Method of controlling an activation system, emergency control system, and aircraft equipped with such system

Abstract

A method of controlling an overly determined actuator system that has a first number of actuators (α.sub.i) which is greater than a second number of the actuators needed to perform a predetermined physical task. The method includes: automatically controlling the first number of actuators by a control unit (CU) for jointly performing the predetermined physical task; repeatedly checking a functional state of the first number of actuators to detect an actuator failure of any one thereof; in case of any detected actuator failure, generating at least one emergency signal (EM) representative of an adapted physical task to be performed by a remaining number of the actuators. The emergency signal is generated based on kinematics of the actuator system, on known physical capacities at least of the remaining actuators, and optionally on a computational performance model of the actuator system. The adapted physical task includes activating each of the remaining actuators below a predetermined threshold of maximum physical load on a respective actuator and activating the ensemble of remaining actuators in a way to prevent further damage to the actuator system. An emergency control system and an aircraft are also provided.

Claims

1. A method of controlling an overly determined actuator system, said actuator system having a first number of actuators (α.sub.i), said first number of actuators is greater than a second number of said actuators needed to perform a predetermined physical task with said actuator system, said actuators comprise propulsion units that form part of a multi-actuator aerial vehicle, MAV, which is an electrically powered VTOL aircraft for transporting at least one of loads or passengers, the method comprising: automatically controlling said first number of actuators (α.sub.i) with a control unit (CU) for jointly performing said predetermined physical task; repeatedly checking a functional state of said first number of actuators (α.sub.i) in order to detect an actuator failure of any one of said first number of actuators (α.sub.i); in case of any detected actuator failure, generating at least one emergency signal (EM) representative of an adapted physical task to be performed by a remaining number of said actuators (α.sub.i), wherein said emergency signal (EM) is generated based on dynamics and kinematics of the actuator system, on known physical capacities at least of the remaining number of said actuators (α.sub.i), and optionally on a computational performance model of the actuator system; wherein said adapted physical task comprises activating each of said remaining actuators (α.sub.i) below a predetermined threshold of maximum physical load on any respective one of the actuators (α.sub.i) and activating an ensemble of said remaining actuators (α.sub.i) in a way to prevent further damage to the actuator system; and said emergency signal (EM) is applied to a motion planning device (MP), and said motion planning device (MP) uses the emergency signal (EM) to adapt a pre-planned flight trajectory of the MAV and to determine at least one possible adapted flight trajectory that is modified from the pre-planned flight trajectory.

2. The method of claim 1, wherein the repeatedly checking of the functional state of the said first number of actuators is performed by a failure detection algorithm which accepts at least one of the following inputs: an actuator health status from each said actuator (α.sub.i); commanded actuator values computed by the control unit (CU); output of an external disturbance observer; computed actuator commands; known system parameters, particular mass, moment of inertia, system geometry, which may be subject to uncertainties; available measurements/estimates of the system state, e.g., attitude, altitude, rotational velocities; and translational velocities; wherein said algorithm combines at least a plurality of said inputs with a probability value between 0 and 1 for each said actuator (α.sub.i), where 0 indicates that the individual actuator has failed with 0% probability and 1 indicates that the individual actuator has failed with 100% probability, and wherein said algorithm detects a failure for a particular one of the actuators (α.sub.i) if said probability value for said particular one of said actuators (α.sub.i) is higher than a heuristically set value.

3. The method of claim 2, wherein at least one of the method steps is carried out by the algorithm (ECS/A) which is installed on and performed by at least one of said control unit (CU) or a dedicated emergency control unit.

4. The method of claim 1, further comprising translating said emergency signal (EM) to a control signal that is adapted to be communicated to the human pilot or is communicated to an auto-pilot of the actuator system, which uses the control unit (CU) in order to control the actuator system, said control signal being adapted to activate the remaining actuators (α.sub.i) to perform said adapted physical task.

5. The method of claim 1, wherein the emergency signal (EM) is adapted to trigger an emergency procedure for saving the actuator system.

