Risk-sensitive motion planning for MAVs based on mission-related fault-tolerant analysis

ABSTRACT Multirotor Aerial Vehicles may be fault-tolerant by design when rotor-failure is possible to measure or identify, especially when a large number of rotors are used. For instance, an octocopter can be capable to complete some missions even when a double-rotor fault occurs during the execution. In this paper, we study how a rotor-failure reduces the vehicle control admissible set and its importance with respect to the selected mission, i.e. we perform mission-related fault-tolerant analysis. Furthermore, we propose a risk-sensitive motion-planning algorithm capable to take into account the risks during the planning stage by means of mission-related fault-tolerant analysis. We show that the proposed approach is much less conservative in terms of selected performance measures than a conservative risk planner that assumes that the considered fault will certainly occur during the mission execution. As expected, the proposed risk-sensitive motion planner is also readier for accepting failures during the mission execution than the risk-insensitive approach that assumes no failure will occur.


Introduction
Nowadays, there exist different design solutions for Multirotor Aerial Vehicle (MAV) from micro and mini MAVs to heavy MAVs with large endurance [1]. Due to characteristics such as small geometries, vertical takeoff and landing, low cost, simple construction, degrees of freedom, their inherent manoeuvrability, ability to perform tasks that are difficult for humans where the risks of injury are high, MAVs have become the most popular type of unmanned aerial vehicles.
Regardless of the structural design type, different faults on a MAV may occur. The fault can affect actuators, sensors, controller or can be of a structural nature. If a failure occurs, the mission execution may be stopped. To increase the likelihood of mission accomplishment, different redundancy can be implemented including redundancy in propulsion system as well. The paper [21] shows that it is possible to control all degrees of freedom of the octocopter except the yaw angle for any potential double-rotor-fault scenario (the yaw controllability is preserved even in 89% of those scenarios). In [22][23][24][25][26], the authors addressed possibility of preserving the controllability of a system for different rotor faults by increasing the number of rotors, or using a rotor with a possibility to tilt motors [27,28]. In [29,30], the authors have investigated a control strategy for a quadcopter in the case of losing a single, two opposing, or three propellers.
On the other hand, regardless of whether the configuration of a MAV is redundant, the control algorithm has a significant role in improving fault-tolerance of the MAV system. If a control algorithm is faultignorant, having redundant components does not necessary increase reliability of the MAV system or probability of completing the mission. The control algorithms that inherently posses a certain level of robustness with respect to possible failures increase reliability of the system. There is a large number of methods developed within the framework of fault-tolerant control including sliding mode control [31], adaptive faulttolerant control [32,33], control allocation method for MAVs [34,35], reconfigurable control [36], backstepping method [37], model predictive control [38], control based on linear quadratic regulator [39], fuzzy predictive control [40] and many others.
In this paper, we propose a novel motion planning algorithm which takes into account potential rotorfailures of the MAV during the planning stage, named here as risk-sensitive planner (RSP). The RSP planner is much more prepared for rotor-faults during the mission execution than the planner ignorant to those potential faults, named here as risk-insensitive planner (RIP). Additionally, the proposed planner is much less conservative comparing to the approach which plans the mission assuming the faults will certainly occur during the execution, named as risk-conservative planner (RCP). To do so, we propose a procedure for (i) finding a reduced fault-dependent control admissible region, (ii) replacing that region with a set of inequality constraints, (iii) carefully selecting some of the inequality constraints based on fault-tolerant analysis of the given mission, and (iv) forming the final optimization framework which includes the selected constraints.
The paper is organized as follows. The octocopter model is presented in Section 2 as an illustrative example of MAV systems. Section 3 includes a controllability test for extracting the fault-dependent control admissible set for any fault considered. An RLS-based faulttolerant tracking control is included in Section 4 to use a unique control framework for different planners and faults during the validation stage. Section 5 introduces the proposed risk-sensitive motion planner and provides a validation of the approach for a given mission. Section 6 concludes the paper.

MAV model
In order to achieve satisfactory control of a MAV and to eventually improve reliability of the mission execution during the planning stage as well, it is necessary to understand all stability-influential elements of its design. To that purpose, the octocopter model derived and analysed in [41] and [42] will be presented as a representative MAV example in order to easily deduce a generalized UAV model in the planar plane with a symmetrical configuration design consisting of 2n DC motors, where for n = {2, 3, 4} we have well-known MAV designs including quadcopter, hexacopter and octocopter, respectively.

