Fully Safe Rendezvous Strategy in Cis-Lunar Space: Passive and Active Collision Avoidance

The future assembly of the Lunar Orbital Platform Gateway, on a near 9:2 resonant Rectilinear Halo Orbit, requires the necessity of designing safe and reliable strategies to perform rendezvous and docking with the station. The paper describes and tests a strategy to guarantee the safety of an entire rendezvous manoeuvre in the proximity of the Moon L2 Lagrangian point with respect to a specific set of failures. The safety in the far range is guaranteed through the automatic allocation of selected hold-points, whereas during close range rendezvous the safety is actively guaranteed in the presence of selected failures. The main goal of the paper is to contribute to the very limited literature about autonomous design of the guidance for rendezvous in presence of a non negligible third body influence, where safety considerations are paramount. The proposed approach is based on the exploitation of the manifold theory used in the circular restricted three body problem model to guarantee the passive safety in the far-range section, and on an optimal and reliable active collision avoidance manoeuvre to guarantee the safety for the close range approach.


Introduction
NASA is planning to assemble an orbiting space station in the trans-lunar space under the ambitious ARTEMIS project, in cooperation with several international agencies, and with private enterprises within the current decade. According to the latest information, the station will be located on a 9:2 resonant Near Rectilinear Halo Orbit (NRHO) around the Lagrangian Point L 2 of the Earth-Moon system. The station will be assembled step by step and a series of missions will be required to perform rendezvous and docking for the actual construction, as well as for connecting Earth and Moon, once operational. In the literature [1,2] the rendezvous trajectory is usually designed around a series of hold points (HP) to allow the chaser to stop and check the status of the manoeuvre. The selection of such sequence of way points is based on different criteria, but it is usually obtained, during mission design, as a compromise between communication, energy, safety, and other mission requirements [3,4]. Assuming the manoeuvre is to be fully automated, the paper proposes an algorithm to automatically allocate the HP sequence, to guarantee the safety of the mission and fuel saving. The definition of safety and of safety constraints used in the paper is taken from the document released by ESA in 2019 that standardises the vocabulary and the constraints that must be satisfied to approach the orbiting station [5]. Safety issues have been studied in the past, primarily with reference to Keplerian rendezvous and in Earth orbit. An interesting approach, based on linear model and optimization can be found in [6]. The safety aspect in the dynamic environment described in the paper, is however not sufficiently examined in the current literature, except perhaps in [1].
The proposed approach will consider how the allocation sequence will mitigate safety (both in the far range as well as in the near range) following a set of assumed failures from nominal conditions. The article is structured as follows: Sect. 2 presents the mission scenario used for this study, the relevant reference frames, and the mathematical background. Section 3 defines the concepts of safety, the allocation algorithm, and the failures considered as critical for safety. Sections 4 and 5 describe the results of the simulated tests, followed by the conclusions.

Scenario Definition
This section describes the reference scenario used in the rest of the paper. The significant reference frames are reviewed, together with the relative motion dynamics models.
The mission scenario consists of a foreseen automated rendezvous mission between an active chaser leaving the Moon,to rendezvous with the Gateway orbiting a NRHO. The NRHO orbit properties, shown in Fig. 1, are given and can be found in [4,7,8], for instance. It has a period of about seven days with 70,000 km as the largest distance from our satellite. The final approach is performed via a series of way points, also called hold points. At each hold point the chaser will stop relatively to the target and decide whether to abort the current rendezvous, or to continue the mission.
As mentioned earlier, the hold point relative distance and number are initially set by the mission design, only to be modified if necessary. The number of hold points may vary according to mission specifications. Based on earlier work [8], the number is selected to be five labelled HP0 to HP4. Some hold points are located outside specified safety surfaces (defined later on in the paper), for which the transfer is done in an open-loop fashion and the safety is passively guaranteed. For the hold points inside the safety boundaries, the approach is in closed loop and the safety is actively guaranteed by a collision avoidance algorithm part of the guidance and control closed loop system. A possible graphical representation of the HP sequence is shown in Fig. 2, where the v-bar is the horizontal axis and r-bar the vertical axis