6. The method of claim 1, wherein said adapted physical task comprises shutting down the actuator system.

7. The method of claim 1, wherein said actuator functional state is repeatedly communicated by the actuators (α.sub.i) to the control unit (CU) or to a dedicated emergency control unit.

8. A method of controlling an overly determined actuator system, said actuator system having a first number of actuators (a), said first number of actuators is greater than a second number of said actuators needed to perform a predetermined physical task with said actuator system, the method comprising: automatically controlling said first number of actuators (α.sub.i) with a control unit (CU) for jointly performing said predetermined physical task; repeatedly checking a functional state of said first number of actuators (α.sub.i) in order to detect an actuator failure of any one of said first number of actuators (α.sub.i); in case of any detected actuator failure, generating at least one emergency signal (EM) representative of an adapted physical task to be performed by a remaining number of said actuators (α.sub.i), wherein said emergency signal (EM) is generated based on dynamics and kinematics of the actuator system, on known physical capacities at least of the remaining number of said actuators (α.sub.i), and optionally on a computational performance model of the actuator system; and translating said emergency signal (EM) to a communication signal and that is adapted for communication to a human operator of the actuator system, said communication signal being indicative of an operator action required to perform said adapted physical task; wherein said adapted physical task comprises activating each of said remaining actuators (α.sub.i) below a predetermined threshold of maximum physical load on any respective one of the actuators (α.sub.i) and activating an ensemble of said remaining actuators (α.sub.i) in a way to prevent further damage to the actuator system.

9. A method of controlling an overly determined actuator system, said actuator system having a first number of actuators (α.sub.i), said first number of actuators is greater than a second number of said actuators needed to perform a predetermined physical task with said actuator system, the method comprising: automatically controlling said first number of actuators (α.sub.i) with a control unit (CU) for jointly performing said predetermined physical task; repeatedly checking a functional state of said first number of actuators (α.sub.i) in order to detect an actuator failure of any one of said first number of actuators (α.sub.i); in case of any detected actuator failure, generating at least one emergency signal (EM) representative of an adapted physical task to be performed by a remaining number of said actuators (α.sub.i), wherein said emergency signal (EM) is generated based on dynamics and kinematics of the actuator system, on known physical capacities at least of the remaining number of said actuators (α.sub.i), and optionally on a computational performance model of the actuator system; wherein said adapted physical task comprises activating each of said remaining actuators (α.sub.i) below a predetermined threshold of maximum physical load on any respective one of the actuators (α.sub.i) and activating an ensemble of said remaining actuators (α.sub.i) in a way to prevent further damage to the actuator system; wherein said emergency signal (EM) is applied to a motion planning device (MP), and said motion planning device (MP) uses the emergency signal (EM) to adapt a pre-planned flight trajectory of a multi-actuator aerial vehicle (MAV) and to determine an adapted flight trajectory that is modified from the pre-planned flight trajectory; and the motion planning device (MP) automatically suggests an overrule command and provides said overrule command to a trajectory tracking unit (TT), which enables the MAV to at least locally deviate from said pre-planned flight trajectory.

10. The method of claim 9, wherein locally deviating from a pre-planned flight trajectory comprises: implementing a potential field covering at least a respective local area; and using at least one of the motion planning device (MP) or the trajectory tracking unit (TT) to at least locally recalculate the pre-planned flight trajectory based on said potential field.

11. The method of claim 10, wherein the motion planning device (MP) sets a geometrical or geographical extent of said potential field; and the trajectory tracking unit (TT) decides whether or not local deviation is permitted.