Frames of reference and control inputs
The octocopter system with a PNPNPNPN configuration design, where P and N indicate clockwise (CW) and counter-clockwise (CCW) directions of rotation of a related DC motor, and its body and ground fixed frames are shown in Figure 1. Octocopter is constructed with eight DC motors accompanied by the propellers. Each motor with propeller is mounted on arm with length l. The adjacent arms are equally distant from each other by 45 • angles (360 • /n).
Two reference frames are used to derive the model, one for a local coordinate system {o} attached to the UAV and one representing a global coordinate system {g} fixed to the ground. For {g}, the ENU convention is used to represent the axes, meaning that the axes X B , Y B and Z B are pointing to the north, east and up, where x = [x y z] T  The MAV rotors together generate the total thrust force T and torques τ = [τ x τ y τ z ] acting around the axes of the local coordinate system. One can approximately calculate generated forces F i by using the expres- The system control input can be expressed as: where s represents the squared rotor velocity vector given as s = [ 2   1  2  2  2  3  2  4  2  5  2  6  2  7  2 8 ] T and A being the system actuation matrix defined as: Changing the rotor velocity of the motors in range 0 ≤ Ω i ≤ max , i = 1, . . . , 8, the different thrust force (T) and the torque (τ x , τ y and τ z ) about the x, y and z axes can be achieved.

Octopcopter kinematics and dynamics
The octocopter kinematic model of the linear motion along the X B , Y B and Z B axes of the global coordinate system asẋ,ẏ andż, respectively, can be represented aṡ where for the ZY X convention (which is used in this paper), the rotation matrix R(φ, θ, ψ) is defined as where c and s indicate cosine and sine functions. The octocopter kinematic model of the angular motion can be represented aṡ with the angular rotation matrix R −1 A being where t indicates tangens function. The dynamics of the octocopter linear motion can be described bẏ where m o represents the mass of the system, g is the gravitational acceleration and S is the skew-symmetric matrix The dynamics of the angular motion of the octocopter can be described bẏ where J = diag I xx I yy I zz represents the inertia tensor with components I xx , I yy and I zz determined by Huygens-Steiner theorem [44]. Equations (3)-(9) represent the kinematic and dynamic motion of any MAV with 2n DC motors mounted in a planar plane providing a parametrized model dependent on m o and J.

Model generalization
Equations (3)-(9) that describe the kinematic and dynamic motion of the octocopter can be used for any MAV with 2n (n ≥ 2) rotors in the planar plane with a symmetrical configuration, where the dimension of the activation matrix A is 4 × 2n and b, l and d depend on the selected MAV design parameters. For instance, in case of a quadcopter with PNPN configuration the actuation matrix is while for a hexacopter with PNPNPN and PPNNPN configurations, the related actuation matrices become · · · bl · cos 360 · k 2n 2n · · · −bl · sin 360 · k 2n 2n where k i = i − 1, i = 1, 2, . . . , 2n. This type of model is used in paper [41,42,45,46].

