Adaptive Robust Fault-Tolerant Synchronization Control for a Dual Redundant Hydraulic Actuation System with Common-Mode Fault

This paper investigates the fault-tolerant synchronization control (FTSC) problem for a dual redundant hydraulic actuation system (DRHAS), which works on active/active (A/A) mode and suffers from a kind of common-mode fault (CMF), i.e., internal leakage faults occurring in both hydraulic actuator (HA) channels simultaneously due to a common cause. Firstly, in order to follow the position command and synchronize the force outputs of the two channels, a desired trajectory generator derived from the dynamics of the control surface is employed.Then, considering model uncertainties and nonlinear dynamics of the plant, an FTSC controller is designed based on adaptive robust control (ARC) theory and backstepping technology.The controller parameters, closely related to the fault parameters, are updated online to make the controller adapt to the fault condition only when the system performance degradation exceeds a prescribed tolerable level. It has been verified that the proposed FTSC scheme can guarantee the bounded stability of output tracking error system under common-mode fault. Finally, simulation results under two scenarios demonstrate the effectiveness of the proposed FTSC scheme.


Introduction
For safety and reliability consideration, the primary flight control systems for modern airplanes have universally adopted redundant hydraulic actuation systems (RHAS) to drive important control surfaces.One typical example is the Airbus A320, in which both ailerons are driven by a dual redundant hydraulic actuation system (DRHAS), the rudder is driven by a triply redundant hydraulic actuation system (TRHAS), and the elevators are driven by DRHASs [1].
In a typical RHAS configuration, several similar hydraulic actuators (HA), which are supplied from three redundant hydraulic power sources, connect to a common control surface in parallel.Each HA includes an electro-hydraulic servo valve (EHSV), a hydraulic cylinder, and other accessories.There are two distinct operating modes for a RHAS, i.e., active/active (A/A) mode and active/standby (A/S) mode.In A/A mode, all HA channels are working together at the same point and their outputs can be summed in three ways, i.e., parallel force summing, parallel velocity summing, and parallel position summing [2].Among them, the parallel force summing is the most common choice for the primary flight control system of airliners, such as A320, A380, B747, and B787.In A/S mode, the HA channels operate independently and only one channel is working at one time while others are isolated by bypass-valves.
The RHAS on A/A mode has a potential risk of suffering from common-mode fault (CMF), which is a coincidence of fault states of components in separate channels caused by the same event(s) [3].As stated in [4], the CMF is difficult to predict or to avoid by system design as its nature is unexpected or unrecognized.Reference [5] shows that design faults which are not found and removed at stages prior to the operational stage constitute a major part of CMF in redundant system.In addition, CMF can also occur due to external causes such as environmental disturbance and power supply disturbance.Considering the critical functions of the RHAS in primary flight control systems, CMF tolerance is very important.
Compared with SHA, to the best of the authors' knowledge, the studies on FTC strategies for the RHAS, especially for the RHAS suffering from CMF, are very limited.In [13,14], a disturbance-decoupled robust adaptive observer was designed and applied to a RHAS-driven elevator for faulty parameters estimation.A set of local fuzzy PI controllers with respect to different operating conditions of the system were designed.Then, a tolerant control output was generated by synthesizing the output of each local controller according to the obtained fault information.However, the FTC controllers are designed on the basis of an approximate linear model, dynamics of the control surface, and model uncertainties of the plant are not considered in the existing results.
To deal with the control problem for nonlinear system with model uncertainties, a great number of nonlinear control schemes have been developed by employing backstepping technology.For example, in [15][16][17][18], several backsteppingbased adaptive neural (or fuzzy) control schemes were presented and neural networks (or fuzzy logic systems) were employed to approximate the unmodeled dynamics.However, the application of these schemes is limited by the large computation load.In [19], a FTC scheme based on adaptive sliding mode backstepping was proposed for a nonlinear system under external disturbances and faults.In [20,21], with the aid of the backstepping technology, several nonlinear ARC controllers were constructed, in which the adaptive part was employed to handle parametric uncertainties and the robust part was mainly used to accommodate the unmodeled dynamics.To the authors' knowledge, a critical issue for FTC design is the limited amount of time for the control system reconfiguration [12].Therefore, due to its simple structure and fast execution speed, the backstepping-based ARC scheme is more suitable for the FTC design for RHAS with model uncertainties.
The force fighting between HA channels is an inherent problem for the RHAS which works on A/A mode and has a parallel force summing configuration, namely, the HAs fight against each other to find an equilibrium point [22].The primary cause of the force fighting problem lies in the unsynchronized force outputs of HAs.In normal situation, manufacturing tolerances and individual nonlinear property of each HA can lead to unsynchronized force outputs.Moreover, the faults occurring in the RHAS will aggravate the unsynchronization of the force outputs and finally enlarge the force fighting between HA channels.Since a serious force fighting may slow down the system response, reduce the position tracking accuracy, or even damage the control surface, solving the problem of unsynchronized force outputs under fault conditions is very important for the FTC controller design for RHAS.Recently, several control strategies have been developed for force outputs synchronization, such as pressure differential equalization control [23], decoupling control [24], and motion state synchronization control [25,26].However, to the authors' knowledge, most of the results are based on linear RHAS models without consideration of nonlinear dynamics and model uncertainties.Besides, no FTC scheme for RHAS can achieve force outputs synchronization control for HAs.
In this paper, considering the nonlinear dynamics of the hydraulic system, model uncertainties, and dynamics of the control surface, an adaptive robust fault-tolerant synchronization control (FTSC) scheme is proposed for a DRHAS suffering from an internal leakage CMF.The contributions of the paper are twofold: (1) Based on the introduction of two reference trajectories, a general nonlinear model for the DRHAS with model uncertainties and an internal leakage CMF is constructed to facilitate the controller design.
(2) A novel FTSC controller based on ARC control and backstepping technology is designed, which can handle the CMF tolerant control problem and the force outputs synchronization control problem simultaneously.Simulation results further demonstrate the effectiveness of the proposed scheme.
The rest of the paper is organized as follows.The model for a DRHAS working on A/A mode is given in Section 2.Then, the FTSC scheme which includes desired trajectory generation, model transformation, and FTSC controller design is presented in Section 3. Simulation results are provided in Section 4. Finally, a conclusion is given in Section 5.