Reference Systems and Equations of Relative Motion
The key reference frames used in the description of the relative motion are recalled next. They are based on the assumption that the motion of the spacecraft is subjected to the gravitational attraction of both Earth and Moon, and follows the standard definitions in the literature [7,9]. The selected inertial frame is centered at the primaries common center of mass C, with the K̂ unit vector normal to the plane where the primaries revolve, and with the other unit vectors spanning the primaries rotating plane (according to the right-handed rule). The most commonly used non inertial frames are the Synodic and Local Vertical Local Horizon (LVLH) frames depicted in Fig. 3.
The Synodic frame is useful to describe a spacecraft motion in a system with two main primary bodies. The center of the frame is the Moon for convenience. The î unit vector is directed towards the Earth, the ĵ unit vector is perpendicular on the plane of motion, and k̂ completes the right-handed frame.
Rendezvous trajectories, in particular during the terminal phase, are usually described in a target-centered frame called LVLH. This frame is useful to simplify the analysis of the relative motion with respect to the chaser and the definition of boundaries for the trajectory. The LVLH frame unit vectors are defined as follows: -̂ = − it ∕|| it || with it being the position of the target with respect to the primary M i it is orbiting, which in our case is the Moon. This vector is also referred to as R-bar. -̂ = − it ∕|| it || perpendicular to the target's orbital plane, with it = it ×̇r it being the target angular momentum with respect to the primary it is orbiting. This vector is also referred to as H-bar. -̂ =̂ ×̂ completes the coordinate system according to the right hand rule. This vector is also referred to as V-bar.
Note that the reference to R-bar, H-bar, and V-bar is not formally correct here (it refers to Keplerian motion), but it is commonly used in the guidance community.

Restricted Three-Body Problem
The location of the target orbit and the mission scenario require the use on non Keplerian dynamics, in particular the 3-body problem. The physics of the problem are well known, and the reader can refer to [10][11][12][13], for details. The spacecraft motion variables in the 3-Body Problem are shown schematically in Fig. 4 on the left, with 2 primary bodies (with masses M 1 and M 2 ) and a spacecraft (with mass m). Due to the configuration, since the mass m of the spacecraft is negligible with respect to the primaries' masses M 1 and M 2 , m << M 1 and m << M 2 , the dynamics can be further simplified to yield the known restricted 3-Body Problem.
Under this common assumption the motion of the two primaries is independent of the spacecraft gravitational pull. If the two primaries are placed in an elliptical orbit around their common centre of mass the motion becomes the Elliptic Restricted 3-Body Problem (ER3BP), if the primaries follow circular orbits the motion becomes the the Circular Restricted 3-Body Problem (CR3BP). The complete set of equations for the restricted three body problem can be found in the standard literature, see [14], and [13] for instance, and will not be repeated here.
The equations of relative motion, following the derivation in [7], in the LVLH frame and in nondimensional units are given in Eq. (1): where , r , and r em are defined in Fig. 4, is the Earth-Moon mass parameter, ̇| |L and ̈| |L are the relative velocity and acceleration as seen in the LVLH frame, whereas l∕i and ̇l ∕i | |L are the angular velocity and angular acceleration of the LVLH frame with respect to an inertial reference frame I. (1)

Rendezvous Approach
The mission scenario described earlier refers to a rendezvous mission unlike what has been performed in the past, and what is currently performed with the international space station (ISS). For clarity's sake, the current approaches to the ISS is briefly reviewed, then the safety boundaries of interest will be specified. The way in which the HP are located is usually standardised as in the ISS approaches shown in Fig. 5.
In the case of relative motion under third body perturbation, the allocation also needs to guarantee safety, and this process is still under study and obviously never flight tested.
Prior to the construction of a safe trajectory, some safety envelopes are established and then define formally the safety concepts. In this work three safety areas are used (also named spheres or zones) shown in Fig. 6 and given by: -Rendezvous Sphere (RS): a sphere of radius 10km around the target. Outside of this perimeter the safety of the manoeuvre must be passively guaranteed.  -Keep Out Zone (KOZ): a sphere of 1 km around the target that should be avoided to consider the trajectory safe. Of course, at some point such KOZ will be entered to complete the rendezvous, so that at least the last HP will be inside of it. -Safety Boundary (SB): a smaller sphere of 100 meters around the target, based on the physical dimensions of the two vehicles. The chaser must enter the SB in a closed loop controlled way, in order to perform the docking or being grasped by the LOP-G in a berthing fashion.

