ESA SP-606, January 2006) Objectives

ECSS-E60 CONTROL ENGINEERING STANDARDISATION

Joerg Flemmig(1), Alain Benoit(2), Jean Mignot(3), Philippe LAURENS(4)

(1)EADS Astrium, D-88039 Friedrichshafen, Germany, Email: [email protected] (2)ESA/ESTEC, NL-2200 AG Noordwijk, The Netherlands, Email: [email protected] (3)CNES, F-31401 Toulouse Cedex 4, France, Email: [email protected] (4)EADS Astrium, F-31402 Toulouse Cedex 4, France, Email: [email protected]

ABSTRACT/RESUME robotics, … down to a simple control e.g. of a motor current the ECSS-E60 standard does not include The ECSS-E60 "Control Engineering Standard" is the requirements for a specific application area. basic standard defining the top level requirements for The E60 document is the top level (level 2) document of control engineering for space applications. It has been a series of lower level (level 3) control engineering established by the corresponding ECSS-E60 working standards which are currently elaborated or planned in group with members of space agencies and space the future. Actually two new working groups have been industry and has been published in 2004. started in 2005 establishing the standards for Two new standards, the “Control Performance • “Control Performance Specification Standard” Specification Standard” (ECSS-E60-01), which is based (ECSS-E60-01) on the "ESA Pointing Error Handbook" (Dungate D. G., 1993, and the “Star Sensor Specification Standard” • “Star Sensor Specification Standard” (ECSS-E60-02), are currently established. The paper (ECSS-E60-02) also addresses the cooperation with the ESA internal control engineering standardisation. The “Control Performance Specification Standard” is based on the “ESA Pointing Error Handbook” which has been established in 1993 under ESA contract. It has 1. INTRODUCTION been decided by the E60 working group that the scope The ECSS-E60 "Control Engineering Standard" is the of this standard is enlarged with respect to the “ESA basic standard defining the top level requirement for Pointing Error Handbook”. The new “Control control engineering for space applications. This standard Performance Specification Standard” will define the is part of the engineering standards framework (E10 … basic mathematical framework for control performance E70). The standard has been established by the specifications (not only pointing). Other areas shall also corresponding ECSS-E60 working group which has be covered like requirements for transient behaviour and members of space agencies and space industry. The frequency domain. This work is also co-ordinated with ECSS-E60 standard has been established from 2001 to the E10 system engineering working group in order to 2003 and was published after public review in ensure the coherency to system level performance September 2004. The term “control” means in the specifications. context of this standard the involvement of a feedback The “Star Sensor Specification Standard” is based on loop. However, control engineering can also include a the preparatory work which has been carried out by the higher level logic or planning algorithms and not only ESA and Analyticon. Based on this preparatory work, the pure control algorithms in the sense of classical this new standard will be elaborated according to ECSS control theory. rules and in a way which is compatible to the ECSS-E60 The ECSS-E60 standard defines the basic principles of top level document. control engineering, the related terminology and the typical tasks per development phase and specifies a set THE ECSS-E60 - CONTROL ENGINEERING of requirements which have to be applied during a STANDARD control development. The standard describes “what” has to be done and not “how”. The standard does therefore 1.1. The General Control Structure and not contain quantitative or implementation requirements. Terminology Due to the potential variety of application areas and The controlled system is defined as the control relevant complexity ranging from complex control systems for part of a system to achieve the specified control S/C attitude and orbit control, launchers, rovers,