12. An emergency control system for controlling an overly determined actuator system, said system having a first number of actuators (α.sub.i) and said first number of actuators is greater than a second number of the actuators needed to perform a predetermined physical task with said actuator system, the emergency control system comprising: a control unit (CU) that automatically controls said first number of actuators (α.sub.i) for jointly performing said predetermined physical task; a function for repeatedly checking a functional state of said first number of actuators (α.sub.i) in order to detect an actuator failure of any one of said first number of actuators (α.sub.i); a emergency signal device or unit (ECS/A) that, in case of any detected actuator failure, is configured to generate at least one emergency signal (EM) representative of an adapted physical task to be performed by a remaining number of said actuators (α.sub.i), said emergency signal (EM) is generated based on kinematics of the overall actuator system, on known physical capacities at least of the remaining actuators (α.sub.i), and optionally on a computational performance model of the overall actuator system; wherein said adapted physical task comprises activating each of said remaining actuators (α.sub.i) below a predetermined threshold of maximum physical load on a respective one of the actuators (α.sub.i) and activating an ensemble of the remaining actuators (α.sub.i) in a way to prevent further damage to the actuator system; wherein the system is configured for use with a multi-actuator aerial vehicle, MAV, comprising an electrically powered VTOL aircraft for transporting at least one of loads or passengers, said actuators (α.sub.i) comprise propulsion units which form part of said MAV, and the control unit comprises a flight control unit; and the control unit is configured to apply said emergency signal (EM) to a motion planning device (MP), and said motion planning device (MP) uses the emergency signal (EM) to adapt a pre-planned flight trajectory of the MAV and to determine at least one possible adapted flight trajectory that is modified from the pre-planned flight trajectory.

13. An aircraft comprising a multi-actuator aerial vehicle, MAV, formed as an electrically powered VTOL aircraft for transporting at least one of loads or passengers, said aircraft comprising: an overly determined actuator system having a first number of actuators (α.sub.i) and said first number of actuators is greater than a second number of said actuators needed to perform a predetermined physical task with said actuator system, said actuators (α.sub.i) comprising propulsion units; and the emergency control system according to claim 12.

14. The aircraft of claim 13, wherein the propulsion units comprise rotors/propellers (R) or motor-propeller units.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Further details and advantages of the invention will now be explained in exemplary fashion based on the appended drawings.

(2) FIG. 1 shows a generic illustration of an MAV design;

(3) FIG. 2 shows the MAV of FIG. 1 in case of actuator failure;

(4) FIG. 3 shows are more detailed illustration of the MAV according to FIG. 1;

(5) FIG. 4 shows are more detailed illustration of the MAV according to FIG. 2;

(6) FIG. 5 shows a generic depiction of an optimum direction suggested by the reflex indicator in case of an actuator failure;

(7) FIG. 6 shows are more detailed illustration of the MAV according to FIG. 1 during failure of two front actuators; and

(8) FIG. 7 shows a flowchart of an embodiment of the method according to the invention.

DETAILED DESCRIPTION

(9) A very generic illustration of an MAV design is presented in FIG. 1. Reference numerals α.sub.i, i=1, . . . , n; n∈, denote individual actuators, e.g., motors with rotors/propellers. Reference numerals d.sub.i, i=1, . . . , n; n∈, denote the distance (in 3D space) of individual actuators α.sub.i from an aircraft center AC, in particular a geometric center or the center of mass. Each of these actuators could be generating forces (e.g. lift) and torques in/around any direction, depending on their design. Note that the distance of an individual actuator to the center AC of the vehicle, depicted as d.sub.i, could be any, i.e., they can be symmetrically placed around said center AC, but this is not mandatory. Reference numeral CU denotes a control unit, which can be a flight control unit of the aircraft, which is adapted to perform an emergency control system or algorithm denoted ECS/A. Control unit CU is in signal communication SC with every actuator α.sub.i, as shown in exemplary fashion for one single actuator. This signal communication SC comprises sending control signals (commands) to the actuators and receiving status information therefrom.