Definition of Safety
Based on the safety areas above, the passive and active safety concepts are now introduced.
-Passive Safety is defined as the strategy of avoiding collisions by using a collision-free trajectory, often defined with additional safety boundaries to be enforced, with the potential drawback of ending up generating a very conservative trajectory. To ensure passive safety, the hold point sequence for the chaser must guarantee a position outside the RS. Passive safety has the advantage of guaranteeing a collisions-free path under many possible failures and malfunctions. Additionally, by not using fuel for an abort burn for example, it increases the chances of additional attempts in case of a failure, thus increasing the likelihood of mission success. It also does not rely on any actuators or specific sensors and will keep guaranteeing safety even in the most hazardous failures of the chaser spacecraft, including a complete loss of its control.
-Active Safety is the strategy of detecting a possible collision and performing a Collision Avoidance Manoeuvre (CAM) by actively using the chaser propulsion system. This approach has the advantage of being less conservative than the passive one and better suited during the terminal phase, where the two spacecraft are in close proximity. Active Safety requires the use of fuel, which is usually a very precious resource. An appropriately designed GNC system that includes the CAM must consider, for instance, the risk of damaging the target with the engines plumes in case the avoidance burns are executed in the close proximity of the target. The CAM should be as simple as possible and executable with minimal resources, both in terms of fuel (to minimize V usage) and on-board resources (such as processing capabilities and attitude control accuracy).

Failures
An important design point, which is outside the scope of this work, is a comprehensive analysis of failed states and their impact to the mission. In the paper, a limited set of failures are considered that appear however critical and that impact rendezvous strategies.

3
The hold point allocation algorithm and the CAM structure described in the next section are designed to guarantee the safety for a specific set of failures. The set of failures considered in this paper are related to actuator malfunctions, for the assumed nominal two -impulse standard bang-bang manoeuvre from one waypoint to the next. In particular: -No departing burn the absence of a departing firing from a HP is critical, in that the rendezvous sequence will be interrupted. In this case, the chaser shall continue on a passively safe trajectory. -No arrival burn this failure could occur when the chaser is not capable of braking in order to stop at the following hold point. This type of failure is perhaps the most critical and it may require an active intervention from the thrusters to avoid the violation of the safety unless the resulting trajectory is intrinsically passively safe. -Random burn before or after arrival burn this failure consists of a random directed firing with a constant amplitude (0.05m/s in the paper) that occurs right before or after the arrival burn at a HP.
The definition of the above failures is more significant in case of passive safety requirements, since the off-line design of the hold-point sequence must be able to guarantee it, and to verify the potential of performing a second rendezvous attempt after one orbit of the target.

Safe Rendezvous Strategy
The methodologies proposed to guarantee the safety in the case of the failures listed above for the rendezvous manoeuvre are presented in this section. Two main approaches are considered: hold point selection and active collision avoidance. The first is used outside the RS or KOZ, depending on the failure occurrence, when the rendezvous is performed through an open loop guidance. Since the specifics of the guidance are of no interest here, an open loop adjoint guidance taken from [15] is assumed herein. It guarantees the safety with respect to the failures thanks to the proper allocation of the hold points: in other words the position and the velocity of the hold points are selected to guarantee that no violation of the KOZ happens in case of failure, moreover they are located to allow another rendezvous attempt after one orbit.
The active safety, instead, is used inside the KOZ, where the guidance algorithm acts in a closed loop fashion, and the distances involved are so small that it is no more possible to rely on passive safety. To this end, two CAM methodologies are proposed: optimal active safety, and swift active safety.

Hold Point Selection Algorithm: Passive Safety
During most space missions and particularly in critical rendezvous operations, it is common to establish specific locations in time and space (here called hold points) where to evaluate the state of the system, to change sensor suites and to perform trajectory maneuvers/corrections. The selection of the number and location of such points is mission dependent and is often used as a design parameter by mission control. In this work, the guidelines set forth by ESA for their HERACLES mission study were taken as baseline. The rendezvous trajectory is composed by five hold points, starting from HP0 and ending at HP4 located on the immediate vicinity of the target station, where berthing (or docking) will be performed. HP3 and HP4 are assumed to be fixed within the KOZ and SB respectively, while the others are selected from a pool of candidates based on three main metrics: -The drift of the free trajectory after one orbital period of the target.
-The number of directions that may lead to a collision if an unexpected firing in a random direction were to happen, -The V consumption to perform the manoeuvre.
The HP0 -HP2 hold points are chosen from three pools of 20 possible locations (the number could be changed during fine tuning of the design), created using the computation of invariant manifolds of the orbit, which can be stable, meaning they will drift towards the target, or unstable, meaning they will instead drift away. The procedure is based on the CR3BP model, and the details of their computation can be found in [16,17], and proposed in [14,18], and [19] among others.
A passively safe approach can be obtained by only choosing candidate HPs on an unstable manifold, or in its proximity, to guarantee that, in case of a failure, the chaser spacecraft will drift away from the target, even if completely uncontrolled.