Proceedings of the 6th International ESA Conference on Guidance, Navigation and Control Systems, Loutraki, Greece, 17-20 October 2005 (ESA SP-606, January 2006) objectives. It includes the control system (consisting of • a pointing system all relevant functional behaviour of controllers, sensors • and actuators) and the controlled plant. a robot arm system, a rover • To illustrate and delineate the scope of the ECSS-E60 an automated payload or laboratory facility "Control Engineering Standard", Fig. 1 shows a general • a launcher control structure. This fundamental diagram introduces the following basic concepts and definitions: • any other technical system involving control Control engineering always concerns some kind of The users of the controlled plant pursue very specific feedback loop. There is a physical system whose goals. At the most abstract level, they are called control intrinsic behaviour and output do not meet the objectives. The purpose is to have a control system expectations without being modified and shaped which gives the controlled plant a specified control (improved in the sense of some well-defined objectives). performance, despite its interaction with its This is called the controlled plant. For space environment. applications, the controlled plant can be: To do this, suitable devices are used: actuators which • a satellite (e.g. w.r.t. its attitude and orbit, or w.r.t. its can convert control commands into physical effects temperatures in the case of active thermal control) or (such as a motor driving a pointing system through a a cluster of satellites gearbox upon a current command), and sensors which measure states of the controlled plant and provide • a spacecraft during re-entry and landing, or during control feedback to the controller. rendezvous and docking

Interaction with Controlled Environment System

Control Objectives Control Control Commands Performance Controller Actuators

Controlled Control Plant Feedback Sensors

Control System

Figure 1: General Control Structure

Besides this primary flow of information which forms a Control objectives (as the reference input to the classical feedback loop, the dashed arrows in Fig. 1 also controller) can range from very low level commands show some secondary flow of information or physical (such as set points to a simple servo control loop) to reaction. With more complex plants, sensors and high level mission goals (such as soft landing on the actuators can be quite complex systems of their own surface of Mars). In the latter case, the actual controller with additional cross-coupling of information, e.g. consists of many layers of (usually hierarchically control commands can modify the configuration or decomposed and refined) control functions and the parameters of a sensor or actuators can produce direct corresponding sensors, actuators and the controlled feedback to the controller. The dynamics of the plants (which can be suitable abstractions of lower level controlled plant can have a relevant physical effect on control loops). In the reverse direction there can be the sensors and actuators, and the operation of the information (such as status) returned from the controller sensors can feed back onto the controlled plant. to a higher level system. Consequently, the control performance can also range • nominal and backup control (e.g. exception from very elementary behaviour (such as the speed of a handling, failure detection, and isolation and motor) to complex high level concepts. recovery) With this in mind, the controller can range from This notion of controller is a general concept which, something very confined and simple (such as an among others, enables a quite natural definition of the analogue on-off logic) to a highly complex system of its various degrees of autonomy or “intelligence” which can own right. In the most general case, the controller is be given to a controlled system. The allocation of considered to include: control functions to hardware vs. software vs. human operations, space vs. ground, planning vs. execution • (digital or analogue electronics) hardware, software (which are essentially independent “dimensions” in and human operation implementation) for a particular phase (or mode) of a • elements in the space segment and in the ground mission are based on a judicious trade-off considering segment (if essential control loops are closed via aspects like for example predictability of the situation ground) (availability of reliable models), specified reaction time, available on-board computer resources, available tele- • aspects of planning (quasi “off-line” preparation of communications coverage and bandwidth, decision- the commands to give in the future) and of execution making complexity, cost of development and operations, of these commands (“on-line” in the sense of the and acceptable risk. update frequency of the control loop) A typical example of a controller internal structure is shown in Fig. 2.

Desired Control Reference State Control Objectives State Determination of Derivation of Commands Current/Future Control Desired State Commands