Simple PD tracking controller with control allocation
The task of the tracking controller is to ensure that a MAV follows the mission-related trajectory. In this section we briefly present the proportional-differential (PD) control scheme depicted in Figure 2, which is a classical control architecture [43,47] presented in more details in [45]. The controlled variables are the vehicle position x, y, z and its attitude , while the overall architecture includes xy, altitude, attitude and motor controllers as well as the control allocation and system dynamics consisted of the motor, actuation and MAV (e.g. octocopter) dynamics (see Figure 2).
The desired linear motion reference values along mission trajectory are applied to the xy controller, while the corresponding desired attitude and altitude reference values are handled by the related controllers. The outputs of these controllers form the desired values of the total force and torques to the control allocation algorithm to deal with the over-actuated system. This algorithm then distributes these desired values onto the desired velocity vector ref to provide speeds for each motor. For the purpose of this work, we use a pseudo-inverse control allocation [21,48]. The motor controller is used as a low-level controller to force the motor velocity vector to follow the reference values from ref .
To design a PD tracking controller, it is common practice to linearize the octocopter dynamics around the hover configuration By the linearization of the nonlinear system model presented in Section 2, one can obtaiṅ where R(Z, ψ e ) represents the rotation matrix around the z-axis. Substitution of (17) in (15) yields As it can be noticed from (20), altitude can be directly controlled with thrust T. If e z = z ref − z is now the altitude tracking error, the control law can be chosen as where z ref is the reference altitude, K pz is the proportional gain, K dz the derivative gain. In a similar manner, substitution of (18) in (16) yields It can be observed from (22) that the attitude can be directly controlled with torque vector τ . If now e = where ref is the reference attitude, K p is the proportional gain, K d the derivative gain. Clearly, all generalized forces are stand for attitude and altitude control. Therefore, in order to achieve tracking of the x and y position coordinates, we need a flat mapping between those positions and the altitude and attitude coordinates.
which can be rewritten as (25) From (19) and assuming that e = ref = const, the reference values of the roll φ ref and pitch θ ref become The attitude controller (23) needs the first and the second derivation of the roll and pitch reference values. By differentiating (26), we get Equations (25)-(28) represent the xy position controller and the flat mapping between (x, y) and (φ, θ). The proposed controller is able to track the reference The proposed architecture has been exploited in [45] to control the position and orientation of the octocopter.
It is necessary to emphasize that the reference trajectories of the x and y position coordinates must be at least four times differentiable, while trajectories for the altitude z and orientation ψ must have the first and the second derivation. These trajectories are provided by an adequate motion planning algorithm, while references for φ and θ orientation coordinates are provided as the output of the xy controller.
To illustrate the proposed control architecture for the position and orientation tracking, we can consider tracking the Vivian curve (octocopter with PPN-NPPNN configuration) in the three-dimensional space represented in Figure 3. One can observe a small-error tracking of the referent trajectory. It is important to note that the simulation was conducted with a healthy system, that is without any fault. For the case when the 3rd DC motor is in a fault state, it can be seen from Figures 4 and 5 that the presented control architecture fails to track the reference trajectory.

Analysis of fault-dependent MAV manoeuvrability
For the purpose of developing a motion planner and estimating the possibility of completing a pre-planned mission, it is necessary to determine whether the system is capable of generating necessary thrust and torques, to be able to reach the points generated by the   motion planner with available DC motors. As shown in Section 2.4, regardless whether the system has a redundant actuator or not, it is possible to have a case when the control algorithm is not able to track the referent trajectory (fault state caused by a failure occurred on one of the motors). This problem has been addressed in [21][22][23][24][25][26] for a MAV with a fixed rotor and classical configurations (quadcopter, hexacopter and octocopter). In addition, in [27] and [28], the controllability analysis has been considered for a MAV designed with a tilted rotor, while for non-classical (coaxial) octocopters the analysis has been given in [49]. In this paper, an empirical method is developed which can be used for any MAV configuration designed with different number of rotors and their directions of rotation.

Fault-dependent admissible set of thrust force and torques
To find the admissible set of thrust force and torques in control space, it is necessary to check whether the system can reach and stay in hovering point without any rotation. For illustration purposes, consider again an octocopter with the PNPNPNPN configuration. The relation between the control inputs u (the reference thrust force T and torques τ ) and the rotation velocity s of DC motors is given with u = A s (see Section 2), where the control vector u is represented by where s ∈ D s ⊂ R 8 and u ∈ D u ⊂ R 4 . The set D s is defined based on the velocity constraints of DC motors Knowing that the DC motor velocity is limited between 0 and ω max (30) and the mapping is defined by the linear relation u = A s , it means that the set D u represents a polytope in space R 4 . If velocities of all DC motors are equal to zero when all components of the control input are zero-valued, we get the first point in control space. If we now set the rotation velocity of the first DC motor to its maximum value, we get the second point in control space. The number of these combinations is 2 2n , where n is the number of DC motors. For the octocopter example, it is possible to construct one hyper-plane for each tuple (4 control components) of the total of 256 points. However, only those hyper-planes that form an outer region are of interest. In this way, one can construct a convex polytope-like admissible region in four-dimensional space. Since the obtained region is constructed in fourdimensional control space, we consider the case for τ z = 0 for illustration purposes. In this case, an orthogonal projection of the polytope of the set D u (with coordinates T, τ x and τ y ) is shown in Figure 6.   In order for the octocopter system to be stable at the hovering point, it is obvious that the thrust force should be T = mg. If the represented three-dimensional set from Figure 6 is projected onto the plane T = mg, then the projection is shown in Figure 7. It can be observed that the torques τ x and τ y have symmetric values and that they are linearly dependent, meaning that is not possible to simultaneously reach maximal values of the torques τ x and τ y . Consider now that the DC motor 1 is in a fault state. The projection of the torques τ x and τ y onto the plane T = mg is shown in Figure 8. In case of a double fault (DC motors 1 and 2), the projection of the torques onto the plane T = mg is shown in Figure 9.
It can be seen from Figure 8 and 9 that the admissible set for τ x and τ y is reduced with respect to a healthy system shown in Figure 7. Depending on the type and combination of faults occurred, some of the planned manoeuvers for stabilizing a hovering state will not be possible. The obtained admissible sets have been illustrated only to understand that each DC motor has a different effect on the generation of thrust T and the torques τ x , τ y and τ z .