(10) FIG. 2 shows a case wherein k, k∈ actuators out of n actuators experience failure, with k<n (e.g. in FIG. 2 k=3). In FIG. 2, the failed actuators have been crossed out. If the aircraft can still perform stable flight with n-k actuators, this will be detected by the algorithm ECS/A (reflex indicator), and an optimum new direction or trajectory will be suggested to either pilot or an autopilot. This new direction is computed by the algorithm ECS/A in a way that the remaining (healthy) actuators α.sub.i are not overloaded. If a stable flight is not possible at all, this is also computed in the algorithm (reflex indicator) ECS/A by comparing the available control volume with the required control action. Required control action is computed in the control unit (CU) using the desired aircraft state, current aircraft state and the known kinematics and dynamics of the aircraft. Available control volume consists of all physical forces and torques applicable to the aircraft body using only the remaining actuators, computed using the available actuators, their physical capabilities and geometry of the aircraft (e.g. the location of the actuators on the aircraft). In this case, the algorithm ECS/A returns an emergency message or signal EM, which can be used for triggering an emergency procedure, e.g., immediate landing. In particular, the emergency signal EM can be translated (e.g., by the control unit) to a communication signal and then communicated to a human operator of the actuator system (aircraft), said communication signal being indicative of an operator action required to perform an adapted physical task, i.e., follow an optimum new direction or trajectory. Alternatively, the emergency signal EM can be translated to a control signal and communicated to (or used by) the control unit of the actuator system, said control signal being adapted to activate the remaining actuators α.sub.i to perform said adapted physical task.

(11) In case of a piloted flight, this suggestion can be made using visualization on a screen (not shown). In case of an autopilot, the available information is used for trajectory re-planning purposes, using a motion or trajectory planning device MP comprised within control unit CU or in a separate and dedicated hardware. If trajectory planning device MP suggests multiple possible trajectories (e.g., multiple emergency exit plans, or different flight missions), the proposed algorithm ECS/A may weight these trajectories and propose the trajectory closest to the optimum direction. If trajectory planning device MP suggests only one possible trajectory, the proposed algorithm ECS/A sends a command for relaxing a trajectory tracking unit TT (“tracker”), which is a function or component comprised within the control unit CU or in a separate and dedicated hardware making sure that the MAV tracks the planned trajectories, in a way that tracker TT may overrule or overshoot the planned trajectory in a bounded way (if allowed) for the sake of saving the rest of the healthy actuators and hence avoiding any catastrophic event. This overrule command can be overruled again by tracker TT, in case, e.g., for static or dynamic obstacle avoidance, or if aircraft overshoots its safe pre-defined trajectory bounds. This overshoot from the planned trajectory is done locally, i.e., by implementing a potential field at that local area of the trajectory, which potential field is used by trajectory planning device MP to re-plan a new trajectory that is pushed away from the original one (in a bounded way using a safe radius) in the direction which algorithm ECS/A suggests. The potential field comprises a safe radius defining an (3D) ellipsoid, current state (position and velocity) and desire state (position and velocity) of the aircraft. In this case, the desired trajectory is altered with a safe distance and velocity profile from the original desired trajectory, where this safe distance is defined with the radius of the aforementioned ellipsoid in 3D. Direction of this new desired trajectory is defined based on the reflex indicator/emergency signal (EM) provided by the reflex indicator. In this case, reflex algorithm ECS/A sends the radius of the potential field to be used in the tracker TT. Tracker TT decides if this overshoot is allowed or not, based on the (static or dynamic) obstacles around the flight path (e.g. defined as geofences or detected during operation). Autopilot, motion planner and trajectory tracker have the highest priority, as human has during piloted operations.

(12) For a better understanding, the “Volocopter”® MAV design by the applicant can be taken as an example. Said design comprises 18 actuators α.sub.i (each having a motor (not shown) and a propeller or rotor R), which are symmetrically placed in a doubly hexagonal pattern around the center AC of the MAV. This is depicted in FIG. 3 and FIG. 4. Vector g denotes gravitational acceleration. In FIG. 4, failed actuators are again crossed out, cf. FIG. 2.

(13) According to FIG. 3, each one of the 18 propellers R is generating lift upwards and a drag moment on the counter direction of their rotation (rotation directions are depicted with circular arrows around the lift axis (up): actuators α.sub.1, α.sub.2, α.sub.4, α.sub.7, α.sub.8, α.sub.10, α.sub.13, α.sub.14, and α.sub.16 rotate counter clockwise and the remaining actuators rotate clockwise). Actuators α.sub.1 and α.sub.18 are assumed to be located in the front (in the direction of flight).