Guidance Function Control Function Estimated State

Determination of Navigation Function Current/Future Estimated State

Measured Controller State

Control Feedback

Figure 2: Controller Internal Structure

• sensors, actuators, controller 1.2. Control Engineering Terminology • state (reference, desired, measured, estimated) One important item of the "Control Engineering Standard" is the definition of consistent terminology. • control mode, control mode transitions This terminology is used throughout the standard • mathematical model, simulation model (keywords in italic) such that the reader can easily refer to the definitions. Examples are (see Fig. 1 and 2): • stability, robustness, autonomy • control system, controlled plant, controlled system 1.3. Control Engineering Activities tutorial form, and introducing a set of reference examples used for illustration of the concepts and In the main part of the ECSS-E60 "Control Engineering rules established in the frame of the standard Standard" the control engineering process is described which has to be used to design and verify/validate a • definition of performances terms for general systems space control system. The main engineering activities (controlled or uncontrolled), extending the concepts are defined and characterised by their inputs, the tasks to introduced in the “Pointing Error Handbook”: be performed, outputs (including documents), separation functions, error indices with milestones, and relationship to the project phases. For corresponding physical properties (bias, drift, the definition of tasks the ECSS-E60 "Control stability over a time frame), and definition of Engineering Standard" follows the engineering specific terms for closed-loop systems (disturbance categories used in the "System Engineering Standard" rejection, tracking performance, response time, (E10), as there are: control stability margins) • integration and control • definition of specific terms for pointing performances, as a special subset of controlled • requirements analysis systems with “vector type” outputs • design and configuration • rules and guidelines to establish a performance • analysis budget (including breakdown, summation and statistic approaches, margin philosophy) • verification and validation • rules and guidelines for performances requirement The required engineering activities are formulated as breakdown and specifications requirements ("… shall be done …"). In addition there are "notes" which contains a lot of explaining text. Special emphasis will be placed on the correct mathematical definition of signals and signal errors. This will also be done for different domains (e.g. time 1.4. Control Engineering Documentation domain/frequency domain, transient/steady state In the annex of the ECSS-E60 standard the required behaviour). documentation is defined. There are 5 documents which are defined to be under the responsibility of control 2.1. Performance Indicators engineering: The performance indicators for a given control system • Control System Design Report are defined based on a generalised concept of • Control Algorithms Specification “separation function” S(t), which quantifies the difference between the actual system states and the • Controlled System Analysis Report desired ones. This separation can be a simple scalar difference, a distance, an angle, or any other type of • Controlled System Verification Plan separation according to the nature of the physical system • Controlled System Verification Report under investigation. For these documents "Documents Requirements A set of indicators operates on this separation function Definitions" (DRDs) have been established which in time domain. These indicators were generalised from specify the typical contents. the ones defined in the Pointing Error Handbook to be applicable to any other kind of controlled systems. They may apply as well on measurement performances as on 2. ECSS-E60-01 - CONTROL PERFORMANCE actual performances. For example: SPECIFICATION STANDARD • the APE (Absolute Performance Error) is defined as The working group for elaboration of the "Control the instantaneous value of the performance error at Performance Specification Standard" has been kicked any given time (Eq. 1) off in beginning of 2005. This new standard is based on the "ESA Pointing Error Handbook" from 1993. The APE (t) = S (t) (1) scope of this new standard however is enlarged to deal P with performance issues for general systems (not only where Sp(t) is the performance separation function. pointing performance): • The MME (Mean Measurement Error) is defined as • general outline and description on control the mean value of the performance error over a performances activities for a project, presented in specified time interval of duration ∆t (Eq. 2): 1 according to the current phase of a project). The MPE ()∆t = S ()t dt (2) ∆ ∫ M logic must be built according to the current case, in t ∆t agreement with the customer.

where Sm(t) is the measurement separation function. • Identifying and classifying contributing errors. The assumptions concerning these error sources (models, A constraint considered by the standardisation group numerical values, uncertainties, statistical properties was to keep as close as possible to the original such as probability distribution functions, PDFs...) definitions established in the "ESA Pointing Error must be listed and justified. These data can come Handbook", not to throw the users into confusion. Only from different origins for example sensor minor changes were introduced, mainly for manufacturer, system assumptions, lower level simplification and to avoid ambiguous interpretation. performance analyses, customer specification. Of For example the MPE is no longer defined using the course they may evolve according to the current “median value”, which was unusual and rather project phase. Their sources shall be clearly confusing, but the “mean value”. identified.

