A Boolean algebraic-based solution for multiple fault diagnosis: Application to a spatial mission

Abstract

The paper deals with the application of a formalized fault diagnosis strategy for multiple faults occurring in an autonomous spatial vehicle. The research work draws expertise from a collaboration between the European Space Agency, the “Laboratoire de lʼIntegration du Materiau au Systeme” and the Thales Alenia Space industry. The goal is to demonstrate the benefits of novel fault diagnosis methods to enhance spacecraft autonomy. The applicative support is the Mars Sample Return mission, a spacecraft mission undertaken jointly by the National Aeronautics and Space Administration and the European Space Agency. In this paper, a formalized framework, based on first order logic formulas, is detailed and an algorithm based on Boolean algebraic tools is presented in order to cope with the multiple fault diagnosis problem. The method uses the concepts of conflicts and diagnoses and aims at establishing the set of minimal diagnoses which is nothing else than the minimal list of the system components that have been identified to be faulty, solving de facto the fault isolation problem. The paper addresses this problem using jointly the concept of Analytical Redundancy Relations and their associated characteristics called their “supports”. With respect to the application, the faulty scenarios concern the failure of sensors in the orbiter during the rendezvous phase of the Mars Sample Return mission. Simulation results from a high-fidelity industrial simulator demonstrate the feasibility and the efficiency of the proposed technique.

Introduction

Fault diagnosis is a key element of any safety critical system. When faults appear on dynamic systems, it is vital to quickly identify these degradations so that corrective actions can be undertaken in a timely manner. The issue of fault diagnosis has been an active research area during the last three decades, both in the research and space industrial communities, see [29], [3], [19], [30], [18], [11], [6], [1], [16], [24], [15] for surveys. A fault diagnosis scheme consists of several successive processing blocks: the fault indicating signal or fault indicator generation, the fault indicator evaluation, and the decision making task, thus providing the basic fault diagnosis functionality.

In the fault diagnosis literature, there exist two distinct and parallel research communities that work on model-based approaches to the diagnosis, namely:

• The FDI (Fault Detection and Isolation) community whose foundations are based on engineering disciplines such as control theory and statistical decision making (see for instance [5], [11], [14], [16], [18], [26], [31] for a survey).

• The DX (Diagnosis) community whose foundations are derived from the fields of Computer Science and Artificial Intelligence (see for instance [8], [9], [21], [23], [28] and [32] for a survey).

In the FDI field, many research works have been carried out for robust fault detection and isolation on dynamic systems and these works are mostly performed with the assumption of the presence of single faults only (see for instance [18], [26] and [31]). However, in large and complex systems (for example, nuclear plants, aeronautic systems or autonomous spatial vehicles), the admissibility of such an assumption can be disputable. It can be argued that the occurrence of multiple faults is less probable and therefore of less importance but the impact of such faulty situations on operating systems can lead to the incapacity of the systems to achieve their defined function or/and a (complete or partial) loss of the systems or even to even more catastrophic consequences such as human loss and environmental damages.

In the aerospace domain, there exist many successful applications of FDI methods, see for instance the parity space-based approaches [34], the particle filtering-based algorithms ([10] and [17]), the fault detection observer-based approaches [20], [27] and the ${\mathcal{H}}_{\infty }$ filtering methods [7], [14]. These research works have focused on the design of robust FDI solutions such that the fault indicators are sensitive to one or more faults whilst at the same time these indicators are insensitive to modeling errors and disturbance effects (see for instance [11], [12] and [26]). However, the issue of multiple faults in such complex systems has received less attention within the FDI community. It can be noted that the problem of creating and implementing signature (or isolation) matrices, including those for multiple faults, has been studied in [12]. In fact, a survey among the FDI solutions shows that the existing techniques are successfully designed for the diagnosis of simple faults but have limited impact for the multiple fault cases.

On the other hand, several research works within the DX community have been published during the last three decades and these works have been carried out especially for multiple fault diagnosis, see for instance [9], [28], [29], [30], [8] and [3], [19], [30], [6], [4], [24] for space applications. Although the results presented in these papers demonstrate that different methods could be considered as viable candidates for an on-board implementation, the overall gain of the obtained fault diagnosis scheme is not so well clear and defined, see for instance the interesting discussion in [25].

The work presented in this paper is situated on the boundaries of both communities. The application is related to ongoing researches undertaken jointly by the European Space Agency (ESA), the IMS Laboratory and Thales Alenia Space. The goal is to demonstrate the benefits of novel fault diagnosis methods to enhance spacecraft autonomy. The applicative support is the Mars Sample Return (MSR) mission, a spacecraft mission undertaken jointly by NASA and ESA.

