Design and aircraft‐in‐the‐loop validation of structured‐H∞ self‐scheduled fault‐tolerant controllers

This paper presents the design of a self‐scheduled fault‐tolerant controller for the lateral/directional motion of MuPAL‐ α$$ \alpha $$ research aircraft using a polynomial‐scheduled structured H ∞$$ {}_{\infty } $$ control. The controller is designed to be tolerant against loss‐of‐efficiency faults in the aileron and rudder, but based on industrial best practices it is scheduled with respect to an overall fault level instead of with respect to the individual faults. The performance and robustness of the resulting controller is verified first using frequency and time domain analysis, and subsequently it is validated in the Aircraft‐In‐the‐Loop configuration of MuPAL‐ α$$ \alpha $$ , where the real aircraft is operated in research Fly‐By‐Wire mode by the pilot on‐ground while coupled to an emulation computer that simulates the aircraft flying motion. The results show good behavior of the controlled aircraft across the defined fault scenarios.

bridging the gap between academic research and industrial practice, instead of proposing computationally intensive solutions the focus is placed on optimizing (or slightly modifying) control architectures that are known and proven in an industrial setting.Indeed, Airbus strategy for fault tolerance relies on a high level of hardware redundancy, but also on reconfiguration of the control laws in the event of faults.In normal conditions, a so-called normal law is active, which provides nominal performance and protection (stall, over-speed, load factor, etc.); while in the event of a fault, the flight control computer may switch to an alternate law that allows flight to continue but with reduced protection. 9If a more severe fault or multiple faults are encountered, a direct law is activated, where all protections are deactivated and manual trim by the pilot is necessary.
One approach to ensure that the controller provides sufficient performance and robustness across a wide range of faults is to manually schedule it with respect to a signal that provides an estimate of the fault. 4Manually scheduling, however, relies on heuristics and lacks theoretical guarantees and systematic design rules. 10An alternative is to use the linear parameter-varying (LPV) framework which provides a methodological way to schedule a controller, see for example, Reference 11 for an example of an LPV aircraft control design and validation against aileron and rudder faults, as well as. 12More recently, an approach (equivalent in many aspects to the LPV method) has appeared based on a so-called self-scheduling extension of the structured H ∞ optimization technique. 13,14The advantages of this design technique are the possibility of defining a priori the structure of the controller together with the robustness and multivariable capabilities inherent to H ∞ control.
In terms of recent applications of the above techniques, Reference 15 provides a comparison of structured versus classical fault-tolerant H ∞ control for the longitudinal motion of a large commercial aircraft using an Airbus-developed high-fidelity, nonlinear simulator.Continuing this work, but for a different aircraft, Reference 16 showed the first published results of a flight testing campaign for a structured H ∞ controller.From the path of self-scheduled design (using structured H ∞ control) References 17,18 presented designs of a longitudinal flight control for simplified simulators.And from the perspective of fault tolerant designs, Reference 19 shows the design of a self-scheduled FTC controller for a hexacopter unmanned aerial vehicle (UAV) with six scheduling parameters, one per each of the possible six actuator loss-of-efficiency (LoE) faults.In an attempt to reduce the number of scheduling variables, that reference also performed a design scheduling with respect to four virtual actuator faults representing the forces and moments acting on the UAV.This reduction of scheduling parameters (especially in fault cases) is important in order to keep the complexity of the controller synthesis procedure, as well as its numerical implementation, at a practical level.This concern is all the more important when considering scaling up FTC solutions to commercial aircraft, since the number of actuators can quickly become unmanageable.As an example, the Airbus A380 aircraft has two pairs of elevators and a trimmable stabilizer for longitudinal control and three pairs of ailerons and one pair of rudder panels for lateral/directional control, plus six pairs of spoilers to complement roll control. 20In such cases, scheduling with respect to individual faults becomes impractical.
To address the practicality of the approach, in this article the scheduling of the controller is made with respect to a virtual signal that represents the overall fault level of the aircraft.This approach is also in keeping with Airbus' practice 21 as the underlying idea is to adapt the control laws according to the fault level of the aircraft, trading off the performance achieved in nominal conditions for increased safety in the presence of faults.With this arrangement, in close-to-nominal conditions the controller is designed in such a way so as to privilege satisfaction of performance and handling constraints, and in the case of faulty scenarios the design shifts to safety constraints.This would make it possible to maintain the advantages of FBW control systems in the presence of faults that do not amount to critical failure.In addition, by smoothly adapting the control law instead of switching controllers, issues such as bump transfer and/or switching dynamics are avoided.This solution, although favorable from a safety-versus-performance perspective, presents two drawbacks: first, the resulting control law is sub-optimal in the sense that a fault in one actuator would lead to a decrease in performance for the whole aircraft (despite the faulty actuator potentially affecting only one of the aircraft motions).Second, as the controller is scheduled with respect to a virtual fault level then the action against faults with the same level but potentially different aircraft dynamic responses will be the same.These two issues could introduce an unwarranted level of conservatism in the design, but despite this the advantages related to scheduling with respect to a single variable (i.e., scalability as well as ease of tuning and implementation) are deemed more important.
In summary, this article presents the design of a self-scheduled FTC for the lateral/directional motions of MuPAL-, a research aircraft owned and operated by JAXA. 22The controller is designed with a polynomial scheduling rule using structured H ∞ control to be robust against LoE faults in the aileron and rudder.The adopted structure for the controller is a modified version of the traditional Y * control law used by Airbus. 3,21Therefore, the main contributions of this paper are twofold: the methodological design of a self-scheduled Y * controller using structured H ∞ control for improved fault tolerance based on the overall fault level, and its implementation and validation in a real Aircraft-In-the-Loop (AIL) setup (so called to distinguish it from the lab-based hardware-in-the-loop, HIL, benches).
The paper is structured as follows: Section 2 describes MuPAL- and its AIL setup, this is followed by a brief presentation of the models used in the design.The scheduling rationale of the self-scheduled control law and the synthesis of the FTC controller are presented in Section 3.Then, Sections 4 and 5 present respectively the controller/closed-loop analyses and the validation of the controller in AIL tests.Finally, section 6 ends with the conclusions.

