“Analyzing Various Causes of Actuator Failure in Space Vehicles
Using Fault-tree Analysis”
Manjinder Singh Nirmal Singh Sandhu Mandeep Singh
40039071 40042212 40040216
Concordia University, Montreal
In unmanned space vehicles such as satellites, disturbances and anomalies in the actuator mechanisms, that is, the momentum wheels or reaction wheels, are often the main cause of failure in the vehicle’s Attitude Control Subsystem (ACS). In this project report, our main objective is to study and test a system that is feasible, durable, accessible and capable of detecting, isolating, identifying or classifying faults (referred to as a fault-diagnosis system). The project details an approach based on Fault-Tree Analysis for identifying numerous important causes of actuator failure in the Attitude Control Subsystem of space vehicles, to give a better understanding of the problem and to reduce the time taken to solve it.
“Homo-sapiens did not evolve to go into space, but we go there anyway”. From the landing of Apollo on the Moon to the satellites that entered Mars orbit, numerous advanced technologies have been developed that escalated economic growth and improved our lives on Earth. Without space programs and exploration, we wouldn’t have the Global Positioning System (GPS), accurate and precise weather prediction, or sunglasses and cameras equipped with ultraviolet filters [1]. Among the types of space vehicles that have taken off on space missions, one is the unmanned space vehicle.
Often referred to as an uncrewed vehicle, an unmanned vehicle is a vehicle without a person on board. Such vehicles can either be remote controlled or be autonomous vehicles that are capable of sensing their environment and navigating on their own. For unmanned space vehicles, continuous communication with the ground station may not be possible even during fault-free conditions, let alone in unforeseen environments where long interruptions of ground control could take place. Moreover, the round-trip communication delay between the spacecraft and the ground, which may last for several hours, particularly for deep-space missions, makes operator intervention to deal with changes in the environment in real time more difficult and sometimes impossible. Apart from that, continuous and precise ground support systems are really costly, especially for long-duration space missions. For these reasons, unmanned space vehicles are required to have an on-board fault detection, isolation and recovery system, called FDIR. This demand for a technology that would allow USVs to detect, diagnose and fix various faults on board is indeed a challenging problem. A system that is capable of detecting, isolating or classifying faults is called a fault-diagnosis system. The main objectives of an on-board FDIR function are to detect faults at their beginning stages and then to take the desired recovery actions before the faults cause a failure of the main system. Thus, a reliable and feasible failure analysis procedure can be a very useful feature for identifying the root cause of a malfunction so as to develop a quick and correct recovery plan. Because of their limited capability to perform fault detection and diagnosis together, many of the existing diagnostic systems cannot easily perform the required failure analysis alone. Thus, a complementary procedure that incorporates techniques based on fault-tree analysis in the on-board fault diagnosis and recovery system can help us achieve our desired goals.
Introduction to Attitude Control Subsystem (ACS)
As its name suggests, the main objective of the Attitude Control Subsystem (ACS), which is also referred to as the momentum management system, is to orient the satellite’s main structure at the required angle(s) within the required accuracy. This ‘required accuracy’ further depends on the payload, communication devices, etc. that are attached to the main structure [2]. There are a number of ways to denote the attitude of a spacecraft, such as direction cosines, Euler’s angles etc. When we specify the attitude according to Euler’s angles, three angles are needed: y (roll), e (pitch) and o (yaw), which measure the rotations about the x, y and z axes respectively. An Attitude Control Subsystem is required because a body in space is subjected to small but persistent disturbance torques from different types of sources [3]. Unless restrained in some way, the resulting torques would quickly re-orient the spacecraft, which is not in favour of the space mission. Therefore, it is of utmost importance that the spacecraft determine its attitude using sensors and monitor it using actuators.
Figure 1: Schematic diagram of ACS
Introduction to Fault-trees
The credit for putting forward the concept of the fault-tree is primarily associated with the U.S. aerospace and nuclear industries. For more than 40 years, fault-trees have been used extensively in system safety, reliability analysis and system fault diagnosis [4]. The main objective of a fault-tree is to translate the failure behavior of a physical system into a visual diagram, which provides a mechanism for analyzing complex systems using a simple set of rules, logic and symbols. The basic structure of a fault-tree used for any failure analysis is shown in Figure 2. The top event that is to be analysed in a fault-tree is the failure. The basic events are the occurrences beyond which there is no further division of events or interest for analysis [5]. The fault-tree problem can thus be divided into two parts: fault tree synthesis (FTS), or construction, and fault tree analysis (FTA). As already mentioned, both FTS and FTA find their application in System Fault-diagnosis, System Safety Analysis and System Reliability Analysis.
Figure 2: Basic structure of fault tree
It is really important to make clear that a fault-tree on its own is not a complete representation of all the types of faults and failures that the system can encounter. It is basically a way of representing the combinations of events for a failure which the associated analyst has foreseen. The top event associated with a fault tree needs to be detected by another mechanism. Hence, we have assumed the presence of an efficient fault detection mechanism here. Fault-tree generation or synthesis is a relatively difficult task because a very thorough understanding of the system is required for Fault Tree Synthesis. However, for complex systems, constructing the fault-trees manually can be extremely time-consuming and expensive, in addition to leading to human errors. This is because if a system is analysed by two persons, the final obtained results will never be the same. Apart from that, the forms of the obtained fault-trees and the terminology used to describe the failure may be different. Hence, fault-tree synthesis is a necessary step from the point of view of cost reduction, understanding the construction process and result standardization.
ACS Failure Scenarios
In the subsequent sections, we have considered four different failure scenarios and constructed the fault-trees associated with them. It must be considered that by using the actual system for analysis, the final results thus obtained by assuming such scenarios may be utilized. In the evolved Attitude Control Subsystem model, it is assumed that an attitude error with a maximum value of 0.03 in the pitch angle can be tolerated to ensure the stability of the space vehicle. Consequently, the topmost events in the fault-trees have been denoted as Pitch Error of 0.030 for all of the ACS failure scenarios. Three of the four ACS failure scenarios described in the subsequent discussion correspond to an initial condition in which the reaction wheel (RW) runs near zero speed, whereas the fourth case is related to a different initial condition in which the Reaction Wheel spins at near maximum allowable speed.
ACS Failure Scenario-1
Random increase in reaction wheel motor current
We usually come across this type of failure in the motor drive unit (MDU) of the reaction wheel because of some hardware-level failure. This type of fault has been introduced when the Reaction Wheel was running near zero speed. The main motive of this type of fault is to represent failure under an increase in the magnitude of the current. System behavior (measured in terms of pitch angle error) during the fault-free condition and in the presence of this fault can be seen in Figure 3. The fault has been injected between t=2500 seconds and t=3500 seconds. The behaviour of the system was normal outside this time range.
Figure 3: Fault Scenario 1 (random increase in the RW motor
The associated T flag indicates that the injected fault led to the top event, which means that ‘Pitch Error > 0.03’. Under the fault-free condition, the feature value of the motor current varies within an approximate range of +/-0.25 Ampere. To determine the ranges of the feature values for the considered case, it was observed that the ACS met the attitude requirement with a random error of 0.18 Ampere (which is around 72 % of the normal maximum value) or below present in the system.
We need to assume a worst-case scenario in order to determine the upper limit. It has been assumed that the surge would lead to a maximum random error of 0.375 Ampere (150 % of the normal maximum value) in the Motor Drive Unit output. Based on the above information, the approximate ranges for the feature values of the different attributes for this failure scenario are given in Table 1.
ACS Failure Scenario-2
Increase in Friction in the reaction wheel
This type of intentional fault has been injected when the Reaction Wheel was spinning near zero speed. The main objective of this type of fault is to represent a failure in which the friction in the wheel bearings increases, which can be due to wear and tear of the bearing material over time or can be the result of some problem in the lubricant flow. The behaviour of the system (pitch angle error) for the fault-free condition and in the presence of this fault can be seen in Figure 4 given below.
Figure 4: Fault Scenario 2 (increase in the RW bearing friction).
The fault has been introduced between t=2000 and t=3000 seconds. Outside this time range, the system behaves normally. From the Attitude Control Subsystem model, it is known that the coulomb friction in the wheel is 2 mN-m. Also, it is known that the ACS met the attitude requirement when the “Pitch Error ; 0.03” with an increase of 1.5 mN-m (which is approx. 75 % of the normal value) or below in friction. Now, it is necessary to assume a worst-case scenario in order to determine the other limit. We can safely assume that an increase of 150 % of the normal value (3 mN-m) is the worst case. This is because bearing wear and tear or other similar faults usually develop with time, and it is very likely that the fault resulting from this type of anomaly will be detected by the fault detection scheme before the friction reaches its extreme value. The approximate ranges for the feature values for this failure scenario are given in the last row of Table 1.
ACS Failure Scenario-3
Bus Voltage Failure at High Speed
This fault was injected when the Reaction Wheel was running near maximum allowable speed. This type of fault may take place under low bus voltage conditions, when the large back-EMF developed in the RWM operating at high speed limits the motor current and thus the motor torque. The pitch angle error during the fault-free condition and in the presence of this fault can be observed in Figure 5. The fault has been introduced between t=2000 seconds and t=3500 seconds. The system behaved normally outside this time interval.
Figure 5: Fault Scenario 3 (bus voltage drop at high speed of the RW)
T indicates that the injected fault led to the topmost event, that is, Pitch Error > 0.03 degree [6]. It must be noted that this type of fault leads to a failure that may take place only at high operational speed of the RW. At low or near zero speed, even when the bus voltage is as low as 10 volts, the torque may not be limited, because only a small amount of back-EMF is generated in the motor. But it is very unlikely to have such low values of the bus voltage. Hence, for this case, we must take into consideration the scenarios at high speed. It has been assumed that the bus voltage level and the maximum allowable reaction wheel speed are 21-28 volts and 5059 RPM (which is very close to 5100 RPM) respectively under normal system conditions (as in the EO-1 satellite).
From the obtained data, it is clear that at a maximum speed of around 5095 RPM, the bus voltage must drop at least to 19.5 volts for any failure in attitude to take place. From the above information, the approximate ranges of the different attributes for this failure scenario are provided in Table 1.
ACS Failure Scenario-4
Small Error in Motor Current together with Increase in Wheel-bearing Friction
In this particular case, we show that the ACS may fail to maintain the required attitude when a small error in the motor drive unit (MDU) output and a small increase in friction take place at the same time, though individually they may not affect the stability. This situation has been developed under the initial condition in which the Reaction Wheel was running near zero speed. The pitch angle error during the fault-free condition and in the presence of this fault is shown in Figure 4.5.
The faults related to the motor current and the friction have been injected between t=2000 and t=3000 seconds and between t=2500 and t=3500 seconds respectively. It should be noted that Pitch Error > 0.03 when both faults take place at the same time, between t=2500 and t=3000 seconds. The Attitude Control Subsystem meets the attitude requirement outside this time range [7].
Figure 6: Fault Scenario 4 (error in the RW motor current together with increase in RW-bearing friction)
From the previous scenarios, we know that an increase in friction of 1.5 mN-m (approximately 75 % of the nominal value) or below and an increase in error in motor current of 0.09 Ampere (approximately 35 % of the nominal peak value) or below does not cause any failure. Example 38 shows the case when a fixed error of 0.09 Ampere has been introduced. The ranges of the different attributes for this failure scenario are presented in Table 1. For motor current, it must be noted that above 0.31 Ampere, there can be a failure scenario where a fixed error in the MDU output would itself cause failure. Thus, we define another range with its lower limit at 0.32 Ampere and its upper limit bounded by a worst-case scenario.
Identification of Different Ranges of Feature Values
Table 4.6 below shows the ranges of the different feature values for the four failure scenarios which we have discussed so far. As already mentioned, at high speed the high back-EMF developed in the motor may limit the torque if the bus voltage becomes really low. For this reason, two ranges were assumed for the attribute bus voltage (V): one with the normal operational range of 21-28 volts and the other representing the low bus voltage condition discussed under Scenario-3. Thus, we can define different ranges for the different failure scenarios, which are put in the form of Table 1.
These ranges have been assigned names only to give a clear and better presentation.
Table 1: Specified Ranges for Numeric Feature Values of the Attributes
The fault trees constructed in the coming sections are the results of the four different scenarios we have discussed so far in this project report. For the construction of all the associated fault trees, certain nodes are used for tree synthesis, as given below.
Figure 7: Various symbols used in fault tree
Fault-tree for Failure Scenario-1
A fault similar to the one we studied under failure scenario-1 is considered here. From Figure 8, it is quite clear that the fault tree points towards Im (motor current) by means of a node in the tree. In the presence of the introduced fault, the anomalous behavior of the RW motor current is passed on directly to the motor torque. It is due to this motor torque that Vc, known as the torque command voltage, is also affected by this fault. Hence, in addition to Im, both Tm and Vc (with Im, Tm and Vc being the motor current, the motor torque and the torque command voltage respectively) are presented on the associated fault-tree as sources of anomaly in the system.
Figure 8: Fault-tree for Failure Scenario-1
Fault-tree for Failure Scenario-2
In the construction of the fault tree for scenario-2, a fault range value that we studied under failure scenario-2 is applied. From Figure 9, we can see that the constructed fault tree points, by means of a node, towards Tm (motor torque), which is affected most by an increase in friction in the system.
The RW motor draws more current in order to overcome the increase in friction caused by the fault, which is necessary to maintain the desired orientation of the satellite. It is for this reason that the motor current is also altered. Hence, Im (motor current) also appears on the final fault tree constructed. For ease of understanding the concept of the fault tree, we have considered only non-overlapping ranges of feature values and ignored overlapping ones to avoid complexity [7].
Figure 9: Fault-tree for Failure Scenario-3
Fault-tree for Failure Scenario-3
For the fault tree for scenario-3, we consider the fault range value we studied before in failure scenario-2. Figure 10 makes it clear that the cause of the failure is the bus voltage, as pointed to by the tree constructed in this case. As discussed earlier, this type of fault can be encountered only at high speeds of the RW. In such situations, the motor current Im is limited by the increasing back-EMF of the reaction wheel motor. Due to this, the torque command voltage Vc and the motor torque Tm are also affected [7].
Figure 10: Fault-tree for Failure Scenario-2
Fault-tree for Failure Scenario-4
A fault discussed under failure scenario-1 is considered here. From Figure 11, we can clearly see that the fault tree points towards Im (motor current) and the torque command voltage Vc, which are affected the most by the increase in friction in the system and the error in the motor drive unit (MDU).
Figure 11: Fault-tree for Failure Scenario-4
Due to both parameters involved in this scenario, the torque command voltage Vc is further affected. Moreover, Tm, the motor torque, also shows up on the tree because any alteration in current in the reaction wheel mechanism gets converted directly into torque. In the presence of the introduced fault, the anomalous behavior of the RW motor current is passed on directly to the motor torque. It is due to this motor torque that Vc, known as the torque command voltage, is also affected by this fault. Hence, in addition to Im, both Tm and Vc (with Im, Tm and Vc being the motor current, the motor torque and the torque command voltage respectively) are presented on the associated fault-tree as sources of anomaly in the system [7].
Conclusion
FDIR, which stands for fault detection, isolation and recovery, is a necessary system on board an unmanned spacecraft to face and overcome undesired events without relying on human operators and intelligence on the ground. In practice, integrating the different types of existing fault-diagnosis methodologies that have the potential to form a unified FDIR scheme seems to be a much better option. In this project, we considered four ACS failure cases. The faults that are presented and assumed in this project work are similar to those actually encountered in practice.
The final constructed fault-trees give us brief information on the failure, revealing that the top event took place when the maximum magnitude of the motor current was in the range (x1, y1) ampere, the maximum speed of the reaction wheel was within the range (x2, y2) revolutions per minute, the minimum bus voltage fell within the range (x3, y3), and so on. In many cases, though the final generated fault tree may not give us the exact cause of the failure, it can still be used to avoid certain combinations of events in the future that have the potential to cause a system failure. Moreover, if it is required to know exactly which components in the associated system caused the failure, any basic event can be considered as the top event in the generated fault-tree, and further fault trees can be constructed to reveal what sort of events led to that situation.
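The combinations of events mentioned above are what fault-tree analysis calls minimal cut sets. The following added example, which is not part of the original report, merges the four failure scenarios into one illustrative tree and computes them; the single merged tree and the basic-event names are assumptions made for the illustration, since the report builds one tree per scenario.

```python
from itertools import product

# A node is either a basic-event name (str) or a tuple (gate, [children]).
def AND(*children):
    return ("AND", list(children))

def OR(*children):
    return ("OR", list(children))

# Top event: pitch error above the tolerated 0.03.
# Basic-event names are hypothetical labels for the report's four scenarios.
TOP = OR(
    "motor_current_surge",                                   # scenario 1
    "large_friction_increase",                               # scenario 2
    AND("low_bus_voltage", "rw_near_max_speed"),             # scenario 3
    AND("small_current_error", "small_friction_increase"),   # scenario 4
)

def cut_sets(node):
    """Return all cut sets of the subtree as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        # Any cut set of any child triggers an OR gate.
        return set().union(*child_sets)
    if gate == "AND":
        # One cut set from every child is needed; merge each combination.
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another one (absorption)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}

def top_event_occurs(node, observed):
    """True if the observed basic events cover at least one minimal cut set."""
    observed = set(observed)
    return any(cs <= observed for cs in minimal_cut_sets(node))

def explain(node, observed):
    """List the minimal cut sets satisfied by the observed basic events."""
    observed = set(observed)
    return sorted(sorted(cs) for cs in minimal_cut_sets(node) if cs <= observed)

if __name__ == "__main__":
    for cs in sorted(sorted(s) for s in minimal_cut_sets(TOP)):
        print(" AND ".join(cs))
    # Constructed observation: low bus voltage while the wheel is near zero speed.
    print(top_event_occurs(TOP, ["low_bus_voltage"]))
```

A small motor current error or a small friction increase alone satisfies no cut set here, while the pair together does, which mirrors failure scenario-4.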
[1] “EXTREME TECH,” Online. Available: https://www.extremetech.com/extreme/268062-5-reasons-space-exploration-is-more-important-than-ever.
[2] M. T. Nasri, “AN IMPROVED APPROACH FOR SMALL SATELLITES ATTITUDE DETERMINATION AND CONTROL,” pp. 5-9, 2014.
[3] W. J. L. Wertz, Space mission analysis and design, Kluwer academic Publishers, 1999.
[4] C. A. Ericson, “Fault Tree analysis- A history,” 1999.
[5] J. D. l. l. pullun, “Fault Tree model for analysis of Complex Computer based systems,” 1996.
[6] P. S. K. K. A. Barua, “A Novel Fault-Tree Approach for Identifying Potential Causes of satellite reaction wheel failure,” pp. 3-5, 2005.
[7] P. SINHA, “A Diagnostic Tree Approach for fault cause identification,” 2006.