Fault-dependent controllability test procedure
To understand whether an MAV is controllable (or at least stabilizable) in case of a single fault (or any multiple faults combination), we propose a testing procedure to check whether a hovering state is reachable or not. We say that a MAV is controllable with respect to a certain state in case there is a control input that moves the MAV to that state. In case the controller is not capable to influence yaw-torque, τ z we say it is stabilizable in that state. The latter means that the vehicle is capable to remain at the given position only by rotating around z-axes.
The task of the control allocation algorithm is to distribute DC motor velocities s to each motor in order to achieve the referent thrust force and torques for reaching a waypoint generated by a motion planner. For all MAVs for which n > 2, there is an infinite number of realization to achieve the same result in case a feasible solution exists. To check whether a feasible solution exists, we define the optimization problem to generate the optimal solution * s that minimizes the squareerror between the reference u ref and achieved control over the feasible control region (0 In case there is no solution to the optimization problem (31), the MAV is unstable. In case (31), with a feasible solution yielding zero-valued e p , the MAV is controllable. In case there is a feasible solution without zero-valued e p , we have two additional cases. If we allow  In case we get a zero-valued error, the MAV is stabilizable, although it will be rotating around z-axis. Otherwise, the system will be unstable. By checking whether the hovering point is reachable or not, we can understand if the MAV is capable for given mission regardless the faults occurred. In the following subsection, we thoroughly analyse controllability of different types of MAVs by examining different single and multiple faults.

Quadcopter
First, we consider quadcopter with DC motors without fault states. The quadcopter has the following parameters [42]:  Table 1. As it can be seen, the quadcopter cannot be fully controlled at the hovering point for any single failure. Such cases are indicated by red colour in Table 1. For example, in case of a failure occurred on the DC motor 1, quadcopter is stabilizable, but there is a constant rotation in the negative direction about the x-axis as well as intense rotation about the z-axis. The results obtained were expected and are in line with the state-of-the-art work. In [25], the authors have shown that the quadcopter does not have a redundant configuration and its controllability will be lost in case any of DC motors fails.

Hexacopter
In this subsection, we analyse two types of hexacopter with PNPNPN and PPNNPN rotation con-     Tables 3 and 4) and the cases where the hovering point is stabilizable but not controllable when the reference is used in the form u = T τ x τ y T = mg 0 0 T (right columns in Tables 3 and 4). Although the MAV may loose controlability, the latter case is important to be discovered since a safety landing can be performed which can protect the vehicle and its equipment from potential damage. From the results presented in Tables 3 and 4 related to the two different hexacopter orientation configurations, 80% of total double-fault cases lead to the loss of controllability (cases with at least one non-zero values in left columns), while 40% cases are unstable without possibility for a safe landing (cases with at least one non-zero values in right columns). This further means that the hexacopter will have a potential to continue the mission only in three cases (cases with all zero values in left columns) and to be safe in 60% (cases with all zero values in right columns). One can also conclude that the hexacopter is single-fault-tolerant, while it is quite  However, it possesses some safety robustness. Since the results are equal, there is no advantage for using any particular hexacopter configuration.