ARCHITECTURE, MODEL AND FAULTS
This section presents the controller architecture and introduces MuPAL- together with the models used in the design.The structure of the controller is presented in Section 2.1.Then, Section 2.2 provides a brief description of MuPAL- while Section 2.3 describes the models (both of the aircraft and of the considered faults) used in the design.

Controller architecture
The lateral/directional control structure adopted in this work is similar to the Y * control law presented in Reference 3. The name of this architecture is less known than its longitudinal counterpart, the C * law, 15,23 but both represent the most common flight control architectures used in commercial aircraft. 24,25he modified Y * structure used includes the addition of integrators for the  and  tracking errors, see Figure 1.The control architecture is composed of feedforward K FF and feedback K FB gains together with a first order transfer function to transform the stick and pedal commands from the pilot into roll and sideslip reference commands,  c and  c , respectively.The tuning of the latter transfer function is done a posteriori by means of the gain k, so the design focus is that of obtaining the feedforward and feedback gains for adequate performance and robustness in the tracking of the reference command signals.
Standard, no-fault, Y * control design objectives are: 11 [Obj-1] roll angle tracking with response time of less than 4 s and 0 • steady-state error, [Obj-2] sideslip angle tracking with response time of less than 2 s and 0 • steady-state error, [Obj-3] decoupled sideslip and bank angles responses to each others step commands with less than respectively ±0.05 • and ±0.5 • , and [Obj-4] robustness to actuator time delays (see the ranges given in (2)) and airspeeds between [100, 200] knots.
In the classic Y * controller architecture, the blocks K FF and K FB are a set of static gain matrices designed at different operating points of the flight envelope (altitude and airspeed) and then manually scheduled, ensuring ad hoc that the behavior is homogeneous across the flight points.Since the focus of this work is on fault tolerance, to ease understanding (and without loss of generality) the FTC design will focus on a single flight point in terms of airspeed and/or altitude.The design challenge is then to provide fault tolerance with respect to loss of efficiency (LoE) faults on the aileron and rudder actuators by means of obtaining feedforward and feedback gains that vary with respect to the fault level.It is noted that the presented fault tolerant control (FTC) approach does not strictly require a fault identification (FI) scheme as it is based on an overall fault level.Nonetheless, in practical terms, to provide the required fault level either local fault estimation (FE) schemes at each of the actuators are necessary (which then directly result in identification of the faulty component), or a global fault detection and isolation (FDI) scheme must be used (which performs the identification task by design).In view of this, the following assumption is made.
Assumption 1.It is assumed that corresponding FE or FDI schemes are available, and that they provide an estimate of the fault of sufficient quality-that is, within negligible effects from those of the true fault value.

MuPAL-𝜶: In-flight and aircraft-in-the-loop simulator
MuPAL- is a research aircraft based on the Dornier 228-202 fixed-wing turboprop aircraft, see Figure 2A.It was developed by JAXA as a multi-purpose aviation laboratory equipped with a research Fly-By-Wire system that allows flight testing new controllers as well as emulating in flight other aircraft.In addition to flight tests, MuPAL- also offers the possibility of performing Aircraft-In-the-Loop (AIL) tests, see Figure 2B.In this configuration, tests are performed on ground with the help of an emulation computer where the aircraft motions are simulated and fedback to the flight control computer as well as to the pilot via a 3D outside view.Apart from aerodynamic effects, this configuration provides an environment that is very close to actual flight conditions, with the possibility to include gust and software-implemented faults.This provides an advantage over lab-based Hardware-In-the-Loop (HIL) tests, as in this case the full aircraft, including all avionics (i.e., flight control computer, FBW system), and actual hardware (actuators and sensors), is inside the loop.Based on feedback given by pilots and on JAXA's experience, the behavior verified in AIL is very close to that during flight tests, which thus allows the AIL tests to assess the technology readiness level (TRL) of a design close to actual flight conditions.For this reason, in this paper the term AIL is preferred over the more broad notion of HIL.For more details about MuPAL-, the reader is referred to References 11, 26, 27.