2.2. Capturing the Requirements using the • Obtaining the error contributions from the error Performance Indicators sources. Each error source is processed using a mathematical approach, simulation, experimental The types of performance requirements which may be results.... in order to get the corresponding needed for a general system fall into three general performance error contribution. For example the classes: contribution coming from a sensor noise can be • Accuracy: constraints upon the absolute value of a assessed by examining the Power Spectral Density separation function, either instantaneously or over (PSD) transmission through the closed-loop transfer some time interval. Such requirements may be set on functions (for a linear system). instantaneous accuracy (measured by APE) or the • Assigning PDFs to individual error contributions. average accuracy over some period (MPE). Each individual error contribution shall be • Stability: constraints upon the time variation of a categorized according to its temporal behaviour, and separation function over some timescale. Such the associated PDF shall be obtained applying the requirements may be set on the deviation from mean appropriate methods described in the informative over some interval (measured by the Relative appendices of the standard. Performance Error, RPE) or on the drift over some • Combining error contributions, according to one of interval (measured by the Performance Drift Error, the statistical rules described in the standard PDE). document, if required by and discussed with the customer. • Reproducibility: constraints upon the degree to which the behaviour of a separation function will • Assessing requirement compliance using the repeat itself under similar circumstances. combined overall error. Requirements on reproducibility are generally given in terms of the Performance Reproducibility Error, This section of the new standard is probably the most PRE). challenging. These questions of statistic properties, combination, summation rules were addressed by the The discussion here has been given in terms of perfor- Pointing Error Handbook but not in a very satisfactory mance indices (APE …), however the generalisation to manner. As a matter of a fact, they are seldom applied in measurement indices (AME …) is straightforward. practice and need improvement. Nevertheless this is quite a complex issue, currently being investigated by 2.3. Management of a Performance Budget the standardisation group. Working out a performance budget requires clear rules 2.4. Elements of Performance Specification for to be followed, in terms of Closed-Loop Controlled Systems • Methods of assessing compliance; the overall In practice for space applications the systems involving verification process can include budgets, simulation closed-loop control represent an important subset for campaigns, test campaigns, analytical approach, which performance indicators have to be defined. For flight experience. There is no general rule stating such architectures it is not always sufficient to specify which is best suited to a particular case (in addition, (and to verify) the performance in terms of output the method of assessing compliance can be different signals only; the internal behaviour of the system can performance budget have to be very carefully also have to be inspected. described, justified and if possible illustrated. As an example, one of the most common requirements • The applicability of the standard requires taking into set for such systems concerns the stability margins (such account the practical constraints on real projects. It as gain and phase margins for linear SISO feedback may be necessary to prefer pragmatic, simplified loops). This can be considered as a performance approaches rather than more technically rigorous requirement, although not directly related to the nature ones which may induce excessive complexity for a of the output signals. Such margins are very commonly limited added value for the customer as well as for specified by customers to suppliers to ensure that the the study team. Nevertheless the simplified methods controlled system is able to operate properly in the – if any – must remain sufficiently accurate to presence of uncertainties in the plant model or in the produce acceptable results. Setting up performance environment. budgets is a good example of such domains requiring pragmatism. This standard identifies and defines the main features describing the intrinsic behaviour of a closed-loop • There is a project “performance tree” ranging from controlled system, which are commonly subject to the lower level (equipment) to the higher one specification, and which have to be analysed and (system). The whole error budget philosophy and the verified by the control study team. relevant concepts, definitions and methods can be It is not intended by the standardisation group to extend used at any of these different levels. There is a need the scope to the technical domain of control design and to ensure consistency at all levels. In particular the analysis (synthesis techniques, advanced analysis relation between control engineering standards and methods etc.). This standard cannot synthesise nor system engineering standards must be carefully substitute for the huge literature available in this examined. As a consequence a liaison to the system domain. The purpose here is to review the elements that engineering working group (E10) has been specify the design, and clearly not to deal with the established to ensure the coherency with the system design process itself. engineering standard (see chapter 4). • • Definition and specification of stability, stability One of the main inputs for the working group is the margins and robustness. With the emergence of “ESA Pointing Error Handbook”, which indeed is a techniques making it possible to design complex handbook and not a standard. An appropriate MIMO controllers there is a need for guidelines to balance between normative, informative and issue appropriate specification inputs for these handbook sections shall have to be found for the new properties. standard. The "Control Performance Specification Standard" is • Definition of time and frequency domain currently in drafting (September 2005) with some major performance indicators of specific interest for sections already completed. The public review is closed-loop controlled systems (such as overshoot, foreseen for 2006. response time, raising time, bandwidth, disturbance rejection etc.). 