Abstract: This paper considers the fault-tolerant attitude control problem of spacecraft under intermittent faults that occur in the control processor. A novel control framework based on multiple redundant control processors is provided, and a state-dependent switching law among these processors is proposed to stabilize the attitude dynamics without requiring control reconfiguration in each control processor when faults occur. Moreover, a probability-based method is provided to find the minimal number of control processors that are needed for attitude stabilization. Simulation results show the efficiency of the proposed methods.
INTRODUCTION
The potential faults in a complex system often range over a very large region. A single fault tolerant control (FTC) law (even an adaptive one) is often hard to design to stabilize all faulty situations effectively, as indicated in Blanke et al. (2006); Yang et al. (2010). Supervisory FTC approaches assume that the plant model belongs to a pre-specified set of models, including the nominal situation and all possible faulty situations, and that there exists a finite family of candidate control laws such that the faulty system is stabilized when controlled by one of those candidate control laws, as in Staroswiecki and Gehin (2011); Yang et al. (2009), or by switching among those control laws, as in Yang et al. (2012).
Although multiple control laws are provided, the physical realization of supervisory FTC is often achieved by only one control processor (called "processor" for short in the following where there is no confusion), which adopts the most appropriate control law. Such a supervisory FTC scheme obviously relies on the assumption that the processor is always healthy and available. In the presence of processor faults, most (supervisory) FTC methods that are based on control reconfiguration are unavailable. Unlike faults in actuators, sensors or the plant, which are often permanent, most processor faults are intermittent. An intermittent fault appears and disappears successively and randomly, as described in Su et al. (1978). Such faults can occur 10 to 30 times as often as permanent faults and often exist in electronic equipment (Ismaeel and Bhatnagar (1997)).
This paper investigates the FTC problem of the spacecraft attitude control system (ACS) and particularly focuses on a kind of intermittent processor fault (I) that forces the torque inputs to be zero (the mechanism and formal model of I will be given later). Although FTC methods for spacecraft ACS have been researched for many years, e.g. Tafazoli and Khorasani (2006); Xiao et al. (2011), to name a few, most of these results assume that the faulty spacecraft is still controlled with three inputs and that the processor is always healthy. In the presence of complete failures such that torque inputs become zero, the spacecraft becomes underactuated, and the FTC design is more complicated, as indicated in Tsiotras and Doumtchenko (2000). The fault tolerance of I deserves deep investigation for two reasons:
1. For FTC design with hardware redundancy, multiple processors would be applied as backups. However, intermittent faults may occur in each processor, so the reliability of the whole ACS may not be guaranteed even with multiple control processors. Moreover, too many processors obviously increase the hardware cost and computational burden of the spacecraft.
2. For FTC design with analytical redundancy, control reconfiguration has to be applied. However, it is difficult to adjust the controller to accommodate a fault in itself. Moreover, such FTC takes time and control cost. Since intermittent faults may occur frequently, much control effort has to be made if we apply the FTC scheme every time these faults occur. This is often not admissible in real spacecraft operation.
This paper will answer two questions: 1) Is it possible to accommodate I by multiple processors without control reconfiguration in each processor? 2) How many processors are needed?
1. The ACS is modeled by a switched system where each mode represents the system with one of the processors. A novel switching scheme is proposed among such a family of redundant processors. It shows that if the period in which at least one processor is fault-free is long enough compared with that when all processors are faulty, then the attitude is stabilized without any control reconfiguration in each processor.
2. According to the Markovian statistical property of intermittent faults, a probability-based method is provided to build a link between the fault tolerance analysis and the number of processors, under which the minimal number of processors that are needed for maintaining stability of the ACS can be found.
In the rest of the paper: Section 2 presents some preliminaries. Section 3 analyzes the system behavior under a single processor, and Section 4 addresses the switching control issue with multiple processors. Section 5 provides simulation results, followed by conclusions in Section 6.
PRELIMINARIES

Rigid spacecraft model
Consider a spacecraft whose principal axes of the body-fixed reference frame are along the direction of the principal axes of the inertia moments. The kinematics equation is:
where ω ∈ ℝ^3, [ω 1 ω 2 ω 3 ] represents the inertial angular velocity vector. q ∈ [q 1 q 2 q 3 ], q 4 is a scalar, q 1, q 2, q 3 and q 4 denote the quaternions. J = J is the inertia matrix. The cross product is defined as:
The dynamic equation is:
where u ∈ ℝ^3 is the output of the processor, D = diag[1, 1, 1] is the actuator distribution matrix. Du represents the torque input generated by the thrusters. Eq. (1) can also be expressed as in Wertz (1995):
where
Model of I
Under I, the torque inputs become zero, i.e., Du = 0. This includes three cases:
1) The fault breaks the running process of the program in the processor and makes the command signals from the processor to the thrusters zero, i.e., u = 0;
2) The fault leads to a short circuit of the processor and makes u = 0;
3) The fault affects the processor such that the command signals deviate from normal, which is very dangerous; thus the actuators are automatically stopped, i.e., let D = 0. Such an operation is available since thrusters can work in both continuous and impulsive ways.
Denoting u no as the nominal control law of the ACS, one has
Intermittent faults are often modeled by a transition system with two modes (one for the healthy situation and the other for the faulty situation). The transitions between these two modes, i.e. the appearance and disappearance of the faults, follow the well-known continuous-parameter Markov rule as in Su et al. (1978). Such a model is adopted for I. It follows that
P{Du(t + ∆t) = u no (t + ∆t) | Du(t) = 0} = ρ 10 ∆t   (4)
where P denotes the probability, 0 ≤ ρ 01 < 1 represents the fault appearance rate, 0 ≤ ρ 10 < 1 represents the fault disappearance rate, and ∆t ≥ 0 is a period. Throughout the paper, it is supposed that the initial situation of the processor is healthy.
Problem formulation
Define x [q , 1q ] , where 1 > 0 is a constant to be chosen. Note that
. Eq. (2) can be rewritten as:
where F and G can be obtained from (2). It is clear that if x → 0, then q → 0, q 4 → 1, ω → 0, i.e., the attitude is asymptotically stable at origin.
With m (m > 1) redundant processors, the ACS switches among these processors and applies one of them at a time, thus the system (5) is rewritten as
where
Lemma 1: Consider the system (6) with σ(t) = i, i ∈ M, and there is no fault. There exists an initial condition of x(0) and u no i such that the origin of system (6) is asymptotically stable.
Proof : Design the nominal control law
where Q is defined in (2), k 1 and k 2 are two positive constants.
Substituting (7) into (6) yields
For any 1 > 0, we can choose k 1 and k 2 such that the system (8) is asymptotically stable at origin. Consider a
with P being a positive definite symmetric matrix, its time derivative along the solution of (8) satisfies
Note that the control law (7) is available if Q is nonsingular; this requires that q 4 ≠ 0. If we choose the initial state satisfying
then q 4 (0) ≠ 0, and control law (7) is available at t = 0. It follows from (9) that under (7), |q(t)| ≤ α ∀t ≥ 0, this means that(t) ≤ α and q 4 (t)^2 ≥ 1−α, ∀t ≥ 0. Therefore control law (7) always works and lim t→∞ V (t) = 0. This completes the proof.
The initial condition (10) implies that if the initial Euler angle θ ∈ (−π, π), then under (7), θ → 0 and would never reach π. This does not restrictq(0) since 1 can be chosen small.
Lemma 2 : Consider the system (6) with σ(t) = i, i ∈ M, and
Proof : Since Du i = 0, the system (8) changes into
The time derivative of V along the solution of (11) is
Since |x| ≤ α, |q| ≤ α, one has that
Also note that |q 4q4 | = | −| ≤ α|q|, it follows that
Substituting (14) into (13) yields
One further has that
Substituting (16) into (12) leads to
This completes the proof.
Lemmas 1 and 2 mean that in the healthy situation, under initial condition satisfying (10) and nominal control law as in (7), the origin of ACS can be exponentially stabilized.
In the presence of a fault, the states may diverge no faster than exponentially, provided they are bounded within a region.
FTC VIA MULTIPLE REDUNDANT PROCESSORS
Switching control framework
For the purpose of reliability, onboard computers and processors of spacecraft often need hot backups that always run even when they are not in use. Inspired by such a setting, a switching control framework is proposed as shown in Fig. 1, where m processors work in parallel, each one being a hot backup of the others. Each processor i, i ∈ M, is either connected with the spacecraft body, denoted as B, or connected with its virtual body, denoted as E i. At any one time, only one of the processors is chosen to be connected with B; the others are connected with E i. The control law u i of processor i is always designed as u no i whether the processor is connected with B or with E i.
It is assumed that the appearance and disappearance of I can be detected rapidly by using a certain fault diagnosis scheme, which is not the main focus of the paper. Interested readers are referred to Su et al. (1978) is sent to E i and the switching scheme. Based on this information, the switching scheme provides the switching function σ(t), and chooses one of the processors to connect with B. We will first discuss the design of E i, then propose a switching law among processors.
Design of E i
E i works when processor i is connected with it. The dynamics of E i is also represented by a switched system with two modes
where z i ∈ ℝ^6 is the state, i (t) : [0, ∞) → {1, 2} is a switching function, i (t) = 1 if there is no fault in processor i, and i (t) = 2 if fault occurs. The synchronization between the switchings of two modes of E i and the appearance/disappearance of processor i's fault can be achieved based on fault diagnosis information.
The dynamics of mode 1 is designed to be the same as B, i.e., F 1 (z) = F (z) and G 1 (z) = G(z), where F (·) and G(·) are defined in (5). One has that
where V takes the same form as in Section 3.
The dynamics of mode 2 is designed as F 2 (z i ) = Az i where A is a Hurwitz matrix and G 2 (z i ) = 0 such that
It can be seen from (19)-(20) that whether processor i is faulty or not, z i exponentially converges to zero if processor i is connected with E i.
To guarantee the availability of nominal control law u no i
for E i . At every time instant t s after which processor i is connected with E i , the state values z i (t s ) is chosen such that
Switching law design
where M h denotes the set of healthy processors, and M f denotes the set of faulty processors. Since under I, the fault appears and disappears intermittently in each processor, both M h and M f are time variant.
The switching law among processors is given as:
disconnect processor i from B, go to step 3; else go to step 4.
3. Pick an arbitrary controller j ∈ M h (t ), apply it to B, let i = j, go to step 2.
4. Continue applying processor i to B, until t = t such that M h (t ) ≠ ∅, let t = t , go to step 3.
The main idea behind S is that at each time one healthy processor i is connected with B until this processor cannot stabilize B due to a fault, then another healthy processor is connected with B. If there is no healthy processor, processor i is still applied until a healthy one appears.
It can be seen that such a switching law relies on the real-time situations (healthy or faulty) of all processors. Thanks to the structure of E i as described in Section 4.2, S is implementable: since each processor always works, whether it is faulty or not, by being connected with E i or B, its real situation is always known by the fault diagnosis scheme.
Theorem 1 : The origin of (6) with initial condition satisfying (10) is asymptotically stable by m redundant processors under switching law S if
Fault tolerance analysis
Proof : According to Step 1 of S, apply an arbitrary processor i to B. Since the initial situation of each processor is healthy, based on Lemma 1, applying processor i with the nominal control law as in (7) and choosing the initial condition satisfying (10) guarantee V̇ ≤ −λ 0 V. It follows that V (t) ≤ e^(−λ 0 t) V (0) for t < t f, where t f is the time when a fault occurs in processor i.
At t = t f , two cases are considered:
According to Step 4 of S, processor i is still applied to
Note that |x(t f )| ≤ α < 1, thus control law (7) is still available at t f . According to Lemma 2, one has
for t < t escape where t escape denotes the time when |x(t escape )| ≥ 1. Note that for t ≥ t escape , q 4 (t) may equal zero, which violates the control law (7). On the other hand, Condition (22) guarantees that V (t) < V (0), which means that |x(t)| ≤ α, ∀t ≤ t . Therefore the control law (7) and Lemma 2 are always available in [0, t ). It follows that
Step 3 of S, at t = t f , apply another healthy processor j to B. We have that
Therefore, when another healthy processor j is applied to B, the nominal control law is always available.
S guarantees that for any t > 0, one of healthy processors is always being applied to B in ∆ h aoc (t), while in ∆ f allc (t), a faulty processor is applied, it follows that
Condition (22) guarantees that V (t) always decreases, therefore when each processor is connected with B, the nominal control law is always available. Finally, lim t→∞ V (t) = 0. This completes the proof.
It is interesting to compare (22) 
In this case, there is no need to switch among multiple redundant processors. In the proposed multiple-processor switching scheme, even if all processors do not satisfy (23), condition (22) may still hold. The larger the number of processors, the less restrictive condition (22) is. This explicitly reveals the advantage of using multiple processors.
The minimal number of processors
Condition (22) of Theorem 1 can be used for checking on-line whether the attitude is stable. However, it is unavailable a priori for the determination of the number of redundant processors. This motivates us to further investigate the statistical properties of I, which can build a link between the fault tolerance analysis and the number of processors, as will be shown.
12 . According to condition (26), let m = 2, i.e., 2 processors are applied for the FTC purpose.
The first two sub-figures of Fig. 2 illustrate the healthy periods and faulty periods of two processors that are generated under ρ 01 and ρ 10; the function χ i (t) = 1 (χ i (t) = 0) when processor i is healthy (faulty), i = 1, 2. It can be seen that in period [0, 50) s, processor 1 is healthy in periods [0, 7.7), [12.4, 22.5), [28.7, 41.3), [45.1, 50) s and processor 2 is healthy in periods [0, 3.6), [8.7, 14.1), [16.7, 30.8), [37.8, 43.1), [47.8, 50) s.
The third sub-figure of Fig. 2 shows the trajectory of σ(t) according to switching law S. Processor 1 is applied to the spacecraft in periods [0, 8.7), [12.4, 22.5), [30.8, 41.3), [45.1, 50) s and processor 2 is applied in other periods. Fig. 3 shows trajectories of Du σ. Since in periods [7.7, 8.7), [43.1, 45.1) s both processors are faulty, there is no torque input in these periods. Fig. 4 shows the behaviors of ω, q and q 4. It can be seen that when there is no torque input, the states diverge; however, the attitude stability in the whole process is achieved under switching between two processors in spite of intermittent faults.
provides a new FTC clue in the case that control reconfigurations are difficult to be done. In this work, all states are available, output-feedback control together with observer design would be considered in the absence of full state measurements.
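An added example, not code from the paper: it takes the healthy periods quoted above for the two processors, computes the windows in which both are faulty (the zero-torque periods), and samples the two-mode Markov fault model to estimate how the all-faulty share of time changes with the number of processors m. The rates 0.2 and 0.5, the function names and the independence of the processors are assumptions; the paper's own rate values and condition (26) are not reproduced here.

```python
import random

def faulty_windows(healthy, horizon):
    """Complement of sorted, disjoint healthy intervals on [0, horizon)."""
    out, t = [], 0.0
    for start, end in healthy:
        if start > t:
            out.append((t, start))
        t = max(t, end)
    if t < horizon:
        out.append((t, horizon))
    return out

def all_faulty_windows(healthy_by_proc, horizon):
    """Windows where every processor is faulty, so Du = 0 whatever sigma(t) is."""
    common = [(0.0, horizon)]
    for healthy in healthy_by_proc:
        faulty = faulty_windows(healthy, horizon)
        common = [(max(a, c), min(b, d)) for a, b in common
                  for c, d in faulty if max(a, c) < min(b, d)]
    return common

def sample_healthy(rho01, rho10, horizon, rng):
    """One path of the two-mode Markov fault model, starting healthy.
    Dwell times are exponential: rate rho01 while healthy, rho10 while faulty."""
    t, healthy, out = 0.0, True, []
    while t < horizon:
        rate = rho01 if healthy else rho10
        dwell = rng.expovariate(rate) if rate > 0 else float("inf")
        end = min(t + dwell, horizon)
        if healthy:
            out.append((t, end))
        t, healthy = end, not healthy
    return out

def all_faulty_fraction(m, rho01, rho10, horizon, rng):
    """Share of [0, horizon) in which m independent processors are all faulty."""
    paths = [sample_healthy(rho01, rho10, horizon, rng) for _ in range(m)]
    return sum(b - a for a, b in all_faulty_windows(paths, horizon)) / horizon

# Healthy periods of processors 1 and 2 as quoted in the simulation text (s).
P1 = [(0, 7.7), (12.4, 22.5), (28.7, 41.3), (45.1, 50)]
P2 = [(0, 3.6), (8.7, 14.1), (16.7, 30.8), (37.8, 43.1), (47.8, 50)]

if __name__ == "__main__":
    print(all_faulty_windows([P1, P2], 50))  # the zero-torque windows
    rng = random.Random(1)                   # constructed rates, not the paper's
    for m in (1, 2, 3):
        print(m, round(all_faulty_fraction(m, 0.2, 0.5, 5000, rng), 3))
```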