Model and faults
For controller design, a set of continuous-time linear models for the lateral/directional motion of MuPAL- are obtained from linearization across its flight envelope (see e.g., Reference 11).The models have as state vector x = (v, p, , r) T , whose components represent the lateral velocity, roll rate, roll angle and yaw rate, respectively.The inputs are given by u = ( a ,  r ) T , that is, the aileron and rudder control surface angles.The ailerons move anti-symmetrically via a wheel and cable system, which is controlled by a servo motor in the FBW system.For this reason, a single aileron actuator is considered, and faults are assumed to intervene at the wheel/cable level, and hence affect both ailerons identically.The outputs are given by y = (, p, , r) T , where  is the sideslip angle.The model used for design in this work is linearized at the equivalent airspeed of 120 knots and an altitude of 5000 ft.This point was chosen as it represents a typical flight condition in which MuPAL- is flown during flight tests.The aileron and rudder actuators are modeled as first-order transfer functions with uncertain delays: It is noted that these actuator models do not take into account the effect of aerodynamic pressure, since the controllers will be verified in AIL tests (i.e., on ground).The specific uncertain delay ranges used are: The actuators are assumed to be prone to LoE faults, which are modelled by an effective gain k eff,• = (1 −  • ) where  • , for • ∈ {a, r}, is the loss of efficiency in the aileron and rudder respectively.Note that  • = 0 represents the nominal case while  • = 1 represents total failure.The objective of the controller is to guarantee stability and keep a certain level of performance as  a and/or  r increase.Such faults typically occur independently, but the controller must be able to cope with simultaneous faults in both actuators to emulate scenarios with a cascade of faults.

SELF-SCHEDULED FAULT-TOLERANT CONTROLLER DESIGN
This section presents the design of the fault-tolerant self-scheduled controller, hereby denoted K SS , which comprises the feedforward and feedback terms K FF and K FB , as shown in Figure 1 (albeit with gains scheduled according to fault information, as it will be discussed below, see e.g., Figure 4).Section 3.1 describes the scheduling strategy used, which is composed of two main steps: the selection of the scheduling variable and the selection of the scheduling function.These steps, as with the standard gain-scheduling approach, are based on heuristics as well as engineering judgement.Subsequently, the controller synthesis, which is based on the structured H ∞ control, is presented in Section 3.2.

Scheduling variables
The first step in the design of a scheduled controller is to select the scheduling variables.As discussed in Section 2, in this work the scheduling does not focus on flight condition (e.g., altitude, airspeed … ) but rather on performance in the event of faults.For this reason the aileron and rudder LoE faults,  a and  r , are natural candidates as scheduling variables.But, with the aim to simplify the complexity of the scheduling and also based on Airbus's state-of-practice 21 (i.e., that posits that the increase in fault levels should lead to a shift in focus from performance to safety), it is proposed to use a signal representing the overall fault level to which the aircraft is affected.Therefore, since faults are critical for safety and the control law that is activated should consider the worst situation, the chosen signal  represents the maximum fault acting on the system With this approach, the applicable control laws are scheduled with respect to a single variable reflecting the fault level of the aircraft, which simplifies the design and implementation of the scheduling controller.The drawback is that it might be overly conservative given that a fault in a single actuator leads to modification of the active controller.This means that the focus on safety might be over-emphasized, but it is noted that such is also the rationale behind civil commercial aviation.

Scheduling function
The next step in the controller design is to choose the scheduling function.This function defines how the controller parameters, that is, gain matrices K FF and K FB , depend on the scheduling variable.Essentially, each element of K FF and K FB is defined as a function of  using a predefined structure.As aforementioned, the typical approach to obtain scheduled controllers is to design individual controllers for a few operation points and then interpolate them.The end-product is then a piecewise-affine scheduling function defined from heuristics.This approach has several drawbacks: (1) There is no standard procedure for selecting the operation points for design; (2) It is not straightforward to establish the domain in which each controller operates, and where/how two different but adjacent controllers are interpolated; and (3) the scheduling function is not smooth due to the piecewise-affine interpolation.The design of manually scheduled controllers relies on effort-intensive trial-and-error, with the control engineer having to iterate many times around the design-implement-verify loop until performance and robustness are acceptable.
In this work, a polynomial scheduling function is chosen for the structure of the scheduling function following Reference 17. Polynomial functions have the advantage of being inherently smooth, thus avoiding issues when transitioning from one region of the scheduling space to another.Furthermore, the designer is not required to define the regions where each controller is active or the regions where the interpolation takes place, as is the case in the piecewise-affine approach.The controller is simply defined by the polynomial rule over the entire scheduling space.These points effectively mitigate the aforementioned issues (2) and (3).As another advantage, by using a polynomial function and the structured H ∞ synthesis, the scheduling rule can be systematically designed at the same time as the controller gains.More details about this are provided in the next section.
With respect to issue (1), it should be noted that no previous design at individual operation points is strictly required.Nonetheless, given the non-smooth and non-convex optimisation involved in structured H ∞ synthesis, 13 it is good practice to initialize the optimization if any is available since otherwise the solver might converge to local minima and produce controllers with very poor performance.
Finally, the order of the polynomial scheduling function is flexible, but must be fixed a priori for controller synthesis.This requires the designer to compromise and trade-off between flexibility of the polynomial function and numerical complexity.Indeed, as the order increases, the scheduling rule accommodates more variation throughout the fault space, but this means that for every iteration of the control algorithm a higher-order polynomial function must be evaluated, which might overburden the computational capacity of the flight control computer.The selection of the order is heuristic and thus in this work the design is performed for polynomial orders starting at 1 and the resulting performance is evaluated before increasing the order.For MuPAL- and the defined fault-tolerant design problem, polynomials of order up to 3 were tested but an order of 2 was found to suffice.

