Architecture and Philosophy of a Passive FTCS
In a passive approach, a list of potential malfunctions is assumed known a priori as design basis faults, and all failure modes as well as the normal system operating conditions are considered at the design stage. Neither an FDD scheme nor a controller reconfiguration mechanism is needed. Therefore, the term ‘passive’ indicates that no additional actions need to be taken by the existing control system in response to the design basis faults. The controller deals with the faults passively. As shown in Fig 1.4, a passive FTCS is a control system designed to tolerate system component faults by using the system redundancies without any controller structure or parameter adjustment. The objective of a passive FTCS design is to synthesize a single fixed controller to make the closed-loop system as insensitive as possible to the set of design basis faults.

FIGURE 1.3: Critical reaction time of an active FTCS.

The philosophy of a passive FTCS is to find a controller within the region of intersection among all admissible solution sets. As shown in Fig 1.2, this region corresponds to the shadowed area where the admissible solution sets intersect. Several limiting situations in a passive FTCS synthesis are shown in four sub-plots in Fig 1.5 where no single overlap can be found. Sacrifices may have to be made even for the normal system operating conditions to accommodate anticipated failure cases. As shown in Fig 1.5(c), no passive FTCS can be found to deal with the normal condition and the pre-considered faults 1 and 2 simultaneously.
From a performance perspective, a passive FTCS focuses more on the robustness of the control system to accommodate multiple system faults without striving for optimal performance for any specific fault condition. In comparison with an active FTCS, it is more difficult for a passive FTCS to achieve optimal performance under any design basis fault condition. Since stability is the number one consideration in a passive approach, the designed controller turns out to be more conservative from a performance viewpoint.
If there is an overlap among all the admissible solution sets for the considered fault cases, a single controller can theoretically deal with any of the presumed design basis faults. However, nothing can be said about the behavior of the system when failures beyond the design basis occur. It is critical to emphasize that the number of design basis faults that the FTCS can deal with also depends on the availability of redundancies. Nevertheless, since a passive FTCS does not involve controller reconfiguration, there are no switching transients.
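The search for a fixed controller inside the intersection of admissible solution sets can be made concrete with a small numerical sketch. This is an added example, not taken from the original text: the scalar plant with two redundant actuators, its numbers, the gain grid, and the use of a closed-loop pole interval as the admissibility criterion are all assumptions chosen for illustration.

```python
from itertools import product

A = 1.0                                  # open-loop unstable pole (constructed)
B = (1.0, 1.0)                           # input gains of two redundant actuators
GAINS = [0.5 * i for i in range(17)]     # candidate feedback gains 0.0 .. 8.0

def pole(k, eff):
    """Closed-loop pole of x' = A*x + sum_i B_i*eff_i*u_i with u_i = -k_i*x.
    eff_i is the actuator effectiveness: 1 = healthy, 0 = total loss."""
    return A - sum(b * e * ki for b, e, ki in zip(B, eff, k))

def admissible_set(eff, p_min, p_max):
    """All grid gains (k1, k2) whose closed-loop pole lies in [p_min, p_max]."""
    return {k for k in product(GAINS, repeat=2)
            if p_min <= pole(k, eff) <= p_max}

def passive_design(cases):
    """Region of intersection among the admissible sets of all cases."""
    return set.intersection(*(admissible_set(*c) for c in cases.values()))

def pick_controller(region, cases):
    """Fixed gain with the best worst-case pole over all design basis cases."""
    return min(region,
               key=lambda k: max(pole(k, eff) for eff, _, _ in cases.values()))

# Design basis: normal operation plus total loss of either actuator.
# Each entry: (effectiveness vector, slowest allowed pole bound, fastest bound).
DESIGN_BASIS = {
    "normal":  ((1.0, 1.0), -6.0, -1.0),
    "fault 1": ((0.0, 1.0), -6.0, -1.0),
    "fault 2": ((1.0, 0.0), -6.0, -1.0),
}
# Same faults, but demanding a pole at or below -3 in the fault cases.
TIGHTENED = dict(DESIGN_BASIS)
TIGHTENED["fault 1"] = ((0.0, 1.0), -6.0, -3.0)
TIGHTENED["fault 2"] = ((1.0, 0.0), -6.0, -3.0)

if __name__ == "__main__":
    region = passive_design(DESIGN_BASIS)
    best = pick_controller(region, DESIGN_BASIS)
    print("controllers in the intersection:", len(region))
    print("chosen fixed gain:", best)
    print("tightened requirements, intersection size:",
          len(passive_design(TIGHTENED)))
    # A fault outside the design basis: actuator 1 lost, actuator 2 at 20 %.
    print("pole under beyond-design-basis fault:", pole(best, (0.0, 0.2)))
```

With the first set of requirements a region of intersection exists and one fixed gain serves all three cases; with the tightened requirements the intersection is empty, and the chosen gain leaves the loop unstable under the fault that was not in the design basis.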
Summary of FTCS
The objectives of active and passive FTCSs against actuator failures are to compensate for the loss of control actions by appropriately reassigning the control signals to the remaining healthy control surfaces. The philosophies and architectures for both active and passive FTCSs are presented. Comparisons between the two approaches are made in the following. The characteristics of both active and passive FTCSs are then summarized. Through analysis and comparison of the simulation results, the essential characteristics of two FTCS strategies are summarized in Table 1.1. The detailed information is given as follows.

FIGURE 1.4: Architecture of a passive FTCS.

FIGURE 1.5: Illustration of overlap among admissible solution sets.

Advantages of an Active FTCS
Active FTCS can reconfigure the controller by using the real-time information provided by the FDD scheme. From the conceptual illustrations in Fig 1.2, an active FTCS initially operates in the normal mode using an admissible solution with certain performance levels. Upon detection of a fault, it moves to another admissible solution region to counteract the fault effects. Within each of these admissible regions, the optimal solution may exist with certain pre-set performance criteria.
Another advantage of an active FTCS is that it can deal with beyond design basis failures as long as the FDD scheme can detect and diagnose them correctly in time, and also there exists a sufficient degree of redundancy to make up the shortfall of the failed actuators. However, the accuracy and the time taken for the diagnosis are the key.

TABLE 1.1: Comparison of the characteristics of active and passive FTCSs.

| Characteristic | Active FTCS | Passive FTCS |
|---|---|---|
| Potential for performance optimization | Yes | No |
| Dealing with beyond design basis failures | Yes | No |
| Immediate control action after the fault | No | Yes |
| Sensitive to the results of FDD | Yes | No |
| Guaranteed stability for the design basis faults | N/A | Yes |
| Switching transients | Yes | No |
| Smooth in operation during a fault occurrence | No | Yes |
| Time before control in action | Yes | No |
| Easy in implementation | No | Yes |
| Controller design time (based on optimization) | Short | Long |

Limitations of an Active FTCS
In the current active FTCS design, no action is performed until the new control system is synthesized. However, the interval between the fault occurrence and the initiation of the reconfigured controller plays a role in maintaining the safe operation of the system. If the FDD process takes an unexpectedly long time, the integrity of the system may be in danger. It is very likely that the performance of the system deteriorates with an increase in FDD time. In some safety-critical systems, certain critical system variables may cross the safety boundaries if no actions are taken within a certain critical period of time.
The reconfigurable controller design relies heavily on the information of the fault provided by the FDD scheme. The performance of an active FTCS is highly dependent on the accuracy of FDD. Any uncertainties in FDD can lead to loss of effectiveness in the designed controller. And an error in FDD can have a significant impact on the quality of the active FTCS results. The altitude of the aircraft cannot even be maintained in the event of these uncertainties. In addition, the overall system performance can degrade progressively as the magnitude of the uncertainties increases. In an active FTCS, a newly reconfigured controller has to be switched in to replace the pre-fault controller. The switching transients, which are essentially shocks to the system, are highly undesirable and can potentially lead to further damage to the system components.
Advantages of a Passive FTCS
In a passive FTCS the controller, once designed, does not need to be changed during the course of operation. In practice, a passive FTCS has a simple structure and has no transients associated with controller switching. Therefore, the additional real-time computational demand is low for a passive FTCS.
Since no switching is involved in a passive FTCS, the behavior of the system is much smoother than that of an active FTCS. Furthermore, since the passive FTCS does not require any FDD unit, there is no delay between the fault occurrence and the corresponding control actions. The control system is fully engaged, and the control actions to the fault occurrence are always immediate.
Limitations of a Passive FTCS
A passive FTCS is designed with the consideration of both normal system operation and design basis faults. Compared with an active approach, the performance achieved by a passive FTCS can never be optimal for all design scenarios. If one attempts to design a passive FTCS to accommodate an excessive number of faults, the overall conservatism increases. No controller may be found to satisfy all the design requirements.
Since the philosophy of a passive FTCS is to find a region of intersection among several admissible solution sets, when the number of fault scenarios increases beyond a certain number, such a region of intersection may not even exist.
Compared with an active FTCS, a passive FTCS is less flexible and has limited fault-tolerant capabilities, especially in the case of beyond design basis failures. The overall performance of the controller becomes less and less effective for each fault case as the number of fault cases increases. The passive FTCS designed on the basis of cases can no longer guarantee stability and acceptable performance when failures beyond the passive FTCS design basis have occurred.
The comparison of both active and passive FTCS strategies leads one to ask whether it is possible to design a “hybrid” FTCS that combines the merits of active and passive FTCSs and avoids their respective disadvantages. In fact, such a hybrid FTCS concept has been proposed [9, 30] to deal with actuator faults. In this concept, a passive FTCS is used to slow down the deterioration of the system with a minimal amount of fault information. As more detailed fault information becomes available, effective reconfigurable controllers can be designed and subsequently switched in to achieve improved system performance.