Fault-Tolerant Reference Generation for Model Predictive Control with Active Diagnosis of Elevator Jamming Faults

SUMMARY This paper focuses on the longitudinal control of an Airbus passenger aircraft in the presence of elevator jamming faults. In particular, we address permanent and temporary actuator jamming faults using a novel reconfigurable fault-tolerant predictive control design. Because of their different consequences on the available control authority and on the fault duration, these two actuator jamming faults need to be distinguished so that appropriate control reconfigurations can be adopted accordingly. Their similarity in symptoms, however, prevents effective discrimination of the root cause of the jamming when only a passive fault-diagnosis approach is used. Hence, we propose the use of model predictive control (MPC) as the fault-tolerant controller to actively help the fault-detection (FD) unit discriminate between a permanent and a temporary jamming fault, while ensuring the performance of the aircraft. The MPC controller and the FD unit closely interact during the detection and diagnosis phases. In particular, every time a fault is detected, the FD module commands the MPC controller to perform a predefined sequence of reconfigurations to diagnose the root cause of the fault. An artificial reference signal that accounts for changes in the actuator operative ranges is used to guide the system through this sequence of reconfigurations. Our strategy is demonstrated on an Airbus passenger aircraft simulator. Copyright © 2010 John Wiley & Sons, Ltd.


INTRODUCTION
The ability to automatically handle faults and component malfunctions while preserving overall performance is the main characteristic of a fault-tolerant control (FTC) system [1]. Fault-tolerant control systems have been largely investigated in the context of flight control, taking into account the occurrence of faults on sensors and actuators [2,3,4,5,6,7,8,9].
In this work, we focus on faults that can occur on the aircraft actuators (i.e., actuator jamming faults). Actuator jamming faults have long been investigated in the field of fault-tolerant flight control (e.g., [10,3,11,8]). Among other techniques, we focus on the use of model predictive control (MPC) as fault-tolerant control. MPC provides a well-recognized framework for fault tolerance [12,13,10,14]. On one hand, MPC (even) without reconfiguration has some inherent self-reconfiguration properties that allow one to reallocate the control effort in the presence of actuator faults [15]. On the other hand, reconfigurable MPC further improves fault tolerance capabilities by exploiting extra fault information in a structured manner, especially when it comes to dealing with constraints [15].
In practical applications, the control design has to take into account that the information concerning the fault is provided by a fault-detection (FD) module. Hence, in these scenarios, the design of a reconfigurable MPC controller must be integrated with an FD module. Robustness and guaranteed fault tolerance of this integrated fault-tolerant MPC (FTMPC) scheme were analyzed with set-theoretic methods in [16,17].
In most of the literature, actuator jamming is attributed to a permanent jamming (or stuck fault), during which the actuator is locked at a certain position. Temporary jamming due to dynamic manoeuvres (combined with the presence of heavy aerodynamic forces), however, has been investigated by only a few researchers (e.g., the authors of [11] propose a sliding mode fault tolerant control [...] control surfaces are subject to faults, the fault can be detected quickly by monitoring the deviation of the residual signal from the normal behavior of the others. This strategy is useful especially for permanent jamming faults, which are more likely to involve only one control surface. Temporary faults, which are more likely to affect all the control surfaces, can still be detected by monitoring whether the residual signal of each actuator exceeds a predetermined threshold. From the control perspective, in [22] we made the assumption that the desired reference during a manoeuvre could not lead to infeasible solutions, and all the control reconfigurations were performed on the actuator constraints directly, without affecting the desired reference signal. In contrast to [22], in this work we exploit a strategy similar to the artificial reference tracking proposed in [23,24]. In [23,24], the concept of artificial reference is used to enlarge the region of attraction of the proposed controller while ensuring closed-loop stability guarantees. We reinterpret this idea for fault-tolerant control purposes.
In particular, this approach can be used to compute artificial reference signals for the state and the actuator commands in order to compensate for the occurrence of faults that can suddenly affect the feasible region of the MPC controller. Specifically, the sequence of reconfigurations used to detect and diagnose the root cause of the jamming is not performed directly on the actuators' constraints, but on the constraints associated with the artificial reference signal. By doing so, when a fault is detected the reference followed by the states and the actuators is adapted to the faulty feasible region. Consequently, if the desired reference signal becomes infeasible in the presence of a fault, the artificial reference acts as a fault-tolerant reference signal that avoids infeasibility (and possible instability) issues. Finally, compared to [22], we incorporate the effects of plant-model mismatches directly in the definition of the artificial reference constraints, using the information provided by an improved disturbance estimator module. We demonstrate the effectiveness of our approach using an Airbus civil aircraft simulator [25].
In the following, Section 2 presents the Airbus simulator used to evaluate our design. Section 3 describes our fault-tolerant control architecture. Section 4 introduces the proposed detection and diagnosis strategy and highlights the interactions between the FD module and the MPC. Section 5 compares the behavior of the MPC with and without the proposed active reconfigurations when multiple faults occur on the elevators. Finally, Section 6 concludes this paper.

BENCHMARK MODEL AND SCENARIO DEFINITION
This section describes the RECONFIGURE benchmark model, that is, an Airbus civil aircraft simulator [25] (Section 2.1), and details the actuator fault scenarios we focus on in this work (Section 2.2).

The aircraft longitudinal model
This work focuses on the longitudinal control of an Airbus passenger aircraft in the presence of actuator jamming faults. Our proposed FTC architecture relies on MPC, which is a model-based technique. Hence, a mathematical description of the longitudinal dynamics of the aircraft (i.e., the model) is necessary to ensure the performance of our FTC scheme. In this respect, in the control design phase, we can rely on linearized aircraft models at given operating points (or trim conditions) to build the prediction model of the MPC controller. In the following, we describe the augmented aircraft model (i.e., the cascade actuator-aircraft dynamics depicted in Figure 2) and introduce the notation used to design our MPC controller (Section 3).
The linearized and discretized longitudinal dynamics of the aircraft can be described as follows: [...] where [...] the vertical axis. All the states describing the longitudinal dynamics are measurable using dedicated sensors. These measurements are, however, affected by delays that must be compensated for in the control design (Section 3).
The elevator dynamics in the RECONFIGURE benchmark model can be modeled as third-order linear time-invariant (LTI) systems. The following model describes the elevator dynamics: [...] where $x_{el} \in \mathcal{X}_{el} \subseteq \mathbb{R}^{n_{el}}$ (the components of $x_{el}$ are the elevator position, velocity, and acceleration), $u \in \mathcal{U}_{MPC} \subseteq \mathbb{R}^{n_u}$, and $y_{el} \equiv u_{A/C}$ (i.e., the elevator position).
Finally, we assume that $\mathcal{X}$, $\mathcal{U}$, $\mathcal{Y}$, $\mathcal{X}_{el}$, and $\mathcal{U}_{MPC}$ are polyhedral sets that contain the origin in their interior. Furthermore, in the remainder of the paper, we use $\overline{\delta}_{e_i}$ and $\underline{\delta}_{e_i}$ to indicate the upper and the lower bounds of the i-th elevator output $\delta_{e_i}$ ($i \in \mathcal{I} := \{li, ri, lo, ro\}$).

Fault Description
This work focuses on elevator jamming scenarios. In these scenarios, one or more elevators remain fixed at an unpredictable value $\delta^f_{e_i}$ ($i \in \mathcal{I}$), which might differ from their normal saturation limits.
The elevator jamming can be attributed to two different root causes, exemplified in Figure 1:
• Stuck fault. The elevator is permanently jammed at a certain position $\delta^f_{e_i}$ and cannot be recovered (Figure 1a). This effect can be modelled as a permanent change at time $t_f$ in the elevator's upper and lower operating bounds, which both become equal to the jammed position $\delta^f_{e_i}$.
• Stall load [18]. The elevator is temporarily jammed during a dynamic manoeuvre, because heavy aerodynamic forces prevent it from achieving its commanded control surface deflection (Figure 1b). In this situation, the elevator can still move within a reduced control range determined by the jammed position $\delta^f_{e_i}$. The stall load ends if either the manoeuvre becomes less dynamic or the aerodynamic forces acting on the control surface become smaller.
Considering their different consequences on the control limits and on the jamming duration, a stuck elevator and a stall load need to be distinguished and require different reconfiguration strategies in FTC. Nevertheless, because of the high similarity of the two jamming phenomena, it is difficult to distinguish these two root causes. Hence, our proposed integrated FTC approach actively modifies the control strategy to help the FD module discriminate between the two root causes of the jamming, as detailed in Section 4.

Remark 1
This work focuses on jamming faults for which it is nontrivial to distinguish the root cause of the jamming. Although in some practical situations the stall load limits might change over time, leading to control challenges, from the diagnosis point of view the root cause of the jamming can still be distinguished easily in this case (when the fault is detected it is evident that the actuator is not permanently stuck at a given position). Hence, given that our goal is to design the interactions between the FD unit and the MPC controller to diagnose the root cause of a jamming fault, we do not focus on stall load scenarios with time-varying limits.

[Figure 2: FTC architecture; recovered block labels: Aircraft Dynamics, Actuator Dynamics, Elevator-state observer, FD]

FTC ARCHITECTURE
This section focuses on our proposed FTC architecture. In this respect, Figure 2 provides an overview of our proposed FTC design and shows the interactions among the different components of our control system and the controlled plant. In particular, Figure 2 highlights (i) in dark grey the main components of the plant (i.e., the augmented aircraft model described in Section 2.1, the constraints depicted as saturation blocks, and the sensor delays) and (ii) in light grey the main components of our fault-tolerant controller. A detailed description of these components is provided in the remainder of the section.

Elevator-state observer
The elevator states are needed by the MPC controller to build the predictions. By using the elevator model (2), four Luenberger observers [26], characterized by a constant gain L, are constructed. The gain L is the same for all the operating points, given that the elevators are LTI systems (according to their description in the RECONFIGURE model). Each observer independently monitors one elevator. On one hand, the elevator-state estimates are needed to exploit the elevator dynamics in the MPC problem formulation. On the other hand, these elevator-state estimates are used to compute the predicted elevator outputs $\delta^p_e$ for the disturbance observer and the FD module.
The realization we adopt for the elevators is such that, for each elevator, the state associated with the elevator position corresponds to the output of the elevator. Hence, when a saturation is detected on the i-th elevator position, the other two states (associated with the velocity and acceleration of the i-th elevator) are set to zero and the estimated position value is set to the measured elevator output.
This allows us to estimate the elevator states without requiring a more advanced state estimator to handle saturation.
Note that if the model of the elevators is nonlinear or depends on the flight condition, the gain L should also vary accordingly. As previously stated, in this work we adopt the elevator description provided in the RECONFIGURE benchmark model, which assumes the elevators to be LTI systems.

Disturbance observer
The disturbance observer is used to compensate for constant measurement errors, reduce the effects of plant-model mismatches, and provide useful information to help the FD module detect jamming faults. The proposed observer strongly relies on the information provided by the MPC controller and on the plant measurements.
The observer is composed of two modules, used to compensate for (i) measurement errors and (ii) plant-model mismatches, respectively. In particular, the first module estimates a constant disturbance signal (which is then used by the MPC controller) as follows. First, we take into account that the MPC controller does not model the sensor and filter dynamics in the predictor, in order to reduce the number of decision variables (and, consequently, the computation time). Hence, the proposed observer monitors $e_{n_z} := n_z^m - n_z^p$, that is, the mismatch between the measured and the predicted load factor. Second, the observer monitors $e_{\delta_{e_i}} := \delta^m_{e_i} - \delta^p_{e_i}$, that is, the mismatch between the measured and the predicted elevator outputs, for elevator-jamming detection purposes. Hence, the first module of the disturbance observer estimates $d := [d_{n_z}\ d_e^T]^T$ as follows: [...] The second module of the disturbance observer takes into account plant-model mismatches and, possibly, nonlinearities in the plant that are not modelled in the MPC controller, given that only linearized plant models are used to build the predictions. In this respect, we define an upper bound on these plant-model mismatches as nl := $\|x_t - x_{t|t-1}\|_2$, where $x_t$ is the measured state of the aircraft (we omit the subscript A/C to simplify the discussion) at time t and $x_{t|t-1}$ is the value of the state at time t predicted (by the MPC controller) from the measured state at time t − 1. This upper bound monitors the distance between the predicted and the real behavior of the plant and can be used (as explained below) to design a robust reference signal that avoids constraint violations in the MPC problem formulation.

Remark 2
The strategy described in (3) can only be used to estimate disturbances that can be modeled as constant values. Hence, given that the plant-model mismatches and the nonlinearities in the plant cannot be modelled as constant disturbances, we decided to include their effects in the definition of the MPC constraints, as explained below.

Fault-detection module
The fault-detection (FD) module relies on the elevator-output prediction error $e_{\delta_{e_i}}$ to compute the residual signal used for the detection of jamming faults. The residual generated for each elevator is evaluated by its root mean square (RMS) value over a sliding window $[t - N_{eval} + 1, t]$. $N_{eval}$ is selected according to the slowest mode of the actuators. This is an empirical choice that gives the physical system sufficient time to register the jamming fault. The choice of $N_{eval}$ is a trade-off between reducing the risk of missed detections/false alarms and reducing the detection delay.
The fault detection decision is made by comparing each residual evaluation value $J_i(t)$ with the related threshold $J^{th}_i$, that is, [...] After fixing the length of the sliding evaluation window, the thresholds $\{J^{th}_i\}$ are determined by the plant-model mismatch of the elevator model (2). In practice, each threshold $J^{th}_i$ can be selected as the peak value of $J_i(t)$ over a large set of fault-free scenarios. In this work, we determine the thresholds using dynamic fault-free manoeuvres, that is, the conditions under which stall loads are more likely to occur. This choice is a trade-off between reducing missed detections/false alarms and, at the same time, reducing detection delays.

Remark 3
Note that in this work we rely on a simple fault-detection logic with fixed $J^{th}_i$ to present our integrated approach. Nevertheless, the proposed approach can be extended with the use of more sophisticated detection techniques to select the threshold $J^{th}_i$ (for example, when an explicit description of multiplicative model uncertainties is taken into account).
Furthermore, we add an additional check to improve the detection of isolated faults, for which we can exploit redundancy, that is, the presence of redundant control surfaces. In fault-free conditions, the residual signals of the elevators are sufficiently small and close to each other (in terms of magnitude). Suppose that one of the residual signals starts deviating from the others. This abnormal behavior is an indicator that the elevator associated with that residual signal might be jammed. This strategy is useful when we have to deal with isolated faults on one or two actuators. For example, it is useful to anticipate the detection of a stuck fault, because a permanent jamming is more likely to occur on a single elevator.

Remark 4
The detection logic described above is insufficient to identify the root cause of the jamming by itself, given that it only informs the controller that the actuator is jammed. At this stage the controller does not know whether the jamming is permanent or temporary. In Section 4, we combine the detection logic (5) with different active reconfigurations to capture more detailed fault information.

Model Predictive Controller
MPC controllers rely on (i) the plant description to build predictions of the plant behavior over a predefined time window (called the prediction horizon), (ii) the information on state, input, and output constraints, and (iii) current measurements from the plant, such as state measurements and desired reference signals. These controllers offer an intuitive and structured framework to compute the optimal control law that simultaneously satisfies the control objectives and the constraints on the plant.
This control law is computed by solving (either offline or online [27,28,29,30,31], depending on the number of decision variables) an optimization problem (usually a quadratic programming problem). For more details on MPC, refer to [32,33,34] and the references therein.

Remark 5
In this work, we solve the MPC optimization problem online. This requires solving a quadratic programming (QP) problem whose size is proportional to the number of decision variables and to the length of the prediction horizon. The solution of this optimization problem in an embedded environment can be challenging, due to small sampling times and limited hardware and software resources (the availability of a QP solver is usually not guaranteed). First-order solvers, such as proximal-gradient and splitting methods (refer to [35,36] and the references therein for an overview), are valid solutions for this problem. In this respect, in the context of aerospace applications, in [37] we show on the RECONFIGURE benchmark model how the MPC problem can be solved efficiently by relying on these first-order solvers (in particular, by combining the use of Nesterov's dual fast gradient and the alternating direction method of multipliers). With this framework in mind, we define the model used to compute the predictions in the MPC controller. In particular, given (1)-(2), this model is computed as follows: [...] where [...]

Remark 6
Note that we use linearized aircraft models in the MPC problem formulation (as described in Section 2.1 as well) to explain our algorithm. Nevertheless, the approach can potentially be extended to linear parameter-varying (LPV) or linear time-varying (LTV) models [38,39,40,41].
In the remainder of the paper, we consider the following assumption:

Assumption 1
The augmented system is stabilizable.
Our goal is to control the longitudinal dynamics of the aircraft. In particular, our goal is to steer the output of system (6) to a desired reference value denoted by ν, which is generated by a pilot stick command. The reference value is measured at each sampling time and we assume that it is constant along the length of the prediction horizon in the MPC problem formulation. Furthermore, we have to take into account the constraints acting on state, input, and output, that are, $\mathcal{X}_{MPC}$, $\mathcal{U}$, and [...] formulation proposed in [23,24]. In particular, we can formulate our MPC problem as follows: [...] where $x_t \in \mathbb{R}^n$ and $u_t \in \mathbb{R}^{n_u}$ indicate the t-step-ahead state and control predictions, respectively. In addition, (7d) represents the constraints on the predicted state, input, and output ($G_x \in \mathbb{R}^{c \times n}$, $G_u \in \mathbb{R}^{c \times n_u}$, and $g_\theta = g$ in fault-free operating conditions) that follow from the definition of $\mathcal{X}_{MPC}$, $\mathcal{U}$, and $\mathcal{Y}_{MPC}$. Furthermore, $\theta_t \in \mathbb{R}^{n_u}$ is the vector of parameters used to generate the artificial steady state, input, and output $\hat{x}_t$, $\hat{u}_t$, and $\hat{y}_t$, respectively. $M_\theta$ and $N_\theta$ are suitable matrices (refer to [23] for details). For a prediction horizon of length N, the cost $l_t$ in (7a) is described as follows: [...] where [...] The main idea of the artificial reference associated with the parameters $\theta_t$ in Problem (7) is to generate a reference for the states and the control inputs that achieves the control objectives (i.e., the tracking of the reference ν) while satisfying the constraints on the system. This strategy allows one to compromise between tracking performance and feasibility of the solution when the commanded reference ν does not lead to feasible state and control trajectories. In this respect, note that in the cost the distance between the desired reference and $\hat{y}_t$ is penalized by a quantity $\rho_1 > 0$ (which is a tuning parameter of our design) in order to generate an output trajectory close to the desired one. At the same time, the constraints (7e) prevent the generated trajectory along the prediction horizon from becoming infeasible. This strategy has the following advantage compared to the one proposed in [22]. At every problem instance, if a jamming fault is detected on the actuators, a simple reconfiguration of the constraints on $\theta_t$ (i.e., changing the definition of $g_\theta$ according to the severity of the fault, but without changing the initial feasible region of the states and control commands) lets us generate a feasible reference signal for the state, input, and output that steers the system towards the new (post-fault) feasible region. This reference signal is clearly suboptimal (note that we are using the 2-norm in (8) to penalize the distance from ν, which is not an exact penalty), but it ensures a safer transition to the post-fault feasible region of the controller.

Remark 7
One concern when using this approach is related to the stability of the system controlled by the MPC controller. In [24] a terminal set for tracking is introduced in the MPC problem formulation to guarantee stability. When a jamming fault occurs, this impacts the definition of the terminal set, which shrinks according to the severity of the fault. While a rigorous stability proof is out of the scope of this manuscript (our main focus is to provide a strategy for active diagnosis of jamming faults using control reconfiguration and, consequently, in the remainder of the paper, we consider manoeuvres that do not impact the stability of the system), we provide different possible strategies/guidelines to design a robust MPC controller in the presence of faults:
1. The jamming faults can be considered as (possibly persistent) disturbances bounded in a given set W computed based on some heuristics (for example, by considering different fault combinations). The robust terminal set for tracking computed based on the worst combination of faults can then be used in the MPC formulation (leading to a tube-based MPC design [43] for tracking).
2. If in the current setup we include a terminal set for tracking (according to [24]), when a fault occurs, the only reconfigurations in the MPC problem formulation affect the parameters θ used to generate the artificial reference signal. The optimizer computes the best artificial reference trajectory to compromise between tracking performance and constraint satisfaction. Hence, if we tighten (according to the severity of the fault) the constraints associated with the parameters θ, this should directly prevent violation of the original terminal set for tracking (which remains unmodified for the states and control commands).
3. Alternatively, if we include a terminal set for tracking in the current MPC formulation (as in the previous point), a solution could be to tighten the terminal set by an amount proportional to the fault and to the uncertainties in the model. The terminal set associated with the augmented aircraft model also takes into account the dynamics of the actuators. Consequently, changes in the actuator bounds will impact the dynamics and the choice of the associated tightening parameters.
An interesting alternative to be investigated (as part of our future research and out of the scope of this manuscript) is the use of infinite horizon MPC formulations [44,45,46], which have recently been gaining increasing attention and can remove the requirement of a terminal set in the MPC problem formulation.
Note that the constraints on the artificial states (7e) are tightened, compared to (7d), by the quantity nl, which is computed by the disturbance observer (presented in Section 3.2) at each sampling time (E is the matrix used to select the subset of state constraints where the tightening occurs).
This additional tightening allows the controller to take into account the effects of the plant-model mismatches/nonlinearities, which are not modelled in the prediction model (7b) and cannot be modelled as constant disturbances (3). Consequently, the pairs $(\hat{x}_t, \hat{u}_t)$ are generated taking these plant-model mismatches into account, leading to a robust artificial reference generation without directly affecting the feasible region of the states and control inputs. Note that constraint tightening is a technique used in robust MPC to avoid infeasibility in the presence of disturbances (the interested reader can refer to [47] and the references therein).
Only the first element of u is implemented in closed loop, that is, the control law obtained using the MPC controller is given by: [...] and the closed-loop system is described by [...] With this framework in mind, the next section details the interactions between the FD module and the MPC controller to actively detect and diagnose the root cause of jamming faults.

INTERACTION FD-MPC
This section aims to describe the close interactions between the FD module and the MPC controller (described in Sections 3.3 and 3.4, respectively) in our proposed integrated FTMPC approach.
Figure 3 summarizes these interactions. In the following, we show how the fault information obtained by the FD module is exploited by the MPC controller and how the MPC controller actively modifies its reconfiguration strategies to assist the FD module in diagnosing the root cause of a detected elevator jamming.

Detection
As Figure 3 shows, during the detection phase, the FD module constantly monitors each elevator by evaluating its corresponding residual signal $e_{\delta_{e_i}}$ with $J_i$ in (4) ($i \in \mathcal{I}$). If the $J_i$ associated with the i-th elevator at time $t_{f_i}$ exceeds the predefined threshold $J^{th}_i$ or deviates from the others as described in Section 3.3, the FD module detects that the i-th elevator is jammed. At this stage, the root cause of the jamming is still unknown. Hence, the FD module sends a message to the MPC controller to activate the first reconfiguration (i.e., the reconfiguration for diagnosis in Figure 3).

Reconfiguration for diagnosis
The aim of the reconfiguration for diagnosis is to help the FD module understand the root cause of the jamming fault. The MPC controller checks the sign of $e_{\delta_{e_i}}$ at time $t_{f_i}$ to decide whether to modify $\overline{\delta}_{e_i}$ or $\underline{\delta}_{e_i}$, that is, the upper or the lower bound of the i-th elevator. Note that this modification in the MPC problem formulation affects only the definition of $g_\theta$ (i.e., the feasible region of the parameters θ used to generate the artificial reference signal). The idea is to temporarily set the jammed elevator bound to a tightened value $\delta^f_{e_i} \pm \gamma$, where $\delta^f_{e_i}$ is the measured value of the elevator at time $t_{f_i}$ and γ is a positive constant that should be tuned sufficiently small to preserve the performance of the controller but, at the same time, large enough to allow the residual signal to exceed the predefined threshold $J^{th}_i$ for a stuck elevator. Note that the positive or negative (±) sign depends on the bound that the MPC modifies, according to the description in Figure 3.
The MPC maintains this new γ-tightened bound for τ samples. On one hand, τ must be selected sufficiently large to ensure that the control commands u have time to adjust to the updated (in terms of feasible region) parameters θ. On the other hand, τ must be small enough to preserve performance (especially in case of false alarms or stuck faults). It is reasonable to set τ proportional to the prediction horizon N.

Diagnosis of the root cause
If $J_i(t_{f_i} + \tau) < J^{th}_i$ at the end of the diagnosis period, the FD module confirms a stall load as the root cause of the jamming fault, because the controller showed (using the reconfiguration for diagnosis) that the jammed elevator can still move within its reduced bounds. If $J_i(t_{f_i} + \tau) \geq J^{th}_i$, the FD module confirms a stuck elevator as the root cause of the jamming fault, because the faulty elevator was unable to reach the tightened bound.

Reconfiguration for stuck fault
As soon as the FD module communicates the root cause of the jamming fault, the MPC controller performs the second reconfiguration. If the diagnosis is that the elevator is stuck, the MPC controller performs the reconfiguration for the stuck elevator by setting both $\overline{\delta}_{e_i}$ and $\underline{\delta}_{e_i}$ in the definition of $g_\theta$ to $\delta^f_{e_i}$, as Figure 3 shows. In this way, the artificial reference is generated taking into account that the i-th elevator is permanently stuck at the fault position, and the reference for the remaining healthy elevators is adapted accordingly. This second reconfiguration is also the last one for the stuck elevator.

Reconfiguration for stall-load start
If the diagnosis is a stall load on the i-th elevator, the MPC controller performs the reconfiguration for stall-load start to allow the detection of the end of the stall load. In this respect, the controller sets the previously modified bound ($\overline{\delta}_{e_i}$ or $\underline{\delta}_{e_i}$, depending on the sign of $e_{\delta_{e_i}}$ at time $t_{f_i}$) to the new value $\delta^f_{e_i} \pm \alpha$, that is, the controller allows a feasible region for the i-th elevator that is larger by α > 0, but does not yet restore the original bound ($\overline{\delta}^o_{e_i}$ or $\underline{\delta}^o_{e_i}$). This new limit allows one to detect that the elevator deviates from the temporarily jammed position at the end of the stall load.

Remark 8
Setting α = 0 could prevent the FD module from monitoring the end of the stall load, because the elevator cannot follow a command that exceeds its reduced bound. Keeping the elevator bounds reduced because the end of a stall load was missed may lead to severe control performance degradation.

Detection of end of stall load
During the reconfiguration for stall-load start, the FD module constantly monitors the distance between the measured elevator position $\delta^m_{e_i}$ and its previously jammed position $\delta^f_{e_i}$. As long as this distance stays within a predefined tolerance, the FD module communicates that the stall load is still active on the i-th elevator and the MPC controller maintains its current formulation. When this condition is violated, the FD module communicates the end of the stall load to the controller and returns to monitoring the residual value.

Reconfiguration for stall-load end
When the stall load ends, the MPC must restore the original saturation limit (i.e., g θ = g), which is the last reconfiguration for the stall load.
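The detection, diagnosis and reconfiguration sequence of this section, together with the sliding-window residual RMS of Section 3.3, as an added Python example (this is not the paper's code). The values of $N_{eval}$, $J^{th}$, γ, τ, α, the end-of-stall-load tolerance and the elevator traces are constructed for the demo, the sign conventions for the γ- and α-modified bounds are my reading of the description above, and the actuator dynamics are idealised as instantaneous.

```python
import math
from dataclasses import dataclass, field


@dataclass
class FDConfig:
    """Tuning parameters of the FD/MPC interaction; all values are constructed for the demo."""
    n_eval: int = 5       # sliding-window length N_eval for the residual RMS
    j_th: float = 0.5     # detection threshold J_th (deg)
    gamma: float = 1.0    # tightening used by the reconfiguration for diagnosis (deg)
    tau: int = 6          # length of the diagnosis period (samples)
    alpha: float = 1.0    # enlargement used by the reconfiguration for stall-load start (deg)
    eps_end: float = 0.3  # deviation from delta_f that marks the end of a stall load (assumed)


@dataclass
class ElevatorFD:
    """FD logic for one elevator plus the bounds it hands to the MPC's g_theta."""
    lo_orig: float
    hi_orig: float
    cfg: FDConfig
    state: str = "monitor"
    window: list = field(default_factory=list)
    t_f: int = -1
    delta_f: float = 0.0
    lower_side: bool = True       # True: the lower bound is the one being modified
    bounds: tuple = (0.0, 0.0)
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.bounds = (self.lo_orig, self.hi_orig)

    def residual_rms(self, e):
        """J_i(t): RMS of the prediction error over the last N_eval samples."""
        self.window.append(e)
        del self.window[:-self.cfg.n_eval]
        return math.sqrt(sum(v * v for v in self.window) / len(self.window))

    def _diag_bound(self, delta_f):
        # Tightened bound delta_f +/- gamma: the MPC may only command gamma past the jam,
        # which a stall-loaded elevator can reach but a stuck one cannot.
        g = self.cfg.gamma
        return (delta_f + g, self.hi_orig) if self.lower_side else (self.lo_orig, delta_f - g)

    def _stall_bound(self, delta_f):
        # Bound alpha beyond the jam: the elevator visibly leaves delta_f once the load ends.
        a = self.cfg.alpha
        return (delta_f - a, self.hi_orig) if self.lower_side else (self.lo_orig, delta_f + a)

    def step(self, t, delta_m, delta_p):
        """One sampling period; returns the (lower, upper) elevator bounds for g_theta."""
        e = delta_m - delta_p                # e_delta: measured minus predicted output
        j = self.residual_rms(e)
        c = self.cfg
        if self.state == "monitor" and j >= c.j_th:
            self.t_f, self.delta_f = t, delta_m
            self.lower_side = e > 0          # measured above the prediction: it could not go down
            self.bounds = self._diag_bound(delta_m)
            self.state = "diagnose"
            self.events.append((t, "detected"))
        elif self.state == "diagnose" and t == self.t_f + c.tau:
            if j < c.j_th:                   # the elevator followed the tightened bound
                self.bounds = self._stall_bound(self.delta_f)
                self.state = "stall"
                self.events.append((t, "stall-load"))
            else:                            # it stayed put: permanently stuck
                self.bounds = (self.delta_f, self.delta_f)
                self.state = "stuck"
                self.events.append((t, "stuck"))
        elif self.state == "stall" and abs(delta_m - self.delta_f) > c.eps_end:
            self.bounds = (self.lo_orig, self.hi_orig)   # g_theta = g again
            self.state = "monitor"
            self.window.clear()              # restart the residual window after the fault
            self.events.append((t, "stall-end"))
        return self.bounds


def simulate(fault, steps=40, t_jam=3, delta_f=-5.0, stall_end=22, cfg=None):
    """Constructed closed-loop run. The MPC command is a step to -8 deg clipped to the
    current g_theta bounds, and the actuator dynamics are idealised as instantaneous."""
    fd = ElevatorFD(-15.0, 15.0, cfg or FDConfig())
    lo, hi = fd.bounds
    for t in range(steps):
        cmd = 0.0 if t < t_jam else -8.0
        delta_p = min(max(cmd, lo), hi)          # predicted output: command inside g_theta
        if t < t_jam:
            delta_m = delta_p                    # healthy elevator tracks the command
        elif fault == "stuck":
            delta_m = delta_f                    # permanently locked at delta_f
        else:                                    # stall load: cannot go below delta_f until it ends
            floor = delta_f if t < stall_end else fd.lo_orig
            delta_m = min(max(delta_p, floor), fd.hi_orig)
        lo, hi = fd.step(t, delta_m, delta_p)
    return fd.events, fd.bounds


if __name__ == "__main__":
    for fault in ("stuck", "stall"):
        print(fault, simulate(fault))
```

Running the stuck case with a γ smaller than $J^{th}$ (for instance FDConfig(gamma=0.2)) makes the residual stay below the threshold during the diagnosis period, so the stuck elevator is misdiagnosed as a stall load; this is the γ tuning caveat stated above.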

Remark 9
The MPC reconfiguration can handle more than one elevator fault at a time, thanks to the decoupled structure of the FD module, which monitors each elevator independently. In this work, however, we consider symmetric faults, that is, if a jamming fault occurs on the left inner elevator, the same fault occurs on the right inner elevator. The reason for this choice is that nonsymmetric faults affect the lateral behavior of the aircraft and would require a different (more complex) model to build the MPC predictions.

Remark 10
Compared to [22], the reconfigurations in the MPC problem formulation do not affect the states and the control commands, but only the feasible region of the parameters θ. These reconfigurations affect the way the artificial reference is generated and allow a smoother transition from the fault-free feasible region to the faulty one (by generating a feasible reference signal for the states and actuators at every problem instance).

Discussion
The proposed approach relies on the interactions between the FD unit and the MPC controller. In this work, we proposed a simple FD design and an LTI MPC formulation to simplify the presentation of our approach (as pointed out in Remarks 3 and 6).
The success of our proposed algorithm depends on the accuracy of the detection and diagnosis.
In general, the fault detection and diagnosis accuracy depends mainly on N_eval, J^th_i and τ. These parameters determine the delay from fault occurrence to control reconfiguration. On one hand, if we set these parameters so that the delay is short, the FD results are less accurate and, consequently, control performance is sacrificed. On the other hand, if we set those parameters so that the delay is larger, the FD results are more accurate, but the control performance is still sacrificed (due to the larger delay). This suggests a trade-off in the waiting time before the reconfiguration.
A detailed theoretical analysis of such an integration for FD parameter tuning is an open theoretical challenge [48]. Nevertheless, the intuitive understanding above provides a guideline for tuning.
The proposed design is robust to scenarios that might lead to misdetection or misdiagnosis of actuator faults. For example, if the reconfiguration for diagnosis is triggered by a misdetection in the FD unit, a temporary reconfiguration of the actuator bounds is performed, leading to τ time instances of conservative behavior. In most cases, the redundancy in the number of actuators (which allows the control action to be reallocated to the healthy control surfaces) mitigates the conservatism due to the misdetection.
A more severe situation that the proposed algorithm does not address is the misdiagnosis of a stuck fault. In particular, suppose that τ is too short and the residual signal does not have enough time to decrease during the diagnosis phase. In this scenario, our algorithm diagnoses a stuck fault for a healthy elevator. This misdiagnosis can seriously affect the performance, especially if all the longitudinal control surfaces are erroneously diagnosed as stuck. The algorithm can be modified to include additional control surfaces (e.g., the ones associated with the lateral dynamics) to compensate for the fault, or techniques to recover from the misdiagnosis of a fault must be implemented for this particular scenario.

SIMULATION RESULTS
This section presents numerical results of our integrated control strategy on an Airbus simulator that has been the benchmark model of the RECONFIGURE project [25].
The threshold J^th_i in the FD module is selected according to the guideline of Section 3 and is equal to 0.40 for the inner elevators and to 0.65 for the outer elevators (the thresholds are different given the differences between the inner and outer elevator models). In addition, we implemented the detection strategy that exploits redundancy described in Section 3.3. In this respect, the FD unit detects a fault on the i-th elevator if J_i ≥ 4J_j, i ≠ j, i, j ∈ I, that is, when the residual signal of the i-th elevator is four times larger than the residual signals of the other elevators. In addition, we selected the time required for the diagnosis of the root cause of the jamming as τ = N T_s (N = 20 is the length of the prediction horizon and T_s := 0.04 sec is the sampling time of the system), that is, τ is selected proportional to the prediction horizon used in the MPC problem formulation. Another parameter that requires a trade-off between performance and accuracy is γ, used to tighten the faulty-elevator constraints during the reconfiguration-for-diagnosis phase. We noticed that a small value of γ (e.g., 1% of the maximum allowed control command) is sufficient for the diagnosis. Finally, we selected α sufficiently large (e.g., 3γ) to avoid false alarms in the detection of the stall-load end right after the diagnosis phase.
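As an added example (not the paper's code), the following Python sketch replays the reconfiguration sequence of the previous section with the parameter values chosen here: the detection rule combining the threshold J^th_i with the redundancy test J_i ≥ 4J_j, the diagnosis after τ = N T_s, and the bound updates for diagnosis (γ), stuck elevator, stall-load start (α) and stall-load end. The normalised maximum command DELTA_MAX, the sign convention for e, the combination of the two detection tests, and the end-of-stall test |δ^m_ei − δ^f_ei| > α are assumptions, as are the constructed residuals and positions.

```python
from dataclasses import dataclass, replace

J_TH = {"inner": 0.40, "outer": 0.65}  # residual thresholds J_th_i (paper)
RATIO = 4.0                            # redundancy rule J_i >= 4 J_j, j != i (paper)
DELTA_MAX = 1.0                        # ASSUMED: normalised maximum elevator command
GAMMA = 0.01 * DELTA_MAX               # gamma = 1% of the maximum command (paper)
ALPHA = 3 * GAMMA                      # alpha = 3 gamma (paper)

@dataclass(frozen=True)
class Bounds:
    lo: float  # lower limit of the i-th elevator range used to build g_theta
    hi: float  # upper limit

def detect(J, kinds, i):
    """Fault on i: J_i above its threshold, or (ASSUMED either test) RATIO times every other residual."""
    others = [J[j] for j in range(len(J)) if j != i]
    return J[i] >= J_TH[kinds[i]] or (J[i] > 0 and all(J[i] >= RATIO * Jj for Jj in others))

def reconf_diagnosis(b, delta_f, e):
    """Move the bound on the side e points to (ASSUMED: e > 0 -> upper) to gamma from delta_f."""
    return replace(b, hi=delta_f + GAMMA) if e > 0 else replace(b, lo=delta_f - GAMMA)

def diagnose(J_i_after_tau, kind):
    """Root cause after tau = N*Ts: residual back below threshold -> stall load, else stuck."""
    return "stall_load" if J_i_after_tau < J_TH[kind] else "stuck"

def reconf_stuck(delta_f):
    """Stuck elevator: both bounds collapse onto the fault position (last reconfiguration)."""
    return Bounds(delta_f, delta_f)

def reconf_stall_start(b, delta_f, e):
    """Stall load: widen the modified bound to delta_f +/- alpha; original bound not restored."""
    return replace(b, hi=delta_f + ALPHA) if e > 0 else replace(b, lo=delta_f - ALPHA)

def stall_load_over(delta_m, delta_f):
    """ASSUMED end-of-stall test: measured position has left the alpha neighbourhood of delta_f."""
    return abs(delta_m - delta_f) > ALPHA

def run_sequence(original, delta_f, e, J_tau, positions, kind="inner"):
    """Diagnosis -> stuck, or diagnosis -> stall-load start -> end; returns the bound history."""
    b = reconf_diagnosis(original, delta_f, e)
    history = [("diagnosis", b)]
    if diagnose(J_tau, kind) == "stuck":
        return history + [("stuck", reconf_stuck(delta_f))]
    history.append(("stall_start", reconf_stall_start(b, delta_f, e)))
    for delta_m in positions:  # constructed measurements taken after the diagnosis phase
        if stall_load_over(delta_m, delta_f):
            history.append(("stall_end", original))
            break
    return history
```

With symmetric inner-elevator faults both inner residuals rise together, so the redundancy test alone does not fire and detection relies on the threshold, which is the limitation discussed in the conclusions.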
We trimmed the aircraft at an altitude of 12,500 feet and a calibrated airspeed of 335 knots (inside the flight envelope), and we used the linearized model of the aircraft at the trimmed operating condition to build the MPC prediction model. Our aim is to track a doublet signal on the vertical load factor, that is, ν := n_z^ref. Specifically, we consider a sequence of two doublets of different amplitude. The first doublet starts at 0.04 sec and ends at 20.04 sec, and its value exceeds the allowed constraints on the vertical load factor. The second doublet starts at 30.04 sec and ends at 50.04 sec, and its value remains within the constraints on the vertical load factor. We study the performance of our integrated design in the following scenarios:
• Stall load occurring on the inner elevators at 2.65 sec from the beginning of the simulation.
• Stuck fault occurring on the inner elevators at 2.65 sec from the beginning of the simulation.
The baseline to evaluate the performance of the proposed integrated design is the behavior of the system controlled by the MPC in the fault-free case. Note that we simulate the occurrence of the faults during the first doublet, when the reference signal starts exceeding the vertical load factor bounds. Furthermore, in the following, recall that all the reconfigurations operate on the feasible region of the artificial reference signal (as discussed in Section 4) and do not affect the original feasible region of the states and actuators. The detection and diagnosis of the fault is fundamental for the performance of the controller. In particular, as shown in the last row of Figure 5, the FD unit alerts the MPC controller as soon as the residual signal J_i of the inner elevators starts to increase abnormally with respect to the one of the outer elevators. When the anomaly is detected, the MPC performs the reconfiguration for fault diagnosis (first row) and adapts the reference signal to maintain feasibility. At the end of the detection time, given that the residual signal is below the threshold, the FD unit notifies the MPC controller of the occurrence of a stall load. Note that, at the end of the detection phase, the inner elevators are no longer in stall, but they remain close (within α) to the lower bound. Hence, the FD unit keeps the stall load on (highlighted in grey in Figure 5). As soon as the inner elevators move away from their reduced saturation bounds, the stall load ends and the MPC controller restores the original elevator bounds.
would not be able to maintain the system within its feasible region and ensure stability.
Performance is maintained (compared to the fault-free case depicted in dash-dotted green lines) with limited loss thanks to the reallocation of the control authority to the healthy outer elevators (second and third row of Figure 7). The minor performance loss is due mainly to the inner elevators being stuck at a nonzero value and to the physical rate limitations of the actuators, which affect the response of the outer elevators to the loss of the inner ones.

CONCLUSIONS
We presented a novel fault-tolerant controller tailored to aerospace applications. Our approach relies on the close interaction between a fault-detection (FD) module and a model predictive controller (MPC). The FD module exploits the controller to diagnose the root cause of the elevator jamming, and the MPC exploits the information provided by the FD module to better handle the jamming.
We showed on an Airbus passenger aircraft simulator the benefits that our strategy can bring to the performance of the control system.
As the numerical example showed, the proposed design is effective for the detection and active diagnosis of jamming faults that can occur on the aircraft actuators. Furthermore, the reconfiguration and fault-tolerant reference generation allow one to preserve the tracking performance after the occurrence of the fault.
A limitation of the current approach is related to the definition of the threshold used to activate the diagnosis. Exploiting the information provided by the other actuators helps the early detection of the faults, but if all the control surfaces are affected by a fault (e.g., in case of temporary jamming) the choice of the threshold remains critical. As part of our future work, we plan to investigate different strategies for the threshold selection (for example, by exploring the relationship with the amplitude of the reference signal and disturbances) to improve the detection of the fault.

Figure 1. Overview of the elevator jamming scenarios considered in the paper.

Copyright © 2010 John Wiley & Sons, Ltd. Int. J. Robust. Nonlinear Control (2010). DOI: 10.1002/rnc

This estimated disturbance d ∈ R^nd (n_d = 5) affects the predicted elevator outputs, the aircraft states, and the aircraft outputs. Hence, we must consider this disturbance as an additional state in the MPC prediction model, as explained below.

Figure 3. Description of the FD-MPC interaction.

Figures 4 - present the results obtained using the proposed algorithm (i.e., the integrated FD-MPC

Figure 4 details the behavior of the vertical load factor. During the first part of the manoeuvre the

Figure 4. Comparison of the vertical load factor tracking performance in the fault-free case (dot-dashed green line) and when a stall load on the inner elevators (at 2.65 sec from the beginning of the simulation) is detected and diagnosed using the proposed integrated design (solid blue line).

Figure 6 details the behavior of the vertical load factor. During the first part of the manoeuvre

Figure 7 presents the behavior of the elevators and of the residual signals during the detection and

Figure 5. Comparison of the elevator behaviors (rows 1-3) in the fault-free case (dot-dashed green line) and when a stall load on the inner elevators is detected and diagnosed using the proposed integrated design (solid blue line). The last row depicts the behavior of the residual signals used to detect and diagnose the fault. The grey area highlights the duration of the reconfiguration for stall-load start.

Figure 6. Comparison of the vertical load factor tracking performance in the fault-free case (dot-dashed green line) and when a permanent jamming of the inner elevators (at 2.65 sec from the beginning of the simulation) is detected and diagnosed using the proposed integrated design (solid blue line).

Figure 7. Comparison of the elevator behaviors (rows 1-3) in the fault-free case (dot-dashed green line) and when a stuck fault on the inner elevators is detected and diagnosed using the proposed integrated design (solid blue line). The last row depicts the behavior of the residual signals used to detect and diagnose the fault. The grey area highlights the reconfiguration for the stuck fault.

is the state vector, which includes the pitch rate, roll rate, ground speed, angle of attack, pitch angle, and altitude, respectively; u_A/C := [δ_eli δ_eri δ_elo δ_ero] ∈ U ⊆ R^nu is the control input, with δ_eli, δ_eri, δ_elo, and δ_ero representing the left inner, right inner, left outer, and right outer elevator deflections, respectively; and y_A/C := [n_z x^T]^T ∈ Y_A/C ⊆ R^{ny_A/C} is the output vector, with n_z representing the vertical load factor, which is a quantity related to the acceleration on

present the results obtained using the proposed algorithm in case of permanent jamming of the inner elevators. In this scenario the outer elevators are healthy.