Active Fault Tolerant Control – explained

A blog by Mark Melczer, Pepijn van den Bos & Mathijs Crone

Drones enable us to perform unprecedented feats: see the world from a bird’s perspective, reach remote places thought to be inaccessible, deliver packages or race at incredible speeds. No doubt, drones are awesome pieces of flying hardware, but as all human-made systems, they are prone to failures. At Fusion Engineering, we believe that unprecedented feats require unprecedented levels of safety. Therefore, we put great effort into creating a bulletproof flight control system by employing, among other things, redundant subsystems and Active Fault Tolerant Control (AFTC) methodologies.

This post aims to give a sneak peek to the cutting edge AFTC technologies we leverage in the Fusion Reflex. The emphasis will be on handling faults occurring in the actuators – motor + propeller – of the drone. Let’s start with a comparable example to show what AFTC means in real life.

2791B0C600000578-3038787-image-a-1_1429035699861

Drone delivering asparagus to Dutch restaurant crashes
Source: Omroep Brabant

What is Active Fault Tolerant Control

Imagine an autonomous car which suddenly pops a tyre at high speeds. Everything happens in a split second and since very few people have the reﬂexes of a Formula 1 driver, a human would have a hard time avoiding a crash. However, the software of an autonomous car could detect that something went wrong from anomalies appearing in the sensor signals; for example, a sudden peak in accelerations/resonances could be an indicator. Then, applying extremely quick control action it could steer the damaged car to stop in the emergency lane. It is possible that the car, despite the ﬂat tyre, would remain controllable, meaning that the control software could still drive the car to the closest tyre shop for repairs but the car would pose increased danger to other road users and it could get even more damaged. So it’s probably better to just call the emergency services to safely tow the car.

This example, in its core, is very similar to what happens to a drone when it gets damaged to the point that it loses a complete propeller mid-ﬂight. If it is ﬂown by a human operator or a control system that isn’t fault tolerant, it will probably crash. However, an AFTC system would have a fault detection module which monitors all kinds of signals on the drone, and if anomalies occur in those signals it will — in a split second — detect that the drone has lost one of its propellers. Then, if the damaged drone remains controllable in a mathematical sense, the control system will take appropriate control action to recover and safely land the drone without crashing.

Thus, an AFTC system is the synergy of a fault detection module and a control module. The fault detection module, as its name suggests, actively monitors signals of interests to detect faults in the drone, for example a broken propeller. Should a failure occur, it informs the control system to reconﬁgure itself to account for this by taking recovery control action. Now that we know what AFTC is, let’s get a bit more technical and investigate what happens in that split second between the occurrence of the failure and the emergency control action.

How the control system works

To understand how the control system works we need to look at what type of control actions does an actuator exert on the drone. As the motors spin up, the propellers start to generate a thrust force and actuation torque based on how fast the motors are spinning. Since the propellers are generally placed at a given distance from the drone’s center of gravity, the upward thrust of each propeller generates a rotational moment that would turn the drone’s body around its axes. So in order to ﬂy from point A to point B, the control system is regulating the motor speeds to generate the forces and moments required to steer the drone accordingly. As you can imagine, if a propeller gets damaged, the respective actuator fails to deliver its carefully calculated control input and the drone leaves its desired state, due to the sudden, involuntary change in moments acting on its body. This results in the drone ﬂipping upside down and crashing immediately.

When an actuator fails, we say it loses its eﬀectiveness since it cannot output its nominal control input at a given motor speed anymore. Knowing the actuators’ eﬀectiveness values is crucial for the control allocation unit as it needs to allocate additional input to a damaged actuator to make up for its loss of eﬀectiveness. And this is where the fault detection and diagnosis (FDD) module comes into play.

Fault detection and diagnosis (FDD)

The FDD unit is responsible for updating the actuator eﬀectiveness values for the control sys-tem. It monitors certain signals and, based on these signals, notiﬁes the control system when something goes south with the actuators. So basically, we can imagine the following conversation between the FDD unit and the control system (CS):

FDD: Oops, something bad happened! (Fault detection)
CS: What? Where? How bad is it?
FDD: We lost propeller number 3 completely. The respective actuator eﬀectiveness has degraded to 0! (Fault diagnosis)
CS: Thanks, I’ll update the control allocator and take immediate action to save the drone! (Control reconﬁguration)

But how does the FDD module work? Well, there are a lot of ways to do it. Once I heard an interesting idea: why not just mount a camera onto each motor of a drone to see whether the propeller is still there or not. In theory, this could work, but we would need expensive high-speed cameras, hardware that processes those images, etc. Sounds cumbersome and ineﬃcient.

Thankfully, we can just use signals that are already measured on-board, such as the rotational rates of the drone, motor speeds, and so on. Then we can set up a reference model, that mathematically describes how the drone and the actuators work. In other words, we essentially simulate the drone’s motion/behavior when a certain input is applied to it. This model would describe the response of a healthy drone without any faults. Then we could set up something that monitors the diﬀerence between this mathematical model of a healthy drone and our actual drone. If we do it right, the diﬀerence would be zero if our real drone is healthy because they would have the same behavior given the same input. However, if the actual drone gets damaged, it will exhibit a diﬀerent behavior than our healthy model.

Sounds great, just make a model of the healthy system and we have an FDD module! Well, yes, but obtaining that model is not as easy as one would think. The behavior of a drone is highly nonlinear, tough to describe mathematically and even harder to actually identify. System idetiﬁcation is a complete ﬁelds of its own and is out of the scope of this post, but we need to understand that there are a lot of trade-oﬀs we are facing. If our model is not accurate enough it might trigger false alarms – FDD module thinks there is a failure when there isn’t – or it may fail to detect failures completely. Therefore, we need to carefully weigh what signals we need to monitor, how accurate our model needs to be to make FDD robust against disturbances and mismatch between the mathematical model and the actual drone.

But we at Fusion Engineering have conducted thorough research on various FDD method-ologies with promising results. Our tests have shown that a nonlinear adaptive Thau observer is highly capable of detecting faults and estimating actuator eﬀectiveness values. Should it detect any discrepancies between the healthy model and the actual drone indicating a failure, it updates the control allocation unit accordingly.

The Thau observer, as discussed, needs a model of the system which means that we need to identify certain parameters to construct the model. An advantage of our implementation is that the required system identiﬁcation procedure is fast and can be highly automated. It doesn’t need a full model of the drone so there’s no need to ﬂy in wind tunnels for system identiﬁcation. Furthermore, the Thau observer is a nonlinear observer that enables the utilization of fast nonlinear dynamics present in the system. The monitored signals are very sensitive to failures, which our tests have reinforced as we could see extremely fast action from the FDD unit. Furthermore, the Thau observer has a thorough stability analysis and its synthesis – constructing the gain matrices – is performed by solving a set of Linear Matrix Inequalities for which there are multiple tools available.

In conclusion

I hope I could shed some light on how AFTC systems works. It is a close collaboration between an FDD unit and a control system that performs the computation of the required control actions and allocates it to the actuators. We are working hard to integrate the described AFTC system into the Fusion Reﬂex ﬂight controller and our prototype test results allow for healthy optimism for creating the most reliable ﬂight controller on the drone market.