(14) FIG. 5 shows a generic depiction of an optimum direction suggested by the reflex indicator in case of an actuator failure, cf. FIG. 2 or 4. In case of such a failure, the proposed reflex indicator algorithm ECS/A (cf. FIGS. 1 and 2) suggests a motion to either a pilot or an autopilot (e.g., a high-level real-time trajectory/path planner and tracker; cf. elements denotes MP and TT in FIGS. 1 and 2). This involves considering the available control volume of the vehicle, which covers all physical forces and torques applicable to the aircraft body using only the remaining actuators, computed using the available actuators, their physical capabilities and geometry of the aircraft (e.g. the location of the actuators on the aircraft). In FIG. 5 an example is shown, where the suggested motion belongs to the shaded region of the MAV's workspace in the instant of failure and at later times, and the thick arrow marked “indication to pilot” shows the suggested (new) direction of motion along the adapted trajectory (“chosen trajectory”) indicated to the pilot, e.g. visually or graphically by means of a suitable display. In case an autopilot is used, the reflex indicator allows the trajectory planner to choose a trajectory option with less effort for the vehicle in terms of performing a stable flight in case of actuator failures. “” denotes a (pre-planned) trajectory which can no longer be followed due to the actuator failure. If multiple trajectories are available, the optimal one is chosen. If only one possible trajectory exists, then a local deviation using potential fields is suggested.

(15) Consider now FIG. 6. If, for example, actuators 1 (a.sub.1) and 18 (a.sub.18) fail completely (e.g., due to a bird strike; marked “FAIL!” in FIG. 6) during a forward (cruise) flight, which are located at the front of the aircraft, then the MAV will pitch forward since it just has lost thrust/lift in the most forward position and therefore experiences a tilting moment in a forward down direction. Usually, flight control (control unit CU in FIGS. 1 and 2) would try to trigger actuators 16 (a.sub.16), 17 (a.sub.17), 2 (a.sub.2) and 3 (a.sub.3) (cf. FIG. 3), which are located adjacent to the failed actuators, to compensate for the loss of thrust from actuators 18 (a.sub.18) and 1 (a.sub.1), especially when, e.g., the cruise speed is being reduced by an autopilot or a pilot by tilting/pitching backwards, as a reaction to the actuator failures, for e.g. coming back to the hover condition. However, this can result in a so called “burning” (overloading) of these neighboring actuators (marked “Overloaded” in FIG. 6), which can eventually lead to losing these actuators as well. This could then lead to a catastrophic event.

(16) Instead, the proposed reflex indicator algorithm ECS/A (cf. FIGS. 1 and 2) calculates a new optimum direction of the next flight path/maneuver, which minimizes the effort on the remaining actuators and forwards this information either to a pilot (e.g., as a visualization on a screen, or a “keep forward velocity” and “down before up” wording) or to an autopilot. Either of these two then decides, calculates or choses a new trajectory based on the input information provided by the emergency system (the reflex indicator). In any case, this involves activating each of the remaining actuators below a predetermined (or pre-set) threshold of maximum physical load on a respective actuator and thus activating the ensemble of the remaining actuators in a way to prevent further damage to the actuator system.

(17) As another example, consider that the actuators 3, 6 and 9 of the MAV depicted in FIG. 3 fail. It should be noted that all these actuators are located on the right half-plane of the MAV (when looking from above). In case of this failure scenario, the MAV experiences a roll torque to the right (when looking from the rear) around the forward body axis. The overall system experiences a reduction in roll authority to its left side (when looking from above), which means that it is easier to roll the MAV to the right (in this case, the emergency indication for the pilot issued by the ECS/A could be “roll to right before left”). At the same time, it should be noted that the failed actuators all comprise clockwise rotating actuators/propellers. Hence in this failure case, the MAV experiences a yaw torque to the right (when looking from above). The overall system experiences a reduction in yaw authority to its left side (when looking from above), which means it is easier to yaw the MAV to the right (in this case, the emergency indication for the pilot issued by the ECS/A could be “yaw to right before left”). Without any loss of generalization, in case of an autopiloted MAV, this information is used for automatic re-planning of the flight trajectories (see, e.g., FIG. 5). Notice that the proposed algorithm computes these optimal directions automatically for any actuator failure combination, using the knowledge on the physical capacities of at least the remaining actuators and the geometry of the aerial vehicle (location of the actuators), physical and kinematics model of the aircraft and computed (and optionally also measured) actuator commands.