Octocopter
In this subsection we address two different orientation configurations, PNPNPNPN and PPNNPPNN, for different single and double faults. The octocopter has the following parameters [41]  The analysis of single-fault cases for both configurations is presented in Table 5, while for double-fault cases in Tables 6 and 7. It is evident that both octocopter configurations are fully insensitive with respect to single failures in terms of their potential to continue the mission execution. From the results presented in Table 6 related to PNPNPNPN configurations, 28% of total double-fault cases lead to the loss of controllability (cases with at least one non-zero value in left column), while there are no unstable cases without possibility for a safe landing. This means that this octocopter configuration will have a potential to continue the mission in 72% of cases (cases with all zero values in left columns) and to be safe in 100% (cases with all zero values in right columns). For the hexacopter PPNNPPNN configuration we have 14% of controllability loss, no unstable cases, 86% potential to continue mission and 100% safety (Table 7). This analysis shows that a careful selection of the octocopter configuration may additionally influence the MAV overall manoeuvrability and keep the MAV ready to execute the mission under variety of faulty states. For instance, when the probability of double fault is high, we can increase mission reliability by choosing PPNNPPNN configuration. However, the performed analysis can be generalized for any MAV   Triple or quadruple faults can be also analysed in the same way. However, the probability of such occurrence is much lower than for single or double faults, so they are not considered in this paper.

RLS-based fault-tolerant tracking control
In order to exploit the results of the fault-dependent MAV manoeuvrability analysis, presented in Section 3 and to provide a unique testbed for performance analysis of considered motion planners, a mechanism for failure detection and fault-tolerant tracking control is needed. In this section, we briefly describe the approach we previously presented in [45].

Fault-tolerant PD tracking control
To design fault-tolerant control, it is necessary to include information about faulty states of DC motors into the actuation matrix. Now we can rewrite the actuation matrix as: where θ = [ θ 1 θ 2 θ 3 θ 4 θ 5 θ 6 θ 7 θ 8 ] T represents the faulty states of DC motors. The coefficients 0 ≤ θ i ≤ 1 (i = 1, . . . , 8) represent the failure level of related DC motor, where θ = 1 represents fully available motor, θ = 0 failed motor while all values in between represent a partial loss of DC motor functionality. If we rewrite the actuation matrix as A = [ A T A 1 A 2 A 3 ] T , the components of the τ x , τ y and τ z vectors of the controllable control signals u can be represented as weighted scalar products in the form As we can see from (33), the control output can be represented by its four components that have a linear dependence. Based on these values, it is possible to estimate the parameter θ in a least-squares manner. For the estimation, it is necessary to know all parameters in (33). The basic requirement is that the values of the actuation matrix A are a priori known. For the detection and isolation of failures, we only use gyroscopic data for their inherent accuracy of measurement so that the first equality from (33) is not necessary, so the final prediction is If we have N measurements at time instances 1 to N, then for each sample i = 1, . . . , N, based on (34), we have the following model to predict the output where each regressor of output models is defined as Using the property that each tensor can be represented as a matrix using the skew-symmetric matrix S defined with (8), we can represent the inertia tensor J = diag I xx I yy I zz as a symmetric matrix. Now, we can rewrite (9) as We can now formulate the FDI technique for the propulsion system as an recursive least square (RLS) estimation problem of the rotor capacity vector θ in the following way: where the data matrix Ψ r has the form Now, by using a classical non-recursive least-square method [50], we can express the coefficientθ aŝ In this paper, we use the RLS method based on (40). It is necessary to emphasize that the proposed technique for the RLS problem has a linear configuration, while obtaining values for the vector rotor capacity comes from a MAV model, which is nonlinear (9). The proposed method applies to any type of MAV with 2n rotors mounted in a planar plane. The values for θ i (i = 1, . . . , 8) are not constant all the time. To apply the proposed technique to an MAV, the RLS with a forgetting factor is used. The values for θ i obtained by the proposed RLS algorithm are used as a feedback to update the actuation matrix. Note that θ and s represent vectors of the same size, so (32) can be rewrite as Furthermore, by introducing a new matrix B as B = Adiag(θ), we can calculate the velocity for all DC motors that can achieve the reference thrust and the torques as where B + = B T (BB T ) −1 .