3. ECSS-E60-02 - STAR SENSOR There are some challenges raised by this standard, SPECIFICATION STANDARD mainly due to the fact that it intends to deal with a domain where detailed technical know-how is of major The working group for elaboration of the "Star Sensor importance. The right balance must be found between Specification Standard" has been kicked off in the normative dimension of the standard (which will beginning of 2005. This new standard is based on the impose definitions, methods and process to compute and work which has been performed by Analyticon under build up performance budgets) and the necessary ESA contract and which has been completed in 2002. degrees of freedom that must be granted to the control The main objectives of this new standard are: study teams to get their results by the most appropriate way according to their own know-how and experience. • definition of star sensor capabilities Among these challenges the following ones are • identified: classification of star sensors, based on the sensor capabilities. Difference between different sensors is • Its wide scope needs clear statements, definitions detailed by the description of added functions in and rules. Being not restricted to the special class of more and more elaborated sensors “pointing system”, general error indices and the way to handle and combine them in the frame of • definition of star sensor component parts. These The ECSS-60-02 document will be the basis for new definitions are detailing the functions of all sensor star sensor specifications. The working group pays parts: optical head, baffle, electronic unit… specific attention to provide a document in respect with ECSS recommendation for specifications. However a • definition of output parameters to support the particular effort is done to give technical information in capabilities order to use the specification in the proper way. • detailed derivation of performance metrics to be The purpose of the last part of the document is to define used for specification and the corresponding performance parameters and associated metrics verification methods including verification methods. An example The characterisation of the performance is done using specification is also given. the formalism of separation function introduced by the This new standard is facing up to the fact that star “Control Performance Specification Standard”. sensors are used since many years with a specific However the standard proposes rules for translation terminology for errors characterisation. The extensive between this formulation and traditional metrics used by use of the standardised terminology proposed by ECSS suppliers. concerning pointing error characterisation (MME, Finally annexes to the document are addressing the RME…) is performed all along the specification general rules for error specification and conventions standard. An example of specification using this used for quaternion notations in most of star sensors. terminology is given for each item of the standard. In a specific annex, a correspondence table will be The content of the initial document is modified provided which summarizes the result of the detailed considering the objective to produce a standard analysis performed to compare the two different rules. specification and then all purely informative notions from the main document are moved as non-normative Examples are given in Tab. 1: information into annexes. The purpose is to have a real Typical Name in specification standard that could be customized by the Error Contributors Name Standard user to produce a product specification. Annexes will be useful for common understanding of the content by the Misalignment: - initial supplier and the customer. Bias MME - after ground calibration The working group is still reviewing the whole draft - launch induced document and is ready to propose an updated version Orbital or long Relativistic error MDE including remarks from star sensor suppliers, users in term error charge of AOCS development or responsible for Noise NEA RME procurement. (several effects) An important effort had been carried out by the ECSS FOV Spatial Errors Medium/ long MDE Secretary to propose modifications in order to have a (several effects) term error draft document compliant with ECSS rules. Different star sensor types and components are described as well Table 1: Error Correspondence Table as conventions used for frames definitions. Abbreviations in Tab. 1: The working group is proposing a detailed terminology • MME - Mean Measurement Error concerning star sensor characteristics based on an agreement after rewriting and detailed discussion of the • MDE - Mean Drift Error document. Each working group member has the • responsibility of review of a part of the document. The RME - Relative Measurement synthesis is proposed by the convenor and discussed • NEA - Noise Equivalent Angle during working session. • FOV - Field of View The content of the document is still under construction however the first version is largely used and the two first The two working groups E60-01 and E60-02 are closely parts of the document concerning general definitions coordinated in order to produce compatible and terms is not subject to major changes. The user will requirements definitions. find in these sections the usual vocabulary of star Finally this standard will be available for public review sensors approved by users and providers. in 2006. 4. LIAISON WITH SYTEM ENGINIEERING There is normally a part of the plant including the STANDARDS (E10) payload (G2) which is not inside the control loop and which introduces additional errors (e.g. thermal During the establishment of the "Control Performance distortions, deformations arising from vibrations, Specification Standard" cooperation with the E10 payload internal effects) leading to the system system engineering standardisation group has been performance, e.g. the line of sight of the payload. established to harmonise the performance metrics definitions. One important item is the separation For some of these additional plant errors, which are not between control performance and system performance measured by the control system, there might be which leads to the definitions shown in Fig. 3. additional sensors which provide further information for the knowledge of the system performance. This Fig. 3 shows a typical situation for a satellite where the normally requires processing of these additional plant AOCS can control the attitude up to the point where the sensors in combination with the information supplied by AOCS sensors are measuring the attitude (G ). 1 the controller (control knowledge).