Self-scheduled controller synthesis
The -based lateral/directional MuPAL- self-scheduled FTFC system is designed following two steps (these are described in this section, while the analysis of the resulting controller is presented in Section 4): 1. Synthesize three LTI controllers for nominal, light-fault, and severe-fault conditions*.
2. Synthesize the self-scheduled FTFC design using the above controllers as initial gains, setting a polynomial function with respect to , and using the multi-model synthesis option to obtain the coefficient matrices of the final controller.
The structured H ∞ approach is used whereby the controller is found by solving the following optimization problem where  represents the fixed structure of the controller and C(s) is a set of frequency-domain constraints set by the control designer to impose the desired performance/robustness of the closed-loop system.Three main advantages of structured H ∞ control are: its capability to optimize the controller gains for a fixed structure, the flexibility in establishing C(s) (which allows to impose constraints on individual combinations of inputs/outputs), and that it also allows to perform multi-model design. 28,29he main drawback of structured H ∞ synthesis, in comparison to traditional H ∞ control, comes from the fact that constraining K to have the fixed structure defined by  leads to a non-convex and non-smooth optimization problem.This is circumvented by searching for local minima from wide variations of initial gain setup, but there is no guarantee that other better controllers with the same structure do not exist.As aforementioned, the way to deal with this is by performing single-point designs at a set of operating points and using those as initial conditions on the search for .Further to the previous comments on this issue, it is noted that this strategy can be expected to produce acceptable results provided that the individual controllers do not deviate largely from one another since, and this is an advantage of self-scheduled design approaches, the individual controllers are only a basis used during the self-scheduled design and the final controller optimizes simultaneously all the individual controllers at the given scheduling points.Thus, the approach is not restricted to be fixed at these a priori designed controllers, but it is eased if they are to a certain extent similar in behavior.For the first step, the three controllers obtained, and their domain in the fault space, are presented in Figure 3: K ROB (green), K FTC-A (yellow), K FTC-B (red) and the resulting self-scheduled controller K SS (blue).It is observed that there is no overlap between K FTC-A and K FTC-B .This is not a problem since during the synthesis of K SS (i.e., the second design step) the entire fault space is taken into account with K ROB , K FTC-A and K FTC-B serving only as initial controllers.The figure also shows in colored dots the models that are used in the multi-model design of each initial controller.Recall that for small  a and  r , the controller is designed to provide performance, while at high-fault scenarios the focus is shifted to aircraft safety.
The design of K ROB and K FTC-A is reported in Reference 30 (where K FTC-A is referred to simply as K FTC ), and thus not reproduced here but only cursory described.K ROB is designed without taking into account faults, thus emphasizing control performance of the lateral/directional control loop.K FTC-A , on the other hand, is designed using a multi-model strategy to passively (i.e., without scheduling) improve the behavior of the aircraft in the presence of actuator LoE faults, including the nominal case and faults at 40%.The last controller, K FTC-B , is designed following the same methodology employed in the design of K FTC-A , but considering fault levels from 50% up to 85% (and not including the nominal case since efforts to generate a single controller for the whole range were fruitless if a homogeneous, acceptable performance across points is desired).In line with the strategy outlined in Section 3.1, the design of K FTC-B also includes relaxed performance requirements since the objective is no longer to provide swift responses but to allow the pilot to safely control the aircraft.For ease of readability, the design of K FTC-B is given in Appendix A.
For the self-scheduled design, the scheduled gain matrices K FF and K FB are designed as polynomial matrix functions dependent on the signal  = max( a ,  r ).Hence, each controller is represented by the matrix function with # ∈ {FF, FB} and where m is the fixed degree of the polynomial.The value of m is a design choice that is selected to achieve a trade-off between the complexity of the control law and the performance it provides.There is no explicit rule for choosing m, and it is general practice for designers to start at m = 1 and then resynthesize the control laws for increasing values of m to assess whether the increase in complexity is justified by a sufficient increase in performance, see for example, Reference 31.For the control laws reported in this paper, values of m ∈ {1, 2, 3} were used in the design.
From the results, one could see that m = 2 (i.e., a quadratic polynomial) was sufficient as it provided more flexibility than a linear function (m = 1) while a cubic function (m = 3) increased the complexity of the controller without significantly improving its performance/safety properties.Based on these considerations, a degree of m = 2 was selected for K SS .
For the synthesis of K FF () and K FB (), the initial values of {K #,i } i∈{0, … ,m} provided by the controllers K ROB , K FTC-A and K FTC-B , are set by associating each to a specific fault level , and by finding the m th -degree polynomial that best fits the F I G U R E 4 Block diagram of the closed-loop system used for the self-scheduled design.

TA B L E 1
Combinations of ( a ,  r ) used as design points for K SS .