Simulation results for fault-tolerant PD tracking control
In this subsection, we present the simulation results for the RLS-based technique for detection and isolation of DC motor failures on MAVs. We used a fault-tolerant PD tracking control system around the hovering configuration. To illustrate that the designed controller can handle a faulty state on MAV, we consider the case described in Section 2.4 (octocopter with the PPN-NPPNN configuration). In this case, we have a failure occurred on the 3rd motor at time t = 5 [s]. This case can be expressed by the rotor capacity vector θ = [ 1 1 0 1 1 1 1 1 ] T . It should be emphasized that the presented approach was tested for different classes of possible faults (different numbers of faulty rotors and different values of rotor capacity). For the purpose of the RLS algorithm (38), we need to determine 8 unknowns parameters θ i , so we need at least 8 equations. It follows, that the number of samples N must be at least N ≥ 8. However, to eliminate the impact of noise, it is advisable to use a larger number of equations, that is N 8. So, we set the forgetting factor to 0.8 in order to take into account the measurements from the previous 0.8 s to provide a sufficient number of samples for the RLS algorithm. Figures 10 and 11 depict the performance of the proposed RLS-based PD tracking controller with control allocation for a failure occurred on the 3rd motor at t = 5 [s]. Figure 12 shows that the relative capacity of each rotor is properly diagnosed.
From Figure 11, we can conclude that the presented RLS controller has an acceptable tracking performance (it is similar to the tracking performance for a healthy MAV). This can be attributed to the inherent fault-tolerability of the octocopter platform,  as can be expected based on the analysis of faultdependent manoeuvrability for octocopter provided in Section 3.3.3).

Motion planner algorithm based on mission-related fault-tolerant analysis
This section presents a novel motion planner for MAVs based on admissible set of thrust force and torque obtained through fault-dependent manoeuvrability analysis presented in Section 3.

Presentation of the admissible set of thrust force and torques with a set of inequality constraints
As shown in Section 3.1, the admissible set for thrust force and torques can be determined depending on the number of DC motors used, the orientation configuration and the states of DC motors (with or without faults). This admissible set has a convex polytope-like form in four-dimensional space.
Each of the outer sides of the polytope can be represented by its related hyper-plane based on the four points that form that side, that is aT + bτ x + cτ y + dτ z e, (43) where a, b, c, d and e are the slope coefficients of the individual axes. Since the polytope-like admissible set is composed of a large number of such hyper-planes, it can be represented as a set of inequalities that fully describes the admissible set of thrust force and torques for each specific MAV design. For instance, for an octocopter without failure, it turned out, the related polytope can be described by 617 inequalities. In case any of DC motor is in a fault state, the number of inequalities decreases, while in an extreme case when all DC motors are in failure modes, the admissible set is reduced to a single point at origin, hence the system is fully uncontrollable. The obtained inequalities can be further used in motion planning to generate a feasible trajectory that depends on the initial admissible set of thrust force and torques (or the resulting polytope). In the next subsection, we describe a novel motion planner named as risk-sensitive planner (RSP) based on a careful selection of some of the inequalities that describe the admissible set (only a few of them), where the selection process depends on the required mission.

Selected optimization framework for motion planning
In Section 2.4, it is shown that for the tracking reference trajectory the position coordinates x and y must be at least four times differentiable, and the heights z and orientations ψ are at least twice differentiable. References to φ and θ orientation coordinates are obtained as a consequence of the control of the x and y position coordinates. Accordingly, the height coordinates z and the orientation coordinates ψ behave as a double integrator, that isq = u, (44) and the x and y position coordinates can be approximated by a quadruple integrator ....
where q,q andq are the generalized coordinate, velocity and acceleration respectively, and q = [x y z ψ].
The minimization of acceleration (44) and snap (45) directly yields the minimization of the generalized forces which act on the system. This further results in the minimization of energy consumption while taking into account the constraints imposed on the trajectory. This consequently means that the battery consumption during the mission will be minimal. Detailed description of motion planning based on minimal acceleration and snap can be found in [51].
For this reason, motion planning problem can be described as a fixed finite-time optimization problem given as subject to q min q q maẋ q min q q maẍ q min q q max , (46) where the fixed finite-time represents the mission execution time T. The waypoints, as part of the given mission, through which the MAV is supposed to pass should also be included in the optimization framework as desired constraints. One way to include these constraints is to impose hard constraints into the optimization. To ensure that the planner can be risk-averse, if necessary, we need to allow the motion planner to be capable of generating trajectories that may deviate from the waypoints. In addition, the deviation from the waypoints can be also used as a performance measure for the given mission. To do so, we include these constraints into the objective function by penalizing large deviations from the given waypoints as subject to q min q q maẋ q min q q maẍ q min q q max (47) where weights 0 ≤ α i ≤ 1 are used for describing how important it is to pass through some of the waypoints q i during the mission execution. For the purpose of this work, we set α i = 1 for all i. Since (19), (20) and (22)) give the relation between T, τ x , τ y and τ z and q, it is now possible to include the inequalities (or some of them) that describe the fault-dependent admissible set into the optimization framework. This gives the final form of the optimization framework used for the proposed RSP motion planner: In order to take into account any possible failure during the motion planning stage, one can include all constraints related to the admissible set of that failure. In this paper, we call such a planner a risk-conservative planner (RCP). However, the RCP planner would be quite conservative, so in the following subsection we describe how to select some of the inequalities by carefully examination of the given mission to form the RSP planner. It should be noted that the decision on which failures and their related admissible sets to include should follow from the failure mode and effects analysis (FMEA) [21,52].