Mathematical Formulation
The selection of the most appropriate and feasible hold point sequence among those associated with an unstable manifold is performed using a linear programming optimisation process.
Basic parameters such as duration of the total rendezvous, duration of each trajectory sequence and initial relative distance are established. A cluster of possible hold point is created, located on unstable manifolds, then the sequence that minimises the cost function in Eq.(2) is selected, which includes safety constraints and fuel consumption.
Specifically, the cost function is composed of three terms: J 2attempt , J rmdDirection , and J V .
-J 2attempt is the change in relative distance between chaser and target after one orbit, computed with the CR3BP. In the likelihood of a second rendezvous attempt, the two vehicles should be close enough not to invoke an additional phasing manoeuvre. This part of the cost is computed propagating the relative dynamics under the CR3BP for a whole orbit and the cost contribution is: where 0 is the relative position vector at initial time and 1Orbit is the relative position after one orbit according to CR3BP.
-J rmdDirection is proportional to the collision angle in degrees. The collision angle is defined as the solid angle of all the possible directions that may lead to a collision if a random firing happens, yielding a straight line trajectory within the cone, as shown in Fig. 7.
-J V is related to the V consumption of moving from an HP to the next. The transfer between two consecutive HPs is achieved by a two-impulse manoeuvre transferring the target from the initial state given by the starting HP to a final state at the next HP in a given amount of time. Given these known quantities the V for the two burns of the manoeuvre can be computed using the adjoint theory described in [15], and [20].
This cost is defined as: The total cost, given in Eq. (2), is the absolute sum of the three terms described above, each of which is scaled through a min-max normalisation. The total cost function is associated to every hold-point to search for the optimal sequence.

Selection of the Optimal Sequence
To find the optimal sequence a graph is constructed according the flowchart in Fig. 8, where the nodes are all the candidate HPs and the oriented edges represent The graph is based on a 62 by 62 adjacency matrix given by: The resulting graph is depicted in Fig. 9. The first node represents a fictional starting point connecting the 20 possible candidates for HP0, the initial location of the spacecraft, but the choice of HP0 is still subject to its cost in drift and random firing.
Then from the 20 possible HP0s the edges are originated, leading to 20 possible candidates for HP1, where each edge is now the sum of the contributions from the drifting and random firing of the HP2 candidate, and the V cost to go from a specific HP1 to that specific HP2. The same holds for the following couple of rows, containing the transfers from the candidates HP2s to HP3, which is fixed to be at a distance of 100m (right at the border of the safety boundary on R-bar).
Once the graph is built, then the optimal path is found by applying Dijkstra's algorithm [21].
Lastly, the feasibility of the manoeuvre is checked. The manoeuvre is feasible if the two burns of the two-impulse manoeuvre between each pair of HPs is viable with the thrust provided by the chaser thrusters. If not, then the cost between the obtained nodes is set to infinite and the search of the optimal path is repeated.

Active Collision Avoidance Design
While the far range hold point allocation guarantees passive safety, in the near range rendezvous active safety may be necessary. The design of an active collision avoidance depends on the location of the chaser being inside the keep out zone or inside the safety boundary. For this paper, the actuators are assumed perfect, with no inherent delay. In addition, factors such as attitude/thruster misalignment, plume impingement are not considered, since they require second level detailed analysis, which are beyond the scope of the present work.

Optimal Collision Avoidance Manoeuvre
The algorithm used for resolving safety issues inside the KOZ is called Optimal Collision Avoidance Manoeuvre (OCAM). The main idea behind the design of the OCAM is to execute a single burn, immediately after the failure, designed to move outside of the safety boundary of the target the Closest Approach Vector (defined as the chaser-target relative position vector with the smallest norm) of the current trajectory, while at the same time minimizing the usage of V. In order to save V , the OCAM is not executed after every failure, but only if the resulting trajectory actually presents a collision risk because it enters in the target's safety boundary. To evaluate the success of the procedure, three main requirements were defined and checked after the optimization is performed: 1. The Closest Approach Vector shall be outside the Safety Boundary for the next period of the target's orbit. 2. The Closest Approach Vector shall be outside the Keep Out Zone for the next period of the target's orbit. Or, if the failure happened already inside the KOZ, then the chaser exits it and then stays outside of it for the remaining time of the period of the target's orbit. 3. The OCAM burn is feasible with the on-board thrusters.
The energy consumption is expressed as usual with a V . Given the duration of the impulse and the mass of the spacecraft, the amount of thrust required, can be verified as follows: The paper assumes MaxThrust = 20N thrusters on-board the chaser.