Model of a Dual Redundant Hydraulic Actuation System
The structure of a typical DRHAS is shown in Figure 1.Two hydraulic actuators, powered by different hydraulic power sources, connect to a common control surface and operate on A/A mode.Each HA mainly consists of an EHSV and a hydraulic cylinder.

Model of the Hydraulic Actuator.
The two HAs have the same structure, and the mathematical model for HA 1 is presented below.
The model of the EHSV can be described by a proportional function [27,28] as where  v1 is the servo valve displacement,  1 is the control input, and  i1 is the servo valve gain.
The cylinder dynamic can be represented by where  h1 is the piston rod displacement,  h1 is the piston mass,  1 is the piston area of the active chamber,  2 is the piston area of the passive chamber,  h1 is the damping coefficient,  h1 is the external load of the cylinder, and  1 is the model uncertainty which includes unmodeled nonlinear dynamics and lumped parameter variations.The chamber pressures of the cylinder, i.e.,  h11 and  h12 , are calculated by where   is the effective oil bulk modulus,  h11 =  10 +  1  h1 is the volume of the active chamber,  h12 =  20 −  2  h1 is the volume of the passive chamber, and  10 and  20 are the initial volumes of two chambers, respectively. h11 is the supply flow rate of the active chamber and  h12 is the return flow rate of the passive chamber.When the DRHAS suffers from an internal leakage CMF, i.e., the internal leakage faults occurring in both HAs simultaneously due to a common cause, the internal leakage flow rate  h1 of HA 1 can be modeled by [9] where  i1 is the normal internal leakage coefficient,  t1 represents the fault internal leakage coefficient, sgn(⋅) is the sign function,  f is the fault occurrence time,  1 ( −  f ) is the time profile of the fault which can be described by and  1 is a positive constant which represents the fault evolution speed.
The flow rates  h11 and  h12 can be calculated by where   =  d √2/ is the flow rate gain of the servo valve,  s1 is the supply oil pressure,  r1 is the return oil pressure, and () is defined as For simplicity, we define Therefore, ( 7) and ( 8) can be rewritten as 2.2.Model of the Control Surface.Supposing both HAs are connected rigidly to the control surface (see Figure 1), the driving forces  dh1 and  dh2 which are generated by the two HAs can be described by where  h1 ,  h2 are the connection stiffness and  d is the linear displacement of the control surface.The angular displacement  d can be approximately represented as a linear function of  d , then we have Assuming that the outputs of the HAs are summed by force, the control surface dynamics can be represented as [24] where  d represents the radial distance of the control surface,  d is the moment of inertia,  d is the damping coefficient, and  L is the load torque.