Risk-sensitive motion planner based on mission-related fault-tolerant analysis
In this subsection we describe how to take possible failures into account during the motion planning stage by means of their related admissible sets. By doing so, we aim to include the associated risk into the planner in order to increase reliability of the mission execution in terms of satisfactory performance. This will be done at the cost of a much smaller performance deterioration than in case when a RCP planner is used for which all constraints related to risk-dependent admissible sets are included. As expected, the planner will require a bit more time to complete the mission than the RIP planner.
When a fault occurs the MAV may be in a position and orientation such that the control allocation is capable to produce desired thrust force and torques for the remaining DC motors without any effect on the mission performance. Contrary, the MAV may be in such a position and orientation to significantly deteriorate the performance. The idea behind the proposed RSP motion planner is to carefully select a certain number of fault-dependent inequalities to retain the overall performance of a healthy system as much as possible. By doing so, the planner aims to minimally reduce the vehicle manoeuvrability (much less than in case of the RCP motion planner) in order to decrease those states in which the vehicle might significantly deteriorate the performance when any of selected fault occurs.
The overall steps for mission-related fault-tolerant analysis and for designing the proposed RSP motion planner can be summarized as follows: The presented design steps can be explained as follows. First, we perform the FMEA analysis in order to find the most critical failure mode that will be taken into account during the planning stage (step (a)). Second, we determined the minimum execution time for the RIP planner (step (b)). The minimum mission execution time represents a time for which the optimization framework still gives a feasible solution, that is, the solution which ensures passing through the waypoints. Since the proposed design steps can be conducted offline, that is before the mission execution, this minimum value can be easily found by incrementally decreasing the time and checking whether the related solution is feasible or not. Then, for all selected failure modes from step (a), we determine their minimum execution times (step (c)). In step (d), we select the worst-case (maximum time) from step (c) to be the mission time in order to ensure that all planners provide feasible solutions. This is also important for a fair comparison of all planners by means of the performance measured by deviation from the waypoints. Otherwise, some of the planners would be infeasible. In step (e), we first find the admissible sets for each failure mode and determine their related inequality sets. Then, we test the RIP motion planner, given the mission time from step (d), in order to find only those inequalities which are not possible to satisfy for the considered mission. To do so, we check the thrust force and the torques obtained by the RIP motion planner against the related admissible sets for each failure mode. In step (f), we form the final optimization framework by including a constraint set consisted of the inequalities extracted from step (e) and the admissible set for the healthy system.