𝜸 a
Design points 0 0.35 0.75 (, K) pairs.The fitting is performed for each element of the K FF and K FB gain matrices, leading to 2 × 2 and 2 × 6 matrices of polynomials respectively.The choice of the  value for each initial controller is:  = 0 for K ROB ,  = 0.35 for K FTC-A and  = 0.75 for K FTC-B .These values are chosen after some trial-and-errors as a compromise between the fault range ([0, 0.4] and [0.5, 0.85]) of the corresponding controller (K FTC-A and K FTC-B ) and the maximum fault it was designed for (0.4 and 0.85, respectively).For m = 1, the resulting polynomial is a least-squares best fit, while for m = 2 an exact interpolation can be found (only if the chosen  values are distinct).For m = 3 and higher, extra points are needed so a fourth controller is added, which for simplicity is obtained as the linear interpolation between K FTC-A and K FTC-B at  = 0.55.The block diagram of the closed-loop system for the self-scheduled design is presented in Figure 4.The actuator models correspond to those from (2) taken at the highest delay value, that is only T d,a = 0.4 s and T d,r = 0.2 s.This is done to consider the worst-case of the uncertainty during design, while control performance over the other values of the uncertain delays is verified in Section 4 to assess the satisfaction of Obj-4.The scheduled gain matrices K FF () and K FB () are shown in color to represent that these are the elements tuned in the optimization.The block k eff represents the efficiency gains as defined in Section 2.3.The signals are defined as: reference r = ( c ,  c ) T , errors e = ( c − ,  c − ) T , and inputs u = ( a ,  u ) T .
The multi-model design capabilities of structured H ∞ control are used by considering several combinations of ( a ,  r ) via their resulting , see Table 1.These combinations are selected to cover a representative segment of the design space, from nominal to extreme faults.The extreme cases (0, 0.75) and (0.75, 0) are specially challenging as they lead to the same value of  = 0.75 but represent systems with very different dynamics.It is thus very important that these points are considered in the design.The points (0.35, 0.75) and (0.75, 0.35) are omitted from the multi-model design in order to reduce the complexity of the controller synthesis problem.The underlying assumption is that these fault conditions are indirectly handled by the other fault points-an assumption assessed during controller validation.If this assumption is proven invalid, then these flight points can be included and the synthesis repeated.This was not necessary in the present case.
The first structured H ∞ control design constraint imposed is on the sensitivity transfer function T r→e (s) to set a minimum bandwidth on the controller.This translates into a specific settling time for the step response of the closed-loop system.The low-and high-frequency gains also help constrain the steady-state error and the robustness margins.The constraint is represented as the H ∞ norm bound The value of W r is derived from the qualitative experience of MuPAL-'s pilot that 1 • of perturbation in sideslip corresponds to a perturbation of about 5 • in the roll angle  when precise control is not required.The weight W e (s) is chosen as a low-pass filter to constrain the minimum bandwidth of the controller, and is adapted from the original designs in Reference 30 to satisfy Obj-1 and Obj-2.In this weight, the values of k e, , k e, and k e, are adjusted for each of the  design points in order to relax the constraints for the faulty cases.This is done using the following insight: the reduction of the first two parameters decrease the relative importance of the corresponding weight channel, while the reduction of k e, reduces the bandwidth of the controller (and thus decrease the required response time) in the presence of faults.The values of these parameters are reported in Table 2.
Another constraint is imposed on the cross-coupling between  and , that is, on the response from  c to  and from  c to .The requirement is to have a maximum of 1 • deviation in  in response to a step of 20 • in  c , and a step response below 1 • in  in response to a 2 • step in  c , as expressed in Obj-3.These requirements are represented as with where the values of k x for the multi-model design are given in Table 3.A constraint on the transfer function from the reference to the control signal is also added to avoid exciting any unmodeled high-frequency modes by imposing a a small gain at higher frequencies: with W r defined in (7) and W u (s) designed as a high-pass filter to ensure a roll-off of 20 dB/dec after 10 Hz, given by After preliminary design efforts, it was found necessary to constrain also the poles of the closed loop system by imposing minimum decay and damping constraints.This helps to avoid the presence of slow dominant poles, and as before, the constraint is adapted as the fault level increases where p i are the poles of the closed-loop system and the values of k p,decay and k p,damp for the multi-model design are given in Table 4. Finally, also during the preliminary design efforts, it was deemed necessary to include a constraint on the overshoot of the response from r to u in the nominal system.This was combined with (11) to avoid over-exciting the actuators in the absence of faults.The maximum overshoot was selected as 5%.

F I G U R E 5
Representation of the interpolation rule for the feed-forward block of the self-scheduled controller K SS .
For the synthesis of the self-scheduled controller, all of the above constraints are evaluated at each ( a ,  r ) point in Table 1 (i.e., their corresponding ), which leads to a corresponding frequency domain constraint.For fixed values of , the controllers K FF and K FB become affine combinations of the parameter matrices {K #,i } i∈{0, … ,m} .All constraints are gathered into a single block diagonal constraint C(s), so that the multi-model problem is represented by a single constraint.The structured H ∞ control optimization is performed to find the parameter matrices that minimise the H ∞ norm of C(s), at least in a local sense.The synthesis is done in Matlab with the routine systune.The result is a set of matrices {K #,i } i∈{0, … ,m} that can be used together with the chosen m th -degree polynomial rule to implement the self-scheduled controller K SS .As an example, the resulting K FF () controller for m = 2 is given in Figure 5 where each subplot represents one of the elements of the polynomial gain matrix.The red circles represent the values taken from K ROB , K FTC-A and K FTC-B , and the red dashed line shows the interpolated polynomial obtained from these points, which serves as the initial conditions for the optimisation.After the self-scheduled controller design, the resulting polynomial control law is shown in blue.