Future science space missions require critical autonomous proximity operations, for example rendezvous and docking/capture for the MSR mission. Mission safety is usually guaranteed through various modes of satellite operations, with ground intervention, except in these specific critical phases, for which the on-board robustness and on-board fault tolerance/recovery prevails in the dynamics trajectory conditions.

Satellite health (including outages) monitoring is classically performed through a hierarchical implementation of the fault diagnosis and fault tolerance in which several levels of faults containments are defined from local component/equipment up to global system, i.e. through various equipments (sensors like Inertial Measurement Units (IMU), thrusters, etc.) redundancy paths. Common Fault Detection Isolation and Recovery (FDIR) implementation uses four hierarchical levels with graduated detection/isolation/reaction to faults, see for instance [24] where fault detection and isolation are performed by cross checks, consistency checks, voting mechanisms, etc. Fixed thresholds (once validated with all the known delays and uncertainties) are used for rapid recognition of out-of-tolerance conditions. Their setting are tuned in order to avoid false alarms and to insure acceptable sensitivity to abnormal deviations. However, recent developments on both FDI and DX techniques applied to space missions, tend to demonstrate that model-based and IA solutions can be used to enhance spacecraft autonomy, see for instance [3], [19], [30], [6], [16], [24], [15].

The work presented in this paper should be understood in this context. The objective is to develop an advanced fault detection and isolation scheme, able to diagnose faults of the MSR orbiter, on-board/on-line and in time within the critical dynamics and operations constraints of the last terminal translation (last 20 meters) of the MSR rendezvous/capture phase. As the mission scenario is undertaken, the chaser stays in the rendezvous/capture corridor such that it is possible to anticipate the necessary recovery actions to successfully meet the capture phase.

The fault profile that is considered in this paper concern the loss of measure in the sensors present in the orbiter vehicle during the rendezvous phase of the MSR mission. To solve the considered fault diagnosis problem and especially for the multiple fault cases, a formalized framework, based on first order logic formulas, is defined and an algorithm, based on Boolean algebraic tools initially presented in [22], is considered.

The contributions of the paper can be summarized as follows: First, a complete formalization of a fault diagnosis method using the concepts of conflicts and diagnoses initially introduced by Reiter [28] and De Kleer and Williams [9] is proposed. Both a conflict and a diagnosis are a subset of a system component set. The meaning of a conflict is that not all system components can be in the fault-free mode and the meaning of a diagnosis is that the components contained in it are faulty and the components not contained in it are fault free. Then, given a set of diagnoses and a set of conflicts, the method proposed in [28] and [9] finds the set of minimal diagnoses by means of the so-called “hitting-set” algorithm. The key feature of this technique is that the set of minimal diagnoses is nothing else than the minimal list components that have been identified to be faulty, solving de facto the fault isolation problem. However, the authors do not provide a systematic method to establish the conflicts from a given system operating mode. This paper provides a solution to this problem using jointly the concept of Analytical Redundancy Relations (denoted “ARR”) from the FDI community (see [18], [26], [31]) and their associated characteristics we called their “supports”. Furthermore, because the hitting-set algorithm proposed by De Kleer and Williams [9] fails in some particular situations (see [13] for more details), it is shown how the Boolean algebraic formulas presented in [22] can be used jointly with the conflicts, to provide the set of minimal diagnoses. These theoretical aspects are addressed in Section 2.

The second contribution is concerned by the complete illustration of the different steps of the proposed method to a real space mission, i.e. the Mars Sample Return (MSR) mission. The goal is to provide a solution to the sensor fault diagnosis problem of the orbiter spacecraft during the rendezvous phase of the mission. In this sense, it is explained how to derive an adequate set of ARRs from the orbiter sensors (i.e. inertial measurement units (IMUs), star trackers (STR), coarse sun sensors (CSS), global navigation satellite system (GNSS) sensors, radio frequency sensors (RFS), a Light detection and ranging (LIDAR) sensor and a narrow angle camera (NAC)), and their associated supports. Then given a situation, it is shown how the conflicts are established and how the method performs the fault isolation task. The robustness aspects are addressed by means of the probabilities of false alarms and non-detection as a part of the ARR definition procedure. In other words, a complete fault diagnosis scheme for multiple sensor faults is proposed for the chaser spacecraft during the rendezvous phase of the MSR mission. These application aspects are addressed in Section 3.