Results for a given mission
The mission is defined in the form of Vivian curve as in proceeding sections. 21 points have been generated uniformly along the curve to define the waypoints. To test the quality of generated trajectories, we use two errors, for position e R and orientation e , as Case 1: For illustration purposes, we first consider only one single failure on DC motor 1 in order to take it into account in the motion planning stage (step (a)). In step (b) and (c) we determined the minimum times to get a feasible solution for the RIP motion planner, which is 16 [s], and for the RCP motion planner, which is 20 [s] (Table 8).
In accordance to step (d), we then choose the mission time to be 20 [s] for the next step. In accordance with step (e), for the thrust forces and torques obtained by the RIP planner, we find all inequalities from the fault-dependent admissible set which are not satisfied during the mission execution. For the considered example, in the case of the RIP planner, the obtained thrust force and torques violate only two inequalities (out of 440 that describe the admissible set of thrust force   and torques) in 111 cases related to 99 discrete positions along the mission curve (out of possible 210). By including only these two additional constraints into the final optimization (step (f)), we get the RSP planner. We have observed that the RSP planner has violated only one inequality constraint at only one position ( Table 9). The comparison of all three planners (RIP, RCP and RSP) for the maximum time obtained (step (d)), is given in Table 9. It can be seen that the RIP and RSP planners obtained similar performances, better than in case of the RCP approach. On the other side, the RIP planner violated the constraints in 51 positions (which might lead to a high deterioration of performance if the fault occurs), while the RSP violated only one inequality constraint at only one position. Case 2: Consider now a double-fault case (Motor 1 and 6). As expected, we can see from Table 10, that the RIP planner obtained the best performance. The RSP and RCP planner have similar performance, except that the RCP planner needs a bit more time (T = 26 s vs. T = 18 s) to complete the mission. This is due to a more restrictive set of inequality constraints included in the optimization for the RCP planner. However, in the case when the execution time is set to the maximum time (see Table 11) obtained from these planners (T = 26 s), the RIP planner has violated fault-dependent inequality constraints 80 times at 73 positions, while the RSP motion planner only 21 times at 21 positions. This indicates that the RSP motion planner is readier than the RIP planner in case this double fault occurs. Unlike the RIP motion planner, we note here that any higher multiple-faults will substantially decrease the manoeuvrability space for the RCP planner.  Case 3: In this case we address all possible single faults (8 for an octocopter). Table 12 shows the results obtained by the RIP, RCP and RSP planners. The RIP and RSP planners as well as different variants of the RCP planner related to different single-faults, that is RCP M i , i = 1, . . . , 8. The RCP M i planner takes into account only the admissible set related to the fault on the ith motor, meaning that the planner is conservatively prepared only for that fault. It should be noted that the RCP planner is not able to take all 8 single faults simultaneosly into account during the planning stage since the final admissible set would be an empty set. However, the RSP planner is capable to address all M i single faults simultaneously. As previously explained, this is possible since the RSP planner takes only a few inequality constraints for the admissible sets related to all M i faults, in order to form the optimization framework. For this reason, the RSP is capable to provide a feasible solution, unlike the RCP planner. One can observe from Table 12 that the RSP planner needs more time (T = 28 s) to complete the mission in a satisfactory manner. This is due to the fact that it is the only planner that takes all 8 single-faults into account. However, for the mission execution time set to the maximum T = 28 s, one can see from Table 13 that the number of violated inequalities related to all single-fault admissible sets (M i ) was significantly smaller for the RSP motion planner with respect to other planners. As expected, the RIP planner violated the largest number of those constraints which makes it unprepared for any single-fault occurrence during the mission executions. It is worth mentioning that the constraints of the admissible set M3 are violated in a huge number except by the RCP planner (RCP M3) that takes into account those constraints in the planning stage. This is probably due to the selected mission which requires such manoeuvers sensitive to those constraints. An additional interesting observation regarding the admissible sets M2 and M5 is that all planners have managed to satisfy all related constraints during the whole mission. Finally, as expected, all RCP planners, RCP M i , have satisfied all constraints related to their own admissible sets M i .

Conclusions
In order to understand how an unexpected rotor-fault may influence the considered MAV mission, we have provided a procedure for obtaining the reduced control admissible set and illustrated it with three most frequently used types of vehicles, quad-, hexa-, and octocopter for different combinations of rotor-faults. We have also briefly presented an RLS tracking controller used to handle every fault which might potentially occur during the mission execution in order to provide a unique testbed for performance analysis of considered motion planners. We have also shown how the reduced control admissible set can be described by a set of inequality constraints and which optimization framework can be appropriate to design the RSP planner. However, we have illustrated that only a subset from those constraints, which is directly related to the given mission, can be used within the optimization to get a less-restricted form of risk-averse motion planner than in case of a highly conservative approach (RCP). We have also devised steps to design such a risk-motion planner for any MAV.