CONTROL AND CLOSED-LOOP ANALYSIS
This section presents the verification of the self-scheduled controller K SS .This assessment is based on linear, frequency-domain analyses (Bode plots and closed-loop disk margins), followed by linear, time-domain (step and doublet) simulations.All of these analyses are performed on the same linearised models that were used in the design phase.

F I G U R E 6
Sensitivity function T r→e (s) for increasing values of  a (with  r = 0 and maximum delays in both actuators).

Linear, frequency-domain analyses: Bode plots
The first step in the analysis is to check the Bode plots of the closed-loop system for different fault levels, as these are directly connected to the constraints imposed on the structured H ∞ design.Verification was performed for different values of T d,a and T d,r in their respective ranges, but for improved readability all of the plots presented in this section are obtained using the largest delay value for the actuator models (T d,a = 0.4 s and T d,r = 0.2 s), as that is the most critical case.Figure 6 shows the sensitivity function T r→e (s) for increasing aileron faults ( a ) (but assuming nominal rudder,  r = 0).The solid lines represent the sensitivity function, with the color of the curves representing the corresponding  value from 0 up to 0.75.The blue dashed line represents the weight constraints imposed on the nominal system (k e, = k e, = k e, = 1), while the orange dash-dotted line represents the constraints for the faulty systems (k e, = 0.67, k e, = 1, k e, = 0.2).It can be seen how changing the parameters k e, , k e, , k e, affects the weight constraints, which is leveraged in the  c → e  channel for increasing faults.The sensitivity function remains below the imposed constraints overall, which indicates good tracking performance according to Obj-1 and Obj-2.
Figure 7 shows the complementary sensitivity function T r→z (s) for increasing rudder fault ( r ) (and now, nominal aileron  a = 0).Once again the colors represent the value of , while the blue dashed and orange dash-dotted lines represent the weights W x, c → and W x, c → for the nominal and faulty cases respectively.The  c →  coupling remains overall below the specified limits, but the  c →  response is seen to slightly violate the imposed constraints.Nonetheless, as it will be shown subsequently in the time-domain analyses, the desired decoupling from  c to  expressed in Obj-3 is still achieved.
Finally, Figure 8 shows the control sensitivity function T r→u (s) for increasing simultaneous aileron and rudder faults ( a =  r ).The same color convention as above is used, but in this case the weights were not made to change with  a and  r .The plots show that the control signal is indeed attenuated at higher frequencies.

Linear, frequency-domain analyses: Robustness via disk margins
The linear robustness characteristics of the closed-loop system with K SS are assessed in this section.Classically, this is performed by looking at loop-at-a-time gain and phase margins, but these might be misleading because the system may be subject to simultaneous gain and phase variation.Therefore, the analysis presented look at input/output disk margins, 32 which indicate the maximum simultaneous variation in gain and phase that the system can sustain before becoming value and the applicable controller matrix K FB is extracted from K SS by using the corresponding  value.Further, for these analyses, the actuators are modelled as first-order Padé approximations of the uncertain model also at the highest delay value as before.
Figure 10 shows the disk-based gain margin and Figure 11 the corresponding disk-based phase margins, as a series of contour plots for: single-loop at input (A), single-loop at output (B), multi-loop at input (C), multi-loop at output (D) and multi-loop input/output (E).The latter considers simultaneous independent perturbations in all input and output channels.
For the single-loop gain margins' results, Figure 10A,B show that a minimum gain margin of 6 dB is maintained throughout the design space, except at a very small region at the extreme point ( a ,  r ) = (0.75, 0).This is to be expected as this corresponds to an extreme fault case, and is related to the fact that design of K SS () requires the same controller to work at the points ( a ,  r ) = (0, 0.75) and ( a ,  r ) = (0.75, 0), which are quite different.Not surprisingly, these two points correspond to the regions where the margin is the lowest.
With respect to the multi-loop gain margins, Figure 10C,D show that for the input case it is similar to the single-loop results (other than some decrease in the margin in the diagonal ( a =  r )), but that for the output case the gain margin decreases overall, reaching a minimum of around 3.5 dB.

F I G U R E 12
Step responses to  c : (left) increasing  a only, (middle) increasing  r only, and (right) simultaneous increase.
For the multi-loop input/output gain margins, Figure 10E shows that the margins are lower than for the previous cases, which is to be expected given the stricter robustness guarantees.Nonetheless, the controller still ensures a minimum of about 2.4 dB.
Finally, with respect to the corresponding disk-based phase margins, Figure 11 shows that the overall tendency is the same as those observed for the gain margins, with lower values at the corners where one of the actuators is extremely faulty and the other is nominal.The single-loop phase margins are all above 40 • , while the multi-loop cases drop to 22 • .As seen with the gain margins, the closed-loop system is more sensitive to multi-loop variations at the plant output, but even in the multi-loop input/output case a minimum phase margin around 15 • is achieved.