State-Space Equation of the Dual Redundant Hydraulic
Actuation System.Define the state variables as follows.
x = [  11 ,  12 ,  13 According to (3)-( 13), we have and ẋ 23 can be described in a similar manner.Then, a statespace equation for the DRHAS can be written as where is the control input vector, and is the coupling part between two HA channels [24].Defining the output variables as  1 =  d ,  2 = θ d , then according to ( 14)-( 17), the output equation can be written as Assumption 1.The chamber pressure  h11 ,  h12 are bounded and satisfy  r1 <  h11 <  s1 ,  r1 <  h12 <  s1 .Similarly, the chamber pressure  h21 ,  h22 are bounded and satisfy  r2 <  h21 <  s2 ,  r2 <  h22 <  s2 .Meanwhile, all the state variables in (18) are bounded no matter under fault-free or faulty conditions.

Fault-Tolerant Synchronization Control Scheme
For system ( 18)-( 24), the purpose of this section is to design a fault-tolerant synchronization control scheme such that the output tracking error system is bounded stable under the internal leakage CMF condition and the following control performance can be guaranteed: (a) The output deflection angle of the control surface can follow the system deflection command.
(b) The force outputs synchronization for two HAs can be maintained.
The structure of the proposed FTSC scheme is illustrated in Figure 2. To serve the control objectives, a desired trajectory generator is employed to adjust command inputs.Two reference trajectories  r1 and  r2 are generated for position tracking and for force outputs synchronization, respectively.Based on a transformed nonlinear model, an adaptive robust FTSC controller is designed by using backstepping technology.A Lyapunov function based method is used to evaluate the control performance of the closedloop system.The controller reconfigures its control action through parameters adaptation online as the degraded control performance induced by the CMF exceeds a tolerable level.

Desired Trajectory Generation.
To realize the position control of the closed-loop system, a reference trajectory  r1 is generated.Theorem 3. The actual deflection angle  1 can trace the deflection command  r accurately if the function  1 ( h1 ,  h2 ) =  h1  h1 +  h2  h2 can trace the reference trajectory  r1 which satisfies Proof.The reference trajectory  r1 can be derived by using backstepping technique.Define two error variables as Defining a Lyapunov function as  1 = 0.5 2 1 , its time derivative is Choosing the virtue control input  r1 as and substituting it into (27) yields where  1 is a positive constant.
In order to achieve the synchronous force outputs of two HAs and eliminate the fighting force as much as possible, a reference trajectory  r2 is generated.
Assumption 4. The deflection command  r is  5 continuous and bounded.

Model Transformation.
A linear transformation T for the first two equations of ( 23) is introduced [24] and a new statespace model can be derived as where To facilitate using backstepping method [29] to design the FTSC controller, a new state variable x 3 = M 3 x 3 is defined and the state-space model (34) can be rewritten into the following semi-strict-feedback form [30].
where  1 and  2 are known constants.
Assumption 7. The components of the fault parameter vector where  1min ,  1max ,  2min , and  2max are known constants.
The effects of the internal leakage CMF can be represented by where q f = [ f1 ,  f2 ] T .The specific design procedure is described as follows.