(18) Depending on the phase of flight (e.g., in cruise velocity) the aerodynamics forces and torques acting on the vehicle might impact on the optimal direction suggested to the human pilot or to the autopilot. This depends on the structural geometry and the aerodynamics of the MAV and can be taken into account by the ECS/A.

(19) FIG. 7 shows a flow chart of an embodiment of the method according to the invention as applied to an MAV (cf. FIGS. 1 and 3).

(20) The method starts with step S1. In step S2, the MAV follows a preplanned trajectory under control of control unit CU. In step S3, it is checked whether or not the MAV has reached its destination. If yes (y), the method ends with step S4. If not (n), then it is checked whether or not the MAV experiences any actuator failures in step S5. This is done in an actuator failure detection algorithm, which accepts an actuator health status (e.g., motor has failed or healthy) from each actuator (and optionally an actuator's current state, e.g., a current RPM value). Furthermore, it receives commanded actuator values computed by the control unit (CU). Moreover, together with using an external disturbance observer (that utilizes known dynamics equations of the system under consideration (e.g., the aircraft), computed actuator commands, known system parameters (e.g., mass, moment of inertia, aircraft geometry, which may be subject to some uncertainties) and available measurements/estimates of the system state, e.g., attitude, altitude, rotational velocities, and translational velocities (if available), this algorithm combines all of these inputs and outputs a probability value (between 0 and 1) for each actuator, where 0 indicates that the individual actuator has failed with 0% probability and 1 indicates that the individual actuator has failed with 100% probability. In case this probability value for any given actuator is higher than a heuristically set value, e.g. 50%, then an actuator failure is detected for this particular actuator. If no actuator failure is detected (n), the method returns to step S2. If yes (y), the method continues with step S6, which comprises determining (calculating) the impact of said failures on the overall aircraft behavior and then generating at least one emergency signal representative of an adapted flight trajectory with the remaining number of actuators, wherein said emergency signal is generated based on dynamics and kinematics of the overall aircraft system, on known physical capacities at least of the remaining actuators, and optionally on a computational performance model of the overall aircraft system. This comprises activating each of the remaining actuators below a predetermined threshold of maximum physical load on a respective actuator and activating the ensemble of remaining actuators in a way to prevent further damage to the actuator system. The required information and data for these decisions as used in step S6 is denoted D in FIG. 7. It may involve sensor measurement.

(21) Based on the outcome of step S6, based on the nature of the emergency signal it is checked in step S7 whether or not the aircraft is still operational. If not (n), an emergency procedure is performed in step S8 in order to land the aircraft immediately, and the method ends with step S9. If yes (y), it is checked in step S10, whether or not the aircraft still can reach its original destination (on the originally pre-planned trajectory) without overloading other actuators. If yes (y), the current mission is continued (step S11), and the method ends with step S12 (cf. step S4). If not (n), and if it is a piloted flight (yes (y) in step S10′), reflex indicator suggests an optimal direction to the pilot (using, e.g., verbal/audial/haptical/visual means, cf. FIG. 5) in step S10″, whereupon the method ends with step S10.sup.(3). If it is an autopiloted flight (no (n) in step S10′), there is a further check in step S13, whether or not more than one alternative trajectory is available. If not (n), a deviation from the original trajectory is suggested to the tracker TT (cf. FIGS. 1 and 2) using the computation via potential fields, and the aircraft automatically follows the one alternative trajectory (if suggested trajectory does not violate other safety relevant conditions decided by the tracker, e.g. static and/or dynamic obstacles or if aircraft overshoots its safe pre-defined trajectory bounds) in step S14, and the method ends with step S15. If yes (y), the aircraft automatically selects an alternative trajectory, which is closest to the original one but at the same time avoids overloading the remaining actuators, in step S16 (cf. FIG. 5), and the method ends with step S17.