Linear, time-domain analyses: Step and doublet responses
Figure 12 shows the closed-loop responses to a 20 • -step command in the  c channel for the same combinations of faults as in the previous Bode plots: left-column for increasing  a and nominal  r (i.e.,  =  a ), middle-column for nominal  a and increasing  r (i.e.,  =  r ), and right-column for simultaneously increasing  a =  r (i.e.,  =  a =  r ).The corresponding  value is once again represented by the colormap code.Each of these plots clearly show that K SS shifts from performance to safety as the fault level is increased (i.e., the darker color shifts to the right indicating a slower response), and that Obj-1 is satisfied in the nominal case.Further, the plots show that K SS provides acceptable fault-tolerance against all the tested combinations of faults, with minor coupling from  c to  (the acceptable limits given by Obj-3 are shown as the red dashed lines in the bottom-row plots).
Figure 13 shows the responses to simultaneous (not-aligned) doublets in the  c and  c channels -of 15 • and 3 • amplitude, respectively.In this case, three different combinations of the uncertain delay parameters in the actuators (T d,a and T d,r ) are used to assess the satisfaction of Obj-4, which are represented by dash-dotted (fastest), dashed (middle) and solid (slowest) lines.During the simulations, the value of  a is increased in a ramp manner (from nominal up to 0.7 LoE) while  r is kept nominal.This is shown in the bottom plot of the figure.These results allow verifying that the response time  slows as the fault level increases, but more importantly, that the overall behavior of the system is otherwise unaffected (i.e., the cross-coupling and overshoot behavior remains virtually the same).

AIRCRAFT-IN-THE-LOOP VALIDATION
The final assessment is the validation of the controller in MuPAL-'s AIL setup.For the implementation in the FBW, the controller is transformed from continuous to discrete using a sampling time of T s = 20 ms.As the only dynamic element of the controller is the integrator block, it is simply discretized by replacing it with a numerical integrator with a trapezoidal rule.This is as it provides a better correspondence between the continuous-and discrete-time frequency responses. 33Once discretized, the controller is flight-coded onboard using C code, after it is checked for coding and runtime errors.
In order to test different fault scenarios, and for safety of the avionics hardware, several fault models are also implemented in the FBW C-code.They allow simulation in the AIL setup of loss of efficiency (LoE) and bias faults for the aileron and rudder actuators.Note that K SS was not designed specifically against bias faults, but the results indicate that it also shows satisfactory performance against this type of faults.The LoE simulated in the FBW code is directly used to compute , which is then fed to K SS as a (perfect) estimation of the faults.This information would be provided by a fault detection algorithm in the real case.Several combinations of pilot inputs (steps and doublets of different magnitudes) and fault scenarios (sudden/ramp LoE and biases for one or both actuators) were validated in MuPAL-'s AIL, but due to space limitations only a representative set is presented in this section.
Figure 14 shows the results for simultaneous (but not-aligned) pilot doublet commands (in red dashed lines in the top row) with a 75% LoE aileron fault activated at t = 20 s and a 20% LoE rudder fault at t = 28 s.It can be seen that K SS is able to maintain consistent performance despite this combination of sudden faults.Notice that there is a quick absorption of Figure 15 shows the same pilot doublet pattern as above, but for two different fault scenarios (each scenario uses the same plot setup as in the previous figure, that is, two rows of plots: the top for the pilot commands and the bottom for the actuator responses).The top two plots, Figure 15A, show the scenario for an aileron LoE ramp from nominal up to 70% while the rudder is non-faulty (this is the equivalent test to the linear simulation showed in Figure 13).It is seen that the response time is slowed down as the fault level increases, but otherwise K SS provides very good fault-tolerance.As above, the only issue is an increase in the decoupling from  to , but the response remains very close to the design constraints and no handling quality loss is experienced by the pilot.The bottom two plots, Figure 15B, show the same type of fault but applied now to the rudder.A similar conclusion is extracted except that now the coupling on  is slightly higher and there is some degradation on the coupling on .Another test, not shown, was performed for both ramp faults simultaneously active.As this condition was one of the design points used in the synthesis, the results are actually better than those shown in Figure 15.
Finally, this section concludes presenting the fault scenario of both actuators affected by bias faults of −3 • (in the aileron at t = 50 s and in the rudder at t = 94 s), see Figure 16.As aforementioned, the self-scheduled controller K SS was not explicitly designed against such faults, but the closed-loop still shows very good behavior in this fault scenario.This is mainly due to the presence of the integrators in the controller for the  and  channels, which allows it to reject step disturbances.