Fault-Tolerant
Step 1. Defining a vector of reference trajectory as x r = [ r1 ,  r2 ]  , the tracking error vector z 1 is calculated by Introducing a virtue control vector  1 = [ 11 ,  21 ]  to stabilize f( 12 ,  22 , ), the error vector z 2 is calculated by Defining a Lyapunov function as  1 = 0.5z  1 z 1 , its time derivative is Setting  1 = −k 1 z 1 + ẋ r and substituting it into (41) yields where k 1 = diag( 11 ,  12 ) is a diagonal positive definite matrix.
Step 2. Introducing a virtual control vector  2 to stabilize x 3 , the tracking error z 3 can be calculated by Constructing a Lyapunov function  2 =  1 +0.5z  2 z 2 , then according to (35), ( 40), (42), and (43), the time derivative of  2 can be written as Choose the virtual control vector  2 in (43) as where  1 and  2 are positive design parameters.In condition (i),  2s21 and  2s22 are used to tackle the model uncertainties d1 and d2 in two HA channels, respectively.Condition (ii) is to ensure that the control items  2s21 and  2s22 are dissipating in nature without affecting the functionality of the control item  2a .
Remark 8 (see [30]).To meet the conditions of (46), we can choose (48) Remark 9. From condition (i) of ( 46), it can be derived that where  =  1 +  2 .Note that the smaller the value of , the better the robust control performance can be achieved.Substituting (45) into (44) yields Step 3. Similarly, constructing a Lyapunov function  3 =  2 + 0.5z  3 z 3 , then according to (35), (43), and (50), the time derivative of  3 can be calculated by The control law u can be described as follows: where θ is an estimation of , u a is an adjustable model compensation term, u s1 is a nominal stabilizing feedback, u s2 is a nonlinear robust control law to tolerate the effects of the slight internal leakage CMF, and k 3s1 = diag( 3s11 ,  3s12 ) is a diagonal positive definite matrix.
Remark 10.Under no leakage or slight internal leakage CMF condition, the proposed FTSC control law (52) without parameters adaptation is actually a nonlinear robust synchronization control (NRSC) law.
From (38), the effect of the slight internal leakage CMF for each HA channel, which can be tolerated by the robust control law u s2 , should satisfy where  f1 ,  f2 are predefined constants and represent the tolerable level of the slight internal leakage for HA 1 and HA 2 , respectively.Subsequently, the robust control law u s2 = [ s21 ,  s22 ] T in (52) should satisfy the following conditions.
In condition (i) of (54),  s21 and  s22 are robust control laws to tolerate the effects of the slight internal leakage  f1 and  f2 in two HA channels, respectively, and the control accuracy for them is quantified by the positive design parameters  1 and  2 , respectively.The condition (ii) of ( 54) is to ensure that the control law u s2 is damping without affecting the functionality of u a .
Remark 11.The control law u s2 is chosen as where ℎ 31 and ℎ 32 are positive design parameters which satisfy and it is easy to verify that the control law (55) satisfies both the conditions of (54).
Proof.In this situation, the third equation of (35) can be rewritten as Then, the time derivative of z 3 is equal to Note that there is no unknown disturbance in (72) and the PE condition (70) can be easily satisfied as the integral term is a diagonal positive definite matrix.Therefore, the CMF estimation θ will converge to its real value (i.e., θ → 0 as  → ∞).Thus, (64) can be rewritten as which leads to the same result as (59).If there are no model uncertainties after a finite time  1 (i.e., d = 0, q f = 0, ∀ ≥  1 ), the same result as (63) can be obtained.Thus, Theorem 17 is proved.