Interaction with Controlled Environment System

Control Reference Control System Commands Performance Controller Actuators G1 G2 Control Knowledge Control Perfor- Control mance Feedback Sensors

Control System Controlled Plant

System Knowledge Additional Processing Sensors

Figure 3: Control and System Level Performance Definition

5. COOPERATION WITH ESA CONTROL The Control Engineering Standards Board (CESB) is the ENGINEERING STANDARDISATION youngest of the standards Sub-Boards. It follows closely BOARD (CESB) the development of ECSS-E60 control engineering standards. The CESB is currently supporting the In ESA, the responsibility for the reduction in the space development of the "Control Performance Specification engineering risk and the support of space missions falls Standard" and the "Star Sensors Specification upon the ESA Standardisation Steering Board. Below Standard". this board the Engineering Standards Board (ESB) co- ordinates the ESA engineering standardization in the following domains: Systems Engineering, Electrical and 6. ECSS-E60 OUTLOOK AND FUTURE Electronics Engineering, Mechanical Engineering, The ECSS-E60 control engineering standardisation is a Software Engineering, Telemetry and Data Handling, complete framework of a set of standards of which the Control Engineering, and Ground Systems & ECSS-E60 is the top level (ECSS level 2) document. Operations. The overview on this framework is shown in Fig. 4.

E60 Standard (Level 2) General Control Engineering Rules

Level 3 WG’s: Level 3 WG’s: Level 3 WG’s: Dynamics and Sensor and Special Control Actuators Applications

• Control • Star Sensor • AOCS/GNC Performance Specification Spec. Standard Standard • Control Methods • Gyros • Launchers - control design • Sun Sensors - special analyses (e.g. stability, ...) • Wheels • Robotics

Figure 4: E60 Control Standards Framework

After completion of the work of the currently active working groups and the publications of the “Control Performance Specification Standard” (ECSS-E60-01) and the “Star Sensor Specification Standard” (ECSS- E60-02) it is foreseen to establish further standards. This mainly depends on the interest of the community. This could be in the area of control design and analysis methods, sensors and actuators and special application areas.

7. ACKNOWLEDGEMENTS Acknowledgement and thanks is given to the support, advice and comments provided in the preparation of the standards by the E60 working group members from ESA, CNES, and a large number of industry representatives. Special thanks for the support and the preparatory work is given to the ESA Control Systems Division.

8. KEYWORDS Control engineering standard, control engineering process, control engineering terminology, control performance, star tracker performance

9. REFERENCES Dungate D. G., ESA Pointing Error Handbook, ESA Handbook, 1993.