CONCLUSION
This article has presented the design, verification, and validation of a self-scheduled FTC design for the lateral/directional motion of JAXA's research aircraft MuPAL-.The controller was designed using structured H ∞ control to provide FTC capabilities with respect to aileron and rudder loss-of-efficiency faults.A modified Y * controller structure was used, an architecture very close to the industrial practice in today's commercial aircraft.
In order to facilitate scaling up of the controller to more realistic scenarios with an increased number of actuators, the controller was scheduled with respect to the overall fault level instead of individual actuator faults.By doing so, the focus during design shifted from performance to safety in high-fault scenarios.This was achieved mainly by relaxing constraints on response time and decoupling while still being able to maintain good performance throughout the fault space.
The performance of the designed controller was assessed in the linear frequency-and time-domains (including robustness analyses using disk margins), and further validated in MuPAL-'s Aircraft-In-the-Loop configuration.This configuration is very close to actual flight, with the only missing factor being the aerodynamic forces affecting the control surfaces.The results show the effectiveness of the approach for the designed faults but also against additional fault scenarios.As discussed at the beginning of Section 3.2, dealing simultaneously (i.e., with the same controller) with the cases where the aileron is non-faulty but the rudder suffers a severe fault and/or the opposite case of nominal rudder and extreme faulty aileron, is not trivial.This observation leads to the design of K FTC-B focusing on extreme fault conditions, and therefore excluding the nominal system (i.e.,  a =  r = 0) from the multi-model design.

TA B L E A1
After several trials, it was clear that for MuPAL- and the defined design problem it was not possible to obtain a single (i.e., LTI) controller that achieved a sufficient level of performance and robustness for the cases where ( a ,  r ) = (0, 0.85) or ( a ,  r ) = (0.85, 0).Therefore, these two points are also removed from the final K FTC-B synthesis.Nonetheless, it is highlighted that in Section 3.2, and mainly due to the use of a self-scheduled controller, the synthesis of such controller allows to include these points and the resulting design shows good level of performance and robustness.
After the above considerations, the multi-model design of K FTC-B considers only eight cases (four at each airspeed), as detailed in Table A1.It should be noted that while K ROB , K FTC-A and K FTC-B were designed to be robust to airspeed variations, the design of K SS focus on robustness to faults and assumes a fixed airspeed of 120 knots.
For the K FTC-B synthesis, the uncertain delays in the actuators are modelled as second-order Padé approximations at the respective maximum delays.The block diagram in Figure 4 is used, but this time with constant matrices K FF and K FB .
The constraints on the performance expected with K FTC-B are translated into H ∞ constraints via weighting functions applied to the plants inputs/outputs as well as constraints on the closed-loop poles.The reasoning behind each constraint and the selected values was discussed in Section 3.2, and is thus omitted here to avoid repetition.
The first constraint is imposed on the sensitivity function of the closed loop system, and it is the same H ∞ constraint given in (6).In this case, W e (s) and W r are given by (with the k B e,• parameters given in Table A2) The cross-coupling constraint ( 8) is also used here, with the value k x = 0.67 for ( a ,  r ) ∈ {(0.5, 0.5), (0.85, 0.85)} and k x = 1 elsewhere.Similar to K FTC-A in Reference 30, a gust input g is modeled as an additive disturbance to the sway speed v.A requirement on the response from the gust g to the plant outputs y is then imposed via the constraint where W g = 20k B g and k B g is given in Table A3.Finally, a constraint on the minimum decay and damping of the closed-loop poles is also imposed as follows: with the values of k B p,decay and k B p,damp given in Table A4.The controller synthesis is done in Matlab using systune starting with five random initial conditions for the feedforward and feedback gains.A closed-loop H ∞ gamma of 1.56 is achieved, which indicates that the constraints are mostly satisfied.For ease of readability and focus on the self-scheduled design, no performance analyses of K FTC-B are given here, but verification and validation of the resulting controller showed good behavior in the extreme fault scenarios tested, which qualifies K FTC-B to be used as an initial condition for the self-scheduled design presented in this article.

F I G U R E 2
MuPAL-: (A) In-flight picture and (B) aircraft-in-the-loop configuration.

F I G U R E 3
Representation of the fault space design coverage for each controller.

F I G U R E 9 11
Block diagram of the closed-loop system used for the robustness margin analysis.U R E 10 Disk gain margins in decibels for aileron/rudder LoE faults: (A) Single-loop input, (B) single-loop output, (C) multi-loop input, (D) multi-loop output, and (E) multi-input/multi-output.Disk phase margin in degrees for rudder/aileron LoE faults: (A) Single-loop input, (B) single-loop output, (C) multi-loop input, (D) multi-loop output, and (E) multi-input/multi-output.

F I G U R E 13
Simulation of alternating  c and  c doublet response with increasing aileron LoE fault.

F
I G U R E 15 AIL validation:  c and  c doublets plus LoE ramp faults for aileron (top two plot) and rudder (bottom two plots).

F
I G U R E 16 AIL validation:  c and  c doublets plus −3 • bias faults [aileron at t = 50 s, rudder at t = 94 s)]. the fault effects when they are introduced, and only some degradation on the coupling from  on  is seen when both faults are active.bottom row shows the actuator signals, with  •,c the deflection commanded by K SS ,  •,f the effective deflection command (after application of the simulated LoE fault) and  • the actual measured deflection of the actuator, for • ∈ {a, r}.
Combinations of ( a ,  r ) used as design points for K FTC-B .Values of the parameters (a) k B e, and (b) k B e, in (A1) for the design of K FTC-B .
Values of the parameter k B g in (A2) for the design of K FTC-B .Values of the parameters (a) k B p,decay and (b) k B p,damp in (A3) for the design of K FTC-B .
Values of the parameters (a) k e, , (b) k e, and (c) k e, in(7).
TA B L E 2 Values of the parameter k x in(9).Values of the parameters (a) k p,decay and (b) k p,damp in(12).
TA B L E 3