Simulation Results
To illustrate the effectiveness of the proposed FTSC scheme, a model of a DRHAS is established in the MATLAB/Simulink environment.Simulation parameters of the model are given in Table 1.
A comprehensive performance evaluation regarding the proposed FTSC scheme is performed in comparison with the other two schemes, i.e., the classical PID and the NRSC.Moreover, the following two scenarios are considered: (a) Scenario S1: A severe internal leakage CMF which has different effects (i.e., different magnitudes and evolution speeds) on two channels occurs in the DRHAS.Specifically, at  f = 7s, a severe internal leakage fault with  t1 = 5 × 10 −7 (m 3 /s/pa),  1 = 10 occurs in HA 1 and a severe internal leakage fault with  t2 = 1 × 10 −7 (m 3 /s/pa),  2 = 0.5 occurs in HA 2 due to a common cause.
The parameters for the control schemes are shown in Table 2.In addition,  r = arctan(0.2sin(2))[1−exp(−0.1 3 )] is used as the system deflection command to fulfill Assumption 4.An elastic load  L =  d  d is used to simulate the air loads acting on the control surface and the unknown model uncertainties  1 and  2 in two HAs are as follows: and  2 = 400.
For scenario S1, Figure 3 shows the position tracking error for three control schemes, and Table 3 summarizes the results of the maximum position tracking error for each scheme under different conditions.It is evident that the proposed FTSC scheme has the best position tracking performance among the three schemes.
In normal condition, the FTSC and NRSC are the same.As listed in Table 3, the maximum position tracking error for FTSC/NRSC is only 2.4546e-004 rad, much less than that for PID.This can be attributed to the robust control design in the FTSC/NRSC which dominates the model uncertainties better than PID.
When the severe internal leakage CMF occurs at  f = 7s, the dynamic performance of the closed-loop system begins to deteriorate rapidly, and this can be reflected from the variation of the performance indicator  3 (see Figure 4).It is observed that the function value of  3 experiences an abrupt variation at  f = 7s and exceeds its upper bound  r immediately, due to the occurrence of the CMF.Then, according to (67), the fault parameter vector and also the control parameter vector θ for FTSC begin to be updated online, and more control input is generated to compensate for the CMF effects.Therefore, the dynamic performance of the system under the control of the FTSC is gradually restored.As summarized in Table 3, after experiencing a small jump about 7.8270e-004 rad, the position tracking error for the FTSC finally converges to 2.4635e-004 rad in steady state, much less than that for PID and for NRSC.
Figure 5 compares the output fighting forces for three control schemes.Table 4 summarizes the results of the maximum fighting force for each scheme under different conditions.Results indicate that the proposed FTSC scheme has the smallest fighting force among all the schemes no matter during fault-free or faulty time.
In normal condition, due to the introduction of the force synchronization strategy, the NRSC and FTSC can reduce the fighting force more effectively than PID.As shown in the second column of Table 4, the maximum fighting force is about 133N for FTSC, smaller than that for PID.
Under fault condition, note that the CMF which has different effects on HAs may lead to response difference between two HAs and further enlarges the fighting force.Therefore, since the proposed FTSC scheme can accommodate the CMF better than the other two schemes, a more significant elimination of the fighting force between two HAs can be achieved naturally.As shown in Figure 5 and Table 4, the fighting force of the FTSC reaches its maximum  value 4.9884e+003N, along with the occurrence of the severe internal leakage CMF, and gradually reduces to 133N after entering steady state, far less than that of PID and NRSC.
Figure 6 shows the control inputs of the DRHAS for three schemes.Note that the fault effect in HA 1 is more serious than that in HA 2 .Therefore, more control input is allocated to HA 1 to compensate for the fault effect.As depicted in the upper plot of Figure 6, the control input u1 for the proposed scheme is slightly larger than that for PID and for NRSC, but still maintains a relatively small value.Figure 7 presents the estimation result of the CMF and its real value.It can be found that the fault effect for each channel can be estimated correctly.
Under scenario S2, the DRHAS suffers from a slight internal leakage CMF.As illustrated in Figure 8, neither the maximum fault effect in HA 1 nor that in HA 2 exceeds the threshold.In this situation, according to inequalities (53) and (54), the leakage effects can be compensated by the robust control law (52).In Figure 9, the variation curve of the performance indicator  3 further confirms that the system performance is still acceptable as the maximum value of  3 does not exceed its upper bound.Therefore, based on (67), the parameters online adaptation in (52) will not be activated and the schemes FTSC and NRSC are the same.Figure 10 compares the position tracking error for three schemes.It is easy to see that the FTSC/NRSC has a much higher tracking accuracy than PID.As summarized in Table 3, by comparing the maximum tracking errors before and after the fault occurrence for each scheme, it seems that the slight internal leakage CMF has little effect on the position tracking accuracy of the system.Figure 11 shows the output fighting forces for three control schemes.Obviously, the FTSC/NRSC can reduce the fighting force more effectively in comparison with the PID, especially after the fault occurrence.As listed in Table 4, the maximum fighting force for PID during fault transient time is about 1.2109e+003N, almost ten times larger than that for FTSC/NRSC.This can be attributed to the robust control design as well as the force synchronization design for the FTSC/NRSC controller.
In conclusion, based on the simulation results, the proposed FTSC scheme can ensure the following: (a) The closed-loop control system is robust to model uncertainties and slight internal leakage CMF.
(b) Fast and correct CMF estimation can be obtained when the performance degradation exceeds the predesigned tolerable level.(c) A high position tracking accuracy and an effective reduction of fighting force between channels can be achieved no matter during fault-free or faulty time.

Conclusions
This paper proposes a fault-tolerant synchronization control scheme for a DRHAS, which operates on A/A mode and suffers from an internal leakage CMF, i.e., internal leakage faults occurring in both HAs simultaneously due to a common cause.Firstly, a desired trajectory generator is  employed and two reference trajectories are generated for position tracking and for force outputs synchronization of HA channels, respectively.Secondly, a nonlinear adaptive robust FTSC controller is designed by employing backstepping method.A Lyapunov function based method is used to evaluate the control performance of the closed-loop system.As the degraded control performance induced by the CMF exceeds a tolerable level, the FTSC controller reconfigures its control action through parameters adaptation online to accommodate the fault.It has been verified that the proposed FTSC scheme can guarantee the bounded stability of output tracking error system under CMF.Finally, simulation results under two scenarios demonstrate the effectiveness of the proposed FTSC scheme.

Figure 1 :
Figure 1: Structure diagram of a DRHAS operating on A/A mode.

Figure 2 :
Figure 2: Structure diagram for the proposed FTSC scheme.

Figure 5 :
Figure 5: Force fighting between two HA channels under scenario S1.

Figure 6 :
Figure 6: Control inputs of the DRHAS under scenario S1.

Figure 11 :
Figure 11: Force fighting between two HA channels under scenario S2.

Table 2 :
Parameters of the control schemes.

Table 3 :
Maximum tracking error for three control schemes under different scenarios.

Table 4 :
Maximum fighting force for three control schemes under different scenarios.