBL in its purest form does not.
It is necessary to include dummy outputs in equation (11.1) for input-state linearisation
when m ≥ n in order to be able to apply FBL, since u and y, or x in this
particular case, are required to be sized equally. Alternatively, it is possible to introduce
a virtual input z(x(k), u(k)) = g(x(k))u(k), z ∈ R^n and to split up the problem
of input-state, or possibly partial state, linearisation and control allocation, such that

x(k + 1) = f (x(k)) + z(x(k), u(k)), (11.5)

where z(x(k), u(k)) is assumed to be a virtual input of the system that can be used
for linearisation purposes. This relation between z(x(k), u(k)) and u(k), and how to
make use of the freedom therein, is the topic of Section 11.2.4 on control allocation.
It is clear to see that in order to invert the nonlinear dynamics, a choice

z(k) = g(x(k))u(k) = − f (x(k)) + ν (k), (11.6)


will result in decoupled closed-loop behaviour that equals

x(k + 1) = ν (k), (11.7)

where ν(k) ∈ R^n is a new input to the inverted system. Optionally, through proper
selection of z(k) one can incorporate some desired dynamics such that x(k + 1) =
A_des x(k) + ν(k). The latter equation shows that the chosen control law decouples
the system, such that the closed-loop constitutes a series of integrators in parallel.
Furthermore, it is clear to see that when the number of inputs m is smaller than
the number of states n, provided that we wish to linearize all n states, it will be
impossible to invert the entire dynamics. When m = n there will exist a unique
solution to equation (11.6) and when m > n then there will exist a whole set of
solutions u(k) to this equation. It is necessary to make the remark that it is assumed
in this chapter that m > n, and hence input redundancy exists. Therefore, the input
u(k) will have to be allocated at every discrete-time step. The latter is commonly
called nonlinear dynamic inversion (NDI) instead of FBL.
In summary, the input-state linearisation that is presented in this section leads to
LTI behaviour that relates ν (k) to x(k), and retains freedom in the allocation of u(k).
A restrictive result of the above is that the original input constraints on u(k) must now
be mapped into constraints on ν , since ν (k) will be controlled using model predictive
control (see Figure 11.1). The next section will introduce an MPC algorithm that has
been tailored to this situation, such that this issue can be avoided to a large extent.

Remark: It must be noted that discretisation of nonlinear dynamic systems is not at
all trivial. In this chapter the nonlinear system is sampled with sampling interval T
and first order Euler integration is applied. The difference equation (11.1) is obtained
from the original nonlinear system as follows

$$\dot{x} = f(x) + g(x)u \approx \frac{x(k+1) - x(k)}{T} \tag{11.8}$$

$$\Leftrightarrow \quad x(k+1) \approx T f(x(k)) + x(k) + T g(x(k))u. \tag{11.9}$$
The authors acknowledge that the Euler method, which is a first-order method,
is typically associated with an integration error that is proportional to the sampling
interval T . This makes the Euler method less accurate than higher order methods
such as the Runge-Kutta method. There are two specific reasons why Euler’s method
is applied here. For one, use of higher order methods would complicate the dynamic
inversion of the nonlinear aircraft model in Section 11.3 unnecessarily. Next to that,
and more importantly, the simulation settings for the benchmark model are such that
the Euler method is applied in the simulation. Hence, the Euler method is chosen
over higher-order methods for discretization.

11.2.3 Model Predictive Control


Now that a linear discrete-time system (11.7) has been obtained through NDI, it is
straightforward to apply model predictive control (MPC). MPC applies an internal
model of the system under consideration. It is this model that is used to predict future
values of dependent variables as a function of independent variables, in most cases
the system input, over a prediction horizon. Application of a cost-function allows
for the minimisation of this cost function over the horizon, subject to constraints.
The first input is applied to the system and the optimisation is repeated during the
next time-step.
A possible objective function, where the prediction horizon is chosen equal to N
time steps, is

$$J(\nu_k) = \sum_{i=1}^{N} e(k+i|k)^T Q\, e(k+i|k), \tag{11.10}$$

where e(k + i|k) = x̂(k + i|k) − x_r(k + i|k), and x̂(k + i|k) is the predicted value of
x(k + i) at time k. r(k) ∈ Rn is the reference signal and Q  0 is a state weighting
matrix, respectively.
We introduce the following variables

$$\tilde{x} = \begin{bmatrix} x(k+1|k) \\ x(k+2|k) \\ \vdots \\ x(k+N|k) \end{bmatrix}, \quad
\tilde{x}_r = \begin{bmatrix} x_r(k+1|k) \\ x_r(k+2|k) \\ \vdots \\ x_r(k+N|k) \end{bmatrix}, \quad
\tilde{u} = \begin{bmatrix} u(k|k) \\ u(k+1|k) \\ \vdots \\ u(k+N-1|k) \end{bmatrix}, \quad
\tilde{\nu} = \begin{bmatrix} \nu(k|k) \\ \nu(k+1|k) \\ \vdots \\ \nu(k+N-1|k) \end{bmatrix}, \tag{11.11}$$
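and

$$\tilde{Q} = I_N \otimes Q, \tag{11.12}$$

where I_N is an identity matrix of size N, and where the operator ⊗ indicates the Kronecker
product of two matrices (see footnote 1). Now, using relationship (11.7) the above objective
function (11.10) can be expanded into

$$\begin{aligned}
J(\nu(k)) &= (\tilde{x} - \tilde{x}_r)^T \tilde{Q} (\tilde{x} - \tilde{x}_r), \\
&= (\tilde{\nu} - \tilde{x}_r)^T \tilde{Q} (\tilde{\nu} - \tilde{x}_r), \\
&= \tilde{\nu}^T \tilde{Q} \tilde{\nu} - 2\tilde{x}_r^T \tilde{Q} \tilde{\nu} - 2\tilde{x}_r^T \tilde{Q} \tilde{r}.
\end{aligned} \tag{11.14}$$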

The minimisation of J(ν̃(k)) constitutes a quadratic programming problem (QP).
The argument of the minimisation of this QP is the vector ν̃*(k).
In order to be able to take into account the constraints on the physical input u(k) it
is necessary to incorporate equation (11.6) which denotes the relationship between
ν (k) and u(k) and the constraints on input u(k) as in (11.3). Both of these can be
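expanded over the horizon as follows

$$\underbrace{\begin{bmatrix} g(x(k)) & 0 & \dots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \dots & g(x(k+N-1)) \end{bmatrix}}_{=\tilde{C}(x)} \tilde{u}(k)
= \underbrace{\begin{bmatrix} -f(x(k)) \\ -f(x(k+1)) \\ \vdots \\ -f(x(k+N-1)) \end{bmatrix}}_{=\tilde{b}_{eq}(x)} + \tilde{\nu}(k) \tag{11.15}$$

and

$$\underbrace{(I_N \otimes A)}_{=\tilde{A}} \tilde{u}(k) \le \underbrace{\begin{bmatrix} 1 & 1 & \dots & 1 \end{bmatrix}^T \otimes b}_{=\tilde{b}}. \tag{11.16}$$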

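Hence, it can be concluded that the optimization of cost-function (11.14) subject to
(11.15) and (11.16) will produce the optimal vector ν̃*(k). It must be noted, however,
that ũ(k) appears in the equality constraint (11.15) and that the same constraint
also depends nonlinearly on the state x̃(k). The input ũ(k) is an independent variable
and therefore it is necessary to append it to the cost-function (11.14) such that the
constraints can also be incorporated into the problem as follows

$$\min_{\tilde{\nu},\tilde{u}} \; \begin{bmatrix} \tilde{u} \\ \tilde{\nu} \end{bmatrix}^T \begin{bmatrix} 0 & 0 \\ 0 & \tilde{Q} \end{bmatrix} \begin{bmatrix} \tilde{u} \\ \tilde{\nu} \end{bmatrix} + \begin{bmatrix} 0 \\ -2\tilde{x}_r^T \tilde{Q} \end{bmatrix}^T \begin{bmatrix} \tilde{u} \\ \tilde{\nu} \end{bmatrix}, \tag{11.17}$$

$$\text{s.t.} \quad \begin{bmatrix} \tilde{C} \mid -I_{Nn} \end{bmatrix} \begin{bmatrix} \tilde{u} \\ \tilde{\nu} \end{bmatrix} = \tilde{b}_{eq}, \tag{11.18}$$

$$\begin{bmatrix} \tilde{A} & 0 \end{bmatrix} \begin{bmatrix} \tilde{u} \\ \tilde{\nu} \end{bmatrix} \le \tilde{b}. \tag{11.19}$$

Footnote 1: The Kronecker product of two matrices A and B is defined as

$$A \otimes B = \begin{bmatrix} a_{11}B & \dots & a_{1n}B \\ \vdots & \ddots & \vdots \\ a_{m1}B & \dots & a_{mn}B \end{bmatrix}, \tag{11.13}$$

where a_ij is the i, j-th entry of matrix A ∈ R^{m×n}.
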

The minimisation of (11.17), subject to (11.18) and (11.19) leads to a feasible ũ*
and an optimal ν̃*. Note that equation (11.18) incorporates the relationship between
the virtual input z, the physical input u, and the variable ν (see remark). The latter
may be interpreted as if the dynamic inversion were embedded into the MPC
problem. It must be noted, however, that it is not possible to weight the input ũ(k)
during this phase because that impairs the state-tracking capability of the controller.
The argument of the optimisation ũ∗ is not unique, since g(x(k)) is a wide matrix.
Hence, it is possible to pose a second optimisation problem in the form of a control
allocation problem, which will be the subject of the next section.
One issue, that was already mentioned in the previous paragraph, is that the equality
constraint (11.18) depends on the state in a nonlinear fashion. This constraint
therefore has to be approximated such that it is either constant or linearly dependent
on the state at time k. Several possible approximations are:
1. assume that x(k) is constant over the horizon such that

$$\tilde{C} \approx I_n \otimes g(x(k)), \qquad \tilde{b}_{eq} \approx \begin{bmatrix} 1 & 1 & \dots & 1 \end{bmatrix}^T f(x(k));$$

2. apply the input that was computed for the previous time-step to predict the evolution
of the state over the horizon;
3. assume that the system state will follow the reference state according to a stable
and linear time-invariant (LTI) reference system;
4. exploit a Jacobian linearization of f(x(k)) and g(x(k)) to obtain a local LTI
model that can be applied to predict the evolution of the state over the horizon.
The authors acknowledge that what is presented in this section is a tailor-made MPC
implementation, and suggest referring to [6] for an in-depth investigation of MPC
and its properties in general.

Remark: The addition of ũ(k) in (11.17) may seem redundant, but it avoids the
complex and computationally expensive mapping of the polytope U that bounds
u(k) to a polytope that bounds ν (k) via the relationship

g(x(k))u(k) = − f (x(k)) + ν (k). (11.20)

This must be done every time-step and is very closely related to the subject of computational
geometry. It is however well-known that projection methods, as described
in [17], are computationally very intensive and therefore not suitable for this application.
Even the more advanced and much faster methods like the equality set
projection algorithm from [18] were shown to be prohibitive where computational
complexity is concerned.

11.2.4 Control Allocation


The previous sections have shown that it is possible to construct a globally valid, but
constrained and nonlinear controller by means of a combination of MPC and FBL.
Until now, however, we have only computed a feasible input u*(k). This input is not
unique, since in general the number of inputs is known to be larger than the number
of controlled states. In many cases it will be desirable to be able to redistribute this
feasible input such that, for instance, the absolute size of the inputs is minimal, or
such that the change of the input with respect to the previous time-step is minimised.
Since m ≥ n, there is freedom in choosing u. One way to solve this problem
involves the following quadratic programming problem

$$\begin{aligned}
\min_{u} \quad & u^T Q_u u + \Delta u^T R_u \Delta u, \\
\text{s.t.} \quad & g(x(k))u(k) = g(x(k))u^*(k), \\
& A u \le b,
\end{aligned} \tag{11.21}$$

where Δ u = u(k) − u(k − 1) and where Qu , Ru  0 are input weighting matrices.


The above optimisation problem may be interpreted as follows: given one feasible
input u*(k) that results from the MPC step, this control allocation problem
will find a u(k) that satisfies the mixed objective posed above: minimisation of the
inputs and minimisation of the change of u(k) with respect to the previous time-step,
while satisfying the control allocation goal by means of the equality constraint
g(x(k))u(k) = g(x(k))u*(k).
It is this control allocation strategy that completes the FTFC setup that has been
presented in this section. We have provided the necessary theory and results that are
required for the integration of MPC and NDI into a single controller. The next section
will show the merits of this FTFC method by means of an example that involves
the nonlinear equations of motion of a fixed-wing aircraft which is represented by
the benchmark model.
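
The inversion law of Section 11.2.2 and the allocation problem (11.21), as an added example that is not code from the chapter or the benchmark: a constructed scalar plant with three redundant effectors, one of which gets stuck. It assumes diagonal weights, a fixed ν in place of the MPC step, and a stuck effector modelled by collapsing its bounds; the plant, numbers and the names f_d, g_d, reach, allocate and simulate are assumptions of this example.

```python
"""Scalar NDI plus control allocation with a stuck effector (constructed toy model)."""

T = 0.05       # sampling interval [s], constructed value
A_DES = 0.9    # desired closed-loop dynamics x(k+1) = A_DES*x(k) + nu(k)


def f_d(x):
    """Discrete drift as in (11.9): x + T*f_c(x), with toy f_c(x) = -0.5*x**3."""
    return x + T * (-0.5 * x ** 3)


def g_d(x):
    """Discrete input row T*g_c(x): three redundant effectors, so m = 3 > n = 1."""
    return [T * 2.0, T * 1.0, T * (1.0 + 0.2 * x * x)]


def reach(g, u):
    """Virtual input g*u produced by the physical input vector u."""
    return sum(gi * ui for gi, ui in zip(g, u))


def allocate(g, z, u_prev, lo, hi, q, r):
    """Diagonal-weight instance of (11.21) for a scalar virtual input z:
    min sum q_i*u_i^2 + r_i*(u_i - u_prev_i)^2  s.t.  g.u = z,  lo <= u <= hi.
    KKT gives u_i(lam) = clip((r_i*u_prev_i + lam*g_i/2) / (q_i + r_i)); g.u(lam)
    is non-decreasing in lam, so lam is found by bisection. Needs q_i + r_i > 0.
    Returns None when z cannot be produced inside the bounds.
    """
    def u_of(lam):
        return [min(h, max(l, (ri * up + 0.5 * lam * gi) / (qi + ri)))
                for gi, up, l, h, qi, ri in zip(g, u_prev, lo, hi, q, r)]

    z_min = reach(g, [l if gi >= 0 else h for gi, l, h in zip(g, lo, hi)])
    z_max = reach(g, [h if gi >= 0 else l for gi, l, h in zip(g, lo, hi)])
    if z < z_min - 1e-12 or z > z_max + 1e-12:
        return None
    z = min(max(z, z_min), z_max)
    lam_lo, lam_hi = -1.0, 1.0
    for _ in range(200):                      # grow the bracket below the root
        if reach(g, u_of(lam_lo)) <= z:
            break
        lam_lo *= 2.0
    for _ in range(200):                      # grow the bracket above the root
        if reach(g, u_of(lam_hi)) >= z:
            break
        lam_hi *= 2.0
    for _ in range(200):                      # bisection on the multiplier
        mid = 0.5 * (lam_lo + lam_hi)
        if reach(g, u_of(mid)) < z:
            lam_lo = mid
        else:
            lam_hi = mid
    return u_of(lam_hi)


def simulate(steps, x0, nu, stuck=None):
    """Closed loop of plant (11.1) under the NDI law (11.6) with desired dynamics.
    stuck = (k_fail, index, position) freezes one effector from step k_fail on,
    modelled by collapsing its bounds (an assumption of this example).
    Returns a list of (k, x, u, residual), residual = x(k+1) - (A_DES*x + nu).
    """
    lo, hi = [-1.0] * 3, [1.0] * 3
    q, r = [1.0] * 3, [0.5] * 3
    x, u_prev, log = x0, [0.0] * 3, []
    for k in range(steps):
        if stuck is not None and k >= stuck[0]:
            lo[stuck[1]] = hi[stuck[1]] = stuck[2]
        g = g_d(x)
        z = -f_d(x) + A_DES * x + nu          # required virtual input
        u = allocate(g, z, u_prev, lo, hi, q, r)
        if u is None:
            raise ValueError("virtual input not attainable at step %d" % k)
        x_next = f_d(x) + reach(g, u)         # plant update
        log.append((k, x, u, x_next - (A_DES * x + nu)))
        x, u_prev = x_next, u
    return log


if __name__ == "__main__":
    for k, x, u, res in simulate(40, 1.0, 0.05, stuck=(20, 0, 0.8))[18:23]:
        print(k, round(x, 4), [round(ui, 3) for ui in u], "%.1e" % res)
```

Run as a script, it prints the steps around the failure: the first effector stays at its stuck position while the other two take over, and the linearised closed loop is unaffected as long as the required virtual input remains attainable.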

11.3 Modeling and Dynamic Inversion of the Benchmark Model


This section applies the previously introduced NDI theory to the benchmark aircraft.
In order to do so, we introduce the relevant equations of motion that stem from a
first-principles model of the aircraft. In favour of brevity we introduce only those
kinematic equations that are relevant for NDI purposes. Furthermore, we present
these state-equations in their discrete time approximation directly. The goal of this
section is to present the nonlinear control laws that are required to arrive at linear
and time-invariant behaviour for purposes of control through MPC.
A total number of four states will be linearised using the NDI method. These
states are the roll attitude φ , the pitch angle θ , the yaw angle ψ and the indicated
airspeed V, respectively. With these four states it is possible to control both the orientation
and the velocity of the aircraft. Through the application of NDI we strive
for linearisation of these four state equations. In order to arrive at the required control
laws we split the problem in two separate stages. First, we model the discretised
but nonlinear equation for the airspeed V of the benchmark aircraft and linearise
this. Subsequently, we perform the same actions for the equations that belong to the
three attitude states. Additionally, in the first instance we will assume that the forces
(X,Y, Z) and moments (L, M, N), that enter the system equations, are inputs to the
system.
The nonlinear and discretised state equation for the airspeed is given as follows:

$$V(k+1) = V(k) + \frac{T}{m} \begin{bmatrix} \cos\alpha\cos\beta & \sin\beta & \sin\alpha\cos\beta \end{bmatrix} \begin{bmatrix} X(k) \\ Y(k) \\ Z(k) \end{bmatrix}, \tag{11.22}$$

where α and β are the angle of attack and sideslip angle, respectively. The variable
T is introduced here to represent the sampling interval. Hence, the time between
two time-steps k and k + 1 is T seconds. Then, using the notational convention of
Section 11.2.2 we introduce the virtual input z_1 as

$$z_1(k) = \frac{T}{m} \begin{bmatrix} \cos\alpha\cos\beta & \sin\beta & \sin\alpha\cos\beta \end{bmatrix} \begin{bmatrix} X(k) \\ Y(k) \\ Z(k) \end{bmatrix}, \tag{11.23}$$

such that when

$$z_1(k) = (a_{des} - 1)V(k) + \nu_1(k), \tag{11.24}$$

the state equation becomes linear and is represented as

$$V(k+1) = a_{des}V(k) + \nu_1(k). \tag{11.25}$$

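Performing NDI for the attitude states requires some additional steps, since they do
not depend on the external forces and moments directly. We model the behaviour of
the attitude states as

$$\begin{bmatrix} \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix} = T \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ 0 & \frac{\sin\phi}{\cos\theta} & \frac{\cos\phi}{\cos\theta} \end{bmatrix} \begin{bmatrix} p(k) \\ q(k) \\ r(k) \end{bmatrix} + \begin{bmatrix} \phi(k) \\ \theta(k) \\ \psi(k) \end{bmatrix}, \tag{11.26}$$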

where p, q, r are the roll-, pitch- and yaw rate. In order to apply NDI we shift these
equations one step in time in order to arrive at
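
$$\begin{bmatrix} \phi(k+2) \\ \theta(k+2) \\ \psi(k+2) \end{bmatrix} = T \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ 0 & \frac{\sin\phi}{\cos\theta} & \frac{\cos\phi}{\cos\theta} \end{bmatrix}(k+1) \begin{bmatrix} p(k+1) \\ q(k+1) \\ r(k+1) \end{bmatrix} + \begin{bmatrix} \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix}, \tag{11.27}$$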

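such that we may plug in the equations that govern the states p, q, r,

$$\begin{bmatrix} p(k+1) \\ q(k+1) \\ r(k+1) \end{bmatrix} = \left( -T J^{-1} \begin{bmatrix} 0 & -r & q \\ r & 0 & -p \\ -q & p & 0 \end{bmatrix} J - \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix} \right) \begin{bmatrix} p(k) \\ q(k) \\ r(k) \end{bmatrix} + T J^{-1} \begin{bmatrix} L(k) \\ M(k) \\ N(k) \end{bmatrix},$$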

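where

$$J = \begin{bmatrix} I_{xx} & 0 & -I_{xz} \\ 0 & I_{yy} & 0 \\ -I_{xz} & 0 & I_{zz} \end{bmatrix} \tag{11.28}$$

and where I∗∗ indicates the inertia, in order to arrive at

$$\begin{aligned}
\begin{bmatrix} \phi(k+2) \\ \theta(k+2) \\ \psi(k+2) \end{bmatrix} = {} & \begin{bmatrix} \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix} + T \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ 0 & \frac{\sin\phi}{\cos\theta} & \frac{\cos\phi}{\cos\theta} \end{bmatrix}(k+1) \\
& - \left( T J^{-1} \begin{bmatrix} 0 & -r & q \\ r & 0 & -p \\ -q & p & 0 \end{bmatrix} J - \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix} \right) \begin{bmatrix} p(k) \\ q(k) \\ r(k) \end{bmatrix} \\
& + T J^{-1} \begin{bmatrix} L(k) \\ M(k) \\ N(k) \end{bmatrix}.
\end{aligned} \tag{11.29}$$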

Using the same method that was applied for the airspeed, we choose the virtual input

$$z_2(k) = T J^{-1} \begin{bmatrix} L(k) \\ M(k) \\ N(k) \end{bmatrix}. \tag{11.30}$$

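Choosing this virtual input to equal

$$\begin{aligned}
z_2(k) = {} & (A_{des} - I) \begin{bmatrix} \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix} - T \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ 0 & \frac{\sin\phi}{\cos\theta} & \frac{\cos\phi}{\cos\theta} \end{bmatrix}(k+1) \\
& - \left( T J^{-1} \begin{bmatrix} 0 & -r & q \\ r & 0 & -p \\ -q & p & 0 \end{bmatrix} J - \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix} \right) \begin{bmatrix} p(k) \\ q(k) \\ r(k) \end{bmatrix},
\end{aligned} \tag{11.31}$$

leads to the linear and time-invariant closed-loop behaviour

$$\begin{bmatrix} \phi(k+2) \\ \theta(k+2) \\ \psi(k+2) \end{bmatrix} = (A_{des} - I) \begin{bmatrix} p(k+1) \\ q(k+1) \\ r(k+1) \end{bmatrix} + \nu_2(k), \tag{11.32}$$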

where A_des ∈ R^{3×3} is the desired linear time invariant behaviour and where ν_2 is the
input to the linearised system. At this stage we may conclude that when z_1 and z_2
satisfy equation (11.24) and (11.31) that the linear state behaviour equals

$$\begin{bmatrix} V(k+1) \\ \phi(k+2) \\ \theta(k+2) \\ \psi(k+2) \end{bmatrix} = \begin{bmatrix} a_{des} & 0 \\ 0 & A_{des} \end{bmatrix} \begin{bmatrix} V(k) \\ \phi(k+1) \\ \theta(k+1) \\ \psi(k+1) \end{bmatrix} + \begin{bmatrix} \nu_1(k) \\ \nu_2(k) \end{bmatrix}. \tag{11.33}$$

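What remains now is to introduce expressions for the forces F = [X, Y, Z]^T and
moments M = [L, M, N]^T. The forces are the sum of the external forces and the contribution
of the aerodynamics, and the moments are dependent on the aerodynamics
only, which leads to the expressions:

$$F = F_{grav} + F_{wind} + F_{aero}, \tag{11.34}$$

$$M = M_{aero}, \tag{11.35}$$

where the subscripts indicate the contribution of gravity, the wind and the aerodynamic
model, respectively. We model the aerodynamics as follows

$$F_{aero} = \tfrac{1}{2}\rho V^2 S \left( C_{Fx} \begin{bmatrix} 1 & \alpha & \alpha^2 & \alpha^3 & \beta & \beta^2 & \beta^3 & \frac{pb}{2V} & \frac{qc}{2V} & \frac{rb}{2V} \end{bmatrix}^T + C_{Fu} u \right), \tag{11.36}$$

$$M_{aero} = \tfrac{1}{2}\rho V^2 S \begin{bmatrix} b & 0 & 0 \\ 0 & \bar{c} & 0 \\ 0 & 0 & b \end{bmatrix} \left( C_{Mx} \begin{bmatrix} 1 & \alpha & \alpha^2 & \alpha^3 & \beta & \beta^2 & \beta^3 & \frac{pb}{2V} & \frac{qc}{2V} & \frac{rb}{2V} \end{bmatrix}^T + C_{Mu} u \right), \tag{11.37}$$
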
where ρ is the air density, S, b, c̄ are the wing area, wing span and wing chord,
respectively. The input variable u is a vector composed of the control surfaces and
engines of the aircraft. In this chapter we make use of a subset of these control
effectors. In this particular case we apply our controller to the four elevator surfaces,
the four ailerons, the two rudder halves and the four engines, hence u ∈ R^14.
The aerodynamic parameters C_Fx, C_Mx ∈ R^{3×10} and C_Fu, C_Mu ∈ R^{3×14} are determined
online through a recursive identification method, using the approach presented
in Chapter 13 and [14]. Although not strictly required in the nominal and
failure-free case, the identification method is applied in both the nominal and the
failure case. Because we apply data from recursive identification, we do
not have to model failures explicitly. As an example one might consider a rudder
that has become stuck. Such a failure will result in a change in the basic aerodynamic
parameters to account for the static aerodynamic moment that this creates.
Furthermore the effectiveness of the rudder itself will be reduced to zero.
Additionally, although not applied here, it is possible to include direct knowledge
of actuator failures in the controller. The uncertainty caused by failures of the aircraft
structure or actuators is considered to be small because of the relatively fast
response of the identification algorithm.
In summary, we may apply MPC to the linear system of equation (11.33), provided
that the input u from (11.36)-(11.37) is allocated such that the virtual inputs
z_1, z_2 in (11.23) and (11.30) satisfy equations (11.24) and (11.31). Additionally,
the physical constraints are entered into the problem to arrive at the MPC problem
(11.17), (11.18), (11.19) and the control allocation and weighting problem (11.21) from
Section 11.2.

11.4 Simulation Results


In this section we evaluate the performance of the combination of MPC and NDI
as a reconfigurable control method. We do so in two individual examples. The first
example involves a so-called stabiliser runaway of the benchmark aircraft. The second
example shows the simulation results when one of the manoeuvres from the
benchmark assessment criteria is flown.

11.4.1 Reference Tracking: Stabiliser Runaway


Here, it will be shown that the control strategy proposed in this paper allows retention
of a trim condition and tracking of a reference with the benchmark aircraft in
the event of a failure.
In this particular example, it is shown that a combination of the reconfigurable
controller and the online identification algorithm can retain stability after the introduction
of the stabiliser runaway failure at time t = 10 [s]. At this time the stabiliser
moves to its extreme trim angle of 2°. Next to that, it is shown that, despite the stabiliser
being inoperative and stuck at an extreme position, it is still possible to track a
doublet-like reference signal with the pitch rate q [rad/s] using another combination
of the control surfaces.
The states that are controlled, are the roll attitude φ , the pitch attitude θ and the
yaw attitude ψ , respectively. The inputs that are used in this example are the four
different aileron surfaces, the four elevator surfaces, the two rudder surfaces, and
the stabiliser trim angle. The other inputs, including the engines, remain at their
trim value for the initial condition.
Figure 11.2 depicts the results that were obtained in simulation. Several important
notions can be derived from this figure. First of all, it can be seen from the figure
that, although the online identification is initialised with data that was obtained off-line,
it takes approximately 3 [s] for the closed loop to stabilise the system for the
reference state p, q, r = 0. Furthermore, it is clear to see that, although a failure is
introduced at t = 10 [s], relatively little effect is noticeable in the state-response.
The latter indicates that the controller succeeds at redistributing the
desired control effort over the remaining control surfaces and that the FDI algorithm
identifies the new situation quickly. And finally, it is easily seen from the figure that
in spite of the failure of the stabiliser, it is still possible to track a reference on the
pitch rate. It is assumed that extensive tuning of parameters like the state- and input
weighting matrices Q, Q_u, R_u, the selected sampling interval T, and the prediction
horizon N will lead to greatly improved tracking behaviour.

[Figure 11.2: three panels showing the roll rate, pitch rate and yaw rate [rad/s] against time [s], each with a measurement and a reference trace.]

Fig. 11.2 Simulation result for the body rates p, q, r with respect to a reference after introduction
of a stabiliser runaway fault at t = 10 [s]

What remains to be said about this example is that the computational complexity
of the control method is quite high. It is expected that this can be greatly improved
upon through a more efficient implementation of the controller. Furthermore, although
not visible in the provided results, the online identification algorithm suffers
from lack of excitation when the system is controlled to be in steady-state for extended
periods of time. Both of these issues are not addressed in this chapter, but
will be the topic of future research.

11.4.2 Right Turn and Localiser Intercept


What may be concluded from the previous example is that the method is very much
dependent on the quality of the model that is identified online. This holds particularly
true for control based on NDI in this setting. Because the
aircraft is simulated in closed loop with the controller, it is also very important that
the quality of the initial estimate of the aircraft parameters is high. Furthermore, the
aerodynamic model of the benchmark may basically be regarded to be a black-box
system, hence it is not possible to use exact knowledge of this model for testing purposes.
This, combined with the fact that the control method is particularly sensitive
to tuning of the weighting matrices in both MPC and the control allocation method,
makes it difficult to achieve proper results for flying full manoeuvres from the list
of assessment criteria. In order to show the applicability of the method, provided
that the uncertainty of the aerodynamic model is not too high and that the tuning
of the controller is appropriately chosen, we show an example manoeuvre that was
obtained through simulation of the benchmark where the aerodynamics have been
replaced by a static, but still nonlinear, model.

[Figure 11.3: "States with specs right turn and LOC intercept"; panels for λ, LOCvalid, VTAS, φ, p, q, r, α, β, nz and ny.]

Fig. 11.3 Overview of several aircraft states during a right-hand turn and subsequent localiser
intercept. The top left and top right graph in the figure depict the angle λ with respect to the
localiser beam and the signal that indicates whether the localiser signal is valid.

Figures 11.3, 11.4 and 11.5, which are included at the end of the chapter, show
the results when the aircraft is made to fly a turn to the right followed by a localiser
intercept. Figure 11.3 shows a subset of the aircraft states and the angle between the
aircraft heading and the localiser beam λ during this particular simulation example.
Also indicated in the figure, are the assessment specifications. Figure 11.4 and 11.5
show the accelerations of the aircraft and the horizontal trajectory of the aircraft.
The results presented here consider a flight in a fault-free scenario, but given the
simplified aerodynamic model, different failure scenarios, with stuck control surfaces
perform equally well. What may be concluded from this simulation is that the
combination of MPC and the inversion of the nonlinear aircraft kinematics through
NDI is valid for FTFC purposes, provided correct knowledge of the aerodynamics
of the aircraft is available.

[Figure 11.4: "Kinematic accelerations in body axes"; three panels showing axb, ayb and azb [ms−2].]

Fig. 11.4 Overview of the accelerations of the aircraft body during the right turn and localiser
intercept.

[Figure 11.5: "horizontal trajectory"; ye (East) against xe (North).]

Fig. 11.5 Representation of the horizontal trajectory that was flown by the aircraft during the
right hand turn and localiser intercept manoeuvre.

11.5 Conclusion
This chapter has presented the combination of MPC and FBL into a constrained and
globally valid control method and is as such an evolution of previous work ([19]).
Using the proposed control method, it is possible to implement a reconfigurable
flight control-law that is valid throughout the flight envelope. The reconfigurable
properties are a result of efficient distribution of the desired control effort over the
remaining and redundant control inputs. Furthermore, the method can take into account
various input, state and output constraints. The latter is particularly useful
when actuators get stuck in a certain position.
An example has been provided that shows that the combination of the proposed
control strategy and online, recursive identification can retain a trim state as well
as track a reference when the body states of the benchmark model are controlled.
Practical issues that will be the topic of future research are related to the construction
of a more computationally efficient adaptation of this controller. Additionally, it
will have to be taken into account that the recursive identification scheme is applied
in a closed-loop setting whilst this is not explicitly accounted for at the moment.
From a theoretical point of view an interesting subject for future research is the
addition of robustness to the FTFC method, since it is well-known that feedback linearisation
and dynamic inversion methods are not particularly robust to modelling
uncertainties. Such modelling uncertainties particularly arise in situations where
FDI information is not available instantaneously. In order to achieve this, it is necessary
to include theory for determination of the uncertainty in a model after having
performed feedback linearisation, as discussed in [20]. The same holds for the development
of theory that explains the effect of discretisation on model uncertainty
so as to obtain an uncertain discrete-time feedback linearised system that is suitable
for control with robust model predictive control methods like [21].
Increased robustness of the FTFC method will be of great importance in applications
where there is latency in the FDI system. Robustness with respect to modeling
uncertainty is required to guarantee stability until new and accurate FDI information
becomes available after a failure has occurred.

References
1. Bodson, M.: Identification with modeling uncertainty and reconfigurable control. In: Pro-
ceedings of the 32nd IEEE Conference on Decision and Control, pp. 2242–2247 (1993)
2. Jones, C.N.: Reconfigurable flight control. Technical report, Engineering Dept., Univer-
sity of Cambridge (2002)
3. Mayne, D.Q., Rawlings, J.B., Rao, C.V., Scokaert, P.O.M.: Constrained model predictive
control: stability and optimality. Automatica 36(6), 789–814 (2000)
4. Bemporad, A., Morari, M.: Robustness in identification and control, 245 (1999)
336 D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen

5. Qin, S.J., Badgwell, T.A.: A survey of industrial model predictive control technology.
Control Engineering Practice 11(7), 733–764 (2003)
6. Maciejowski, J.M.: Predictive control: with constraints. Pearson Education, Harlow
(2002)
7. van Soest, W.R., Chu, Q.P., Mulder, J.A.: Combined feedback linearization and con-
strained model predictive control for entry flight. Journal of Guidance, Control and Dy-
namics 29(2), 427–434 (2006)
8. van Eduard Oort, Q.P., Chu, J.A.: Robust Model Predictive Control of a Feedback Lin-
earized F-16/MATV Aircraft Model. In: Proceedings of the AIAA Guidance, Navigation,
and Control Conference and Exhibit, AIAA-2006-6318 (2006)
9. van den Boom, T.J.J.: Robust nonlinear predictive control using feedback linearization
and linear matrix inequalities. In: Proceedings of the American Control Conference, June
1997, pp. 3068–3072 (1997)
10. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable
flight control. Control Engineering Practice 13(6), 771–788 (2005)
11. Hallouzi, R., Verhaegen, M.: Reconfigurable fault tolerant control of a boeing 747 using
subspace predictive control. In: AIAA Guidance, Navigation and Control Conference
and Exhibit, AIAA 2007-6665 (2007)
12. Huisman, H.: Fault tolerant flight control based on real-time physical model identifica-
tion and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology
(2007)
13. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight
1862. In: IFAC Safeprocess Conference (2003)
14. Lombaerts, T., Chu, Q., Mulder, J., Joosten, D.: Real time damaged aircraft model identi-
fication for reconfiguring flight control. In: Proceedings of the AIAA Atmospheric Flight
Mechanics Conference and Exhibit, AIAA-2007-6717 (2007)
15. Isidori, A.: Nonlinear control systems. Springer, Heidelberg (1995)
16. Slotine, J.J.E., Li, W.: Applied nonlinear control. Prentice Hall, Englewood Cliffs (1991)
17. Preparata, F.P., Shamos, M.I.: Computational geometry: an introduction. Springer, New
York (1985)
18. Jones, C.N., Kerigan, E.C., Maciejowski, J.M.: Equality set projection: A new algorithm
for the projection of polytopes in halfspace representation. Technical Report CUED/F-
INFENG/TR.463, Department of Engineering, University of Cambridge (2004)
19. Joosten, D.A., van den Boom, T.J.J., Lombaerts, T.J.J.: Effective control allocation in
fault-tolerant flight control with MPC and feedback linearization. In: Proceedings of the
European Conference on Systems and control, Kos, Greece, July 2007, pp. 3552–3559
(2007)
20. Juliana, S., Chu, Q., Mulder, J., van Baten, T.: The analytical derivation of nonlinear
dynamic inversion control for parametric uncertain system. In: AIAA Guidance, Navigation,
and Control Conference and Exhibit, AIAA-2005-5849, San Francisco, CA
(August 2005)
21. Kothare, M.V., Balakrishnan, V., Morari, M.: Robust constrained model predictive con-
trol using linear matrix inequalities. Automatica 32(10), 1361–1379 (1996)
Chapter 12
A FTC Strategy for Safe Recovery against
Trimmable Horizontal Stabilizer Failure with
Guaranteed Nominal Performance

Jérome Cieslak, David Henry, and Ali Zolghadri

Jérome Cieslak
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: jerome.cieslak@laps.ims-bordeaux.fr
David Henry
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: david.henry@laps.ims-bordeaux.fr
Ali Zolghadri
IMS laboratory, Bordeaux 1 University, 351 cours de la libération, 33405 Talence cédex
e-mail: ali.zolghadri@laps.ims-bordeaux.fr

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 337–361.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

12.1 Introduction
The need for increased flight safety and aircraft reliability leads to the design of
reconfigurable fault tolerant control systems. Such systems are meant to manage
faulty situations and help the crew to recover control capabilities quickly. Fault
Tolerant Control (FTC) is one solution to tackle this problem and has received
considerable attention from the control research community and aeronautical engineering
researchers in the past couple of decades (for a survey, see for instance [1, 2, 3]).
The main objective of fault tolerant control is to maintain a specified performance
level in the presence of faults. Two approaches can be distinguished in this area:
passive and active. In the passive approach, the control algorithm is designed so that
the system is able to achieve its given objectives, in healthy as well as faulty
situations. Unfortunately, achieving robustness to certain faults is only possible at the
expense of decreased nominal performance. Active approaches react to fault events
by using a reconfiguration mechanism and, in certain cases, this ensures nominal
performance in fault free situations. This is a great benefit of active FTC approaches.
Active FTC is characterized by an on-line Fault Detection and Isolation (FDI) and
a reconfiguration mechanism. This scheme requires the control law to react to faults
through reconfiguration and FDI modules [4]. Many studies, based on a potentially
known fault scenario, have contributed to the development of active FTC strategies
for aeronautical systems (see for instance [3, 5, 6, 7]). The goal is to maintain overall
system stability and acceptable performance in spite of the occurrence of faults by
reconfiguring the nominal control law when a fault is detected by the FDI unit.
The FDI mechanism is supposed to detect and diagnose any relevant failures which
could lead to flight performance degradation. This must be done sufficiently early
and in compliance with the stringent operational and flight dynamics constraints, to
set up timely safe recovery actions and to improve the situation and awareness of
the crew.
The main difficulty that appears when integrating the different units to build a
reliable active FTC law is that each individual subsystem is assumed to operate cor-
rectly: its output is instantaneously available to provide decisions/actions to other
subsystems. This implies some interactions between the reconfigurable controller
and the FDI unit as mentioned for instance in [8, 2, 9, 10]. To take into account this
interaction, one solution could be the progressive accommodation scheme as pro-
posed in [11]. The goal is to find in one step a stabilizing solution and to iterate step
by step to refine the solution to determine an optimal solution (in the LQ sense).
However, in this case, computational burden could be a critical factor. Some work
combines a fault tolerant controller with a diagnostic filter. In [12], the authors use
the standard H∞ setting to design a nominal controller and a robust detection filter.
In this configuration, the Youla parametrization of all stabilizing controllers is se-
lected to ensure fault compensation, with the assurance that closed-loop stability is
maintained in the presence of a fault. In [13, 14, 15], the dual Youla parametrization
is used for determining the set of all faulty processes which can be stabilized by the
(nominal) control law. It is shown how both fault diagnosis and fault tolerant control
can be combined in the same architecture and this is an interesting framework for
analyzing the relationship between FDI and FTC. However, in order to cope with
performance degradation when faults are not detected by the FDI part, the authors
proposed to activate the fault tolerant controller all the time. As a consequence, their
approach is equivalent to a passive FTC scheme. Other work in the literature is based
on Linear Parameter Varying (LPV) techniques [16, 17, 18]. The idea is to use the
residual output of the FDI scheme jointly with some subspace of the system states,
as scheduling parameters of the LPV fault tolerant controller.
In this chapter, an attempt is made to provide an active FTC strategy which ad-
dresses the aforementioned issues, i.e. the development of a FTC scheme that takes
into account within the design procedure:
• the FDI scheme performance: the final goal is to design simultaneously the FDI
and the FTC units so that they attain a guaranteed performance level when they
operate together.
• the nominal autopilot and the nominal Flight Control System (FCS) are already
in place. (This way, stability is proved and flying qualities are maintained, despite
the presence of faults and uncertainties, e.g. mass and center of gravity variations)
The proposed approach is based on H∞ control theory. This aspect is an important
issue in this contribution. The H∞ setting has been chosen since it can be extended
to the LPV case using the L2-induced vector norm. In this work, the LTI setting
proved sufficient to address the FTC problem.

12.2 Nomenclature
Throughout this contribution, the following notations are used:
The Euclidean norm is always used and is written without a subscript; for example
$\|x\|$. Similarly in the matrix case, the induced vector norm is used: $\|A\| = \sigma(A)$,
where $\sigma(A)$ denotes the maximum singular value of $A$. Signals, for example $w(t)$
or $w$, are assumed to be of bounded energy, and their norm is denoted by $\|w\|_2$, i.e.
$\|w\|_2 = \left( \int_{-\infty}^{\infty} \|w(t)\|^2 \, dt \right)^{1/2} < \infty$. Linear models, for example $P(s)$ or simply $P$, are
assumed to be in $RH_\infty$, i.e. real rational functions with $\|P\|_\infty = \sup_\omega \sigma(P(j\omega)) < \infty$.
Block diagrams are used to represent interconnections of systems. For example,
the structure shown in Fig. 12.1 represents the equations

$$
\begin{aligned}
\eta &= \Delta \varepsilon \\
\varepsilon &= P_{11}\eta + P_{12}u \\
y &= P_{21}\eta + P_{22}u
\end{aligned}
\tag{12.1}
$$

In terms of the input u and output y, this can be expressed as the upper linear frac-
tional representation (LFR) y = Fu (P, Δ )u that is deduced from (12.1) using some
linear algebra manipulations:

$$F_u(P, \Delta) = P_{21}\Delta (I - P_{11}\Delta)^{-1} P_{12} + P_{22} \tag{12.2}$$

where P11 , P12 , P21 , P22 are deduced from the partition of P as illustrated in Fig. 12.1.
Similarly, the lower LFR $F_l(P, K)$ is defined according to

$$F_l(P, K) = P_{12}K(I - P_{22}K)^{-1} P_{21} + P_{11} \tag{12.3}$$

In this formulation, it is assumed that $\Delta$ belongs to a structure $\boldsymbol{\Delta}$ describing the set
of all model perturbations, so that

$$
\boldsymbol{\Delta} = \{ \mathrm{block\ diag}(\delta_1^r I_{k_1}, \ldots, \delta_{m_r}^r I_{k_{m_r}}, \delta_1^c I_{k_{m_r+1}}, \ldots, \delta_{m_c}^c I_{k_{m_r+m_c}}, \Delta_1^C, \ldots, \Delta_{m_C}^C),\ \delta_i^r \in \mathbb{R},\ \delta_i^c \in \mathbb{C},\ \Delta_i^C \in \mathbb{C} \}
\tag{12.4}
$$

where $\delta_i^r I_{k_i}$, $i = 1, \ldots, m_r$, $\delta_j^c I_{k_{m_r+j}}$, $j = 1, \ldots, m_c$ and $\Delta_l^C$, $l = 1, \ldots, m_C$ are known
respectively as the 'repeated real scalar' blocks, the 'repeated complex scalar' blocks
and the 'full complex' blocks.

Fig. 12.1 The interconnection structure of systems.
The following classical notations are used when dealing with aircraft
characteristics (the notation "•" refers to indices):
$p, q, r$ = roll, pitch, yaw rate.
$V_{TAS}$ = true air speed.
$\alpha, \beta$ = angle of attack and the side slip angle.
$\phi, \theta, \psi$ = roll, pitch, yaw angle.
$x_e, y_e, h$ = ground position of the aircraft.
$\delta_{a••}, \delta_{e••}, \delta_{r•}$ = aileron, elevator, rudder deflection.
$\delta_{sp•}, \delta_{f•}$ = spoiler and flap deflection.
$i_h$ = stabilizer deflection.
$EPR_•$ = thrust engine position.

12.3 Problem Statement


In the GARTEUR FM AG16 benchmark, the pilot commands are replaced by sig-
nals generated by the benchmark scenario generator. The autoflight system inte-
grates a longitudinal and a lateral controller. Each controller contains inner and
outer loops. Referring to Fig. 12.2, the autoflight system consists of the Flight Con-
trol System (FCS) which forms the inner control loop, and an outer loop represented
by the autopilot system (one autothrottle has not been considered in this study). In
addition, an on-board FDI unit has been placed within the simulator.
The faulty situation investigated in this contribution consists of the motion of
the Trimmable Horizontal Stabilizer (THS) surface at the maximum rate limit (i.e.
+0.5 deg/s) to the extreme positions. This is termed a runaway. We assume that
such faults correspond to a hardware malfunction and that it is then not possible to
act on the faulty THS surface to accommodate it or return it into its neutral position.
The goal is to develop a FTC scheme to accommodate this fault using the remaining
control surfaces.
Remark 12.1. Since the considered THS fault can be considered as a symmetric
fault, it acts only in the longitudinal motion of the aircraft. This key feature is an
important aspect for the following developments.

Fig. 12.2 Benchmark setup


Following the basic ideas presented in [19], the design of the FTC loop is tackled
according to the block diagram of Fig. 12.3. The proposed reconfigurable flight
control scheme is made-up of three parts: a FDI part represented by the dynamical
filters Hy (s), Hu (s) and a decision making rule, a FTC part represented by K̃(s)
which generates an additional control signal ũ to be added to the nominal control
signal uo in faulty situations, and a FTC activation mechanism to activate the FTC
strategy. Once again, the overall FTC strategy works in such a way that, in a fault
free situation, the FTC loop is not activated leaving the aircraft only controlled by
the autoflight control system. When the FTC strategy is activated, the control law is
reconfigured by adding the signal ũ to the nominal control signal uo . The activation
of this loop is done by using a switching logic, i.e. the autoflight control system is
not removed when no fault is present, and consequently the overall scheme ensures
nominal flight performance in fault free situations. The activation of the switch is
done by the decision making rule coming from the FDI unit.
The proposed architecture raises some important issues. The first question concerns
the activation delay of the FTC strategy. During this time interval, the faulty
system is controlled by the nominal control law, which has not been designed for
faulty situations. This problem is also closely related to the detection time delay of
the FDI part. In this contribution, a method is discussed to address this problem
efficiently. From Fig. 12.3, in a fault free situation, the FTC scheme is in open loop.
Consequently, an important requirement is that the interconnection of $H_y(s)$, $H_u(s)$
and $\tilde{K}(s)$ must be stable.
Since $H_y(s)$ and $H_u(s)$ are, by definition, stable detection filters (they generate
a residual signal vector $r(t)$), this problem is equivalent to a stability requirement
on $\tilde{K}(s)$. This will be discussed and clarified in section 12.6.

Fig. 12.3 The benchmark setup associated to the proposed FTC strategy
Fig. 12.4 General FTC setup with an analytical redundancy

Another important aspect is the availability of the FDI mechanism. In the case
of analytical redundancy, the representations of the filters Hy (s) and Hu (s) are also
available. The decision making rules that activate the FTC strategy are then moni-
tored by the residual signal r. The diagram in Fig. 12.3 can be then represented by
the diagram of Fig. 12.4 where Kn (s) is the autoflight control system and G(s) is the
model of the aircraft. The FTC design problem is now equivalent to the design of a
dynamical fault tolerant controller K̃(s) that ensures in some sense, input/output
insensitivity against the fault. This problem can be formulated in the following
manner:
Problem 12.1. Suppose that the faulty system is stabilisable. The goal is to design
a stable controller K̃(s) to produce the new control signal

u(t) = u0 (t) + K̃(s)r(t) (12.5)

such that the stability of the aircraft and the required control objectives are
guaranteed for the THS fault. Using an H∞ formulation [20, 21], this means that $\tilde{K}(s)$
should satisfy

$$\| F_l(P_1, \tilde{K}) \|_\infty < \gamma_1 \tag{12.6}$$

where $P_1(s)$ is deduced from $K_n(s)$, $G(s)$, $H_y(s)$ and $H_u(s)$ using standard algebraic
manipulations. The scalar $\gamma_1$ denotes some FTC performance level to be achieved.
In this formulation, $F_l(P_1, \tilde{K})$ corresponds to the lower LFT (linear fractional
transformation) of $P_1(s)$ by $\tilde{K}(s)$.

When the FDI mechanism is available on-board, the FTC problem can be seen as
the design of a new dynamical filter denoted by K(s), as seen in Fig. 12.5. The
on-board FDI unit is also used to manage the activation switch. In this case, the
synthesis Problem 12.1 can be formulated as follows:
Problem 12.2. Suppose that the faulty system is stabilisable. The goal is to design
a stable controller $K(s)$ to produce the new control signal

$$u(t) = u_0(t) + K(s) \begin{pmatrix} y(t) \\ u_0(t) \end{pmatrix} \tag{12.7}$$

such that the stability of the aircraft and the required control objectives are
guaranteed for the THS fault. This means in the H∞ framework that $K(s)$ should satisfy:

$$\| F_l(P_2, K) \|_\infty < \gamma_2 \tag{12.8}$$

Here, $P_2(s)$ is deduced from $K_n(s)$ and $G(s)$ after some straightforward algebraic
manipulation. Again, the scalar $\gamma_2$ represents some performance level to be
achieved.

Some key features of the proposed method are:
• the simultaneous design of the FDI unit and the FTC mechanism so that they
provide a guaranteed performance level when they operate together.
• the existing systems that are available on-board are retained to reduce the certi-
fication process. This includes the flight controller Kn and a FDI unit, if available.

In terms of the AG16 benchmark, it is assumed that an on-board FDI algorithm
is available. Thus, we focus on Problem 12.2. However it is assumed that the
sented developments still satisfy Problem 12.1, provided some assumptions that are
described in the following paragraph are satisfied. This means that in the context of
the AG16 problem, it is possible to take into account the model-based FDI schemes
proposed by the partners within the design procedure of the FTC scheme. This is
another important aspect of the proposed method.

Remark 12.2. In Figs. 12.4 and 12.5, it is natural to ask about the stability of the FTC
loop in the presence of the switch. Here, we assume that once a fault is detected, the
switch is definitively activated and the compensation signal ũ remains active for all
subsequent time. The remaining problem concerns the transient behaviour of ũ. To
avoid 'bumps', a solution to manage this problem is given in the appendix.

Fig. 12.5 General FTC setup with an on-board FDI scheme

12.4 Model-Based FDI Schemes: Some Assumptions for an Integrated FDI/FTC Design Approach
Before proceeding to the design of the FTC loop as depicted in Fig. 12.5, the struc-
ture of the FTC system presented in Fig. 12.4 is analyzed to highlight some in-
teresting features with respect to the interaction between the FDI and FTC units.
The goal is to derive some assumptions about the FDI schemes for an integrated
FDI/FTC design approach.

12.4.1 Analysis of the FTC Loop


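Consider the setup shown in Fig. 12.4. Let $(A, B, C, D)$, $(\tilde{A}, \tilde{B}, \tilde{C}, \tilde{D})$, $(A_u, B_u, C_u, D_u)$
and $(A_y, B_y, C_y, D_y)$ be the state-space representations of $G(s)$, $\tilde{K}(s)$, $H_u(s)$ and $H_y(s)$
respectively. The FTC loop state-space model $G_{FTC}(s)$, which is the transfer
function between the nominal control signal $u_0$ and the measurements $y$, is derived from
$G(s)$, $\tilde{K}(s)$, $H_u(s)$ and $H_y(s)$ according to:

$$
G_{FTC}: \left\{
\begin{aligned}
\begin{pmatrix} \dot{x}_c \\ \dot{x}_u \end{pmatrix} &= \begin{pmatrix} A_{11} & A_{12} \\ 0 & A_u \end{pmatrix} \begin{pmatrix} x_c \\ x_u \end{pmatrix} + \begin{pmatrix} B_1 \\ B_u \end{pmatrix} u_0 \\
y &= \begin{pmatrix} C_1 & C_2 \end{pmatrix} \begin{pmatrix} x_c \\ x_u \end{pmatrix} + D_{22} u_0
\end{aligned}
\right.
\tag{12.9}
$$

The matrices $A_{11}, A_{12}, B_1, C_1, C_2$ and $D_{22}$ are deduced from the aforementioned
state-space representations according to:

$$
A_{11} = \begin{pmatrix}
A + BM\tilde{D}D_yC & BM\tilde{C} & BM\tilde{D}C_y \\
\tilde{B}D_y(C + DM\tilde{D}D_yC) & \tilde{A} + \tilde{B}D_yDM\tilde{C} & \tilde{B}(I + D_yDM\tilde{D})C_y \\
B_y(I + DM\tilde{D}D_y)C & B_yDM\tilde{C} & A_y + B_yDM\tilde{D}C_y
\end{pmatrix}
\tag{12.10}
$$

$$
A_{12} = \begin{pmatrix} BM\tilde{D}C_u \\ \tilde{B}(I + D_yDM\tilde{D})C_u \\ B_yDM\tilde{D}C_u \end{pmatrix}
\qquad
B_1 = \begin{pmatrix} BM(I + \tilde{D}D_u) \\ \tilde{B}(D_u + D_yDM(I + \tilde{D}D_u)) \\ B_yDM(I + \tilde{D}D_u) \end{pmatrix}
\tag{12.11}
$$

$$
C_1 = \begin{pmatrix} C + DM\tilde{D}D_yC & DM\tilde{C} & DM\tilde{D}C_y \end{pmatrix}
\qquad
C_2 = DM\tilde{D}C_u
\tag{12.12}
$$

$$
D_{22} = DM(I + \tilde{D}D_u)
\qquad
M = (I - \tilde{D}D_yD)^{-1}
\tag{12.13}
$$

The augmented state vector $x_c$ is $x_c = (x^T\ \tilde{x}^T\ x_y^T)^T$
where $x$, $\tilde{x}$, $x_y$ and $x_u$ are the state
vectors associated with $G(s)$, $\tilde{K}(s)$, $H_y(s)$ and $H_u(s)$ respectively.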
From (12.9), it can be seen that the poles of $G_{FTC}(s)$ are given by the eigenvalues
of $A_{11}$ and $A_u$. Note that the expression for $A_{11}$ does not contain the $A_u, B_u, C_u$
and $D_u$ matrices. It follows that $H_u(s)$ (stable filter) does not impact on the
stability of $G_{FTC}(s)$. This property justifies the choice to take the signal $u_0$ for the FDI
part instead of $u$, in which case an internal loop would appear, affecting the stability of
$G_{FTC}(s)$.
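The following numerical check is an added example, not part of the original chapter: it assembles $G_{FTC}$ from (12.9)–(12.13) for constructed random MIMO subsystems, compares its frequency response with the one obtained directly from the loop equations, and confirms that the characteristic polynomial factors into those of $A_{11}$ and $A_u$. It assumes the sign conventions $u = u_0 + \tilde{K} r$ and $r = H_y y + H_u u_0$ read from (12.5) and Fig. 12.4; all function names are hypothetical.

```python
import numpy as np

def freq_resp(sys, s):
    """Evaluate C (sI - A)^{-1} B + D at the complex frequency s."""
    A, B, C, D = sys
    return C @ np.linalg.solve(s * np.eye(A.shape[0]) - A, B) + D

def build_gftc(G, Kt, Hy, Hu):
    """State-space model of G_FTC (u0 -> y) assembled from (12.9)-(12.13)."""
    A, B, C, D = G
    At, Bt, Ct, Dt = Kt          # K~(s): residual r -> compensation u~
    Ay, By, Cy, Dy = Hy          # Hy(s): measurement y -> residual
    Au, Bu, Cu, Du = Hu          # Hu(s): nominal control u0 -> residual
    m, p, q = B.shape[1], C.shape[0], Dy.shape[0]
    Im, Ip, Iq = np.eye(m), np.eye(p), np.eye(q)
    M = np.linalg.inv(Im - Dt @ Dy @ D)                      # (12.13)
    A11 = np.block([
        [A + B @ M @ Dt @ Dy @ C, B @ M @ Ct, B @ M @ Dt @ Cy],
        [Bt @ Dy @ (C + D @ M @ Dt @ Dy @ C), At + Bt @ Dy @ D @ M @ Ct,
         Bt @ (Iq + Dy @ D @ M @ Dt) @ Cy],
        [By @ (Ip + D @ M @ Dt @ Dy) @ C, By @ D @ M @ Ct,
         Ay + By @ D @ M @ Dt @ Cy]])                        # (12.10)
    A12 = np.vstack([B @ M @ Dt @ Cu,
                     Bt @ (Iq + Dy @ D @ M @ Dt) @ Cu,
                     By @ D @ M @ Dt @ Cu])                  # (12.11)
    E = Im + Dt @ Du
    B1 = np.vstack([B @ M @ E,
                    Bt @ (Du + Dy @ D @ M @ E),
                    By @ D @ M @ E])                         # (12.11)
    C1 = np.hstack([C + D @ M @ Dt @ Dy @ C, D @ M @ Ct, D @ M @ Dt @ Cy])
    C2 = D @ M @ Dt @ Cu                                     # (12.12)
    D22 = D @ M @ E                                          # (12.13)
    AG = np.block([[A11, A12],
                   [np.zeros((Au.shape[0], A11.shape[0])), Au]])
    return (AG, np.vstack([B1, Bu]), np.hstack([C1, C2]), D22), A11

def direct_gftc(G, Kt, Hy, Hu, s):
    """Same map from the loop equations: y = G (u0 + K~ (Hy y + Hu u0))."""
    g, k, hy, hu = (freq_resp(x, s) for x in (G, Kt, Hy, Hu))
    return np.linalg.solve(np.eye(g.shape[0]) - g @ k @ hy,
                           g @ (np.eye(g.shape[1]) + k @ hu))

def random_system(rng, n, n_in, n_out):
    """Constructed test data: random (A, B, C, D) with a small feedthrough."""
    return (rng.standard_normal((n, n)), rng.standard_normal((n, n_in)),
            rng.standard_normal((n_out, n)),
            0.3 * rng.standard_normal((n_out, n_in)))

def check(seed=0, s=1.0 + 5.0j):
    """Return (responses match, poles split into eig(A11) and eig(Au))."""
    rng = np.random.default_rng(seed)
    m, p, q = 2, 2, 2                      # inputs, outputs, residuals
    G = random_system(rng, 3, m, p)
    Kt = random_system(rng, 2, q, m)
    Hy = random_system(rng, 2, p, q)
    Hu = random_system(rng, 2, m, q)
    gftc, A11 = build_gftc(G, Kt, Hy, Hu)
    match = np.allclose(freq_resp(gftc, s), direct_gftc(G, Kt, Hy, Hu, s))
    # det(sI - AG) = det(sI - A11) det(sI - Au): Hu adds poles, moves none.
    split = np.allclose(np.poly(gftc[0]),
                        np.polymul(np.poly(A11), np.poly(Hu[0])))
    return bool(match), bool(split)

if __name__ == "__main__":
    print(check())
```

Because $D \neq 0$ in the constructed data, the check also exercises the well-posedness term $M = (I - \tilde{D}D_yD)^{-1}$, which drops out when $G(s)$ is strictly proper.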
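Now, consider the diagram in Fig. 12.5 and let the state-space realizations of
the transfer function matrices $K_n(s)$ and $G_{FTC}(s)$ (see equation (12.9)) be given by
$(A_n, B_n, C_n, D_n)$ and $(A_G, B_G, C_G, D_G)$ respectively. By definition

$$
A_G = \begin{pmatrix} A_{11} & A_{12} \\ 0 & A_u \end{pmatrix}
\qquad
B_G = \begin{pmatrix} B_1 \\ B_u \end{pmatrix}
\qquad
C_G = \begin{pmatrix} C_1 & C_2 \end{pmatrix}
\qquad
D_G = D_{22}
\tag{12.14}
$$

Let $x_n$ be the state vector of $K_n(s)$ and denote by $x_G$ the augmented vector so that
$x_G = (x^T\ \tilde{x}^T\ x_y^T\ x_u^T)^T$. Direct calculations lead to the following closed loop
state-space model

$$
\left\{
\begin{aligned}
\begin{pmatrix} \dot{x}_G \\ \dot{x}_n \end{pmatrix} &= A_T \begin{pmatrix} x_G \\ x_n \end{pmatrix} + B_T\, y_{ref} \\
y &= C_T \begin{pmatrix} x_G \\ x_n \end{pmatrix} + D_T\, y_{ref}
\end{aligned}
\right.
\tag{12.15}
$$

where $A_T, B_T, C_T$ and $D_T$ are given by:

$$
A_T = \begin{pmatrix} A_G - B_G D_n N C_G & B_G C_n - B_G D_n N D_G C_n \\ -B_n N C_G & A_n - B_n N D_G C_n \end{pmatrix}
\qquad
B_T = \begin{pmatrix} B_G D_n (I - N D_G D_n) \\ B_n (I - N D_G D_n) \end{pmatrix}
\tag{12.16}
$$

$$
C_T = \begin{pmatrix} N C_G & N D_G C_n \end{pmatrix}
\qquad
D_T = N D_G D_n
\qquad
N = (I + D_G D_n)^{-1}
\tag{12.17}
$$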
Expression (12.15) shows that the stability of the overall loop depends on the stabil-
ity of the FDI filter. This is an expected and rather evident result. Then, expression
(12.15) reveals that the FDI and FTC dynamics are highly coupled.

12.4.2 Some Outlines for the Design


The above analysis allows an outline for the design of an integrated FTC/FDI unit.
A nice feature of the proposed FTC architecture presented in Fig. 12.3, is that the
K(s) filter can be seen as the set of all admissible FDI/FTC units which achieve
some level of performance represented by γ2 (see Problem 12.2). This suggests the
following design procedure. First, design K(s) according to some FTC objectives.
Once K(s) is designed, the challenge is to deduce from K(s) the FDI part Hy (s) and
Hu (s), and the FTC part K̃(s). The proposed procedure consists of designing Hy (s)
and Hu (s) and then to integrate the FDI performance specifications into the FTC
design procedure. Thus, the FDI/FTC couple obtained is a solution to the problem
of integrated FTC/FDI unit design, if and only if this couple belongs to the set $K(s)$,
that is if

$$\| F_l(P_2, F_l(F, \tilde{K})) \|_\infty < \gamma_2 \qquad F(s) = (H_y(s)\ \ H_u(s)) \tag{12.18}$$

12.4.3 The Case of an Observer-Based FDI Scheme


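Now suppose that the FDI scheme has an observer-based architecture: that is

$$H_u(s) = C(sI - A - LC)^{-1}B \qquad H_y(s) = -C(sI - A - LC)^{-1}L - I \tag{12.19}$$

where $L$ denotes the observer gain. Now, suppose without loss of generality that
$D = 0$, i.e. $G(s)$ is a strictly proper transfer function. Then, equation (12.15) becomes

$$
\left\{
\begin{aligned}
\begin{pmatrix} \dot{x} \\ \dot{x}_n \\ \dot{\tilde{x}} \\ \dot{\zeta} \end{pmatrix}
&=
\begin{pmatrix}
A - BD_nC & BC_n & B\tilde{C} & B\tilde{D}C \\
-B_nC & A_n & 0 & 0 \\
0 & 0 & \tilde{A} & \tilde{B}C \\
0 & 0 & -B\tilde{C} & A + LC - B\tilde{D}C
\end{pmatrix}
\begin{pmatrix} x \\ x_n \\ \tilde{x} \\ \zeta \end{pmatrix}
+
\begin{pmatrix} BD_n \\ B_n \\ 0 \end{pmatrix} y_{ref} \\
y &= (C\ \ 0) \begin{pmatrix} x \\ x_n \\ \tilde{x} \\ \zeta \end{pmatrix}
\end{aligned}
\right.
\tag{12.20}
$$

where $0$ and $\zeta$ denote the null matrix of appropriate dimension and the estimation
error $x - \hat{x}$ respectively.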
Noting that the A-matrix in (12.20) is upper block triangular, it follows that the
stability of the global FTC scheme depends on the local FTC loop K̃(s) and the
nominal control law Kn (s). In other words, (12.20) reveals a separation principle.
This suggests a very interesting design procedure that is well known in the LQG
(Linear Quadratic Gaussian) control theory namely: the local FTC and the observer-
based FDI schemes can be designed separately.

12.5 Important Issues about Stability and Performance in Faulty Situations
Recalling the definition of GFTC , it is clear that as long as GFTC is close to G (see
Fig. 12.4 for easy reference) in some metric sense, then stability and nominal per-
formance are preserved, despite the presence of faults. Thus, the goal is to design
Hy (s), Hu (s), K̃(s) (or equivalently K(s)) so that

$$\min_{(H_y, H_u, \tilde{K})/K} \mathcal{M}(G_{FTC}, G) \tag{12.21}$$

where $\mathcal{M}(\cdot)$ denotes a metric.


Since this problem is addressed within the H∞ setting and more precisely within
the ‘mixed sensitivity’ approach [20, 22], it is easy to prove using H∞ theory that
this problem can be addressed using the singular value framework, or the structured
singular value formalism [23] if G and therefore GFTC , involves model perturbations
$\Delta \in \boldsymbol{\Delta}$ (see the nomenclature section 12.2 or [23] if necessary). Thus, applying the
'mixed sensitivity' H∞ theory leads to the following proposition:

Proposition 12.1. Consider the diagrams depicted in Figs. 12.4 and 12.5. Let S, R, T
denote respectively the (nominal) sensitivity function, the sensitivity function of the
controlled input and the complementary sensitivity function, i.e.

$$S = (I + GK_n)^{-1} \qquad R = K_n(I + GK_n)^{-1} \qquad T = GK_n(I + GK_n)^{-1} \tag{12.22}$$


Denote W1 ,W2 and W3 as the weighting functions used to shape S, R and T respec-
tively. Then, a necessary and sufficient condition for the FTC loop composed by
$H_y(s)$, $H_u(s)$, $\tilde{K}(s)$ (or equivalently $K(s)$) to preserve stability and performance is:

$$\sigma(S_{FTC}(j\omega)) \leq \sigma(W_1^{-1}(j\omega)) \quad \forall \omega \tag{12.23}$$

$$\sigma(R_{FTC}(j\omega)) \leq \sigma(W_2^{-1}(j\omega)) \quad \forall \omega \tag{12.24}$$

$$\sigma(T_{FTC}(j\omega)) \leq \sigma(W_3^{-1}(j\omega)) \quad \forall \omega \tag{12.25}$$

The index $FTC$ is used to denote the faulty sensitivity functions. These are defined
according to (12.22) where $G$ is replaced by $G_{FTC}$.

The gap between $\sigma(W_1^{-1}(j\omega))$, $\sigma(W_2^{-1}(j\omega))$, $\sigma(W_3^{-1}(j\omega))$ and $\sigma(S_{FTC}(j\omega))$,
$\sigma(R_{FTC}(j\omega))$, $\sigma(T_{FTC}(j\omega))$ respectively, $\forall \omega$, indicates the loss of the FTC loop
performance with regard to the nominal one.
If $\sigma(S_{FTC}(j\omega)) = \sigma(S(j\omega))$, $\sigma(R_{FTC}(j\omega)) = \sigma(R(j\omega))$ and $\sigma(T_{FTC}(j\omega)) =
\sigma(T(j\omega))$ $\forall \omega$, or equivalently $\mathcal{M}(G_{FTC}, G) = 0$, then the same performance (and
therefore stability) is attained in both the fault free and faulty situations. This means, for
example, that the fault is fully compensated using the remaining fault-free actuators.

12.6 FM-AG16 FTC Problem


Now consider the problem of designing the FTC loop to compensate THS runaway
failures. We assume that an on-board fault diagnosis unit that detects and isolates
this fault type is available. Thus, the problem we focus on is Problem 12.2, i.e. the
goal is to design K(s) such that (12.7) and (12.8) are achieved.

12.6.1 Modelling the Aircraft Dynamics


The benchmark model includes aircraft aerodynamic models and engines. In addi-
tion, actuator and sensor characteristics are taken into account, together with models
for wind, atmospheric turbulence and faults. The aerodynamic forces and moments
are defined in terms of aerodynamic coefficients. These coefficients are given in the
form of look-up tables. They are functions of a wide set of parameters (pitch angle,
angle of attack, true airspeed, altitude, etc.). The dimension of the aircraft output
vector is 142. However, not all of these output signals are necessary to control the
aircraft. Indeed, the FCS (inner control loop) uses only 16 measured signals and the
autopilot, which corresponds to the outer control loop, needs 67 measured signals.
The dynamical behaviour of the aircraft is described by the following nonlinear state
representation:

$$
\begin{aligned}
\dot{x}_{NL}(t) &= f(x_{NL}(t), u_{NL}(t)) \\
y_{NL}(t) &= g(x_{NL}(t), u_{NL}(t)) + v(t)
\end{aligned}
\tag{12.26}
$$
where xNL , uNL , yNL are the state, input, and output vectors of the full aircraft non-
linear model. The signals v are the measurement noises which are assumed to be
Gaussian distributed random signals. In this formulation, it is assumed that model
parameters (mass, inertia, etc.) are fixed at their nominal values.
The nonlinear model is then trimmed according to:

$$h = 1000\ \mathrm{m}, \quad V_{TAS} = 133.8\ \mathrm{m/s}, \quad m = 263000\ \mathrm{kg}, \quad M = 0.3977 \tag{12.27}$$

$$p = q = r = 0, \quad \theta = \alpha = 3.95\ \mathrm{deg}, \quad \beta = \phi = \psi = 0 \tag{12.28}$$

Simplified models for the longitudinal and lateral modes can then be derived to
obtain a better physical insight into the modes and their interactions. These models
are widely used in aeronautical engineering and are not developed here. Since the
fault considered here acts only on the longitudinal motion of the aircraft (see Remark
12.1), only the longitudinal mode is considered. This boils down to the following
state space model:

$$
\begin{aligned}
\dot{x}(t) &= Ax(t) + Bu(t) \\
y(t) &= Cx(t) + v(t)
\end{aligned}
\tag{12.29}
$$

where $x$ denotes the longitudinal state vector which is defined by $x =
(q\ \ V_{TAS}\ \ \alpha\ \ \theta\ \ h)^T$. The vector $u = (\delta_{e••}\ \ i_h)^T$ is the control input and $y =
(q\ \ \theta\ \ \dot{h}\ \ h\ \ V_{TAS})^T$ is the measured output vector.
Taking into account the THS fault and after some abuse of notation, the following
linear state-space model is derived:

$$
\begin{aligned}
\dot{x}(t) &= Ax(t) + B_e u(t) + B_f f_{THS}(t) \\
y(t) &= Cx(t) + v(t)
\end{aligned}
\tag{12.30}
$$

The input signals $u = \delta_{e••}$ correspond to the elevator deflections, and $f_{THS} = i_h$
denotes the THS fault. The state space matrices $A$, $B_e$, $B_f$ and $C$ are defined according
to

$$
A = \begin{pmatrix}
-6.7926 \cdot 10^{-1} & -8.6 \cdot 10^{-6} & -8.856 \cdot 10^{-1} & 0 & -3.45 \cdot 10^{-6} \\
-1.6179 \cdot 10^{-1} & -7.588 \cdot 10^{-3} & 4.9965 & -9.8 & 4.59 \cdot 10^{-5} \\
1.0084 & -1.0036 \cdot 10^{-3} & -6.735 \cdot 10^{-1} & 0 & 5.9 \cdot 10^{-6} \\
1 & 0 & 0 & 0 & 0 \\
0 & 0 & -1.338 \cdot 10^{2} & 1.338 \cdot 10^{2} & 0
\end{pmatrix}
\tag{12.31}
$$

$$
B_e = \begin{pmatrix}
-4.965 \cdot 10^{-3} & -4.965 \cdot 10^{-3} & -4.794 \cdot 10^{-3} & -4.794 \cdot 10^{-3} \\
0 & 0 & 0 & 0 \\
-1.86 \cdot 10^{-4} & -1.86 \cdot 10^{-4} & -1.9 \cdot 10^{-4} & -1.9 \cdot 10^{-4} \\
0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0
\end{pmatrix}
\tag{12.32}
$$

$$
B_f = \begin{pmatrix}
-4.5944 \cdot 10^{-2} \\
0 \\
-1.912 \cdot 10^{-3} \\
0 \\
0
\end{pmatrix}
\tag{12.33}
$$

$$
C = \begin{pmatrix}
1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 \\
0 & 0 & -1.338 \cdot 10^{2} & 1.338 \cdot 10^{2} & 0 \\
0 & 0 & 0 & 0 & 1 \\
0 & 1 & 0 & 0 & 0
\end{pmatrix}
\tag{12.34}
$$

Note that this model is clearly an approximation of the real faulty behaviour of the
aircraft. To validate the above linear model, nonlinear simulations were performed
versus linear ones. For easy reference, measurement noises have been removed in
the simulations. Figure 12.6 shows linear and nonlinear simulation results. It can be
seen that the linearized model responses are close to the responses of the nonlinear
model given in (12.26).

Fig. 12.6 Dynamic behaviour of the outputs predicted by the linear and nonlinear models for
the considered THS fault
Fig. 12.7 Autoflight and FCS systems for longitudinal motions

12.6.2 Modeling the Autoflight and FCS Systems


For longitudinal motion, the Autoflight and FCS systems which have been used are
represented in Fig. 12.7. It can be seen from this figure that the elevator control
system is composed of control loops that manage the elevator control surface δe•• .
The THS position is controlled by thumb switches on the pilot and co-pilot control
wheels (actions given by the test scenarios). The autoflight control system is a gain
scheduled controller where the scheduling parameters are h and VTAS . The scalars
K1 , K2 , K3 , K4 , K5 and K6 are constant gains and K7 (s) and K8 (s) are dynamical con-
trollers designed to maintain stability and performance during longitudinal flight.

12.6.3 Design of K(s)


Following the developments presented in Section 12.3, the problem of designing
a FTC loop able to accommodate the THS fault is considered as illustrated in
Fig. 12.8.

Fig. 12.8 The FTC scheme


Fig. 12.9 The “mixed sensitivity” scheme

To this end, the 'mixed sensitivity' H∞ approach is used [20, 22]. The setup used
for the design problem is given in Fig. 12.9. $W_1(s)$ and $W_2(s)$ are the weighting
functions used to shape the transfer functions $S_{FTC}(s)$ and $R_{FTC}(s)$ given by

$$S_{FTC}(s) = \left( I + C(sI - A)^{-1} B_e K(s) M \right)^{-1} C(sI - A)^{-1} B_f \tag{12.35}$$

$$R_{FTC}(s) = K(s) M S_{FTC}(s) \tag{12.36}$$

where the matrix $M = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}$ is introduced to select $h$ and $\theta$ from $y$ (see Fig.
12.8 for easy reference). $S_{FTC}(s)$ and $R_{FTC}(s)$ also refer to the faulty sensitivity
function and the faulty sensitivity function of the controlled input respectively.
Using some linear-fractional algebra manipulations, the problem illustrated in
Fig. 12.9 can be re-cast in a standard H∞ form, as illustrated in Fig. 12.10. Then
K(s) can be computed using any standard H∞ control design method [22]. However,
as outlined in section 12.3, K(s) operates in an open loop manner in a fault free
situation. Therefore, K(s) must be designed to be stable. This problem is referred to
in the literature as the H∞ strong stabilization problem which can be formulated in
our context as follows:
Problem 12.3. Consider the problem depicted in Fig. 12.10. The goal is to find a
stabilizing controller $K(s) \in RH_\infty$ such that

$$\| F_l(P, K) \|_\infty < \gamma \qquad \gamma < 1 \tag{12.37}$$

where $P(s)$ is deduced from Fig. 12.10 by including $W_1(s)$ and $W_2(s)$ within
$G_u(s) = C(sI - A)^{-1}B_e$ and $G_f(s) = C(sI - A)^{-1}B_f$.

ARE (Algebraic Riccati Equation) solutions exist in the literature that address this
problem, see for instance [24].
As an alternative, the following technique which has been revealed to be compu-
tationally powerful, is proposed. It is based on the Youla parametrisation (the Youla
parameter is denoted Q(s)) that facilitates the definition of the set of all controllers
satisfying (12.37):
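Proposition 12.2. Assume that a solution to the optimal H∞ problem above exists
for a $\gamma < 1$, i.e. there exists $K(s) = F_l(\hat{K}(s), Q(s))$ with $Q \in RH_\infty$ and $\|Q\|_\infty < \gamma$
such that (12.37) holds. Denote by $F_l(\hat{K}(s), Q(s))$ the set of all controllers satisfying
(12.37). Then, there exists a solution to the H∞ strong stabilization Problem 12.3 if
and only if there exists $Q = \left[ \begin{array}{c|c} A_q & B_q \\ \hline C_q & D_q \end{array} \right]$ of some suitable order with $\|Q\|_\infty < \gamma$ such
that

$$
A = \begin{pmatrix}
\hat{A} + \hat{B}_2 \hat{R}^{-1} D_q \hat{C}_2 & \hat{B}_2 \hat{R}^{-1} C_q \\
B_q \hat{S}^{-1} \hat{C}_2 & A_q + B_q \hat{S}^{-1} \hat{D}_{22} C_q
\end{pmatrix}
\tag{12.38}
$$

is stable, where $\hat{R} = I - D_q \hat{D}_{22}$ and $\hat{S} = I - \hat{D}_{22} D_q$. The matrix $A$ denotes the system
matrix associated with $K(s)$ and $\hat{A}, \hat{B}_1, \hat{B}_2, \hat{C}_1, \hat{C}_2, \hat{D}_{11}, \hat{D}_{12}, \hat{D}_{21}$ and $\hat{D}_{22}$ denote the
state space matrices associated with $\hat{K}(s)$, i.e. $\hat{K}(s) = \left[ \begin{array}{c|cc} \hat{A} & \hat{B}_1 & \hat{B}_2 \\ \hline \hat{C}_1 & \hat{D}_{11} & \hat{D}_{12} \\ \hat{C}_2 & \hat{D}_{21} & \hat{D}_{22} \end{array} \right]$.
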
This proposition shows that Problem 12.3 is equivalent to finding a suitable Youla
parameter such that A is stable and ||Q||∞ < γ . In particular, the central controller
K(s) = Fl (K̂(s), 0) = K̂(s) is a suitable solution if a stable  is found.
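
The stability test of Proposition 12.2 carried out numerically, as an added example that is not part of the original chapter: the block assembles the matrix of (12.38) from the partitions of K̂(s) and a candidate Q(s), then checks it with an exact Routh-Hurwitz test. All numerical values and function names are constructed for illustration (a two-state K̂ with an unstable Â and a first-order Q), and the ||Q||∞ formula used holds only for a first-order stable Q.

```python
from fractions import Fraction

def eye(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]

def mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def add(a, b, sign=1):
    return [[x + sign * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def inv(a):
    """Exact Gauss-Jordan inverse; a singular R or S means the Q loop is ill-posed."""
    n = len(a)
    aug = [list(row) + unit for row, unit in zip(a, eye(n))]
    for c in range(n):
        pivot = next((r for r in range(c, n) if aug[r][c] != 0), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[c], aug[pivot] = aug[pivot], aug[c]
        aug[c] = [v / aug[c][c] for v in aug[c]]
        for r in range(n):
            if r != c:
                aug[r] = [x - aug[r][c] * y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def youla_state_matrix(a_hat, b2, c2, d22, aq, bq, cq, dq):
    """State matrix (12.38) of K = Fl(K_hat, Q)."""
    r_inv = inv(add(eye(len(dq)), mul(dq, d22), -1))   # R = I - Dq D22
    s_inv = inv(add(eye(len(d22)), mul(d22, dq), -1))  # S = I - D22 Dq
    a11 = add(a_hat, mul(mul(mul(b2, r_inv), dq), c2))
    a12 = mul(mul(b2, r_inv), cq)
    a21 = mul(mul(bq, s_inv), c2)
    a22 = add(aq, mul(mul(mul(bq, s_inv), d22), cq))
    return [u + v for u, v in zip(a11, a12)] + [u + v for u, v in zip(a21, a22)]

def char_poly(a):
    """Coefficients of det(sI - A), highest power first (Faddeev-LeVerrier)."""
    n = len(a)
    coeffs, m = [Fraction(1)], eye(n)
    for k in range(1, n + 1):
        am = mul(a, m)
        c = -sum(am[i][i] for i in range(n)) / k
        coeffs.append(c)
        m = add(am, [[c * v for v in row] for row in eye(n)])
    return coeffs

def is_hurwitz(coeffs):
    """Routh test: True only if every root has a strictly negative real part."""
    if any(c <= 0 for c in coeffs):
        return False                      # necessary condition (leading coefficient is 1)
    n = len(coeffs) - 1
    width = n // 2 + 1
    prev = coeffs[0::2] + [Fraction(0)] * (width - len(coeffs[0::2]))
    cur = coeffs[1::2] + [Fraction(0)] * (width - len(coeffs[1::2]))
    for _ in range(n - 1):
        if cur[0] <= 0:                   # zero or sign change in the first column
            return False
        nxt = [(cur[0] * prev[j + 1] - prev[0] * cur[j + 1]) / cur[0]
               for j in range(width - 1)] + [Fraction(0)]
        prev, cur = cur, nxt
    return cur[0] > 0

def first_order_hinf_norm(aq, bq, cq, dq):
    """||Q||inf for a stable first-order SISO Q: |Q(jw)| is monotonic in w,
    so the peak is at w = 0 or w = infinity."""
    a, b, c, d = aq[0][0], bq[0][0], cq[0][0], dq[0][0]
    if a >= 0:
        raise ValueError("Q must be stable")
    return max(abs(d), abs(d - c * b / a))

# Constructed data: the partitions of K_hat that enter (12.38); A_hat is unstable.
A_HAT = [[Fraction(0), Fraction(1)], [Fraction(2), Fraction(-1)]]
B2_HAT = [[Fraction(0)], [Fraction(4)]]
C2_HAT = [[Fraction(1), Fraction(0)]]
D22_HAT = [[Fraction(1, 2)]]
# Constructed first-order Youla parameter Q(s) = Dq + Cq (s - Aq)^-1 Bq.
AQ, BQ = [[Fraction(-3)]], [[Fraction(1)]]
CQ, DQ = [[Fraction(-1, 4)]], [[Fraction(-4, 5)]]
GAMMA = Fraction(9, 10)

if __name__ == "__main__":
    print("central controller stable:", is_hurwitz(char_poly(A_HAT)))
    a_cl = youla_state_matrix(A_HAT, B2_HAT, C2_HAT, D22_HAT, AQ, BQ, CQ, DQ)
    print("char. polynomial of (12.38):", [str(c) for c in char_poly(a_cl)])
    print("K = Fl(K_hat, Q) stable:", is_hurwitz(char_poly(a_cl)))
    print("||Q||inf =", first_order_hinf_norm(AQ, BQ, CQ, DQ), "< gamma =", GAMMA)
```

With this data the central controller is unstable, while the chosen Q gives a stable K(s) and still satisfies ||Q||∞ < γ.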
The weighting function W1(s) has been chosen to impose a small damping ratio
on the altitude h (m) and the pitch angle θ (rad) in the faulty situation. Moreover
an integral component is introduced in W1(s) to ensure rejection of the THS fault.
The transfer function W2(s) has been fixed to take into account actuator saturation
phenomena. More precisely, $W_2^{-1}(s)$ is a low pass filter. This choice is required
to attenuate the energy of the control signal applied to the elevator surfaces such
that the control signal behaviour remains smooth (high frequency filter action). The
transfer functions W1(s) and W2(s) are defined according to

\[ W_1(s) = \mathrm{diag}(W_\theta(s), W_h(s)) = \mathrm{diag}\left( 18\,\frac{0.5s + 1}{5\cdot10^{-2}s + 1},\; \frac{50s + 1}{10^{-7}s + 1} \right) \tag{12.39} \]

\[ W_2(s) = 0.1\,\frac{0.1s + 1}{2.5\cdot10^{-4}s + 1}\, I_4 \tag{12.40} \]

Fig. 12.10 The standard H∞ design problem



Fig. 12.11 Post analysis of the computed solution K(s)

From this choice, it is assumed that GFTC (s) will be ‘close’ to G(s) despite the
presence of the THS fault. Thus, following section 12.5, stability of the FTC law
is proved and nominal performance is preserved. This will be a posteriori verified
using a singular values analysis (see Fig. 12.11).
The transfer function K(s) is then synthesized by applying Proposition 12.2. Note
that the central solution K = Fl(K̂, 0) = K̂ is retained since Â is stable. The computed
controller K̂ is given in its state-space form in the appendix. Figure 12.11 shows the
frequency responses obtained for the computed solution K(s). It can be seen that

\[ \sigma\left(T_{f_{THS} \to \theta}(j\omega)\right) < \sigma\left(W_\theta^{-1}(j\omega)\right) \quad \forall\omega \tag{12.41} \]

\[ \sigma\left(T_{f_{THS} \to h}(j\omega)\right) < \sigma\left(W_h^{-1}(j\omega)\right) \quad \forall\omega \tag{12.42} \]

and

\[ \sigma\left(T_{f_{THS} \to \delta_{e\bullet\bullet}}(j\omega)\right) < \sigma\left(W_2^{-1}(j\omega)\right) \quad \forall\omega \tag{12.43} \]

indicating that the FTC controller K(s) achieves the desired performance level.
Moreover, the small gap between the singular values and the associated weighting
functions shows definitively that the nominal performance of the benchmark control
law is preserved.

12.6.4 Nonlinear Simulation Results


The controller K(s) has been implemented within the nonlinear aircraft simulator as
illustrated in Fig. 12.8.
The faulty scenario corresponds to the THS fault occurring at t = 5 s. To emphasize
the benefit of the proposed FTC scheme, the same simulation is carried out in the
fault free situation. In this situation, the system is controlled only by the standard
FCS. Figure 12.12 illustrates the behaviour of the aircraft in both fault free (FCS
engaged) and faulty situations (FTC strategy engaged).
It can be seen that with the designed FTC scheme, the aircraft maintains a normal
flight trajectory and is landed safely. Figure 12.13 illustrates more precisely the
behaviour of the aircraft via the altitude h(t), the pitch rate q(t), the velocity VTAS(t),
the pitch angle θ(t), the altitude rate ḣ(t) and the control signals δe••(t). It can be
seen from the plots that the flying conditions in the faulty situation are close to the
fault free ones, i.e. quick compensation of the fault with damping ratio almost null
on input/output system signals.
Furthermore, it can be seen that, as expected, the elevator deflections do not
violate the position and rate limits (the deflection and rate limits for the elevators are
[−23 deg; +17 deg] and ±37 deg/s, respectively).

Fig. 12.12 Behavior of the aircraft - Landing approach


Fig. 12.13 Behavior of h(t), q(t), VTAS(t), θ(t), ḣ(t) - Landing approach [plot panels: elevator surfaces [deg], q [deg/s], theta [deg], hdot [m/s], h [m] and VTAS [m/s] against time (s); fault free situation and faulty situation]

Fig. 12.14 Behavior of the load factor [plot: Nz [g] against time (s); fault-free trajectory and with FTC strategy in faulty situation]

Figure 12.14 illustrates the behaviour of the load factor nz (t). It can be seen that
the magnitude of the undesirable transients on nz caused by the occurrence of faults
is reduced. From a practical point of view, the aircraft exhibits smaller excursions
in altitude, airspeed, etc.

Remark 12.3. Following Remark 12.2, the activation of the switch may cause some
undesirable transient behaviours of both the input/output signals u/y. These
phenomena, known as ‘bumps’, are due to discontinuities between the two switched
control laws. To overcome this problem, a solution is discussed in Appendix A.
Here, such a ‘bumpless’ solution has turned out not to be necessary.

12.7 Concluding Remarks


The faulty situation investigated in this contribution corresponds to a movement to
an extreme position of the Trimmable Horizontal Stabilizer (THS) occurring when
the airplane is in normal flight. As the design of the FDI is not of primary interest in
this work, information coming from available on-board detection mechanism was
assumed to activate the fault tolerant controller. From a practical point of view,
the proposed approach has some advantages over existing FTC. The proposed FTC
design method uses some well-known and robust numerical tools, commonly used
in the robust control community (the H∞ ‘mixed-sensitivity’ approach). Another
advantage is that the design of the FTC loop takes into account the existing flight control
system. The FTC system works in a way that when a fault is detected, the control
law is, in real time, reconfigured by adding an additional feedback loop. This is an
interesting aspect of this design scheme since the overall scheme ensures specified
nominal flight performance in fault-free situations. When hardware redundancy FDI
mechanisms are not available, a procedure has been suggested to extract the optimal
analytical FDI unit from the set of all admissible (joint) FDI/FTC units K(s).

Appendix A: Bumpless Switching Scheme


The activation of the FTC strategy is done using a switching logic and thus may
cause some undesired phenomena such as ‘bumps’ or actuator saturation. In fact,
the difference between the states of nominal control law and the states of switching
control law leads to these bumps. Figure 12.15 presents the proposed solution to
manage these undesired bumps. The aim is to drive K(s) before the switch by a
matrix gain Fs, such that ũ → 0 and $\tau \to \begin{pmatrix} y \\ u_0 \end{pmatrix}$ according to:

\[ \begin{cases} \tilde{u} = K \tau \\ \tau = F_s \begin{pmatrix} x \\ y \\ u_0 \end{pmatrix} \end{cases} \tag{12.44} \]


Fig. 12.15 FTC architecture with bumpless scheme

where τ denotes the input signal from K(s) before the switch, x is the state vector
of K(s) and Fs is the static design gain.
Different approaches can be used to design Fs . Here, we propose to use the idea
initially suggested by [25].
To compute Fs , the following quadratic criterion is minimized:
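\[ J(\tilde{u}, \tau) = \frac{1}{2} \int_0^\infty \left[ \tilde{u}^T W_u \tilde{u} + \left( \tau - \begin{pmatrix} y \\ u_0 \end{pmatrix} \right)^T W_e \left( \tau - \begin{pmatrix} y \\ u_0 \end{pmatrix} \right) \right] dt \tag{12.45} \]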

where Wu and We are constant positive-definite weighting matrices of appropriate
dimensions. Wu and We allow trade-offs with respect to the desired objectives; that
is, if it is desirable to minimize the magnitude of ũ, then we should choose a high
value for Wu. At switching time ts (the time at which the fault is detected), we have
ũ(ts) → 0, then u(ts) → u0(ts). Hence, there are no bump effects. Similarly, if we
want to reduce the energy of $\tau - \begin{pmatrix} y \\ u_0 \end{pmatrix}$, then the value of We must be set to be high.
Then, at ts we have $\tau(t_s) \to \begin{pmatrix} y(t_s) \\ u_0(t_s) \end{pmatrix}$ and so there is no discontinuity between τ and
$\begin{pmatrix} y \\ u_0 \end{pmatrix}$ at the switching time. This means that from a practical point of view, a trade-off
between minimizing the magnitude of ũ and of $\tau - \begin{pmatrix} y \\ u_0 \end{pmatrix}$ must be investigated.
Once Wu and We have been chosen, the solution is given by:

\[ F_s = N \begin{pmatrix} \left( B^T \Pi + D^T W_u C \right)^T \\ \left( -W_e + B^T M \left( C^T W_u D N W_e + \Pi B N W_e \right) \right)^T \end{pmatrix}^T \tag{12.46} \]

where M and N are defined according to:

\[ M = \left( \bar{A}^T + \Pi \bar{B} \right)^{-1} \tag{12.47} \]

\[ N = -\left( D^T W_u D + W_e \right)^{-1} \tag{12.48} \]

The matrix Π is the positive definite stationary solution of the following ARE:

\[ \Pi \bar{A} + \bar{A}^T \Pi + \Pi \bar{B} \Pi + \bar{C} = 0 \tag{12.49} \]

Finally, the matrices $\bar{A}$, $\bar{B}$ and $\bar{C}$ are given by:

\[ \bar{A} = A + B N D^T W_u C, \qquad \bar{B} = B N B^T \tag{12.50} \]

\[ \bar{C} = C^T W_u \left( I + D N D^T W_u \right) C \tag{12.51} \]

where A, B, C, D denote the state-space matrices of K(s).

Remark 12.4. Using this strategy, we assume that Fs has access to the controller
states x. This is a modest assumption because most modern controllers are realized
in software form, so the states are computer variables.

Remark 12.5. The proposed scheme is a unidirectional solution that reduces the
undesirable bump effects during the switch from the nominal situation to the failure
situation. If $t_{s_2}$ is the time at which the switch from the failure situation to the
nominal situation is done, just before the switch at time $t_{s_2}^-$, the controller K(s) satisfies
the following equation:

\[ \begin{cases} \tilde{u} = K \begin{pmatrix} x \\ y \\ u_0 \end{pmatrix} \\ \tau = F_s \begin{pmatrix} x \\ y \\ u_0 \end{pmatrix} \end{cases} \tag{12.52} \]

Then the control signal applied to the system at $t_{s_2}^-$ is given by

\[ u(t_{s_2}^-) = u_0(t_{s_2}^-) + \tilde{u}(t_{s_2}^-) \tag{12.53} \]

After the switch, at time $t_{s_2}^+$, the controller K(s) is derived from equation (12.44).
Then, we have $u(t_{s_2}^+) = u_0(t_{s_2}^+)$. Hence, to avoid undesirable ‘bumps’, the sufficient
and necessary condition is that $\tilde{u}(t_{s_2}^-) \to 0$. Unfortunately, because at time
$t_{s_2}^-$ the FTC strategy is activated, it is not possible to modify the controller K(s).
The discontinuity due to the switch from the failure situation to the nominal
situation is thus related to the dynamics of the FTC loop that would be activated at the
switching time.

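Appendix B: Computed Controller $\hat{K}(s) = \hat{C}_K (sI - \hat{A}_K)^{-1} \hat{B}_K + \hat{D}_K$

$\hat{A}_K$, columns 1 to 5:

\[ \hat{A}_K = \left( \begin{array}{rrrrr}
-1.7162 & 3.3565 & -1.185\cdot10^{-1} & 6.811\cdot10^{-1} & -7.7\cdot10^{-1} \\
2.9558\cdot10^{1} & -3.7388\cdot10^{1} & -7.8587 & -1.7738 & 1.2848 \\
-7.788\cdot10^{-1} & 9.774\cdot10^{-1} & -3.37\cdot10^{-2} & 2.058\cdot10^{-1} & 7.5\cdot10^{-2} \\
1.1398 & -3.4239 & 1.174\cdot10^{-1} & -7.375\cdot10^{-1} & -6.838\cdot10^{-1} \\
-2.339\cdot10^{1} & 2.329\cdot10^{1} & -3.271\cdot10^{-1} & -1.6779 & 3.7997\cdot10^{1} \\
-8.95\cdot10^{-2} & 2.43\cdot10^{-2} & -3.954\cdot10^{-4} & -1.62\cdot10^{-2} & 1.052\cdot10^{-1} \\
-2.86\cdot10^{-2} & 2.3\cdot10^{-3} & -7.8845\cdot10^{-6} & -2.2\cdot10^{-3} & 9.5\cdot10^{-3} \\
-2.82\cdot10^{-1} & 1.62\cdot10^{-2} & -5.1039\cdot10^{-4} & -1.75\cdot10^{-2} & 6.45\cdot10^{-2} \\
-1.656\cdot10^{1} & 1.5729 & -8.04\cdot10^{-2} & 6.244\cdot10^{-1} & -5.1504 \\
8.11\cdot10^{-2} & 4.52\cdot10^{1} & -1.3291 & 7.6391 & -9.4739 \\
-1.57\cdot10^{1} & -4.8599 & 1.212\cdot10^{-1} & -7.662\cdot10^{-1} & -4.814\cdot10^{-1}
\end{array} \right. \cdots \]

$\hat{A}_K$, columns 6 to 11:

\[ \cdots \left. \begin{array}{rrrrrr}
4.78\cdot10^{-4} & -1.8435\cdot10^{-4} & -6.782\cdot10^{-4} & 9.5556 & -9.9179 & 1.32\cdot10^{2} \\
3.9454\cdot10^{-4} & -3.1287\cdot10^{-4} & -1.4\cdot10^{-3} & 1.787\cdot10^{1} & -2.631\cdot10^{1} & -3.0634\cdot10^{2} \\
-3.0156\cdot10^{-5} & 6.363\cdot10^{-6} & 3.0341\cdot10^{-5} & -4.226\cdot10^{-1} & 8.68\cdot10^{-1} & 6.4394 \\
5.389\cdot10^{-4} & 1.635\cdot10^{-5} & 8.234\cdot10^{-5} & 3.179\cdot10^{-1} & -5.07 & -4.9275 \\
-3.96\cdot10^{-2} & -2.8\cdot10^{-3} & -1.89\cdot10^{-2} & 5.296\cdot10^{1} & 2.8089\cdot10^{2} & -3.6264\cdot10^{3} \\
-1.0014\cdot10^{1} & -1.0293\cdot10^{-7} & 1.9424\cdot10^{-5} & -3.49\cdot10^{-2} & 5.067\cdot10^{-1} & 1.2117\cdot10^{1} \\
-4.6584\cdot10^{-6} & -1.0021\cdot10^{1} & 3.0821\cdot10^{-6} & -3.14\cdot10^{-2} & 6.66\cdot10^{-2} & 8.467\cdot10^{-1} \\
-3.4045\cdot10^{-5} & 1.1915\cdot10^{-6} & -1.0036\cdot10^{1} & -2.009\cdot10^{-1} & 4.902\cdot10^{-1} & 5.9173 \\
4.5\cdot10^{-3} & 7.026\cdot10^{-4} & 3.5\cdot10^{-3} & -3.4859\cdot10^{1} & -1.667\cdot10^{1} & 2.48\cdot10^{2} \\
7.6\cdot10^{-3} & 5.0864\cdot10^{-4} & 3.3\cdot10^{-3} & -8.123 & -5.3855\cdot10^{1} & 6.9177\cdot10^{2} \\
5.9167\cdot10^{-4} & 1.4594\cdot10^{-4} & 4.85\cdot10^{-5} & -9.948 & 3.1692 & -2.491\cdot10^{1}
\end{array} \right) \]

\[ \hat{B}_K = \left( \begin{array}{rr}
1.833\cdot10^{1} & 3.9147 \\
-6.4812 & -3.692\cdot10^{1} \\
5.96\cdot10^{-2} & 1.056 \\
9.0322 & -3.1293 \\
2.3477 & 1.0917\cdot10^{1} \\
-2.1\cdot10^{-3} & -9.3\cdot10^{-3} \\
-1.844\cdot10^{-4} & -3.599\cdot10^{-4} \\
1.211\cdot10^{-4} & -5.418\cdot10^{-4} \\
1.0733\cdot10^{1} & 3.5049 \\
3.3436 & 4.823\cdot10^{1} \\
3.409\cdot10^{1} & -4.0377
\end{array} \right) \]

$\hat{C}_K$, columns 1 to 5:

\[ \hat{C}_K = \left( \begin{array}{rrrrr}
1.814\cdot10^{-1} & -2.251\cdot10^{-1} & 3\cdot10^{-3} & 2.47\cdot10^{-2} & -5.0408 \\
1.809\cdot10^{-1} & -2.251\cdot10^{-1} & 3\cdot10^{-3} & 2.47\cdot10^{-2} & -5.0413 \\
1.743\cdot10^{-1} & -2.165\cdot10^{-1} & 2.9\cdot10^{-3} & 2.39\cdot10^{-2} & -4.8544 \\
1.765\cdot10^{-1} & -2.165\cdot10^{-1} & 2.9\cdot10^{-3} & 2.4\cdot10^{-2} & -4.8534
\end{array} \right. \cdots \]

$\hat{C}_K$, columns 6 to 11:

\[ \cdots \left. \begin{array}{rrrrrr}
5.061 & -6.5826 & 2.2217 & 3.291\cdot10^{-1} & 5.739\cdot10^{-1} & 4.7531 \\
2.9577 & 7.3394 & 3.3558 & 3.295\cdot10^{-1} & 5.738\cdot10^{-1} & 4.7518 \\
-8.0836 & -1.4562 & 2.8813 & 3.162\cdot10^{-1} & 5.493\cdot10^{-1} & 4.5393 \\
-2.446\cdot10^{-1} & 6.696\cdot10^{-1} & -8.6756 & 3.15\cdot10^{-1} & 5.501\cdot10^{-1} & 4.5458
\end{array} \right) \]

\[ \hat{D}_K = 0 \]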

References
1. Zhang, Y., Jiang, J.: Bibliographical review on reconfigurable fault-tolerant control sys-
tem. In: Proceedings of SAFEPROCESS 2003, Washington DC, USA, pp. 265–276.
IFAC (2003)
2. Zhang, Y., Jiang, J.: Issues on integration of fault diagnosis and reconfigurable control in
active fault-tolerant control systems. In: Proceedings of SAFEPROCESS 2006, Beijing,
China. IFAC (2006)
3. Steinberg, M.: Historical overview of research in reconfigurable flight control. Proceed-
ings of the Institution of Mechanical Engineers, Part G - Journal of Aerospace Engineer-
ing 219(4), 263–275 (2005)
4. Staroswiecki, M.: From control to supervision. Annual Reviews in Control 25, 1–11
(2001)
5. Moerder, D., Halyo, N., Broussard, J., Caglayan, A.: Application of precomputed control
laws in a reconfigurable aircraft flight control system. Journal of Guidance, Control and
Dynamics 12(3), 325–333 (1989)
6. Huzmezan, M., Maciejowski, J.: Reconfigurable flight control of a high incidence re-
search model using predictive control. In: International Conference on Control, Piscat-
away, NJ, pp. 1169–1174. Inst. of Electrical and Electronics Engineers (1998)
7. Chen, J., Patton, R.: Fault tolerant control using LMI design. In: Proceedings of European
Control Conference, Porto, Portugal. IEEE, Los Alamitos (2001)
8. Maki, M., Jiang, J., Hagino, K.: A stability guaranteed active fault-tolerant control sys-
tem against actuator failures. In: International Conference on Control, Piscataway, NJ,
pp. 1893–1898. Inst. of Electrical and Electronics Engineers (1998)
9. Cieslak, J., Henry, D., Zolghadri, A.: A methodoly for the design of active fault tolerant
systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006)
10. Cieslak, J., Henry, D., Zolghadri, A.: Development of an active fault tolerant flight con-
trol strategy. AIAA Journal of Guidance, Control, and Dynamics 31(1), 135–147 (2007)
11. Staroswiecki, M., Yang, H., Jiang, B.: Progressive accomodation of aircraft actua-
tor faults. In: Proceedings of SAFEPROCESS 2006, Beijing, China, CD–ROM. IFAC
(2006)
12. Campos-Delgado, D., Palaciosa, E., Espinoza-Trejo, D.R.: Fault accomodation strategy
for LTI systems based on the gimc structure: Additive faults. In: Proceedings of Con-
ference on Decision and Control and the European Control Conference, Seville, Spain,
CD–ROM. IEEE, Los Alamitos (2005)
13. Niemann, H., Stoustrup, J.: Fault tolerant feedback control. In: Proceedings of European
Control Conference, Porto, Portugal. IEEE, Los Alamitos (2001)
14. Niemann, H., Stoustrup, J.: Reliable control using the primary and dual youla
parametrizations. In: Proceedings of Conference on Decision and Control, Las Vegas,
USA. IEEE, Los Alamitos (2002)
15. Niemann, H., Stoustrup, J.: An architecture for sampled-data fault tolerant controllers.
Int. Journal of Nonlinear Control (2004)
16. Ganguli, S., Marcos, A., Balas, G.: Reconfigurable LPV control design for boeing 747-
100/200 longitudinal axis. In: Proceedings of American Control Conference, Anchorage,
USA, pp. 3612–3617 (2002)
17. Gaspar, P., Szaszi, I., Bokor, J.: Reconfigurable control structure to prevent the rollover
of heavy vehicles. Control Engineering Practice 13(6), 699–711 (2005)
18. Gaspar, P., Bokor, J.: A fault-tolerant rollover prevention system based on a LPV method.
International Journal of Vehicle Design 42(3-4), 392–412 (2006)

19. Zhou, K., Ren, Z.: A new controller architecture for high performance, robust and fault-
tolerant control. IEEE Transactions on Automatic Control 46(10), 1613–1618 (2001)
20. Doyle, J., Glover, K., Khargonekar, P.P., Francis, B.A.: State-space solutions to standard
H2 and H∞ control problems. IEEE Transactions on Automatic Control 34(8), 831–847
(1989)
21. Gahinet, P., Apkarian, P.: A linear matrix inequality approach to H∞ control. Int. Journal
Robust Nonlinear Control 4, 421–428 (1994)
22. Zhou, K., Doyle, J., Glover, K.: Robust and optimal control. Prentice Hall, Englewood
Cliffs (1996)
23. Packard, A., Fan, M., Doyle, J.: A power method for the structured singular value. In:
Proceedings of Conference on Control Decision, pp. 2132–2137. IEEE, Los Alamitos
(1988)
24. Campos-Delgado, D.U., Zhou, K.: A parametric optimization approach to H∞ and H2
strong stabilization. Automatica 39(7), 1205–1211 (2003)
25. Turner, M., Walker, D.: Linear quadratic bumpless transfer. Automatica 36(8), 1089–
1101 (2000)
Chapter 13
Flight Control Reconfiguration Based on Online
Physical Model Identification and Nonlinear
Dynamic Inversion

Thomas Lombaerts, Ping Chu, and Jan Albert (Bob) Mulder

Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: q.p.chu@tudelft.nl
Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 363–397.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

13.1 Introduction
There are many control approaches possible in order to achieve fault tolerant flight
control. An important aspect of these algorithms is that they should not only be
robust, but even adaptive in some way, in order to adapt to the faulty situation, see
Ref. [1] and [5] in the literature. In the category of adaptive control algorithms,
a distinction is made between indirect adaptive control and direct adaptive control.
Indirect adaptive control involves two stages. First, an estimate of the plant
model is generated online. Once the model is available, it is used to generate
controller parameters. Instead of estimating a plant model, a direct adaptive control
algorithm estimates the controller parameters directly in the controller. This can be
done via two main approaches: output error and input error. Of both main categories
mentioned here, indirect adaptive control is preferable due to its flexibility
and its property of being model based. In both categories, there are also two
subversions, namely model reference adaptive control (MRAC) and self-tuning control
(STC). In the former, one relies on a reference model and works on minimizing
the tracking error between plant output and reference output (such as the concept
of sliding mode control). With model reference indirect adaptive control it is feasible
to achieve three important goals, namely trim value adjustment for the inputs,
decoupling of inputs and outputs and closed loop tracking of pilot commands, see
Ref. [1]. Self-tuning control focuses on adapting the (PID) control gains of the
controller by making use of the estimated parameter values and is known to be more
flexible, see Ref. [21]. Currently, much research is performed in the field of indirect
adaptive control, where the adaptation is more extensive than only tuning the
PID control gains. One of these new indirect control possibilities is adaptive model
predictive control (AMPC), which is an interesting algorithm because it naturally
deals with (input) inequality constraints. These constraints are a good representation
for actuator faults. It should be noted that there have been already some successful
applications of MPC in the field of fault tolerant flight control, see Ref. [10] and
[14]. An alternative indirect adaptive nonlinear control approach is discussed in this
chapter, which allows the development of a reconfigurable control routine placing emphasis
on the use of physical models, and thus producing internal parameters which are
physically interpretable at any time.
This chapter discusses the combination of the two step method as an identifi-
cation procedure, and nonlinear dynamic inversion as a control method in order to
obtain a model based fault tolerant flight controller for the benchmark simulation
model used in this research project. This approach can deal with component failures
as well as structural failures. An overview of fault scenarios for which this method
is valid can be found in Table 13.1, building on a similar table with failure scenar-
ios from [9] and [7]. It should be noted that this method is not explicitly valid for
the structural loss of engine(s) and severe structural damage. However, experiments
have shown that the method is implicitly valid for these scenarios. Current research
is investigating the possible extension of the explicit validity of this method for these
failure scenarios.
The structure of this chapter is as follows. First the consecutive steps of this
two step method are discussed: Aircraft State Estimation (ASE) and Aerodynamic
Model Identification (AMI) in sections 13.2.1 and 13.2.2. Section 13.3 discusses
briefly the real time computer based aerodynamic model identification tool which
has been developed. Thereafter, as an illustration, some preliminary identification
results are shown for damaged aircraft models, see Section 13.4. The NDI based
reconfiguring control method is discussed in Section 13.6, after the selected trigger
for reconfiguration which is briefly introduced in Section 13.5. Finally, the most im-
portant conclusions and some topics for future work will be introduced in Sections
13.8 and 13.9.

13.2 On Line Nonlinear Damaged Aircraft Model Identification: Two Step Method
The identification method considered in this study is the so-called two step method,
which has been continuously under development at Delft University of Technology
over the last 20 years, see Ref. [15] and [3]. The last major milestones in
this development process can be found in Ref. [11] and [16]. There are many
other identification algorithms mentioned in the literature like maximum likelihood
identification (MLI) and other one step identification routines, but not all of them
are applicable on line. One of the few procedures which can be implemented in real
time is the so-called filtering method developed at DLR, see Ref. [8]. This is a joint
state and parameter estimation algorithm, but very complex. The advantage of the
two step method is that it is easier to implement on-line. The key concept of the two
step method is that the identification procedure has been split into two consecutive
steps, as substantiated in Ref. [4]. One of the major advantages of the two step
method is the decomposition of a global non-linear one step identification method
in two separate steps, where the nonlinear part is isolated in the aircraft state
estimation step. Consequently, the aerodynamic model parameter identification procedure
in the second step can be simplified to a linear procedure. The aim is to update an
a priori aerodynamic model (obtained by means of windtunnel tests and CFD
calculations) by means of on-line flight data. The first step is called the Aircraft State
Estimation phase, whereas the second one is the Aerodynamic Model Identification
step. In the Aircraft State Estimation procedure, an Iterated Extended Kalman Filter
is used to determine the aircraft states, the measurement equipment properties
(sensor biases) and the wind components, by making use of the nonlinear kinematic
and observation models, based upon redundant but contaminated information from
all sensors (air data, inertial, magnetic and GPS measurements). By means of this
state information, the input signals of the pilot and the earlier measurements, it is
possible to construct the combined aerodynamic and thrust forces and moments acting
on the aircraft, and by means of a recursive least squares operation, finally the
aerodynamic derivatives can be deduced. Validation tests by means of batch process
identification, least squares innovation analysis and reconstruction of velocity and
angular rate components using these aerodynamic derivatives have shown that this
method is very accurate.

Table 13.1 Overview of fault scenarios and effects in vehicle and aerodynamic model, ✓
indicates explicit validity of the method, (✓) points out implicit validity.

| sensor | actuator | structural | failure | effect | affected parameters | method validity |
|---|---|---|---|---|---|---|
| ✓ | | | sensor loss | minor with sensor redundancy and sensor loss detection (usually the case) | parameters related to sensor output | (✓) |
| ✓ | | | sensor miscalibration | inertial sensor miscalibrated (accelerometer or gyro) | $\lambda_{acc\,X/Y/Z}$ or $\lambda_{rg\,p/q/r}$ | ✓ |
| | ✓ | | partial hydraulics loss | maximum rate/deflection decrease on several control surfaces | $C_{(Y/l/n)\delta_a}$, $C_{(X/Z/m)\delta_e}$, $C_{(Y/l/n)\delta_r}$ | ✓ |
| | ✓ | | full hydraulics loss | one or more control surfaces become stuck at last position or start floating | $C_{(Y/l/n)\delta_a}$, $C_{(X/Z/m)\delta_e}$, $C_{(Y/l/n)\delta_r}$ and/or $C_{(X/Y/Z/l/m/n)_0}$ | ✓ |
| | ✓ | | control loss on one or more actuators | one or more control surfaces become stuck at last position | $C_{(Y/l/n)\delta_a}$, $C_{(X/Z/m)\delta_e}$, $C_{(Y/l/n)\delta_r}$ and/or $C_{(X/Y/Z/l/m/n)_0}$ | ✓ |
| | ✓ | ✓ | structural loss of (part of) control surface | effectiveness of control surfaces is reduced; minor change in aerodynamics | $C_{(Y/l/n)\delta_a}$, $C_{(X/Z/m)\delta_e}$, $C_{(Y/l/n)\delta_r}$ and/or $C_{(X/Z/m)_{0/\alpha/q}}$ and/or $C_{(Y/l/n)_{0/\beta/p/r}}$ | ✓ |
| | ✓ | | engine(s) out | thrust becomes asymmetric, increased drag due to nonzero sideslip β | $C_{(X/Y/Z/l/m/n)T_{(l/r)}}$ and/or $C_{(X/Z/m)_{0/\alpha/q}}$ and/or $C_{(Y/l/n)_{0/\beta/p/r}}$ | ✓ |
| | ✓ | ✓ | structural loss of engine(s) | large change in possible operating region; significant change in aerodynamics, mass and moments of inertia | all aerodynamic parameters, aerodynamic model structure, $m_{aircraft}$, $(x/y/z)_{cg}$ and $I$ | (✓) |
| | ✓ | ✓ | severe structural damage | large change in possible operating region; significant change in aerodynamics, mass and moments of inertia | all aerodynamic parameters, aerodynamic model structure, $m_{aircraft}$, $(x/y/z)_{cg}$ and $I$ | (✓) |

13.2.1 Aircraft State Estimation


Estimating the aircraft states can be based upon redundant but contaminated
information from all sensors. Standard available sensor information on civil airliners is
classified in three categories. First there are the air data sensors, providing true
airspeed VTAS, angle of attack α, angle of sideslip β. A second class is the data from
the inertial navigation system (INS, consisting of inertial and magnetic equipment)
giving measurement values for the specific forces Ax, Ay, Az, the rotational rates p,
q, r and aircraft attitude angles φ, θ, ψ. The third and last category is a combination
of INS and GPS measurements leading to data for three dimensional position
x, y, z and inertial velocity components un, vn, wn. At first sight there is some
redundancy in the velocity information, since it appears true airspeed VTAS, angle
of attack α, angle of sideslip β allows the calculation of the velocity components.
However, it should be realized that these components are airspeed related, where
the inertial velocity components concern the ground speed. Comparing both sets
leads to the derivation of the wind components. Table 13.2 gives information about
the instrumentation errors which occur for each kind of measuring equipment
mentioned above. By making use of the kinematic and observation model of the aircraft,
it is possible to estimate part of the instrumentation errors, which will be discussed
in more detail below.

Table 13.2 Instrumentation error information for measuring equipment

| sensor | variables | bias error | noise error |
|---|---|---|---|
| translational accelerometer | Ax, Ay, Az | ✓ | ✓ |
| rate gyro | p, q, r | ✓ | ✓ |
| integrating gyro | φ, θ, ψ | | ✓ |
| INS/GPS | x, y, z | | ✓ |
| INS/GPS | un, vn, wn | | ✓ |
| pitot tube | VTAS | | ✓ |
| airflow angle vane | α, β | | ✓ |

13.2.1.1 Nonlinear Aircraft Kinematics Model


The state space model of the nonlinear system equations describing the kinematics
of the aircraft is given as

ẋ(t) = f(x(t), um (t), θ ,t) + G(x(t))w(t), x(t0 ) = x0 (13.1)


zm (t) = h(x(t), um (t), θ ,t) + v(t), t = ti , i = 1, 2, . . . (13.2)

where equation (13.1) is known as the kinematic state equation with input noise
vector w and expression (13.2) is called the observation equation with output noise
vector v. The nonlinear vector functions f and h may depend both implicitly (via x
and um ) and explicitly on t and it will be assumed that both f and h are continuous
and continuously differentiable with respect to all elements of x and um . The system
equation variables are defined as follows:

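\[ x = [x \;\; y \;\; z \;\; u_b \;\; v_b \;\; w_b \;\; \phi \;\; \theta \;\; \psi]^T \tag{13.3} \]

\[ u_m = u + \lambda + w = [A_x \;\; A_y \;\; A_z \;\; p \;\; q \;\; r]^T + [\lambda_x \;\; \lambda_y \;\; \lambda_z \;\; \lambda_p \;\; \lambda_q \;\; \lambda_r]^T + w \tag{13.4} \]

\[ \theta = [\lambda \;\; w_{wind}]^T = [\lambda_x \;\; \lambda_y \;\; \lambda_z \;\; \lambda_p \;\; \lambda_q \;\; \lambda_r \;\; u_{wind} \;\; v_{wind} \;\; w_{wind}]^T \tag{13.5} \]

\[ z_m = [x_{GPS} \;\; y_{GPS} \;\; z_{GPS} \;\; u_{GPS} \;\; v_{GPS} \;\; w_{GPS} \;\; \phi_{INS} \;\; \theta_{INS} \;\; \psi_{INS} \;\; V_{TAS} \;\; \alpha_{ADS} \;\; \beta_{ADS}]^T \tag{13.6} \]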

where the aircraft state vector x in (13.3) contains inertial position, body air velocity
components and aircraft attitude angles. The measured input vector um in (13.4)
consists of specific forces and angular rates, perturbed with sensor biases and input
noise, where the sensor biases and wind ground speed components are collected in
vector θ in (13.5), which contributes to the augmented state vector xaug = [x, θ].
Finally, there is the measured output vector zm in (13.6), consisting of GPS-aided
INS measurement data of position and velocity components (navigational frame of
reference) and INS supplied attitude angles as well as air data system (ADS)
measurements for true airspeed, angle of attack and angle of sideslip. Also the measured
output vector is contaminated with output noise.
Additionally, the input noise vector w(t) is a continuous time white noise process
and the output noise vector v(ti) is a discrete time white noise sequence. Both are
mutually uncorrelated as well as between the different input and output channels
individually. Moreover, based upon the known on-board measurement equipment
characteristics, standard deviations are specified by the equipment manufacturers.
Therefore, the error model can be described as follows:

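\[ v(t_i) = [v_x \;\; v_y \;\; v_z \;\; v_u \;\; v_v \;\; v_w \;\; v_\phi \;\; v_\theta \;\; v_\psi \;\; v_V \;\; v_\alpha \;\; v_\beta]^T \tag{13.7} \]

\[ w(t) = [w_x \;\; w_y \;\; w_z \;\; w_p \;\; w_q \;\; w_r]^T \tag{13.8} \]

\[ E\left\{ w(t)\, w^T(\tau) \right\} = Q\, \delta(t - \tau) \tag{13.9} \]

\[ E\left\{ v(t_i)\, v^T(t_j) \right\} = R\, \delta_{ij} \tag{13.10} \]

\[ E\left\{ w(t)\, v^T(t_i) \right\} = 0, \quad \text{for } t = t_i, \; i = 1, 2, \ldots \tag{13.11} \]

where

\[ Q = \mathrm{diag}(\sigma_{w_x}^2, \sigma_{w_y}^2, \sigma_{w_z}^2, \sigma_{w_p}^2, \sigma_{w_q}^2, \sigma_{w_r}^2) \tag{13.12} \]

\[ R = \mathrm{diag}(\sigma_{v_x}^2, \sigma_{v_y}^2, \sigma_{v_z}^2, \sigma_{v_u}^2, \sigma_{v_v}^2, \sigma_{v_w}^2, \sigma_{v_\phi}^2, \sigma_{v_\theta}^2, \sigma_{v_\psi}^2, \sigma_{v_V}^2, \sigma_{v_\alpha}^2, \sigma_{v_\beta}^2) \tag{13.13} \]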

As mentioned in the introduction and apparent from the structure above, a Kalman
Filter can be used in order to estimate the aircraft states, inertial sensor biases and
wind velocity components.

13.2.2 Aerodynamic Model Identification


The procedure for the second step is rather purpose dependent. For a pure in-flight
identification task aiming at the construction of a precise mathematical aircraft
model, the procedure must be as accurate as possible. However, in the case of an
identification task for the purpose of fault tolerant flight control, the model
structure has to be representative, where a trade-off is made between accuracy and
computational speed, and thus model complexity. Since the least squares procedure is
used in this step, the model structure must be determined first, after which this
regression method can be applied in order to estimate the so-called aerodynamic
model parameters. Another important issue is the determination of the aerodynamic
model accuracy. Especially in the case of reconfiguring control, the supply of a
reliable value for an uncertainty bound is essential in order to include some measure
of robustness in the controller synthesis phase.

13.2.2.1 Aerodynamic Aircraft Model


The measurements and the Kalman filter states, more precisely the aircraft states and
the IMU properties are the available data for the second step in the identification
procedure. With this available information, it is possible to calculate the inertial
measurements without bias, but the noise contribution cannot be compensated for.
One key issue in this step is the determination of the forces and moments acting
on the aircraft. Since these cannot be measured directly, it is possible to construct
them with the help of the measurements of specific aerodynamic forces acting on the
aircraft and angular rates and accelerations of the aircraft, which have already been
13 Online Physical Model Identification and NDI 369

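corrected by means of the instrumentation errors (biases), which were obtained in
the aircraft state estimation step. In this way the dimensionless forces and moments
can be calculated:

• dimensionless forces:

$$\begin{aligned}
C_X &= \frac{X}{\tfrac{1}{2}\rho V^2 S} = \frac{m A_x}{\tfrac{1}{2}\rho V^2 S} \\
C_Y &= \frac{Y}{\tfrac{1}{2}\rho V^2 S} = \frac{m A_y}{\tfrac{1}{2}\rho V^2 S} \\
C_Z &= \frac{Z}{\tfrac{1}{2}\rho V^2 S} = \frac{m A_z}{\tfrac{1}{2}\rho V^2 S}
\end{aligned} \tag{13.14}$$

• dimensionless moments:

$$\begin{aligned}
C_l &= \frac{L}{\tfrac{1}{2}\rho V^2 S b} = \frac{\dot{p} I_{xx} + qr\,(I_{zz} - I_{yy}) - (pq + \dot{r})\, I_{xz}}{\tfrac{1}{2}\rho V^2 S b} \\
C_m &= \frac{M}{\tfrac{1}{2}\rho V^2 S \bar{c}} = \frac{\dot{q} I_{yy} + rp\,(I_{xx} - I_{zz}) + (p^2 - r^2)\, I_{xz}}{\tfrac{1}{2}\rho V^2 S \bar{c}} \\
C_n &= \frac{N}{\tfrac{1}{2}\rho V^2 S b} = \frac{\dot{r} I_{zz} + pq\,(I_{yy} - I_{xx}) + (qr - \dot{p})\, I_{xz}}{\tfrac{1}{2}\rho V^2 S b}
\end{aligned} \tag{13.15}$$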

At this moment mass and inertia are considered as known constants. In the absence
of a structural failure, real time mass and inertia can be calculated by integrating
fuel flow and subtracting it from the total take off values. Future research is aimed
at taking into account changing masses and inertia in the presence of structural
failures. Air density can be deduced from altitude measurements. The rotational
accelerations are obtained by differentiating the noisy rotational rates, which have
been corrected for their biases. It should be noted that current generation ring laser
gyroscope noise levels are low enough ($\sigma_{pqr} = 0.001^\circ/\mathrm{s}$) to permit differentiating
these signals.

13.2.2.2 Least Squares Procedure


As already mentioned, the aerodynamic model structure must be defined before the
model parameters are estimated by means of least squares. This model structure
has been set up by a first order Taylor series expansion with respect to the
aircraft states which are relevant for each force and moment component separately.
The resulting structures which have been chosen for the longitudinal and the lateral
situation respectively are given below:
qc̄
CX = CX0 + CXα α + CXα 2 α 2 + CXq + CXδe δeir + CXδe δeil + CXδe δeor
V ir il or

+CXδe δeol + CXih ih + CXδsp δsp1 + ... + CXδsp δsp12 + CXδ δ fo + CXδ δ fi
ol 1 12 fo fi

pb rb
+CXEPR1 EPR1 + ... + CXEPR4 EPR4 + CXβ β + CXp + CXr (13.16)
2V 2V
370 T. Lombaerts, P. Chu, and J.A. (Bob) Mulder

qc̄
CZ = CZ0 + CZα α + CZq + CZδe δeir + CZδe δeil + CZδe δeor + CZδe δeol +
V ir il or ol

+CZih ih + CZδsp δsp1 + ... + CZδsp δsp12 + CZδ δ fo + CZδ δ fi


1 12 fo fi

pb rb
+CZEPR1 EPR1 + ... + CZEPR4 EPR4 + CZβ β + CZ p + CZr (13.17)
2V 2V
qc̄
Cm = Cm0 + Cmα α + Cmq + Cmδe δeir + Cmδe δeil + Cmδe δeor + Cmδe δeol +
V ir il or ol

+Cmih ih + Cmδsp δsp1 + ... + Cmδsp δsp12 + Cmδ δ fo + Cmδ δ fi


1 12 fo fi

pb rb
+CmEPR1 EPR1 + ... + CmEPR4 EPR4 + Cmβ β + Cm p + Cmr (13.18)
2V 2V

pb rb
CY = CY0 + CYβ β + CYp + CYr + CYδa δair + CYδa δail + CYδa δaor
2V 2V ir il or

+CYδa δaol + CYδr δru + CYδr δrl + CYδsp δsp1 + ... + CYδsp δsp12
u
ol l 1 12

qc̄
+ CYα α + CYq + CYEPR1 EPR1 + ... + CYEPR4 EPR4 (13.19)
V
pb rb
Cl = Cl0 + Clβ β + Cl p + Clr + Clδa δair + Clδa δail + Clδa δaor + Clδa δaol +
2V 2V ir il or ol

qc̄
+Clδr δru + Clδr δrl + Clδsp δsp1 + ... + Clδsp δsp12 + Clα α + Clq +
u l 1 12 V
+ ClEPR1 EPR1 + ... + ClEPR4 EPR4 (13.20)
pb rb
Cn = Cn0 + Cnβ β + Cn p + Cnr + Cnδa δair + Cnδa δail + Cnδa δaor
2V 2V ir il or

+Cnδa δaol + Cnδr δru + Cnδr δrl + Cnδsp δsp1 + ... + Cnδsp δsp12
u
ol l 1 12

qc̄
+ Cnα α + Cnq + CnEPR1 EPR1 + ... + CnEPR4 EPR4 (13.21)
V

From the above expressions, it is clear that the aerodynamic model parameters,
also known as the aerodynamic derivatives, apply to states as well as control
inputs, namely control surface deflections and engine settings. It should be noted that
the contributions indicated in boxes are the aerodynamic consequences of possible
cross-couplings: they represent the contributions of longitudinal states on lateral
forces and moments and vice versa. They appear due to asymmetries after failures.
Moreover, the aerodynamic derivatives related to the inputs also have cross coupling
effects, but these are assumed to be limited by the hardware constraints of the
actuator hardware of each control surface type independently, present in the hardware
logic block of the RECOVER simulation model: for example, differential deflection
of flaps is not possible. For the benchmark model as given, the only valid cross
coupling control inputs feasible in reality are the engine settings. Conventionally,
all are identical and give only longitudinal steering capability, but they can also
provide some lateral degree of controllability if differential thrust is applied. However,
in a general perspective, this kind of cross coupling is completely dependent on the
aircraft model concerned.

The validation tests have shown that the identification results obtained with this
procedure are representative, accurate and reliable. These validation tests can be
found in Ref. [13]. Now that it has been confirmed that the procedure works
satisfactorily for nominal non-damaged aircraft, the next challenge is to analyse the
performance of this identification procedure for damaged aircraft. This will be the
subject of section 13.4.

Finally, figure 13.1 gives a high-level logical structure overview of the two step
method algorithm, pointing out the inputs and outputs of each macro-step.

Fig. 13.1 Overview of the two step method: measurements serve for ASE step, which
estimates the aircraft states. These states, combined with the measurements, allow the
calculation of the forces and moments. The latter are used, together with the estimated
states and control surface deflections, for the AMI step, which produces the estimated
aerodynamic and control derivatives.

13.3 Real Time Aerodynamic Model Identification


The above mentioned recursive two step method has been implemented in
Simulink™ and combined with the conventional sensor output of a Cessna Citation
simulator next to the Boeing 747 simulator of this project. A connected joystick
provides the input. This allows real-time computer based identification calculations
while performing flight manoeuvres by hand in a Simulink™ aircraft simulator. The
progress of the identification process is continuously visualized on the computer
display. The development of the aerodynamic derivatives is shown in a real-time
developing box plot like representation, while the time varying covariance of the
aerodynamic derivatives is also shown. The latter information gives the user some
indication of whether he needs to adapt his manual input signal in order to reduce the
uncertainty of the identification results.

Fig. 13.2 Overview of the operator information screen for real time identification. The left
and middle columns in the screen give the aerodynamic derivative values, the right column
gives (from top to bottom) aircraft attitude, trajectory and covariances for symmetrical (left)
and asymmetrical (right) estimates.

13.4 Application on the Boeing 747 Simulator


Two examples will be shown here for the two step method: one component failure,
i.e. trim horizontal stabilizer runaway, and one parametric failure, i.e. loss of the
vertical tail. Both give a good illustration of the two step method's capabilities. In
order to analyse the differences between the nominal and damaged models, the same
control inputs must be applied. Moreover, the best identification results can only be
obtained if the control inputs excite all steering channels of the aircraft. Therefore,
three different control inputs are consecutively applied: first a 3-2-1-1 input on the
pitch channel and thereafter doublets on roll and yaw respectively. Although roll and
yaw are excited simultaneously in regular flights in order to perform coordinated turns,
it has been chosen deliberately in this set-up to implement both control inputs
consecutively. The reason for this is the fact that a simultaneous implementation may
lead to undesirable correlations in the identification results. For each scenario, the
identification result of the damaged simulation model is compared with the nominal
non-damaged one, which is supplied in red in each graphic as a benchmark. It
should be noted that the damaged identification result for the horizontal stabilizer
runaway does not last longer than 20 seconds of the total time span. The reason for
this is the fact that the aircraft crashes after these 20 seconds, as illustrated by its
trajectory in Fig. 13.3.

Fig. 13.3 Trajectory of the aircraft for the stabilizer runaway scenario

13.4.1 Trim Horizontal Stabilizer (THS) Runaway


The identification results for the stabilizer related aerodynamic derivatives are
shown in Fig. 4(a), while the deflections of the horizontal stabilizer are shown in
Fig. 4(b). For the nominal situation, the stabilizer remains fixed in its trim setting.
In the runaway situation, the gradually deviating behaviour during the first 10 seconds
is apparent. Note that these plots start from the 5th second onward, since the
earlier identification results are not reliable because the first step of state estimation
has not yet converged in this phase. Taking this into account, it is clear that the initial
trim setting of the stabilizer is identical in both scenarios. Taking a closer look at
the identification results, it is clear that the unconventional change in force and
moment contribution from the jammed THS can be identified by means of the two step
method.

13.4.2 Loss of the Vertical Tail


The identification results for the rudder related aerodynamic derivatives are shown
in Fig. 5(a), while the deflections of the rudder are shown in Fig. 5(b). Since there is
no rudder anymore in the situation of a vertical tail loss, the loss of yawing control
should be visible in the identification result. For the nominal situation, the rudder
makes a doublet movement. Note that this doublet is not perfect, since the
compensating influence of the yaw damper appears in this channel. In the vertical tail
loss scenario, no deflection is visible anymore since the rudder is lost. Note that
each control surface has redundant deflection sensors, and the absence of any
measurement signal leads effectively to the 'no deflection conclusion', as shown in this
figure. Taking a closer look at the identification results, it is clear that no
convergence is possible in the tail loss scenario, whereas the nominal scenario clearly
leads to a better convergence behaviour. Another obvious consequence of the tail loss
scenario is the huge reduction in lateral static stability. This can be seen in the
behaviour of the aerodynamic derivative $C_{n_\beta}$, as shown in Fig. 5(c). A positive value
for $C_{n_\beta}$, also known as weathercock stability, indicates static directional stability.
From Fig. 5(c), it is clear that the nominal aircraft is stable, but the damaged aircraft
is observed to be slightly directionally statically unstable, as would be expected for
a tailless 747 aircraft. This simulation also shows that no rudder deflection is
necessary to observe this: even a doublet on the roll channel (ailerons) induces some
sideslip, which allows a static stability analysis. Summarizing, analysing both
results, it is clear that the loss of the tail surface can be identified by means of these
identification results.

Fig. 13.4 Identification of stabilizer related aerodynamic derivatives for damaged Boeing
747 simulation model, horizontal stabilizer runaway scenario: (a) identification of
stabilizer related aerodynamic derivatives (symmetric contributions of the horizontal
stabilizer, CXih, CZih and Cmih against time [s], nominal and stabilizer runaway);
(b) horizontal stabilizer runaway (ih against time [s], nominal and stabilizer runaway)

Fig. 13.5 Identification of rudder related aerodynamic derivatives for damaged Boeing 747
simulation model, vertical tail loss scenario: (a) identification of rudder related
aerodynamic derivatives (asymmetric contributions of the rudder, CYdr, Cldr and Cndr
against time [s], nominal and loss of vertical tail); (b) rudder deflections for vertical
tail loss scenario (dr against time [s]); (c) directional stability for vertical tail loss
scenario (Cnb against time [s])
In order to perform a validation of the accuracy of the identification results in
both applications presented above, the innovations can be calculated again. This
clearly shows that the least squares result is accurate. Also the reconstruction of
linear velocity components and angular rates confirms the trustworthiness of the
identification results.

13.4.3 Feedback of Aircraft Stability and Control Effector Information to the Pilot

The identified parameters contain valuable information about the physical state of
the aircraft. The absolute value has less significance than its change compared to the
initial value. Also, it requires a good understanding of flight dynamics and
aerodynamic modeling to understand these parameters. For this reason, it is paramount to
translate these values to a suitable format, which can be easily interpreted by the
pilot. For example, the parameters $C_{m_\alpha}$ and $C_{n_\beta}$ could be presented as stability factors,
while $C_{m_{\delta_e}}$, $C_{l_{\delta_a}}$, $C_{n_{\delta_r}}$ and $C_{X_{EPR}}$ could be presented as elevator, aileron, rudder
and engine effectiveness respectively. It is worthwhile to investigate the possibility
of presenting the parameters to the pilot in a proper way, giving him insight into the
physical condition of the aircraft; as an example, a possible visual presentation of
this information to the pilot is given in Fig. 13.6.

Fig. 13.6 Example of visualization of control effector effectiveness for the pilot, this
information is based upon control effector effectiveness parameters, like $C_{m_{\delta_e}}$, $C_{l_{\delta_a}}$,
$C_{n_{\delta_r}}$ and $C_{X_{EPR}}$.

13.5 Trigger for Reconfiguration


In order to ensure proper adaptivity of the identification routine for failure dynamics,
there are two major options. One is to rely on a weighting factor λ in the recursive
least squares procedure, the other is to incorporate a trigger for re-identification. In
Ref. [7], both alternatives have been evaluated against each other. Since the former
has the disadvantage that older data, which might still contain useful information, is
thrown away due to the limiting history horizon, the latter option has been preferred.
This limiting history horizon has a major drawback during long periods of stationary
flight with no control inputs, like cruise, because the model is likely to become
unstable due to the lack of significant excitations. This is a very relevant issue, since
cruise flight conditions constitute the largest part of a typical flight profile.

The concept of a re-identification trigger works by increasing the covariance
matrix P artificially when the current model cannot be relied upon anymore. In this way,
no data will be lost during normal flight, maintaining the quality of the model also
in constant flight conditions. In case an error occurs that affects the model, the
aircraft will move (and this induced movement will be counteracted by the (auto)pilot),
creating sufficient excitation data on the input channels to identify the new model
within a limited time span. The major requirement for this procedure is that
reliable information is available about the quality of the aerodynamic model. In [6],
the authors describe a procedure to use the innovation (the difference between the
model prediction and the actual behaviour of the system or aircraft) as a measure
of the quality of the model. The absolute value of the innovation does not only
depend on the model quality, but also on the noise in the input channels, which makes
it unsuitable for quality determination. Instead, the whiteness of the innovation is
used as a quality measure, since a perfect model would have a residual comparable
to the noise present in the input signals. The residual (innovation) of the estimated
aerodynamic model can be calculated as follows:

$$\Delta(k) = z(k) - X(k)\,\hat{\theta}_{RLS}(k) \tag{13.22}$$

in which $\Delta(k)$ is the innovation, $z(k)$ is the state measurement from the actual
aircraft, $X(k)$ is the data matrix and $\hat{\theta}_{RLS}(k)$ is the vector of estimated parameters. The
faults, which change the system dynamics, also change the characteristics of $\Delta(k)$
and make it different from white noise. Two criteria, namely the autocorrelation
criterion $\pi_k$ and the innovation average value $\bar{\Delta}(k)$, have been analysed to decide
whether this innovation is dominated by white noise, or contains a residual of an
incorrect aerodynamic model. If the latter is the case, the reconfiguration of the model
should be triggered. The former should be ignored in order to prevent false alarms.

Analysis has revealed that the average value of the innovation over a period of
time, calculated in (13.23), is the preferable criterion. This calculation reveals the
mean value of the residual, which will deviate from zero once the model becomes
inaccurate.

$$\bar{\Delta}(k) = \frac{1}{n_{av}} \sum_{i=0}^{n_{av}} \Delta(k - i) \tag{13.23}$$

$\bar{\Delta}(k)$ stands for the average innovation, $n_{av}$ is the number of samples over which this
average is taken (a proper range appears to be 25 - 100, corresponding to 0.5 s - 4 s).
For the triggering of the re-identification a threshold value has been chosen based
on several simulated test flights, with and without failure.
Besides use of the residual mean value, it is also possible to rely on other criteria,
like spectral analyses. This is the subject of further research. Once this monitoring
criterion has suggested that the current model contains errors, the re-identification
will take place. The covariance matrix P of the RLS procedure gives a measure for the
quality of the data that has entered the identification. Without forgetting factor, this
data richness can only improve, since all information from previous measurements
is retained. This results in a gradual freezing of the parameter values since every
new datapoint is weighted less in the parameter identification. When it is concluded
that the real-life situation has changed to such an extent that the identified model is
not valid anymore, this old data should be disregarded. By artificially returning the
covariance matrix to its initial state, a diagonal matrix with very large values (in the
order of $10^6$), the parameters are more influenced by new measurements and can be
identified based on the flight data of the aircraft in its new, changed situation. Since
each of the six dimensionless forces and moments $[C_X \; C_Y \; C_Z \; C_l \; C_m \; C_n]^T$ has a
separate innovation channel, the reconfiguration can be focused on the respective
parameter set that triggers the reconfiguration. For this reason, six covariance matrices
P are stored and updated separately. When for example the criterion value of the
roll-moment parameters $C_l$ exceeds the threshold, only these parameters are triggered
for re-identification. This prevents unnecessarily destabilizing the aircraft model parts
that are used in the control system.
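The re-identification trigger described in this section, as an added example that is not part of the original chapter: recursive least squares without forgetting factor for a single moment channel, with the mean innovation of (13.23) compared against a threshold and the covariance matrix returned to its large diagonal initial state when the threshold is exceeded. The three-parameter pitching moment model, the excitation signals, the noise level, `n_av = 50` and the threshold of 0.02 are constructed assumptions, and the innovation is computed with the estimate available before each update.

```python
import math
import random
from collections import deque

P0 = 1.0e6                           # "very large values (in the order of 10^6)"
THETA_NOMINAL = [0.05, -1.0, -1.5]   # constructed [Cm0, Cm_alpha, Cm_delta_e]
THETA_FAILED = [0.15, -1.0, -0.5]    # constructed values after the failure


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


class TriggeredRLS:
    """RLS without forgetting factor, plus a covariance reset trigger."""

    def __init__(self, n_par, n_av, threshold):
        self.n_par = n_par
        self.n_av = n_av
        self.threshold = threshold
        self.theta = [0.0] * n_par
        # Holds Delta(k - i) for i = 0..n_av, the terms summed in (13.23).
        self.window = deque(maxlen=n_av + 1)
        self.reset_covariance()

    def reset_covariance(self):
        n = self.n_par
        self.P = [[P0 if i == j else 0.0 for j in range(n)] for i in range(n)]
        self.window.clear()          # old innovations belong to the old model

    def step(self, x, z, use_trigger=True):
        """Process one sample; return True when re-identification is triggered."""
        innovation = z - dot(x, self.theta)          # residual, cf. (13.22)
        Px = [dot(row, x) for row in self.P]
        denom = 1.0 + dot(x, Px)
        gain = [v / denom for v in Px]
        self.theta = [t + g * innovation for t, g in zip(self.theta, gain)]
        for i in range(self.n_par):                  # P <- P - K x^T P (P symmetric)
            for j in range(self.n_par):
                self.P[i][j] -= gain[i] * Px[j]
        self.window.append(innovation)
        if use_trigger and len(self.window) == self.window.maxlen:
            mean_innovation = sum(self.window) / self.n_av   # (13.23)
            if abs(mean_innovation) > self.threshold:
                self.reset_covariance()
                return True
        return False


def simulate(use_trigger, n_steps=800, k_fail=500, seed=1):
    """Run one constructed flight; the parameters change at sample k_fail."""
    rng = random.Random(seed)
    rls = TriggeredRLS(n_par=3, n_av=50, threshold=0.02)
    triggers = []
    for k in range(n_steps):
        truth = THETA_NOMINAL if k < k_fail else THETA_FAILED
        alpha = 0.04 + 0.03 * math.sin(0.07 * k)     # constructed excitation
        delta_e = 0.02 * math.sin(0.19 * k)
        x = [1.0, alpha, delta_e]
        z = dot(truth, x) + rng.gauss(0.0, 0.001)    # constructed measurement noise
        if rls.step(x, z, use_trigger):
            triggers.append(k)
    return rls.theta, triggers


if __name__ == "__main__":
    for flag in (False, True):
        theta, triggers = simulate(flag)
        label = "with trigger" if flag else "without trigger"
        print(label, [round(t, 3) for t in theta], triggers)
```

Without the trigger, the estimate after the failure stays a blend of the pre-failure and post-failure data because every new sample carries little weight; with the trigger, only post-failure samples shape the estimate after the reset.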

13.6 Reconfiguring Control: Adaptive Nonlinear Dynamic Inversion

For the reconfigurable control algorithm, a model based control method needs to be
chosen. One of the valid approaches is the so-called concept of adaptive nonlinear
dynamic inversion. Nonlinear dynamic inversion has been used before in the
literature for flight control and aircraft guidance, see Ref. [2], [20] and [19], where one of
its main advantages is the absence of any need for gain scheduling over the flight
envelope. In Ref. [18], enhanced NDI strategies have been applied for reconfigurable
flight control in the case of stuck or missing effectors. However, this reference
mentions the need for relatively noise free critical measurements and uses only one
NDI loop with a position/angle allocator. The application discussed in this section,
however, can deal with noisy measurements thanks to the presence of a robust
identification routine acting on the measurements. Moreover, a dual NDI loop has been
implemented here, with inner loop body angular rate and outer loop aerodynamic
angle tracking properties. This overall combination greatly increases the ability
to reconfigure the aircraft in the presence of component as well as structural failures.

The general idea of nonlinear dynamic inversion is as follows. Consider the
nonlinear MIMO system dynamic model, which is assumed to be affine in the input:

$$\dot{x} = f(x) + G(x) \cdot u \tag{13.24}$$

The output y of the system is then expressed as a function h of the aircraft state
vector x:

$$y(x) = h(x) \tag{13.25}$$

Defining the matrix $\nabla h(x)$ as the Jacobian matrix:

$$\frac{\partial h(x)}{\partial x} = \nabla h(x) \tag{13.26}$$

the time derivatives of the outputs (13.25) can be expressed as:

$$\frac{dy}{dt} = \nabla h(x)\left[f(x) + G(x) \cdot u\right] = L_f^1 h(x) + L_g h(x)\, u \tag{13.27}$$

where $L_f^1 h(x) = \nabla h(x) f(x)$ denotes the first order Lie derivative vector and
$L_g h(x) = \nabla h(x) G(x)$. If the second term of eq. (13.27) is zero, more time
derivatives of eq. (13.27) are required, generally until the second term of eq. (13.27) is
nonzero. This nonzero time derivative order is defined as "relative degree". In
general, as the elements within the output vector y(x) may have different relative
degrees, it is convenient to write the time derivative for each output as:

$$\frac{d^{r_i} y_i}{dt^{r_i}} = \frac{d^{r_i} h_i(x)}{dt^{r_i}} = L_f^{r_i} h_i(x) + \sum_{j=1}^{m} L_{g_j} L_f^{r_i - 1} h_i(x)\, u_j \tag{13.28}$$

In eq. (13.28), $r_i$ is the relative degree for the $i$th output. A collection of all
differentiated ($r_i$th order) outputs yields:

$$y^{r}(x) = l(x) + M(x)\, u \tag{13.29}$$

with:

$$y^{r}(x) = \begin{bmatrix} \dfrac{d^{r_1} h_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} h_m(x)}{dt^{r_m}} \end{bmatrix} \tag{13.30}$$

$$l(x) = \begin{bmatrix} L_f^{r_1} h_1(x) \\ L_f^{r_2} h_2(x) \\ \vdots \\ L_f^{r_m} h_m(x) \end{bmatrix} \tag{13.31}$$

and

$$M(x) = \begin{bmatrix}
L_{g_1} L_f^{r_1 - 1} h_1(x) & L_{g_2} L_f^{r_1 - 1} h_1(x) & \cdots & L_{g_m} L_f^{r_1 - 1} h_1(x) \\
L_{g_1} L_f^{r_2 - 1} h_2(x) & L_{g_2} L_f^{r_2 - 1} h_2(x) & \cdots & L_{g_m} L_f^{r_2 - 1} h_2(x) \\
\vdots & \vdots & \ddots & \vdots \\
L_{g_1} L_f^{r_m - 1} h_m(x) & L_{g_2} L_f^{r_m - 1} h_m(x) & \cdots & L_{g_m} L_f^{r_m - 1} h_m(x)
\end{bmatrix} \tag{13.32}$$
Solving for u if the total relative degree $r = r_1 + r_2 + \ldots + r_m = n$, with n the
number of states of the system, by introducing a virtual outer loop control input
vector $\nu$, which consists of time derivatives of control variables $cv_i(x)$ up to the
corresponding relative degree $r_i$:

$$u = M^{-1}(x)\left[\nu - l(x)\right] \tag{13.33}$$

with:

$$\nu(x) = \begin{bmatrix} \dfrac{d^{r_1} cv_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} cv_m(x)}{dt^{r_m}} \end{bmatrix} \tag{13.34}$$

then this results in a closed-loop system with a linear and decoupled input-output
relation:

$$y^{r}(x) = \begin{bmatrix} \dfrac{d^{r_1} h_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} h_m(x)}{dt^{r_m}} \end{bmatrix} = \nu = \begin{bmatrix} \dfrac{d^{r_1} cv_1(x)}{dt^{r_1}} \\ \vdots \\ \dfrac{d^{r_m} cv_m(x)}{dt^{r_m}} \end{bmatrix} \tag{13.35}$$

Thus the control law for tracking tasks

$$\frac{d^{r_i} cv_i}{dt^{r_i}} = \frac{d^{r_i} h_{i_d}}{dt^{r_i}} - k_{0_i} e - k_{1_i} \dot{e} - \ldots - k_{(r_i - 1)_i}\, e^{(r_i - 1)} \quad \text{with } e = y_{i_d}(t) - y_i(t) \tag{13.36}$$

for $i = 1, \ldots, m$ with the $k_j$'s chosen so that $p^n + k_{n-1} p^{n-1} + \ldots + k_1 p$ is a stable
polynomial, leads to the exponentially stable tracking dynamics for $i = 1, \ldots, m$:

$$e^{(r_i)} + k_{(r_i - 1)_i}\, e^{(r_i - 1)} + \ldots + k_{1_i} \dot{e} + k_{0_i} e = 0 \quad \text{with } e(t) \to 0 \tag{13.37}$$

By making use of Nonlinear Dynamic Inversion (NDI), the nonlinear aircraft
dynamics can be cancelled out such that the resulting system behaves like a pure
single r-th order integrator. In (13.33), l(x) represents the airframe/engine model
and M(x) is the so-called effector blending model. Note that the effector blending
model M(x) needs to be inverted. See also ref. [3] and [21].
Equation (13.33) can be rewritten for an aircraft by considering the dynamic
equation of an aircraft:

$$\dot{x} = \begin{bmatrix} \dot{p} \\ \dot{q} \\ \dot{r} \end{bmatrix} = I^{-1} \begin{bmatrix} L \\ M \\ N \end{bmatrix} - I^{-1} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \times \left( I \begin{bmatrix} p \\ q \\ r \end{bmatrix} \right) \tag{13.38}$$

where $[p \; q \; r]^T$ are the rotational rates and $[L \; M \; N]^T$ the angular moments acting
on the aircraft. The inertia matrix I stands for:

$$I = \begin{bmatrix} I_{xx} & -I_{xy} & -I_{xz} \\ -I_{yx} & I_{yy} & -I_{yz} \\ -I_{zx} & -I_{zy} & I_{zz} \end{bmatrix} \tag{13.39}$$

where the moments of inertia $I_{xy}$, $I_{yx}$, $I_{yz}$ and $I_{zy}$ are assumed to be zero. As outlined
in Section 13.2.2, these angular moments can be seen as a combination of different
state and control variables. With the model described here, a controller has a
complete overview of aircraft behaviour as a function of states and control settings. NDI
cancels out all non-linear parts, in order to obtain a system which behaves as a pure
integrator, regardless of the state. This pure integrator can be controlled by a
linear controller which produces the virtual control input $[\nu_p \; \nu_q \; \nu_r]^T$. Relying on the
information given in (13.15), (13.18) and (13.21), the aircraft dynamics in (13.38)
can be rewritten in the form of (13.33). Here it should be noted that (13.18) and
(13.21) can be split into a part describing the contribution of the states and a
contribution of the control surface settings, where thrust, stabilizer and flaps are grouped
together with the states in the airframe/engine model. Moreover, the individual
control derivatives of the different aileron, elevator, rudder and spoiler surfaces from
the identification step have been combined into equivalent global control derivatives
which are used in the effector blending model of the control phase.
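Inserting this into (13.38) yields

$$\dot{x} = \begin{bmatrix} \dot{p} \\ \dot{q} \\ \dot{r} \end{bmatrix} = \frac{1}{2}\rho V^2 S\, I^{-1} \left( \begin{bmatrix} b\, C_{l_{states}} \\ c\, C_{m_{states}} \\ b\, C_{n_{states}} \end{bmatrix} + \begin{bmatrix} b\, \tilde{C}_{l_{\delta_a}} & 0 & b\, \tilde{C}_{l_{\delta_r}} \\ 0 & c\, \tilde{C}_{m_{\delta_e}} & 0 \\ b\, \tilde{C}_{n_{\delta_a}} & 0 & b\, \tilde{C}_{n_{\delta_r}} \end{bmatrix} \begin{bmatrix} \delta_a \\ \delta_e \\ \delta_r \end{bmatrix} \right) - I^{-1} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \times \left( I \begin{bmatrix} p \\ q \\ r \end{bmatrix} \right) \tag{13.40}$$

where:

$$\tilde{C}_{l_{\delta_a}} = -C_{l_{\delta_{a_{ir}}}} + C_{l_{\delta_{a_{il}}}} - C_{l_{\delta_{a_{or}}}} + C_{l_{\delta_{a_{ol}}}} - C_{l_{\delta_{sp_1}}} \ldots - C_{l_{\delta_{sp_5}}} + C_{l_{\delta_{sp_8}}} \ldots + C_{l_{\delta_{sp_{12}}}} \tag{13.41}$$

$$\tilde{C}_{n_{\delta_a}} = -C_{n_{\delta_{a_{ir}}}} + C_{n_{\delta_{a_{il}}}} - C_{n_{\delta_{a_{or}}}} + C_{n_{\delta_{a_{ol}}}} - C_{n_{\delta_{sp_1}}} \ldots - C_{n_{\delta_{sp_5}}} + C_{n_{\delta_{sp_8}}} \ldots + C_{n_{\delta_{sp_{12}}}} \tag{13.42}$$

$$\tilde{C}_{m_{\delta_e}} = C_{m_{\delta_{e_{ir}}}} + C_{m_{\delta_{e_{il}}}} + C_{m_{\delta_{e_{or}}}} + C_{m_{\delta_{e_{ol}}}} \tag{13.43}$$

$$\tilde{C}_{l_{\delta_r}} = C_{l_{\delta_{r_u}}} + C_{l_{\delta_{r_l}}} \tag{13.44}$$

$$\tilde{C}_{n_{\delta_r}} = C_{n_{\delta_{r_u}}} + C_{n_{\delta_{r_l}}} \tag{13.45}$$

and

$$\begin{bmatrix} C_{l_{states}} \\ C_{m_{states}} \\ C_{n_{states}} \end{bmatrix} = \begin{bmatrix}
C_{l_0} + C_{l_\beta}\beta + C_{l_p}\dfrac{pb}{2V} + C_{l_r}\dfrac{rb}{2V} + C_{l_{T_c}} T_c \\
C_{m_0} + C_{m_\alpha}\alpha + C_{m_q}\dfrac{q\bar{c}}{V} + C_{m_{i_h}} i_h + C_{m_{\delta_{f_o}}}\delta_{f_o} + C_{m_{\delta_{f_i}}}\delta_{f_i} + C_{m_{T_c}} T_c \\
C_{n_0} + C_{n_\beta}\beta + C_{n_p}\dfrac{pb}{2V} + C_{n_r}\dfrac{rb}{2V} + C_{n_{T_c}} T_c
\end{bmatrix} \tag{13.46}$$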

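In order to obtain rate control, the rotational rates of the aircraft are selected to be
the control variables.

$$cv(x) = \begin{bmatrix} p & q & r \end{bmatrix}^T \tag{13.47}$$

Differentiation of this results in the virtual inputs:

$$\frac{d\, cv(x)}{dt} = \dot{x} = \begin{bmatrix} \nu_p & \nu_q & \nu_r \end{bmatrix}^T \tag{13.48}$$

At this point, equation (13.40) can be solved for the control inputs $[\delta_a \; \delta_e \; \delta_r]^T$,
resulting in a similar structure as in (13.33):

$$\begin{bmatrix} \delta_a \\ \delta_e \\ \delta_r \end{bmatrix} = \begin{bmatrix} b\, \tilde{C}_{l_{\delta_a}} & 0 & b\, \tilde{C}_{l_{\delta_r}} \\ 0 & c\, \tilde{C}_{m_{\delta_e}} & 0 \\ b\, \tilde{C}_{n_{\delta_a}} & 0 & b\, \tilde{C}_{n_{\delta_r}} \end{bmatrix}^{-1} \cdot \left\{ \frac{I}{\tfrac{1}{2}\rho V^2 S} \left( \begin{bmatrix} \nu_p \\ \nu_q \\ \nu_r \end{bmatrix} + I^{-1} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \times \left( I \begin{bmatrix} p \\ q \\ r \end{bmatrix} \right) \right) - \begin{bmatrix} b\, C_{l_{states}} \\ c\, C_{m_{states}} \\ b\, C_{n_{states}} \end{bmatrix} \right\} \tag{13.49}$$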

The first part of (13.49) performs the control inversion, while the second part
contains the state inversion.

Subsequently, the different aileron, elevator, rudder and spoiler surfaces are
coupled and deflect in a fixed coordinated way. The development of a more flexible
control allocation algorithm is part of the future work. Nevertheless, the results
shown here prove that this simplification has no serious detrimental effect on the
performance of the FTFC module.

The classical weakness of NDI, its sensitivity to modelling errors which leads
to erroneous inversion and thus a possibly unstable result, is circumvented here by
making use of the real time identified physical model, which has a greater
accuracy than an off-line model. As a result, one does not only obtain an adaptive NDI
routine which renders the aircraft behaviour like a pure integrator in nominal
situations: in failure situations, the modified aircraft model is identified by the two step
method and immediately applied in the model-based adaptive NDI routine, which
allows reconfiguring for the failure in real time. The NDI routine is composed of
two loops. The inner loop allows for rate control on roll and pitch steering. Yaw
control is achieved by sideslip control. This is an optimal way of manual control
for the human pilot. The outer loop adds another NDI routine for angle control on
heading, flight path angle and sideslip. This is the so-called concept of angle control,
where it should be noted that the angles of the groundspeed velocity vector and not
the aircraft angles are controlled. These three quantities form an ideal basis for the
design of the classical autopilot modes (under development), which can be designed
in the final overall outer loop by making use of classical feedback or alternatively
NDI control. Classical feedback control can be sufficient in this outer loop, since the
closed middle and inner loop system relying on NDI twice has a linear input-output
relation.
Research has revealed that this adaptive model based control approach has an
important advantage since a very representative aerodynamic model is available by
means of the two step method described earlier. In this way, a fault tolerant control
scheme has been obtained which is virtually capable of handling any aircraft failure,
as long as it is identified and represented correctly by the on-line aircraft model.
Despite the promising impression of adaptive NDI, there are still some issues and
risks in development and implementation. Especially for fault tolerant flight control
using NDI, two issues arise. First of all, there is the problem of robustness: if the real
time identification routine is not able to make an accurate fit of the aircraft model,
the possibility exists that classical NDI leads to an unsatisfactory result. Therefore,
robust NDI should be considered for application in this context, but real time
applicability is a major concern here. Moreover, the risk of singularity needs precautions.
Since inversion of the effector blending model b(x) is needed, singularity
requirements apply to this model. This is the domain of control allocation, which still needs
further investigation.
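The rate control inversion of (13.49) and the two risks named above, as an added example that is not part of the original chapter: deflections are computed from the virtual inputs, substituted back into the rate dynamics of (13.40), and the achieved angular accelerations are compared with the demand for a matching model, for a stale model after a change in rudder effectiveness, and for an effector matrix that has become singular. All inertia values, coefficients, flight condition numbers and function names are constructed assumptions.

```python
def cross(a, b):
    return [a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0]]


def mat_vec(m, v):
    return [sum(mij * vj for mij, vj in zip(row, v)) for row in m]


def inv3(m, rel_tol=1e-9):
    """Inverse of a 3x3 matrix; refuses a (near) singular matrix."""
    (a, b, c), (d, e, f), (g, h, i) = m
    det = a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)
    scale = max(abs(v) for row in m for v in row)
    if abs(det) <= rel_tol * scale ** 3:
        raise ValueError("matrix is singular: a control channel has no effector left")
    return [[(e * i - f * h) / det, (c * h - b * i) / det, (b * f - c * e) / det],
            [(f * g - d * i) / det, (a * i - c * g) / det, (c * d - a * f) / det],
            [(d * h - e * g) / det, (b * g - a * h) / det, (a * e - b * d) / det]]


# Constructed numbers for illustration only.
QBAR_S = 0.5 * 1.0 * 130.0 ** 2 * 500.0          # 1/2 rho V^2 S
B, C = 60.0, 8.0                                  # span b and chord c
INERTIA = [[2.5e7, 0.0, -1.3e6], [0.0, 4.5e7, 0.0], [-1.3e6, 0.0, 6.7e7]]
STATES = {"Cl": 0.001, "Cm": -0.01, "Cn": 0.002}  # Cl_states, Cm_states, Cn_states
NOMINAL = {"Cl_da": 0.05, "Cl_dr": 0.01, "Cm_de": -1.2, "Cn_da": 0.005, "Cn_dr": -0.10}
DAMAGED = dict(NOMINAL, Cl_dr=0.005, Cn_dr=-0.05)  # rudder effectiveness halved
NO_RUDDER = dict(NOMINAL, Cl_dr=0.0, Cn_dr=0.0)    # no rudder effectiveness left


def effector_matrix(d):
    """Effector blending matrix that is inverted in (13.49)."""
    return [[B * d["Cl_da"], 0.0, B * d["Cl_dr"]],
            [0.0, C * d["Cm_de"], 0.0],
            [B * d["Cn_da"], 0.0, B * d["Cn_dr"]]]


def state_moments():
    return [B * STATES["Cl"], C * STATES["Cm"], B * STATES["Cn"]]


def ndi_rate_control(nu, omega, model):
    """Eq. (13.49): deflections [da, de, dr] for virtual inputs nu."""
    gyro = cross(omega, mat_vec(INERTIA, omega))
    # I (nu + I^-1 (omega x I omega)) = I nu + omega x I omega
    demanded = [m + g for m, g in zip(mat_vec(INERTIA, nu), gyro)]
    rhs = [dm / QBAR_S - s for dm, s in zip(demanded, state_moments())]
    return mat_vec(inv3(effector_matrix(model)), rhs)


def body_rate_derivative(delta, omega, plant):
    """Eq. (13.40): [p_dot, q_dot, r_dot] of the aircraft for deflections delta."""
    control = mat_vec(effector_matrix(plant), delta)
    moments = [QBAR_S * (s + c) for s, c in zip(state_moments(), control)]
    gyro = cross(omega, mat_vec(INERTIA, omega))
    return mat_vec(inv3(INERTIA), [m - g for m, g in zip(moments, gyro)])


def tracking_error(model, plant, nu=(0.05, 0.02, 0.03), omega=(0.1, 0.05, -0.02)):
    """Largest difference between demanded and achieved angular acceleration."""
    delta = ndi_rate_control(nu, omega, model)
    achieved = body_rate_derivative(delta, omega, plant)
    return max(abs(a - n) for a, n in zip(achieved, nu))


if __name__ == "__main__":
    print("model matches aircraft :", tracking_error(NOMINAL, NOMINAL))
    print("stale model after fault:", tracking_error(NOMINAL, DAMAGED))
    print("re-identified model    :", tracking_error(DAMAGED, DAMAGED))
```

Calling `ndi_rate_control` with `NO_RUDDER` raises `ValueError`, because the third column of the effector matrix is zero and the inversion in (13.49) no longer exists.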
For the applications in this Garteur context, some assumptions have been made.
Namely, a sufficiently accurate aircraft model should be supplied by the
identification procedure, such that NDI can be applied successfully. Generally, this is
not a problem for the two step method considering the failure cases which have
been investigated in this research project. Secondly, after the failure, every channel
(roll/pitch/yaw) of the crippled aircraft still needs to be controllable in some way,
otherwise no effector blending model inversion is possible.

The principle of Adaptive NDI (ANDI) has been applied on two levels. The lower
level is manual control, which has been verified by means of workload evaluation
runs in the SIMONA Research Simulator and is discussed extensively in Chapter
17. The upper level is full automatic autopilot control, which has been evaluated by
the previously defined assessment criteria. For both control alternatives, the same
inner loop has been established, which focuses on pure body fixed angular rate
control as elaborated in equation (13.49) and as illustrated in Fig. 13.7. The distinction
between the inner and outer loop has been based upon the time scale separation
principle. Note that in each approach, the two step method is operational and
supplying the real time identified model parameters, including failure characteristics
when relevant.

13.6.1 Autopilot Control: Assessment Criteria


For autopilot control, a double loop is needed over the inner loop rate control de-
scribed earlier. Similarly as for the manual control lay-out, a pure classical feedback
loop works for unfailed aircraft, but this will not perform adequately for asymmetri-
cally damaged aircraft, where a certain steady non-zero sideslip angle β and/or roll
angle φ are necessary to compensate for the asymmetry. Therefore, all loops con-
sidered here must be NDI-based. The middle loop quantities are the aerodynamic
angles, namely roll angle φ , angle of attack α and sideslip angle β . The equations
for the three quantities need to be derived.

Fig. 13.7 NDI rate control inner loop

First, in order to obtain roll angle control, an equation needs to be found which
expresses the change in roll angle in terms of the required rotational rates. Reference
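[17] provides:

$$\frac{d\phi}{dt} = \dot{\phi} = p + (q \sin\phi + r \cos\phi)\tan\theta \tag{13.50}$$

Separating the rotational rates $[p \;\; q \;\; r]^T$ yields:

$$\dot{\phi} = \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.51}$$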

Second, the angle of attack must be represented in a similar way, in terms of the
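required rotational rates. Since:

$$\dot{\alpha} \approx \dot{\theta} - \dot{\gamma} \tag{13.52}$$

this problem boils down to finding equations for θ̇ and γ̇. The glideslope angle γ
is the angle between the total velocity vector and its vertical component in the earth
fixed reference frame:

$$\begin{aligned}
\sin\gamma &= \frac{w_e}{V} \\
\gamma &= \arcsin\left(\frac{w_e}{V}\right)
\end{aligned} \tag{13.53}$$

A descent ($w_e > 0$) results in a positive glideslope angle. Differentiating (13.53)
results in:

$$\begin{aligned}
\dot{\gamma} &= \frac{1}{\sqrt{1 - \frac{w_e^2}{V^2}}}\,\frac{\dot{w}_e}{V} = \frac{\dot{w}_e}{\sqrt{V^2 - w_e^2}} \\
&= \frac{1}{\sqrt{V^2 - w_e^2}} \cdot \left[-A_x \sin\theta + A_y \sin\phi\cos\theta + A_z \cos\phi\cos\theta + g\right]
\end{aligned} \tag{13.54}$$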

This equation is obtained by rotating the vertical acceleration Az from the earth into
the body reference frame. Note that no rotational rates can be found in this equation.
On the other hand, the time derivative of the pitch angle θ̇ depends on the rates in
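the following way:

$$\dot{\theta} = q \cos\phi - r \sin\phi \tag{13.55}$$

Separating the rates yields:

$$\dot{\theta} = \begin{bmatrix} 0 & \cos\phi & -\sin\phi \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.56}$$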

Combining (13.52), (13.54) and (13.56) results in the NDI equation for the angle of
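attack α:

$$\begin{aligned}
\dot{\alpha} \approx \dot{\theta} - \dot{\gamma} = &-\frac{1}{\sqrt{V^2 - w_e^2}} \cdot \left[-A_x \sin\theta + A_y \sin\phi\cos\theta + A_z \cos\phi\cos\theta + g\right] \\
&+ \begin{bmatrix} 0 & \cos\phi & -\sin\phi \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix}
\end{aligned} \tag{13.57}$$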

It now becomes clear that the rotational rates can be found in this overall equation
and thus NDI can be applied.
The last outer loop is needed in order to convert the yaw rate r towards a sideslip
β command. This loop must also be NDI-based, where the feedback path makes use
of the lateral specific force Ay (which is related to the sideslip angle), the roll angle
φ and the pitch attitude angle θ .
The control law can be deduced, where a relationship must be found between the
sideslip angle β and the body fixed angular rates. From [17], the sideslip angle β
can be written as follows:
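$$v = V \sin\beta \tag{13.58}$$

Rewriting for β and differentiating and inserting the equation for v̇ from the nonlinear
aircraft kinematics yields:

$$\begin{aligned}
\dot{\beta} &= \frac{d}{dt}\arcsin\left(\frac{v}{V}\right) = \frac{1}{\sqrt{V^2 - v^2}} \cdot \dot{v} \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[A_y + g\cos\theta\sin\phi + pw - ru\right] \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[A_y + g\cos\theta\sin\phi\right] + \begin{bmatrix} \frac{w}{\sqrt{V^2 - v^2}} & 0 & \frac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix} \begin{bmatrix} p \\ q \\ r \end{bmatrix}
\end{aligned} \tag{13.59}$$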

The different controls for roll angle φ , angle of attack α and sideslip angle β can
now be combined in the following equation:
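
$$\begin{bmatrix} \dot{\phi} \\ \dot{\alpha} \\ \dot{\beta} \end{bmatrix} =
\begin{bmatrix} 0 \\ -\frac{1}{\sqrt{V^2 - w_e^2}} \cdot \left[-A_x \sin\theta + A_y \sin\phi\cos\theta + A_z \cos\phi\cos\theta + g\right] \\ \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[A_y + g\cos\theta\sin\phi\right] \end{bmatrix}
+ \begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ \frac{w}{\sqrt{V^2 - v^2}} & 0 & \frac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix}
\begin{bmatrix} p \\ q \\ r \end{bmatrix} \tag{13.60}$$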

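The equation can now be rewritten for the required rotational velocities:

$$\begin{bmatrix} p \\ q \\ r \end{bmatrix} =
\begin{bmatrix} 1 & \sin\phi\tan\theta & \cos\phi\tan\theta \\ 0 & \cos\phi & -\sin\phi \\ \frac{w}{\sqrt{V^2 - v^2}} & 0 & \frac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix}^{-1} \cdot
\left\{ \begin{bmatrix} \dot{\phi} \\ \dot{\alpha} \\ \dot{\beta} \end{bmatrix} -
\begin{bmatrix} 0 \\ -\frac{1}{\sqrt{V^2 - w_e^2}} \cdot \left[-A_x \sin\theta + A_y \sin\phi\cos\theta + A_z \cos\phi\cos\theta + g\right] \\ \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[A_y + g\cos\theta\sin\phi\right] \end{bmatrix} \right\} \tag{13.61}$$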
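
The inversion in (13.60) and (13.61) as a numerical sketch, added here as an illustration and not taken from the chapter or from the authors' implementation: it builds the offset vector and the 3×3 rate matrix, solves for the required p, q, r, and refuses to invert when the matrix is near-singular. The function names, the determinant floor and the sample state values are assumptions constructed for this example; the closed-form determinant follows from a cofactor expansion of the matrix in (13.60).

```python
import math

G = 9.80665  # gravitational acceleration [m/s^2]


def middle_loop_terms(s):
    """Return (a, B) with [phi_dot, alpha_dot, beta_dot] = a + B [p, q, r], eq. (13.60)."""
    sphi, cphi = math.sin(s["phi"]), math.cos(s["phi"])
    sth, cth, tth = math.sin(s["theta"]), math.cos(s["theta"]), math.tan(s["theta"])
    v_sq = s["u"] ** 2 + s["v"] ** 2 + s["w"] ** 2
    root_a = math.sqrt(v_sq - s["w_e"] ** 2)  # sqrt(V^2 - w_e^2)
    root_b = math.sqrt(v_sq - s["v"] ** 2)    # sqrt(V^2 - v^2)
    a = [
        0.0,
        -(-s["Ax"] * sth + s["Ay"] * sphi * cth + s["Az"] * cphi * cth + G) / root_a,
        (s["Ay"] + G * cth * sphi) / root_b,
    ]
    B = [
        [1.0, sphi * tth, cphi * tth],
        [0.0, cphi, -sphi],
        [s["w"] / root_b, 0.0, -s["u"] / root_b],
    ]
    return a, B


def det3(m):
    """Determinant of a 3x3 matrix given as nested lists."""
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def closed_form_det(s):
    """det B = -(u cos(phi) + w tan(theta)) / sqrt(V^2 - v^2), with V^2 - v^2 = u^2 + w^2."""
    root_b = math.sqrt(s["u"] ** 2 + s["w"] ** 2)
    return -(s["u"] * math.cos(s["phi"]) + s["w"] * math.tan(s["theta"])) / root_b


def required_rates(s, nu, det_floor=1e-3):
    """Solve eq. (13.61) for [p, q, r]; nu is the demanded [phi_dot, alpha_dot, beta_dot].

    det_floor is an assumed guard value, not a number from the chapter.
    """
    a, B = middle_loop_terms(s)
    d = det3(B)
    if abs(d) < det_floor:
        raise ValueError("rate matrix of (13.60) is near-singular; inversion refused")
    rhs = [nu[i] - a[i] for i in range(3)]
    rates = []
    for col in range(3):  # Cramer's rule: swap one column for the right-hand side
        m = [row[:] for row in B]
        for row in range(3):
            m[row][col] = rhs[row]
        rates.append(det3(m) / d)
    return rates


def forward(s, rates):
    """Evaluate eq. (13.60) for given body rates; used to check the inversion."""
    a, B = middle_loop_terms(s)
    return [a[i] + sum(B[i][j] * rates[j] for j in range(3)) for i in range(3)]


# Constructed sample state (SI units, angles in radians); not data from the chapter.
SAMPLE_STATE = {
    "phi": math.radians(10.0), "theta": math.radians(4.0),
    "u": 130.0, "v": 2.0, "w": 8.0,   # body-axis velocity components [m/s]
    "w_e": 0.5,                       # vertical velocity, earth frame [m/s]
    "Ax": 0.6, "Ay": 0.05, "Az": -9.7,  # specific forces in body axes [m/s^2]
}

if __name__ == "__main__":
    demand = [math.radians(2.0), math.radians(0.5), 0.0]
    p, q, r = required_rates(SAMPLE_STATE, demand)
    print("required p, q, r [rad/s]:", p, q, r)
    print("check via (13.60):", forward(SAMPLE_STATE, [p, q, r]))
    print("det B:", det3(middle_loop_terms(SAMPLE_STATE)[1]))
```

The determinant vanishes when u cos φ + w tan θ = 0, so with forward speed dominating and the roll angle limits used in this section the matrix stays well conditioned; the guard matters for extreme attitudes.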

The outer loop quantities to be controlled in this setting are the true airspeed VTAS ,
the flight path angle γ and the course χ . It should be noted that these quantities allow
total control over the velocity vector, respectively regarding magnitude, elevation
and azimuth in the polar coordinates. Ref. [12] explains the conventional coupling
between the course χ and the roll angle φ . Regarding the demanded flight path angle
γcomm , this can be rewritten in terms of the required angle of attack α . Unfortunately
the expression α ≈ θ − γcomm is not accurate enough for this purpose, and therefore
a more elaborate expression is deduced from Ref. [22]:

$$\sin\gamma = a \sin\theta - b \cos\theta \tag{13.62}$$

with:

$$\begin{aligned}
a &= \cos\alpha\cos\beta \\
b &= \sin\phi\sin\beta + \cos\phi\sin\alpha\cos\beta
\end{aligned}$$

This equation has been rewritten:

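$$\sin\gamma = a \sin\theta - b \cos\theta$$

with:

$$\begin{aligned}
a &= \cos\alpha\cos\beta \approx 1 \\
b &= \sin\phi\sin\beta + \cos\phi\sin\alpha\cos\beta
\end{aligned}$$

$$\begin{aligned}
\sin\gamma &= \sin\theta - (\sin\phi\sin\beta + \cos\phi\sin\alpha\cos\beta)\cos\theta \\
\cos\phi\sin\alpha\cos\beta\cos\theta &= -\sin\gamma + \sin\theta - \sin\phi\sin\beta\cos\theta \\
\sin\alpha &= -\frac{\sin\gamma}{\cos\phi\cos\beta\cos\theta} + \frac{\tan\theta}{\cos\phi\cos\beta} - \tan\phi\tan\beta
\end{aligned} \tag{13.63}$$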

For thrust control, an NDI loop has been added parallel to the middle loop which
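inverts the velocity $V_{TAS}$. This velocity can be expressed as:

$$V_{TAS} = \sqrt{u_b^2 + v_b^2 + w_b^2} \tag{13.64}$$

Differentiating (13.64):

$$\begin{aligned}
\dot{V}_{TAS} &= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \left(2u_b\dot{u}_b + 2v_b\dot{v}_b + 2w_b\dot{w}_b\right) \\
&= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \big( u_b\left(-g\sin\theta + rv_b - qw_b + A_x\right) \\
&\qquad + v_b\left(g\cos\theta\sin\phi + pw_b - ru_b + A_y\right) + w_b\left(g\cos\theta\cos\phi + qu_b - pv_b + A_z\right) \big)
\end{aligned}$$

and therefore

$$\begin{aligned}
\dot{V}_{TAS} &= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \bigg\{ u_b\left[-g\sin\theta + rv_b - qw_b + \frac{\rho V^2 S}{2m}\left(\tilde{C}_x + C_{x_T} T_c\right)\right] \\
&\qquad + v_b\left[g\cos\theta\sin\phi + pw_b - ru_b + \frac{\rho V^2 S}{2m}\left(\tilde{C}_y + C_{y_T} T_c\right)\right] \\
&\qquad + w_b\left[g\cos\theta\cos\phi + qu_b - pv_b + \frac{\rho V^2 S}{2m}\left(\tilde{C}_z + C_{z_T} T_c\right)\right] \bigg\} \\
&= \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}} \bigg( g\left(-u_b\sin\theta + \cos\theta\left(v_b\sin\phi + w_b\cos\phi\right)\right) \\
&\qquad + \frac{\rho V^2 S}{2m}\left(u_b\tilde{C}_x + v_b\tilde{C}_y + w_b\tilde{C}_z\right) \bigg) \\
&\quad + \frac{1}{\sqrt{u_b^2 + v_b^2 + w_b^2}}\,\frac{\rho V^2 S}{2m}\left(u_b C_{x_T} + v_b C_{y_T} + w_b C_{z_T}\right) T_c
\end{aligned} \tag{13.65}$$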

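Rewriting for the thrust lever input $T_c$ results in:

$$\begin{aligned}
T_c &= \left[\frac{\rho V^2 S}{2m}\left(u_b C_{x_T} + v_b C_{y_T} + w_b C_{z_T}\right)\right]^{-1} \cdot \\
&\qquad \left[ \dot{V}_{TAS}\sqrt{u_b^2 + v_b^2 + w_b^2} - \left( g\left(-u_b\sin\theta + \cos\theta\left(v_b\sin\phi + w_b\cos\phi\right)\right) + \frac{\rho V^2 S}{2m}\left(u_b\tilde{C}_x + v_b\tilde{C}_y + w_b\tilde{C}_z\right) \right) \right] \\
&= \left[\frac{\rho V S}{2m}\left(u_b C_{x_T} + v_b C_{y_T} + w_b C_{z_T}\right)\right]^{-1} \cdot \\
&\qquad \left[ \dot{V}_{TAS} - \left( \frac{g}{V}\left(-u_b\sin\theta + \cos\theta\left(v_b\sin\phi + w_b\cos\phi\right)\right) + \frac{\rho V S}{2m}\left(u_b\tilde{C}_x + v_b\tilde{C}_y + w_b\tilde{C}_z\right) \right) \right]
\end{aligned} \tag{13.66}$$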

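wherein:

$$\begin{aligned}
\tilde{C}_x = {} & C_{X_0} + C_{X_\alpha}\alpha + C_{X_{\alpha^2}}\alpha^2 + C_{X_q}\frac{q\bar{c}}{V} + C_{X_{\delta_{e_{ir}}}}\delta_{e_{ir}} + C_{X_{\delta_{e_{il}}}}\delta_{e_{il}} + C_{X_{\delta_{e_{or}}}}\delta_{e_{or}} \\
& + C_{X_{\delta_{e_{ol}}}}\delta_{e_{ol}} + C_{X_{i_h}} i_h + C_{X_{\delta_{f_o}}}\delta_{f_o} + C_{X_{\delta_{f_i}}}\delta_{f_i}
\end{aligned} \tag{13.67}$$

$$\begin{aligned}
\tilde{C}_y = {} & C_{Y_0} + C_{Y_\beta}\beta + C_{Y_p}\frac{pb}{2V} + C_{Y_r}\frac{rb}{2V} + C_{Y_{\delta_{a_{ir}}}}\delta_{a_{ir}} + C_{Y_{\delta_{a_{il}}}}\delta_{a_{il}} + C_{Y_{\delta_{a_{or}}}}\delta_{a_{or}} \\
& + C_{Y_{\delta_{a_{ol}}}}\delta_{a_{ol}} + C_{Y_{\delta_{r_u}}}\delta_{r_u} + C_{Y_{\delta_{r_l}}}\delta_{r_l} + C_{Y_{\delta_{sp_1}}}\delta_{sp_1} + \ldots + C_{Y_{\delta_{sp_{12}}}}\delta_{sp_{12}}
\end{aligned} \tag{13.68}$$

$$\begin{aligned}
\tilde{C}_z = {} & C_{Z_0} + C_{Z_\alpha}\alpha + C_{Z_q}\frac{q\bar{c}}{V} + C_{Z_{\delta_{e_{ir}}}}\delta_{e_{ir}} + C_{Z_{\delta_{e_{il}}}}\delta_{e_{il}} + C_{Z_{\delta_{e_{or}}}}\delta_{e_{or}} + C_{Z_{\delta_{e_{ol}}}}\delta_{e_{ol}} \\
& + C_{Z_{i_h}} i_h + C_{Z_{\delta_{f_o}}}\delta_{f_o} + C_{Z_{\delta_{f_i}}}\delta_{f_i}
\end{aligned} \tag{13.69}$$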

As a result, Fig. 13.8 shows the autopilot control outer loop architecture. In this
set-up the outer loop quantities VTAS , γ and χ can provide the connection to the
Mode Control Panel, operated by the human pilot, on which he can set up specific
values for these quantities to be tracked. Alternatively, and as used in the exper-
iments considered here, the same quantities can be used to implement waypoint
control, where these quantities can be calculated from the distance between the last
and next waypoint in the three cartesian coordinate components using trigonometry.
Finally, two more remarks must be added concerning Fig. 13.8. The acronym ‘LC’
stands for linear controller. Moreover, some requirements have been implemented
on the roll angle, which is limited between +45° and −45°. These maximum roll
angles should be adapted in post failure conditions, dependent upon the extent of
the damage suffered by the aircraft, and thus how far the safe flight envelope has
been reduced.
In order to have some commonality in the evaluation of the different FTFC strate-
gies, it has been decided to focus on three cases for the off-line evaluation, namely
stabilizer runaway, rudder loss and the engine separation Bijlmermeer accident. In
order to save space, the first two scenarios are discussed jointly below.

13.6.1.1 Stabilizer Runaway and Rudder Loss


First of all, a comparison has been made between the unfailed and the failed trajec-
tory, as can be seen in Fig. 9(a). It is clear that there is almost no difference in the
trajectory between the unfailed and the stabilizer runaway situation. For the rudder
loss scenario, there is a significant difference. The reason for this is that the maximum
safe roll angle without rudder is limited to 20°. This is related to the issue

Fig. 13.8 NDI autopilot outer loop, featuring VTAS , γ and χ control

of the post-failure safe flight envelope. Currently, these manoeuvre limits have been
defined heuristically following evaluating simulation runs for this analysis. Future
research will investigate the use of safe flight envelope prediction in order to derive
these manoeuvre limits based on the model estimation parameters. Two benchmark
trajectory phases have been analysed for this control setup, namely straight flight
and right hand turn. The straight flight is the time span between the failure oc-
currence and the first waypoint. The phase between first and second waypoint is
classified as the right hand turn manoeuvre. Besides, the beneficial influence of the
repeated identification procedure after failure is illustrated in Fig. 9(b). As can be
seen in this figure, the NDI controller is not capable of flying properly from the
second waypoint towards the third one without identifying the new aircraft dynam-
ics. As a matter of fact, loss of the rudder is a drastic structural failure, as already
illustrated in section 13.4.2, and the NDI controller is not able to fulfil the mission
profile with the new aircraft configuration if the mathematical model used by the
controller is not updated post-failure.
Concerning the straight flight phase, the states as well as the specific forces have
been analysed in Fig. 13.10. The state requirements are clearly all satisfied, and
also the specific forces seem acceptable. It is apparent that there is no significant
influence from the stabilizer runaway in any of the graphs. The rudder loss effect
is clearly visible in the lateral specific force Ay time history. However, the force
scale shows that this is not a significant issue. Also for the right turn, the state re-
quirements are satisfied as can be seen in Fig. 13.11. Due to the more stringent
roll angle limitation from 30 to 20 degrees after rudder loss, it takes a longer time
to execute the turn in the different scenarios, which explains the time difference in
figures 11(a) and 11(b). The same issue holds for the kinematic acceleration require-
ments in Fig. 13.12. Only body roll and yaw rates together with sideslip angle suffer
small violations of the specifications; this is connected to the behaviour explained

Fig. 13.9 Aircraft trajectory with FTFC autopilot along three waypoints (3D view of the trajectory): (a) aircraft trajectory with FTFC autopilot along three waypoints in the scenarios unfailed, stabilizer runaway and rudder loss; (b) part of aircraft trajectory with FTFC autopilot between two final waypoints in the scenario rudder loss without identification

below, together with the analysis of the lateral kinematic acceleration. Analysing
the kinematic accelerations in Fig. 13.12 shows that only the lateral kinematic ac-
celeration ay is not satisfied. This is caused by the directional stability problem, due
to the missing rudder surface. This missing rudder eliminates directional stability,
as shown in Fig. 5(c). Consequently, lateral damping is insufficient during the turn,
and after ending the right hand turn, the aircraft also has the tendency to continue
a slipping flight, which is indicated by the time history of this quantity. This prob-
lem can be solved by incorporating differential thrust in order to promote artificial
lateral damping. This is one of the points for further work.
The control surface deflections are shown and compared hereafter. Fig. 13.13
shows the control surface deflections commanded by the fault tolerant flight control
system in a nominal unfailed scenario. On the contrary, Fig. 13.14 gives the same

Fig. 13.10 Straight flight phase performance check with assessment criteria for stabilizer runaway and rudder loss: (a) states; (b) specific forces

Fig. 13.11 Right turn flight phase states performance check with assessment criteria for stabilizer runaway and rudder loss: (a) states nominal and stabilizer runaway; (b) states rudder loss

Fig. 13.12 Right turn flight phase kinematic accelerations performance check with assessment criteria for stabilizer runaway and rudder loss: (a) states nominal and stabilizer runaway; (b) states rudder loss

deflections in the stabilizer runaway scenario. In this figure, it can be seen that the
elevators compensate for the disturbing stabilizer failure. Finally, Fig. 13.15 repre-
sents the control surface deflections in the vertical tail loss scenario. Here, it is clear
that there are no rudder deflections anymore after the failure, since the aircraft lacks
the complete rudder. On the contrary, aileron and spoiler deflections indicate that
they are more active compared to the unfailed scenario, since they are compensat-
ing for the lack of rudder input.

13.6.1.2 Engine Separation Bijlmermeer Accident


Comparing the unfailed and failed trajectories for the engine separation scenario
leads to the result shown in Fig. 13.16. The classic controller is by no means
capable of handling the failure, while the nonlinear dynamic inversion based fault

Fig. 13.13 Nominal scenario flight control surface deflections: (a) ailerons and spoilers; (b) elevators, stabilizer and rudders

Fig. 13.14 Stabilizer runaway scenario flight control surface deflections: (a) ailerons and spoilers; (b) elevators, stabilizer and rudders

Fig. 13.15 Vertical tail loss scenario flight control surface deflections: (a) ailerons and spoilers; (b) elevators, stabilizer and rudders

Fig. 13.16 Aircraft trajectory with autopilot along three waypoints in the scenarios FTFC controlled no failure, FTFC controlled with failure, classically controlled with failure (3D view of the trajectory)

tolerant controller clearly can. Despite its failure accommodation qualities, it is clear
that there is a difference in the trajectory between the unfailed and the NDI failed
situation. The reason for this is again that the maximum safe roll angle with right
wing damage, lost right wing engines and only half the hydraulics is limited to 20°,
again due to the post-failure safe flight envelope. The same two benchmark trajec-
tory phases have been analysed for this scenario too. The straight flight is the time
span between the failure occurrence and the first waypoint. The phase between first
and second waypoint is classified as the right hand turn manoeuvre.

Fig. 13.17 Straight flight phase performance check with assessment criteria for the three engine separation scenarios: (a) states; (b) specific forces

Fig. 13.18 Right turn flight phase states performance check with assessment criteria for the three engine separation scenarios: (a) states nominal; (b) states engine separation

Concerning the straight flight phase, the states as well as the specific forces have
been analysed in Fig. 13.17.
The state requirements are satisfied, and also the specific forces seem acceptable
in Fig. 13.17. In the state graphs, it can be seen that proper energy management is
important in this failed situation as explained in chapter 6; only altitude or speed can
be maintained. The choice has been made to increase speed up to 170 m/s and then
to allow the speed to decrease down to 133.8 m/s, after which the throttle is opened.
From figs. 13.18 and 13.19, the same conclusions can be drawn. Due to the more
stringent roll angle limitation from 30 to 20 degrees after the engine separation fail-
ure, it takes a longer time to execute the turn in the failed scenario, which explains
the time difference. All requirements in figs. 13.18 and 13.19 are satisfied. In the

Fig. 13.19 Right turn flight phase kinematic accelerations performance check with assessment criteria for the three engine separation scenarios: (a) kinematic accelerations nominal runaway; (b) kinematic acceleration engine separation

Fig. 13.20 Nominal scenario flight control surface deflections: (a) ailerons and spoilers; (b) elevators, stabilizer and rudders

Fig. 13.21 Engine separation scenario with fault tolerant controller flight control surface deflections: (a) ailerons and spoilers; (b) elevators, stabilizer and rudders

Fig. 13.22 Engine separation scenario with classic controller flight control surface deflections: (a) ailerons and spoilers; (b) elevators, stabilizer and rudders

failed situation the requirements on the lateral kinematic acceleration ay are not
completely met. This is due to the asymmetric damage. A certain non-zero roll an-
gle φ , sideslip angle β and thus lateral kinematic acceleration ay are needed to keep
the aircraft in equilibrium.
The control surface deflections are shown and compared hereafter. Fig. 13.20
shows the control surface deflections commanded by the fault tolerant flight con-
trol system in a nominal unfailed scenario. Fig. 13.21 gives the same deflections in
the engine separation scenario. In this figure, it can be seen that quite some control
surfaces are inoperative due to the partial loss of hydraulics. However, the remain-
ing operative control surfaces, like two of the four elevators and a small subset of
ailerons and spoilers, are able to steer the aircraft along the predefined waypoints.
Finally, Fig. 13.22 represents the control surface deflections for the same engine
separation scenario, but with the classical controller with less control authority. The
simulation ends considerably sooner compared with figs. 13.20 and 13.21; this is
because the aircraft hits the terrain.

13.7 Computational Load


Due to the large increase in computer calculation power over recent years, the ad-
vanced computations required for parameter estimation can now be performed in
real-time on a PC with a Pentium 4 processor. Even when the calculation effort is
increased by using a larger number of parameters or multiple covariance matrices,
simulations show that modern PC systems are able to perform the calculations at
frequencies ranging from 20 Hz to 100 Hz.
From a computational perspective, the routine applied here consists of three ma-
jor modules, namely an Iterated Extended Kalman Filter, a Recursive Least Squares
procedure and a Nonlinear Dynamic Inversion routine. Of these, the first one is the
heaviest from a computational point of view, and thus the one with the largest pos-
sible gain in computational cost. However, this Iterated Extended Kalman filter is
needed in order to deal with the disturbances which occur in sensor information (bi-
ases and noise) and to take into account atmospheric wind. The last aspect leads to
the transition from an EKF towards an IEKF with an additional iteration loop in the
update step. However, when one can assume that a state observer is included in a
separate part of the avionics, the computational cost can be reduced considerably.
Nevertheless, for all results presented in this chapter, it is important to realize that
this last assumption has not been made.

13.8 Conclusions
Summarizing, it can be stated that, following numerical as well as physical experi-
ments on the Simona Research Simulator, the fault tolerant flight control approach
based upon the real time physical model identification integrated with nonlinear dy-
namic inversion is successful in recovering damaged aircraft. The designed methods

are capable of accommodating the damage scenarios which have been investigated
in this project.
Another important result is that model identification using the two step method
has proven to be real time implementable in practice. Experiments have shown that
even a real time static stability analysis is possible with this method.
As already stated, experiments have been performed on desktop computers and
on the Simona Research Simulator. The analysis of manual control in Simona has
demonstrated superior handling qualities; the pilot workload is reduced dramatically
in failure conditions. Also autopilot control, which has been verified numerically,
shows satisfactory performance. The crippled aircraft is kept in the air and satisfies
almost all criteria which have been defined as an evaluation standard for the FTFC
strategies.

13.9 Current and Future Work


Based upon the results which have been obtained so far, current work is developing
and future work is targeted. Current work focuses on two aspects to increase the
adaptivity of the two step method for failures. While the conventional approach
works sufficiently for the set of failures studied, it is expected that its performance
will degrade for heavily structurally damaged aircraft. For these kinds of failures,
it is important to extend the aerodynamic model structure and to estimate the mass
parameters on-line. The former is done by means of piecewise sequential modified
stepwise regression or adaptive recursive orthogonal least squares.
Longer term future research work involves the further development of NDI con-
trol with control allocation and robust control, where uncertainty bounds can be
based upon the RLS covariances. Finally, it has been found that damage induced
flight restrictions are very important during post failure flight. Therefore, efforts
should also be put into the estimation of the post-failure safe flight envelope.

Acknowledgements. The material presented in this chapter is the result of a cooperation
between several people at the division of Control and Simulation at Delft University’s Faculty
of Aerospace Engineering. Apart from the authors of this chapter, credit should go to Herve
Huisman, who provided essential development material for this research project during his
MSc, see Ref. [7]. Outside the division, Diederick Joosten and his supervisors should also
be mentioned, with whom an intensive cooperation has taken place in a research project on
fault tolerant flight control. This research is supported by the Dutch Technology Foundation
(STW) under project number 06515.

References
1. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable
flight control. IEEE Transactions on Control Systems Technology 3(2) (March 1997)
2. Campa, G., Seanor, B., Gu, Y., Napolitano, M.R.: Nldi guidance control laws for close
formation flight. In: American Control Conference, Portland, OR, USA, June 8-10
(2005)

3. Chu, Q.P.: Lecture Notes AE4-394, Modern Flight Test Technologies and System Iden-
tification. Delft University of Technology, Faculty of Aerospace Engineering (2007)
4. Chu, Q.P., Mulder, J.A., Sridhar, J.K.: Decomposition of Aircraft State and Parameter
Estimation Problems. In: Proceedings of the 10th IFAC Symposium on System Identification,
vol. 3, pp. 61–66 (1994)
5. Groszkiewicz, J.E., Bodson, M.: Flight control reconfiguration using adaptive methods.
In: Proceedings of the 34th Conference on Decision & Control, New Orleans, LA, De-
cember 1995. IEEE, Los Alamitos (1995)
6. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems.
Cooperative Systems, vol. 2. Kluwer Academic Publishers, Dordrecht (2003)
7. Huisman, H.O.: Fault tolerant flight control based on real-time physical model identifi-
cation and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology,
Faculty of Aerospace Engineering, Control and Simulation Division, June 20 (2007)
8. Jategaonkar, R.: Flight Vehicle System Identification: A Time Domain Methodology, 1st
edn. Progress in Astronautics and Aeronautics Series, vol. 216. AIAA (2006)
9. Jones, C.N.: Reconfigurable flight control first year report. Technical report, Control
Group Department of Engineering, University of Cambridge (2005)
10. Kale, M.M., Chipperfield, A.J.: Stabilized mpc formulations for robust reconfigurable
flight control. Control Engineering Practice 13, 771–788 (2004)
11. Laban, M.: On-Line Aircraft Aerodynamic Model Identification. Ph.D. thesis, Delft Uni-
versity of Technology (May 1994)
12. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A.: Lecture Notes AE4-301, Automatic Flight
Control System Design. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands (January 2005)
13. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A., Joosten, D.A.: Real time damaged aircraft
model identification for reconfiguring control. In: Proceedings of the AIAA AFM con-
ference, number AIAA-2007-6717, Hilton Head, SC (August 2007)
14. Maciejowski, J.M.: Modelling and predictive control: Enabling technologies for recon-
figuration. Annual Reviews in Control 23, 13–23 (1999)
15. Mulder, J.A.: Design and evaluation of dynamic flight test manoeuvers. PhD thesis, TU
Delft, Faculty of Aerospace Engineering (1986)
16. Mulder, J.A., Chu, Q.P., Sridhar, J.K., Breeman, J.H., Laban, M.: Non-linear aircraft
flight path reconstruction review and new advances. Progress in Aerospace Sciences,
PIAS 35, 673–726 (1999)
17. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: AE3-302 Flight
Dynamics, Lecture Notes. Delft University of Technology, Faculty of Aerospace Engi-
neering, Delft, The Netherlands (January 2006)
18. Ostroff, A.J., Bacon, B.J.: Enhanced ndi strategies for reconfigurable flight control. In:
Proceedings of the American Control Conference, Anchorage, AK, May 8-10 (2002)
19. Ramakrishna, V., Hunt, L.R., Meyer, G.: Parameter variations, relative degree, and stable
inversion. Automatica 37, 871–880 (2001)
20. Reiner, J., Balas, G.J., Garrard, W.L.: Flight control design using robust dynamic inver-
sion and time-scale separation. Automatica 32(11), 1493–1504 (1996)
21. Slotine, J.-J.E., Li, W.: Applied Nonlinear Control. Prentice Hall, Englewood Cliffs
(1991)
22. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. Wiley Europe,
Chichester (2003)
Chapter 14
A Combined Fault Detection, Identification and
Reconfiguration System Based around Optimal
Control Allocation

Nicholas Swain and Shadhanan Manickavasagar

14.1 Background
The approach to the fault tolerant control problem presented here is based on many
years of research into the topic. The primary focus of this research has always
been military combat aircraft, though the application to a civil transport platform
has proved useful to further enhance the algorithms for both civil and military
application.

14.1.1 Control Allocation


The research began by considering the problem of controlling aircraft with multiple
redundant control surfaces, both with and without failures.
A standard control system will try to control the rotational rates or attitudes using
the control surface deflections to give the right combination of roll, pitch and yaw
moments. An individual control surface will, in general, create moments in all three
rotational axes (roll, pitch and yaw), and so the generation of a combined roll, pitch
and yaw demand requires a balanced combination of control surface deflections.
A conventional aircraft layout tends to have a simple arrangement of flight control
surfaces. Typically these will consist of symmetrically-coupled tail-plane or trailing
edge surfaces for pitch control, asymmetrically-coupled trailing edge surfaces for
roll control and a rudder for yaw control. This arrangement makes the flight control
task easier since the control allocation can be assumed to be decoupled with control
of each rotational axis being assigned to a distinct set of surfaces. For modern and
future aircraft the design drivers often require a less conventional layout, perhaps
with multiple trailing edge surfaces and no tail-plane or rudder. Such arrangements
mean that traditional approaches to control allocation are no longer ideal or, indeed,
possible, thus an alternative approach is necessary. With multiple (more than three)
control surfaces, each capable of generating moments in each rotational axis, there
is, in general, an infinite number of combinations of control surface deflections that
meet a given set of moment demands. It seems natural in this situation to seek a
‘best’ combination of deflections from the multiple (infinite) solutions to the control
allocation problem. This, in turn, suggests the use of some form of optimisation
method.

Nicholas Swain
QinetiQ, The Enclave, Bedford, MK44 2FQ, United Kingdom
e-mail: NJSWAIN@QINETIQ.COM
Shadhanan Manickavasagar
QinetiQ, Cody Technology Park, Farnborough, GU14 0LX, United Kingdom
e-mail: SMANICKAVASA@QINETIQ.COM

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 399–422.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

[Figure: two panels, ‘3 controls’ and ‘6 controls’, each plotting Pitch Moment against Roll Moment]
Fig. 14.1 Illustration of the attainable moments for a 2 dimensional moment demand with 3
(on the left) and 6 (on the right) control surfaces

Initial work looked at an existing approach to this problem developed by Durham,
who had been working on a technique called direct control allocation (DCA) [1].
This approach was concerned with identifying the point where a vector intersected
the surface of a convex hull. The convex hull represented the attainable moment set
generated under the assumption of a linear transformation between the set of achiev-
able control surface deflections and the set of moments produced. The method em-
ployed by Durham searched around the outside of the convex hull to identify the
point at which a vector (representing the moment demands) intersected this hull.
This approach was effective with a small number of control surfaces, and a working
system which accommodated both rate and position limits of the available control
surfaces was quickly developed. With this system, optimal control that extracted
maximum performance in the nominal case (when all the surfaces were available)
was demonstrated; when one or more surfaces had failed, the optimal control
allocation helped to minimise the impact of the failure [2].
As can be easily appreciated, the mapping from the set of control surfaces to the
set of attainable moments becomes much more complex as the number of control
surfaces increases, and consequently the associated convex hull becomes much more
complex. Fig. 14.1 shows two example mappings from attainable control deflec-
tion sets to a two dimensional attainable moment. In the first case, with only three
control surfaces, the attainable moment set is fairly simple, being the projection of
a cube onto the plane producing an attainable moment set bounded by a hexagonal
convex hull. However, it can be seen in Fig. 14.1 that, even with as few as six control
surfaces, mapping the convex hull can become very complex. This means that
even with a modest number of control surfaces, the original DCA algorithm is com-
putationally expensive and thus is not practical for real-time simulation. Therefore,
an alternative method of identifying the intersection of the demand vector and the
boundary of the attainable moment set was developed.
This alternative approach was based on the simplex linear programming tech-
nique originally developed by Dantzig [3]. The advantage of this approach was that
the algorithm was significantly faster than the original DCA algorithm. Additionally
the computational cost with the new algorithm increased in an approximately linear
fashion with increasing number of control surfaces, as opposed to the exponential
increase of the original algorithm. By implementing this modified DCA algorithm
it was possible to create a real-time system that was practical for simulation testing.
The method was tested on a combat aircraft conceptual design, with and without
failures, and the performance was compared against more conventional control allo-
cation strategies [4, 5]. This testing demonstrated the potential performance benefits
of using an optimal control allocation method that made best use of the available
control surfaces.
Though the initial testing of the modified DCA algorithm was very promising
it soon became apparent that the linear programming optimisation method was not
flexible enough to enable more complex designs to be developed. Specifically there
were two main problems:
• the three components of the moment demand could not be independently consid-
ered (and weightings applied to allow trade-off between roll, pitch and yaw)
• it was not possible to add secondary requirements into the optimisation such as
minimising overall surface deflections to improve drag or radar cross-section
These two issues suggested the introduction of a quadratic cost function. Since
the linear programming technique was no longer applicable, the move to a quadratic
programming technique was investigated.
There are many existing quadratic programming techniques available of which a
method called active set optimisation was chosen as appropriate to the task [6]. A
standard active-set algorithm was implemented in C using a combination of bespoke
components and existing published algorithms [7]. Though the resulting algorithm
worked as desired, there were again problems with real-time implementation due to
its complexity. Through application of the algorithms on many different simulation
models (including the benchmark aircraft from the GARTEUR action group) a re-
fined algorithm has been developed that is more robust and has increased efficiency
by using an optimisation algorithm that is tuned specifically to the control allocation
problem. The result is an algorithm capable of calculating the optimal control surface
deflections in real-time at appropriate frame rates (100 Hz) on a model with a
large number of surfaces (the implementation of the benchmark used in this research
assumes 20 independent control surfaces) and has been tested on systems with very
modest computational power (see Section 14.1.3).

14.1.2 Fault Detection and Identification


The control allocation algorithm assumes that it has access to various parameters
that define the moment generation capability of the control surfaces, such as control
surface position limits and control surface effectiveness. This information can be
provided by look-up tables if the aircraft is assumed to never experience faults or
failures. However, if it is assumed that a fault or failure is possible, then these param-
eters need to be updated in flight. Therefore, in parallel to the later developments
of the DCA algorithms (especially the version based on quadratic programming),
there has been research into approaches to estimate these parameters online. This
adds fault detection and identification (FDI) capabilities to the reconfigurable con-
trol system, thus creating a fault detection, identification and reconfiguration (FDIR)
control system, or more generally a fault tolerant control (FTC) system.
Various methods and algorithms have been tested in developing an appropriate
FDI system. Initial developments looked at using online learning of the aircraft’s
control effectiveness by employing neural networks. Previous work into the use of
neural networks in FDIR was investigated, in particular the work of Napolitano
[8, 9]. Napolitano had developed some enhanced neural network update algorithms
and successfully applied them to fault detection, identification and reconfiguration,
both in simulation and in flight. However, the neural networks performing the FDI
were intrinsically embedded into the control system, which was contrary to one
of the design drivers of the system being developed at QinetiQ. The system that
QinetiQ was researching aimed to keep the ‘learning’ components of the FDIR
system separate from the main control loop since it was felt that these compo-
nents introduced reduced determinism and increased risk that could make clear-
ance/certification a problem. By keeping them separate from the main control loop
it is hoped that clearance of such novel flight control systems can be made less prob-
lematic by allowing increased visibility of how the system is adapting, and allow a
firewall or monitoring system between the FDI components and the main control
loop (see Fig. 14.2). For this reason the neural network approach of Napolitano was
modified to separate the reconfigurable control task (that was to be handled by the
DCA) and the FDI task (that was to be performed by distinct neural networks em-
ploying the Extended Back Propagation algorithms of Napolitano). The networks
were extensively tested - various set-ups and configurations were tried. Though the
networks were capable of identifying a parameter very well locally, they had prob-
lems in global identification (i.e. across the flight envelope).
Thus the complex neural networks were abandoned in favour of an alternative,
simpler approach that assumed that failures acted as a linear gain on the nominal
control effectiveness (provided by a reference model). Changes in this gain were ap-
proximated using the time history of aircraft response relative to predicted response.
This algorithm functioned very well with a high fidelity reference model and no
sensor noise. But, as the reference model deviated from the ‘true’ performance of
the model, and as sensor noise was introduced, the performance was greatly reduced;
consequently, this approach proved to be impractical.

Fig. 14.2 An FTC system with distinct adaptive/reconfigurable control loop and fault
detection and identification system to enable safety monitoring of parameters detected
in flight

In order to address this, a general survey of other techniques for online parameter
identification was carried out. Kalman filters were identified as a possible way to
increase robustness, by decreasing sensitivity to model uncertainty and sensor noise.
A new FDI system that used a Kalman filter to identify a ‘mean’ gain on the control
surface effectiveness was created. Testing proved that this approach had increased
robustness, but with increased detection times. However, increased robustness and
stability is felt to be more important in this identification task; if responsiveness
proves to be an issue, then a dual system, which includes a fast component and a
slower, more robust component, may need to be developed.

14.1.3 Software and Hardware Testing


In order to understand and address implementation issues, the algorithms have been
applied to many different models including a diamond-wing planform, tailless un-
manned concepts and the ADMIRE (Aero-Data Model In Research Environment)
model from FOI (Swedish Defence Research Agency). Additionally, the system has
been tested with hardware-in-the-loop to investigate the issues of limited process-
ing power, real life noise/interference and time synchronisation. Fig. 14.3 shows the
hardware-in-the-loop test system as tested with the ADMIRE model [10].

14.2 Introduction
A modern aircraft will have a range of possible force and moment generators that
can be used to alter its trajectory. These shall be referred to as control effectors
or more simply as controls. These control effectors can be anything that is able
to generate a change in the total force and/or torque acting on the aircraft. Some
examples are listed below, but the list is not exhaustive:
• Moving flaps such as elevators, rudders, ailerons, leading or trailing edge flaps
• Moving aerofoils such as tailplanes, canards, twisting/morphing wings, moving
wings or rotary wings/blades
• Other mechanical aerodynamic effectors such as spoilers, airbrakes, undercarriage
• Thrust vectoring and differential thrust
• Gyroscopic torque/force generators
• Direct flow control
In free flight, an aircraft (when considered as a rigid body) has six degrees of
freedom: three translational and three rotational. It is typical to place a Cartesian
axis system centred on a reference point in the aircraft with the x-axis pointing out
through the nose of the aircraft, the y-axis aligned level with the wings and pointing
out of the starboard side of the aircraft, and the z-axis pointing down through the
underside of the aircraft. With six degrees of freedom, a generalised force acting on
the aircraft can be resolved into six components: three forces acting in alignment
with the x, y and z axes and three moments acting about these axes. In line with
standard convention this summary shall refer to these as Fx, Fy and Fz for the forces
acting in the x, y and z directions respectively and L, M and N for the moments acting
about the x, y and z axes respectively. By utilising the control effectors it is possible
to create changes in the six forces and moments, each control having an effect on
each of the forces and moments (these effects may be independent or coupled with
the effect of the other controls).

Fig. 14.3 Hardware in the loop test system consisting of: (1) A synthetic environment
running the open-loop simulation model and a 3D visualisation being driven by the
achieved servo deflections. Provides the sensor feedback to the flight control computer
via serial connection. (2) Servo hardware arranged into the control layout of the ADMIRE
aircraft. Servo demands come from the flight control computer and achieved servo
deflections are fed to the synthetic environment and back to the flight control computer.
(3) Flight control computer based on PC104 small footprint computer architecture
(running at 133 MHz). Flight control receives inputs from a pilot via RF receiver and
sensor feedback from the synthetic environment via serial connection. Full FTC
components (NDI, DCA, Aero FDI and Actuator FDI) run in real-time on the hardware

14.3 Fault Tolerant Control System Overview


The Fault Tolerant Control system is composed of several key components as il-
lustrated below in Fig. 14.4. The core control is performed by a combination of
NDI to perform dynamic inversion, and control allocation (referred to as Direct
Control Allocation) to make optimal use of the control surfaces. This is supported
by the Fault Detection and Identification (FDI) system, which consists of three
subsystems. There are two parameter identification systems, the first of which is
dedicated to identifying the actuator performance post-fault and the second to iden-
tifying changes in the aerodynamic effectiveness of each control surface. The third
is the envelope protection system that identifies changes in the aircraft limits after
failures have occurred.

14.3.1 Sensors
The FDI system requires specific information to successfully identify faults that
have occurred. In addition to the more typically available sensor data, information
such as achieved actuator deflections, feedback for the Actuator FDI and rotational
acceleration data for the NDI system have been included in the aircraft model. The
achieved actuator deflection sensors are not necessarily utilised by current flight
control systems but this information is often present within the actuator’s own internal
control and could be made available to the FCS. Also, it may be uncommon
to find rotational acceleration sensor data in legacy aircraft, but this could be a
requirement for future aircraft, or it may be possible to derive appropriate rotational
acceleration figures from other acceleration sensors.

Fig. 14.4 FTC System Overview

14.3.2 Outer-Loop Controller/Autopilot


The flight control system (FCS) on the benchmark model is classical in nature and
comprises an integrated inner-loop and outer-loop control functionality. This FCS
takes high-level demands as input, and outputs control surface deflection demands
required by the aircraft to attain or maintain stable flight. However, to incorporate
the proposed FTC system, the direct link between the autopilot and the actuators
needed to be broken. It was then necessary to identify and generate rate demands
that would be used as inputs to the NDI system in the place of the actuator demand
outputs. A preferred approach would be to design the outer-loop controller such
that it is completely separate from the inner-loop control functionality, which would
enable the outer-loop controller to be naturally coupled with the NDI and DCA
components of the FTC system. However, this approach was not taken, so as to enable a
fairer comparison against the benchmark model (since the nature of the outer-loop
controller can greatly change the way the aircraft responds or handles).

14.3.3 Non-linear Dynamic Inversion


Non-linear Dynamic Inversion or NDI is used because of its simplicity in implemen-
tation and high performance. It has been successfully implemented on many aircraft
models, demonstrating good flying qualities and stabilisation. Various forms of NDI
have also been successfully applied in actual flight tests [11].
The essential principle behind NDI is to invert the non-linear equations of motion
to provide a favourable response, particularly by avoiding cross-coupling effects be-
tween the rotational axes. The response of the aircraft will be as desired if the NDI
controller is provided with perfect sensor feedback and if there is sufficient control
power. However, even under situations of noisy sensors and non-instantaneous con-
trol response (due to actuator dynamics) NDI produces a very good response. The
main strength is that, being based on the non-linear rigid body equations of motion,
this control method does not need to be scheduled for different flight conditions as
would be necessary when using linear control methods.
As an example of how the NDI control system functions, consider the rotational
equation of motion for the pitch axis of the aircraft

$$\dot{q} = \frac{(I_{zz} - I_{xx})}{I_{yy}}\,pr - \frac{I_{xz}}{I_{yy}}\left(p^2 - r^2\right) + \frac{M}{I_{yy}} \tag{14.1}$$

This relates the pitch acceleration q̇ to the pitch moment M, taking into account
the inertial cross coupling of the roll rate p and yaw rate r. This form assumes that
the aircraft has lateral symmetry such that the products of inertia Ixy and Iyz are
zero [12].

Equation 14.1 enables a relationship between a pitch acceleration demand q̇d and
the pitch moment to be derived. However, rotational acceleration is not a practical
parameter to control directly; it is far more useful for the inner-loop control to be
driven by rotational rate demands such as qd . Therefore the NDI controller derives
the pitch acceleration demand from the pitch rate demand such that

$$\dot{q}_d = (q_d - q)\,b_q \tag{14.2}$$

where bq is a constant, referred to as the pitch bandwidth. The bandwidth is the only
part of the derived control system that has to be tuned for the specific platform. If
the bandwidth is set too low the response of the closed-loop system will be sluggish,
whilst if it is set too high there is a risk of large-scale oscillatory transients in the
response of the system. In practice, however, it is an easy task to set an appropriate
value for the bandwidth for the chosen aircraft based on the size of the aircraft and
the response rate of the actuation system.
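The pitch-axis inversion of (14.1) and (14.2) can be exercised in a short simulation. This is an added example, not code from the chapter or its authors: the inertia values, the roll and yaw rates and the first-order actuator lag `tau_act` are constructed assumptions, chosen to show the first-order response at bandwidth bq and the oscillatory transient when bq is set high relative to the actuator response.

```python
"""Pitch-axis NDI loop built from equations (14.1) and (14.2)."""
from dataclasses import dataclass


@dataclass
class Inertia:
    ixx: float
    iyy: float
    izz: float
    ixz: float


def pitch_accel(j, p, r, moment):
    """Equation (14.1): pitch acceleration for roll rate p, yaw rate r, pitch moment M."""
    return ((j.izz - j.ixx) / j.iyy * p * r
            - j.ixz / j.iyy * (p * p - r * r)
            + moment / j.iyy)


def ndi_pitch_moment(j, p, r, q, q_dem, b_q):
    """Equation (14.2), then (14.1) solved for M: the pitch moment demand."""
    q_dot_dem = (q_dem - q) * b_q
    return j.iyy * q_dot_dem - (j.izz - j.ixx) * p * r + j.ixz * (p * p - r * r)


def simulate(j, q_dem, b_q, p, r, t_end, tau_act=0.0, dt=0.001):
    """Forward-Euler run returning one pitch-rate sample per step.

    tau_act is an assumed first-order actuator lag in seconds (0 = instantaneous).
    """
    q = 0.0
    # Start with the moment that exactly cancels the inertial coupling (trimmed).
    moment = ndi_pitch_moment(j, p, r, q, q, b_q)
    trace = []
    for _ in range(int(round(t_end / dt))):
        demand = ndi_pitch_moment(j, p, r, q, q_dem, b_q)
        if tau_act <= 0.0:
            moment = demand
        else:
            moment += (demand - moment) * dt / tau_act
        q += pitch_accel(j, p, r, moment) * dt
        trace.append(q)
    return trace


# Constructed inertia values (kg m^2), for illustration only.
AIRCRAFT = Inertia(ixx=2.0e7, iyy=4.0e7, izz=6.0e7, ixz=1.0e6)


def overshoot(b_q, tau_act):
    """Fractional overshoot of a 0.1 rad/s pitch-rate step with p = 0.3, r = 0.1 rad/s."""
    trace = simulate(AIRCRAFT, q_dem=0.1, b_q=b_q, p=0.3, r=0.1,
                     t_end=3.0, tau_act=tau_act)
    return max(trace) / 0.1 - 1.0


if __name__ == "__main__":
    ideal = simulate(AIRCRAFT, q_dem=0.1, b_q=2.0, p=0.3, r=0.1, t_end=3.0)
    print("q/q_dem after 1/b_q seconds:", ideal[499] / 0.1)
    print("overshoot, b_q=2,  tau=0.1 s:", overshoot(2.0, 0.1))
    print("overshoot, b_q=20, tau=0.1 s:", overshoot(20.0, 0.1))
```

With the lag included the loop is second order with damping ratio 1/(2·sqrt(bq·tau_act)), so the same actuator that gives a clean response at bq = 2 overshoots when bq = 20.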
A complete control system for roll, pitch and yaw can easily be derived based on
these simple concepts to create a simple but powerful control strategy [13]. The only
deviation from the standard NDI implementation is the addition of limit blocks on
the roll, pitch and yaw rate demands, and acceleration demands. These limit blocks
were added to allow the envelope protection system to limit the demands placed on
the aircraft.

14.3.4 Direct Control Allocation


The general basis of the control allocation assumes that the change in moments
produced by a change in surface position is based on a simple linear relationship

$$\Delta m = \begin{bmatrix} \Delta L \\ \Delta M \\ \Delta N \end{bmatrix} = B\,\Delta u \tag{14.3}$$

where Δm is the change in moment, Δu is the change in surface deflection and B is
a matrix whose components are defined as

$$B_{i,j} = \frac{\partial m_i}{\partial u_j} \tag{14.4}$$

The matrix B is referred to here as the control effectiveness matrix.


The control allocation is performed by a method referred to as Direct Control
Allocation (DCA). This name is principally historical, based on the origins of the
very early research carried out at QinetiQ [2]; a better name would be Optimal
Incremental Control Allocation. The principal aim of the DCA is to take a change
in moment demand from the dynamic inversion block and to make best use of the
available control effectors to provide that demand, or at least minimise the error
between what is demanded and what is achieved. This is illustrated in Fig. 14.5.

Fig. 14.5 The role of DCA. The demanded changes in moments (with suffix ‘dem’) are
mapped to a change in control surface by the DCA block. The intention is that the achieved
change in moments (indicated with the suffix ‘ach’) caused by the new surface deflections
will be as close to the demand as possible

The specific role of the DCA is to find an optimal change in surface positions
that minimises an appropriate cost function. The exact nature of the cost function
used is dependent on the optimisation criterion that is chosen. It is perhaps obvi-
ous that minimising the change in control surface deflection used to meet a given
demand is beneficial, since excessive changes in control surface deflection increase
power requirements and actuator wear. However, testing with a control allocation
algorithm that only minimises the change in surface deflection identifies a flaw with
this approach. Though each change in surface deflection is minimised to require the
smallest amount of actuator usage, the accumulative effect with time of each indi-
vidual change in surface deflection can lead to large control deflections where the
individual surfaces can be cancelling out the effect of each other, and so providing
no net benefit to the control of the aircraft. This is not acceptable since it increases
the risk of surface saturation and can adversely affect the total drag or radar cross-
section of the aircraft. For this reason an optimisation criterion called the biased
minimum deflection criterion was proposed. Again, the basis of this criterion is to
minimise the change in control surface deflection, but not relative to the current sur-
face deflections. Instead the change in surface deflection is minimised about a sur-
face deflection biased towards a preferred control surface deflection. This preferred
deflection could simply be zero for all surfaces or could be chosen to optimise for a
secondary effect such as reduction of drag or radar cross-section.
The combined task of best meeting the change in moment demand whilst min-
imising the change in deflection relative to a preferred deflection can be formulated
as a quadratic programming task of the form

$$\min_{\nu}\; C = \frac{1}{2}\,\nu^{T} H \nu + f^{T} \nu \tag{14.5}$$

subject to an equality constraint (that encompasses the change in moment demand)

$$A\nu = 0 \tag{14.6}$$

and an inequality constraint that accounts for the position and rate limits of the
actuators

$$\nu_L \le \nu \le \nu_U \tag{14.7}$$

There are many ways to solve such a quadratic programming problem. The DCA
algorithm uses an active set method approach that has been formulated for the specific
task to increase computational efficiency. Since H in (14.5) is positive definite,
the cost function is convex and so there is a unique solution. The algorithm
will generally find this minimum in a few iterations (generally less than or equal to
the number of control effectors). In a few rare situations the algorithm will run on
beyond this and it can enter a cycle. Though, theoretically, this cycle can continue
indefinitely, in practice it is easy to guard against. In this state there is generally only
slight variation in the value of the cost function and for the real-world control allocation
problem it is acceptable to use a very near optimal solution (sensor noise and
disturbances are likely to be far more significant than a small variation away from
the optimal solution).
The function of the DCA algorithm can be seen in Fig. 14.6. For this illustration,
total moment rather than change in moment is being tested, and the demand is only
for roll and pitch moment (i.e. yaw moment demand is ignored) since it is easier to
visualise what is happening in the two dimensional case. Additionally, in this case,
the results are based on a subset of nine of the control surfaces from the benchmark
model (two ailerons, four spoilers, two elevators and the stabiliser), with surface
effectivenesses and surface deflection limits sampled at a single flight condition. Fig.
14.6 shows the output of three control allocation schemes to a range of different
moment demands as indicated by the circle (labelled ‘Moment Demand’). For any
given point on the moment demand locus, each allocation scheme will generate a set
of control surface deflections that will generate an achieved moment. Ideally the de-
manded surface deflections will generate the required moment demand, however the
surface deflections are bounded by the actuator deflection limits and so the demand
is not necessarily achievable.
The three traces (for DCA and two basic control allocation schemes BCA1 and
BCA2) show the respective loci of moments achieved for three different control
allocation schemes in response to different moment demands that generate the Mo-
ment Demand locus. DCA is the optimal control allocation algorithm that is the
basis of the FTC system being presented here. BCA1 is a simple allocation scheme
that assigns each surface a distinct role for delivering either roll or pitch moments
(in this case the two ailerons and four spoilers are used for roll control and the two
elevators and the stabiliser are used for pitch control). The strategy utilised in BCA1
is very simple, but is similar to control allocation approaches on many production
and experimental aircraft, especially when the control allocation task is embedded
in the overall inner-loop control task. BCA2 is a slightly more sophisticated version
of BCA1 that makes use of the actuator position limits. It can be easily seen that
the DCA produces a significantly larger proportion of the moment demand for the
majority of possible demands. BCA1 and BCA2 both produce much smaller pro-
portions of the moment demand, though BCA2 does cover a slightly larger area that
suggests better performance. However, there is a small region where the achieved
moment is larger than the demanded moment, which is unlikely to be acceptable.
The reason this occurs is that both BCA1 and BCA2 assume that an individual sur-
face only generates moments in one of the two axes i.e. the ailerons and spoilers

[Plot: Pitch Moment (N.m, ×10^6) against Roll Moment (N.m, ×10^6); legend: Attainable
Moments, Moment Demand, DCA Achieved, BCA1 Achieved, BCA2 Achieved]

Fig. 14.6 A comparison of the moment generation capability of several control allocation
schemes.

only generate roll moments and the elevators and stabiliser only generate pitch mo-
ments. In reality, all surfaces will generate some moments in all rotational axes, and
it is the fact that these additional effects have been ignored that allows the achieved
moments to exceed the demands. Again, it is quite common for these secondary mo-
ment generation effects to be ignored in existing control allocation strategies except
in certain specific cases such as the roll-yaw coupling of rudders.
The shaded region in Fig. 14.6 indicates the total set of attainable moments for
combinations of control surface deflections within the actuator position
limits (this region being the convex hull, similar to that illustrated in Fig. 14.1). It
can be seen that DCA spans the entire shaded region that lies within the loci of
moment demands. This indicates that DCA is generating the maximum attainable
moments for any given demand, as should be expected from an optimal control
allocation scheme.
The Control Allocation algorithm is dependent on several pieces of information
being provided. The required inputs for the control allocation algorithm are:
• Demanded changes in roll, pitch and yaw moments
• Control deflections
• Control effectiveness matrix
• Control rate limits
• Control position limits

The first of these is provided by the dynamic inversion component of the control
system and the second is provided by position sensors. The final three are not easily
obtained. In the nominal case, values for these three inputs can be generated from
knowledge of the actuator dynamics (for the positional and rate limits) and from a
reference model or schedule (for the effectiveness matrix). However when the air-
craft is damaged, some or all of this information will be different from the nominal
case and so it is desirable to ascertain the new values of these inputs. The higher
the accuracy of this new information, the more efficient and accurate the control
allocation can be. The identification of this information is the role of the FDI sys-
tem, which consists of two main components referred to as aerodynamic FDI and
actuator FDI.

14.3.5 Aerodynamic FDI


The task of identifying accurately the control effectiveness of each surface to pro-
duce moments in each of the three rotational axes (and forces in each of the linear
axes) is the biggest challenge of the current Fault Tolerant algorithms. Essentially,
it is an online parameter identification system working in real-time using limited
information to infer values for a large number of parameters. This is a very difficult
task and so, in the past, people have avoided this route by trying to limit the types
of faults that are covered by the FDI system. Also, on detecting a failure, many
systems require that predetermined inputs are applied to the surfaces to isolate the
effects of a given control(s) to aid the identification process. This, unfortunately,
would require the aircraft to stop its current role, adopt a straight and level flight
condition (or at the very least a benign manoeuvre) and consume time to go through
the identification process. This would have a negative impact on task or mission
performance and may put the aircraft unduly at risk.
Therefore it was the aim to try to create algorithms that were capable of detecting
‘any’ faults applied to the surface in a quick and accurate fashion, without the need
for post failure identification routines that apply predetermined inputs.
The current system is based on a Kalman filter [14]. Kalman filters are most
commonly used for state estimation of dynamic systems when the signals are noisy
and when some states are unobservable. However, Kalman filters are also employed
for system identification, which is the role they adopt in this system.
The system assumes that the change in aerodynamic effectiveness of a given
control effector can be represented as a gain on the surface effectiveness predicted
by an online reference model and that the same gain applies for all the moments
(and forces) such that
   
$$\left(\frac{\partial m}{\partial u_i}\right)_{\text{estimated}} = \lambda_i \left(\frac{\partial m}{\partial u_i}\right)_{\text{reference}} \qquad (14.8)$$

where $\lambda_i$ is the surface effectiveness of the $i$th control effector, $u_i$ is the
deflection of the $i$th control effector and $m$ is the moment vector. If no failure has
occurred and there is a perfect reference model then the surface effectiveness gains are
expected to be unity. An imperfect reference model or sensor noise will mean that the
value of λ will vary even when there are no failures. Since the effectiveness values that
form the reference model are also used to drive the DCA component, then this variation

Fig. 14.7 Estimation of force and moment errors and change in force and moment errors

in λ is used to correct for errors in the reference model, but there is an assumption
that such variations are small. It is only in the presence of failures that the values of
λ are assumed to greatly vary from unity.
The advantage of this approach is that, although the error is modelled as a linear
relationship, the reference model can account for non-linearity in the aircraft aero-
dynamics. As long as the percentage loss of effectiveness is not highly sensitive to
flight condition, the gain will not change rapidly with time. The obvious exception
to this is when a failure occurs. At the time of the failure a step change in one or
more of the effectiveness gains is assumed.
If the error between the reference model and actual aircraft is large and highly
non-linear then the above assumptions will no longer be valid. For this reason a
reasonably accurate model is required.

Fig. 14.8 Calculation of surface effectiveness lambda values



[Plot: four panels (Right Inboard Aileron, Left Inboard Aileron, Right Outboard Aileron,
Left Outboard Aileron) showing λ against Time (s); legend: No Failure Case, Failure Case]

Fig. 14.9 Reduced Control Surface Effectiveness

The structure of the system is illustrated in Figs. 14.7 and 14.8. The Kalman
filter uses errors in the predicted change in forces and moments to estimate a gain
on the surface effectiveness for each surface. This gain is zero when there are no
failures (since the system is based on change in forces and moments) and so λ
values are equal to the output of the filter plus one. The filter uses an error generated
between the estimated forces and moments that the aircraft has currently acting on
it and the forces and moments predicted by the reference model for the current
flight condition. The achieved forces and moments are calculated by inverting the
rigid body equations of motion, though this is only approximate when the incoming
sensor signals are noisy.
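
The identification loop described above, as an added sketch that is not the authors' implementation: a Kalman filter whose state is the gain deviation λ − 1 for each surface, driven by the error between achieved and reference-predicted changes in moment. The matrix B_REF, the noise level, the tuning values q and r, the random surface activity and the index of the failed surface are constructed assumptions; the three axes are processed as sequential scalar updates, which assumes uncorrelated measurement noise.

```python
import random

# Constructed reference effectiveness matrix: rows are roll, pitch and yaw moment
# per unit deflection, columns are four ailerons (illustrative values only).
B_REF = [[1.0, -1.0, 1.6, -1.6],
         [0.2, 0.2, 0.3, 0.3],
         [0.1, -0.1, 0.25, -0.25]]


def estimate_lambda(b_ref, du_hist, dm_hist, q=1e-5, r=4e-4, p0=1.0):
    """Kalman filter used for identification; returns the lambda estimate per step.

    State g_i = lambda_i - 1 (zero when healthy), modelled as a random walk.
    Measurement per axis: achieved minus reference-predicted change in moment,
    which equals sum_i b_ref[axis][i] * du_i * g_i plus noise.
    q sets the sensitivity of the filter (assumed tuning), r the noise variance.
    """
    n = len(b_ref[0])
    g = [0.0] * n
    P = [[p0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    history = []
    for du, dm in zip(du_hist, dm_hist):
        for i in range(n):                      # time update: random-walk drift
            P[i][i] += q
        for row, dm_axis in zip(b_ref, dm):     # one scalar update per axis
            h = [row[i] * du[i] for i in range(n)]
            error = dm_axis - sum(h)            # achieved minus reference prediction
            innovation = error - sum(h[i] * g[i] for i in range(n))
            Ph = [sum(P[i][j] * h[j] for j in range(n)) for i in range(n)]
            s = sum(h[i] * Ph[i] for i in range(n)) + r
            gain = [x / s for x in Ph]
            for i in range(n):
                g[i] += gain[i] * innovation
                for j in range(n):
                    P[i][j] -= gain[i] * Ph[j]
        history.append([1.0 + x for x in g])    # lambda = filter output plus one
    return history


def simulate(fail_step=200, steps=400, loss=0.4, surface=3, noise_sd=0.02, seed=1):
    """Constructed data: random surface activity, effectiveness loss at fail_step."""
    rng = random.Random(seed)
    du_hist, dm_hist = [], []
    for k in range(steps):
        lam = [1.0] * 4
        if k >= fail_step:
            lam[surface] = 1.0 - loss           # step change in one gain
        du = [rng.uniform(-1.0, 1.0) for _ in range(4)]
        dm = [sum(row[i] * lam[i] * du[i] for i in range(4))
              + rng.gauss(0.0, noise_sd) for row in B_REF]
        du_hist.append(du)
        dm_hist.append(dm)
    return du_hist, dm_hist


if __name__ == "__main__":
    du_hist, dm_hist = simulate()
    hist = estimate_lambda(B_REF, du_hist, dm_hist)
    print("before failure:", [round(x, 2) for x in hist[199]])
    print("after failure: ", [round(x, 2) for x in hist[-1]])
```

Lowering q makes the estimate less sensitive to noise and reference-model error at the cost of a slower response to the step change.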
Fig. 14.9 shows the results for a fault of a 40% reduction in the control surface
effectiveness of the left outboard aileron. It can be seen that the control surface
effectiveness for the first three ailerons is at its nominal level (i.e. close to 1),
with only a slight deviation in the measure of the control effectiveness.
As discussed earlier in the section, this can be attributed to small discrepancies
within the reference model and noise in the signals. However, for the left outboard
aileron, the control surface effectiveness shows a larger difference due to the fault
and settles out at approximately 55%. The nominal control surface effectiveness of
this surface is approximately 90%. Relative to this nominal value, the reduced control
surface effectiveness is a decrease of 39%, which shows both an accurate detection
and identification of the fault. The reduced control surface effectiveness takes a
significant length of time to settle out. In order to increase the robustness of the
FDI component the Kalman Filter has its sensitivity set at a fairly low level. There
is always a trade-off to be made between robustness and sensitivity, but the overall
response time of the system could be improved by a higher fidelity reference model
or better sensors. This said, the current system seems to fly well in most failure
cases due to an inherent robustness within the inner-loop control. If it is required
to improve overall detection times of aerodynamic faults then it may be necessary
to modify the sensitivity of the FDI algorithm. This may be possible with a two
component aerodynamic FDI system that consists of a fast component with low
authority and a slower component with higher authority.

14.3.6 Actuator FDI


The actuator parameter identification is a much simpler task than the control ef-
fectiveness identification task. Each actuator is a single input, single output (SISO)
system with a few key parameters defining the performance, such as rate limits and
position limits. As for the aerodynamic faults, the FDI system for the actuator faults
requires some reference model of each actuator’s dynamics. This is much easier to
obtain as the dynamics of actuators are easily modelled.
One new feature present in the benchmark model that had not been addressed in
previous testing was variable position limits based on flight condition. In the bench-
mark each surface has hard limits that are set by the maximum travel of the actuator,
as is the case in simpler simulation models of actuator dynamics. But the aerody-
namic loading on individual surfaces based on flight condition can mean that there is
insufficient hydraulic power to attain the maximum deflection, thus the benchmark
model also incorporates aerodynamic limits that vary with height and Mach number.
The existence of these variable aerodynamic limits could be ignored by the actuator
FDI system. In this case, the reduced limits would be identified by the system but
would be assumed to arise from faults, which could mean that future control deflec-
tion demands are artificially restricted by the DCA system. Therefore the variable
limits were added to the actuator reference model such that, before any failures oc-
cur, the DCA uses the full deflection range (limited by current aerodynamic limits
if necessary). After an actuator failure or fault has occurred the detected reduced
limits are used.
Fig. 14.10 illustrates the actuator FDI system. By comparing sensor feedback of
achieved surface deflections against those predicted by the reference models, an er-
ror signal is generated. It is assumed that the actuator dynamic faults are in position
and rate limits only, this being the information used by the DCA scheme. An upper
and lower position limit and an upper and lower rate limit are monitored, therefore
a total of four parameters are identified for each actuator. Additional information
(such as damping and frequency) could be included, but research suggests that, for
control allocation, little benefit is gained from higher-order accuracy.

Fig. 14.10 Schematic of Actuator FDI System

Though simple, this system can detect many different faults such as:
• Control restrictions caused by a loss of hydraulic power or a physical restriction
on the surface due to damage or icing will be detected as a change in the upper
and/or lower limits to new, non-equal values.
• Surface jams caused by total failure of a stepping actuator or physical restriction.
Detected as a change of upper and/or lower position limits to new, equal, values.
• Reduced rate limits due to partial loss of actuation power. Detected as new upper
and/or lower rate limits.
• Surface runaway caused by an error in the signal driving the actuator or an inter-
nal malfunction in the actuator. Detected initially as a change in upper and lower
rate limits to the same value (that being the rate at which the surface is ‘run-
ning’ away). Once the actuator has saturated, the fault will change to the surface
jam case.
In the case of physical damage that causes the surface to become disconnected
from the actuator (and possibly in the case of a total loss of hydraulic power), the
surface will float freely. How this fault is detected depends on what signal is fed
back to the actuator FDI system; either surface deflection or actuator deflection. In
the former case the actuation system could detect the failure as zero upper and lower
rate limits, but it would not detect the latter case. However, a floating surface tends
to have a greatly reduced aerodynamic effect on the aircraft dynamics, and so the
latter case could be detected as an aerodynamic fault rather than an actuator fault.
There are other possible actuator failures such as oscillatory errors, offsets and
intermittent sticking. These failures are not accommodated by the current actuator
FDI system since such failures have not been a feature of any simulation models
investigated to date. The system could be augmented to accommodate these failures
with an extension to the logic within the actuator FDI algorithm or by separate pre-
processing of the actuator errors.
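
One way to realise the comparison against a reference actuator model and the fault signatures listed above, as an added sketch that is not the chapter's algorithm. The rate- and position-limited reference model, the nominal limits, the tolerances, the persistence count and the noise-free constructed feedback are all assumptions; the runaway signature is classified from the limits but its identification is not attempted here.

```python
import math
from dataclasses import dataclass, replace


@dataclass
class Limits:
    pos_lo: float    # lower position limit, deg
    pos_hi: float    # upper position limit, deg
    rate_lo: float   # lower rate limit, deg/s
    rate_hi: float   # upper rate limit, deg/s


DT = 0.05                                       # sample time, s (assumed)
NOMINAL = Limits(-25.0, 25.0, -40.0, 40.0)      # constructed nominal limits
DEMAND = [15.0 * math.sin(0.5 * k * DT) for k in range(600)]  # constructed excitation


def reference_step(pos, demand, lim, dt):
    """Reference actuator: follow the demand within the rate and position limits."""
    rate = min(lim.rate_hi, max(lim.rate_lo, (demand - pos) / dt))
    return min(lim.pos_hi, max(lim.pos_lo, pos + rate * dt))


def simulate(demand, lim, dt, pos=0.0):
    """Constructed sensor feedback: the same model run with the faulty limits."""
    out = [pos]
    for d in demand[1:]:
        pos = reference_step(pos, d, lim, dt)
        out.append(pos)
    return out


def identify_limits(demand, measured, nominal, dt, tol=0.3, rate_tol=0.2, persist=4):
    """Identify the four limits from the error between feedback and reference model.

    tol (deg) and persist (samples) trade detection delay against robustness.
    """
    lim = replace(nominal)                      # start from the nominal limits
    count = 0
    for k in range(1, len(demand)):
        predicted = reference_step(measured[k - 1], demand[k], lim, dt)
        err = measured[k] - predicted
        if abs(err) <= tol:
            count = 0
            continue
        count += 1
        if count < persist:                     # wait for a persistent error
            continue
        rate = (measured[k] - measured[k - 1]) / dt
        if abs(rate) <= rate_tol:               # surface stationary: position limit
            if err < 0:
                lim.pos_hi = measured[k]
            else:
                lim.pos_lo = measured[k]
        elif err < 0:                           # surface moving: rate limit
            lim.rate_hi = rate
        else:
            lim.rate_lo = rate
        count = 0
    return lim


def classify(lim, nominal, eps=0.5):
    """Map identified limits onto the fault signatures listed in the text."""
    if abs(lim.rate_hi - lim.rate_lo) <= eps:
        return "runaway"                        # both rate limits at the same value
    if abs(lim.pos_hi - lim.pos_lo) <= eps:
        return "jam"                            # position limits equal
    if lim.pos_hi < nominal.pos_hi - eps or lim.pos_lo > nominal.pos_lo + eps:
        return "restriction"                    # new, non-equal position limits
    if lim.rate_hi < nominal.rate_hi - eps or lim.rate_lo > nominal.rate_lo + eps:
        return "reduced rate"
    return "healthy"


if __name__ == "__main__":
    feedback = simulate(DEMAND, Limits(-5.0, 5.0, -40.0, 40.0), DT)
    found = identify_limits(DEMAND, feedback, NOMINAL, DT)
    print(found, classify(found, NOMINAL))
```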
Fig. 14.11 shows the time history of two aileron surface deflections subject to a
fault (control restriction of control surface deflection of ±5 degrees) at 0 seconds.
A bank angle demand is used as an input to excite the control surfaces. The actu-
ator FDI system accurately detects and identifies the fault after 0.29 seconds of it
reaching the 5 deg deflection limit for the right outboard aileron. It can be seen that

[Plot: Aileron Deflection (deg) against Time (s) for the Right Inboard Aileron and the
Right Outboard Aileron; legend: Surface Demands, Surface Achieved, Position Limits]

Fig. 14.11 Control Restriction on Aileron Deflection (Right-hand plots show detail of
left-hand plots)

the actuator position limits are reduced to the aileron control restriction limits (of
±5 degrees) which ensures that the new deflection limits are used by the DCA. It
takes 0.45 seconds before the upper position limit for the right inboard aileron is
reduced compared to the 0.1 seconds detection time for the right outboard aileron.
The delay in detection time can be attributed to the sensitivity of the algorithm
being limited by specified tolerances that allow greater robustness in the presence of
noise. The noisier the system, the lower the sensitivity will be. If higher sensitivity
is required then a change in the sensor suite would be necessary, either through using
less noisy sensors or introducing redundancy in the sensors to allow better
approximation of the true signal. However, the small delays in detection time seen here
are not significant enough to cause a problem in maintaining control of the aircraft.

14.3.7 Flight Envelope Protection


When a control system is designed for a platform, limits are normally placed on the
demands coming into, or contained within, the inner-loop and outer-loop controllers.
These limits are introduced to protect the structural integrity of the platform and
to prevent loss of stability or departure. Modern aircraft can have what is called
‘carefree’ handling, where it is impossible (or at least, should be impossible) to
overstress the platform or cause departure.
If an aircraft experiences some sort of fault or failure then the limits proposed
for the undamaged aircraft may no longer be valid. In this case new limits should be
used, but the values for the modified limits will be highly dependent on the failure(s)
that have occurred. An on-line system is necessary to identify modified limits to try

[Plot: two panels, Bank Angle Demand Limit (deg) and Roll Control Gain, against Time (s)]

Fig. 14.12 Flight envelope protection output for bank angle demand limit and roll control
gain in presence of failure (at 50 seconds)

and maintain ‘carefree’ handling. This is the aim of the flight envelope protection
(FEP) component of the FDI system.
Ideally the FEP system will be able to perform online stability and control as-
sessment of the damaged aircraft’s flying qualities across the flight envelope or, at
the very least, at the current flight condition. Additionally, to protect the structure,
online stress analysis would need to be performed for various aerodynamic loadings
to identify the integrity of the platform. Obviously this involves a huge amount of
computational capability to perform in real-time and so is currently impractical.
Research into FEP is still underway to find practical methods of approximating
the new limits online but a basic system has been developed using a combination of
heuristics and interpolation/extrapolation of offline assessment results. The current
system that has been developed has two main components: the health and inner-loop
limit estimation system, and the outer-loop limit estimation system.
The health system calculates a percentage health for each of the three rotational
axes based on the platform’s current ability to deliver moments in that axis. This
takes into consideration loss of control surface effectiveness, reduced rate limits
and control surface saturation. The current health for each of roll, pitch and yaw is
used to set limits for the inner-loop rate control system (the NDI component). In the
current system, the demands on rotational rate, rotational acceleration and the rate
control bandwidth are all limited. The values used for these limits decrease as the
health in the respective channel (roll, pitch or yaw) decreases. There are two levels
of limit applied: the recovery limit and the reinforcement limit. The recovery limit
is applied if the current rotational rate demand is tending the aircraft back towards
steady-state, whilst the reinforcement limit is applied if the rotational rate demand
is moving the aircraft further away from steady-state. These two limit levels can be
set at the same value, but testing suggests that the reinforcement limit should be
lower than the recovery limit thus allowing more conservative limits on demands
that could increase the risk of departure, whilst not reducing the aircraft’s ability to
reach, or recover to, steady state.
The outer-loop estimation system uses the failure information from the other FDI
system components to identify limits for the demands in the outer-loop control such
as bank angle, angle of attack, speed, linear acceleration and height rate. These are
all higher order effects whose limits are not directly linked to the moment gener-
ation ability of the aircraft but are more to do with preserving stability. It is not
currently possible to calculate these values online due to the high computational
cost, but research is currently looking for appropriate means to estimate these limits
online. In the meantime, a system based on offline assessment has been developed.
Various failure cases were tested in simulation to identify appropriate limits on the
outer-loop parameters, and a series of look up tables were generated. For partial fail-
ures the limits from the tables were interpolated from the non-failure and complete
failure cases. For multiple failures the limits from the tables were extrapolated.
The full system as outlined above was applied to a UCAV (Unmanned Combat
Air Vehicle) concept as part of our research but time constraints have meant that a
full version of the system has not been applied to the benchmark model. However,
testing with the benchmark has highlighted the importance of the flight envelope
protection system, and a reduced system that limited the bank angle and roll rate de-
mands was necessary to prevent departure (see El-Al benchmark example in 14.4.3).
Fig. 14.12 illustrates the output from the simplified FEP system implemented
on the benchmark model. The time history is for the full El-Al failure case, with the
failure occurring at 50 seconds. The FEP system is specifying a limit for bank angle
demand and a gain for the roll rate demands between the autopilot and the inner-
loop control. Before the failure occurs the limits remain at their nominal values (29
degrees and 3 respectively). After the failure has occurred the parameters reduce
over a period of about 1.8 seconds to reach the post-failure values of approximately
14 degrees and 1.5. The reduction is not instantaneous, since the failure detection
system takes a finite time to identify the nature of the failure and the output from
the FEP system changes as the various failed actuators are identified.

14.4 Benchmark Tests


Presented here are the results from three tests with the full benchmark model: one
with a longitudinal control failure, one with a lateral control failure and one with
the full El-Al failure.

14.4.1 Longitudinal Control Failure Test


Fig. 14.13 provides time histories for selected states in phase 1 (straight and level
flight) of the benchmark trajectory. There are two time histories overlaid: one is the
case with no failure; in the other the stabiliser starts to run away at 40 seconds. The
stabiliser deflection increases at approximately 0.5 degrees per second until hitting
its upper limit at 50.1 seconds (running from -2.04 degrees, the deflection at 40
seconds, and running to 3 degrees, the upper limit for the stabiliser). It can be seen
that the time histories are very similar though there are a few differences in the
longitudinal response. There is a very small adjustment in the speed during the time
that the stabiliser takes to run away. Height also deviates from the no failure case but

[Plot: six panels, Bank angle (deg), Heading (deg), Sideslip (deg), Speed (m/s),
AoA (deg) and Height (m), against Time (s); legend: No Failure, Failure]

Fig. 14.13 Time history for the longitudinal failure case, stabiliser runaway occurring at 40
seconds. The time history for the case with no failure is provided for comparison

only by a few centimetres. The most marked difference is in angle of attack. With
the displacement of the stabiliser the trim condition is at a slightly increased angle
of attack.
Overall, though potentially very problematic, the stabiliser runaway is handled
with practically no noticeable effect on the response of the aircraft.

14.4.2 Lateral Control Failure Test


Fig. 14.14 provides the time history for a test with a loss of the vertical tail before
entering phase 3 of the benchmark tests (right-hand turn and localiser intercept).
The failure occurs at 20 seconds but has no noticeable impact on the response of

[Plot: six panels, Bank angle (deg), Heading (deg), Sideslip (deg), Speed (m/s),
AoA (deg) and Height (m), against Time (s); legend: No Failure, Failure]

Fig. 14.14 Time history for the lateral control failure case, loss of vertical tail occurring at
20 seconds. The time history for the case with no failure is provided for comparison

the aircraft until the turn is initiated to change the heading from 90 degrees to 210
degrees. It can be seen that the turn is performed in a controlled fashion but that the
turn rate is lower than the case in which there is no failure. This is due to the flight
envelope protection system requiring the reduction in bank angle limit to prevent
departure. This is demonstrated in the full El-Al case next.

14.4.3 El-Al Case


Fig. 14.15 illustrates the time-history of key states for the case with the full El-Al
benchmark test failure. The failure is applied at 20 seconds. It can be seen that,
particularly in the bank angle, sideslip and speed time-histories, the failure causes
a disturbance that is successfully suppressed. The failed case settles into a flight
condition with non-zero sideslip due to the loss of the two engines and the damage
to the wing. It is possible that this sideslip could be removed by use of controls but
the benchmark did not have sideslip suppression and so it was not included in the
FTC version either. The aircraft starts to perform a right-hand turn from a heading of
90 degrees to a heading of 268 degrees at 200 seconds. The key point to note is that
the time history for the failure case with FTC enabled but with no flight envelope
protection departs shortly after starting the turn (most clearly seen in the angle of
attack and bank angle plots). The simulation for this case ceased at 274 seconds
when the aircraft state went out of bounds.

Fig. 14.15 Time histories for the full El-Al benchmark failure case. The Failure occurs at
20 seconds. The aircraft then performs a right-hand turn followed by a left-hand turn. Time
histories of the no failure case and the failure case with no flight envelope protection are
included for comparison

The case with an active flight envelope protection system does not depart but,
as in the lateral control failure case, has a lower turn rate. This is again due to the
reduced limits from the FEP system that have limited the maximum bank angle
demand and the roll rate control gain that reduces the demand entering the inner-
loop control system.
After the aircraft has settled on a heading of 268 degrees a left-hand turn is
demanded from a heading of 268 degrees to a new heading of 180 degrees at 400
seconds. This extra turn is added to test whether the port-wise turn performance
is also acceptable, since an asymmetric failure such as this can impact port-wise
and starboard-wise performance differently. The reduced bank angle has reduced the
turn rate again but the aircraft is capable of making the turn and attaining the new
heading. Altogether this time history demonstrates that the full FTC system enables
even the extreme failure case of the full El-Al scenario to be accommodated. After
the failure the aircraft is still able to manoeuvre, accurately acquire new headings
and would be able to proceed to and perform the landing. The time history for the
case without the FEP system highlights the importance of having an active flight
envelope protection as part of fault tolerant control.

14.5 Conclusion
A system has been successfully developed for fault tolerant control based around
non-linear dynamic inversion and optimal control allocation. This system has been
extensively tested in simulation with different aircraft models including the El-Al
747 benchmark model used in the GARTEUR action group. This testing has demon-
strated that the system provides excellent flying qualities without failures and allows
a graceful degradation of performance if the aircraft experiences failures. The spe-
cific application to the benchmark model proved very useful since it features a vali-
dated model of a real-life failure case. The experience from this testing has allowed
a more robust system to be developed.
One key lesson from this research is the importance of a flight envelope protec-
tion system. The testing with the full El-Al failure case and the ‘loss of vertical tail’
case demonstrates that failures can mean that the nominal limits in the inner-loop
or outer-loop control are no longer appropriate to prevent departure. In these cases
it was necessary to reduce the bank angle demand limit and the roll gain limit to
prevent the aircraft crashing. More extensive testing on other models has suggested
that combinations of faults can require adjustment in several control limits, not only
to prevent departure but also to maintain acceptable flying and handling qualities.
Overall, the combined FDIR system based around optimal control allocation has
allowed a full FTC system to be rapidly applied to various aircraft models, and
has demonstrated the potential of FTC to improve aircraft safety. However, there
is potential for improvements, especially in the aerodynamic and actuator FDI, and
the flight envelope protection. It is the aim that these will be investigated in future
research.

Acknowledgement. The work documented here is based on many years of research into
Fault Detection, Identification and Reconfiguration, the vast majority of which was carried
out on behalf of the Ministry of Defence. The authors would like to acknowledge the support
and guidance of the Ministry of Defence and Defence Science and Technology Laboratories
(DSTL) in this work.

References
1. Durham, W.C.: Attainable Moments for the Constrained Control Allocation Problem.
Journal of Guidance, Control and Dynamics 17(6), 1371–1373 (1994)
2. Swain, N.J.N.: Developments in direct control allocation for aeronautical vehicles. Un-
published DERA report (September 1999)
3. Fraleigh, J.B., Beauregard, R.A.: Linear Algebra, 2nd edn. Addison-Wesley Publishing,
Reading (1990)
4. Berry, A.J., Swain, N.J.N.: A comparison of several control allocation schemes for re-
configurable flight control. Unpublished QinetiQ report (July 2001)
5. D’Mello, G.W., Hegarty, S.A., King, J., Swain, N.J.N.: Reconfigurable control: A sim-
ulation study of flight control system tolerance to airframe battle damage and actuator
failures. Unpublished QinetiQ report (March 2002)
6. Optimization Toolbox 3, Eighth Printing, Matlab User’s Guide (September 2007)
7. Press, W.H., Teukolsky, S.A., Vetterling, W.T., Flannery, B.P.: Numerical Recipes in C.
The Art of Scientific Computing, 2nd edn. (1992)
8. Napolitano, M.R., Neppach, C., Casdorph, V., Naylor, S., Innocenti, M., Silvestri, G.:
Neural Network Based Scheme for Sensor Failure Detection, Identification and Accom-
modation. Journal of Guidance, Control and Dynamics 18(6), 1280–1286 (1995)
9. Napolitano, M.R., Neppach, C., Casdorph, V., Naylor, S., Innocenti, M., Silvestri, G.:
Online Learning Neural Architectures and Cross-correlation Analysis for Actuator Fail-
ure Detection and Identification. International Journal of Control 63(3), 433–455 (1996)
10. Swain, N.J.N.: Research into Realisable Fault Tolerant Control. In: 19th International
Unmanned Air Vehicle Systems Conference (March 2004)
11. Smith, P.R., Berry, A.J.: Flight test experience of a non-linear dynamic inversion control
law on the VAAC Harrier, AIAA-2000-3914 (August 2000)
12. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. Wiley, Chichester
(2003)
13. Smith, P.R., Burnell, J.J.: Non-linear dynamic inversion (NDI): a top down approach to
control law design. Unpublished DRA Report (March 1994)
14. Kalman, R.E., Bucy, R.S.: New Results and Methods in Linear Filtering and Prediction
Theory. Transactions of the ASME - Journal of Basic Engineering 83, 95–107 (1961)
Chapter 15
Detection and Isolation of Actuator/Surface
Faults for a Large Transport Aircraft

Andras Varga

15.1 Introduction
In this chapter we address the problem of detection and isolation of actuator faults
for a Boeing 747-100/200 from the perspective of fault tolerant control (FTC). The
main goal of FTC is to allow, after a successful identification of faults, the applica-
tion of appropriate control reconfiguration to ensure safe operation of the aircraft in
the presence of identified failures or, in extreme cases, to guarantee a safe landing
to the nearest airport. The most relevant faults for our analysis are related to four
categories of primary control surfaces: elevator, stabilizer, rudder, and ailerons.
In numerous studies, the occurrence of actuator faults for the Boeing 747-
100/200 aircraft has been addressed in a simplistic way, by assuming that all faults
related to a surface category occur simultaneously [1, 2]. For example, it is usu-
ally assumed that all four elevators are simultaneously affected by the same fault
or, equivalently, each elevator fault is assimilated with a global fault on all elevator
surfaces. As a consequence, the typical approach to compensate for elevator faults is
to use the stabilizer for the aircraft altitude control and ignore the possibility of em-
ploying, for the same purpose, the remaining healthy elevator surfaces. For the pur-
pose of FTC, such a simplifying assumption of simultaneous elevator faults prevents
exploiting the existing freedom in using healthy surfaces which could compensate
(fully or partially) the disturbance induced by the faulty surfaces.
This way of addressing the fault occurrence aspect is clearly not appropriate
for the purpose of FTC, where precise information on the available healthy
actuators/surfaces and faulty ones could be vital for an appropriate control
reconfiguration. The existing redundancy in the control surfaces makes it easier
to cope with partial failures providing an increased overall safety. Thus, handling
only complete surface failures is not a realistic option for FTC.

Andras Varga
German Aerospace Center, DLR - Oberpfaffenhofen
Institute of Robotics and Mechatronics
D-82234 Wessling, Germany
e-mail: Andras.Varga@dlr.de

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 423–448.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

In this chapter we focus on the design of residual generators with least dynam-
ical orders to solve actuator fault detection and isolation problems for the Boeing
747-100/200 aircraft. The main result of our analysis is the proof of feasibility of
the complete isolation of all primary actuator/surface faults in the nominal case
by using a minimal number of additional surface angle sensors. The analysis of
the nominal case provides residual filter specifications which can be employed in a
more realistic design, where robustness aspects with respect to external noise (gusts,
measurements) and parametric/flight condition uncertainties are also considered.
The paper is organized as follows. First we briefly review the solution of the
fault detection problem using scalar output detectors with least dynamical order.
The corresponding design procedure is based on the nullspace method in combina-
tion with dynamic cover techniques. This method is the basis for the design of a
bank of residual generators to solve the more involved fault detection and isolation
problems, where a given fault-to-residual influence structure must be achieved. The
design methods of residual generators for fault detection and isolation have been re-
cently implemented as robust numerical software, which extends the Fault Detection
Toolbox [3] of DLR. The new tools were used to study the feasibility of complete
fault detection and isolation of actuator faults for a Boeing 747-100/200 aircraft.
Fault detection both at component (actuator) level as well as at the system level are
discussed. Residual synthesis results are presented for detecting and isolating both
longitudinal and lateral axis failures for several influence structures of increasing
complexity. The main result of our study is the solution of the complete isolation
problem by employing a minimum number of additional surface sensors.

15.2 Design of Least Order Scalar Output Detectors


Consider the linear time-invariant system described by the input-output relations

$$y(s) = G_u(s)u(s) + G_d(s)d(s) + G_f(s)f(s), \tag{15.1}$$

where y(s), u(s), d(s), and f(s) are Laplace-transformed vectors of the p-dimen-
sional system output vector y(t), mu -dimensional control input vector u(t), m f -
dimensional fault signal vector f (t), and md -dimensional disturbance vector d(t),
respectively, and where Gu (s), G f (s) and Gd (s) are the transfer-function matrices
(TFMs) from the control inputs to outputs, fault signals to outputs, and disturbances
to outputs, respectively.
To detect faults, residual generator filters (or fault detectors) having the general
form
$$r(s) = R(s)\begin{bmatrix} y(s) \\ u(s) \end{bmatrix} \tag{15.2}$$
are employed, where r(t) is the residual signal generated from the available mea-
surements y(t) and control inputs u(t). A residual generator must fulfill two basic
requirements: 1) to generate zero residuals in the fault-free case, for arbitrary con-
trol and disturbance inputs; 2) to generate nonzero residuals when any fault occurs
in the system. These requirements can be made precise as follows:
Fault Detection Problem (FDP): Determine a proper and stable linear residual
generator having the general form (15.2) such that:
(i) $r(t) = 0$ when $f(t) = 0$ for all $u(t)$ and $d(t)$;
(ii) $r(t) \neq 0$ when $f_i(t) \neq 0$, for $i = 1, \ldots, m_f$.
In addition to the above requirements, it is often necessary for practical use that the
TFM of the detector R(s) has the least possible McMillan degree. Note that as a
fault detector, we can always choose R(s) as a rational row vector.
The fulfilment of requirement (ii) ensures that faults produce non-zero residual
responses. When designing fault detectors this requirement for fault detectability
is usually replaced by the stronger request that persistent (constant) faults produce
asymptotically persistent (constant) residuals. This requirement is known as strong
fault detectability and has a special importance for practical applications [22].
Let G fi (λ ) be the ith column of G f (λ ). A necessary and sufficient condition for
the existence of a solution of the FDP is the following [4, 5]:
Theorem 15.1. For the system (15.1) the FDP is solvable iff

rank [ Gd (λ ) G fi (λ ) ] > rank Gd (λ ), i = 1, . . . , m f (15.3)

The requirements (i) and (ii) of the FDP can be easily transcribed into equivalent
algebraic conditions. Condition (i) is equivalent to

R(s)G(s) = 0 (15.4)

where
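$$G(s) = \begin{bmatrix} G_u(s) & G_d(s) \\ I_{m_u} & 0 \end{bmatrix}, \tag{15.5}$$
while the detectability condition (ii) is equivalent to

$$R_{f_i}(s) \neq 0, \quad i = 1, \ldots, m_f \tag{15.6}$$

where $R_{f_i}(s)$ is the ith column of

$$R_f(s) := R(s)\begin{bmatrix} G_f(s) \\ 0 \end{bmatrix} \tag{15.7}$$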

Enforcing the strong detectability of constant faults is equivalent to ensuring finite
non-zero DC-gains for each column of $R_f(s)$, i.e.

$$0 < R_{f_i}(0) < \infty, \quad i = 1, \ldots, m_f \tag{15.8}$$

Conditions (15.4) and (15.6) (or (15.8)) lead to a straightforward design
procedure:

FD Least Order Synthesis Procedure


1. Compute a minimal basis $N_l(s)$ for the left nullspace of G(s).
2. Choose a rational vector h(s) such that

$$R(s) = h(s)N_l(s)$$

has least McMillan degree and fulfils (15.6) (or (15.8)).
3. If necessary, replace R(s) by m(s)R(s), where m(s) is chosen to achieve a
desired dynamics for the resulting detector.

The scalar output detector R(s) at Step 2) is determined as a linear combination of
the basis vectors (rows of $N_l(s)$), such that conditions (15.6) or (15.8) are fulfilled.
The above expression for R(s) represents a parametrization of all possible detectors
and is the basis for the class of nullspace methods introduced in [6]. While this work
relies on using polynomial nullspace bases for Nl (s), an alternative approach relying
on proper rational bases has been proposed by the author in [7]. The main advantage
of this latter method is to rely exclusively on reliable numerical techniques based on
state-space computations (see Section 15.4).

15.3 Solving Fault Isolation Problems


The more advanced functionality of fault isolation (i.e., obtaining the exact location
of faults) can be often achieved by designing a bank of fault detectors [8] or by
direct design of fault isolation filters [9]. Designing detectors which are sensitive
to some faults and insensitive to others can be reformulated as a standard FDP, by
formally redefining the faults to be rejected in the residual as fictitious disturbances.
Let R(s) be a given detector and let $R_f(s)$ be the corresponding fault-to-residual
TFM in (15.7). We denote $R^i_{f_j}(s)$ as the (i, j) entry of $R_f(s)$. We define the fault
signature matrix S, with (i, j) entry $S_{ij}$ given by
$S_{ij} = 1$ if $R^i_{f_j}(0) \neq 0$
$S_{ij} = -1$ if $R^i_{f_j}(0) = 0$ and $R^i_{f_j}(s) \neq 0$
$S_{ij} = 0$ if $R^i_{f_j}(s) = 0$
If Si j = 1 then we say that the fault j is strongly detected in residual i. If Si j = −1
then the fault j is only weakly detected in residual i. The fault j is not detected in
residual i if Si j = 0.
The following fault detection and isolation problem (FDIP) can now be formulated:
Given a $q \times m_f$ fault signature matrix S determine a bank of q stable and
proper scalar output residual generator filters

$$r_i(s) = R^i(s)\begin{bmatrix} y(s) \\ u(s) \end{bmatrix}, \quad i = 1, \ldots, q \tag{15.9}$$

such that, for all u(t) and d(t) we have:
(i) $r_i(t) = 0$ when $f_j(t) = 0$, $\forall j$ with $S_{ij} \neq 0$;
(ii) $r_i(t) \neq 0$ when $f_j(t) \neq 0$, $\forall j$ with $S_{ij} \neq 0$.
In this formulation of the FDIP, each scalar output detector Ri (s) achieves an
influence structure representing the ith row of the desired fault signature structure
matrix S. For example, to achieve the complete isolation of a maximum of k simul-
taneous faults, the choice S = Ik is necessary. In many practical applications this
strong isolation can not be achieved due to the lack of sufficient number of mea-
surements. If we can assume that the faults occur one at a time, a so-called weak
isolation of k faults could be possible by using a fault signature matrix whose ith
row contains all ones except the element in column i which is zero. For example,
for 3 faults S is chosen as
$$S = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 1 \\ 1 & 1 & 0 \end{bmatrix}$$
If this fault signature specification can be achieved, then the occurrence of fault i can
be detected if all residuals (excepting the ith residual) are non-zero. More insight into
how to specify fault signature matrices can be found in [10].
Let S be a given $q \times m_f$ fault signature matrix and denote by $\overline{G}_f^i(s)$ the matrix
formed from the columns of $G_f(s)$ whose column indices j correspond to zero
elements in row i of S. The solvability conditions of the FDIP build up from the
solvability of q individual FDPs.

Theorem 15.2. For the system (15.1) the FDIP with given fault signature matrix S
is solvable if and only if for each i = 1, . . . , q, we have
$$\operatorname{rank}\,[\, G_d(s) \;\; \overline{G}_f^i(s) \;\; G_{f_j}(s) \,] > \operatorname{rank}\,[\, G_d(s) \;\; \overline{G}_f^i(s) \,] \tag{15.10}$$

for all j such that $S_{ij} \neq 0$.

The standard approach to determine R(s) is to design for each row i of the fault
signature matrix S, a detector $R^i(s)$ which generates the ith residual signal $r_i(t)$, and
thus represents the ith row of R(s). For this purpose, the nullspace method can be
applied with G(s) in (15.5) replaced by
$$G(s) = \begin{bmatrix} G_u(s) & G_d(s) & \overline{G}_f^i(s) \\ I_{m_u} & 0 & 0 \end{bmatrix}$$
and with a redefined fault to output TFM $\widetilde{G}_f^i(s)$, formed from the columns of $G_f(s)$
whose indices j correspond to $S_{ij} \neq 0$.
The resulting global detector can be assembled as
$$R(s) = \begin{bmatrix} R^1(s) \\ \vdots \\ R^q(s) \end{bmatrix} \tag{15.11}$$

and has a total McMillan degree which is bounded by the sum of the McMillan
degrees of the component detectors. Note that this upper bound can be effectively
achieved, for example, by choosing mutually different poles for the individual de-
tectors.
Using the least order design techniques described in this paper, for each row of
S we can design a scalar output detector of least McMillan degree. However, even
if each detector has the least possible order, there is generally no guarantee that the
resulting order of R(s) is also the least possible one. To the best of our knowledge,
the determination of a detector of least global McMillan degree for a given fault
signature S is still an open problem. A solution to this problem has been recently
suggested in [11] and is summarized in the following synthesis procedure:

FDI Synthesis Procedure


1. For i = 1, ..., q
   a. Redefine disturbance vector d to include all faults $f_j$ for which $S_{ij} = 0$.
   b. Redefine fault vector f by deleting all faults $f_j$ for which $S_{ij} = 0$.
   c. Compute $R^i(s)$ of order $\nu_i$ using the FD Least Order Synthesis Procedure.
2. Ensure that for $\nu_i \le \nu_j$, the poles of $R^i(s)$ are among the poles of $R^j(s)$.
3. Form the global detector R(s) according to (15.11).

It was conjectured in [11] that the McMillan degree of R(s) resulting from this
procedure is the least possible one.
We describe now an enhanced two step approach to design a bank of detectors,
which for larger values of q, is potentially more efficient than the above standard
approach. In a first step, we can reduce the complexity of the original problem by
decoupling the influences of disturbances and control inputs on the residuals. In a
second stage, a residual generation filter is determined for a system without control
and disturbance inputs which achieves the desired fault signature.
Let $N_l(s)$ be a minimal left nullspace basis for G(s) defined in (15.5) and define
a new system without control and disturbance inputs as

$$\widetilde{y}(s) := N_f(s)f(s), \tag{15.12}$$

where
$$N_f(s) := N_l(s)\begin{bmatrix} G_f(s) \\ 0 \end{bmatrix}. \tag{15.13}$$
The system (15.12) has generally a reduced McMillan degree [12] and also a reduced
number of outputs $p - r_d$, where $r_d$ is the normal rank of $G_d(s)$.
For the reduced system (15.12) with TFM $N_f(s)$ we can determine, using the FDI
Synthesis Procedure, a bank of q scalar output least order detectors of the form

$$r_i(s) = \widetilde{R}^i(s)\,\widetilde{y}(s), \quad i = 1, \ldots, q \tag{15.14}$$

such that the same conditions are fulfilled as for the original FDIP. The TFM of the
final detector can be assembled as
$$R(s) = \begin{bmatrix} \widetilde{R}^1(s) \\ \vdots \\ \widetilde{R}^q(s) \end{bmatrix} N_l(s) \tag{15.15}$$

Comparing (15.15) and (15.11) we have

$$R^i(s) = \widetilde{R}^i(s)N_l(s), \tag{15.16}$$

which can be also interpreted as an updating formula of a preliminary (incomplete)
design. The resulting order of the ith detector is the same as before, but this two
step approach has the advantage that the nullspace computation and the associated
least order design involve systems of reduced orders (in the sizes of state, input and
output vectors).
The above procedure has been used for the example studied in [13, Table 2],
where a 18 × 9 fault signature matrix S served as specification. Each line of S can
be realized by a detector of order 1 or 2 with eigenvalues {−1} or {−1, −2}. The
sum of the orders of the resulting individual detectors is 32, but the resulting global
detector R(s) has McMillan degree 6. Interestingly, the “least order” detector com-
puted in [13] has order 14.

15.4 Computational Aspects


For the numerical computations, state space representation based algorithms have
been developed to serve as a basis for robust software implementations. For this
purpose, a state space realization of (15.1) is employed

$$\begin{aligned} \dot{x}(t) &= Ax(t) + B_u u(t) + B_d d(t) + B_f f(t) \\ y(t) &= Cx(t) + D_u u(t) + D_d d(t) + D_f f(t) \end{aligned} \tag{15.17}$$

with the n-dimensional state vector x(t). The corresponding TFMs of the model in
(15.1) are

$$\begin{aligned} G_u(s) &= C(sI - A)^{-1}B_u + D_u \\ G_d(s) &= C(sI - A)^{-1}B_d + D_d \\ G_f(s) &= C(sI - A)^{-1}B_f + D_f \end{aligned}$$

The FD Synthesis Procedure to design scalar output residual generators with
least dynamical orders can be performed using the numerically sound computational
approach proposed recently in [11]. This approach represents an enhancement
of the minimal dynamic covers techniques introduced in [7], by employing Type I
dynamic covers (instead of Type II covers) to achieve the maximal order reduction
of the resulting detector. A basic computational ingredient to perform Step 1 is a
reliable numerical algorithm to compute least order rational nullspaces of rational
matrices using state-space methods [7]. The main computation in this algorithm
is the orthogonal reduction of the system pencil matrix of the realization of G(s)
in (15.5) to a Kronecker-like form, from which, practically without any additional
computation, a least order rational nullspace basis can be obtained. The existence
conditions of the solution (15.6) can be easily checked using the outcome of the
nullspace computation algorithm [11]. The least order fault detector at Step 2 can
be obtained by selecting an appropriate linear combination of the basis vectors by
eliminating non-essential dynamics using Type I dynamic covers based order re-
duction [11, 14]. To perform Step 3, stable coprime factorization techniques can be
used for which reliable numerical algorithms based on pole assignment techniques
are available [15].
The efficient implementation of the enhanced FDI Synthesis Procedure requires
an explicit updating of a preliminary design (15.16). State space realization based
computations of N f (s) in (15.13) as well as of the resulting least order detectors
Ri (s) in (15.16) are described in [12]. Remarkably, the matrices of the underlying
state space realizations of N f (s) can be obtained using exclusively orthogonal trans-
formations on the system matrices of the original state space realization (15.17). By
using these updating techniques, any need to determine minimal realizations (e.g.,
in (15.13)) has been practically eliminated.
For all underlying numerical computations, robust numerical software is available
in the DESCRIPTOR SYSTEMS Toolbox [16]. This software underlies the implementation
of a first version of the FAULT DETECTION Toolbox [3], where several
tools are available to solve the main classes of fault detection problems. The recently
developed enhancements have been implemented in a new function fdsyn which
is fully documented in [17].

15.5 Monitoring Actuator Failures


The monitoring of primary actuator failures of an aircraft is of paramount impor-
tance for the safe operation and for the continuous situational awareness of the
pilots. In this section we address the fault detection and isolation of all FTC rel-
evant actuator failures by combining component level and system level fault mon-
itoring techniques. The main goal of our analysis is to prove the feasibility of a
complete fault diagnosis system capable of localizing individual or simultaneous
actuator/surface faults.
For our study we consider the Boeing 747-100/200 aircraft for which a high fidelity
nonlinear simulation model with a full set of control surfaces is available. This
model with 11 primary control surface actuators (4 elevators, 1 stabilizer, 4 ailerons,
2 rudders) has been set up within the GARTEUR FM-AG16 as a benchmark for FTC
studies. The original model [18] with only pilot inputs has been used in several fault
detection studies [2], with focus on various aspects mentioned in Section 1.
For the Boeing 747-100/200 aircraft several fault scenarios are of particular in-
terest. For example, the ability to detect single primary actuator faults is of critical
importance, since it can be seen as part of the aircraft specification according to the
requirements of FAA/FAR and EASA/CS. Thus a minimum request from the FTC
perspective is the requirement that for modern aircraft design, no single failure leads
to a catastrophic consequence.
Simultaneous faults can also occur, especially when multiple surface damage oc-
curs. The detection and isolation of simultaneous faults requires a more involved
residual generation system and also the availability of a sufficiently large number
of measurements. Although surface angle sensors can be installed on each control
surface, an interesting aspect is to determine the minimum number of sensors nec-
essary to completely solve the fault isolation problem. We give an answer to this
problem by combining component level and system level fault monitoring.
The main goal of our study of detectability and isolability of actuator/surface
faults was to demonstrate the feasibility of FDI for a complete set of faults. The full
isolation requires placing a minimum number of additional surface angle sensors.
An interesting result of our study also reveals the best achievable isolation capabili-
ties in the absence of additional sensors.
Only the nominal case is studied corresponding to a normal cruise flight. The re-
sults obtained, consisting of several residual generators and the corresponding fault-
to-residual filter specifications, can serve as meaningful specifications for a more
realistic design where input/output noise and uncertainties in the model parameters
and flight conditions are also addressed. Finding the minimal number of additional
sensors allowing the isolation of all surface faults is one of the main achievements
of this study.
In what follows, we show first the capabilities of component level monitoring,
which is traditionally used on present day aircraft. The intrinsic limitations of this
approach, for example, to detect surface failures leading to loss of effectiveness, re-
quire addressing the FDIP using system level monitoring. However, the system level
approach has its own limitations due to the restricted number of available measure-
ments, therefore full FDI is not possible unless additional surface sensors are used.
As expected, the final solution of the FDIP is a combination of both approaches by
employing a minimal number of sensors.

15.5.1 Component Level Monitoring


Typically actuators are modelled as first order linear systems which together with
the corresponding control surfaces have transfer functions of the form
$$g_u(s) = \frac{K}{s + K} \tag{15.18}$$
Here the value of K is determined taking into account the physical rate limits of
the respective surface, and represents an average value applicable to all flight
conditions. Typical choices for the Boeing actuators are: 37/(s + 37) for the elevators,
0.5/(s + 0.5) for the stabilizer, 50/(s + 50) for the rudders and ailerons. The task
of the fault detection at the actuator level is to identify typical actuator faults like
‘stuck actuator’ (also called lock-in place failure), ‘actuator runaway’ (also called
hard-over failure), ‘free-play’ (also called float-type failure), or loss of actuator ef-
fectiveness. In what follows we discuss some aspects of fault detection and isolation
for a generic actuator.
Consider the actuator model (15.18) for which we would like to design a fault
detector able to identify the fault types mentioned previously. For this purpose, a
simple detector which estimates the deviation of surface position on the basis of
measured control surface position and commanded control surface position is given
by the simple observer-like structure
 
$$R(s) = \begin{bmatrix} 1 & -g_u(s) \end{bmatrix}$$

Note that the dynamics of the filter can be arbitrarily assigned by replacing R(s)
with m(s)R(s), where m(s) is an arbitrary stable transfer function.
With such a detector, an actuator fault can be easily detected by checking the
condition $r(t) \neq 0$. The stationary value of the residual signal r(∞) can also be
used to estimate the actual DC-gain of the actuator, say g0 , and thus the actuator
effectiveness. Since g0 = 1 − r(∞), in the fault-free case we have g0 = 1. DC-gain
values in the range [ 0, 1 ] indicate a loss of actuator effectiveness with a zero gain
indicating ‘free-play’. Values outside this domain indicate either a ‘stuck actuator’ in
a certain position or even an ‘actuator runaway’ (i.e., stuck in an extreme position).
The main weakness of this simple fault detection scheme is that it does not
work properly in the case of surface position sensor failures. This lack of reliability
against combined actuator and sensor failures could be a source of false alarms. An-
other potential problem is when the actuator is fault free but the corresponding con-
trol surface is damaged. The associated loss of effectiveness of the actuation/control
surface system can not be detected in this way.
A typical approach to overcome the first weakness is to add hardware redundancy
by increasing the number of sensors to a level which ensures a satisfactory reliability
of measurements. A standard approach is to use three sensors in a voting logic for
validity checking. This is the minimum hardware redundancy to guarantee the re-
liability of monitoring. Interestingly, using model based fault detection techniques,
it is possible to obtain practically the same level of confidence by using only two
sensors (the model based approach provides a third ‘virtual’ sensor).
The actuator system with two identical sensors is described by the transfer-function
matrix
$$G_u(s) = \begin{bmatrix} 1 \\ 1 \end{bmatrix} g_u(s)$$
The fault TFM corresponding to the actuator fault $f_1$ and two sensor faults $f_2$ and
$f_3$ is
$$G_f(s) = [\, G_u(s) \;\; I_2 \,]$$
A possible least order detector for this setup can be chosen as
$$R(s) = \begin{bmatrix} 1 & -1 & 0 \\ 0 & 1 & -g_u(s) \\ 1 & 0 & -g_u(s) \end{bmatrix}$$

and can be realized as a first order system. The resulting fault detection system
achieves the following fault signature
$$S = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 1 \\ 1 & 1 & 0 \end{bmatrix}$$

Assuming that the actuator fault and sensor faults occur one at a time, this influence
structure provides a complete isolation of a single fault by using the following
isolation logic:
– actuator fault occurred if $r_1 = 0$, $r_2 \neq 0$, and $r_3 \neq 0$;
– first sensor failed if $r_1 \neq 0$, $r_2 = 0$, and $r_3 \neq 0$;
– second sensor failed if $r_1 \neq 0$, $r_2 \neq 0$, and $r_3 = 0$.
In this way, the occurrence of each fault can be reliably detected. For fault identifi-
cation, the information provided by either residual signal r1 or r2 can be employed.
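
The isolation logic above, as an added Python example (not code from the chapter or from the Fault Detection Toolbox): it simulates the elevator actuator 37/(s + 37) with two position sensors, forms the three residuals given by the rows of R(s), and matches the thresholded residual pattern against the columns of S. The sample time, fault sizes, fault injection time and decision threshold are assumptions.

```python
"""Two-sensor actuator monitoring: residual bank R(s) and signature-based isolation."""
import math

K = 37.0          # elevator actuator model from the text: g_u(s) = 37/(s + 37)
DT = 0.001        # sample time [s] (assumed)
T_END = 1.0       # simulated horizon [s] (assumed)
T_FAULT = 0.3     # fault injection time [s] (assumed)
THRESHOLD = 1e-3  # decision threshold on |r_i| [rad] (assumed)

# Fault signature from the text: rows are residuals r1..r3, columns are the
# actuator fault f1 and the sensor faults f2, f3.
S = [[0, 1, 1],
     [1, 0, 1],
     [1, 1, 0]]
FAULTS = ["actuator", "sensor 1", "sensor 2"]


def lag(x, u, a):
    """One exact zero-order-hold step of K/(s + K), with a = exp(-K*DT)."""
    return a * x + (1.0 - a) * u


def simulate(f_act=0.0, f_s1=0.0, f_s2=0.0, u_cmd=0.1):
    """Run the actuator and the detector; return the final (r1, r2, r3).

    Faults are additive and constant after T_FAULT, matching
    G_f(s) = [G_u(s) I_2]: f_act enters through the actuator dynamics,
    f_s1 and f_s2 are biases on the two position sensors.
    """
    a = math.exp(-K * DT)
    x_plant = 0.0   # true surface position
    x_model = 0.0   # detector state: g_u(s) driven by the commanded position
    r = (0.0, 0.0, 0.0)
    for k in range(int(round(T_END / DT))):
        on = 1.0 if k * DT >= T_FAULT else 0.0
        y1 = x_plant + on * f_s1
        y2 = x_plant + on * f_s2
        # Rows of R(s) = [1 -1 0; 0 1 -g_u; 1 0 -g_u] applied to (y1, y2, u).
        r = (y1 - y2, y2 - x_model, y1 - x_model)
        x_plant = lag(x_plant, u_cmd + on * f_act, a)
        x_model = lag(x_model, u_cmd, a)
    return r


def isolate(r, threshold=THRESHOLD):
    """Map a residual vector to a fault name using the columns of S."""
    pattern = [1 if abs(ri) > threshold else 0 for ri in r]
    if not any(pattern):
        return "none"
    for j, name in enumerate(FAULTS):
        if pattern == [row[j] for row in S]:
            return name
    # Pattern matches no column: the one-fault-at-a-time assumption is violated.
    return "ambiguous"


if __name__ == "__main__":
    # Constructed fault cases (sizes in rad are illustrative).
    cases = {
        "fault-free": {},
        "actuator offset": {"f_act": 0.05},
        "sensor 1 bias": {"f_s1": 0.02},
        "sensor 2 bias": {"f_s2": -0.02},
        "actuator + sensor 1": {"f_act": 0.05, "f_s1": 0.02},
    }
    for label, kwargs in cases.items():
        r = simulate(**kwargs)
        print(f"{label:22s} r = ({r[0]:+.4f}, {r[1]:+.4f}, {r[2]:+.4f}) -> {isolate(r)}")
```

A simultaneous actuator and sensor fault makes all three residuals non-zero, which matches no column of S and is reported as ambiguous.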
To address the second aspect of loss of control surface effectiveness a system
level analysis could be appropriate (see next section).
For component level diagnosis more detailed actuator models can be used, by
explicitly modelling the dynamics of all actuator components. Such an approach
based on physical parametric models is also suitable for health monitoring purposes.
Another application of potential interest is to detect the so-called ‘oscillatory
failure’ (e.g., of a rudder) as a result of limit cycle oscillations. This type of failure
can trigger an aeroelastic resonance behaviour of the aircraft with unacceptably high
loads. To identify this type of fault, the detection scheme above can be supplemented
with an additional signal analysis based oscillation detection system (e.g., sub-band
filtering followed by Fourier analysis).

15.5.2 System Level Monitoring


The monitoring of actuator faults at the system level is primarily intended to in-
crease overall aircraft safety by detecting fault categories which can not be handled
by the usual component level monitoring. Such faults are, for example, the loss
of efficiency of control surfaces due to possible structural damage or as a result
of icing.

The study of the nominal case has as its main purpose getting a clear understand-
ing of the intrinsic limitations in solving the FDIP in an idealized situation. Further-
more, the achieved fault-to-residual specifications can serve as reference models for
a model-matching formulation of the FDIP [19], where system variabilities (para-
metric, flight conditions) are fully considered.
Actuator fault diagnosis for the whole aircraft can be done in several ways. An
approach advocated by several authors is to use so-called multi-models describing
the aircraft in normal flight conditions as well as in several faulty situations. A bank
of model detection filters can be designed to ensure a desired model-to-residual
signature allowing the application of simple decision logic to identify the current
model (normal or faulty). The main advantage of this approach is its simplicity, both
because of a simple design of the detectors as well as because of the simple residual
evaluation scheme. The main disadvantage is the need for a large number of models
(and thus detectors) to cover many faults and combinations of faults. Moreover,
different levels of actuator efficiency loss are usually represented as separate models,
thus making the number of necessary detectors increase exponentially.
The approach we follow in our study is to model actuator faults as additive dis-
turbances. The linearized fault model of the aircraft corresponding to a given set of
parameter values and a specific flight condition (e.g., straight-and-level flight) has
the standard input-output form (15.1) and the detector is designed in the filter form
(15.2). The linearized models which have been employed were determined using the
nominal values of the parameters in Table 15.1. In what follows we summarize the
results of designing fault detectors for the nominal case.

Table 15.1 Definition of variables and trim condition

Variable                 Nominal Value      Range
Altitude                 600 m (2000 ft)    [ 0, 1000 ]
Air speed                92.6 m/s           [ 85, 135 ]
Landing gear             up
Mass [kg]                317,000            [ 263,000, 320,000 ]
Xcg                      25%                [ 22%, 28% ]
Ycg [m]                  0                  [ -1, 1 ]
Zcg [m]                  0                  [ -1, 1 ]
Flight path angle (γ)    0°
Flap setting             20°

The longitudinal and full order linearized state space models of the aircraft are
given in Appendices A and B. These models correspond to the following parameter
values: mass = 317,000 kg, center of gravity coordinates: Xcg = 25%, Ycg = 0, Zcg =
0. The chosen flight condition is a straight-and-level flight at altitude 600 m, with
a speed of 92.6 m/s, with a flap setting at 20° and with landing gear up. For more
details on the employed model see [18].
15.5.3 Pitch Axis Fault Monitoring


To detect elevator and/or stabilizer faults, we use the longitudinal aircraft model
in state-space form (15.17), where the matrices A, Bu , C, and Du are defined in
Appendix A. The elevator and stabilizer fault inputs are defined as
$$f = \begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \\ f_5 \end{bmatrix} = \begin{pmatrix} \text{right inner elevator fault [rad]} \\ \text{left inner elevator fault [rad]} \\ \text{right outer elevator fault [rad]} \\ \text{left outer elevator fault [rad]} \\ \text{stabilizer fault [rad]} \end{pmatrix}$$

and thus B f = Bu (:, 1 : 5) and D f = Du (:, 1 : 5). For this study of the nominal case
we consider no disturbance inputs for the model.
The achievable fault signature is
$$S = \begin{bmatrix} 1 & 1 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 0 \\ -1 & -1 & 0 & 0 & 0 \\ 0 & 0 & -1 & -1 & 0 \\ 0 & 0 & 0 & 0 & -1 \end{bmatrix}$$

From the last three lines of S it can be observed that the isolation of faults grouped
in three groups ( f1 , f2 ), ( f3 , f4 ) and f5 is achievable, although all groups are only
weakly detectable.
System level monitoring can be used as a complementary tool to device level
monitoring in the case when sensor fault monitoring is not additionally provided.
The simplest fault detection task is to determine if any actuator fault in the pitch
axis has occurred. This comes down to the design of a fault detector achieving the
trivial signature corresponding to the first row of S
$$S_0 = \begin{bmatrix} 1 & 1 & 1 & 1 & 1 \end{bmatrix}$$

by using the lowest order dynamics. To design such a detector, the function fdsyn
has been used. Using the least order design option, a first order residual generator
can be determined. The resulting fault-to-residual dynamics are

$$R_f(s) = \begin{bmatrix} \dfrac{10}{s + 10} & \dfrac{10}{s + 10} & \dfrac{10.43}{s + 10} & \dfrac{10.43}{s + 10} & \dfrac{-5.188s + 58.45}{s + 10} \end{bmatrix}$$
If we would like to isolate elevator and stabilizer faults, only the following choice
of the signature matrix is achievable

$$S_1 = \begin{bmatrix} 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 0 & -1 \end{bmatrix}$$

with the second row having only a weak detectability structure. If we assume that
elevator and stabilizer faults cannot simultaneously occur, we can achieve elevator
and stabilizer fault isolation by using the specification matrix

$$
S_2 = \begin{bmatrix}
1 & 1 & 1 & 1 & 1 \\
1 & 1 & 1 & 1 & 0
\end{bmatrix}
$$

To isolate $(f_1, f_2, f_3, f_4)$ and $f_5$ the following decision logic can be used:

– elevator fault occurred if $r_2 \neq 0$;
– stabilizer fault occurred if $r_1 \neq 0$ and $r_2 = 0$.

A residual generator achieving the above specification can be obtained as a bank
of two detectors using the function fdsyn. Using the least order design option,
two first order detectors can be determined, leading to a residual generator of total
order 2.
Provided we can assume that the groups of faults $(f_1, f_2)$, $(f_3, f_4)$ and $f_5$ do not
simultaneously occur, the achievable specification

$$
S_3 = \begin{bmatrix}
0 & 0 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 0
\end{bmatrix}
$$

can be used for weak isolation using the following decision logic:

– inner elevator fault occurred if $r_1 = 0$, $r_2 \neq 0$, and $r_3 \neq 0$;
– outer elevator fault occurred if $r_1 \neq 0$, $r_2 = 0$, and $r_3 \neq 0$;
– stabilizer fault occurred if $r_1 \neq 0$, $r_2 \neq 0$, and $r_3 = 0$.

Using the least order design option, three first order detectors can be obtained
using the function fdsyn leading to a detector of total order 3. Note that without
the least order design option, a detector of total order 10 results, while using the
standard observer based approach (see for example [20]), a detector of total order
15 is to be expected. The resulting fault-to-residual dynamics are

$$
R_f(s) = \begin{bmatrix}
0 & 0 & \dfrac{10}{s+10} & \dfrac{10}{s+10} & \dfrac{862.7s-1889}{s+10} \\[2ex]
\dfrac{10}{s+10} & \dfrac{10}{s+10} & 0 & 0 & \dfrac{-835.1s+2028}{s+10} \\[2ex]
\dfrac{10}{s+10} & \dfrac{10}{s+10} & \dfrac{10.74}{s+10} & \dfrac{10.74}{s+10} & 0
\end{bmatrix}
$$

The step responses associated with the faults are presented in Fig. 15.1.
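
The decision logic for S3 can be exercised numerically. The following Python sketch is an added example, not code from the chapter or from the FAULT DETECTION toolbox: it evaluates the step responses of the quoted fault-to-residual dynamics in closed form and matches the thresholded residual pattern against the columns of S3. The threshold of 0.1 and all function names are assumptions made for the example.

```python
import math

# Structure matrix S3 from the text: rows are residuals r1..r3, columns are
# faults f1..f5; a 1 means the residual reacts to that fault.
S3 = [
    [0, 0, 1, 1, 1],
    [1, 1, 0, 0, 1],
    [1, 1, 1, 1, 0],
]
LABELS = ["inner elevator", "inner elevator",
          "outer elevator", "outer elevator", "stabilizer"]

# Fault-to-residual dynamics R_f(s) quoted in the text. Every entry has the
# form (b1*s + b0)/(s + POLE); each tuple is (b1, b0).
POLE = 10.0
RF = [
    [(0, 0), (0, 0), (0, 10), (0, 10), (862.7, -1889)],
    [(0, 10), (0, 10), (0, 0), (0, 0), (-835.1, 2028)],
    [(0, 10), (0, 10), (0, 10.74), (0, 10.74), (0, 0)],
]

# Decision table: one entry per distinct column of S3.
DECISION = {tuple(row[j] for row in S3): LABELS[j] for j in range(len(LABELS))}


def structure_of(tfm):
    """0/1 pattern of the nonzero entries of a transfer-function matrix."""
    return [[0 if entry == (0, 0) else 1 for entry in row] for row in tfm]


def step_response(b1, b0, amplitude, t):
    """Response of (b1*s + b0)/(s + POLE) to a step of the given amplitude."""
    dc = b0 / POLE  # steady-state gain
    return amplitude * (dc + (b1 - dc) * math.exp(-POLE * t))


def residuals(fault, t):
    """Residual vector at time t for step faults applied at t = 0."""
    return [sum(step_response(b1, b0, f, t) for (b1, b0), f in zip(row, fault))
            for row in RF]


def isolate(r, threshold=0.1):
    """Match the thresholded residual pattern against the columns of S3.

    Returns the fault group, or None when the pattern matches no column
    (no fault, a transient, or simultaneous faults from different groups).
    The threshold value is an assumption of this example.
    """
    pattern = tuple(1 if abs(x) > threshold else 0 for x in r)
    return DECISION.get(pattern)


def zero_crossing(b1, b0):
    """Time at which the step response of (b1*s + b0)/(s + POLE) crosses zero."""
    dc = b0 / POLE
    if dc == b1:
        return None
    ratio = dc / (dc - b1)  # value of exp(-POLE*t) at the crossing
    return -math.log(ratio) / POLE if 0 < ratio < 1 else None


if __name__ == "__main__":
    # Constructed fault cases, using the amplitudes of Fig. 15.1.
    cases = {"f1": [1, 0, 0, 0, 0], "f3": [0, 0, 1, 0, 0], "f5": [0, 0, 0, 0, 0.01]}
    for name, fault in cases.items():
        print(name, "->", isolate(residuals(fault, 1.0)))
    t0 = zero_crossing(*RF[0][4])
    print("f5: r1 crosses zero at t = %.3f s ->" % t0,
          isolate(residuals(cases["f5"], t0)))
```

With a fixed threshold, the response of r1 to a stabilizer fault changes sign about 0.17 s after the fault, so the pattern briefly matches no column of S3 and the sketch returns None instead of a fault group.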
A more realistic setting is to add actuator dynamics to each input actuator-surface
channel [2]. As already mentioned, the elevator dynamics can be approximated by
transfer functions of the form 37/(s + 37), while for the stabilizer dynamics we take
0.5/(s + 0.5) as suggested in [2]. The resulting model has now order 10 and we can
achieve the same fault signature with a bank of three detectors of total order 6. The
step responses from the faults are presented in Fig. 15.2.

[Figure: plot titled "Step responses achieving specification S = [0 0 1 1 1; 1 1 0 0 1; 1 1 1 1 0]"; columns "From: f1" to "From: f5", rows "To: r1" to "To: r3"; vertical axis: Residuals; horizontal axis: Time (sec), 0 to 1.]

Fig. 15.1 Step responses from the faults: f1 = 1, ..., f4 = 1, f5 = 0.01.

Further enhancement of fault isolation is possible by employing direct measurements
of surface positions. For example, with a single additional measurement of
the stabilizer surface angle it is possible to achieve the signature specification

$$
S_4 = \begin{bmatrix}
1 & 1 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 \\
0 & 0 & 0 & 0 & 1
\end{bmatrix}
$$

and thus to isolate the inner elevator, the outer elevator and the stabilizer faults. The
above specification can be achieved using a bank of three detectors of total order 5.
The step responses from the faults are presented in Fig. 15.3.
Finally, for complete fault isolation it is to be expected that measurements from
all surfaces are necessary. Solving the fault detection and isolation problem
corresponds to achieving the specification $S_5 = I_5$ using the function fdsyn or
employing directly the specially devised function fdi, available in the FAULT DETECTION
toolbox [3]. This latter function is based on the method proposed in [9]. Using this
function, we obtain a detector of order 5 which solves the complete fault detection
and isolation problem. Interestingly, this detector is the same as the one obtained by
using single surface monitoring schemes. This remarkable result also illustrates the
real strengths of the recently developed minimal degree design techniques [9]. In
contrast, the methods traditionally used (e.g., using a bank of 5 observer based
detectors [20]) could lead to detectors of total order up to 70 in the case when actuator
dynamics are included.
[Figure: plot titled "Step responses achieving specification S = [0 0 1 1 1; 1 1 0 0 1; 1 1 1 1 0]"; columns "From: f1" to "From: f5", rows "To: r1" to "To: r3"; vertical axis: Residuals; horizontal axis: Time (sec), 0 to 1.]

Fig. 15.2 Step responses from the faults (included actuator dynamics): f1 = 1, ..., f4 = 1,
f5 = 0.01.

[Figure: plot titled "Step responses for block FDI specification"; columns "From: f1" to "From: f5", rows "To: r1" to "To: r3"; vertical axis: Residuals; horizontal axis: Time (sec), 0 to 1.]

Fig. 15.3 Step responses from the faults with stabilizer angle measurement.

Interestingly, complete isolation can also be achieved by choosing a minimal
number of three surface measurements: two from the left elevators and one from the
stabilizer. The resulting bank of five detectors has a total order of 7 and the resulting
fault-to-residual TFM is

$$
R_f(s) = \operatorname{diag}\left(
\frac{10}{s+10},\ \frac{370}{s^2+47s+370},\ \frac{10}{s+10},\ \frac{370}{s^2+47s+370},\ \frac{10}{s+10}
\right)
$$

The step responses from the faults are presented in Fig. 15.4.

[Figure: plot titled "Step responses for complete FDI specification"; columns "From: f1" to "From: f5", rows "To: r1" to "To: r5"; vertical axis: Residuals; horizontal axis: Time (sec), 0 to 1.]

Fig. 15.4 Step responses from the faults with left elevators and stabilizer angles measurements.

15.5.4 Gear and Roll Axes Fault Monitoring


To detect rudder and/or aileron faults, we consider the full order ($n = 10$) aircraft
model in state-space form (15.17). The definition of state, input and output variables
and the corresponding state space matrices are given in Appendix B. The aileron and
rudder fault inputs are defined as

$$
f = \begin{bmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \\ f_5 \\ f_6 \end{bmatrix}
\quad
\begin{pmatrix}
\text{right inner aileron fault [rad]} \\
\text{left inner aileron fault [rad]} \\
\text{right outer aileron fault [rad]} \\
\text{left outer aileron fault [rad]} \\
\text{upper rudder fault [rad]} \\
\text{lower rudder fault [rad]}
\end{pmatrix}
$$

and thus $B_f$ and $D_f$ are formed from the columns $\{1, 2, 3, 4, 10, 11\}$ of $B_u$ and $D_u$,
respectively.
For the two inner aileron faults $\{f_1, f_2\}$, two outer aileron faults $\{f_3, f_4\}$, and two
rudder faults $\{f_5, f_6\}$, the FDIP with the fault signature

$$
S_1 = \begin{bmatrix}
1 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 1
\end{bmatrix}
$$

is achievable using a bank of three detectors with global order 3. The resulting
fault-to-residual TFM is

$$
R_f(s) = \begin{bmatrix}
\dfrac{10}{s+10} & \dfrac{10}{s+10} & 0 & 0 & 0 & 0 \\[2ex]
0 & 0 & \dfrac{10}{s+10} & \dfrac{10}{s+10} & 0 & 0 \\[2ex]
0 & 0 & 0 & 0 & \dfrac{11.85}{s+10} & \dfrac{10}{s+10}
\end{bmatrix}
$$

The step responses from the faults are presented in Fig. 15.5.

[Figure: plot titled "Step responses for block FDI specification"; columns "From: f1" to "From: f6", rows "To: r1" to "To: r3"; vertical axis: Residuals; horizontal axis: Time (sec), 0 to 1.]

Fig. 15.5 Step responses from the aileron and rudder faults.

We include now the actuator models and add three surface angle sensors for the
two right ailerons and for the upper rudder. With this sensor location the complete
FDIP with $S_2 = I_6$ can be solved to isolate all aileron and rudder failures. The
resulting detector has order 9 and the achieved fault-to-residual TFM is

$$
R_f(s) = \operatorname{diag}\left(
\frac{10}{s+10},\ \frac{100}{s^2+20s+100},\ \frac{10}{s+10},\
\frac{100}{s^2+20s+100},\ \frac{10}{s+10},\ \frac{-0.0002566s+100}{s^2+20s+100}
\right)
$$

The step responses from the faults are presented in Fig. 15.6.

[Figure: plot titled "Step responses for complete FDI specification"; columns "From: f1" to "From: f6", rows "To: r1" to "To: r6"; vertical axis: Residuals; horizontal axis: Time (sec), 0 to 1.]

Fig. 15.6 Step responses from the aileron and rudder faults.

15.6 Summary of Achieved Results and Needs for Further Analysis

The nominal design of residual generators which has been undertaken provides valuable
insight into the nature of the FDIP for aircraft actuator failures, demonstrates
the feasibility of complete fault isolation, and provides filter specifications which
can be useful in a more realistic design of robust residual generators. The analysis
which has been performed of the FDIP for a complete set of primary flight surfaces
shows that a combination of component level monitoring with system level monitoring
allows the solution of this problem for a set of 11 actuator/surface failures.
Our study demonstrated the interesting fact that by appropriately locating a minimal
number of 6 surface angle sensors, complete isolation of faults is possible. The
resulting orders of the residual generators are surprisingly low: order 7 for pitch
axis monitoring and 9 for gear/roll axis monitoring. These figures lower to 3 and 3,
respectively, if no actuator models are included in the design.
By using the proposed least order detector design techniques implemented in reliable
numerical software, a seamless switching among a large number of different
sensor configurations was possible using a single global model of larger order.
Interestingly, the reliability of the numerical algorithms which were employed allowed
us to recover the same simple results in the case when sensors are used for all surfaces,
as those obtained working with each actuator/surface component individually.
For the complete solution of the FDIP, the following aspects still need careful
consideration:

1. Surface angle sensor faults. To achieve complete reliability of the fault monitoring
system, it is important to also consider possible faults in the surface angle
sensors. For example, by adding sensors to all surfaces, the complete isolation
of all actuator faults is possible, while additionally the isolation of a sensor fault
(e.g., stabilizer angle sensor) can be achieved. With three sensors (e.g., two for
left elevators and one for stabilizer), to achieve the isolation of one sensor fault,
we have to assume that sensor and actuator faults do not occur simultaneously.
A complete analysis of sensor location and assignment aspects is important for
practical applications (see also Part II of [21] for a recent survey).
2. Robustness against noisy inputs and noisy measurements. The effect of noisy
inputs and noisy measurements must be considered in a realistic design. Typical
noisy inputs for aircraft are gust turbulences, which can be taken into account
by feeding white noise into the system via stable and minimum-phase Dryden
spectra filters. Colouring filters driven by white noise can be used to model noise
in sensor measurements. For further details see [2] and the literature cited therein.
3. Robustness against parametric uncertainties. The robustness of the designed
detectors against parametric uncertainties is important for practical applicability.
Typical uncertain parameters to be considered for robustness studies are mass, the
coordinates of the center of gravity, as well as flight conditions (speed, altitude).
There are many possibilities to enforce the robustness of the designed detectors
[22] and this challenging aspect will be considered in further studies. The results
provided in this work can be seen as realistic specifications of what can be aimed
to be achieved in the most favourable situation.

References
1. Szászi, I., Ganguli, S., Marcos, A., Balas, G.J., Bokor, J.: Application of FDI to a nonlinear Boeing-747 aircraft. In: Proc. Mediterranean Conference on Control and Automation, Lisbon, Portugal (2002)
2. Marcos, A., Ganguli, S., Balas, G.J.: An application of H∞ fault detection and isolation to a transport aircraft. Control Engineering Practice 13, 105–119 (2005)
3. Varga, A.: A FAULT DETECTION toolbox for MATLAB. In: Proc. of CACSD 2006, Munich, Germany (2006)
4. Ding, X., Frank, P.M.: Frequency domain approach and threshold selector for robust model-based fault detection and isolation. In: Proc. of IFAC Symposium SAFEPROCESS 1991, Baden-Baden, Germany (1991)
5. Nyberg, M.: Criterions for detectability and strong detectability of faults in linear systems. Int. J. Control 75, 490–501 (2002)
6. Frisk, E., Nyberg, M.: A minimal polynomial basis solution to residual generation for fault diagnosis in linear systems. Automatica 37, 1417–1424 (2001)
7. Varga, A.: On computing least order fault detectors using rational nullspace bases. In: Proc. of IFAC Symp. SAFEPROCESS 2003, Washington D.C. (2003)
8. Gertler, J.: Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New York (1998)
9. Varga, A.: New computational approach for the design of fault detection and isolation filters. In: Voicu, M. (ed.) Advances in Automatic Control. The Kluwer International Series in Engineering and Computer Science, vol. 754, pp. 367–381. Kluwer Academic Publishers, Dordrecht (2004)
10. Gertler, J.: Designing dynamic consistency relation for fault detection and isolation. Int. J. Control 73, 720–732 (2000)
11. Varga, A.: On designing least order residual generators for fault detection and isolation. In: Proc. 16th Internat. Conf. on Control Systems and Computer Science, Bucharest, Romania, pp. 323–330 (2007)
12. Varga, A.: On computing nullspace bases – a fault detection perspective. In: Proc. IFAC 2008 World Congress, Seoul, Korea (2008)
13. Yuan, Z., Vansteenkiste, G.C., Wen, C.Y.: Improving the observer-based FDI design for efficient fault isolation. Int. J. Control 68(1), 197–218 (1997)
14. Varga, A.: Reliable algorithms for computing minimal dynamic covers. In: Proc. of CDC 2003, Maui, Hawaii (2003)
15. Varga, A.: Computation of coprime factorizations of rational matrices. Lin. Alg. & Appl. 271, 83–115 (1998)
16. Varga, A.: A DESCRIPTOR SYSTEMS toolbox for MATLAB. In: Proc. CACSD 2000 Symposium, Anchorage, Alaska (2000)
17. Varga, A.: Linear FDI-Techniques and Software Tools. FAULT DETECTION Toolbox V0.8 – Technical Documentation, German Aerospace Center (DLR), Institute of Robotics and Mechatronics (2008)
18. Marcos, A., Balas, G.J.: A Boeing 747-100/200 Aircraft Fault Tolerant and Fault Diagnostic Benchmark. Technical Report AEM-UoM-2003-1, Department of Aerospace and Engineering Mechanics, University of Minnesota, USA (2003)
19. Varga, A.: Numerically reliable methods for optimal design of fault detection filters. In: Proc. of CDC 2005, Seville, Spain (2005)
20. Patton, R.J., Hou, M.: Design of fault detection and isolation observers: a matrix pencil approach. Automatica 34(9), 1135–1140 (1998)
21. Commault, C., Dion, J.-M.: Sensor location for diagnosis in linear systems: a structural analysis. IEEE Trans. Automat. Control 52, 155–169 (2007)
22. Chen, J., Patton, R.J.: Robust Model-Based Fault Diagnosis for Dynamic Systems. Kluwer Academic Publishers, London (1999)

Appendix A Linearized Longitudinal Model


Definition of variables
For the trim conditions defined for the nominal values in Table 15.5.2, the
corresponding linearized nominal longitudinal state space model of the Boeing 747 has
the form

$$
\begin{aligned}
\dot{x}(t) &= A x(t) + B_u u(t) \\
y(t) &= C x(t) + D_u u(t)
\end{aligned}
$$

where the state, input and output variables are defined as follows:

$$
x = \begin{bmatrix} \delta q \\ \delta V_{TAS} \\ \delta\alpha \\ \delta\theta \\ \delta h_e \end{bmatrix}
=: \begin{pmatrix}
\text{pitch rate [rad/s]} \\
\text{true airspeed [m/s]} \\
\text{angle of attack [rad]} \\
\text{pitch angle [rad]} \\
\text{altitude [m]}
\end{pmatrix}
$$

$$
u = \begin{bmatrix} \delta_{eir} \\ \delta_{eil} \\ \delta_{eor} \\ \delta_{eol} \\ \delta_{ih} \\ \delta EPR_1 \\ \delta EPR_2 \\ \delta EPR_3 \\ \delta EPR_4 \end{bmatrix}
=: \begin{pmatrix}
\text{right inner elevator [rad]} \\
\text{left inner elevator [rad]} \\
\text{right outer elevator [rad]} \\
\text{left outer elevator [rad]} \\
\text{stabilizer trim angle [rad]} \\
\text{thrust engine \#1 [rad]} \\
\text{thrust engine \#2 [rad]} \\
\text{thrust engine \#3 [rad]} \\
\text{thrust engine \#4 [rad]}
\end{pmatrix}
$$

$$
y = \begin{bmatrix} \delta\alpha \\ \delta\dot{V}_{TAS} \\ \delta\theta \\ \delta q \\ \delta V_z \\ \delta h_e \end{bmatrix}
=: \begin{pmatrix}
\text{angle of attack [rad]} \\
\text{acceleration [m/s}^2\text{]} \\
\text{pitch angle [rad]} \\
\text{pitch rate [rad/s]} \\
\text{vertical velocity [m/s]} \\
\text{altitude [m]}
\end{pmatrix}
$$

State-model matrices
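$$
A = \begin{bmatrix}
-0.4861 & 0.000317 & -0.5588 & 0 & -2.04 \cdot 10^{-6} \\
0 & -0.0199 & 3.0796 & -9.8048 & 8.98 \cdot 10^{-5} \\
1.0053 & -0.0021 & -0.5211 & 0 & 9.30 \cdot 10^{-6} \\
1 & 0 & 0 & 0 & 0 \\
0 & 0 & -92.6 & 92.6 & 0
\end{bmatrix}
$$

$$
B_u = \left[\begin{array}{rrrrrrrrr}
-0.1455 & -0.1455 & -0.1494 & -0.1494 & -1.2860 & 0.0013 & 0.0035 & 0.0035 & 0.0013 \\
0 & 0 & 0 & 0 & -0.3122 & 0.1999 & 0.1999 & 0.1999 & 0.1999 \\
-0.0071 & -0.0071 & -0.0074 & -0.0074 & -0.0676 & -0.0004 & -0.0004 & -0.0004 & -0.0004 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{array}\right]
$$

$$
C = \begin{bmatrix}
0 & 0 & 1 & 0 & 0 \\
0 & -0.0199 & 3.0796 & -9.8048 & 8.98 \cdot 10^{-5} \\
0 & 0 & 0 & 1 & 0 \\
1 & 0 & 0 & 0 & 0 \\
0 & 0 & -92.6 & 92.6 & 0 \\
0 & 0 & 0 & 0 & 1
\end{bmatrix}
$$

$$
D_u = \left[\begin{array}{rrrrrrrrr}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -0.3122 & 0.1999 & 0.1999 & 0.1999 & 0.1999 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{array}\right]
$$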

Appendix B Linearized Full Order Model


Definition of variables
The trim conditions are defined for the nominal values specified in Table 15.5.2. The
state, control and output variables are defined as follows:

$$
x = \begin{bmatrix} \delta p \\ \delta q \\ \delta r \\ \delta V_{TAS} \\ \delta\alpha \\ \delta\beta \\ \delta\phi \\ \delta\theta \\ \delta\psi \\ \delta h_e \end{bmatrix}
=: \begin{pmatrix}
\text{roll rate [rad/s]} \\
\text{pitch rate [rad/s]} \\
\text{yaw rate [rad/s]} \\
\text{true airspeed [m/s]} \\
\text{angle of attack [rad]} \\
\text{sideslip angle [rad]} \\
\text{roll angle [rad]} \\
\text{pitch angle [rad]} \\
\text{yaw angle [rad]} \\
\text{altitude [m]}
\end{pmatrix}
$$

$$
u = \begin{bmatrix} \delta_{air} \\ \delta_{ail} \\ \delta_{aor} \\ \delta_{aol} \\ \delta_{eir} \\ \delta_{eil} \\ \delta_{eor} \\ \delta_{eol} \\ \delta_{ih} \\ \delta_{ru} \\ \delta_{rl} \\ \delta EPR_1 \\ \delta EPR_2 \\ \delta EPR_3 \\ \delta EPR_4 \end{bmatrix}
=: \begin{pmatrix}
\text{right inner aileron [rad]} \\
\text{left inner aileron [rad]} \\
\text{right outer aileron [rad]} \\
\text{left outer aileron [rad]} \\
\text{right inner elevator [rad]} \\
\text{left inner elevator [rad]} \\
\text{right outer elevator [rad]} \\
\text{left outer elevator [rad]} \\
\text{stabilizer trim angle [rad]} \\
\text{upper rudder surface [rad]} \\
\text{lower rudder surface [rad]} \\
\text{thrust engine \#1 [rad]} \\
\text{thrust engine \#2 [rad]} \\
\text{thrust engine \#3 [rad]} \\
\text{thrust engine \#4 [rad]}
\end{pmatrix}
$$

$$
y = \begin{bmatrix} \delta\alpha \\ \delta\dot{V}_{TAS} \\ \delta\theta \\ \delta q \\ \delta V_z \\ \delta h_e \\ \delta p \\ \delta r \\ \delta\beta \\ \delta V_y \\ \delta\phi \end{bmatrix}
=: \begin{pmatrix}
\text{angle of attack [rad]} \\
\text{acceleration [m/s}^2\text{]} \\
\text{pitch angle [rad]} \\
\text{pitch rate [rad/s]} \\
\text{z-velocity [m/s]} \\
\text{altitude [m]} \\
\text{roll rate [rad/s]} \\
\text{yaw rate [rad/s]} \\
\text{sideslip angle [rad]} \\
\text{y-velocity [m/s]} \\
\text{roll angle [rad]}
\end{pmatrix}
$$

State-model matrices

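$$
A = \left[\begin{array}{rrrrrrrrrr}
-0.8226 & 0 & 0.1666 & 0 & 0 & -1.4189 & 0.000471 & 0 & 0 & 0 \\
0 & -0.4861 & 0 & 0.000317 & -0.5588 & 0 & 0 & 0 & 0 & -2.04 \cdot 10^{-6} \\
-0.1303 & 0 & -0.0199 & 0 & 0 & 0.2387 & -0.00166 & 0 & 0 & 0 \\
0 & 0 & 0 & -0.0199 & 3.0796 & 0 & 0 & -9.8048 & 0 & 8.98 \cdot 10^{-5} \\
0 & 1.0053 & 0 & -0.0021 & -0.5211 & 0 & 0 & 0 & 0 & 9.30 \cdot 10^{-6} \\
0.139 & 0 & -0.9867 & 0 & 0 & -0.0819 & 0.10505 & 0 & 0 & 0 \\
1 & 0 & 0.1265 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1.008 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -92.6 & 0 & 0 & 92.6 & 0 & 0
\end{array}\right]
$$

$$
C = \left[\begin{array}{rrrrrrrrrr}
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & -0.0199 & 3.0796 & 0 & 0 & -9.8048 & 0 & 8.98 \cdot 10^{-5} \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 10 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & -92.6 & 0 & 0 & 92.6 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 92.6 & -11.6213 & 0 & 92.6 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0
\end{array}\right]
$$

$$
B_u = \left[\begin{array}{rrrrrrrrrrrrrrr}
-0.0629 & 0.0629 & -0.1819 & 0.1819 & 0 & 0 & 0 & 0 & 0 & 0.0652 & 0.0185 & 0.0034 & 0.0019 & -0.0019 & -0.0034 \\
0.0107 & 0.0107 & -0.0676 & -0.0676 & -0.1455 & -0.1455 & -0.1494 & -0.1494 & -1.2860 & 0 & 0 & 0.0013 & 0.0035 & 0.0035 & 0.0013 \\
-0.0142 & 0.0142 & -0.0128 & 0.0128 & 0 & 0 & 0 & 0 & 0 & -0.1272 & -0.0929 & 0.0195 & 0.0111 & -0.0111 & -0.0195 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & -0.3122 & 0 & 0 & 0.1999 & 0.1999 & 0.1999 & 0.1999 \\
0 & 0 & -0.0098 & -0.0098 & -0.0071 & -0.0071 & -0.0074 & -0.0074 & -0.0676 & 0 & 0 & -0.0004 & -0.0004 & -0.0004 & -0.0004 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0.0078 & 0.0066 & 0.0001 & 0.0001 & -0.0001 & -0.0001 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{array}\right]
$$

$$
D_u = \left[\begin{array}{rrrrrrrrrrrrrrr}
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & -0.3122 & 0 & 0 & 0.1999 & 0.1999 & 0.1999 & 0.1999 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0
\end{array}\right]
$$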
Part IV
Real-Time Flight Simulator Assessment
Chapter 16
Real-Time Assessment and Piloted Evaluation of
Fault Tolerant Flight Control Designs in the
SIMONA Research Flight Simulator

Olaf Stroosma, Thomas Lombaerts, Hafid Smaili, and Mark Mulder

16.1 Introduction
Desktop-based simulations are extremely useful tools for the development of new
controller applications and techniques as is evident from the theoretical sections of
this book. But, in addition to testing the new controllers in an off-line, desktop-based
benchmark simulation, an online piloted moving-base simulator evaluation can give
new insights into real-time performance issues, applicability in an operational
environment and if applicable, handling qualities of different aircraft configurations.
It can serve as a proof-of-concept and allows the assessment of the benefits of the
controllers in terms of compensation for impaired aircraft control, performance
improvements in failed configurations and lowering of pilot workload. For this purpose,
the aircraft model and the fault-tolerant controllers can be implemented in a
pilot-in-the-loop flight simulator. Pilots with operational experience on the aircraft
in question can be used to assess the efficiency of the controllers and their influence
on the handling of the aircraft. Ideally the pilot should not be aware of any differences
in handling with the controller engaged for the normal fault free and damaged
aircraft, and be able to perform normal flying tasks with satisfactory performance in
both cases. To ensure an acceptable level of validity of this assessment, the fidelity
of the simulator must be sufficiently high. In addition to the dynamic behaviour of
the simulated aircraft model, aspects that influence the fidelity are the appearance
and functionality of the flight displays, the feel in the flight controls, the presence
and field of view of an outside visual system, and the characteristics of any motion
system. To increase reproducibility of the evaluation, these parameters should be
documented together with the assessment results. Integration of the controllers in a
real-time aircraft simulation environment, which is necessary to perform the piloted
evaluation, can help identify implementation issues which would forbid practical
introduction in an actual aircraft flight control system. Reliance on physical parameters
which are not measured in the aircraft (e.g. sideslip angle), sensitivity to
noise and delays in measurements and excessive computational loads are examples
of such problems. These issues can usually be evaluated without a pilot actively in
control and lead to relatively deterministic results. A more operationally oriented
evaluation with a human pilot in the loop introduces variability in the results. To
reduce this variation, the experiment design benefits from a well defined test scenario,
appropriate performance measures and other human factors related measurement
variables. To select the appropriate scenario and measurements, the intended goal
of the evaluation has to be taken into account. For a general impression of the flying
qualities, a procedure such as an approach and landing can be suitable. If a more
detailed insight is required in lateral and/or longitudinal performance or handling
qualities, more stylized manoeuvres can be performed. Examples of these include
altitude captures, speed and trim changes, bank and heading captures, as well as
localizer and glideslope capture and tracking. Apart from the achieved performance,
which can be objectively determined, pilot feedback in the form of comments or
rating scales for handling qualities (e.g. Cooper-Harper [2]) and Pilot-in-the-Loop
Oscillations (PIO) can be valuable subjective results.

Olaf Stroosma
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: o.stroosma@tudelft.nl
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Mark Mulder
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: mark.mulder@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 451–475.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

Within the GARTEUR FM-AG(16) Action Group a number of fault-tolerant
flight control (FTFC) algorithms were developed as described in Part III of this book.
Their underlying principles ranged from H∞ (chapter 12), sliding mode control
allocation (chapter 8) and model-predictive control (chapter 10) to parameter estimation
and nonlinear dynamic inversion (chapter 13). As part of the Action Group’s work,
a real-time assessment and piloted evaluation was performed for several of these
algorithms. The objectives of this evaluation can be summarized as follows:
• Analyzing real-time performance and integration issues of the reconfigurable
fault tolerant flight control algorithms by integrating them in the complete
aircraft environment.
• Qualitative assessment of the FTFC algorithms in terms of aircraft handling
qualities in both nominal and failed conditions.
• Quantitative assessment of the FTFC algorithms benefits in terms of pilot
workload to substantiate the handling qualities ratings.
• Providing an additional control design challenge to raise the technology readiness
level (TRL) of the FTFC control designs by demonstrating the capability
in ensuring a survivable recovery of a damaged aircraft in real-time operational
conditions and procedures.
The current chapter describes the evaluation method, the configuration details of
the simulator used for the piloted evaluation, and software integration issues. Also,
a summary of the evaluation results is given. An elaborate discussion of the handling
qualities results is part of the chapters on the evaluated algorithms themselves
(Chapters 13 and 18). This chapter will follow the standard format for reporting
human factors experiments and include implementation related issues in section
16.2.4.5.

16.2 Evaluation Method


The GARTEUR FM-AG(16) piloted evaluation campaign was performed in three
stages. The first stage was the implementation and integration into the simulator of
the particular FTFC algorithms. Any implementation issues such as computational
load and signal requirements (sensor availability and characteristics such as noise)
could be identified and resolved here. The second and third stage, as described in
the next sections, involved piloted evaluations on the simulator. The method for the
piloted evaluations was based on procedures for human factors experiments and was
designed to assess the FTFC failure accommodation capabilities in terms of aircraft
stabilization, controllability and pilot workload. Some procedures were shortened to
allow more controllers to be examined within the available time frame. The number
of pilots and repetitions were smaller than required for a full statistical analysis of
the experiment.

16.2.1 Experiment Design


A subset of the total number of controllers developed within FM-AG(16) was
available for the piloted simulator evaluation during failed and unfailed flying conditions
(see Table 16.1).
The baseline condition for comparison was the conventional flight control system,
which was manually flown (FTFC-0). Some of the evaluated controllers provided
full auto-flight, allowing the pilot to adjust the controller setpoints for speed,
altitude, and heading in addition to an automatic landing system (FTFC-1, -2, -5).
Others were set up such that the pilot could manually manoeuvre the aircraft
(FTFC-3, -7), much like the conventional manual control strategy (FTFC-0). In this case, the
perceived dynamics could optionally be modified by the fly-by-wire algorithm, e.g.
by using a rate command/attitude hold scheme. During the evaluation, the aircraft
was flown in the manual classical (mechanical) flight control system mode (FTFC-0)
or in FTFC mode (FTFC-1, -2, -3, -5 and -7). In the FTFC-0 configuration,
aircraft control was achieved via the mechanical and hydraulic system architecture
modelled after the real aircraft. In the other configurations, all control surfaces apart
from the flaps, landing gear and engines, were commanded via the respective FTFC
algorithm.

Table 16.1 GARTEUR FM-AG(16) fault tolerant flight control algorithms (* evaluated in
piloted simulation)

| No. | FTFC algorithm | Developer | Control type | Reference |
|-----|----------------|-----------|--------------|-----------|
| 0* | Classic Flight Control System | NLR | Manual (classic) | Chapter 6 |
| 1* | Model Reference Adaptive Sliding Modes Control with Control Allocation (MRAC) | University of Leicester | Auto-flight | Chapter 18 |
| 2* | Integral Action Control (INTAC) | University of Leicester | Auto-flight | Chapter 8 |
| 3* | FTC with Guaranteed Nominal Performance (H∞) | University of Bordeaux | Manual (classic) & Altitude hold | Chapter 12 |
| 4 | Fault Detection, Identification and Reconfiguration System Based Around Optimal Control Allocation | QinetiQ | Manual & Auto-flight | Chapter 14 |
| 5* | Subspace Predictive Control | Delft University of Technology | Auto-flight | Chapter 10 |
| 6 | Real-Time Model Identification and Model Predictive Control | Delft University of Technology | Manual (FBW) | Chapter 11 |
| 7* | Real-Time Model Identification and Nonlinear Dynamic Inversion Control | Delft University of Technology | Manual (FBW) | Chapter 13 |
| 8 | Adaptive Model Following Control | CIRA | Auto-flight | Chapter 9 |

Following integration of the FTFC algorithms in the simulator, the second
evaluation stage consisted of a preliminary assessment of a variety of controllers from
different participants in the group, as summarized in Table 16.1. The goal here was
to receive feedback on all controllers from pilots flying them in a realistic setting.
The most mature manual (FTFC-7) and auto-flight (FTFC-1) controllers were
selected to be demonstrated at the group’s final workshop on 21st November 2007.
The experiment results of these two reconfigurable control schemes are fully
described in chapters 18 and 13.
In the third and final evaluation stage, the manual controller (FTFC-7) went
through a more in-depth evaluation, in which handling qualities were rated by
several professional airline pilots, in April 2008.
In the preliminary evaluation, all controllers were evaluated with the failures they
were designed for. The evaluation pilot first flew the scenario with the failure in the
classical aircraft, followed by the same scenario with the fault-tolerant controller
activated. For the final evaluation, the order of classical and fault-tolerant controller
was randomized over the pilots and two failure scenarios were flown: a runaway
failure of the rudder surfaces and the engine separation failure (Flight 1862). The
controller was also assessed in the nominal case with no failure.

16.2.2 Dependent Measures


The controllers were assessed on two types of dependent measures: implementation
measures and operational measures.

16.2.2.1 Implementation Measures


Apart from the controller’s ability to function within the constraints of its input sig-
nals (sensor availability, noise, delays etc.), another measure of a controller’s practi-
cal applicability is the computational load it places on the Flight Control Computer.
The amount of additional calculations necessary for fault-tolerant control must be
sufficiently low to enable actual introduction within the foreseeable future. The com-
putational loads of the FM-AG(16) algorithms were measured in the simulator soft-
ware environment without a pilot in the loop. For comparison purposes a standard
desktop PC (AMD Athlon™ X2 5600+ processor) was used to measure the time
needed by each algorithm to perform a single integration step. The simulation soft-
ware was used to time the invocation of the controller’s main function. This function
included some overhead of getting the input data from other parts of the simulation
and publishing the results, but this overhead was minimal (typically around 20 μs)
and identical for all evaluated controllers. Because of the diverse structures of the
controllers, a relatively wide spread in computation time was expected. This mea-
surement can help in identifying the relative impact of the controller design on the
computational load. An analysis of the measured real-time computational loads of
the evaluated control algorithms can be found in section 16.3.

16.2.2.2 Operational Measures


The operational variables were concerned with the interaction between the con-
troller and pilot. Both objective and subjective operational variables were measured.
The objective measurements in the FM-AG(16) simulator assessment consisted of
the pilot’s control inputs as an indicator of physical and mental workload, and the states
of the aircraft. The subjective measurements comprised pilot comments and han-
dling qualities ratings according to the Cooper-Harper handling qualities rating
scale (see Appendix 2 and [2]). This rating scale is commonly used to provide a
framework in assessing the handling qualities of a particular aircraft (or configura-
tion) and the required workload and performance in a particular task. As such, it
should always be accompanied by a task description and measurable “required” and
“adequate” performance criteria. The Cooper-Harper handling qualities ratings are
grouped into Level 1 (rating 1-3), Level 2 (rating 4-6) and Level 3 (rating 7-9), with
Level 1 being required for any non-degraded operational aircraft. The performance
of the reconfigured aircraft was assessed in a series of six flight phases, most of
which were explicitly rated by the pilot. These flight phases were:
• Straight and level flight (not rated)
• Altitude captures
• Bank angle captures
• Right-hand turn (not rated)
• Localizer intercept
• Glideslope intercept

Table 16.2 Evaluation maneuvers and associated performance criteria

| Maneuver | Description | Lateral performance | Longitudinal performance |
|---|---|---|---|
| Altitude capture | Intercept the new altitude with a climb or sink rate of at least 1000 feet/minute and without over- or undershoots outside of the required performance band. Maintain heading and airspeed within the required performance bands. | Required: heading ±2°. Adequate: heading ±4°. | Required: altitude ±50 feet, speed ±5 knots. Adequate: altitude ±100 feet, speed ±10 knots. |
| Bank angle capture | Attain a 20 degree bank angle as quickly and precisely as possible and hold it stable. Maintain altitude and airspeed within the required performance bands. | Required: bank 20 ± 1°. Adequate: bank 20 ± 2°. | Required: altitude ±50 feet, speed ±5 knots. Adequate: altitude ±100 feet, speed ±10 knots. |
| Localizer intercept | Intercept and follow the localizer. Maintain altitude and airspeed within the required performance bands. | Required: localizer offset ±0.5 dot. Adequate: localizer offset ±1 dot. | Required: altitude ±50 feet, speed ±5 knots. Adequate: altitude ±100 feet, speed ±10 knots. |
| Glideslope intercept | Intercept and follow the glide slope and localizer. Maintain airspeed within the required performance band. | Required: localizer offset ±0.5 dot. Adequate: localizer offset ±1 dot. | Required: glideslope offset ±0.5 dot, speed ±5 knots. Adequate: glideslope offset ±1 dot, speed ±10 knots. |

The wording on the scale is geared towards use during the development program
of a new aircraft type. For an aircraft with structural or mechanical failures, it is
sometimes tempting to take the degradations into account in the rating and not rate
it as a fully functional aircraft ready to go into production. In such a case, the pilot
may be willing to give a low (good) rating, even though the required workload and
degraded performance would be totally unacceptable in daily operations. It must
be stressed that the rating should be given to the aircraft ‘as is’ without taking the
mitigating circumstances of the failure into account. Only in this way can a fair
comparison be made between the nominal aircraft and the failed aircraft, as well as
between the classical and fault-tolerant control schemes. To increase the validity of
the rating, especially for inexperienced pilots, they were advised for every evaluation
to explicitly follow the decision tree of the rating scale and correlate the attained
performance with the experienced workload. Saving time by directly choosing a
pilot rating number, or by not relating the rating to the actual performance, would have
seriously degraded the quality of the recorded ratings. In the FM-AG(16) evaluation,
a number of tasks and performance criteria were defined. In general, the lateral and
longitudinal handling qualities were given separate ratings. Also, in some cases the
task direction would be influenced by the specific failure, so these were split up as
well, e.g. right and left bank angle captures or up and down altitude captures.
Table 16.2 summarizes the tasks that were to be rated, along with the adequate and
required performance criteria.
The pilots were given feedback on their performance before filling in the rating
scales, as described in section 16.2.5.

16.2.3 Participants
Familiarity with the flown aircraft is one of the main requirements for the participants
in a piloted evaluation. Some flight test or evaluation experience is also beneficial,
especially when using standard rating scales. In the FM-AG(16) simulator campaign,
six professional airline pilots, with an average experience of about 14.000 flight hours,
participated in the evaluation. Five pilots, who conducted the handling
qualities evaluation, were type rated for the Boeing 747 aircraft while one pilot was
rated for the Boeing 767 and Airbus A330 aircraft. Some of the pilots had engi-
neering flight testing experience. Table 16.3 shows information on the individual
background and experience of the evaluation pilots.

Table 16.3 Evaluation pilots in the GARTEUR FM-AG(16) assessment

| Pilot | Age | Flight hours | Type ratings |
|---|---|---|---|
| 1 | 64 | 13000 | Cessna Citation II, DC-3, DC-8, Boeing 747-200/300/400 |
| 2 | 51 | 14000 | Boeing 747-400 |
| 3 | 43 | 15000 | Boeing 747-300, Boeing 767 |
| 4 | 54 | 18000 | Boeing 747-400, Boeing 737, DC-10, DC-9, Fokker F-28 |
| 5 | 40 | 12000 | Boeing 747-400, Boeing 737 |
| 6 | N/A | N/A | Cessna Citation II, Boeing 767, Airbus A330 |

16.2.4 Simulator Configuration

The FM-AG(16) evaluation was performed on the SIMONA Research Simulator
(SRS, Fig. 16.1) at Delft University of Technology. The SRS is a 6-DOF research
flight simulator, with configurable flight deck instrumentation systems, wide-view
outside visual display system, hydraulic control loading and motion system. As a
tool for human factors research in aviation, it has been used for fundamental and
applied research in a number of topics, including human (motion) perception, pilot
control behaviour, aircraft handling qualities, pilot-in-the-loop oscillations,
fly-by-wire control algorithms, flight deck display and interface design, and flight
procedures [5]. The simulator’s middleware software architecture called DUECA (Delft
University Environment for Communication and Activation) allows rapid-access for
programming of the SRS, relieving the user of taking care of the complexities of
network communication, synchronization, and real-time scheduling of the different
simulation modules [6]. Section 16.2.4.5 describes how DUECA was used to
integrate the aircraft model and the FTFC algorithms in the simulator. To achieve
sufficient confidence in the validity of the simulator results, great care was taken to
optimize the simulator’s fidelity. It was configured to match the actual aircraft as
closely as possible.

16.2.4.1 Flight Deck Instrumentation


The flight deck of the SRS resembles a generic, two-person side-by-side cockpit
as found in many modern airliners. For the FM-AG(16) experiment, the SIMONA
cockpit was configured to represent the Boeing 747 aircraft type with glass cockpit
lay-out (Fig. 16.2). The installed hardware consisted of two aircraft seats, a
hydraulically actuated control column (captain’s position) and rudder pedals, an
electrically actuated sidestick (first officer’s position, not used in this experiment),
a Boeing 777 control pedestal, four Liquid Crystal Display (LCD) screens to display
the flight instruments and a Boeing 737 mode control panel (MCP).

Fig. 16.1 The SIMONA (SImulation, MOtion and NAvigation) Research Simulator (SRS) at
Delft University of Technology (courtesy of Delft University): (a) outside view, (b) cockpit view

Fig. 16.2 SRS flight deck in Boeing 747 configuration for the GARTEUR FM-AG(16)
simulator campaign

The displays were based on the Boeing 747-400 Electronic Flight Instrumenta-
tion System (EFIS, see Fig. 16.3). They were shown on the LCD panels mounted
in front of the pilot at the ergonomically correct locations. Although not all dis-
play functionality was incorporated, the pilot had all the information available to
fly the given trajectory. One notable omission was the Flight Director (FD), which
normally gives steering commands to the pilot. Especially during the localizer and
glide slope capture and tracking, the use of “raw” ILS (Instrument Landing System)
data instead of the FD added somewhat to the pilot workload. To help the pilots as-
sess the reconfigurable controller’s actions, the surface deflections of the elevators
(left/right), ailerons (left/right, inner/outer) and rudders (upper/lower) were shown
in the upper right hand corner of the Engine Indication and Crew Alerting System
Display (EICAS).

16.2.4.2 Outside Visual System


The SRS has a wide field-of-view collimated outside visual system to give the
pilot attitude information, as well as to induce a sense of motion through the
virtual world. Three LCD projectors produce computer generated images on a
rear-projection screen, which was viewed by the pilots through the collimating mirror.
The resulting visual has a field of view of 180° × 40°, with a resolution of 1280 ×
1024 pixels per projector. The update rate of the visual was the same as the main
simulation at 100 Hz, while the projector refresh rate was 60 Hz. The display latency
was around 30 ms.

Fig. 16.3 The SRS flight deck displays representing the Boeing 747-400 Electronic Flight
Instrumentation System (EFIS): (a) Primary Flight Display (PFD), (b) Engine Indicating and
Crew Alerting System (EICAS) Display showing engine parameters and flight control
surface deflections for reconfiguration status (aileron (AIL), elevator (ELEV) and
rudder (RUD)) respectively

For this evaluation, a visual representation of Amsterdam Airport Schiphol was
used. All runways and major taxiways were in their correct location, complemented
with the most important buildings on the airfield. The surrounding area was kept
simpler, with a textured ground plane showing a rough outline of the Dutch coast
and North Sea.

16.2.4.3 Control Loading Feel System


The pilot used a conventional control wheel and column, which were loaded with
hydraulic actuators. The simulated dynamics of the controls were a constant mass-
spring-damper system with parameters representative of the aircraft in the evaluated
condition (Table 16.4). The simulation model did not allow for feedback of surface
forces to the controls, a feature that normally would have been present in a Boeing
747 aircraft through the aircraft’s q-feel system. The absence of surface deflection
feedback forces may have had an effect on pilot control efficiency, especially in the
mechanical failure cases.

Table 16.4 Control loading feel system characteristics

| | pitch | roll |
|---|---|---|
| arm | 0.714 m | 0.17 m |
| spring constant | 474 Nm/rad | 5.416 Nm/rad |
| inertia | 5.577 Nms²/rad | 0.478 Nms²/rad |
| damping | 195.3 Nms/rad | 1.116 Nms/rad |
| break-out | 11.1 Nm | 0.1313 Nm |
| stiction/friction | 11.1 Nm | 0.1313 Nm |

16.2.4.4 Motion System


The motion system of the SRS is a six degrees-of-freedom hydraulic hexapod. Its
cueing algorithm, or washout filters, can be easily adjusted to fit new aircraft dynam-
ics or manoeuvres. For the experiment, the severity of the motion was tuned down
somewhat to allow for the sometimes violent manoeuvres of the failures without
reaching the limits of the motion base.
The cueing algorithm was of the classical washout design, with high-pass filters
on all degrees of freedom and a tilt coordination channel to simulate low frequency
surge and sway cues by tilting the simulator. The sway tilt was especially apparent
in some failure cases where large sideslip angles and sideforces were persistently
present.
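
The translational high-pass channels described above, simulated with the surge and heave values of Table 16.5, as an added example that is not the SRS cueing software. The transfer-function forms are the textbook classical washout structure and are an assumption, as is reusing the listed break frequency for the first-order section of the third-order heave filter; tilt coordination and the rotational channels are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WashoutChannel:
    """One translational cueing channel; numbers are taken from Table 16.5."""
    gain: float    # K
    order: int     # high-pass filter order (2 or 3)
    omega: float   # high-pass break frequency [rad/s]
    zeta: float    # damping
    x_min: float   # minimum platform deflection [m]
    x_max: float   # maximum platform deflection [m]


SURGE = WashoutChannel(0.5, 2, 2.0, 1.0, -0.981, 1.259)
HEAVE = WashoutChannel(0.4, 3, 2.0, 1.0, -0.363, 0.678)


def simulate(ch, accel, duration=20.0, dt=0.01):
    """Platform position history [m] for a sustained aircraft acceleration step.

    Assumed filter forms (platform acceleration / aircraft acceleration):
      order 2:  K s^2 / (s^2 + 2 zeta w s + w^2)
      order 3:  the same, preceded by s / (s + w)
    dt = 0.01 s matches the 100 Hz main simulation rate quoted in the text.
    """
    if ch.order not in (2, 3):
        raise ValueError("only the translational 2nd/3rd-order channels are modelled")
    x = v = z = 0.0
    positions = []
    for _ in range(int(round(duration / dt))):
        if ch.order == 3:
            u = accel - ch.omega * z   # first-order high-pass output
            z += dt * u                # z' = accel - w z
        else:
            u = accel
        # Platform acceleration: double-integrating it gives the position.
        a_platform = ch.gain * u - 2.0 * ch.zeta * ch.omega * v - ch.omega ** 2 * x
        v += dt * a_platform           # semi-implicit Euler
        x += dt * v
        positions.append(x)
    return positions


def steady_state_offset(ch, accel):
    """Where the platform ends up under a sustained acceleration.

    A second-order high-pass on acceleration removes the sustained cue but
    leaves the platform parked at K a / w^2; a third-order one brings it
    back to neutral.
    """
    return ch.gain * accel / ch.omega ** 2 if ch.order == 2 else 0.0


def sustained_accel_limits(ch):
    """Sustained accelerations [m/s^2] that park a 2nd-order channel on its stops."""
    if ch.order != 2:
        raise ValueError("a third-order channel returns to neutral")
    scale = ch.omega ** 2 / ch.gain
    return ch.x_min * scale, ch.x_max * scale


if __name__ == "__main__":
    surge = simulate(SURGE, 1.0)
    heave = simulate(HEAVE, 1.0)
    print("surge final offset [m]:", round(surge[-1], 4))
    print("heave peak / final [m]:", round(max(heave), 4), round(heave[-1], 6))
    print("surge sustained-acceleration limits [m/s^2]:", sustained_accel_limits(SURGE))
```

With the second-order surge filter a sustained acceleration leaves a standing offset, which is the stroke the reduced gain has to protect during the persistent side forces and decelerations of the failure cases.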
The SRS motion system characteristics are provided in Table 16.5.

Table 16.5 SRS motion system characteristics (adapted from [5])

| DOF | Kinematics: minimum deflection | Kinematics: maximum deflection | Motion cueing: gain | Motion cueing: high-pass filter order | Motion cueing: high-pass break frequency | Motion cueing: low-pass break frequency | Motion cueing: damping |
|---|---|---|---|---|---|---|---|
| surge | −0.981 m | 1.259 m | 0.5 | 2 | 2.0 rad/s | 4.0 rad/s | 1.0 |
| sway | −1.031 m | 1.031 m | 0.5 | 2 | 2.0 rad/s | 4.0 rad/s | 1.0 |
| heave | −0.363 | 0.678 m | 0.4 | 3 | 2.0 rad/s | - | 1.0 |
| roll | −25.9° | 25.9° | 0.5 | 1 | 2.0 rad/s | - | - |
| pitch | −23.7° | 24.3° | 0.5 | 1 | 2.0 rad/s | - | - |
| yaw | −41.6° | 41.6° | 0.5 | 1 | 1.0 rad/s | - | - |

16.2.4.5 Aircraft Model and Flight Control Systems


For the experiment, the benchmark model and the designed fault tolerant control
algorithms were converted from Simulink® to the real-time environment. This
conversion comprised reformatting for standardized input/output, code generation with
Mathworks’ Real-Time Workshop®, integration in the real-time simulator
environment DUECA and validation. The DUECA software environment provides a
framework to compose modular, distributed, real-time simulations on a variety of
platforms (desktop PC, fixed-base and moving base simulators and flying
laboratory). It works with a data-flow architecture using a publish-subscribe mechanism,
combined with time-tagging on the exchanged data to ensure data consistency. For
the current project, this meant that different controllers could be easily combined
with a single aircraft model as long as they conformed to the standard data channels
to be published and subscribed (Fig. 16.4). The first type of data channels in this
figure are standardized input and output channels which apply to all controllers. The
second type contains the signals between the MCP and the controller, which were
linked to a fixed number of controls on the panel. These controls could be
reprogrammed to fit the needs of a particular controller. The last type of signals were the
outputs from the controller which could be freely specified and which were
written to disk for later analysis. A mechanism was set up within DUECA to be able
to switch between controllers on-the-fly, using an intermediary between the aircraft
model and the controllers, which subscribed to the output of all controllers and
published only the output of the controller which was active. All non-active controllers
could be brought in an idle state to avoid computational overhead and the aircraft
model could run without any knowledge of which controller was actually driving
it. This setup allowed a highly parallel development process where, after the overall
framework was in place, the different controllers could be developed independently
from each other.

Fig. 16.4 Integration of fault tolerant control algorithms in the SIMONA real-time simulator
environment (block diagram: manual pilot inputs, MCP, FTC or classical FCS, actuator,
aircraft model, sensors, FDI, failures, output data and data logging, linked by fixed and
standardized, reprogrammable, and fully flexible data channels)
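
The switching mechanism described above, reduced to a single process, as an added example that is not DUECA code and does not use its API. The `Channel`, `Controller` and `Selector` classes, the channel names and the two toy control laws are hypothetical; the pitch-rate model is a constructed stand-in for the aircraft model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    tick: int    # time tag: the integration step this data belongs to
    data: dict


class Channel:
    """Publish/subscribe channel whose readers ask for one specific time tag."""
    def __init__(self, name):
        self.name = name
        self._samples = {}

    def publish(self, tick, data):
        if tick in self._samples:
            raise ValueError(f"{self.name}: tick {tick} was already published")
        self._samples[tick] = Sample(tick, dict(data))

    def read(self, tick):
        return self._samples.get(tick)   # None if nothing exists for that tick


class Controller:
    """Subscribes to the standard sensor channel, publishes on its own channel."""
    def __init__(self, name, law, sensors):
        self.name, self.law, self.sensors = name, law, sensors
        self.out = Channel(f"cmd/{name}")
        self.active = False
        self.steps = 0                   # number of times the law was evaluated

    def step(self, tick):
        if not self.active:
            return                       # idle: no computation, nothing published
        sample = self.sensors.read(tick)
        if sample is None:
            raise RuntimeError(f"{self.name}: no sensor data for tick {tick}")
        self.steps += 1
        self.out.publish(tick, self.law(sample.data))


class Selector:
    """Intermediary: sees every controller output, republishes only the active one."""
    def __init__(self, controllers, initial):
        self.controllers = {c.name: c for c in controllers}
        self.out = Channel("cmd/selected")   # the only channel the model reads
        self.log = []                        # (tick, source), kept outside the data
        self.select(initial)

    def select(self, name):
        if name not in self.controllers:
            raise KeyError(name)
        for c in self.controllers.values():
            c.active = (c.name == name)
        self.active = name

    def step(self, tick):
        sample = self.controllers[self.active].out.read(tick)
        if sample is None or sample.tick != tick:
            raise RuntimeError(f"{self.active}: no output tagged {tick}")
        self.out.publish(tick, sample.data)
        self.log.append((tick, self.active))


def run(n_ticks, switch_at, dt=0.01):
    """Constant stick input; switch from 'classic' to 'ftfc' at tick switch_at."""
    sensors = Channel("sensors")
    classic = Controller("classic", lambda s: {"elevator": s["stick"]}, sensors)
    ftfc = Controller("ftfc", lambda s: {"elevator": 2.0 * (s["stick"] - s["q"])},
                      sensors)
    selector = Selector([classic, ftfc], initial="classic")
    q, history = 0.0, []
    for tick in range(n_ticks):
        if tick == switch_at:
            selector.select("ftfc")          # on-the-fly switch
        sensors.publish(tick, {"q": q, "stick": 0.1})
        for controller in (classic, ftfc):
            controller.step(tick)
        selector.step(tick)
        # Aircraft model: reads one channel and never learns who produced it.
        cmd = selector.out.read(tick).data
        q += dt * (-1.5 * q + 4.0 * cmd["elevator"])
        history.append((tick, q))
    return classic, ftfc, selector, history


if __name__ == "__main__":
    classic, ftfc, selector, history = run(n_ticks=200, switch_at=80)
    print("law evaluations:", classic.steps, ftfc.steps)
    print("sources around the switch:", selector.log[78:82])
```

Matching on the time tag rather than taking the latest value is what makes the selector fail loudly if the active controller skips a frame, instead of silently feeding the model a stale command.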

The aircraft model was validated against simulator and flight test data according
to the procedures in [3] and [1]. The Digital Flight Data Recorder (DFDR) of the
Flight 1862 accident aircraft was used for the validation of the aircraft dynamics and
performance characteristics representing the physical loss of two right-wing engines
[4], [3]. Information regarding the general characteristics and operational data of the
Boeing 747-100/200 aircraft can be found in chapter 6.
To ensure the validity of the real-time simulation, a validation step was included
in the development phase. Both the online model implementation and the different
controllers were checked to conform to the offline analysis versions by means of
proof-of-match. Any differences between the two implementations were considered
small enough not to be noticeable by the pilot. The baseline aircraft model, control
feel system and Flight 1862 controllability and performance characteristics were
finally validated using pilot-in-the-loop simulation.

16.2.5 Procedure
The scenario of the FM-AG(16) piloted evaluation was designed to resemble an
operational flight profile, based on the flight path of Flight 1862 in the Amsterdam
Airport Schiphol terminal area (Fig. 16.5) [4], [3].

Fig. 16.5 Experiment scenario and tasks of the GARTEUR FM-AG(16) piloted simulator
assessment

Each pilot would start to fly the classical control system mode in unfailed
condition to familiarise himself with the baseline aircraft handling qualities. This
procedure was repeated several times until the pilot felt confident to proceed. The pilot
would rate if the unfailed baseline aircraft model exhibited at least Level 1 handling
qualities (CHR 1-3). The same procedure was conducted to familiarise the pilot
with the fly-by-wire configuration in unfailed conditions. Apart from a general
evaluation of the aircraft’s behaviour during the approach, additional test manoeuvres
were introduced in a number of flight phases to examine the specific performance
and handling qualities of the (damaged) aircraft.
The first flight phase was started at an altitude of 2000 feet near the airport on an
outbound course at a speed of 260 KIAS and a northerly heading of 360 degrees.
In this phase, the controller should stabilize the aircraft, identify and correct any
deviations from the nominal trimmed aircraft condition, and give the pilot a sense
of its non-failed handling qualities.
When stabilised on the outbound course, the pilot was cleared to turn 90 degrees
to an easterly heading and accelerate from 260 to 270 knots to allow a minimum
control speed margin for the Flight 1862 scenario. The experiment coordinator then
notified the pilot of the nature and timing of a failure before applying it. This was
done to consistently remove the aspect of surprise and pilot troubleshooting from
the evaluation. The evaluation’s objective was not to take these into account, but
to focus on the relative performance and workload levels of the augmented and
unaugmented aircraft configurations in a best-case scenario (i.e. the pilot being fully
aware of the failure). It is expected that an unprepared and unaware pilot will have
much greater difficulty in controlling the failed aircraft without the fault tolerant
controller, leading to an even higher observed benefit of the controller in such a
scenario. Appendix 1 provides a complete list of the simulated failure modes, their
reconfiguration strategy and assessment.
During the recovery phase, after the failure was introduced, the pilot’s task was
to bring the aircraft back from any adverse flight condition to a stable state at an al-
titude of 2000 feet and 270 knots. In this phase, the pilot was allowed to familiarise
himself with the aircraft behaviour and try different strategies to bring the aircraft
manually back under control. The recovery phase allowed any FTFC algorithm that
was active to identify the problem, determine a new dynamic model of the damaged
aircraft and reconfigure itself to the new situation. Following a successful recovery
to a stable condition, an optional identification phase was introduced during which
the flying capabilities of the aircraft could be assessed. This allowed for a com-
plete parameter identification of the model for the damaged aircraft as well as the
identification of the safe flight envelope. The knowledge gained during this identi-
fication phase could be used by the controller to improve the chances of a safe and
survivable landing. For the control algorithms evaluated in FM-AG(16), no explicit
identification phase was necessary, because the controllers were able to identify the
failure and reconfigure the flight control system during the initial recovery. If neces-
sary, this could be done continuously during later phases. When fully reconfigured,
the flight control system would allow continuous safe flight after the identification
phase.
After the recovery phase, a straight and level flight phase was initiated during
which the pilot could assess the workload necessary to maintain the aircraft in a
stable condition. Once stabilised at 2000 feet, and selecting a flap setting of one
degree¹, the pilot was asked to initiate a climb and a rapid and precise altitude
capture to 2500 feet. During the climb, airspeed and heading had to be kept constant.
This manoeuvre was meant to examine the longitudinal handling qualities of the
damaged aircraft configuration. When leveled off at 2500 feet, the pilot was asked
to perform a roll capture task that consisted of capturing 20 degrees of bank angle
to the left and right. Again, the goal was to make these captures as rapid and precise
as possible, while maintaining altitude and speed. Banking the aircraft in this way
was expected to expose any undesirable lateral handling qualities.
When the bank angle capture task was completed, the pilot would start a descent
for a new altitude capture to bring the aircraft back to 2000 feet. Speed and heading
were maintained during the descent. Finally, a right-hand turn towards a heading of
240 degrees was performed which brought the aircraft on an intercept course to the
ILS localizer of runway 27 at Amsterdam Airport Schiphol. For all failures, except
the Flight 1862 scenario, the pilot was asked to decelerate to 174 knots, which was
the reference speed for a flap setting of 20 degrees (Vref20) at the chosen weight
configuration (317.000 kg). Once stabilised on the new heading and airspeed, the
simulator was paused to give the pilot the opportunity to rate the altitude and bank
angle capture tasks using the Cooper-Harper rating scale and fill in a questionnaire.
To assist in providing the Cooper-Harper ratings, the pilot was presented with time
histories of the relevant flight parameters. The adequate and desired performance
boundaries for the test manoeuvres, as referenced in the Cooper-Harper scale, have
been defined according to Table 16.2 and were shown in the time histories.
Figures 16.6 and 16.7 illustrate an example of time histories for a simulation run that
includes the different task manoeuvres and their performance boundaries.
To maintain a consistent geometry for the final approach phase across different
runs, the aircraft was then repositioned at a point before the localizer intercept. To
allow some time for re-stabilization after the simulator ‘unfreeze’, a point 5 NM
along track from the intercept point was used. This intercept point was also moved
back 5 NM from the standard intercept point to allow for more time to capture the
localizer. Especially for the Flight 1862 failure case this was helpful because the
intercept was performed with high speeds (270 kts as opposed to 174 kts). For the
approach and landing phase, the tasks consisted of intercepting and capturing the
localiser to align with the runway and intercepting and capturing the glide path for
the final approach. The tasks were performed using raw ILS data presented on the
primary flight display.
The localizer was captured at an altitude of 2000 feet with an airspeed of 174
knots for all failure scenarios except for the Flight 1862 case. For this scenario, a
higher speed of 270 knots was used to maintain sufficient directional control margins
for level flight (minimum speed is about 260 knots according to the DFDR). When
the aircraft was stabilised on the localizer, the pilot would intercept the glideslope
for the final descent. During the descent, airspeed was further reduced to 220 knots
for the Flight 1862 case or 169 knots (Vref25) for all other scenarios. For most failure
cases the normal configuration changes of flaps up to 25 degrees and landing gear
were made. For the Flight 1862 scenario, however, the landing phase was conducted
with the approach configuration (flaps 1 degree and gear up) because this was the
only available configuration from the DFDR which was used for the validation of
the model.

¹ The Flight 1862 aircraft model was validated for a flap setting of 1 degree. For consistency,
all evaluations were therefore performed in this configuration.

Fig. 16.6 Handling qualities task performance as shown after each run to the pilot (dashed
lines: desired performance, dotted lines: adequate performance): (a) altitude capture task
(2000 feet and 2500 feet), (b) bank angle capture task (20° and −20°)

Fig. 16.7 Handling qualities task performance as shown after each run to the pilot (dashed
lines: desired performance, dotted lines: adequate performance): (a) localizer capture task,
(b) glideslope capture task

Table 16.6 Aircraft configurations and flight conditions for the GARTEUR FM-AG(16)
piloted evaluation test scenario (* Flight 1862 scenario)

| Flight phase | Aircraft mass (kg*1000) | Altitude (feet) | Airspeed (knots) | Center-of-Gravity (%MAC) | Flaps | Gear |
|---|---|---|---|---|---|---|
| Failure & Parameter Identification Phase | 317/327* | 2000 | 270 | 25 | 1 | up |
| Straight Flight | 317 | 2000 | 270 | 25 | 1 | up |
| Localiser Intercept | 317 | 2000 | 174/270* | 25 | 20/1* | up |
| Glideslope Intercept | 317 | 2000 | 162/220* | 25 | 25/1* | down/up* |

At an altitude of 50 feet the run was stopped and the pilot was again asked to fill
in the rating scales and questionnaires for the localiser and glideslope capture tasks
using the specified performance metrics.
The landing itself was not part of the experiment, because a realistic aerodynamic
model of the damaged aircraft in ground effect and with the gear extended was not
available. However, it was assumed that if the aircraft was brought to the threshold
in a stable condition and within the runway boundaries, the pilot would likely have
been able to perform the final flare and landing as well.
The aircraft configurations and flight conditions, as used in the test scenario, are
summarised in Table 16.6.

16.3 Results
From the implementation and piloted evaluation, a number of results were obtained
for several of the FM-AG(16) reconfigurable control algorithms. In several cases,
these resulted in adjustments or partial redesigns of the controllers to improve their
practical applicability. One of the controllers was redesigned to be able to cope with
additional time delays in the online sensor simulation. Another was split up in a
fast (time critical) and slow (computationally intensive) part to allow real-time op-
eration. Due to the pilots entering previously untested parts of the flight envelope
(airspeeds, angles of attack), hitherto unknown instabilities were sometimes discov-
ered. Based on pilot comments, the designers of the controllers were also able to
fine-tune the outer control loops to achieve acceptable tracking behaviour.
Pilot comments also indicated that future work should include the determination,
presentation and possibly protection of the remaining safe flight envelope. Although
the fault tolerant controllers can effectively support the pilot in bringing the aircraft
safely to the ground, they cannot overcome the inherent physical limitations of the
damaged vehicle. At some point in the flight envelope, the remaining control options
will still be exhausted and the aircraft will become uncontrollable. A drawback of
the currently investigated controllers is the abrupt loss of control when the safe flight
envelope is abandoned, because the controller has up to that point been actively
providing the pilot with acceptable handling qualities or tracking performance. In
the classical flight control configuration, the pilot would be more aware of nearing
the limits of maximum control deflections by his own direct actions on the controls.
He would be better able to ‘back off’ somewhat to retain control than when he is
flying more detached from the physical world with the controller engaged. A way
to give the pilot back his ‘situational awareness’ would be a valuable addition to a
fault tolerant flight control scheme.
In the course of the integration process, the computational burden of the different
controllers was assessed according to the method described in section 16.2.2.1. The
required times to complete a single frame or integration step are summarized in
Table 16.7.

Table 16.7 Computational load measured as time needed for a single integration step on a
desktop processor

| No. | FTFC algorithm | Frame time |
|---|---|---|
| 0 | Classic Flight Control System | 0.020 ms |
| 1 | Model Reference Adaptive Sliding Modes Control with Control Allocation (MRAC) | 0.15 ms |
| 2 | Integral Action Control (INTAC) | 0.15 ms |
| 3 | FTC with Guaranteed Nominal Performance | 0.028 ms |
| 5 | Subspace Predictive Control | 41 ms @ 10 Hz |
| 7 | Real-Time Model Identification and Nonlinear Dynamic Inversion Control | 2.6 ms |

As can be seen from these results, the structure of the algorithm has a large in-
fluence on the computational load. The third control algorithm, for instance, added
very little computational overhead to the classical flight control system by using a
fixed linear filter. On the other hand, the seventh control algorithm employed real-
time state reconstruction using an iterated extended Kalman filter at every time step,
leading to a much larger demand on the processor.
Handling qualities and workload results were collected for the manually flown
Real-Time Model Identification and Nonlinear Dynamic Inversion Controller
(FTFC-7). From the preliminary evaluations this controller was deemed the most
interesting manual control algorithm because it allowed the collection of
operational data for a number of failures. A full discussion of the evaluation results for
this controller can be found in chapter 13, but to illustrate the evaluation method,
some results are discussed here. In general, the handling qualities results for this
algorithm show that for the Flight 1862 scenario normal flight control was restored
to acceptable levels while physical and mental workload were reduced significantly.
This is illustrated in Fig. 16.8 showing the lateral handling qualities pilot ratings
for the localizer capture task. It can be seen that, for this task, both the baseline
and fault-tolerant fly-by-wire (FBW) aircraft were rated Level 1 (Rating 1-3). After
separation of the right-wing engines the lateral handling qualities of the
conventional aircraft with the classical flight control system degraded to Level 2. The
reconfigured aircraft (FBW) still shows Level 1 handling qualities after incurring
significant damage due to the loss of the right-wing engines. This was substantiated
by the measured pilot control activities, representative of workload, which
indicated that the pilot did not need to compensate for the failure after reconfiguration
(Fig. 16.9). For the rudder runaway failure, the pilots rated the augmented aircraft
as Level 2, the same as the unaugmented configuration. Based on the ratings,
pilot comments, and recorded control activities, an investigation was performed on
the causes and possible solutions to this problem. Chapter 13 describes how this
process helped in identifying future research areas for this particular algorithm and
failure type.

Fig. 16.8 Localizer capture task handling qualities ratings for classical control and fault
tolerant control: (a) classical control, (b) fault tolerant control

Fig. 16.9 Measured pilot control activities for engine separation failure mode (pilot stick
deflection in roll [rad] and pitch [rad], and pilot pedal deflection in yaw [rad], against
time [s], for the classic and FTFC configurations)

16.4 Conclusions
The GARTEUR FM-AG(16) piloted simulator campaign provided a unique opportunity
to assess novel fault tolerant flight control techniques and pilot performance
under flight validated failure mode scenarios and operational conditions. Taking the
extra step of applying the designed reconfigurable control algorithms in a
pilot-in-the-loop simulator has been shown to provide new insights beyond those gained
in an offline analysis. Implementing the control algorithms to work with available sensor
data and in real-time requires smart design decisions and optimizations. With feedback
from pilots, the ultimate users of the system, a new work domain is entered
where pure aircraft performance characteristics are supplemented with the need for
good handling qualities and a good pilot-vehicle interface.
The piloted assessment on the SIMONA Research Simulator, as part of the action
group’s goals, has been shown to be a highly effective way of quickly producing new
versions of the reconfigurable control schemes which were more flyable and conformed
more closely to pilot expectations. Therefore, having a realistic motion simulator
at hand for development and evaluation can be particularly useful if the aircraft’s
handling qualities in nominal and failed conditions must be taken into account in
the design.
From a piloting perspective, the evaluated fault tolerant control designs were
shown to add much to the survivability of a damaged aircraft. The simulation campaign
demonstrated that the reconfigurable fault tolerant controllers exhibited better
performance than achievable by an unsupported pilot, especially after failures. This
improved performance consisted of a reduction of pilot (physical/mental) workload,
an increase of safety and a higher probability of a successful landing. The identification
of the failure and the selection of a suitable recovery strategy were also handled
better by the fault tolerant control systems. The GARTEUR FM-AG(16) experiments
demonstrated that future work in the area of fault tolerant flight control should
not only include a continued focus on the aircraft’s handling qualities in nominal
and failed conditions, but in particular investigate innovative methods for the
determination and protection of the aircraft’s safe flight envelope.
Appendix 1: Failure Mode Test Matrix

Each entry lists: failure mode, aim, description, reconfiguration, assessment, criticality.

0. No failure

1. Stuck elevators
   Aim: Detection of actuator / surface failure
   Description: All elevator surfaces are stuck in a faulty position with an offset from trim.
   Reconfiguration: Remaining surfaces:
     • stabiliser
     • ailerons (symmetric)
     • differential thrust
   Assessment:
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Major

2. Stuck aileron
   Aim: Detection of actuator / surface failure
   Description: All aileron surfaces are stuck in a faulty position with an offset from trim.
   Reconfiguration: Remaining surfaces:
     • ailerons (other)
     • spoilers
   Assessment:
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Major

3. Stabilizer runaway*
   Aim: Provide analytical means of identifying safety critical control surface failure
   Description: The stabiliser surface moves quickly to an extreme position
   Reconfiguration: Remaining surfaces:
     • elevator (bad stabiliser)
     • ailerons (symmetric)
     • flaps
     • differential thrust
   Assessment:
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Critical

4. Rudder runaway*
   Aim: Detection of actuator / surface failure
   Description: All rudder surfaces move quickly to an extreme position.
   Reconfiguration:
     Remaining surfaces
     Asymmetric thrust
   Assessment:
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Critical

5. Stuck elevators (with turbulence)
   Aim: Robust detection of actuator/surface failure
   Description: All elevator surfaces are stuck in a faulty position with an offset from trim.
   Reconfiguration: Remaining surfaces:
     • stabiliser
     • ailerons (symmetric)
     • differential thrust
   Assessment:
     • No false FDI detection
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Major

6. Stuck aileron (with turbulence)
   Aim: Robust detection of actuator/surface failure
   Description: All aileron surfaces are stuck in a faulty position with an offset from trim.
   Reconfiguration: Remaining surfaces:
     • stabiliser
     • ailerons (symmetric)
     • differential thrust
   Assessment:
     • No false FDI detection
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Major

7. Stabilizer runaway (with turbulence)
   Aim: Provide robust analytical means of identifying safety critical control surface failure
   Description: The stabiliser surface moves quickly to an extreme position
   Reconfiguration: Remaining surfaces:
     • elevator (bad stabiliser)
     • ailerons (symmetric)
     • flaps
     • differential thrust
   Assessment:
     • No false FDI detection
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Critical

8. Rudder runaway (with turbulence)
   Aim: Robust detection of actuator/surface failure
   Description: All rudder surfaces move quickly to an extreme position.
   Reconfiguration:
     Remaining surfaces
     Asymmetric thrust
   Assessment:
     • No false FDI detection
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Critical

9. Loss of vertical tail*
   Aim: Detection of actuator/surface failure and loss of directional stability
   Description: The loss of the vertical tail leads to the loss of all rudder control surfaces
   as well as the loss of all damping in the roll and yaw axes.
   Reconfiguration:
     Remaining surfaces
     Asymmetric thrust
   Assessment:
     • Transient behaviour (load factor)
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Catastrophic

10. Engine separation & resulting structural damage (El Al Flight 1862)*
   Aim: Detection of flight critical structural and system failures in order to
     • continue safe flight and landing (civil)
     • improve mission effectiveness (military)
   Reconfiguration:
     Real time control law reconfiguration
     Remaining surfaces
     Remaining engines
     Remaining sensors
   Assessment:
     • Transient behaviour (load factor)
     • Stability
     • Controllability (authority)
     • Continued safe flight and landing
   Criticality: Catastrophic

* Used in piloted simulator evaluation

Appendix 2: Cooper Harper Handling Qualities Rating Scale



References
1. Anonymous: The simulation of a jumbo jet transport aircraft. Modeling data, vol. II.
Technical Report D6-30643, Boeing (September 1970)
2. Cooper, G.E., Harper Jr., R.P.: The use of pilot rating in the evaluation of aircraft handling
qualities. Technical Report TN D-5153, NASA (1969)
3. Smaili, M.H.: Flight data reconstruction and simulation of El Al flight 1862. Master’s
thesis, Delft University of Technology (November 1997)
4. Smaili, M.H.: Flight data reconstruction and simulation of the 1992 Amsterdam
Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Conference and Exhibit,
AIAA-2008-4586. AIAA (August 2000)
5. Stroosma, O., Van Paassen, M.M., Mulder, M.: Using the SIMONA research simulator for
human-machine interaction research. In: AIAA Modeling and Simulation Conference and
Exhibit, AIAA-2003-5525. AIAA (August 2003)
6. Van Paassen, M.M., Stroosma, O.: DUECA - data-driven activation in distributed real-time
computation. In: AIAA Modeling and Simulation Conference and Exhibit,
AIAA-2000-4503. AIAA (August 2000)
Chapter 17
Piloted Evaluation Results of a Nonlinear Dynamic Inversion Based Controller Using
Online Physical Model Identification

Thomas Lombaerts, Ping Chu, Hafid Smaili, Olaf Stroosma,
and Jan Albert (Bob) Mulder

Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Ping Chu
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: q.p.chu@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl
Olaf Stroosma
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: o.stroosma@tudelft.nl
Jan Albert (Bob) Mulder
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 477–499.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

17.1 Introduction
As the survey of major aircraft accidents and incidents in Chapter 1 has shown, it is
sometimes still physically possible to control a damaged aircraft while components
such as control surfaces, engines or parts of the structure have failed. In some cases,
(differential) engine control was used by the pilot to replace conventional control via
the ailerons and elevators due to loss of the hydraulic system. In other cases, some
control surfaces may still be operating to replace the failed ones. This redundancy
can be exploited by an automated reconfigurable system which identifies the remaining
control options and drives the available surfaces. Ideally, the system would
also be able to cope with unforeseen failures and adapt itself accordingly. If the
system takes the form of a manual fly-by-wire flight control algorithm, as opposed
to a fully automatic system, the requirements on the (degraded) handling qualities
also need to be taken into account. The system must provide the pilot with good
handling qualities in normal flight conditions and acceptable handling qualities in
failed conditions.
This chapter discusses the results of a piloted simulator evaluation, conducted
in the SIMONA Research Simulator of the Delft University of Technology, of the
combination of the two-step method as an identification procedure, and nonlinear
dynamic inversion as discussed in Chapter 13. The objectives of the piloted evaluation
are to assess the real-time aircraft failure mode accommodation capabilities,
following a potentially catastrophic failure mode. This will be done in terms of
aircraft failure recovery capabilities, stabilisation, controllability and required pilot
workload to conduct a survivable approach and landing. As with the other fault tolerant
control algorithms tested in the simulator, the same flight scenarios, failure
modes and subtasks were used.
The measurement of the performance of the designed NDI based control algorithm
with online physical model identification has been conducted in two ways:
• Qualitative: by means of subjective handling qualities ratings
• Quantitative: by means of objective pilot workload measurements
These measurements allow an initial assessment of the achieved performance of
the adaptive NDI control algorithm in a real-time operational environment using
(subjective) pilot ratings that are correlated with objective (quantitative) data of pilot
control activity as a measure of workload.
Pilot evaluations of fault tolerant control algorithms have been organised before,
as discussed in [2] and [3]. In [2], handling qualities evaluations have been discussed
for a reconfigurable control law on the X-36 tailless advanced fighter aircraft
(TAFA) for a pitch capture, bank capture and a 360 degrees roll manoeuvre task.
In [3], handling qualities as well as workload have been analysed for a pitch down
manoeuvre in order to evaluate fault detection, isolation and reconfiguration algorithms
for a civil transport aircraft. However, the handling qualities and workload
assessment in this chapter are based upon a more elaborate experiment, involving a
realistic complete approach manoeuvre. Chapter 16 provides a complete description
of the experiment setup and the simulator equipment used in order to put the results,
as presented in this chapter, in the correct perspective.

17.2 Fly-by-Wire ANDI Control Law Design


For the manual fly-by-wire ANDI control law design, a simplified single outer loop
is needed in order to convert the pilot pedal inputs towards a sideslip β command
rather than a yaw rate r command. The inner loop is a rate feedback loop structure,
as discussed in Chapter 13. A pure classical feedback loop works for unfailed
aircraft, but this will not perform adequately for asymmetrically damaged aircraft
where a certain steady non-zero sideslip angle β and/or roll angle φ are necessary to
compensate for the asymmetry. Therefore, this loop must also be NDI-based, where
the feedback path makes use of the lateral specific force A_y (which is related to the
sideslip angle), the roll angle φ and the commanded roll rate p_comm.
The control law can be deduced analogously as for the inner loop described earlier,
where at this stage a relation must be found between the sideslip angle β and the
body fixed angular rates. From [1], the sideslip angle β can be written as follows:

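$$ v = V \sin\beta \tag{17.1} $$

Rewriting for β and differentiating and inserting the equation for v̇ from the nonlinear
aircraft kinematics yields:

$$
\begin{aligned}
\dot{\beta} &= \frac{d}{dt}\arcsin\left(\frac{v}{V}\right) = \frac{1}{\sqrt{V^2 - v^2}} \cdot \dot{v} \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[ A_y + g\cos\theta\sin\phi + pw - ru \right] \\
&= \frac{1}{\sqrt{V^2 - v^2}} \cdot \left[ A_y + g\cos\theta\sin\phi \right]
 + \begin{bmatrix} \dfrac{w}{\sqrt{V^2 - v^2}} & 0 & \dfrac{-u}{\sqrt{V^2 - v^2}} \end{bmatrix}
 \begin{bmatrix} p \\ q \\ r \end{bmatrix}
\end{aligned}
\tag{17.2}
$$

Since controlling the sideslip β is implemented by the rudder δ_r via primarily the
yaw rate r, since u ≫ w, equation (17.2) can be rewritten for the NDI loop command
for r in the rate control loop where the virtual input is ν_β = β̇ and where p_comm is
the commanded roll rate by the pilot, which tracks the cockpit roll wheel deflection:

$$
r = \left[ \frac{-u}{\sqrt{V^2 - v^2}} \right]^{-1} \cdot
\left[ \nu_\beta - \frac{1}{\sqrt{V^2 - v^2}} \left[ A_y + g\cos\theta\sin\phi + w\,p_{comm} \right] \right]
\tag{17.3}
$$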
As a result, fig. 17.1 shows the manual fly-by-wire ANDI control outer loop architecture.
In this setup, the control law provides a conventional attitude rate command
and attitude hold control strategy as applied in modern fly-by-wire transport aircraft.
Control wheel steering supplies a reference roll rate, pitch rate tracks the control
column and the pedals give the commanded sideslip angle, which is limited between
+5° and −5°. Moreover, in order to ensure comfortable aircraft responses to the
pilot inputs, some first order low pass filters have been added in the input channel.
This manual fly-by-wire control setup provided the baseline for the ANDI reconfigurable
control law evaluation in the SIMONA Research Simulator and has been
flown in three aircraft failure scenarios besides the unfailed flight.
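
The sideslip outer loop of eqs. (17.2) and (17.3), as an added Python example that is not code from the book or from the FM-AG(16) project: it closes the loop with the inverted yaw rate command and compares it with a plain proportional yaw-rate law under a constant lateral asymmetry. Perfect inner-loop rate tracking, a constant A_y bias, the gain, the flight condition values and the proportional comparison law are all assumptions made for illustration.

```python
import math

G = 9.81                          # gravitational acceleration [m/s^2]
BETA_LIMIT = math.radians(5.0)    # pedal sideslip command limit stated in the text


def body_velocities(V, alpha, beta):
    """Body-axis velocity components; v = V sin(beta) is eq. (17.1)."""
    u = V * math.cos(alpha) * math.cos(beta)
    v = V * math.sin(beta)
    w = V * math.sin(alpha) * math.cos(beta)
    return u, v, w


def beta_dot(V, alpha, beta, Ay, theta, phi, p, r):
    """Sideslip kinematics, second line of eq. (17.2)."""
    u, v, w = body_velocities(V, alpha, beta)
    s = math.sqrt(V * V - v * v)
    return (Ay + G * math.cos(theta) * math.sin(phi) + p * w - r * u) / s


def r_command_ndi(nu_beta, V, alpha, beta, Ay, theta, phi, p_comm):
    """Yaw rate command of eq. (17.3) for the virtual input nu_beta."""
    u, v, w = body_velocities(V, alpha, beta)
    s = math.sqrt(V * V - v * v)
    known = (Ay + G * math.cos(theta) * math.sin(phi) + w * p_comm) / s
    return (nu_beta - known) / (-u / s)


def simulate(law, beta_pedal, Ay, phi, V=133.8, alpha=0.05, theta=0.03,
             p_comm=0.0, gain=1.0, dt=0.01, t_end=30.0):
    """Integrate the sideslip loop and return (limited command, final beta).

    law = "ndi":   r from eq. (17.3) with nu_beta = gain * (beta_cmd - beta)
    law = "prop":  r = -gain * (beta_cmd - beta), a constructed comparison law
                   without the inversion terms (not the book's classical controller)
    Assumptions: the inner loop tracks r and p_comm perfectly, and Ay, phi,
    theta, alpha and V stay constant (a frozen asymmetric flight condition).
    """
    beta_cmd = max(-BETA_LIMIT, min(BETA_LIMIT, beta_pedal))
    beta = 0.0
    for _ in range(int(t_end / dt)):
        err = beta_cmd - beta
        if law == "ndi":
            r = r_command_ndi(gain * err, V, alpha, beta, Ay, theta, phi, p_comm)
        else:
            r = -gain * err
        beta += dt * beta_dot(V, alpha, beta, Ay, theta, phi, p_comm, r)
    return beta_cmd, beta


def tracking_error(law, beta_pedal, Ay, phi):
    """Final sideslip minus the limited command, in radians."""
    beta_cmd, beta = simulate(law, beta_pedal, Ay, phi)
    return beta - beta_cmd


if __name__ == "__main__":
    # Constructed cases: symmetric aircraft, then a steady lateral asymmetry.
    for label, Ay, phi in (("symmetric", 0.0, 0.0), ("asymmetric", 1.0, 0.05)):
        for law in ("prop", "ndi"):
            err = tracking_error(law, 0.05, Ay, phi)
            print(f"{label:10s} {law:4s} final sideslip error = {math.degrees(err):+.3f} deg")
```

With the inversion the closed loop reduces to β̇ = ν_β, so the tracking error is unaffected by the A_y and roll-angle terms, whereas the proportional-only law settles with an offset as soon as those terms are non-zero.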

17.3 Fly-by-Wire ANDI Control Law Evaluation


The aircraft damage scenarios that were flown during the FM-AG(16) piloted evaluation
of the fly-by-wire ANDI control strategy included the Stabiliser Runaway
scenario, Rudder Runaway scenario and Flight 1862 accident case. The failure
scenarios were selected from the GARTEUR RECOVER benchmark model’s failure
mode library and are based on recent accident cases as surveyed in Chapter 1.
For the Flight 1862 case, digital flight data recovered from the accident site was used
for the validation of the Flight 1862 aircraft dynamics (Chapter 6). Considering the
restricted available time for the experiment, the evaluation phase has concentrated
on these three scenarios.

Fig. 17.1 NDI manual control outer loop

In every scenario, the pilot starts flying at an altitude of 2000 ft and with a speed
of 260 kts towards the north. After a 90 degree heading change eastward, the failure
is triggered and the pilot’s task is to stabilize the plane and familiarise himself
with the degraded handling qualities and reduced performance. After familiarisation,
several evaluation manoeuvres are flown including altitude captures and bank angle
captures. This allows the pilot to verify the stability and controllability of the aircraft.
After the handling qualities evaluation manoeuvres, a conventional terminal area approach
is flown that includes a right hand turn in order to bring the aircraft onto a
localizer intercept course. Finally, the final approach phase consisting of the localizer
and glideslope intercept phases concludes the flight. The simulation is ended
at a height of 50 feet above the runway threshold.¹ All flights were conducted according
to the applicable procedures in the Amsterdam Schiphol Terminal Area. The
aircraft trajectory is illustrated in fig. 17.2. Note that altitude captures and bank angle
captures are not visible on this scale. Details of the experiment scenario, including
handling qualities and performance metrics, are further elaborated in Chapter 7.
Experienced airline and engineering pilots, rated for the Boeing 747 aircraft, conducted
the evaluation. For the handling qualities and pilot workload analysis, the
experiment data from five pilots has been taken into account for both the Rudder
Hardover and Flight 1862 accident case scenarios. Due to time constraints, no ratings
and workload data for the stabiliser runaway failure are available.

¹ The landing itself is not part of the benchmark, because a realistic aerodynamic model of
the damaged aircraft in ground effect is not available. However, it is believed that if the
aircraft is brought to the threshold in a stable condition, the pilot would be able to perform
a survivable final flare and landing.

Fig. 17.2 Trajectory of the piloted simulation runs in the SIMONA research simulator

17.4 Analysis Results


In this section, handling qualities and workload results are given on the manually
flown Real-Time Model Identification and Nonlinear Dynamic Inversion Controller.
First the time histories of the pilot inputs, a selection of aircraft states, and the control
surface deflections are analysed. Subsequently, focus is placed on the analysis
of handling qualities and pilot workload calculations.

17.4.1 FTC and Pilot Performance Analysis Results: Time Histories

Figure 3(a) shows the pilot control deflections for the unfailed situation. This figure
shows that there is no significant difference in required control deflections between
both control alternatives in unfailed conditions, but this graph serves as a benchmark
for the subsequent analysis for the different failure cases. Figure 3(b) shows that no
sustained pitch deflection is necessary to compensate for the failure in the FTFC
case, in contrast to the classic control case. The failure occurs at approximately
t = 150s. No significant differences are visible in the roll and yaw channel, because the
failure only has consequences for the longitudinal controls. In fact, this behavior
can also be called ’autotrim’, because all unrequested pitch rates are automatically
canceled out. During the simulation run, the pilot stated that there was no noticeable
difference between the FTFC controlled aircraft suffering stabilizer runaway and an
unfailed aircraft.
In the Flight 1862 failure mode scenario, both right-wing engines (no. 3 and
4) are separated simultaneously resulting in substantial structural wing damage and
partial loss of hydraulics. In this particular case, the aircraft dynamics closely match
the flight data as obtained from the digital flight data recorder (DFDR). Figure 3(c)
illustrates that the failure mode is highly demanding for the pilot to compensate
for. The pilot has to use all available steering channels (roll by the steering wheel,
pitch by the column and yaw by the pedals) in order to keep the aircraft under control
in the classical control system configuration. The separation of the right-wing
engines occurs around t = 200s into the flight for both the classical and ANDI control
system. For the classical control system configuration, some pilots were not
able to maintain control of the aircraft while trying to recover and stabilise after the
separation of the right-wing engines. Due to the characteristics of this failure, the
demand for the pilot is dependent upon the speed regime where the damaged aircraft
is flying. At high speed (above approximately 260 KTS) and at a weight of 317.000
kg, the aircraft appears to be controllable, while at lower speeds the handling deteriorates
significantly until control is lost around 200 KTS in a gliding condition
(almost idle thrust on the remaining engines no. 1 and 2). Several other interesting
observations were made for this failure scenario. For all pilots, the separation
of both right-wing engines and the subsequent damage to the aircraft necessitated
the use of both hands on the control wheel throughout most of the flight to keep
the aircraft under control (Figure 5(a)). The sustained control forces, both to control
bank angle and yaw, resulted in significant physical workloads as commented
by the pilots afterwards and confirmed by their ratings. Additionally, most pilots
commented about the obstruction of the primary flight instruments by the control
wheel deflected at large angles required for lateral control (Figure 5(b)). The lateral
control capabilities of the damaged aircraft with the classical control system showed
that approaching approximately 260 knots in level flight, controlling left bank angles
towards the operating engines became progressively sluggish requiring up to
almost full control wheel deflection while applying full rudder pedal. For a right
turn into the separated engines, the baseline aircraft had a tendency to overbank up
to the point where control was lost (Figure 17.6). It was furthermore observed that
lateral control capabilities were improved at increasing sink rates while intercepting
the glideslope and reducing thrust on the remaining engines to decelerate and
stabilise for a gliding condition towards the runway. However, for a successful landing,
the pilot requires knowledge concerning the aircraft’s minimum control speed
under the prevailing conditions in order to remain within the degraded safe flight
envelope boundaries. After control reconfiguration by the fly-by-wire ANDI control
law, following a real-time identification of the damaged aircraft dynamics, the experiment
showed that conventional control strategies were restored allowing normal
use of the control wheel, column and pedal to conduct a successful landing (Figure
17.7). Aircraft recovery transients and stabilisation by the ANDI fault tolerant control
laws, immediately after the separation of the engines, proved to be acceptable
(almost a non-event as commented by the pilots). Comparing the classical control
system and the fault tolerant control algorithms in Figure 3(c) shows that the ANDI
control laws require no more control effort from the pilot on the roll, pitch and yaw
steering channels than before the failure. Only near the end of this particular simulation
run for the FTFC configuration a major pilot control action in the lateral axis
can be seen at about t = 900s resulting in a saturation of the ailerons. This appeared
to be a corrective action by the pilot as the damaged aircraft accidentally decelerated
below the (unavailable) minimum control speed during final approach. More information
about this will be given later, see also fig. 17.9. This event highlights how
information about the remaining pilot authority and the restricted safe flight envelope
would contribute significantly to the pilot’s awareness.
The rudder runaway is the most challenging failure from the pilot perspective.
The failure occurs shortly before t = 200s. In this scenario, both upper and lower
rudder surfaces are deflected uncommanded towards the aerodynamic blowdown
limit (dependent on airspeed). As can be seen in Figure 3(d), the pilot has to use all
available steering channels (roll by the steering wheel, pitch by the column and yaw
by the pedals) to keep the aircraft under control in the case of classical control. This
is remarkable, since only two channels (roll and pitch) retain their efficiency. Rudder
demands via the pedal inputs have no use in this failure scenario, nevertheless
it can be seen that the pilot is still tempted to use the pedals as a natural (trained)
reaction, despite being aware of the failure characteristics via the pre-flight briefing.
The aircraft failure transient behavior following a sudden rudder hardover of
the classical control system appeared to be rather critical. As can be seen in Figure
17.8, providing a visualisation of the simulator data, the baseline aircraft attains
an initial large roll upset following a left rudder hardover without immediate pilot
compensation. Most pilots were able to recover and stabilise the aircraft by manually
applying differential thrust following the failure (Figure 4(d)). However, the
application of differential thrust to stabilise the aircraft and improve lateral control
margins resulted in difficulties controlling airspeed as commented by some of the
pilots. The ANDI control algorithm, on the other hand, requires no more control
effort from the pilot on these steering channels than before the failure. The pedals, for
instance, need no pilot input at all to minimize the sideslip of the aircraft in the case
of FTFC. Only at the very end, a small pedal input is given by the pilot in order to
line the aircraft up with the runway a few seconds before touchdown. It should also
be noted that, to ensure sufficient lateral controllability, differential thrust must be
applied. For the current FTFC control algorithm, differential thrust has been applied
manually by the pilot during the recovery and stabilisation phase which appeared to
be less critical immediately after reconfiguration.
Generally, comparing classical and fault tolerant control in the failure scenarios
above shows that a fault tolerant flight controller requires no more control effort
from the pilot on these steering channels than before the failure. The pedals for
instance, need no pilot input at all to minimize the sideslip of the aircraft in the case
of FTFC. Finally, some comments are given concerning the time scale. No timing
requirements have been given to the pilot, resulting in some variations in time scales,
depending on failure and control system.
Fig. 17.8 and 17.9 show the time histories of a selection of the most important
aircraft states. These confirm the evaluation trajectory as outlined in fig. 16.5. Moreover,
altitude and roll angle plots illustrate the altitude and roll angle captures executed
by the test pilot to evaluate the post-failure handling qualities of the aircraft.
Fig. 17.9 gives some additional information about the situation where the safe flight
envelope boundary has been exceeded. The velocity graph shows that airspeed in the
fault tolerant control case is allowed to reduce significantly lower than for the classical
control case. At some point, the minimum controllable airspeed is exceeded,
slightly above 100 m/s, and the aircraft exhibits a rolling tendency to the right which
is almost impossible to counteract. Opening throttles for increasing airspeed even
aggravates this behavior, since only the left hand engines are providing thrust. After
some major effort, the test pilot succeeds in stabilizing the aircraft again, but altitude
and speed conditions do not permit lining up the aircraft successfully with the
runway.

Fig. 17.3 The pilot control actions during the different scenarios which were flown manually.
Range of available pilot control deflections: roll ±1.536 rad, pitch ±0.221 rad, yaw ±0.244
rad. Panels: (a) unfailed, (b) stabilizer runaway, (c) engine separation scenario, (d) rudder
runaway; each panel shows pilot stick deflection in roll [rad] and pitch [rad] and pilot pedal
deflection in yaw [rad] against time [s], for classic and FTFC
Fig. 17.10 shows the time histories of the control surface deflections for the different
scenarios. These graphs demonstrate that the ANDI-controller uses the remaining
active control surfaces in a way similar to what a human pilot would do.
However, for the classical control system, the control surface deflections are proportional
to the pilot’s commands whereas in the fly-by-wire ANDI case, there is no
direct coupling anymore. In fig. 10(b), for instance, it is clear that the disturbing influence
of the stabilizer runaway is counteracted by means of the elevators, however,
without command from the pilot as can be seen in fig. 3(b). The same principle holds
for the other scenarios. Another difference between the classical control system and
the ANDI algorithm is visible in the application of the elevator for the nominal
(unfailed) and rudder hardover cases as shown in fig. 10(a) and 10(d). The ANDI
algorithm uses the elevator as an ’auto-trim’ feature that automatically compensates
for a mistrimmed stabilizer.

Fig. 17.4 Piloted simulation of left rudder hardover inducing a large upset of the aircraft
without ANDI reconfigurable control laws (flight animation by Rassimtech AVDS) ©
(a) Aircraft stabilised before failure. Altitude 2000 feet, Airspeed 260 KTS, Sideslip 0 deg,
Bank angle 0 deg
(b) Left rudder hardover to blowdown limit. Altitude 2000 feet, Airspeed 260 KTS, Maximum
sideslip excursion 11.8 deg, Maximum bank angle approximately 30 deg
(c) Pilot standing-by before failure insertion
(d) Pilot applies full right-wing down control wheel deflection and differential thrust for
aircraft recovery

Information regarding control reconfiguration status by the ANDI algorithm was
available to the pilot via the engine indicating and crew alerting system (EICAS)
display in the cockpit. Figures 11(a) and 11(b) illustrate the EICAS display before
and after the separation of the right-wing engines. As shown in the figures, the asymmetric
physical loss of the engines is recovered and compensated by allocation of
control to the remaining surfaces. For this scenario, the inboard ailerons are only
half operational, supported by the remaining spoilers, as indicated by the damage
information in Chapter 6, and this is also visible in fig. 10(c). This figure shows
also that the FTFC algorithm exploits the full control authority of the rudder, where
the human pilot relies less on rudder control input. As a consequence, slightly less
aileron deflections are needed in the FTFC case compared to classic control. The
balance between aileron and rudder use can be improved by means of further optimisation
of the control allocation scheme.

Fig. 17.5 Pilot control activity after separation of both right-wing engines for classical
hydro-mechanical control system configuration
(a) Pilot (left) requiring both hands for lateral control after separation of both right-wing
engines without control reconfiguration
(b) Pilot’s head position (left) to scan primary flight instruments while applying left control
wheel deflection to counteract roll without control reconfiguration

The reconfiguration status of the ANDI algorithm for a sudden rudder hardover, as presented
to the pilot, is illustrated in Figures 17.11(c) and 17.11(d). Following the failure,
lateral and directional control is allocated to the ailerons and spoilers providing roll
and yaw compensation, while any longitudinal trim offsets due to the failure are compensated
by the elevators. In fig. 17.10(d), the faulty rudder behavior illustrates the aerodynamic
blowdown effect which is taken into account in the RECOVER simulation model. As a result,
the maximum rudder deflection is slightly below 15° for an airspeed around 270 knots, and
even close to 25° (the physical maximum deflection limit imposed by the rudder control
system structure) for an airspeed of 165 knots.
Based upon these simulation runs, handling qualities as well as pilot workload have been
analysed, as is shown next. Simulations have shown that the stabilizer runaway was the
least challenging from a pilot point of view, as explained earlier. Therefore, the
subsequent discussions focus primarily on engine separation and rudder hardover, since
these are the most interesting scenarios from a pilot point of view.

17.4.2 Handling Qualities Analysis Results: CH Ratings


The experiment pilots were asked to rate both the baseline aircraft with the
hydro-mechanical control system configuration and the fly-by-wire ANDI reconfigurable
control laws using the Cooper-Harper handling qualities rating scale, see Appendix 2 in
Chapter 16. Both the rudder runaway scenario and Flight 1862 engine separation scenario
were rated. As a comparison basis, the classical flight control system and fly-by-wire
ANDI control algorithms were rated for the nominal flight conditions (no failure modes).
This also provided the opportunity to familiarise the pilots with the different baseline
control strategies.

Fig. 17.6 Piloted simulation showing separated right-wing engines and loss of lateral
control due to overbank tendency without control reconfiguration and automatic
stabilisation (flight animation by Rassimtech AVDS)
(a) Aircraft intercepting localiser
(b) Aircraft capturing localiser
(c) Aircraft overbanking to the right. Full aileron and rudder applied to compensate roll
(d) Loss of lateral control

The handling qualities analysis results are illustrated in Figures 17.12 and 17.13. For
all evaluation tasks, pilot handling qualities ratings were provided for both longitudinal
and lateral task performance. For the evaluated control algorithm, the piloted evaluation
tasks included altitude capture, bank angle acquisition and localizer capture up to the
intercept of the glideslope. The bank angle capture task was subdivided into an evaluation
of left and right bank acquisition capabilities to account for asymmetric failure modes.
Figures 17.12 and 17.13 show the individual ratings, horizontally separated as classical
(left) and fault tolerant (right), and from top to bottom the tasks altitude capture, left
bank capture, right bank capture and localizer intercept respectively.

Fig. 17.7 Piloted simulator demonstration of approach and landing after separation of both
right-wing engines using fly-by-wire ANDI control reconfiguration (courtesy of RTL4
Television, The Netherlands)

Fig. 17.8 Comparison of a selection of aircraft states for the rudder runaway scenario
[Plots against time [s], classic versus FTFC: pitch [rad], angle of attack [rad], flight
path angle [rad], roll angle [rad], altitude [m], heading [rad], angle of sideslip [rad],
true airspeed [m/s]]

The experiment results show that both the baseline (classical) and fly-by-wire ANDI
(FBW-ANDI) aircraft configurations were rated Level 1 (Rating 1-3) by most pilots for the
unfailed condition. This provides a comparison basis when analysing pilot performance in
degraded conditions for the different flight control system configurations. The trends of
the pilot ratings for the ANDI reconfigurable control algorithm show that, especially for
the Flight 1862 engine separation scenario, conventional flight control was restored up to
acceptable handling qualities levels (upper Level 1) following a failure. In these
conditions, no significant task performance degradations occurred as compared to the
unfailed fly-by-wire aircraft, while physical and mental workload was reduced as indicated
by an analysis of the aggregated control forces and pilot comments. After incurring
significant damage due to the loss of the right-wing engines, the pilot ratings for the
conventional aircraft with classical control system clearly show that in all conditions,
above the minimum control speed, Level 2 handling qualities existed. The reconfigured
aircraft (FBW-ANDI) is able to improve the handling qualities back towards the upper
Level 1 region. This was substantiated by the measured pilot control activities,
representative of workload, indicating no sustained pilot compensation after control
reconfiguration.

Fig. 17.9 Comparison of a selection of aircraft states for the engine separation scenario
[Plots against time [s], classic versus FTFC: pitch [rad], angle of attack [rad], flight
path angle [rad], roll angle [rad], altitude [m], heading [rad], angle of sideslip [rad],
true airspeed [m/s]]

Fig. 17.10 Time histories of the control surface deflections involved in the different
scenarios which were flown manually
(a) unfailed
(b) stabilizer runaway
(c) engine separation scenario
(d) rudder runaway
[Plots against time [s] of aileron [deg], elevator [deg] (elevator and stabilizer [deg] in
one panel) and rudder [deg]; legend: classic, classic failure, FTFC, FTFC failure]

Fig. 17.11 Engine indicating and crew alerting system (EICAS) display providing control
reconfiguration status of ANDI control algorithm
(a) EICAS display before failure
(b) EICAS display showing control surface reconfiguration after separation of right-wing
engines
(c) EICAS display before failure
(d) EICAS display showing control surface reconfiguration after rudder hardover to
blowdown limit

The rudder hardover scenario appears to be more critical from a handling qualities
perspective. As with the Flight 1862 case, Level 2 handling qualities were obtained in
most conditions for the classical control system. However, the lateral control tasks were
observed to induce severely coupled longitudinal and lateral dynamics, resulting in further
degradation of the handling qualities to Level 3. For the reconfigured aircraft, the
handling qualities ratings remain about Level 2 after control reconfiguration despite no
required sustained control inputs by the pilot. Most likely, the main reason for the
inferior rating is that the fault tolerant controller is a rate controller: it minimizes
disturbances in angular rates, but not the disturbed angle itself. As a consequence, rudder
hardover results in a yaw rate to the left which is eliminated by the controller, but the
heading angle change built up meanwhile is not eliminated automatically, and is left to the
pilot to compensate. Later on in this chapter, a solution will be proposed for this problem.

17.4.3 Pilot Workload Analysis Results


Handling quality ratings are only one means to evaluate the performance of a flight
control system, and despite use of the Cooper Harper Rating Scale, they still involve
some pilot subjectivity, although this is eliminated as much as possible. On the other
hand, there is the quantifiable pilot workload analysis. This subsection focuses on
the latter part of the study.
Specific metrics exist in order to analyse the specific workload properties of a flight
control system, excluding possible secondary influences, like the control loading system
characteristics, as described in Chapter 16. The workload of the pilot while controlling
the aircraft can be divided into physical workload and compensatory workload. Especially
during failure conditions, the pilot may be required to apply prolonged control inputs to
maintain controllability of the damaged aircraft. For the Flight 1862 scenario, for
instance, the asymmetric aircraft configuration caused by the separation of both right-wing
engines and subsequent damage to the right wing requires sustained large control wheel
deflections and the application of full rudder pedal throughout the flight. It is clear
that in these conditions the physical effort exerted by the pilot to maintain control of
the aircraft can be significant and fatiguing. To maintain stability of the (damaged)
aircraft, the pilot is required to apply compensatory workload by making constant
adjustments to achieve task objectives (e.g. capturing a heading). The quantities studied
here allow a distinctive analysis of physical workload and compensatory workload. The
former is represented by average force and root mean square of the pilot control
deflections, as illustrated in section 17.4.3.1. The latter can be observed by analysing
the root mean square of the pilot control deflection rates or the pilot control power, as
done in section 17.4.3.2.
These pilot workload figures have been calculated for two different phases, namely the
specific part of the localizer intercept phase (left), which is defined as the time span
between the triggering of the LOC valid flag and the GS valid flag, and secondarily the
total simulation run (right). For the latter, the time span is defined as follows. Unfailed
situations are considered from start to end of the simulation run. Scenarios including
failures are restricted to the time span after the failure till the end. The localizer
intercept phase work levels are comparable, since the time intervals are almost identical,
thanks to the well-defined start and end points and the prescribed airspeed and trajectory.
However, for the total simulation run, there are considerable variations in the time span
from beginning till end, as can be seen in figures 17.3 and 17.10, which makes the absolute
workload values not comparable. Therefore, average workload levels have been calculated for
the total simulation run. In each graph, a distinction is made between roll, pitch and yaw
channel, as illustrated by the three graphs separated vertically. In each control channel,
six cases have been studied, namely unfailed, engine separation and rudder runaway, each
time with classical and fault tolerant control. In each case, the workload figure of each
of the five pilots is represented individually by means of bar plots, after which the mean
and standard deviations are superimposed on these bar plots for every case, in order to
facilitate mutual comparisons. Note that no data are available for pilot 1 in the localizer
intercept phase for the engine separation failure with fault tolerant controller; this is
because the safe flight envelope boundary has been exceeded before the GS valid flag was
raised, leading to unreliable results since they are not representative.

Fig. 17.12 Pilot longitudinal handling qualities ratings of classical and FTFC flight
control system configurations for the different aircraft failure scenarios.
[Panels, Classical (left) and FBW (right): Altitude Capture Task, Left Bank Capture Task,
Right Bank Capture Task, Localiser Capture Task; Longitudinal HQR for the cases No Fail,
Rudder, Engine]

Fig. 17.13 Pilot lateral handling qualities ratings of classical and FTFC flight control
system configurations for the different aircraft failure scenarios.
[Panels, Classical (left) and FBW (right): Altitude Capture Task, Left Bank Capture Task,
Right Bank Capture Task, Localiser Capture Task; Lateral HQR for the cases No Fail,
Rudder, Engine]

17.4.3.1 Physical Workload


The physical workload quantifies the physical effort a pilot has to exert in order to
accomplish the requested mission profile. This workload can be represented in the
first place by the aggregate of the applied control force (wheel, column and pedal)
or the average value of the absolute forces. Alternatively, the root mean square of
the pilot control deflections can be used, which is calculated as follows:

$$\mathrm{RMS}_{defl} = \frac{\|\delta_{ctrl}\|_2}{\sqrt{n}} \qquad (17.4)$$

where δctrl is the pilot control deflection under consideration and n is the length
of the recorded data sample. Note that both measures are set up in such a way
that variations in data sample lengths are automatically taken into account, which
is important for the total simulation run data. Figures 17.14 and 17.15 illustrate
the physical workload analysis results in the presentation as was introduced earlier.
Figure 17.14 depicts the average pilot forces, and figure 17.15 portrays the root
mean square of the pilot control deflections.
Both figures lead to the same observations regarding the measured physical workload during
the experiment. The unfailed conditions confirm that this is a sound comparison basis
between classic and FTFC, since both have the same ratings. Significant physical workload
can be seen for the different failure scenarios to maintain control of the damaged
aircraft. Especially for the Flight 1862 engine separation scenario, the data shows that
for the complete duration of the flight and during the individual tasks, compensation of
the failure was required in all control axes (roll, pitch and yaw). For the rudder hardover
scenario, compensation is especially apparent in the roll channel, while the other channels
require less compensation. For the reconfigured aircraft, utilising the ANDI control
algorithms, the control forces are reduced significantly, indicating that use of the pilot
controls was decreased. Additionally, the data shows more consistency amongst the pilots in
most cases for the FTFC configuration, as represented by the standard deviations in the
graphs. Only the applied rudder pedal force for the FTFC engine separation case is an
exception to this trend, but it can be seen that this is caused by test pilot 2, who
exhibits significantly higher and above-average control behavior as compared to the other
subjects. This was partly based on a misunderstanding of the pilot regarding the
implemented control strategy of the controller in which the pedals directly command
sideslip angle. For the rudder hardover scenario, the data shows that almost all pilots had
a natural tendency to react to the failure by applying rudder pedal despite being briefed
that rudder was not available. The minimum overlap of the errorbars of workload, for the
limited number of subjects, between the classical and ANDI control system confirms that the
observed trends are significant.

Fig. 17.14 Total average pilot force during localizer intercept phase (left) and during
complete simulation run (right)
(a) localizer intercept phase
(b) complete simulation run
[Bar plots of roll force [Nm], pitch force [Nm] and yaw force [N] for pilots 1 to 5 and
the mean; cases: no failure, engine separation, rudder runaway, each classic and FTFC]

Fig. 17.15 Root mean square of pilot control deflections during localizer intercept phase
(left) and during complete simulation run (right)
(a) localizer intercept phase
(b) complete simulation run
[Bar plots of RMS roll, RMS pitch and RMS yaw for pilots 1 to 5 and the mean; cases: no
failure, engine separation, rudder runaway, each classic and FTFC]

Fig. 17.16 Root mean square of pilot control deflection rates during localizer intercept
phase (left) and during complete simulation run (right)
(a) localizer intercept phase
(b) complete simulation run
[Bar plots of RMS roll rate, RMS pitch rate and RMS yaw rate for pilots 1 to 5 and the
mean; cases: no failure, engine separation, rudder runaway, each classic and FTFC]
Summarizing, it can be stated that average absolute force as well as pilot control
deflections RMS confirm that the FTFC reduces the physical workload considerably,
compared to classical control.

17.4.3.2 Compensatory Workload: RMS of Pilot Control Deflections


The compensatory workload is an indication of the correcting or stabilizing efforts
applied by the pilot. The most frequently used variable to quantify this type of workload
is the root mean square of the pilot control deflection rates. These are presented in
fig. 17.16.
These results show no decisive confirmation about any changes in the workload. This can be
partly explained by the nature of the experiment. In order to be able to draw the right
conclusions about the compensatory workload based upon the RMS of the deflection rates, one
needs to make the test pilots feel familiar with the system. The lack of training in these
specific experiments and the absence of repetitions cause a lot of spread in the data, as
can be seen in the relatively large standard deviations in fig. 17.16. Each pilot was still
in the process of determining his control strategy, which differs from pilot to pilot. With
enough experience, after sufficient repetitions, these control strategies would converge
again. However, including more training for the pilots conflicts with the setup of the
experiment, which is to confront the pilots with failures they are unfamiliar with.
An alternative method to represent compensatory workload is the power level
required by the pilot to control and stabilise the aircraft. The pilot power takes into
account both the applied physical control forces and compensating deflection rates.
For the total simulation run, the power level is again averaged over the time interval
and has been calculated as follows:

$$P = \int_{t=t_0}^{t_{end}} F(t) \cdot \frac{d\,\delta_{ctrl}(t)}{dt}\, dt \qquad (17.5)$$

$$P_{av} = \frac{1}{T_{tot}} \int_{t=t_0}^{t_{end}} F(t) \cdot \frac{d\,\delta_{ctrl}(t)}{dt}\, dt \qquad (17.6)$$

These power values are depicted in fig. 17.17.
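
The workload measures of eqs. (17.4) to (17.6) can be evaluated on a sampled simulator log as in the following added example, which is not code from the chapter or from the SIMONA campaign. The function names, the constructed log, central-difference differentiation and trapezoidal integration are assumptions of this illustration.

```python
"""Workload metrics of eqs. (17.4)-(17.6) evaluated on a sampled simulator log.

Added illustration: all names and the sample log below are constructed here.
"""
from math import sqrt


def rising_edge(t, flag):
    """Time at which a boolean flag (LOC valid, GS valid) is first set, else None."""
    return next((ti for ti, f in zip(t, flag) if f), None)


def localizer_phase(t, loc_valid, gs_valid):
    """Localizer intercept phase: from LOC valid flag to GS valid flag.

    Returns None when GS valid is never raised, so that such a run yields no
    data for this phase instead of an unrepresentative number.
    """
    t_loc, t_gs = rising_edge(t, loc_valid), rising_edge(t, gs_valid)
    if t_loc is None or t_gs is None or t_gs <= t_loc:
        return None
    return t_loc, t_gs


def total_run_phase(t, failure_time=None):
    """Whole run when unfailed, otherwise from failure insertion till the end."""
    return (t[0] if failure_time is None else failure_time), t[-1]


def rms(x):
    """||x||_2 / sqrt(n), the form of eq. (17.4)."""
    return sqrt(sum(v * v for v in x)) / sqrt(len(x))


def derivative(t, x):
    """Central differences, one-sided at both ends (assumed scheme)."""
    last = len(x) - 1
    out = []
    for i in range(len(x)):
        lo, hi = max(i - 1, 0), min(i + 1, last)
        out.append((x[hi] - x[lo]) / (t[hi] - t[lo]))
    return out


def trapz(t, y):
    """Trapezoidal integral of y over t."""
    return sum(0.5 * (y[i] + y[i + 1]) * (t[i + 1] - t[i]) for i in range(len(y) - 1))


def workload(t, force, deflection, phase):
    """Physical and compensatory workload of one control channel over one phase."""
    t0, t_end = phase
    idx = [i for i, ti in enumerate(t) if t0 <= ti <= t_end]
    if len(idx) < 2:
        raise ValueError("phase contains fewer than two samples")
    tw = [t[i] for i in idx]
    fw = [force[i] for i in idx]
    dw = [deflection[i] for i in idx]
    rate = derivative(tw, dw)
    # Signed integrand, exactly as eq. (17.5) reads.
    power = trapz(tw, [f * r for f, r in zip(fw, rate)])
    return {
        "avg_abs_force": sum(abs(f) for f in fw) / len(fw),  # physical workload
        "rms_deflection": rms(dw),                           # eq. (17.4)
        "rms_deflection_rate": rms(rate),                    # compensatory workload
        "power": power,                                      # eq. (17.5)
        "avg_power": power / (tw[-1] - tw[0]),               # eq. (17.6), T_tot = window length
    }


def constructed_log():
    """Constructed 2 Hz log of one channel: failure at t = 10 s, the pilot ramps the
    control to 0.2 over 10 s and then holds it; force is taken as 100 * deflection."""
    t = [0.5 * i for i in range(81)]
    deflection = [min(max(0.02 * (ti - 10.0), 0.0), 0.2) for ti in t]
    force = [100.0 * d for d in deflection]
    loc_valid = [ti >= 20.0 for ti in t]
    gs_valid = [ti >= 30.0 for ti in t]
    return t, force, deflection, loc_valid, gs_valid


if __name__ == "__main__":
    t, force, deflection, loc, gs = constructed_log()
    print("localizer phase:", workload(t, force, deflection, localizer_phase(t, loc, gs)))
    print("after failure  :", workload(t, force, deflection, total_run_phase(t, 10.0)))
```

On this constructed log the localizer intercept phase shows a sustained force with zero deflection rate, that is, physical workload without compensatory workload, which is the distinction the two groups of metrics are meant to expose.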


Although not as decisive as for the physical workload, the trends are still clear. The
unfailed conditions confirm that this is a good comparison basis between classic and FTFC,
since both have the same ratings. Taking into account the different behavior of pilot
no. 2, causing a higher spread in the data, the workload shows more consensus between the
subjects. The yaw power values should ideally be zero in the rudder failure case, since
the pedals have no effective use. As a matter of fact, the pilots still had the natural
intuitive tendency to use the pedals to compensate for the disturbance. Some pilots
realized this fact after a while, others were aware of it from the start. As a
consequence, some yaw power values are zero where others are nonzero but still relatively
small.
In summary, there are indications that the pilot’s compensatory workload is also made
easier by the fault tolerant control, although these indications may not be as decisive as
for his physical workload. It should be noted that this manual FTFC algorithm has not yet
been fully optimized for HQ ratings. This is partly the reason for these less clear
observations. As a final remark, it can be noted that all workload assessment figures
confirm a clear improvement in both types of pilot workload increase for the rudder runaway
scenario, although this is not clear from the pilot’s appreciation through the Cooper
Harper Handling Qualities assessment. It is believed that this is caused by the somewhat
unnatural and disturbing attitude of the aircraft post-failure, including non-zero bank and
sideslip angle. Most likely, the reason for the lower rating is that the fault tolerant
controller is a rate controller: it minimizes disturbed angular rates, but not the
disturbed angle itself. A possible solution for this is the implementation of a rate
control attitude hold algorithm, as shown in fig. 17.18. The beneficial effect of this
feature can possibly be tested in a new campaign.

Fig. 17.17 Average pilot power during localizer intercept phase (left) and during complete
simulation run (right)
(a) localizer intercept phase
(b) complete simulation run
[Bar plots of roll, pitch and yaw power [W] (left) and average roll, pitch and yaw power
[W] (right) for pilots 1 to 5 and the mean; cases: no failure, engine separation, rudder
runaway, each classic and FTFC]

Fig. 17.18 Input structure setup for a rate control attitude hold controller

17.5 Conclusions
As part of an experimental campaign in the SIMONA Research Simulator, the manually operated
Adaptive Nonlinear Dynamic Inversion (ANDI) based controller using Online Physical Model
Identification was evaluated for a damaged aircraft during a piloted simulator assessment.
The scenarios for the evaluation were selected based on their criticality to the operation
of the aircraft and available flight data for the validation of the damaged aircraft
dynamics.
The experiment results show that the controller is successful in recovering the ability to
control damaged aircraft after incurring a physical loss of two right-wing engines or a
sudden hardover of the rudder. Simulation results have shown that the handling qualities of
the fault tolerant controller degrade less for most failures, indicating improved task
performance. Moreover, it has been found that the average increase in workload after
failure is considerably reduced for the fault tolerant controller, compared to the
classical controller. The data shows more consistency amongst the pilots in most cases for
the FTFC configuration. These observations apply for physical as well as compensatory
(mental) workload.
For the rudder runaway scenario, physical workload was reduced with the ANDI
reconfiguration algorithm, but the lack of a rate control/attitude hold control scheme
caused a negative effect on aircraft handling. To allow a fully automatic reconfiguration
of failure modes that affect the lateral control axes, the fault tolerant flight control
laws should include a rate control/attitude hold control scheme.
Analysis of the control surface deflections has shown that their behavior is similar for
both the conventional hydro-mechanical control system and FTFC control laws. The major
difference is that in the latter situation these commands do not come from the pilot
directly. This is the clear advantage of the physical approach which has been followed in
this method. Future research in control allocation schemes for the ANDI control algorithm
will optimize the balance between the use of the different control surfaces.
Due to the automatic failure recovery and stabilisation capabilities of reconfigurable
control, it is expected that the pilot is able to land the aircraft sooner due to the
reduction of the time consuming learning phase for the pilot to understand the new basic
principles of the damaged aircraft’s flying characteristics. Although control
reconfiguration can utilise the control effectors in an optimal manner for stabilisation,
the experiment has shown that information regarding the safe flight envelope should be an
integral part of a fault tolerant flight control scheme to assist the pilot in controlling
the aircraft.
For both the Flight 1862 and rudder hardover case, as part of the scenarios surveyed in
this research, the pilots demonstrated the ability to fly the damaged aircraft, following
control reconfiguration, back to the airport and conduct a survivable approach and landing.

References
1. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: AE3-302 Flight
Dynamics, Lecture Notes. Delft University of Technology, Faculty of Aerospace
Engineering, Delft, The Netherlands, January 25 (2006)
2. Brinker, J.S., Wise, K.A.: Flight testing of reconfigurable control law on the X-36 tailless
aircraft. Guidance, Control and Dynamics 24(5), 903–909 (2001)
3. Ganguli, S., Papageorgiou, G., van der Vaart, J.C., Elgersma, M.: Piloted Simulation of
Fault Detection, Isolation and Reconfiguration Algorithms for a Civil Transport Aircraft.
In: AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA-2005-5936,
San Francisco, CA (August 2005)
Chapter 18
Model Reference Sliding Mode FTC with
SIMONA Simulator Evaluation: EL AL Flight
1862 Bijlmermeer Incident Scenario

Halim Alwi, Christopher Edwards, Olaf Stroosma, and Jan Albert (Bob) Mulder

Halim Alwi
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: ha18@le.ac.uk
Christopher Edwards
Control and Instrumentation Research Group, Department of Engineering,
University of Leicester, University Road, Leicester, LE1 7RH, UK
e-mail: chris.edwards@le.ac.uk
Olaf Stroosma
Faculty of Aerospace Engineering, P.O. Box 5058, 2600 GB Delft, The Netherlands
e-mail: O.Stroosma@tudelft.nl
Jan Albert (Bob) Mulder
Faculty of Aerospace Engineering, P.O. Box 5058, 2600 GB Delft, The Netherlands
e-mail: j.a.mulder@tudelft.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 501–517.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

18.1 Introduction
This chapter presents flight simulator results obtained by experienced pilots based
on the EL AL flight 1862 (Bijlmermeer incident) scenario. The results in this chapter
are the outcome of a controller evaluation flight testing campaign and the GARTEUR
AG16 final workshop at Delft University in November 2007. The results
represent the successful real time implementation of a SMC controller
on the SIMONA 6-DOF flight simulator.
The EL AL flight 1862 incident represents a challenging scenario for any fault
tolerant control strategy. In this chapter, it will be assumed that the controller has
no knowledge of the failure and damage to the airframe, and that there is no FDI or
fault estimation available.
The controller that has been used is a model reference sliding mode controller
– an alternative to the integral action sliding mode controller proposed in Chapter
8. Here, since it is assumed that the controller has no knowledge of the failure and
the damage to the airframe, fixed control allocation will be used. In this situation,
there is no control signal redistribution to the healthy control surfaces. Instead, the
fixed and equally distributed control allocation scheme is sufficient to access the
remaining available control surfaces and ‘passively’ control the aircraft while ensuring
stability and some nominal performance.
An outer loop ILS (inertial landing system) PID scheme described in Chapter 8 is
also used in this chapter in order to provide an outer loop command (roll and flight
path demand) to guide the aircraft to capture the localizer (LOC) and glide slope
(GS), as in a typical landing procedure.

18.2 A Model Reference Sliding Mode Control Allocation Scheme
This chapter considers a situation where a fault associated with the actuators
develops in a system. As in Chapter 8, it will be assumed that the system subject to
actuator faults or failures can be written as

$$\dot{x}(t) = Ax(t) + Bu(t) - BK(t)u(t) \tag{18.1}$$

where $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$ and the entries of
$K(t) := \mathrm{diag}(k_1(t), \ldots, k_m(t))$ are the effectiveness gains. In most control
allocation (CA) strategies, the control signal is distributed
equally among all the actuators [8, 9, 28] or distributed based on the limits (position
and rate) of the actuators [5]. In Chapter 8, information about $K(t)$ has been incorporated
into the allocation algorithm through a weighting matrix $W$, so that the control
is redistributed to the remaining healthy actuators when faults/failures occur. In this
chapter, the CA strategy is based on the widely used approaches from the literature;
i.e. fixed and equal distribution of the control signals. This is motivated by the fact
that the information about $K(t)$ in (18.1) is not always available and mirrors what
happened during the EL AL flight 1862 scenario.
As in Chapter 8, assume that the system states can be reordered, and the input
distribution matrix $B$ from (18.1) can be partitioned as:

$$B = \begin{bmatrix} B_1 \\ B_2 \end{bmatrix} \tag{18.2}$$

where $B_1 \in \mathbb{R}^{(n-l) \times m}$ and $B_2 \in \mathbb{R}^{l \times m}$ has rank $l < m$.

It will be assumed without loss of generality that the states of the system in (18.1)
have been transformed so that $B_2 B_2^T = I_l$ and therefore $\|B_2\| = 1$. Let the ‘virtual
control’ be given by

$$\nu(t) := B_2 u(t) \tag{18.3}$$

Since $B_2 B_2^T = I_l$, it follows

$$u(t) = B_2^{\dagger} \nu(t) \tag{18.4}$$

where the right pseudo inverse is chosen as

$$B_2^{\dagger} := B_2^T \tag{18.5}$$

It can be shown that the pseudo-inverse in (18.5) arises from the optimization
problem

$$\min_{u} \|u\|^2 \quad \text{subject to} \quad B_2 u = \nu \tag{18.6}$$

In terms of the stability analysis which follows, the effect of the exogenous
disturbance d(t) from (18.1) is ignored. Clearly this external signal does not formally
affect the stability or otherwise of the closed-loop system associated with (18.1) –
although of course it affects the closed-loop performance of the system. In the real
system, it will directly affect the trim points and flight envelope of the damaged
aircraft.
The development which follows is similar in spirit to Chapter 8 but is different
in detail because of the model reference setting. Using (18.4) and (18.5), it can be
shown that (18.1) can be written as

$$\dot{x}(t) = Ax(t) + BB_2^T \nu(t) - BKB_2^T \nu(t) \tag{18.7}$$

In the fault free case $K = 0$ and $BKB_2^T$ in (18.7) is zero. Consider a reference model
defined as

$$\dot{w}(t) = A_m w(t) + B_m y_d(t) \tag{18.8}$$

where $y_d(t)$ is the reference signal and $A_m \in \mathbb{R}^{n \times n}$, $B_m \in \mathbb{R}^{n \times l}$ with $A_m$ stable.
Define

$$e(t) = x(t) - w(t) \tag{18.9}$$

and therefore from (18.7) and (18.8) the error system is

$$\dot{e}(t) = Ae(t) + (A - A_m)w(t) + BB_2^T \nu(t) - BKB_2^T \nu(t) - B_m y_d(t) \tag{18.10}$$

Suppose the reference model matrices $A_m$ and $B_m$ are given by

$$A_m = A + BB_2^T F, \qquad B_m = BB_2^T G \tag{18.11}$$

and define a feed–forward signal

$$\nu_m(t) := Fw(t) + Gy_d(t) \tag{18.12}$$

The matrices $A_m$ and $B_m$ represent the reference model which defines the required
system performance. The control objective is to minimize the error between the
reference model and the ‘virtual’ controlled plant $(A, BB_2^T)$ in (18.7). The matrices
$F$ and $G$ represent the feedback and feed–forward terms which define the reference
model. Sliding mode control (SMC) techniques [10, 4] will now be used to
synthesize $\nu(t)$. As in Chapter 8, the so–called switching function $s : \mathbb{R}^n \to \mathbb{R}^l$
is defined to be

$$\sigma(t) = Se(t) \tag{18.13}$$

where the design parameter $S \in \mathbb{R}^{l \times n}$ and $\det(SBB_2^T) \neq 0$ by construction. Let $\mathcal{S}$ be
the hyperplane defined by

$$\mathcal{S} = \{ e(t) \in \mathbb{R}^n : Se(t) = 0 \}$$

The sliding surface will be designed based on the nominal no fault condition ($K = 0$).
Using (18.11), equation (18.10) can be rewritten as

$$\dot{e}(t) = Ae(t) - BKB_2^T \nu(t) + BB_2^T \big( \nu(t) \underbrace{- Fw(t) - Gy_d(t)}_{-\nu_m(t)} \big) \tag{18.14}$$

After a coordinate transformation of the error states $e \mapsto T_r e(t) = \hat{e}(t)$ where $T_r$ is
defined in Chapter 8, it is easy to check that equation (18.14) becomes:

$$\dot{\hat{e}}(t) = \underbrace{\begin{bmatrix} \hat{A}_{11} & \hat{A}_{12} \\ \hat{A}_{21} & \hat{A}_{22} \end{bmatrix}}_{\hat{A}} \hat{e}(t) + \underbrace{\begin{bmatrix} 0 \\ I \end{bmatrix}}_{\hat{B}_\nu} \big( \nu(t) - \nu_m(t) \big) - \begin{bmatrix} -B_1 B_2^N (I - K) B_2^T \\ I - B_2 (I - K) B_2^T \end{bmatrix} \nu(t) \tag{18.15}$$

where

$$B_2^N := (I - B_2^T B_2) \tag{18.16}$$

Therefore, the last term in (18.15) is zero in a fault free case ($K = 0$), but is treated
as (unmatched) uncertainty when $K \neq 0$. Define

$$W := I - K \tag{18.17}$$

and write

$$B_2^+ := W B_2^T (B_2 W B_2^T)^{-1} \tag{18.18}$$

As argued in Chapter 8, there exists a scalar $\gamma_0$ which is finite and independent of $W$
such that

$$\|B_2^+\| < \gamma_0 \tag{18.19}$$

for all $W = \mathrm{diag}(w_1 \ldots w_m)$ such that $0 < w_i \le 1$.
In the $\hat{e}(t)$ coordinates, choose

$$\hat{S} = S T_r^{-1} = \begin{bmatrix} M & I \end{bmatrix} \tag{18.20}$$

where $M \in \mathbb{R}^{l \times (n-l)}$ represents design freedom [4]. The reduced order system which
governs the sliding motion is

$$\dot{\hat{e}}_1(t) = \big( \tilde{A}_{11} - B_1 B_2^N B_2^+ (I + M B_1 B_2^N B_2^+)^{-1} \tilde{A}_{21} \big) \hat{e}_1(t) + B_1 B_2^N B_2^+ (I + M B_1 B_2^N B_2^+)^{-1} \nu_m(t) \tag{18.21}$$

where $\tilde{A}_{11} := \hat{A}_{11} - \hat{A}_{12} M$ and $\tilde{A}_{21} := M \tilde{A}_{11} + \hat{A}_{21} - \hat{A}_{22} M$. When $W = I$ (fault free
situation), $B_2^+ |_{W=I} = B_2^T$ and the system in (18.21) ‘collapses’ to $\dot{\hat{e}}_1(t) = \tilde{A}_{11} \hat{e}_1(t)$
which is the nominal sliding mode reduced order system for which $M$ has been
designed to guarantee stability. However, during fault/failure conditions stability of
the system in (18.21) (which depends on $W$ through $B_2^+$) needs to be established. If

$$\tilde{G}(s) := -\tilde{A}_{21} (sI - \tilde{A}_{11})^{-1} B_1 B_2^N \tag{18.22}$$

where

$$\gamma_2 = \|\tilde{G}(s)\|_\infty \tag{18.23}$$

and

$$\gamma_1 := \|M B_1 B_2^N\| \tag{18.24}$$

then as proven in [2], during a fault or failure condition, for any combination of
$0 < w_i \le 1$, the closed-loop system (18.21) will be stable if

$$0 \le \frac{\gamma_2 \gamma_0}{1 - \gamma_1 \gamma_0} < 1 \tag{18.25}$$

where the positive scalar $\gamma_0$ is defined in (18.19).


The control law is given by

$$\nu(t) = \nu_l(t) + \nu_n(t) \tag{18.26}$$

where

$$\nu_l(t) := -\tilde{A}_{21} \hat{e}_1(t) - \tilde{A}_{22} \sigma(t) + \nu_m(t) \tag{18.27}$$

and $\tilde{A}_{22} = M \hat{A}_{12} + \hat{A}_{22}$. The nonlinear component is defined to be

$$\nu_n(t) := -\big( \rho(t) + \eta \big) \frac{\sigma(t)}{\|\sigma(t)\|} \quad \text{for } \sigma(t) \neq 0 \tag{18.28}$$

where $\eta$ is a positive scalar.

It follows that the actual control which is sent to the actuators is resolved from the
‘virtual control law’ $\nu(t)$ (from (18.27)-(18.28)), using (18.4) and (18.5). Therefore
$u(t)$ is defined as

$$u(t) = B_2^T \nu(t)$$

In a fault free situation it is not necessary and indeed is not advisable to have a
large gain on the switched term – therefore ideally the term $\rho(t)$ should adapt to the
onset of a fault and react accordingly. It is easy to see from (18.27) that, if $y_d(t)$ is
bounded, $\nu_l(t)$ is bounded by

$$\|\nu_l(t)\| < l_1 \|e(t)\| + l_2 \tag{18.29}$$

where $l_1$ and $l_2$ are known positive constants. The gain from (18.28) is defined to be

$$\rho(t) = r(t) \big( l_1 \|e(t)\| + l_2 \big) \tag{18.30}$$


The scalar variable $r(t)$ is an adaptive gain which varies according to

$$\dot{r}(t) = a \big( l_1 \|e(t)\| + l_2 \big) D_\varepsilon(\|\sigma(t)\|) - b\, r(t) \tag{18.31}$$

where $r(0) = 0$ and $a$ and $b$ are positive design constants. The function $D_\varepsilon : \mathbb{R} \to \mathbb{R}$
is the nonlinear function

$$D_\varepsilon(s) = \begin{cases} 0 & \text{if } |s| < \varepsilon \\ s & \text{otherwise} \end{cases} \tag{18.32}$$

where $\varepsilon$ is a positive scalar. Here, $\varepsilon$ is fixed to be small and helps define a boundary
layer about the surface $\mathcal{S}$, inside which an acceptably close approximation to ideal
sliding takes place. Provided the states evolve with time inside the boundary layer,
no adaptation of the switching gains takes place. If a fault occurs, which starts to
make the sliding motion degrade so that the states evolve outside the boundary layer
i.e. $\|\sigma(t)\| > \varepsilon$, then the dynamic coefficients $r(t)$ increase in magnitude (according
to (18.31)), to force the states back into the boundary layer around the sliding surface.
The choice of the design parameters $\eta$, $a$, $b$ and $\varepsilon$ depends on the closed-loop
performance specifications and requires some design iteration. The choice of these
design parameters will be discussed further in Section 18.3. The proposition and
proof that $r(t)$ is bounded and motion inside a boundary layer around $\mathcal{S}$ is obtained
is given in [1].

18.3 Controller Design


The main objective of the controller design is to bring the damaged EL AL 1862
aircraft to a near landing condition on Runway 27 at Schiphol airport (through a
proper landing approach using localizer (LOC) and glide slope (GS) capture
procedures if possible). It is assumed that no FDI or fault reconstruction scheme is
available to replicate the actual EL AL 1862 scenario – indeed the flight crew were
even unaware that engine no. 3 and 4 were detached from the right wing.
A linearization of the nominal aircraft has been obtained around an operating
condition of 263,000 kg, 92.6 m/s true airspeed, and an altitude of 600 m at 25.6%
of maximum thrust and at a 20 deg flap position. The state-space system pairs
representing the lateral and longitudinal systems about the trim condition can be found
in Chapter 8. The states are $x_{lat} = [p\ r\ \beta\ \phi]^T$ and $x_{long} = [q\ V_{tas}\ \alpha\ \theta]^T$. The lateral
control surfaces are

$$\delta_{lat} = [\delta_{air}\ \delta_{ail}\ \delta_{aor}\ \delta_{aol}\ \delta_{sp1-4}\ \delta_{sp5}\ \delta_{sp8}\ \delta_{sp9-12}\ \delta_{r}\ e_{1lat}\ e_{2lat}\ e_{3lat}\ e_{4lat}]^T$$

while the longitudinal control surfaces are $\delta_{long} = [\delta_e\ \delta_s\ e_{1long}\ e_{2long}\ e_{3long}\ e_{4long}]^T$.
The controlled outputs are $\phi$ and $\beta$ for lateral control and flight path angle (FPA)
and $V_{tas}$ for longitudinal control. These linear models of the nominal (damage free)
aircraft have been used to design the control schemes which will be described in the
next sections.

18.3.1 Lateral Controller Design


The feedback matrices for the ideal lateral model from (18.12) have been designed
using eigenstructure assignment [6]. The eigenvalues were chosen as {−0.3500 ±
0.1500, −0.5000, −0.4000} and the desired and obtained eigenstructure are
respectively

$$\underbrace{\begin{bmatrix} * + *i & * - *i & * & 0 \\ 0 & 0 & 0 & 0 \\ * + *i & * - *i & 0 & 0 \\ 1 + *i & 1 - *i & 1 & 1 \end{bmatrix}}_{\text{desired}} \Longrightarrow \underbrace{\begin{bmatrix} 0.3195 - 0.1369i & 0.3195 + 0.1369i & 0.4498 & 0.3748 \\ -0.0000 - 0.0000i & -0.0000 + 0.0000i & -0.0430 & -0.0526 \\ 0.1619 + 0.1412i & 0.1619 - 0.1412i & 0.0182 & 0.0275 \\ -0.9127 & -0.9127 & -0.8919 & -0.9252 \end{bmatrix}}_{\text{obtained}}$$

which yields

$$F_{lat} = \begin{bmatrix} 0.5592 & -0.8808 & -0.6384 & 0.1010 \\ 0.0823 & 1.3729 & 2.5265 & -0.5851 \end{bmatrix}$$

The feed-forward matrix $G_{lat}$ has been designed using the inverse steady-state gain
for the virtual triple system $(A_{lat}, B_{\nu_{lat}}, C_{c_{lat}})$: specifically

$$G_{lat} = -\big( C_{c_{lat}} (A_{lat} + B_{\nu_{lat}} F_{lat})^{-1} B_{\nu_{lat}} \big)^{-1}$$

Here, the lateral feed-forward matrix $G_{lat}$ is given by

$$G_{lat} = \begin{bmatrix} -0.3078 & 0.0651 \\ 0.7310 & 0.3891 \end{bmatrix}$$

It will be assumed that at least one of the control surfaces for both $\phi$ and $\beta$ tracking
will be available when a fault or failure occurs (i.e. one of either the four ailerons
or the four spoilers will be available and one of either the rudder or the four engine
thrusts are available). Based on these assumptions, it can be verified from a
numerical search that $\gamma_{0_{lat}}$ from (18.19) is $\gamma_{0_{lat}} = 8.1314$.
The matrix which defines the hyperplane must now be synthesized so that the
conditions in (18.25) are satisfied. A quadratic optimal design [4] has been used to
obtain the sliding surface $S_{lat}$ which depends on the matrix $M_{lat}$ in equation (18.20)
where the symmetric positive definite state weighting matrix has been chosen as
$Q_{lat} = \mathrm{diag}(2, 2, 1, 1)$. The first and second term of $Q_{lat}$ are associated with the
equations of the angular acceleration in roll and yaw (i.e. the $B_{lat,2}$ partition) and
thus weight the virtual control term. Thus by analogy to a more typical LQR framework,
they affect the speed of response of the closed–loop system. Here, the first
and second terms of $Q_{lat}$ have been more heavily weighted compared to the last two
terms to give a reasonably fast closed–loop system response. The poles associated
with the reduced order sliding motion are {−0.7136 ± 0.0522i}, where

$$M_{lat} = \begin{bmatrix} 0.0813 & -1.9138 \\ 1.3455 & 0.1854 \end{bmatrix}$$

Based on this value of $M_{lat}$, simple calculations from (18.24) show $\gamma_{1_{lat}} = 0.0230$.
Therefore $\gamma_{0_{lat}} \gamma_{1_{lat}} = 0.1870 < 1$ and so the requirements of (18.25) are satisfied.
Also for this particular choice of sliding surface, $\|\tilde{G}_{lat}(s)\|_\infty = \gamma_{2_{lat}} = 0.0563$ from
(18.23). Therefore from (18.25),

$$\frac{\gamma_{2_{lat}} \gamma_{0_{lat}}}{1 - \gamma_{1_{lat}} \gamma_{0_{lat}}} = 0.5627 < 1$$

which shows that the closed loop system is stable for all choices of $0 < w_i \le 1$.
For implementation, the discontinuity in the nonlinear control term in (18.28)
has been smoothed by using a sigmoidal approximation where the scalar $\delta_{lat} =
0.05$. This removes the discontinuity and introduces a further degree of tuning to
accommodate the actuator rate limits – especially during actuator fault or failure
conditions.
For simplicity, the variables related to the adaptive nonlinear gain have been chosen
as $l_{1_{lat}} = 0$ and $l_{2_{lat}} = 1$. This removes the dependence of $r(t)$ on $x(t)$ and simplifies
the implementation. The parameter $\eta_{lat}$ from (18.28) was chosen as $\eta_{lat} = 1$. In
practice, a maximum limit $\rho_{max}$ for the adaptive nonlinear gain in (18.30) has been
imposed to avoid the actuators becoming too aggressive. Here, the maximum gain
was set at $\rho_{max_{lat}} = 5$. The adaptation parameters from (18.31) have been chosen as
$a_{lat} = 100$, $b_{lat} = 0.01$ and $\varepsilon_{lat} = 5 \times 10^{-2}$. The parameter $\varepsilon_{lat}$ was chosen to be able
to tolerate the variation in $\|s_{lat}(t)\|$ due to normal changes in flight conditions but
small enough to enable the adaptive gain to be sensitive enough to deviation from
zero due to faults or failures. Here $a_{lat}$ has been chosen to be large to enable small
changes in $\|s_{lat}(t)\|$ to cause significant changes in the gain, so that the control system
reacts quickly to a fault. The parameter $b_{lat}$ dictates the rate at which $\rho_{lat}(t)$
will decrease, after $\|s_{lat}(t)\|$ has returned below the threshold $\varepsilon_{lat}$.

18.3.2 Longitudinal Controller Design


As in the lateral controller, the feedback matrices for the ideal longitudinal model
from (18.12) have been designed using eigenstructure assignment [6]. The eigenvalues
were chosen as {−0.240 ± 0.170, −0.700, −0.125} and the desired and obtained
eigenstructures are

$$\underbrace{\begin{bmatrix} 0.5 + *i & 0.5 - *i & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0.5 + *i & 0.5 - *i & 0 & 0 \\ 0 & 0 & 1 & 0 \end{bmatrix}}_{\text{desired}} \Longrightarrow \underbrace{\begin{bmatrix} 0.1812 - 0.1283i & 0.1812 + 0.1283i & -0.1057 & 0.0001 \\ -0.0020 + 0.0015i & -0.0020 - 0.0015i & -0.0060 & 1.0000 \\ 0.3220 - 0.5264i & 0.3220 + 0.5264i & 0.9829 & -0.0037 \\ -0.7549 & -0.7549 & 0.1510 & -0.0012 \end{bmatrix}}_{\text{obtained}}$$

respectively which yields

$$F_{long} = \begin{bmatrix} -0.0012 & -0.0380 & -0.6113 & 3.4367 \\ -0.0523 & 0.0017 & 0.4395 & -0.2396 \end{bmatrix}$$

As in the lateral control design, the feed-forward matrix $G_{long}$ has been designed
using the inverse steady-state gain i.e.

$$G_{long} = -\big( C_{c_{long}} (A_{long} + B_{\nu_{long}} F_{long})^{-1} B_{\nu_{long}} \big)^{-1}$$

Here, the longitudinal feed-forward matrix $G_{long}$ is given by

$$G_{long} = \begin{bmatrix} -0.0015 & 0.0438 \\ 0.0665 & -0.0024 \end{bmatrix}$$

It will be assumed that at least one of the control surfaces for FPA tracking will still
be available when a fault or failure occurs. It is also assumed that at least one of
the four engines is available for $V$ tracking. Based on these assumptions, it can be
verified from a numerical search that $\gamma_{0_{long}} = 8.2913$ from (18.19).
As in the lateral controller, a quadratic optimal design has been used to obtain
the sliding surface matrix. The weighting matrix has been chosen as $Q_{long} =
\mathrm{diag}(2, 2, 1, 1)$. The first two terms of $Q_{long}$ are associated with the $B_{long,2}$ partition
in (18.2) (i.e. states $q$ and $V$) which weight the virtual control term, and have been
more heavily weighted compared to the last two terms. The poles associated with
the reduced order sliding motion are {−1.1157, −0.3737} where

$$M_{long} = \begin{bmatrix} -0.0124 & -0.0037 \\ 0.4786 & 0.1247 \end{bmatrix}$$

Based on this value of $M_{long}$, it can be shown from (18.24) that $\gamma_{1_{long}} = 3.0160 \times
10^{-4}$. Therefore $\gamma_{0_{long}} \gamma_{1_{long}} = 0.0025 < 1$ and so the requirements of equation
(18.25) are satisfied. For this choice of sliding surface, $\|\tilde{G}_{long}(s)\|_\infty = \gamma_{2_{long}} =
0.0066$ from (18.23). Therefore from (18.25),

$$\frac{\gamma_{2_{long}} \gamma_{0_{long}}}{1 - \gamma_{1_{long}} \gamma_{0_{long}}} = 0.0551 < 1$$

which shows that the faulty closed-loop system is stable for all $0 < w_i \le 1$. The
discontinuity in the nonlinear control term in (18.28) has been smoothed by using a
sigmoidal approximation where the scalar $\delta_{long} = 0.05$.
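The numerical search for γ0 in (18.19) and the test (18.25) used in Sections 18.3.1 and 18.3.2 can be sketched as follows. This is an added example, not code from the chapter: the aircraft B2 matrices are not printed here, so the search runs on a constructed 2 × 4 matrix with orthonormal rows, and the function names, the grid levels and `B2_DEMO` are assumptions for illustration. The γ values in `LATERAL` and `LONGITUDINAL` are the ones quoted in the text.

```python
import itertools
import math

def weighted_pinv(B2, w):
    """B2^+ = W B2^T (B2 W B2^T)^-1 from (18.18), for a 2 x m B2 and W = diag(w).

    Returns an m x 2 matrix, or None when B2 W B2^T is singular, i.e. the
    remaining actuators can no longer produce both virtual control components.
    """
    m = len(w)
    g11 = sum(w[j] * B2[0][j] ** 2 for j in range(m))
    g12 = sum(w[j] * B2[0][j] * B2[1][j] for j in range(m))
    g22 = sum(w[j] * B2[1][j] ** 2 for j in range(m))
    det = g11 * g22 - g12 * g12
    if det < 1e-12:
        return None
    inv = ((g22 / det, -g12 / det), (-g12 / det, g11 / det))
    return [[w[j] * (B2[0][j] * inv[0][c] + B2[1][j] * inv[1][c])
             for c in range(2)] for j in range(m)]

def spectral_norm(P):
    """Largest singular value of an m x 2 matrix via the eigenvalues of P^T P."""
    a = sum(row[0] ** 2 for row in P)
    d = sum(row[1] ** 2 for row in P)
    b = sum(row[0] * row[1] for row in P)
    lam_max = 0.5 * (a + d) + math.sqrt((0.5 * (a - d)) ** 2 + b * b)
    return math.sqrt(lam_max)

def search_gamma0(B2, levels=(0.0, 0.5, 1.0)):
    """Coarse grid search for the largest ||B2^+|| over effectiveness levels w_i."""
    best, worst_w = 0.0, None
    for w in itertools.product(levels, repeat=len(B2[0])):
        P = weighted_pinv(B2, w)
        if P is None:
            # Excluded: violates the "at least one effector per axis" assumption.
            continue
        n = spectral_norm(P)
        if n > best:
            best, worst_w = n, w
    return best, worst_w

def stability_margin(gamma0, gamma1, gamma2):
    """Middle term of (18.25); the sliding motion is stable if it is below 1."""
    if gamma1 * gamma0 >= 1.0:
        return math.inf
    return gamma2 * gamma0 / (1.0 - gamma1 * gamma0)

# Constructed 2 x 4 example with orthonormal rows (B2 B2^T = I); not aircraft data.
B2_DEMO = [[0.8, 0.6, 0.0, 0.0],
           [0.0, 0.0, 0.6, 0.8]]

# Values printed in Sections 18.3.1 and 18.3.2 of this chapter.
LATERAL = dict(gamma0=8.1314, gamma1=0.0230, gamma2=0.0563)
LONGITUDINAL = dict(gamma0=8.2913, gamma1=3.0160e-4, gamma2=0.0066)

if __name__ == "__main__":
    g0, w = search_gamma0(B2_DEMO)
    print("demo gamma0 = %.4f at w = %s" % (g0, w))
    print("lateral margin      = %.4f" % stability_margin(**LATERAL))
    print("longitudinal margin = %.4f" % stability_margin(**LONGITUDINAL))
```

For the constructed matrix the worst case is the loss of the more effective actuator on one axis, which is why γ0 exceeds 1 even though the fault-free norm is exactly 1. The margins reproduce the chapter's 0.5627 and 0.0551 to within the rounding of the printed γ values.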
As in the lateral design, the variables related to the adaptive nonlinear gain have
been chosen as $l_{1_{long}} = 0$ and $l_{2_{long}} = 1$. This was found to give sufficiently good
performance and removes the dependence of $r(t)$ on $x(t)$. The parameter $\eta_{long}$ from
(18.28) was chosen as $\eta_{long} = 1$. In practice, a maximum limit $\rho_{max}$ for the adaptive
nonlinear gain in (18.30) is imposed to prevent the actuators from becoming too
aggressive. Here, the maximum gain was set at $\rho_{max_{long}} = 2$. The adaptation
parameters from (18.31) have been chosen similar to those in the lateral design; i.e.
$a_{long} = 100$, $b_{long} = 0.01$ and $\varepsilon_{long} = 5 \times 10^{-2}$.
To emulate real aircraft flight control capability, an outer loop PID for heading
and altitude control, as well as the EPR control mixing and ILS landing described
in Chapter 8 are also used here.
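The adaptive gain (18.30)-(18.32) with the lateral and longitudinal settings chosen above can be exercised as follows. This is an added example, not the chapter's Simulink implementation: it uses forward-Euler integration at the 0.01 s step and a constructed ‖σ(t)‖ profile. The sigmoidal form σ/(‖σ‖ + δ), the clamping of the integrator at ρmax and all function names are assumptions, since the chapter does not print them.

```python
import math

def dead_zone(s, eps):
    """D_eps from (18.32): zero inside the boundary layer, the argument outside."""
    return 0.0 if abs(s) < eps else s

def gain_step(r, sigma_norm, e_norm, p, dt):
    """One forward-Euler step of (18.31); returns the updated r and rho from (18.30)."""
    scale = p["l1"] * e_norm + p["l2"]          # l1*||e|| + l2, positive since l2 = 1
    r_dot = p["a"] * scale * dead_zone(sigma_norm, p["eps"]) - p["b"] * r
    r = r + dt * r_dot
    # Assumption: the limit rho_max is enforced by clamping the integrator state,
    # which also prevents wind-up while the fault persists.
    r = min(max(r, 0.0), p["rho_max"] / scale)
    return r, r * scale

def nu_n(sigma, rho, eta, delta):
    """Smoothed (18.28): sigma/||sigma|| replaced by sigma/(||sigma|| + delta)."""
    norm = math.sqrt(sum(s * s for s in sigma))
    k = -(rho + eta) / (norm + delta)
    return [k * s for s in sigma]

def constructed_sigma_norm(t):
    """Constructed ||sigma(t)|| profile (not simulator data): fault from 200 s to 400 s."""
    if t < 200.0:
        return 0.02      # nominal flight, inside the boundary layer
    if t < 400.0:
        return 0.08      # fault: sliding degrades, outside the boundary layer
    return 0.01          # sliding recovered, back inside the boundary layer

def simulate(p, t_end=600.0, dt=0.01):
    """Return rho sampled every dt, starting from r(0) = 0."""
    r, rho, trace = 0.0, 0.0, []
    for k in range(int(round(t_end / dt)) + 1):
        trace.append(rho)
        r, rho = gain_step(r, constructed_sigma_norm(k * dt), 0.0, p, dt)
    return trace

def rho_at(trace, t, dt=0.01):
    """Sample of rho closest to time t."""
    return trace[int(round(t / dt))]

# Settings from Sections 18.3.1 and 18.3.2.
LATERAL = dict(a=100.0, b=0.01, eps=5e-2, l1=0.0, l2=1.0,
               rho_max=5.0, eta=1.0, delta=0.05)
LONGITUDINAL = dict(LATERAL, rho_max=2.0)

if __name__ == "__main__":
    lat, lon = simulate(LATERAL), simulate(LONGITUDINAL)
    for t in (199.0, 201.0, 399.0, 500.0, 600.0):
        print("t=%5.0f s  rho_lat=%.3f  rho_long=%.3f"
              % (t, rho_at(lat, t), rho_at(lon, t)))
    print("nu_n at the limit:", nu_n([0.03, -0.04], 5.0, 1.0, 0.05))
```

With a = 100 the gain saturates within a second of ‖σ‖ leaving the boundary layer, while b = 0.01 gives a decay time constant of 100 s once sliding is recovered.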
[Figure: block diagram linking the pilot and MCP inputs, the outer loop PID and LOC & GS logic, the linear and adaptive unit vector components of the controller, the control allocation and the aircraft model in the SIMONA simulator.]

Fig. 18.1 SIMONA interconnections

18.4 SIMONA Implementation


The controller was implemented on the SIMONA flight simulator. The command
inputs from the pilot are through the mode control panel (MCP). The controller
was implemented as a Simulink (version 2006b) model with appropriate inputs and
outputs to connect it with the SIMONA hardware, as described in Figure 18.1.
The controller was set up to work with an Ode4 (Runge-Kutta) solver with a
fixed time step of 0.01 s (100 Hz). Using the Real-Time Workshop, the Simulink
controller block diagram was converted to C-code and integrated into the SIMONA
research simulator (SRS), where it runs on a dual Pentium III 1 GHz processor,
together with the aircraft model and the motion control software. The available
processing power is sufficient to run the controller in real time, i.e. within 10 ms per
time step.
A connection with the Mode Control Panel (MCP) on the flight deck enables
the selection of ‘control modes’ e.g. altitude hold, heading select and reference
values. The simulator trials were performed with the speed, altitude and heading select
modes active. The pilot commands new headings, speeds or altitudes by adjusting
the controls on the MCP.
Further details on real time implementation issues can be found in Chapter 8.

18.5 SIMONA Flight Simulator Results with Experienced Pilots


The controller was flown by three different pilots with experience on B747, B767,
A330 and Citation II aircraft. An experienced B767 and Citation II pilot rigorously
tested the controller during the flight evaluation campaign before the GARTEUR
FM-AG16 final workshop in November 2007. During the FM-AG16 final workshop,
an experienced A330 pilot flew the damaged ‘aircraft’ on the SIMONA simulator
during the presentation to the general public, including the local Dutch press (TV
news, radio and newspapers). The results presented here are from ‘flights’ flown by
an experienced B747 pilot and a test pilot for NLR (National Aerospace Laboratory)
during the pilot evaluation campaign in November 2007.
Even though the controller has been designed based on the linearization using
a weight of approximately 263 000 kg, the controller was tested with a heavy trim
weight of 317 000 kg. This removes the advantage of low weight and low speed
maneuverability and higher performance and controllability compared to the heavy
trim weight, which was one of the main findings in [7]. The heavy trim weight for
the flight test also replicates the actual EL AL 1862 scenario and fits with the
assumption that the exact damage and condition of the aircraft post-faults is unknown.

18.5.1 SMC Controller Evaluation


Figure 18.2 shows the trajectories of three different flight tests - a classical
controller, a SMC without failure and the SMC tested with the EL AL 1862 failure
scenario. The no failure test of the SMC was done to give the pilot the feel of the
new controller and to give the pilot a chance to familiarize himself with the
controller in nominal conditions. Figure 18.2 shows that the aircraft was flown straight
and level first, before a heading change of 90 deg to the east was performed. The
pilot tested the aircraft’s capability to climb to a pre-specified altitude from 600 m
to approximately 800 m. Then the pilot commands a return to an altitude of 600 m
and performs another right turn to capture the LOC. At this stage, the pilot ‘arms’
the APP in order to prepare for an automated landing approach. Once the aircraft
captures the LOC signal, a final turn towards the centreline of Runway 27 is started
and after a while the GS signal is captured and the aircraft descends towards the
runway on a 3 deg glideslope. Note that starting from the moment the pilot activates
the APP button in the MCP and the LOC signal has been captured, the aircraft is on
a fully automated landing mode and no other pilot input is required. (Full pilot
authority flight can also be undertaken using heading and altitude changes or manual
roll and FPA commands from the pilot). Figure 18.2 shows a ‘tighter’ manoeuvre
for the nominal SMC controller compared to the classical controller and the SMC
with the EL AL 1862 scenario.

[Figure: 3-D trajectories (axes xe, ye, he) for ‘SMC: ELAL 1862 scenario’, ‘classical: ELAL 1862 scenario’ and ‘SMC: nominal’, with the start, failure, right turns, localizer intercept, glideslope intercept, crash and end points marked.]

Fig. 18.2 Classical & SMC controller: 3-D flight trajectory

The SMC in the EL AL 1862 failure mode manages to bring the aircraft near
to landing on the desired runway. Figure 18.3 shows the controlled states of the
damaged aircraft with the SMC controller. Note at the beginning of the simulation,
before the failure occurs at around 200 sec, the FPA, $V_{tas}$ and altitude show small
steady state errors due to the mismatch between the designed trim conditions and
the test conditions described earlier. The mismatch between the designed and test
conditions demonstrates the controller coping with uncertainty and allows the pilot
to rigorously test the controller outside its ‘comfort zone’. The steady state error is
small and does not represent any significant loss of overall performance.
Figure 18.3 shows that after the failure occurs, at approximately 200 sec, the
climb capability of the aircraft is degraded when the pilot requests an increase in
altitude to 800 m (from 600 m). On the other hand, the more important descent
capability of the SMC controller is not degraded as it is able to follow the glide slope
of 3 deg towards the runway. This is shown in Figure 18.4. The glide slope error
is maintained below 0.5 deg. Figure 18.3 also shows that the side slip angle of the
damaged aircraft has been limited to no more than ±1.5 deg which is much better
than the one from the classical controller in Figure 18.3. The heading changes of
the damaged aircraft with the SMC controller in Figure 18.3 also show a more
systematic and higher level of performance compared to the classical controller. This
also shows that the lateral controller is able to deal with the asymmetric change in
CG, weight and the asymmetric thrust conditions and maintains the desired change
in heading. Decreasing the speed to approximately 120 m/s does not have the
devastating and unstable effect seen in the classical controller. In fact, as suggested in
[7, 3], reducing the speed helps in terms of lateral control. This is seen in terms
of the deviation of the side slip angle in Figure 18.3 which is much smaller than
at higher speed after the failure has occurred. The roll angle tracking again shows
good performance tracking even after the loss of the two engines and the hydraulics
associated with the EL AL 1862 scenario.
Figure 18.4 shows typical signals from the ILS sensors. It represents the DME,
LOC and GS deviation, and the moment when the LOC and the GS are engaged
(valid/engaged) after being ‘armed’ using the APP button on the MCP. As usual, the
LOC is engaged before the GS. The LOC coverage is much further than the GS and
this allows the aircraft to align to the extended centreline of the runway before the
descent starts.

[Figure: lateral states (roll angle, side slip angle, heading angle, in deg) and longitudinal states (FPA in deg, Vtas in m/sec, altitude in m) against time (sec), showing states and commands with the failure, localizer intercept and glideslope intercept marked.]

Fig. 18.3 EL AL 1862 scenario: SMC controller: controlled states

[Figure: DME (m), LOC deviation (deg), GS deviation (deg), LOC valid and GS valid signals against time (sec), with the failure, LOC engaged and GS engaged instants marked.]

Fig. 18.4 EL AL 1862 scenario: SMC controller: LOC and GS deviation angle

Figure 18.5 shows the control surface deflections of the SMC controller under
the EL AL 1862 scenario. This figure highlights the major difference between the
classical controller (which is mechanically linked) and the FBW aircraft that has
been provided by the GARTEUR FM-AG16 modification. In this figure, the outboard
aileron can be seen to be independently mobile before the occurrence of the
failure. After the failure, the right outboard aileron floats due to the loss of hydraulic
systems 3 and 4. Independent control can be seen in the spoilers, elevators, rudders
and EPR. The effect of losing the hydraulic system can also be seen in the floating
of the inboard left and outboard right elevators (see Figure 18.5) where a clear
distinction between the control surface deflection can also be seen. The spoilers also
show similar patterns. Before the loss of engines 3 and 4, all the spoilers seem to
be moving independently; but when the failure occurs, only spoilers 2, 3, 10 and 11
are active, the rest of the spoilers remain at zero deflection. In general, the control
surface deflections of the elevators, ailerons and spoilers are almost half the ones
resulting from using the classical controller (see Figure 18.5). The control surface
deflections from the SMC controller do not reach the saturation limits of the surfaces
and the spoilers and the ailerons are generally less aggressive. Engine EPR shows
that differential thrust has been used to achieve the desired performance, especially
for obtaining small sideslip and roll angles. Note that all the control surfaces are
controlled independently by the control allocation SMC scheme described in the
earlier sections of this chapter. The only pilot input consists of supplying the higher
level commands such as heading and altitude change (or roll and FPA command
through the MCP panel).
Figures 18.6 and 18.7 show the adaptive gain and the associated $\|\sigma(t)\|$ signals
that initiate the adaptation. Before the occurrence of the failure, the sliding signal
$\|\sigma(t)\|$ is below the selected threshold. Once the threshold is exceeded, the gain is
adapted from a minimum of 1 up to the maximum of 5 and 2 for the
lateral and longitudinal axes respectively. High deviation from the sliding surface
$\sigma(t) = 0$ shows the severity of the faults. After the failure has occurred and during
manoeuvres, the switching function plot $\|\sigma(t)\|$ deviates away from the ideal sliding
surface. However, in the near landing condition, the switching function returns
below the adaptation threshold. During this time, the adaptive gain reduces to the
minimum value of 1.
Although the SMC controller can be implemented in such a way that pilot inputs
(such as column, wheel and pedal) can be used; the purpose here is to show that, as
a proof of concept, the SMC controller is more than able to handle all the rigorous
tests and failures it is subjected to, using the minimal amount of input from the pilot
(thus lowering the workload during an emergency condition). This allows the pilots
to concentrate on higher level decisions.
Figure 18.8 is one of the SIMONA output alternative views and provides the
aircraft position relative to the actual position on a map of the Netherlands. This
18 Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident 515

Fig. 18.5 EL AL 1862 scenario: SMC controller: control surfaces deflection
[Plot panels, each against time (sec): EPR; rudders (deg); spoilers left and right (deg);
ailerons left and right (deg); elevators (deg); horizontal stabilizer (deg). Plot annotations:
engine 3 & 4 missing; EPR1&2 active; sp2&3 active; sp10&11 active; sp1,4,5&6 inactive;
sp7,8,9&12 inactive; aor float; eol & eir active; eil & eor float.]

Fig. 18.6 EL AL 1862 scenario: SMC controller: lateral adaptive gain
[Plot panels, each against time (sec): LAT adaptive gain; Lat ||s(t)||.]


Fig. 18.7 EL AL 1862 scenario: SMC controller: longitudinal adaptive gain
[Plot panels, each against time (sec): LONG adaptive gain; Long ||s(t)||.]


516 H. Alwi et al.

(a) overall trajectory

(b) zoomed trajectory near the runway

Fig. 18.8 SIMONA flight trajectory of EL AL 1862 scenario with model reference SMC
controller with control allocation. © Google Earth

figure shows the actual SMC controller trajectory under the EL AL 1862 failure
condition. The overall trajectory shows the aircraft manages to reach Runway 27.

18.6 Conclusions
This chapter has presented piloted flight simulator results associated with the EL
AL flight 1862 (Bijlmermeer incident) scenario. The results represent the suc-
cessful implementation of a FTC SMC controller on the SIMONA 6-DOF flight
simulator configured to represent a large transport aircraft with experienced pilots
flying and evaluating the controller. The results show that not only does the proposed
SMC scheme work in a no-fault condition, but it also facilitates a safe positioning
of the aircraft for landing on the designated runway in EL AL flight 1862 failure
conditions. This is achieved without requiring controller reconfiguration and in the
absence of any information about the failures.

References
1. Alwi, H., Edwards, C., Stroosma, O., Mulder, J.A.: Fault tolerant sliding mode control
design with piloted simulator evaluation. AIAA Journal of Guidance, Control and
Dynamics 31(5), 1186–1201 (2008)
2. Alwi, H., Edwards, C., Stroosma, O., Mulder, J.A.: Piloted sliding mode FTC simulator
evaluation for the EL AL Flight 1862 incident. In: AIAA Guidance, Navigation, and
Control Conference (2008)
3. Anon.: EL AL flight 1862, aircraft accident report 92-11. Technical report, Netherlands
Aviation Safety Board, Hoofddorp (1994)
4. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor &
Francis, London (1998)
5. Härkegård, O., Glad, S.T.: Resolving actuator redundancy - optimal control vs. control
allocation. Automatica 41(1), 137–144 (2005)
6. Liu, G.P., Patton, R.J.: Eigenstructure Assignment for Control System Design. John
Wiley & Sons, Chichester (1998)
7. Smaili, M.H.: Flight data reconstruction and simulation of EL AL Flight 1862.
Graduation Report, Delft University of Technology (1997)
8. Shin, D., Moon, G., Kim, Y.: Design of reconfigurable flight control system using
adaptive sliding mode control: actuator fault. Proceedings of the Institution of Mechanical
Engineers, Part G (Journal of Aerospace Engineering) 219, 321–328 (2005)
9. Shtessel, Y., Buffington, J., Banda, S.: Tailless aircraft flight control using multiple time
scale re-configurable sliding modes. IEEE Transactions on Control Systems
Technology 10, 288–296 (2002)
10. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992)
11. Wells, S.R., Hess, R.A.: Multi-input/multi-output sliding mode control for a tailless
fighter aircraft. Journal of Guidance, Control and Dynamics 26, 463–473 (2003)
Part V
Conclusions
Chapter 19
Industrial Review

Philippe Goupil and Andres Marcos

19.1 Introduction
The transition of the potentially viable fault tolerant flight control methodologies,
as developed and evaluated within this GARTEUR Action Group, towards practical
applications, requires a critical look at the design and safety issues concerning the
developed adaptive control methodologies as an integrated part of the flight control
system. Therefore, the aim of this chapter is to provide an evaluation by repre-
sentatives from industry to look at the potential of the results of this action group
for industrial application. This also facilitates the necessary knowledge transfer be-
tween academia, research and industry which is one of the main principles of the
GARTEUR framework and of this project. Clearly, the application of fault mitigat-
ing control technologies, or ‘intelligent’ adaptive control, has benefits in a wide area
of industrial domains, but in this research, the evaluation has been focused on the
potential within the aerospace community. It is not the intention to assess which
of the developed fault tolerant control methodologies is the ‘best’, or has the best
performance achieved in the benchmark as compared to other methods. Instead, the
main objective is to assess the achieved maturity level, potential and open issues of
the fault tolerant control designs, as developed in this action group, in terms of ap-
plicability, complexity, compatibility with (future) on-board processor requirements
and overall flight safety. This also includes the innovative aspects of the presented
control solutions to accommodate potentially catastrophic on-board system failures
for recovery of the aircraft and ensure safe continuation of the flight or to improve
Philippe Goupil
Airbus France, EDYC-CC Flight Control Systems, 316 Route de Bayonne,
31060 Toulouse Cedex 09
e-mail: philippe.goupil@airbus.com
Andres Marcos
Advanced Projects Division, Simulation & Control Section, Deimos Space S.L.,
Ronda de Pendente 19, Edifices Fitment VI, Madrid, 28760, Spain
e-mail: andres.marcos@deimos-space.com

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 521–536.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

the performance and operation of the aircraft in terms of economics and efficiency.
It should be remembered that in this GARTEUR Action Group, adaptive control
design concepts have been assessed on their viability, both from an aircraft per-
formance and human factors aspect, while issues from an industrial design process
perspective, including the required engineering tools, design process efficiency, syn-
thesis and flight clearance have not been taken into account. This could, however,
be the subject of a subsequent research programme in which the fault tolerant flight
control algorithms that have been designed and demonstrated can be used as a start-
ing point. The evaluation of the results of this GARTEUR Action Group, as de-
scribed in this chapter, has been performed by several organisations. These include
Airbus, representing the European aircraft manufacturing industry and Deimos-
Space, an aerospace company specializing in industrialization of innovative guid-
ance, navigation and control solutions.

19.2 Considerations for Commercial Aircraft - AIRBUS


As previously mentioned in Part I, the introduction of Fly-By-Wire (FBW) sys-
tems led to more sophisticated control of the aircraft and flight envelope protection
functions. In parallel, the number of failure cases to be considered in the design of
an aircraft is increasing significantly because of the growing complexity of equip-
ment and systems. Similarly, the introduction of Electrical Flight Control Systems
(EFCS) led to a number of interactions with flight physics disciplines involved in
the design of an aircraft, in particular in the case of failures. These interactions must
be taken into account very early in the conception of an aircraft and all along its
development process. This is why fault tolerance and fault detection are key points
in the design of a safety-critical EFCS created to meet very stringent requirements
in terms of safety and availability. Compliance with these requirements is crucial
to obtain the certification that is necessary to allow the use of an aircraft in a civil
environment in complete safety. The state-of-practice for an aircraft manufacturer
to diagnose and to tolerate faults, and then to obtain full flight envelope protection
under all possible external disturbances, is to provide high levels of hardware redun-
dancy. Relying on this strong redundancy, fault detection is mainly performed by
cross checks, consistency checks, voting mechanisms and built-in test techniques of
varying sophistication (although analytical redundancy is used for the detection of
a very specific failure case in the A380 EFCS [6]). Fault tolerance relies mainly on
hardware redundancy, stringent safety analysis, dissimilarity, physical installation
segregation and hardware/software reconfiguration. Here reconfiguration means au-
tomatic management following a failure. These standard industrial practices fit into
the current aircraft certification processes. However, for upcoming and future aircraft,
on the one hand, there is a necessity to be compliant with more stringent
safety requirements. On the other hand, there is a strong will from the
aircraft manufacturers to develop more affordable, cleaner and quieter aircraft for
environmental concerns, while keeping the highest safety standards and the highest
operational availability. This could lead to the implementation of more advanced
algorithms to achieve these stronger and stronger requirements. This is why an aircraft
manufacturer like Airbus is very interested in studying the viability and capabilities
of advanced innovative methodologies, as developed within this GARTEUR
Action Group, in order to bridge the gap between industrial needs and academia.
Also it is interesting to note the continuous trend to use innovative technical so-
lutions in the aeronautical sector to satisfy the aforementioned safety and societal
imperatives: for example the use of Electro-Hydrostatic Actuators (EHA) on the
A380 [7]. Other innovations could also contribute in the future to widen the gap
between the scientific methods advocated by academia and industrial requirements,
justifying collaborative work between both communities. One of the goals of this
chapter is to provide an industrial perspective on the results of this GARTEUR Ac-
tion Group, to assess the maturity level of the developed designs and to evaluate
any missing requirements for a practical certified use on a safety-critical system
such as a large civil aircraft. First, it is useful to start with a brief reminder of the
main current industrial constraints and limitations for a practical real-time algorithm
implementation in a safety-critical environment. In subsequent sections, some com-
ments and recommendations for the possible use of the proposed methodologies in
the EFCS of a large civil aircraft are proposed.

19.2.1 Industrial Limitations and Constraints


From the perspective of activating a Fault Tolerant strategy, if any fault detection
information is demanded, a low false alarm rate is required in order not to degrade
the operational reliability. The false alarm rate must be lower than the Flight Control
Computer Mean Time Between Failure (MTBF, i.e. the arithmetic mean (average)
time between failures of a system). Similarly, a low non-detection rate is required on
a safety-critical system as the consequences of a failure might be critical. All failures
with potentially a catastrophic consequence must be demonstrated to be extremely
improbable to obtain certification: that is, with a probability less than $10^{-9}$ per flight
hour. Thus, the product of the probability of occurrence of the failure to be detected
and the probability of non-detection should be less than $10^{-9}$ per flight hour.
On a large civil aircraft, the flight control computer computing capacities are
low compared to other classical applications (e.g. multimedia). Proven and robust
processors must be used for safety-critical applications. For example, the current
A340 primary computer processor is an AMD 486 DX4, at 32 MHz, representing
about 19 million instructions per second. Consequently, it is very difficult to use
advanced processing with a high computational burden, like an on-line optimization
algorithm or even wavelet or Fourier transforms. For instance, the matrix triangular-
ization involved in many non-linear filtering techniques is difficult to implement and
all elementary operations involved in this case must be detailed at a low level. To
implement a complex algorithm, a version must be developed with as much simpli-
fications as possible, by deleting all needless operations and redundancy. In general,
a loss of performance occurs after such simplifications and typically a trade-off be-
tween complexity and performance must be found.
As explained previously in the chapter on industrial practices (Part I), the typi-
cal Airbus Flight Control Computer architecture consists of two separate indepen-
dent channels, each with its own clock. Consequently, there is a time asynchronism
between both units. In particular some data is recorded in one unit but not in the
other. For instance, in Airbus aircraft, dedicated position sensors measure the position
of some control surfaces in degrees. These sensors are located inside the control
surfaces. A design must be implemented in one unit only and if it requires data
from the other unit, there is a time asynchronism to take into account. Moreover,
the Flight Control Computers are multi-rate time triggered which means that not all
data is processed with the same sampling period, even in the same unit. For exam-
ple, some data is produced every 40 ms. If a FTC design works with a sampling
period of 10 ms then the 40 ms data must be adapted to this faster sampling time,
by using for example some prediction filter. This can have a serious impact on a
design. Similarly, some useful data like the air and inertial information are sent by
other dedicated computers with different sampling periods. This data received in the
Flight Control Computer also presents an asynchronism to take into account. Some
designs could be sensitive to all these asynchronisms and should be able to deal
with them.
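The multi-rate adaptation described above, as an added example that is not taken from the book or from any Airbus implementation: a first-order-hold prediction filter brings 40 ms data onto a 10 ms task and is compared with simply holding the last value. The filter choice, the 3 ms clock skew, the staleness limit and the test signals are all constructed assumptions.

```python
"""Feeding 40 ms data to a 10 ms task (constructed example, not from the book)."""
import math

SLOW_MS = 40      # producer period quoted in the text
FAST_MS = 10      # consumer (FTC design) period quoted in the text
MAX_AGE_MS = 120  # assumption: older data is flagged stale, not extrapolated


class LinearPredictor:
    """First-order-hold prediction filter: extrapolate from the last two samples."""

    def __init__(self):
        self.prev = None   # (t_ms, value) of the sample before last
        self.last = None   # (t_ms, value) of the newest sample

    def push(self, t_ms, value):
        # Drop repeated or out-of-order frames so the slope stays well defined.
        if self.last is not None and t_ms <= self.last[0]:
            return False
        self.prev, self.last = self.last, (t_ms, value)
        return True

    def read(self, now_ms):
        """Return (estimate, valid) for the fast tick at now_ms."""
        if self.last is None:
            return 0.0, False
        age = now_ms - self.last[0]
        if age < 0 or age > MAX_AGE_MS:
            return self.last[1], False          # hold the value, flag it invalid
        if self.prev is None:
            return self.last[1], True           # only one sample so far: plain hold
        slope = (self.last[1] - self.prev[1]) / (self.last[0] - self.prev[0])
        return self.last[1] + slope * age, True


def worst_errors(signal, skew_ms, duration_ms=400):
    """Worst absolute error of a zero-order hold and of the predictor.

    signal(t_ms) is the true quantity. The slow producer samples it at
    skew_ms, skew_ms + 40, ... on the consumer's time base, which models
    the asynchronism between the two clocks.
    """
    slow_times = list(range(skew_ms, duration_ms + 1, SLOW_MS))
    pred = LinearPredictor()
    worst_hold = worst_pred = 0.0
    for now in range(0, duration_ms + 1, FAST_MS):
        while slow_times and slow_times[0] <= now:
            t = slow_times.pop(0)
            pred.push(t, signal(t))
        if pred.prev is None:
            continue                            # warm-up: need two slow samples
        estimate, valid = pred.read(now)
        if not valid:
            continue
        truth = signal(now)
        worst_hold = max(worst_hold, abs(truth - pred.last[1]))
        worst_pred = max(worst_pred, abs(truth - estimate))
    return worst_hold, worst_pred


def ramp(t_ms):
    return 2.0 * t_ms / 1000.0                  # constructed: 2 deg/s surface motion


def sine(t_ms):
    return 10.0 * math.sin(2.0 * math.pi * 0.5 * t_ms / 1000.0)  # constructed: 0.5 Hz


if __name__ == "__main__":
    for name, sig in (("ramp", ramp), ("sine", sine)):
        hold, pred = worst_errors(sig, skew_ms=3)
        print(f"{name}: hold error {hold:.4f} deg, predictor error {pred:.4f} deg")
```

The predictor is exact only for a constant-rate signal; on the sine it still leaves a curvature-dependent error, and it amplifies measurement noise, which is part of the design impact the text refers to.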
The industrial use of innovative and advanced designs requires easy tuning for
possible use on different control surfaces and different aircraft. If the tuning of some
important parameters is too difficult, or requires too specific expertise, then it will
not be useful for an industrialist. For instance, the initial tuning of Q and R matrices
(the covariance matrices of the process noise and the measurement noise in a state
space representation) is a crucial issue for nonlinear filtering (e.g. in an Extended
Kalman Filter). A bad choice could lead to diverging behaviour. The use of simple
approaches with restricted high-level parameters which are easy to tune is also very
important to reduce the test phase during the certification procedure. Due to the con-
straints of a safety-critical system, the convergence and the stability of the designs
must be proven to avoid any diverging behaviour that can potentially degrade the
availability of the flight control system (a false alarm leads to a system reconfigura-
tion and degrades the hardware redundancy level and potentially the flight envelope
protection level). Diverging behaviour could also lead to a numeric overflow entail-
ing an automatic switch-off of the related Flight Control Computer. After this brief
reminder of the main industrial limits and constraints for a real-time implementa-
tion, the next section is dedicated to an industrial perspective on the GARTEUR
Action-Group results.

19.2.2 An Aircraft Manufacturer Perspective


It is first interesting to note that the designs developed in this GARTEUR project are
mainly model-based approaches that do not need additional hardware, like probes
and sensors for example. That means that there is no additional weight (i.e. no air-
craft performance degradation), no extra maintenance tasks to perform, no specific
monitoring to add. This is a great advantage from an industrial point of view.
For possible industrial use it is necessary to be compliant with the computational
burden limitation. The Flight Control Computers perform a number of tasks,
mainly sensor acquisition and monitoring, flight control law computations, servo-
loop computation, reconfiguration and monitoring of all the flight control system
components. It is then practically impossible to dedicate too much computational
load to a single fault detection algorithm dedicated to a single failure case. Simi-
larly, the computational burden of a single Fault Tolerant flight control law must be
light as several other functions (like critical event protections) must be integrated
within the whole control law. In this sense, the estimation of the computational load
of each design presented in Part IV is very interesting from an industrial point of
view and can help to identify the impact of the new designs. From the viewpoint of
this criterion only, some designs already seem to be suitable for a real-time imple-
mentation, although it is difficult to compare the algorithms as they do not perform
exactly the same control task. This remark is valid for the current Flight Control
Computer capacities and also taking into account the expected performance of the
upcoming processors to be used in future aircraft. However, as explained in more
detail later in this paragraph, more complete assessments are required before indus-
trial mass use. This could lead to more enriched designs, and then an increase in the
whole computational burden. The estimation presented in Part IV is considered as a
minimum cost from an industrial standpoint.
As explained in Part I, the Flight Control Computer specification includes a de-
scription of the software by using a graphical tool composed of a set of elementary
symbols each corresponding to a dedicated processing operation (adder, limiter, fil-
ter, delay, etc.), before automatic coding. The next step for real-time use of the
proposed designs could be coding using a kind of graphical tool in order to split
as much as possible the proposed algorithm into elementary operations. This eases
the estimation of the computational burden and will answer a requirement from the
manufacturer or the equipment supplier in charge of the coding and of the computer
hardware. On the other hand, there is a requirement from the specification designers
to use high-level blocks of symbols in order to write a clearer and more readable
specification. These two contradictory tendencies must be taken into account and a
two-level specification writing would be useful from an industrial viewpoint. If the
cost of a design is too high, some simplifications must be considered. Such sim-
plifications generally lead to some performance loss. A classical trade-off between
complexity and performance must be found. It could also be interesting to quantify
the performance of the design for different simplified versions of the algorithm.
As previously mentioned, a high-level tuning of the designs would be appreci-
ated from an industrial point of view for easy adaptation to different aircraft or to
different flight control surfaces on the same aircraft. For each design method, iden-
tification of such high level parameters could be useful to evaluate the applicability
in a safety-critical real-time environment.
Certification is a key point for industrial use. Validation in a representative en-
vironment is a major part of the certification process. In this GARTEUR project,
the real-time assessment on a research flight simulator and the piloted evaluation
are strong points. It shows the motivation of all the partners not to perform just an
academic exercise but the will to develop realistic designs with a view to bridge
the gap between the innovative scientific methods advocated by the academic com-
munity and industrial needs. A complete industrial assessment was not the initial
goal of this project, and in any case time and means were also limited. Although the
validation goes far, from an industrial viewpoint, it cannot be considered as a com-
prehensive assessment, at least from the perspective of in-service aircraft use. The
following recommendations should be taken into account to complete the validation:
first of all, the advanced designs must be intensively tested in fault-free situations, in
the whole flight domain and for different aircraft configurations (e.g. to explore the
whole weight and balance diagram). One possibility could be to implement a design
as dormant software code on a real aircraft during flight tests in order to explore a
wide set of scenarios. Similarly it is necessary to perform tests in degraded config-
urations to assess the robustness in the case of parametric variations. For instance,
to simulate a bad Trimmable Horizontal Stabilizer (THS, horizontal tail) configura-
tion that does not correspond to the centre of gravity position, representing a human
error in the flight preparation, is a good way to provoke high levels of dynamic
behaviour on the elevator on some typical manoeuvres (e.g. "push over") and to test
the robustness of the design when less deflection is available on the control surfaces.
The next step is to assess the designs in the presence of strong external disturbances
like wind and turbulence. Another key point concerns the robustness of the designs
when they are fed by faulty inputs. For example, the behaviour of the designs must
be studied in the case of uncertainty (offsets, bias, drift, delays, noise) on the input
flight parameters. One other issue to consider concerns the aircraft performance: the
developed designs are supposed to be tolerant to different failures and in particular
they allow recovering a controllable aircraft in an extreme situation. However, the
most typical failures lead fortunately to non-critical situations where it is still pos-
sible to fly. In such a situation, for example a low dynamic control surface runaway,
is it better to reallocate control to the remaining control surfaces or to reconfigure
on a safe redundant actuator? In the first case the robustness of the flight control
system is not degraded in the sense that the redundant hardware is still available, but
the aircraft configuration is not optimized, drag is generated and the whole aircraft
performance is degraded with a risk of becoming non compliant with regulations
like the ETOPS (Extended-range Twin-engine Operation Performance Standards)¹.
In the second case, the aircraft performance is maintained, without drag, but the
availability of the flight control system is degraded. The question is: in non-critical
situations, with the current Flight Control System architecture, is it necessary to ac-
tivate a Fault Tolerant strategy or must the hardware redundancy be used? If such
a choice must be made, the switching strategy between both possibilities must be
studied. This implies that one possible solution could be to use the certified base-
line controller in fault-free configuration, the most probable situation, and to switch
on a fault tolerant controller in a faulty situation signaled by the available FDI
(Fault Detection and Isolation) information. Such a configuration could also ease the
certification of the whole design as the nominal controller, which is active the greater
part of the time, is already certified.

¹ An international (ICAO) rule that restricts twin-engine aircraft to routes that put them
within 60/90/180 minutes of an emergency or diversion airport in case of an engine failure.

Following the previous remark, one comment concerns the integration with the
current state of the art designs. For instance, with the Airbus flight control law phi-
losophy, the aircraft is protected against critical events, like stall or overspeed. How
do the proposed innovative FDI/FTC designs integrate with the current flight con-
trol laws? How to integrate the protection in the proposed advanced algorithms?
The second comment concerns fault detection. Some of the developed designs re-
quire FDI information to be activated. It is useful for industrial use to know if a
design requires FDI information or not. If this is the case, what kind of informa-
tion is needed? Do the designs need already existing FDI information? If it requires
information that is not available, what information could be useful? The piloted
evaluation on the SIMONA Research Flight Simulator added a lot of value in the assessment.
It is essential for the designs to meet the end-user expectations. It is also
crucial to check that, particularly in a fault-free situation, the controller is ‘flyable’
and that the aircraft handling qualities remain intact. A pilot in the loop is essen-
tial for such an analysis. To illustrate that close cooperation between designers and
pilots is of great interest, and corresponds to an industrial practice, it is useful to
take a concrete example [8]: the Flight Control Law tolerance to engine asymmetry
or failure. On a conventional aircraft, such a failure results in constant sideslip and
roll rate with a very diverging heading, leading potentially to a difficult situation to
manage for the pilots. Before A380, the largest passenger aircraft in the world, FBW
Airbus lateral normal laws include a correction and stabilize the aircraft in a steady
state of constant bank angle and sideslip, with slowly diverging heading. With the
‘super jumbo’ A380, the so-called "Y*" lateral law is able to compensate automatically
for any lateral asymmetry, for example in the case of engine asymmetry or
failure. Initially in the A380 lateral law design, the lateral asymmetry was auto-
matically compensated (passive fault tolerance): sideslip is maintained very close
to zero, with a remaining roll angle of a few degrees. However, because of this
automatic compensation, pilots could miss an engine failure situation: therefore, a
specific means was designed to alert pilots that an engine failure had occurred. Nev-
ertheless, after the first tests, pilots expressed the need to detect an engine failure
through an aircraft movement and not only through an audio warning or a simple
display in the cockpit. So, it has been decided to simulate the effect of the engine
failure through the lateral law by commanding a sideslip in the same sense as the one
resulting from the engine failure: thus, the engine failure is felt by pilots like on any
other aircraft, but sideslip is smaller and much better controlled. Moreover, rudder
and ailerons deflections are calculated in order to minimize the drag while keeping
enough maneuverability to safely continue the flight. This example illustrates the
necessity for an efficient awareness of the pilot about the aircraft state throughout
a movement or a dedicated interface in the cockpit. The professional pilots raised
this last point during the SIMONA evaluation: they felt it was useful to be aware
that a FTC strategy is activated. This is an important topic for a successful trans-
fer of the GARTEUR Action-Group results to the aircraft industry: the techniques’
integration and cross-communication with the human operator, as well as with other
avionic systems, must be addressed.

19.2.3 Conclusion
The GARTEUR Action-Group 16 results can be considered as a first step toward an
industrial use of modern Fault Tolerant Control. Indeed, a strong focus was made
during the project on the viability of the designs in a real-time environment. The
piloted evaluation is also greatly appreciated from the industrial viewpoint, bring-
ing an operational feedback essential for a representative assessment. From a strict
aircraft manufacturer standpoint, before envisaging an in-service implementation of
these innovative designs, some work remains to be done to complete the assessment.
This GARTEUR project did not initially aim at providing such a validation.
Moreover, the time and means allocated did not allow a complete industrial assess-
ment. To complement the assessment, it is necessary to take into account all the
operational constraints and to explore the whole flight envelope, in nominal and
degraded configurations. It must also be honestly confessed that, on the most re-
cent in-service FBW aircraft, the failure scenarios tested in this GARTEUR project
would certainly not have had exactly the same consequences as the ones observed
in this study, even with the non-FTC baseline controllers. However, the relevance
of the FTC strategy is very interesting and promising in some extreme situations
when some elements of the Flight Control System are still available to help the pi-
lot to recover a controllable aircraft and to land safely thanks to a more intelligent
reallocation of the control commands. In the long term, such adaptive FTC meth-
ods, coupled to advanced FDI designs, could potentially help to reduce the number
of discrete low-level control laws, to reduce the hardware redundancy and then to
save weight with a direct impact on the aircraft performance, to develop a more pre-
dictive maintenance and finally, to optimize the tuning of the Flight Control Laws
during the flight tests. From an aircraft manufacturer viewpoint, this collaborative
work was a very good opportunity to make the academic community sensitive to the
industrial constraints and to share current industrial state of the art and practices on
FDI and FTC. For upcoming and future programs, in the frame of the aircraft global
optimization, innovative designs are needed to support the innovative technologies
developed by the aircraft manufacturers to satisfy the evolving safety and societal
requirements. Airbus will continue to have a great interest in all collaborative works
aimed at bridging the gap between the academic design methods and the industrial
requirements.

19.3 Perspectives for Aerospace Applications - Deimos Space


In space systems, the usual implementation constraints found in commercial and
military aviation, such as computational load and complexity, are also encountered,
albeit to a greater degree due to the more limited weight and computational pro-
cessing capabilities. These more restrictive limitations arise from the expensive cost,
around €10,000 to 20,000 for putting one kilogram of payload into space, and from the
lengthier testing and validation processes required to classify any software/hardware
as space-ready, which results in a de facto decade-long technological delay.
The weight limitation directly affects the system decisions related to hardware
redundancy while the computational processing limitation affects those decisions
pertaining to the choice of the control and FDI techniques to be used on-board.
In addressing these limitations space systems typically use (i) geometric solutions,
such as the 4-to-3 inertial measurement units (IMU) configuration found in many
satellite systems where four individual IMUs are positioned to provide redundant
measurements in three axes (see Figure 19.1), or (ii) complete hardware duplication
solution when the criticality of the system is high. An example of the latter is the use
of two (fully independent) thruster sets in failover configuration, where the primary
set is active until an abnormality is detected at which time the secondary set is
activated and the first is switched off (note that in this case, only a fault detection
scheme might be required, which helps address the processing limitation). For other
space systems such as winged atmospheric re-entry vehicles (e.g. Space Shuttle,
X33, X38) it was seen in chapter 1 that they have more aircraft-like configurations
where more redundant control actuation architectures, such as those presented in this
book, can be used – capsules, like the Apollo or Soyuz, are similar but again with
more limited weight capabilities, compounded by the more restrictive aerodynamic
and controllability characteristics resulting from their lower Lift-to-Drag ratios.
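
The 4-to-3 geometric redundancy and the detection-only scheme mentioned above can be illustrated with a parity check on four gyro readings. This is an added example, not code from the book or the RECOVER benchmark; the sensor geometry (three orthogonal axes plus one skewed axis), the readings and the threshold are assumptions constructed for illustration.

```python
import math

S = 1.0 / math.sqrt(3.0)
# Assumed geometry (constructed): one sensing axis per row, unit vectors in the
# body frame. Three orthogonal gyros plus a fourth skewed equally to all axes.
H = [
    [1.0, 0.0, 0.0],
    [0.0, 1.0, 0.0],
    [0.0, 0.0, 1.0],
    [S, S, S],
]


def det3(m):
    """Determinant of a 3x3 matrix given as a list of rows."""
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def parity_vector(h):
    """Unit vector v with v^T h = 0 for a 4x3 geometry matrix.

    Each component is the signed 3x3 minor obtained by deleting one row, so
    the result works for any non-degenerate 4-to-3 arrangement.
    """
    v = [(-1) ** i * det3([row for j, row in enumerate(h) if j != i])
         for i in range(4)]
    norm = math.sqrt(sum(x * x for x in v))
    if norm < 1e-12:
        raise ValueError("degenerate geometry: axes do not span three dimensions")
    return [x / norm for x in v]


def measure(h, rate, fault=(0.0, 0.0, 0.0, 0.0)):
    """Noise-free sensor readings for a body rate, plus an additive fault."""
    return [sum(a * w for a, w in zip(row, rate)) + f for row, f in zip(h, fault)]


def solve3(a, b):
    """Solve the 3x3 system a x = b by Cramer's rule."""
    d = det3(a)
    if abs(d) < 1e-12:
        raise ValueError("singular normal equations")
    return [det3([[b[r] if c == k else a[r][c] for c in range(3)]
                  for r in range(3)]) / d for k in range(3)]


def least_squares_rate(h, m):
    """Body-rate estimate from all four readings: (H^T H)^-1 H^T m."""
    a = [[sum(h[k][i] * h[k][j] for k in range(4)) for j in range(3)]
         for i in range(3)]
    b = [sum(h[k][i] * m[k] for k in range(4)) for i in range(3)]
    return solve3(a, b)


def check_imu(h, m, threshold):
    """Return (rate estimate, parity residual, fault flag).

    The residual v^T m is independent of the true rate because v^T H = 0, so
    anything above the threshold comes from sensor error, not from motion.
    """
    v = parity_vector(h)
    residual = sum(vi * mi for vi, mi in zip(v, m))
    return least_squares_rate(h, m), residual, abs(residual) > threshold


if __name__ == "__main__":
    true_rate = [0.01, -0.02, 0.005]   # rad/s, constructed
    threshold = 0.005                  # rad/s, constructed
    cases = [("healthy", (0.0, 0.0, 0.0, 0.0)),
             ("bias on sensor 1", (0.0, 0.05, 0.0, 0.0))]
    for label, fault in cases:
        est, res, flag = check_imu(H, measure(H, true_rate, fault), threshold)
        print(label, [round(x, 5) for x in est], round(res, 5), flag)
```

With four sensors the parity residual is a single scalar, so a fault can be flagged but not attributed to one sensor, which matches the detection-only role described for failover architectures.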

Fig. 19.1 4-to-3 inertial measurement units (IMU) in Proba 2, Verhaert Space. Kruibeke,
Belgium. Picture: Paul Hopff.
530 P. Goupil and A. Marcos

The space systems’ stringent hardware redundancy limitation has a positive influence
on the consideration of advanced (model-based) FDI/FTC techniques, which
provide redundancy without significant weight increase (analytical redundancy).
Despite this, the processing limitation as well as implementation, performance,
reliability and certification issues have all slowed the use of these techniques in space.
Nevertheless, the perspective for the future is bright as there is a growing need to
move towards greater space system autonomy which requires ‘intelligent’ technology
for self-diagnosis and self-healing. This need is driven by the more challenging
requirements of future space missions, examples of which are the lunar/Mars robot
and human campaigns (such as the very successful NASA Mars Exploration Mission
or ESA Exomars and Mars Sample Return, both currently in development), and
the on-the-drawing-board science missions involving multi-craft formation flying,
Near Earth Objects (NEO) or deep space exploration in general (e.g. ESA Proba-3
and the twelve-spacecraft Cross-scale concept, or the joint NASA/ESA LISA
mission).

19.3.1 Context and Significance of the FM-AG16 for Space Systems

As mentioned above, there are space systems (i.e. atmospheric re-entry vehicles) to
which the techniques presented in this book can be more readily transferred since
these systems share common problems and potentially require similar solutions to
aircraft FDI/FTC. For other space systems such as satellites the techniques
presented have for now only limited use since most of the considered approaches take
an over-determined (in actuation terms) system perspective or are based on specific
particularities of aircraft motion. Of course this limitation is just a reflection that
knowledge of a system is critical to develop an appropriate control or FDI scheme
and does not imply that the techniques could not be equally well used for
satellites or other space systems. Additionally, it is highlighted that despite the inherent
differences between aeronautics and space systems, the former have almost always
been used as the perfect technological test-bed for the latter – indeed, note the close
relationship in the US between space and aeronautics research as epitomized by the
NASA Dryden, Glenn and Langley test centers. Thus, the aircraft application of the
FDI and FTC technologies presented in this book is highly relevant for the future
introduction of the techniques in space as the assessment of the results provides a
first glimpse of their technological readiness level (TRL) (see Figure 19.2). It is from
this perspective that the following evaluation is undertaken.
In order to help contextualize the significance of the results, an assessment of the
objectives and evaluation methodology (see Chapters 6, 7 and 16) of the GARTEUR
FM-AG16 project is given next.
First, it is very commendable that the project did not focus only on fault tolerant
approaches but that it also examined the interplay between FDI and FTC, with
several of the approaches directly emphasizing and utilizing it. This is very refreshing
since most of the fault-related R&D projects in the last two decades have focused
either on FDI or FTC as if they were two independent systems. The latter type of
projects typically assume (almost) ideal knowledge of the fault information which
then limits the impact of the associated results as the performance of the FDI filter
is the main limitation for the performance of an active FTC scheme.

Fig. 19.2 Technology Readiness Level scheme, source: NASA

Additionally, the evaluation methodology used in GARTEUR 16 involved a very
well defined and realistic simulation benchmark, arising from an already mature
FDI/FTC aircraft model², as well as pilot-in-the-loop and a renowned 6DoF motion
simulator such as SIMONA, all of which represent a TRL level shift from 3/4 to
5/6. This incremental validation supports the interest of the aeronautics and space
fields in these advanced techniques and greatly increases the significance of the
results. The main complaint about the evaluation and presentation of the results is that
no real examination of the performance versus robustness trade-off is performed for
any technique, with for example no design team including a Monte Carlo campaign
or even a limited (e.g. maximum and minimum uncertainty) validation assessment.
With respect to practical concerns (such as implementation issues, formalization of
the approaches within an industrial design process, or the addressing of the resulting
designs’ certification) it is well recognized that the FM-AG16 project represents a
first R&D step towards aircraft implementation of advanced FTC/FDI schemes, and
thus sets the path for subsequent more-industrially oriented developments.
Nevertheless, it is worth noting that some of the design teams did address the important
industrial aspect of tuning and real-time implementation of the designs.

² As indicated in chapter 6, the main aircraft simulation model used in the RECOVER
benchmark is the 2003 FTLAB747 version 6.5 developed at the University of Minnesota
within the context of the NASA Aviation Safety Project (AvSP) – based on the Delft
University/NLR DASMAT and FTLAB Matlab version 4.2 models. The FTLAB747v6.5 has
been used in the US during the last 7 years to assess model and data based aircraft FDI and
FTC approaches under the auspices of NASA by many industry and university research
groups, and as shown in this book, it has evolved in Europe under GARTEUR’s impulse
to become a significant and realistic FDI/FTC aircraft benchmark.

19.3.2 Assessment of the Techniques and Results


Due to the usual programmatic complexities of this type of project, there is some
dispersion in the validation of the different approaches (e.g. some of them only use
a partial set of the fault scenarios or of the benchmarking metrics), which makes a
proper comparative benchmarking of the techniques’ achievements very difficult.
Thus, a review of each technique is performed, mostly focusing on the technique’s
results rather than its significance with respect to the other approaches.
Chapter 8 describes an on-line sliding mode control (SMC) scheme that in
theory necessitates no FDI to fulfill its fault tolerance task. The developed technique
addresses the total failure case, which was claimed in the past to be a shortcoming
of FTC SMC approaches since it had not been proved that they could consider this
case directly in a rigorous manner. A pseudo code of the design process is given as
well as insight on the tuning knobs used in the approach, which greatly facilitates
judging the possible incorporation of the approach in an industrial design process.
The approach presented was evaluated on SIMONA, see chapters 16 and 18, and the
results are very deserving (including a very light computational workload as shown
in Table 5 of chapter 16), all of which helps demonstrate the mature level of SMC
technology for FTC. Despite the claim that no FDI is necessary, the authors
recognize that information on the actuator effectiveness matrix is required, which for
space systems (where for example effective thruster firing is very difficult to
estimate individually) is tantamount to requiring an actuation FDI scheme. The space
industrial plausibility of SMC techniques, and their associated sliding mode observer
(SMO), is exemplified by JAXA Micro LabSat (launched on December 14th 2002)
which carries a 3-axis SMC attitude controller [5].
Chapter 9 focuses on a FTC system formed by a classical autopilot and a
robust control law based on an adaptive model-following (AMF) approach. The use of
AMF allows, in principle, stability using Lyapunov conditions, dynamic inversion
ideas and a given reference model (that must satisfy the usual invertibility
conditions arising from the latter ideas). Good discussions are found on the limitations
and practical solutions for the approach, which indicate a very industrially-oriented
mentality from the design team. Due to the focus on the FTC component and in
trying to satisfy a no-FDI module philosophy, the results for some of the more
critical fault scenarios are very challenging to the control law. As shown later by the
authors, the proposed FTC-AMF law can be complemented with FDI and optimal
control allocation (CA) modules to successfully tackle these more challenging fault
scenarios. The technique should not be much more difficult to implement or be
more computationally demanding than other adaptive techniques, but will require
the usual precautions on numerical integration (of the adaptive gains) and more
notably on the selection of the reference models. With respect to this issue, and with
a desire to maintain the no-FDI philosophy, it is noted that it should be perfectly
plausible to use banks of reference (faulty) models in the spirit of model-reference
FDI schemes such as Kalman – although of course this has its own advantages and
disadvantages.
Chapters 10 and 13 form a cohesive conceptual approach, with a mix of
subspace-identification and model predictive control (MPC) for the first approach and of
parametric-identification plus nonlinear dynamic inversion (NDI) for the latter.
This cohesion in the approaches arises from the research interaction of two
distinct groups at Delft University of Technology. Interest in the space community
for MPC-based approaches is increasing due to the nice characteristics of the
approach (optimal command input calculation based on predicted output behaviour,
multi-objective, elegant theoretical underpinning) and the important computational
reductions accomplished in the last few years that address the practical processing
shortcomings of these methods. The situation for parametric and subspace
identification methods is similar as they both need to deal with closed-loop data, noise
and robustness issues in a fast and reliable manner – especially if they are to be used
for on-board FDI/FTC. For deep space and NEO missions, where the system time
constant from a navigation perspective is relatively slow, MPC should be a good
candidate technology to achieve a large degree of autonomy if further improvements
towards computationally light identification approaches can be achieved. Similarly,
the use of NDI as a control technique is also becoming very standard in re-entry
space systems, with for example the Space Shuttle guidance based on inversion
concepts, and is expected to become a popular candidate control technique in the
future (it is noted that it was used for the flight control system of one of the two X35
Joint Strike Fighter candidates [1]).
The technique proposed in Chapter 10 is based on subspace predictive control
(SPC), which is a mix of the better-known MPC approach with subspace
identification methods. SPC uses input-output data to obtain a prediction of the future
outputs, which helps to indirectly account for fault effects, and calculates a
one-step-at-a-time control output to optimally achieve the desired objectives. It has the
advantage of using closed-loop data in an unbiased, computationally efficient
manner by means of a recursive-updating scheme. Similar to chapter 8 the authors also
acknowledge the practical advantage of using FDI information and thus apply a
multiple-model estimation approach to obtain the required information on the
available control surfaces. The chapter discusses the proposed design approach and
provides insight on the process with the advantage of including a dedicated section on
the real implementation issue (which is a must for MPC-based approaches). The
evaluation results show good responses to all the fault scenarios demonstrating the
potential of the approach despite the computational workload, see Table 5 of chapter 16,
which in this case is further compounded by the subspace identification component.
Chapter 10 is very complete and has two distinct parts: the first presenting the
parametric identification approach and the second the adaptive NDI control design
wrapped around the identification results. The proposed approach has been
developed over 20 years at Delft University of Technology, see chapter 4, as
exemplified in chapter 13 and subsequently in the SIMONA evaluation (chapter 17), and
consequently it is quite mature. Very detailed insight and comments are given on
the approach and on the key issues, which gives a good perspective on its
capabilities. The idea of the approach is to address the robustness problem endemic to
NDI control solutions by including as precise as possible knowledge of the
to-be-inverted aircraft dynamics. This knowledge comes from applying a two-step
identification method composed of a Kalman-based state estimation step, followed by
a least squares aerodynamic identification step. The results demonstrate a high level
of accomplishment on par with those for the SMC technique of chapter 8 (both in
the wide array of fault scenarios covered but also in terms of insight on the
approach). From Table 5 of chapter 16, it is seen that the computational load is quite
high, which as noted by the authors is the result of the use of an iterative Extended
Kalman filter.
Chapter 12 uses the well-known robust H∞ approach to design a fault tolerant
controller against horizontal stabilizer faults. The authors discuss some very
important practical issues for the acceptance of FTC schemes such as FDI detection
time delay and switching/activation effects – although the subsequent development
only covers them very informally. The approach presented is based on an
architecture stemming from the Youla parameterization (actually the four-parameter
controller [2]), which allows the design of a fault tolerant compensator (following
anti-windup and input saturation nomenclature [3]) based on the coprime
factorization FDI technique. The approach presented is important in that it allows retaining
the nominal controller performance in the no-fault case and only activates the fault
tolerant compensator when a fault is unequivocally detected, a property that has
great implications towards the certification of such an FTC scheme. As shown in
Table 5 of chapter 16, the computational load is comparable to that of the classical
baseline controller thanks to the fixed LTI compensator used (and an assumption
that the proper FDI information is readily available). H∞ methods, and their natural
evolution to linear parameter varying (LPV) approaches, are well-matured control
technologies as exemplified by their use in space (Ariane launcher [4]) and
aeronautics (an LPV flight control system was the other of the two X35 Joint Strike Fighter
candidates [1]). Although H∞ technology, to the best of the author’s knowledge, has
not been deployed yet specifically for FDI/FTC in an industrial platform there is a
recent flurry of ESA and aeronautical studies aimed at their evaluation within an
industrialized setting, which highlights the relevance and maturity of the techniques
for space.
Chapter 14 presents a combined FDI, NDI and optimal control allocation scheme
matured over several years at QinetiQ. A highly appreciated candid account is
given by the authors of their experiences on the application of different approaches
for each of the three modules from a practical perspective (considering ease of
tuning, implementation problems and other aspects in the control design cycle).
Additionally, the extremely important (for aircraft) issue of flight envelope
protection (FEP) is considered – for space systems this will be relevant possibly only for
atmospheric re-entry vehicles and launchers. The results show that the
combination of FDI and optimal control allocation can be effectively used and moreover,
that a systematic FDIR design process, with fast design turn-around and wide
system coverage, can be obtained when all the key modules have achieved a matured
independent development stage.
Chapter 15 is the only chapter fully dedicated to FDI. The main result is a
feasibility proof for complete isolation of actuator faults for the nominal case. The
importance of this proof is in providing a minimal number of surface angle sensors
required to achieve complete fault isolation. As noted in the chapter’s summary, it
is hoped that further research will be performed to develop similar proofs for both
sensor and actuator faults, and considering the robustness and noise issues. The
achievement of such proofs can have potential implications in space, principally for
system design, as it could pave the way to decide early on in the system development
process the number and position of the sensors and actuators.

19.3.3 Conclusion
In summary, a wide array of techniques have been used, by teams spanning several
European countries and backgrounds, in examining the applicability of FDI/FTC
technology to aircraft under the auspices of the GARTEUR FM-AG16 project. A
well-defined and focused objective, rooted and supported by industrialists, was
established and has led to some of the technologies increasing in their TRL level from
3/4 to 5/6 (the latter corresponding to the piloted evaluation at SIMONA). This
should be the first of a series of steps, increasingly industrially-oriented, required to
further increase the techniques’ TRL and help bridge the technological gap between
the academic developments and the industrial implementations. Among these steps,
proper evaluation of the results using standard techniques and metrics that
industrialists can relate to should be a must, for example application of worst-case and
Monte Carlo analyses leading to a clear understanding of the robustness versus
performance trade-off for each technique. From a space application perspective, the
project and results are highly relevant due to the difficult validation and testing of
the approaches under real space environment conditions, which makes these results
a first indispensable step towards their consideration in space.

References
1. Balas, G.J.: Flight control law design: An industry perspective, fundamental issues in
control. European Journal of Control 9(2-3), 207–226 (2003); Special issue
2. Jacobson, C.A., Nett, C.N.: An integrated approach to controls and diagnostics using the
four parameter controller. IEEE Control Systems Magazine 11(6), 22–29 (1991)
3. Marcos, A., Turner, M., Postlethwaite, I.: An architecture for design and analysis of
high-performance robust antiwindup compensators. IEEE Transactions on Automatic
Control 52(9) (September 2007)
4. Mauffrey, S., Meunier, P., Seillier, F., Ganet, M., Rongier, I.: H-infinity control for
Ariane 5 plus launcher: The industrialisation of a new technology. In: Proceedings of 5th
International Conference on Launcher Technology, Madrid, Spain (2003)
5. Terui, F., Noda, A., Nakasuka, S.: Sliding mode attitude control of a bias momentum
micro satellite using two wheels. In: Advances in Variable Structure Systems: Analysis,
Integration and Applications, pp. 425–441. World Scientific, Singapore (2000)
6. Goupil, P.: Oscillatory Failure Case detection in the A380 Electrical Flight Control
System by analytical redundancy. To appear in Control Engineering Practice (2009),
doi:10.1016/j.conengprac.2009.04.003
7. Van den Bossche, D.: The A380 Flight Control Electrohydrostatic Actuators,
Achievements and Lessons Learnt. In: Proc. 25th Congress of the International Council of the
Aeronautical Sciences, Hamburg, Germany (2006)
8. Goupil, P.: AIRBUS State of the Art and Practices on FDI and FTC. In: Proc. of the
7th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes,
Barcelona, Spain, June 30 - July 3, pp. 564–572 (2009)

Chapter 20
Concluding Remarks

Christopher Edwards, Thomas Lombaerts, and Hafid Smaili

20.1 Summary of Achievements


The GARTEUR Action Group FM-AG(16) on Fault Tolerant Control, of which this
book is the culminating result, has made a significant step forward in terms of
bringing novel ‘intelligent’ self-adaptive flight control techniques, originally conceived
within the academic and research community, to a higher technology readiness level.
Although work still remains to be done before stringent safety and certification
requirements are met, as stipulated by the industrial reviewers in the previous chapter,
this book should provide a practical reference for the aerospace community on novel
fault tolerant flight control techniques and their integration within the aircraft and
cockpit environment. This includes studies on the application and integration issues
of modern fault tolerant control techniques and a description of several innovative
fault tolerant flight control methods. It is hoped that the promising results obtained
in this project, and described in this book, will motivate the further maturing, testing
and safe integration of the methods. Furthermore, it is hoped the book and the
accompanying software will provide a reference and benchmark for a critical review
of new advanced flight control designs.
Christopher Edwards
University of Leicester, Control and Instrumentation Research Group,
Department of Engineering, University Road, Leicester, LE1 7RH, UK
e-mail: chris.edwards@le.ac.uk
Thomas Lombaerts
Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1,
2629 HS Delft, The Netherlands
e-mail: t.j.j.lombaerts@tudelft.nl
Hafid Smaili
National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam,
The Netherlands
e-mail: smaili@nlr.nl

C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 537–539.
springerlink.com © Springer-Verlag Berlin Heidelberg 2010

Part I of this book provided a background on the current technological challenges
when faced with the problem of improving the survivability and resilience of the
next generation of aircraft, while ensuring recovery and safe control of the aircraft
during adverse or upset conditions. The application of fault tolerant flight control,
as a technology solution to this problem, has been addressed in this project and
described in the book. The assessment of several new fault tolerant control design
approaches applied to a realistic high fidelity aircraft benchmark problem has been
described in Parts II and III. Real-time aircraft integration of the controllers was
assessed in a joint experimental programme (described in Part IV) that consisted
of a unique collaboration between experienced pilots, flight control system design
engineers and industry representatives. Industrial perspectives from two leading
European aerospace organisations were provided in Part V, which give feedback on the
maturity level achieved by the proposed fault tolerant control techniques. This
includes aircraft integration issues and areas needing further improvement, testing or
attention.
From a scientific and research perspective, this project provided an opportunity
for undergraduate and post-graduate students to conduct work on the topic of fault
tolerant control based on a realistic advanced flight control problem. GARTEUR
again proved to be an excellent framework for the exchange of ideas, knowledge
and feedback between all member organisations within the Action Group. This re-
sulted in several conference papers, journal and magazine publications, workshops,
a special session at a conference, and this book.
The GARTEUR RECOVER benchmark, developed in this Action Group as a
Matlab®/Simulink® platform for the design and integrated (real-time) evaluation
of new fault tolerant control methods, consists of a set of high fidelity simulation
and control design tools, including aircraft fault scenarios validated against
accident flight data. The benchmark supports tool-based design, and the evaluation of
modern fault tolerant control techniques providing engineering insights into
control system performance using integrated assessment criteria and high resolution
aircraft visualisation. The modularity of the benchmark makes it customisable to
address research goals in terms of aircraft type, flight control system configuration,
failure scenarios and assessment criteria.
This book and the accompanying software may be used as an introduction to the
topic and can be used for educational or demonstration purposes. Within a research
or industrial framework, the book and the software tools may provide a reference
to support new advanced flight control system designs and testing activities both
off-line and in piloted hardware-in-the-loop simulation.

20.2 Future Research


The proposed fault tolerant flight control designs in this book should be regarded
as a first ambitious step towards assessing their potential to improve the recovery
and survivability of aircraft in adverse or upset conditions. Follow-on work will
be conducted by the research organisations within the Action Group to address the
areas of improvement identified during the project, both from a design and real-time
aircraft integration aspect. Close collaboration with industry will also be maintained.
This Action Group in particular demonstrated the importance of protecting the
aircraft’s operational envelope following a failure of a critical onboard system or
degradation of the aircraft handling characteristics. Based on the experimental
evaluations in this project, it was recognised that protection of the operational envelope
should be an integral part of any new intelligent self-adaptive control system. This
should not only ensure acceptable controllability in degraded conditions, but also
safe control of the aircraft within the remaining performance and controllability
boundaries. Additional issues requiring more extensive investigation include
sensor redundancy, and fault detection and identification requirements to ensure that
reliable information is supplied for control reconfiguration and identification of the
aircraft operational boundaries. These topics are currently being studied in
follow-up projects as part of continuing work programmes at the Action Group’s
organisations – some of which are supported by the European Commission FP7 project
‘ADDSAFE’.
Within the international aviation community, urgent measures and interventions
are being undertaken to reduce the number of loss-of-control accidents caused by
mechanical failures, atmospheric events or pilot disorientation. Within this area, the
application of fault tolerant and reconfigurable control, including aircraft envelope
protection, has been recognised as a possible long term option for reducing the
impact of flight critical system failures, pilot disorientation following upsets or flight
outside the operational boundaries in degraded conditions (e.g. icing). Fault
tolerant flight control, and the (experimental) results of this Action Group, may further
support these endeavors in providing technology solutions aiding the recovery and
safe control of aircraft in degraded or upset conditions. Several organisations within
this Action Group, conducting aircraft upset recovery training and simulation
research, will utilise the experience obtained in this project to study future measures
in mitigating the problem of loss of control and upset recovery and prevention.
The members of the GARTEUR Action Group FM-AG(16) hope that the results
of this project will contribute to a further improvement in the safety and quality of
tomorrow’s air travel.
Appendix
Getting Started with the GARTEUR RECOVER Benchmark

1 Introduction
The GARTEUR REconfigurable COntrol for Vehicle Emergency Return
(RECOVER) aircraft simulation benchmark was developed to demonstrate, both
offline and in real-time (piloted) simulation, the performance and viability of newly
designed fault tolerant flight control algorithms. The software package, based on the
Delft University Aircraft Simulation and Analysis Tool DASMAT [2], is equipped
with several simulation and analysis tools, all centered around a generic non-linear
aircraft model for six-degrees-of-freedom non-linear aircraft simulations. For high
performance computation and visualisation capabilities, the package has been
integrated as a toolbox in the computing environment Matlab®/Simulink®. The tools
of the RECOVER benchmark include trimming and linearisation for (adaptive)
flight control law design, non-linear off-line (interactive) simulations, simulation
data analysis and flight trajectory and pilot interface visualisations. The modularity
of the RECOVER software allows customisation by applying user-generated
models to the generic package for the simulation of any specific aircraft type or fault
scenario. In conjunction with the Matlab®/Simulink® Real-Time Workshop®,
the benchmark model is suitable for integration on simulation platforms for piloted
hardware in the loop testing.
The GARTEUR RECOVER benchmark provides enhanced graphical and
high-resolution aircraft visualisation capabilities, that interface with the Matlab®
environment, to support tool-based advanced flight control system design and
evaluation. This includes, for instance, the visualisation of flight data, the animation
of fault or aircraft upset recovery scenarios or (real-time) analysis of flight control
system states and performance.
The capabilities of the GARTEUR RECOVER benchmark software are suitable
for any educational or demonstration purposes, providing insight into the design of
adaptive flight control algorithms, aircraft flight dynamics and handling qualities
and human factors interfaces.
This Appendix provides a practical guide to get started with the GARTEUR
RECOVER Simulation Benchmark software package. It provides the necessary steps
to install the software (Section 3) and get familiar with the model structure (Section
5) and the main features of the benchmark environment (Section 6). Some
practical examples demonstrate the steps necessary to run a benchmark simulation
(Section 6.2). It is assumed that the user is familiar with the installation and use of
the Matlab®/Simulink® programming environment (references can be found in
[13, 14] or on the website of The Mathworks (www.mathworks.com)). For the
application of the benchmark, the user should have a basic understanding of general
rigid body aircraft dynamics and aircraft simulation modeling. An introduction to
these subjects can be found in several excellent books (e.g. [9, 12]). In this aspect,
the GARTEUR RECOVER benchmark is an ideal tool to complement any studies
on the introduction of flight control and aircraft simulation modeling using
challenging design problems.
The GARTEUR RECOVER benchmark should be regarded as a research tool
providing the flexibility for customisation using a modular structure. As such, the
Getting Started with the GARTEUR RECOVER Benchmark 543

user is encouraged to explore and experiment with the software as much as possible
to obtain insight into the model structure and its features, and adapt it to his or her
own research requirements. Names and descriptions of blocks and signal definitions
in the benchmark model provide a guide for the user on the model interfacing re-
quirements. An introduction to the RECOVER benchmark, including development
background, software architecture, the main features and the aircraft operational
characteristics has been provided in Chapter 6 of this book. For more details and in-
sight into the generic simulation architecture, including the GARTEUR RECOVER
benchmark mathematical models, applied reference frames, variable definitions and
sign conventions the user may refer to the references [2, 3, 4, 5, 6, 7, 8, 10].
The GARTEUR RECOVER benchmark is distributed as open source software to
accompany this book on fault tolerant flight control design and simulation for civil
transport aircraft. The software package can be downloaded, after registration, from
the GARTEUR project website hosted by NLR (www.faulttolerantcontrol.nl).
Any updates of the GARTEUR RECOVER benchmark, including documentation
and release notes, will be made available via the website.

2 System Requirements
The GARTEUR RECOVER benchmark was designed to run under Matlab® 6.5.1
and Simulink® 5.1 as part of Release 13/Service Pack 1 (R13SP1). This means that
the benchmark model can also be used with higher versions of Matlab®/Simulink®.
To install and operate the benchmark model, any PC that complies with the minimum
hardware requirements to properly run Matlab®/Simulink® is suitable. The
website of The Mathworks (www.mathworks.com) provides further details on
the hardware requirements to install and run Matlab®/Simulink®.
The graphical visualisation capabilities of the GARTEUR RECOVER benchmark,
especially the aircraft animation features, require at least a graphics card
that supports Direct3D. OpenGL compatible hardware acceleration is recommended
to improve the overall graphics quality and hardware performance of the
RECOVER visualisation features. For customisation of the visualisation tool within
Matlab®/Simulink®, specifically the inputs that drive the graphical displays, a
C-compiler needs to be installed. When running the benchmark within Matlab® 7.1
(Release 14) under Windows XP, the buttons of the benchmark main menu do not
display correctly. This graphics issue does not occur in Matlab® 6.5.1 (R13SP1)
and should be solved for later versions of Matlab® 7.1 (R14).
The GARTEUR RECOVER benchmark was tested under Windows XP and Windows
VISTA. For the current version of the benchmark (version 2.2) no issues, other
than those mentioned in this guide, are known under these operating systems.

3 Installation and Initialisation


The GARTEUR RECOVER benchmark software package is distributed via the
GARTEUR project site hosted by NLR (www.faulttolerantcontrol.nl).
After registration, the software can be downloaded as a packed ZIP archive. The
following steps are necessary to download and install the benchmark within the
Matlab® 6.5.1 (R13SP1) environment.
• After registering, download the software package from the GARTEUR project
website (www.faulttolerantcontrol.nl).
• Unzip the package into a temporary directory.
• Copy the unzipped package into a suitable destination directory, preferably into
the Toolbox directory of Matlab®. Make sure that the directory structure of
the unpacked package is retained.
• Append the RECOVER benchmark directories to the Matlab® path. The
Matlab® references provide information on how to configure the path.
• Change the Matlab® directory to RECOVERv65. Datafiles generated by the
benchmark tools will be made available in the data directory.
• The benchmark can be started by typing recover in the Matlab® command
window which activates the main user menu. This will provide further steps to
start running any simulations or exploring the features and models of the
RECOVER benchmark.
The benchmark can be uninstalled by deleting the directory RECOVERv65.
Please make sure that any backup copies are made of the user generated datafiles in
the data directory before deleting.

4 License Agreement
The GARTEUR RECOVER benchmark package is distributed with this book as a
collective work. The Matlab®/Simulink® models of the benchmark are distributed
under the Open Software License (OSL) version 3 or later, whereas the benchmark
visualisation tool remains copyrighted by NLR (although freely distributable with
the RECOVER benchmark). The OSLv3 license allows the user of the software to
modify the models according to his or her own requirements and applications and
re-distribute the software to other users under the OSLv3 licensing terms and con-
ditions and NLR copyright. Any notices and text, including the attribution to the
original developers and the book, should remain in the software package and mod-
els. To facilitate the development or application by other users, developers that have
adapted the software are required to include an appropriate attribution notice in the
source code to inform new users that the original software has changed. The OSLv3
license is available in the file license.txt as part of the GARTEUR RECOVER
software package. Please take notice of the licensing terms and conditions before
using the software.

5 Model Structure
The aim of the following section is to provide an overview of the main model struc-
ture of the GARTEUR RECOVER benchmark. This can be used as a starting point
to further explore the model. Reference [2] provides information on all the submod-
els that comprise the generic aircraft simulation in the benchmark including input
and output formats of the individual generic simulation blocks.
The benchmark Matlab®/Simulink® environment has been developed in a modular
and layered structure using (masked) system blocks and subsystem blocks. In
this structure, each block has its specific input and output formats and signal
definitions. When customising the RECOVER benchmark simulation for any particular
research application, it is important to maintain the model format and signal rela-
tionships as much as possible to prevent any inadvertent mismatches between the
many subsystems and library components. Due to the complexity of the GARTEUR
RECOVER benchmark model, it is recommended to always make use of a version
control method to track any changes or revert to a working version of the benchmark
if necessary.
Chapter 6 of this book provides an introduction to the model structure of the
benchmark and its components.

5.1 Model Architecture


The software architecture of the GARTEUR RECOVER simulation benchmark
(Fig. 1) comprises a combination of generic aircraft models and aircraft specific
modules including aerodynamics, flight control systems and propulsion systems.
For the RECOVER benchmark, the aerodynamic, flight control systems and propul-
sion model are representative of the Boeing 747-100/200 aircraft [5, 10]. Through
the graphical user interface, the user has access to the RECOVER benchmark simu-
lation and analysis tools (Section 6).

5.2 GARTEUR RECOVER Benchmark Libraries


The GARTEUR RECOVER benchmark model consists of a combination of
Matlab® scripts and Simulink® block diagrams. The Simulink® block diagrams
are built in a layered, modular structure consisting of subsystems with a fixed
interface definition between the block inputs and outputs ([2]). In order to ensure
consistency, the top-level models have been built from common blocks that are linked to
Simulink® libraries. All blocks and libraries are contained in the root directory of
the benchmark called RECOVERv65 (extension v65 referring to Matlab® version
6.5.1 (R13SP1)). The RECOVER benchmark libraries can be regarded as a central
repository of the main benchmark simulation models. All blocks in the benchmark
that are linked to a library are automatically updated by any changes of a library
block. As such, it is not recommended to change a library block in the benchmark
locally. However, if required, the linked blocks in the benchmark model can be
changed when the link to the library is disabled. This is accomplished by selecting
Disable Link in the Matlab® message dialog window which appears as soon as the
user tries to change the block. In order to change a block in the library, it first needs
to be unlocked by selecting Unlock Library in the Matlab® edit menu. It should
be noted that any changes to the interface definitions of the models in the library
should be made carefully. This includes the names of the blocks as the library links
use the block names as a reference.

Fig. 1 GARTEUR RECOVER benchmark software architecture and analysis tools relationships

A basic library (B747_library.mdl) for the simulation of the B747-100/200
aircraft model in the benchmark, contains the basic aircraft, engine and actuator
models, complete with failure models (Fig. 2). For the GARTEUR RECOVER
benchmark, an additional library was developed (ag16_library.mdl), based on
the basic library, that contains the larger and more extensively modified submodels
out of which the top-level benchmark is built (Fig. 3). This extended library contains
models of the aircraft, the actuators, the sensors, the classic flight control system and
the benchmark failure generator.

5.3 GARTEUR RECOVER Model Components


The actual benchmark model (b747_auto_g.mdl) is depicted in Fig. 4 and is
also described in Chapter 6. The airframe block is the combination of the aircraft
aerodynamic model, engines and actuators. It also contains the fault models and
the turbulence and wind models. The inputs to this block are twenty-six separately
controllable aerodynamic surfaces and four engine controls. The autoflight block
represents the implementation of the classic Boeing 747-100/200 autoflight system
based on [7]. This is the block that is to be replaced by any new fault tolerant
controller design and is intended as a working example of how the new controller is
supposed to fit into the aircraft. The classic autoflight system block consists
internally of the B747-100/200 hydro-mechanical flight control system model (FCS),
which forms the inner control loop, and the autopilot and autothrottle systems which
together form the outer control loop.

Fig. 2 GARTEUR RECOVER benchmark basic aircraft simulation library (B747_library.mdl)

Fig. 3 GARTEUR RECOVER benchmark component library (ag16_library.mdl)

Fig. 4 GARTEUR RECOVER benchmark main model components (b747_auto_g.mdl)

An open-loop simulation model (b747_funpc_d.mdl), enabling e.g. real-time
interactive ‘engineer-in-the-loop’ simulations, is available as part of the benchmark
package (Fig. 5). It contains the same aircraft, engine, actuator model and failure
generator as found in the main benchmark model. The open-loop model is in a
functional form, i.e. it has explicit inputs (12) and outputs (140). The inputs of the
open-loop model consist of the pilot’s controls as found on the Boeing 747 aircraft.
The structure of this model is very similar to the model that is used for trimming
(b747_trim_d.mdl).

Fig. 5 GARTEUR RECOVER functional model for open-loop simulation (b747_funpc_d.mdl)

To enable real-time ‘engineer-in-the-loop’ simulations, a Simulink® S-function
block (sf_realtime), which emulates approximate real-time conditions, is included in
the top level of the open-loop model. An additional block library in the RECOVER
root directory (Stick_interface_library.mdl) provides a Simulink® stick
manipulator block to interface with the pilot control inputs of the open-loop model.
Depending on the stick configuration, adaptation of the stick interface model by the
user might be necessary.
Fig. 6 shows the Simulink® model structure at Level 5 of the benchmark
airframe block. This level shows the main layout of the RECOVER aircraft simu-
lation model consisting of the generic simulation models and aircraft specific mod-
ules. The aircraft specific modules (Airframe model (AFM) block and Engine frame
model (EFM) block indicated with a blue background) can be customised for any
particular aircraft taking into account the interface definitions of the blocks.
The blocks that are not specific for any aircraft and that are part of the generic
simulation models ([2]) are displayed with a white background. The generic simu-
lation blocks consist of:

AIRDATA block
The atmospheric and airdata parameters are calculated in this block. The equations
are compiled in a MEX-type Simulink® S-function ac.atmos.mex.

WIND/TURBULENCE block
In this block, the wind and gust velocities are calculated based on user-supplied
Simulink® S-functions of wind and turbulence models. The benchmark simulation
uses zero wind and zero turbulence conditions by default. The block includes a
switching capability for the selection of a turbulence model based on Dryden spectra
or a wind model that includes a wind profile based on meteorological data estimated
at the time of the Flight 1862 aircraft accident.

Fig. 6 GARTEUR RECOVER benchmark Simulink® block diagram showing main aircraft
simulation model at Level 5 of the airframe system block

AFM block
In this block the forces and moments of both the aircraft aerodynamics and turbu-
lence are calculated. The aerodynamic forces and moments are determined from the
aircraft specific aerodynamic model.

EFM block
This block calculates the propulsion forces and moments based on the aircraft spe-
cific engine model.

GRAVITY block
This block calculates the components of the gravity force in the air-path, stability,
body and moving earth reference frames. The gravity force is calculated in the mov-
ing earth reference frame from the aircraft mass and the altitude varying gravity
acceleration.

FM SORT block
In this block all forces and moments calculated from the aerodynamic model, tur-
bulence model, propulsion model and gravity model are combined and added.

EQM block
This block includes the aircraft equations of motion, which are solved to give the
aircraft states and their derivatives. In addition, the aerodynamic and total forces and
moments and their coefficients are corrected for the α̇- and β̇-contributions.

OBSERVATIONS block
The observation parameters of the RECOVER benchmark are calculated in this
block. The parameters are arranged in several subgroups, calculated in subblocks,
consisting of accelerations, linear velocity time derivatives, flight-path related pa-
rameters and measurements outside the center of gravity. A complete list of the
benchmark observation output signal formats is provided in Section 8.

6 Using the GARTEUR RECOVER Benchmark


This section describes the structure and operation of the different (customisable)
GARTEUR RECOVER benchmark tools which can be accessed via the RECOVER
graphical user interface. A few user examples are provided demonstrating the proce-
dures to conduct a simulation under a particular aircraft condition, perform lineari-
sation of the non-linear aircraft model and utilise the aircraft visualisation features.

6.1 Main Menu


The GARTEUR RECOVER benchmark simulation and analysis tools can be accessed
via a Matlab® graphical user interface (Fig. 7). The benchmark main menu
can be started by typing recover in the Matlab® command window. The user
options in the menu are divided into three main sections allowing the user to perform
benchmark initialisation and simulations (Simulation) and run the analysis tools
(Analysis) including aircraft linearisation, plotting of simulation results and flight
control assessment criteria and aircraft visualisation. A help section on the main
menu (Reference) provides a quick reference for operation and customisation of the
GARTEUR RECOVER benchmark.

6.1.1 Open-Loop Simulation

The Open-Loop Simulation button (Fig. 8) in the Simulation section of the bench-
mark main menu will activate the initialisation of an open-loop simulation of a
newly designed control algorithm. During initialisation, the calculation of a (user
specified) trim condition is performed, and a particular test scenario and aircraft
failure mode can be selected. Section 6.2 demonstrates the required steps to per-
form a typical open-loop simulation.

Fig. 7 GARTEUR RECOVER benchmark graphical user interface

Fig. 8 Open-loop simulation initialisation button

6.1.2 Closed-Loop Simulation

The Closed-Loop Simulation button (Fig. 9) in the main menu activates the initiali-
sation of a closed-loop benchmark simulation. As with the initialisation of an open-
loop simulation, the calculation of a (user specified) trim condition is performed and
a particular test scenario and aircraft failure mode can be selected. It should be noted
that the closed-loop simulation is performed using preset test scenarios as specified
for the GARTEUR fault tolerant control benchmark (Chapter 6 and 7 of the book
provide details on the test scenario specifications based on predefined aircraft opera-
tional requirements). An example in Chapter 6 describes the initialisation procedure
to perform simulations using the closed-loop benchmark model.

Fig. 9 Closed-loop simulation initialisation button

6.1.3 Linearise Aircraft


For control law design purposes, the non-linear aircraft model can be linearised us-
ing a basic linearisation routine that is available as part of the RECOVER benchmark
tools. The linearisation routine allows a linear model with twelve states and 29 con-
trol inputs (25 control surfaces and 4 engines) to be obtained. In the current version
of the benchmark, the linearisation can only be done for the total non-linear model
perturbing all twelve states and 29 control inputs. Separation into a symmetric or
asymmetric linear model is an option reserved in the linearisation routine but is not
yet implemented. The user may refer to reference [2] for further customisation of
the benchmark linearisation routine.
To obtain a linearised model, a trimmed flight condition needs to be calculated via
the initialisation of a closed-loop or open-loop simulation. Fig. 10 and 11 illustrate
the calculation steps of an example trim condition (TESTlin4.tri).
When a trimmed flight condition is determined, the linearisation of the non-linear
aircraft model can be started by using the Linearise Aircraft button in the benchmark
main menu which activates the linearisation procedure (Fig. 12).
The matrices of the calculated linear model, which is given in state-space form,
are available as the variables Alin, Blin, Clin, Dlin in the Matlab® workspace.
Note that the variable Alin is in radians but all control surface deflections
(except for thrust which is in Newtons) in the matrix variable Blin are in
degrees. For the purpose of designing a controller, it might be better to convert the
Blin matrix back to radians (this can be done by multiplying the columns of Blin,
associated with the control surface deflections, with 180/π).
The ordering of the states xlin and the control surfaces ulin of the total linear
model described by the matrices Alin and Blin are as indicated in equation (1).
The spoilers #6 and #7 are ground spoilers and are not used during flight. The
10th and 11th columns associated with these control surfaces can therefore be ne-
glected during design. Also note that the number of columns of the Blin matrix
is 29. The 30th column is associated with the landing gear and has not been in-
cluded in the linear model. An example linear model can be accessed through the
file TESTlin4.lin, available in the benchmark data folder, using the command
load -mat TESTlin4.lin in the Matlab® window.

Fig. 10 Initialisation of benchmark trim conditions

Fig. 11 Calculation of benchmark trim condition

Fig. 12 Initialisation and calculation of linearised benchmark model (total model)

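Total model:

$$
\begin{cases}
x_{lin} = \left[\, p_b \;\; q_b \;\; r_b \;\; V_{TAS} \;\; \alpha \;\; \beta \;\; \phi \;\; \theta \;\; \psi \;\; h_e \;\; x_e \;\; y_e \,\right] \\[4pt]
u_{lin} = \left[\, \delta_{air} \;\; \delta_{ail} \;\; \delta_{aor} \;\; \delta_{aol} \;\; \delta_{sp\,1-12} \;\; \delta_{eir} \;\; \delta_{eil} \;\; \delta_{eor} \;\; \delta_{eol} \;\; \delta_{ih} \;\; \delta_{ru} \;\; \delta_{rl} \;\; \delta_{fo} \;\; \delta_{fi} \;\; \delta_{T_N\,1-4} \,\right]
\end{cases}
\tag{1}
$$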
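
The unit conversion and column selection described in Section 6.1.3 can be scripted against the input ordering of equation (1). The following is an added example, not code from the RECOVER package: it rescales the 25 control surface columns of Blin by 180/π, leaves the four thrust columns in Newtons, and removes the ground spoiler columns 10 and 11. All variable names other than Blin are hypothetical, and a constructed random matrix stands in for Blin when the benchmark data has not been loaded.

```matlab
% Added example, not part of the RECOVER package. Variable names other than
% Blin (uNames, Brad, Bdes, ...) are hypothetical.
if ~exist('Blin', 'var')
    % Constructed placeholder so the script runs without the benchmark.
    % With the package installed, use instead:  load -mat TESTlin4.lin
    Blin = randn(12, 29);
end

% Input names in the column order of ulin from equation (1).
spNames = cell(1, 12);
for k = 1:12
    spNames{k} = sprintf('sp%d', k);
end
tnNames = cell(1, 4);
for k = 1:4
    tnNames{k} = sprintf('Tn%d', k);
end
surfNames = [{'air', 'ail', 'aor', 'aol'}, spNames, ...
             {'eir', 'eil', 'eor', 'eol', 'ih', 'ru', 'rl', 'fo', 'fi'}];
uNames = [surfNames, tnNames];

if size(Blin, 2) ~= length(uNames)
    error('Blin has %d columns, expected %d.', size(Blin, 2), length(uNames));
end

% Control surface columns (1..25) are per degree; thrust columns (26..29)
% are per Newton and are left unchanged.
iSurf = 1:length(surfNames);
Brad = Blin;
Brad(:, iSurf) = Blin(:, iSurf) * (180/pi);

% Ground spoilers #6 and #7 (columns 10 and 11) are not used in flight.
iGround = [find(strcmp(uNames, 'sp6')), find(strcmp(uNames, 'sp7'))];
keep = setdiff(1:length(uNames), iGround);
Bdes = Brad(:, keep);      % input matrix for design, radian surface inputs
uDes = uNames(keep);       % matching input names

% Consistency check with a +1.5 deg / -1.5 deg aileron pair. Applying it to
% columns 'air' and 'ail' is an assumption made for this example.
uDeg = zeros(length(uNames), 1);
uDeg(strcmp(uNames, 'air')) =  1.5;
uDeg(strcmp(uNames, 'ail')) = -1.5;
uRad = uDeg;
uRad(iSurf) = uDeg(iSurf) * (pi/180);
mismatch = norm(Blin*uDeg - Brad*uRad);   % should be at rounding level

fprintf('Ground spoiler columns removed: %s\n', mat2str(iGround));
fprintf('Design input matrix: %d states x %d inputs\n', size(Bdes, 1), size(Bdes, 2));
fprintf('Degree/radian consistency error: %.3g\n', mismatch);
```

The consistency check confirms that a deflection expressed in degrees through Blin and the same deflection expressed in radians through the rescaled matrix produce the same state derivative contribution.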

After the completion of the steps in Fig. 12, the quality of the linearisation routine
can be evaluated by comparing the states (around the trimmed flight condition)
between the linear and non-linear model using small actuator deflections. This is done
by running the Simulink® model called b747_auto_g_LINcheck.mdl and the
plotting routine plotBENCHMARKtestLINandNL.m. The user needs to make
a selection of the actuator to be used as perturbation input for the comparison
depending on which axis is to be tested (e.g. to test the quality of the lateral axis,
1.5 deg of right aileron and -1.5 deg of left aileron can be used). Any control input
for a particular actuator to excite the linear model can be defined in the airframe for
LINEAR comparison test block within the model b747_auto_g_LINcheck.mdl.
Fig. 13, 14 and 15 show example plot results allowing the comparison of the
linearised model (TESTlin4.lin) and the non-linear model after a spoiler
deflection input of 1.5 degrees. The aircraft states are given in radians while
altitude (he) and ground distance (xe) are given in meters.

Fig. 13 Plots showing actuator deflections (spoilers deflected 1.5 degrees at t=1s) for
comparison of linearised model (TESTlin4.lin) and non-linear model

Fig. 14 Plots showing longitudinal states for comparison of linearised model
(TESTlin4.lin) and non-linear model (NL: non-linear model, lin: linear model)

Fig. 15 Plots showing lateral states for comparison of linearised model (TESTlin4.lin)
and non-linear model (NL: non-linear model, lin: linear model)

6.1.4 Plot Simulation Results


The Plot Simulation Results button (Fig. 16) activates the plotting function of the
benchmark following a closed-loop or open-loop simulation. The plot function,
called via the script plot_sim.m, generates additional time responses of the
aircraft including the aircraft states, pilot control deflections and specific forces.
Example aircraft simulation responses obtained by the plot function are illustrated in
the user examples (Chapter 6 and paragraph 6.2).

6.1.5 Show Assessment Criteria


Following a simulation (open-loop, closed-loop or via manually controlled inputs
in the open-loop functional model (Fig. 5)), the performance of the designed fault
tolerant control algorithms can be evaluated using the benchmark assessment criteria.
The assessment criteria are provided as plots for each phase of the benchmark
scenario (Chapter 6) and can be generated using the Show Assessment Criteria button
(Fig. 17) after a simulation. Fig. 18, 19 and 20 show example plots for the Right
Turn and Localiser Intercept phase of the benchmark scenario. Chapters 6 and 7
provide further details on the benchmark scenario specifications and definition of
the assessment criteria parameters as used in the plots.

Fig. 16 Simulation time responses activation button

Fig. 17 Benchmark assessment criteria activation button

Fig. 18 Benchmark assessment criteria plots for Right Turn and Localiser Intercept phase
showing aircraft states with evaluation criteria

6.1.6 RECOVER Visualisation


The GARTEUR RECOVER benchmark aircraft visualisation and animation tool
(Fig. 22) provides a high-resolution visualisation of the benchmark’s approach and
landing scenario and flight trajectory. The RECOVER visualisation tool is specifi-
cally aimed to support interactive (real-time) fault tolerant flight control design and
evaluation for civil transport aircraft. The visualisation features include graphic ren-
ditions of the aircraft, cockpit flight instrumentation and aircraft geographic environ-
ment (Amsterdam Schiphol airport and surroundings). The RECOVER interactive
simulation and visualisation window can be activated via the RECOVER Visualisa-
tion button following initialisation of an open-loop or closed-loop simulation.

Fig. 19 Benchmark assessment criteria plots for Right Turn and Localiser Intercept phase
showing kinematic accelerations in body axes with evaluation criteria

(a) Horizontal trajectory (b) Vertical trajectory

Fig. 20 Aircraft trajectory plots for Right Turn and Localiser Intercept phase

Fig. 21 Interactive simulation and visualisation activation button

Fig. 22 GARTEUR RECOVER benchmark interactive simulation and visualisation window
showing aircraft model with separated right-wing engines (Flight 1862 accident scenario)

A graphical pilot interface shows the basic flight instrumentation based on spec-
ifications of the electronic flight instrument system (EFIS) displays as found on
the B747-400 aircraft. The RECOVER EFIS displays are configured to show the
primary aircraft state parameters, flight control system state and engine thrust pa-
rameters. Additional features on the displays, not found on the standard B747-400
instrumentation, are included to assess the human-machine interfacing (HMI) as-
pects of new fault tolerant flight control algorithms. For these design applications,
the RECOVER benchmark primary flight display (PFD) has the capability to dis-
play, for instance, the aircraft’s bank, pitch and airspeed envelope protection limits
as calculated by a new self-adaptive control system. The lower display (Engine In-
dicating and Crew Alerting System (EICAS) display) shows the engine parameters,
using Engine Pressure Ratio (EPR) as the main thrust setting reference, inboard
trailing edge flap position and landing gear status. Additional aircraft state informa-
tion on the EICAS display includes angle-of-attack, sideslip and load factor. The
EICAS display also enables monitoring of the activity of the flight control system
and control law performance by presenting all individual control surface deflec-
tions. A basic 3D aircraft model, representing the B747-100/200 aircraft, and the
aircraft’s reconstructed flight path in the out-the-window view allows analysis of
the flight trajectory and maneuvers.
The following features of the interactive simulation window can be controlled by
keyboard and mouse:
• shift-W: switch to aircraft view mode
• shift-A: switch to cockpit view mode
• shift-C: Activate free viewing (aircraft view mode)
• P: Activate/deactivate aircraft flight path (aircraft view mode)
• Left mouse/touch pad button: zoom out (aircraft view mode)
• Right mouse/touch pad button: zoom in (aircraft view mode)
• Mouse or touchpad: Move viewpoint (aircraft view mode)
Fig. 23 shows the information available on the RECOVER benchmark primary
flight display.
Fig. 24 provides a description of the parameters that are available on the RE-
COVER benchmark EICAS display.
For a realistic visualisation of the benchmark scenario, the RECOVER visuali-
sation tool includes a high-resolution geographic rendition of the Amsterdam area
including a detailed layout of the Amsterdam Schiphol Airport runway configura-
tions (Fig. 25). Currently, only runway 27 is configured with an instrument landing
system (ILS) as part of the GARTEUR benchmark scenario. However, further cus-
tomisation of the airport approach and landing aids is possible within the benchmark
model (e.g. an extension of ILS availability).
The aircraft’s flight trajectory can be visualised by pressing P before starting, or
during, a (real-time) simulation. Fig. 26 and Fig. 27 illustrate the flight path visu-
alisation capability in the RECOVER out-the-window view (free viewing mode),
following a simulation of a landing test scenario and in-flight maneuver.
Although not part of the GARTEUR benchmark scenario, runway 06 of the
Schiphol airport scenery is equipped with approach lighting and a visual approach
slope indicator (VASI) (Fig. 28 and 29) to replicate the pilot’s viewpoint during a
typical approach and landing test scenario under visual meteorological conditions
(VMC).
All parameters presented on the RECOVER flight instrumentation displays and
controlling the out-the-window view are available as inputs via a Simulink®
interface in the output & visualisation block (top system level). The
RECOVER visualisation window input variables, including the signal element number,
variable name, dimension and description are summarised in Tables 1 and 2.

Fig. 23 GARTEUR RECOVER benchmark primary flight display (PFD) elements

1 ILS DME distance
2 Pitch envelope limit
3 Radio altitude
4 Selected altitude
5 Bank angle envelope limit
6 Altitude
7 Vertical speed
8 Selected altitude
9 Vertical speed
10 Atmospheric pressure (QNH)
11 Glideslope indicator
12 Flight director
13 Localiser indicator
14 Selected heading
15 Magnetic heading
16 ILS course
17 Minimum speed (red) and minimum maneuvering speed (yellow)
18 Attitude indicator
19 Indicated airspeed
20 Selected airspeed
21 Maximum speed (red) and maximum maneuvering speed (yellow)
22 Selected airspeed

Fig. 24 GARTEUR RECOVER benchmark engine indicating and crew alerting system
(EICAS) display elements

1 Total air temperature
2 Landing gear indicator
3 Commanded and actual inboard trailing edge flap position
4 Angle-of-attack (ALFA), sideslip (BETA) and load factor (GLOAD)
5 Right-wing inboard and outboard aileron position
6 Right-wing spoilers #7 to #12 position
7 Right inboard and outboard elevator position
8 Stabiliser position
9 Left-wing spoilers #1 to #6 position
10 Left-wing inboard and outboard aileron position
11 Upper and lower rudder position
12 Engine pressure ratio (EPR) and maximum EPR

Fig. 25 GARTEUR RECOVER benchmark geographical rendition of Amsterdam Schiphol
airport and runway configurations and dimensions

Fig. 26 Aircraft flight path visualisation during approach and landing test scenario

Fig. 27 In-flight maneuver visualisation in free viewing mode


Fig. 28 Amsterdam Schiphol runway 06 visual landing aids and ground textures

Fig. 29 Visual Approach Slope Indicator (VASI)


Table 1 Aircraft state and navigation input variables for the GARTEUR RECOVER bench-
mark visualisation tool (output & visualisation block)

Input Variable Dimension Description


no.
1 TIMERUN s Simulation time
2 VCAS knots Calibrated airspeed
3 VSEL knots Selected airspeed
4 VGND knots Ground speed
5 Reserved input
6 MACH – Mach number
7 MACHSEL – Selected Mach number
8 VSELKTS 1=VSEL / Selected speed mode
0=MACHSEL
9 VS feet/min Vertical speed
10 VSSEL feet/min Selected vertical speed
11 VSSELSET 1=on / 0=off Show selected vertical speed
12 VMAX knots Maximum airspeed
13 VSTALL knots Stall speed
14 WHEELSONGND 1=ground / Wheels on ground
0=flight
15 PHI deg Bank angle
16 PHILIM deg Bank angle envelope limit
17 THETA deg Pitch angle
18 THETALIM deg Pitch angle envelope limit
19 PSIM deg Magnetic heading angle
20 PSI deg True heading angle
21 PSISEL deg Selected heading angle
22 GHIM deg Magnetic track angle
23 GHI deg True track angle
24 MAGVAR rad Magnetic variation
25 ALFA deg Angle-of-attack
26 BETA deg Sideslip angle
27 ALTBAROL feet Baro-corrected altitude
28 ALTSEL feet Selected altitude
29 ALTGND feet Radio altitude
30 FDSETL 1=on / 0=off Show flight director
31 Reserved input
32 FDTHETACOM deg Flight director pitch command
33 FDPHICOM deg Flight director roll command
34 ILSDMEL NM DME distance ILS
35 ILSCOURSEL deg ILS course
36 LOCDEVL dot ILS localiser deviation
37 GLSDEVL dot ILS glide slope deviation
38 LOCSHOWL 1=on / 0=off Show localiser deviation
39 GLSSHOWL 1=on / 0=off Show glideslope deviation
40 ACLATR rad Aircraft latitude
41 ACLONR rad Aircraft longitude
42 Reserved input
43 Reserved input
44 Reserved input
45 Reserved input
46 Reserved input
47 Reserved input
48 Reserved input
49 Reserved input
50 Reserved input
51 STATICTEMP K Static air temperature
52 Reserved input
53 GSTATUS g Load factor

Table 2 Flight control system and engine state input variables for the GARTEUR RECOVER
benchmark visualisation tool (output & visualisation block)

Input no. Variable Dimension Description
54 EPR – Engine pressure ratio #1
55 EPR – Engine pressure ratio #2
56 EPR – Engine pressure ratio #3
57 EPR – Engine pressure ratio #4
58 EPRMAX – Maximum engine pressure ratio
59 Reserved input
60 Reserved input
61 PITCHTRIM deg Stabiliser trim angle
62 DGEAR 1=down / 0=up Landing gear selection
63 Reserved input
64 DFLAP deg Flap angle (inboard flaps)
65 DFLAPCOM deg Demanded flap angle
66 AILLINBOARD deg Left inboard aileron deflection
67 AILRINBOARD deg Right inboard aileron deflection
68 AILLOUTBOARD deg Left outboard aileron deflection
69 AILROUTBOARD deg Right outboard aileron deflection
70 ELEVLEFT deg Left inboard elevator deflection
71 ELEVRIGHT deg Right inboard elevator deflection
72 ELEVLEFT2 deg Left outboard elevator deflection
73 ELEVLEFT2 deg Right outboard elevator deflection
74 DRUDDER deg Upper rudder deflection
75 DRUDDER2 deg Lower rudder deflection
76 SPOILLEFT1 deg Spoiler #6 deflection
77 SPOILLEFT2 deg Spoiler #5 deflection
78 SPOILLEFT3 deg Spoiler #4 deflection
79 SPOILLEFT4 deg Spoiler #3 deflection
80 SPOILLEFT5 deg Spoiler #2 deflection
81 SPOILLEFT6 deg Spoiler #1 deflection
82 SPOILRIGHT1 deg Spoiler #7 deflection
83 SPOILRIGHT2 deg Spoiler #8 deflection
84 SPOILRIGHT3 deg Spoiler #9 deflection
85 SPOILRIGHT4 deg Spoiler #10 deflection
86 SPOILRIGHT5 deg Spoiler #11 deflection
87 SPOILRIGHT6 deg Spoiler #12 deflection
88 LEXPSW3 1=engine #3 separated / 0=engine #3 not separated Switch to remove engine #3 from 3D model (Flight 1862 accident scenario)
88 LEXPSW4 1=engine #4 separated / 0=engine #4 not separated Switch to remove engine #4 from 3D model (Flight 1862 accident scenario)

6.1.7 Help RECOVER


The Help RECOVER button (Fig. 30) provides a quick reference guide to start using
and customising the RECOVER benchmark.

Fig. 30 Benchmark help button providing access to quick reference guide

6.2 User Example


In this section, the steps required for a typical open-loop simulation within the
GARTEUR RECOVER benchmark (b747 funpc d.mdl) are demonstrated for investigating
the aircraft behaviour under the influence of failures. As an example failure mode,
the loss of the vertical tail (Chapter 6) is simulated, which makes the aircraft
unstable in roll and yaw and also removes the rudder control. Chapter 6 of the book
describes a user example to conduct a simulation with the closed-loop model involving
the separation of both right-wing engines (Flight 1862 accident scenario). The
Matlab® command line scripts are set up to give reasonable default values for all
questions during initialisation of the simulation. The user may enter other data to
deviate from the default values. The user input prompt is indicated by a semicolon
during initialisation.

Fig. 31: After selecting Open-Loop Simulation in the main menu, the open-loop
initialisation is started in the Matlab® command window and the first step is to
define the failure model. For this example, the loss of vertical tail failure case is
chosen (failure mode #9). The aircraft configuration may then be entered, including
the weight and balance of the aircraft and initial values for the pilot control inputs
used for trimming. For the initial trim values of the controls, it is usually sufficient
to accept the default values here. For this example, the aircraft is set up in the
standard condition (clean configuration, he = 2000 ft, VTAS = 260 kts).

Fig. 32: The next step is to choose the flight condition. The straight-and-level trim
condition is chosen and the flight path angle and rate of climb are set at the default
values. This sets up the trim routine.

Fig. 33: The program continues with the start of the optimisation to determine the
trim condition. For trimming, the b747 trim d.mdl model is used. The trim routine
runs and gives a trim result in terms of stabiliser deflection and thrust. If the
trim results are acceptable, the required EPR setting is derived from the thrust in the
next step.

Fig. 31 Selection of failure mode and aircraft configuration

Fig. 34: After the trim condition is calculated, the user is first asked to define a test
input signal for an open-loop simulation. Note that the test signals are applied to the
pilot control inputs and not to the separate control surfaces. The simulation is then
performed using the open-loop model b747 funpc d.mdl. Any saved inputs and
outputs are located in the data subdirectory.

Fig. 32 Selection of flight condition

Finally, a few time responses can be plotted to show the results. These plots are
generated by the plot sim script. Fig. 35 shows the plotted simulation results of
the aircraft states following an aileron doublet at t=2s. As can be seen in the plots,
the aircraft with the missing tail becomes unstable in the lateral axis after the
aileron doublet at t=2s. The pilot control inputs are shown in Fig. 36. The calculated
specific forces are also plotted and are shown in Fig. 37. The effect of the loss of
directional stability due to the missing vertical tail is clearly visible in the
lateral acceleration (Ayb) response.

7 Aircraft and Flight Control System Specifications


Fig. 38 and Table 3 provide aircraft operational data and geometric dimensions
for both the B747-100/200 and B747-200F (freighter version) as simulated in the
benchmark. The B747-100/200 flight control system characteristics, including
arrangements and operating limitations, are illustrated in Fig. 39 and Table 4. For the
benchmark simulation, the B747-100/200 hydraulic and flight control system
specifications were taken from [5, 10].

8 Signal Formats
This section provides a reference on the signal formats and observation outputs as
available in the top system level (Level 1) of the closed-loop (b747 auto g.mdl)
and open-loop (b747 funpc d.mdl) benchmark models. For all signal formats,
the signal number, name, symbol, dimension and a description are provided. The
GARTEUR RECOVER benchmark observation outputs follow the signal formats
as described in reference [2].

Fig. 33 Optimisation and trim routine results



Fig. 34 Test input signal definition for open-loop simulation (b747 funpc d.mdl)

Fig. 35 Aircraft state response after an aileron doublet at t=2s with open-loop benchmark
model (b747 funpc d.mdl) and loss of vertical tail failure mode

Fig. 36 Pilot control inputs showing aileron doublet as test signal at t=2s

Fig. 37 Aircraft specific forces in body axes after an aileron doublet at t=2s with open-loop
model (b747 funpc d.mdl) and loss of vertical tail failure mode

Fig. 38 Boeing 747-100/200 large transport aircraft



Table 3 B747-100/200 series operational data and geometric dimensions

B747-100/200 B747-200F (Freighter)


Wing area 511 m2 511 m2
Wing mean aerodynamic chord (MAC) 8.324 m 8.324 m
Wing span 59.65 m 59.65 m
Length overall 70.66 m 70.66 m
Height overall 19.33 m 19.33 m
Engines Pratt & Whitney JT9D-3 Pratt & Whitney JT9D-7J
Takeoff thrust rating (standard day / sea level) 193 kN (43,500 lb st) 222 kN (50,000 lb st)
Maximum takeoff weight 321,995 kg (710,000 lb) 377,842 kg (833,000 lb)
Maximum landing weight 255,782 kg (564,000 lb) 285,763 kg (630,000 lb)
Maximum zero fuel weight 238,776 kg (526,500 lb) 267,619 kg (590,000 lb)
Load factor range flaps up -1.0/+2.5 -1.0/+2.5
Load factor range flaps down 0/+2 0/+2

Fig. 39 Boeing 747-100/200 flight control surface arrangements and body axes and moment
definitions (L̄ = rolling moment, M = pitching moment, N̄ = yawing moment, p = roll rate,
q = pitch rate, r = yaw rate)

Table 4 B747-100/200 flight control surface operating limits (positive sign: surface
deflection down / spoiler panel up)

Control surface | Symbol | Mechanical limit (deg) | Two hydraulic system rate (Full boost, deg/sec) | One hydraulic system rate (Half boost, deg/sec)
Inboard elevator δei +17/-23 +37/-37 +30/-26
Outboard elevator δeo +17/-23 +37/-37 +30/-26
Stabiliser ih +3/-12 +/-0.2 to +/-0.5 +/-0.1 to +/-0.25
Inboard aileron δai +20/-20 +40/-45 +27/-35
Outboard aileron δao +15/-25 +45/-55 +22/-45
Spoilers #1 - #4 δsp1−4 +45 +75 0
Spoilers #9 - #12 δsp9−12 +45 +75 0
Spoilers #5, #8 δsp5 , δsp8 +20 +75 0
Spoilers #6, #7 δsp6 , δsp7 +20 +25 0
Upper rudder δru +25/-25 +50/-50 +40/-40
Lower rudder δrl +25/-25 +50/-50 +40/-40

Table 5 Aircraft states (x)


No. Name Symbol Dimension Description
1 pbody pb rad/s roll rate about body X-axis
2 qbody qb rad/s pitch rate about body Y -axis
3 rbody rb rad/s yaw rate about body Z-axis
4 VTAS VTAS m/s true airspeed
5 alpha α rad angle of attack
6 beta β rad angle of sideslip
7 phi φ rad roll angle
8 theta θ rad pitch angle
9 psi ψ rad yaw angle
10 he he m geometric altitude
11 xe xe m horizontal position along earth X-axis
12 ye ye m horizontal position along earth Y -axis

Table 6 Aircraft state derivatives (xdot)

No. Name Symbol Dimension Description


13 pbdot ṗb rad/s2 roll acceleration about body X-axis
14 qbdot q̇b rad/s2 pitch acceleration about body Y -axis
15 rbdot ṙb rad/s2 yaw acceleration about body Z-axis
16 VTASdot V̇TAS m/s2 time derivative of true airspeed
17 alphadot α̇ rad/s angle of attack rate
18 betadot β̇ rad/s angle of sideslip rate
19 phidot φ̇ rad/s roll attitude rate
20 thetadot θ̇ rad/s pitch attitude rate
21 psidot ψ̇ rad/s heading rate
22 hedot ḣe m/s geometric altitude rate
23 xedot ẋe m/s horizontal ground speed along earth X-axis
24 yedot ẏe m/s horizontal ground speed along earth Y-axis

Table 7 Airdata parameters (yair)

No. Name Symbol Dimension Description


25 pstat pa N/m2 ambient pressure
26 rho ρ kg/m3 air density
27 temp T K ambient temperature
28 grav g m/s2 acceleration of gravity
29 hpress hp m pressure altitude
30 hradio hR m radio altitude
31 Hgeopot H m geopotential altitude
32 Vsound Vsound m/s speed of sound
33 Mach M – Mach number
34 qdyn q N/m2 dynamic pressure
35 Reynl Re – Reynolds number per unit length
36 qc qc N/m2 impact pressure
37 qrel qrel – relative impact pressure
38 ptot pt N/m2 total pressure
39 temptot Tt K total temperature
40 VEAS VEAS m/s equivalent airspeed
41 VCAS VCAS m/s calibrated airspeed
42 VIAS VIAS m/s indicated airspeed
43 uwindb uwb m/s wind velocity along body X-axis
44 vwindb vwb m/s wind velocity along body Y -axis
45 wwindb wwb m/s wind velocity along body Z-axis
46 uwinde uwe m/s wind velocity along earth X-axis
47 vwinde vwe m/s wind velocity along earth Y -axis
48 wwinde wwe m/s wind velocity along earth Z-axis
49 ug ûg – dimensionless gust velocity along negative body X-axis
50 alphag αg rad gust angle of attack
51 betag βg rad gust angle of sideslip
52 ugdot û˙g 1/s dimensionless gust velocity derivative along negative body X-axis
53 alphagdot α̇g rad/s gust angle of attack rate
54 betagdot β̇g rad/s gust angle of sideslip rate
55 ugasym ûgasym – dimensionless gust velocity along negative body X-axis, varying along wingspan
56 alphagasym αgasym rad gust angle of attack, varying along wingspan

Table 8 Acceleration parameters (yacc)

No. Name Symbol Dimension Description


57 axb axb g acceleration at c.g. along body X-axis
58 ayb ayb g acceleration at c.g. along body Y -axis
59 azb azb g acceleration at c.g. along body Z-axis
60 anxb anxb g accelerometer output at c.g. along body X-axis
61 anyb anyb g accelerometer output at c.g. along body Y-axis
62 anzb anzb g accelerometer output at c.g. along body Z-axis
63 anxa anxa g accelerometer output at c.g. along airpath X-axis
64 anya anya g accelerometer output at c.g. along airpath Y-axis
65 anza anza g accelerometer output at c.g. along airpath Z-axis
66 anxib anx,ib g accelerometer output at (x, y, z)iacc along body X-axis
67 anyib any,ib g accelerometer output at (x, y, z)iacc along body Y-axis
68 anzib anz,ib g accelerometer output at (x, y, z)iacc along body Z-axis
69 anb anb g normal acceleration at c.g.
70 anib an,ib g normal acceleration at (x, y, z)iacc
71 n n g load factor

Table 9 Flight path related parameters (yfp)

No. Name Symbol Dimension Description


72 gamma γ rad flight path angle
73 chi χ rad azimuth angle
74 gammadot γ̇ rad/s flight path angle rate
75 chidot χ̇ rad/s azimuth angle rate
76 heacc ḧe m/s2 vertical acceleration
77 fpacc f pa m/s2 flight path acceleration

Table 10 Energy related terms (ys)

No. Name Symbol Dimension Description


78 Espec Es m specific energy
79 Pspec Ps m/s specific power

Table 11 Aerodynamic forces and moments (yFMaero)

No. Name Symbol Dimension Description


80 Tbody Tb N aerodynamic tangential force in body reference frame
81 Ybody Yb N aerodynamic sideforce coefficient in body reference frame
82 Nbody Nb N aerodynamic normal force in body reference frame
83 MXbody Lb Nm aerodynamic rolling moment in body reference frame
84 MYbody Mb Nm aerodynamic pitching moment in body reference frame
85 MZbody Nb Nm aerodynamic yawing moment in body reference frame

Table 12 Forces and moments due to turbulence (yFMgust)

No. Name Symbol Dimension Description


86 Tgbody Tgb N tangential force due to turbulence in body reference frame
87 Ygbody Ygb N sideforce coefficient due to turbulence in body reference frame
88 Ngbody Ngb N normal force due to turbulence in body reference frame
89 MXgbody Lgb Nm rolling moment due to turbulence in body reference frame
90 MYgbody Mgb Nm pitching moment due to turbulence in body reference frame
91 MZgbody N gb Nm yawing moment due to turbulence in body reference frame

Table 13 Propulsion forces and moments (yFMt)

No. Name Symbol Dimension Description


92 Ttbody Ttb N propulsion tangential force in body reference frame
93 Ytbody Ytb N propulsion sideforce coefficient in body reference frame
94 Ntbody Ntb N propulsion normal force in body reference frame
95 MXtbody Ltb Nm propulsion rolling moment in body reference frame
96 MYtbody Mtb Nm propulsion pitching moment in body reference frame
97 MZtbody N tb Nm propulsion yawing moment in body reference frame

Table 14 Aerodynamic force and moment coefficients (yCaero)

No. Name Symbol Dimension Description


98 CDair CDa – aerodynamic drag coefficient in airpath reference frame
99 CYair CYa – aerodynamic sideforce coefficient in airpath reference frame
100 CLair CLa – aerodynamic lift coefficient in airpath reference frame
101 CLLair Ca – aerodynamic rolling moment coefficient in airpath reference frame
102 CMair Cma – aerodynamic pitching moment coefficient in airpath reference frame
103 CNNair Cna – aerodynamic yawing moment coefficient in airpath reference frame
104 CDstab CDs – aerodynamic drag coefficient in stability reference frame
105 CYstab CYs – aerodynamic sideforce coefficient in stability reference frame
106 CLstab CLs – aerodynamic lift coefficient in stability reference frame
107 CLLstab Cs – aerodynamic rolling moment coefficient in stability reference frame
108 CMstab Cms – aerodynamic pitching moment coefficient in stability reference frame
109 CNNstab Cns – aerodynamic yawing moment coefficient in stability reference frame
110 CTbody CTb – aerodynamic tangential force coefficient in body reference frame
111 CYbody CYb – aerodynamic sideforce coefficient in body reference frame
112 CNbody CNb – aerodynamic normal force coefficient in body reference frame
113 CLLbody Cb – aerodynamic rolling moment coefficient in body reference frame
114 CMbody Cmb – aerodynamic pitching moment coefficient in body reference frame
115 CNNbody Cnb – aerodynamic yawing moment coefficient in body reference frame

Table 15 Control surfaces (uc)

No. Name Symbol Dimension Description


116 delta air δair rad right inboard aileron deflection
117 delta ail δail rad left inboard aileron deflection
118 delta aor δaor rad right outboard aileron deflection
119 delta aol δaol rad left outboard aileron deflection
120 delta sp1 δsp1 rad spoiler #1 deflection
121 delta sp2 δsp2 rad spoiler #2 deflection
122 delta sp3 δsp3 rad spoiler #3 deflection
123 delta sp4 δsp4 rad spoiler #4 deflection
124 delta sp5 δsp5 rad spoiler #5 deflection
125 delta sp6 δsp6 rad spoiler #6 deflection
126 delta sp7 δsp7 rad spoiler #7 deflection
127 delta sp8 δsp8 rad spoiler #8 deflection
128 delta sp9 δsp9 rad spoiler #9 deflection
129 delta sp10 δsp10 rad spoiler #10 deflection
130 delta sp11 δsp11 rad spoiler #11 deflection
131 delta sp12 δsp12 rad spoiler #12 deflection
132 delta eir δeir rad right inboard elevator deflection
133 delta eil δeil rad left inboard elevator deflection
134 delta eor δeor rad right outboard elevator deflection
135 delta eol δeol rad left outboard elevator deflection
136 ih ih rad stabiliser deflection
137 delta ru δru rad upper rudder deflection
138 delta rl δrl rad lower rudder deflection
139 delta fo δfo rad outboard trailing edge flaps deflection
140 delta fi δfi rad inboard trailing edge flaps deflection
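
As an added example (not part of the benchmark distribution), the Matlab function below splits one logged sample of the 140 observation outputs into the groups of Tables 5 to 15, checks the control surface deflections (rad) against the Table 4 mechanical limits (deg), and converts a few signals to the units listed for the visualisation tool in Table 1. The function name, the stacking of the outputs in the order of the "No." column, the zero lower limit for spoilers and the mapping to Table 1 inputs are assumptions made here.

```matlab
function report = recover_surface_check(y)
% Added example, not benchmark code. Assumes y is one 1x140 sample of the
% Level 1 observation outputs, stacked in the order of the "No." column of
% Tables 5-15 (hypothetical layout; verify against your logged data).
if nargin < 1
    % Constructed sample with two deliberate limit violations.
    y = zeros(1, 140);
    y(4)   = 133.8;          % VTAS [m/s], about 260 kts
    y(10)  = 609.6;          % he [m], 2000 ft
    y(41)  = 128.6;          % VCAS [m/s], constructed value
    y(116) = 22 * pi/180;    % right inboard aileron, beyond +20 deg
    y(136) = -3 * pi/180;    % stabiliser, inside +3/-12 deg
    y(137) = -26 * pi/180;   % upper rudder, beyond -25 deg
end
if numel(y) ~= 140
    error('Expected 140 observation outputs, got %d.', numel(y));
end
y = y(:).';                  % force row orientation
r2d = 180/pi;                % rad -> deg
ms2kt = 3600/1852;           % m/s -> knots

% Signal groups and index ranges from the "No." columns of Tables 5-15.
groups = {'x',1:12; 'xdot',13:24; 'yair',25:56; 'yacc',57:71; ...
          'yfp',72:77; 'ys',78:79; 'yFMaero',80:85; 'yFMgust',86:91; ...
          'yFMt',92:97; 'yCaero',98:115; 'uc',116:140};
report = struct();
for k = 1:size(groups, 1)
    report.(groups{k,1}) = y(groups{k,2});
end

% Table 4 mechanical limits in deg: label, signal numbers, upper, lower.
% Table 4 lists only the upper spoiler limit; lower = 0 is assumed here.
% Flaps (signals 139, 140) have no limit in Table 4 and are not checked.
limits = { ...
    'inboard aileron',   [116 117], 20, -20; ...
    'outboard aileron',  [118 119], 15, -25; ...
    'spoilers #1-#4',    120:123,   45,   0; ...
    'spoilers #5, #8',   [124 127], 20,   0; ...
    'spoilers #6, #7',   [125 126], 20,   0; ...
    'spoilers #9-#12',   128:131,   45,   0; ...
    'inboard elevator',  [132 133], 17, -23; ...
    'outboard elevator', [134 135], 17, -23; ...
    'stabiliser',        136,        3, -12; ...
    'upper rudder',      137,       25, -25; ...
    'lower rudder',      138,       25, -25};

report.violations = {};
tol = 1e-9;                  % guards against rad/deg round-off at the limit
for k = 1:size(limits, 1)
    idx = limits{k,2};
    deg = y(idx) * r2d;
    bad = idx(deg > limits{k,3} + tol | deg < limits{k,4} - tol);
    for j = bad
        report.violations{end+1} = sprintf( ...
            '%s (signal %d): %.2f deg outside [%g, %g]', ...
            limits{k,1}, j, y(j)*r2d, limits{k,4}, limits{k,3});
    end
end

% Table 1 lists deg and knots where Tables 5 and 7 use rad and m/s.
% The pairing of names below (e.g. phi -> PHI) is an assumption.
report.vis = struct('PHI', y(7)*r2d, 'THETA', y(8)*r2d, ...
                    'ALFA', y(5)*r2d, 'BETA', y(6)*r2d, ...
                    'VCAS', y(41)*ms2kt, 'MACH', y(33));

if isempty(report.violations)
    disp('All checked surfaces are within the Table 4 mechanical limits.');
else
    fprintf('%s\n', report.violations{:});
end
```

Called without arguments, the function runs on the constructed sample and reports the right inboard aileron and the upper rudder as outside their limits.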

Table 16 Pilot control inputs (top level open-loop model b747 funpc d.mdl)

No. Name Symbol Dimension Description


1 delta c δc rad control column position (+12.67deg/-12.5deg)
2 delta w δw rad control wheel position (+88deg/-88deg)
3 delta p δp rad rudder pedal position (+14deg/-14deg)
4 delta stab δstab rad stabiliser handle position (0-15 units)
5 delta sbh δsbh rad speedbrake handle position (0-37deg in-flight detent)
6 delta fh δfh rad flap handle position (0-30 detent)
7 EPR1 EPR1 – EPR engine #1 (0.94-1.62 (Flight 1862 simulation))
8 EPR2 EPR2 – EPR engine #2 (0.94-1.62 (Flight 1862 simulation))
9 EPR3 EPR3 – EPR engine #3 (0.94-1.62 (Flight 1862 simulation))
10 EPR4 EPR4 – EPR engine #4 (0.94-1.62 (Flight 1862 simulation))
11 gear gear 0/1 gear handle position

Table 17 Instrument landing system (ILS) parameters (Standard Sensors block)

No. Name Symbol Dimension Description


1 GSdev GSdev rad glideslope deviation
2 DME DME m distance to runway threshold
3 GSvalid GSvalid 0/1 glideslope signal valid
4 LOCdev LOCdev rad localiser deviation
5 LOCvalid LOCvalid 0/1 localiser signal valid

9 Contributors
The following persons and organisations contributed to the development of the
GARTEUR RECOVER benchmark.

Coen van der Linden (Delft University of Technology)


Hafid Smaili (National Aerospace Laboratory NLR)
Jan Breeman (National Aerospace Laboratory NLR)
Jaap Groeneweg (National Aerospace Laboratory NLR)
Ronald Verhoeven (National Aerospace Laboratory NLR)
Thomas Lombaerts (Delft University of Technology)
Andres Marcos (Deimos Space)
Gary Balas (University of Minnesota)
Chris Edwards (University of Leicester)
Halim Alwi (University of Leicester)
David Breeds (QinetiQ)
Stuart Runham (DSTL)

Contact information, organisation details and links can be found on the GARTEUR
project site www.faulttolerantcontrol.nl.

References
1. GARTEUR. GARTEUR RECOVER benchmark quickstart guide, GARTEUR Flight Mechanics Action Group 16 ‘Fault Tolerant Control’ (2009)
2. van der Linden, C.A.A.M.: DASMAT - Delft University Aircraft Simulation Model and Analysis Tool. Report LR-781, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1996)
3. Smaili, M.H.: Flight data reconstruction and simulation of El Al Flight 1862. Final thesis, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1997)
4. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies Conference and Exhibit, AIAA-2000-4586, Denver, CO (August 2000)
5. Hanke, C.R.: The simulation of a large transport aircraft. Modeling data, vol. II. NASA CR-114494 (September 1970)

6. Hanke, C.R.: The simulation of a large transport aircraft. Mathematical model, vol. I. NASA CR-1756 (March 1971)
7. van Keulen, R.: Real-time simulation and analysis of the automatic flight control system of the Boeing 747-200. Final thesis, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1991)
8. Marcos, A., Balas, G.J.: A Boeing 747-100/200 aircraft fault tolerant and fault diagnostic benchmark. Technical Report AEM-UoM-2003-1, University of Minnesota, Minnesota (June 2003)
9. EL AL Flight 1862, aircraft accident report 92-11. Netherlands Aviation Safety Board, Hoofddorp, The Netherlands (1994)
10. Boeing 747 Aircraft Operations Manual (1976)
11. Stevens, B.L., Lewis, F.L.: Aircraft control and simulation. John Wiley & Sons Inc., New York (1992)
12. Etkin, B., Reid, L.D.: Dynamics of flight - stability and control, 3rd edn. Wiley, New York (1996)
13. Matlab getting started guide. Version 6.5 (Release 13) or later. The Mathworks Inc., Natick, MA (USA)
14. Simulink user’s guide. Version 5.1 (Release 13SP1) or later. The Mathworks Inc., Natick, MA (USA)