Swift Collision Avoidance Manoeuvre
A failure within the Safety Boundary can be critical especially for the integrity of the vehicles, and safety of the crew. To this end a "quick CAM", called Swift Collision Avoidance Manoeuvre (SCAM), was implemented inside the SB. In particular, three possible SCAM versions were analyzed. The objective of the three versions is very similar: achieve a desired relative velocity ̇fi nal (in the LVLH frame) that pushes the chaser away from the target.
SCAM v1 the manoeuvre is designed to burn against the relative velocity ̇ until it is positive and equal to a desired quantity ̇fi nal , as shown in Fig. 10.
SCAM v2 the manoeuvre is designed to burn until the relative velocity ̇ is positive, aligned to , and equal to a desired quantity ̇fi nal , as shown in Fig. 11.
With SCAM v2 the required V decreases the less ̇ is aligned to . SCAM v3 the manoeuvre is designed to burn until the relative velocity ̇ is positive and equal to a desired quantity ̇fi nal , with the V aligned with , as shown in Fig. 12. The V decreases the less ̇ is aligned to . The three SCAM versions are in decreasing order of V consumption, and this difference is more noticeable the less ̇ is aligned to . There is a slight increase in algorithm complexity, but they all fall within the required and desired simplicity of the SCAM.
SCAM v2, however, has the advantage of pushing the chaser directly away from the target, minimizing the time it spends inside the SB, which could be potentially beneficial and reduce the risk of impacting on the structure of the target. For this reason, based on numerical simulations, SCAM v2 was selected, since it consumes about a third of V with respect to the SCAM v1, while there is almost no difference with the SCAM v3, and has the advantage of pushing the chaser directly away.
As it was previously done for the OCAM, the SCAM computation has two mandatory constraints: 1. The chaser does not collide with the target. 2. The Closest Approach Vector is outside the Safety Boundary for the next period of the target's orbit, as soon as the chaser exits it after the SCAM application.
With respect to the OCAM, there are now no requirements on the thrust of the burn. This is because the manoeuvre is designed to be executed as quickly as possible. Therefore, instead of having the usual burn duration of 30 seconds, the SCAM duration is obtained assuming a thruster firing at the its full capacity of MaxThrust = 20N for the shortest amount of time necessary to achieve the desired V . The outcome of the SCAM strongly depends on the location of the failure occurrence, and this is outside the scope of the paper. The duration of the SCAM depends on the V and the available thrust via Eq. (7): In addition, the SCAM V depends on the magnitude of the desired positive relative velocity ̇d es , if decreased then the duration of the SCAM will also decrease.

Detailed Failure Analysis
This section describes in detail the failures considered for the validation of the algorithms proposed in the previous section. The failures are divided into two groups according to the part of the trajectory where they occur: either during the transfer between HP0 and HP3, or during the final approach from HP3 to HP4. For each failure, the allocation sequence and the collision avoidance algorithm will be evaluated in terms of safety of the trajectory. Of course in the nominal case the rendezvous is assumed to be safe within each boundary zone [7] (recall Fig. 6).

Failures During the HP0-HP3 Transfer: fully Missed Firings
The first, and longer, phase of the rendezvous process consists of the trajectories and burns necessary transfer the chaser from HP0 to HP3. Several possible failures may happen in this phase, such as a thruster misfire during one of the burns between the hold points, a random and undesired firing, a timing error during a burn leading to a shorter or longer firing, and many more possible and unpredictable failures related to the thrusters. During this phase, passive safety must be guaranteed. A graphical representation of failure occurrence and HP sequence is shown in Fig. 13.
With reference to Fig. 13, consider the following scenarios: -FAILURE 1: missed firing at the braking burn of the transfer between HP0 and HP1. -FAILURE 2: missed firing at the braking burn of the transfer between HP1 and HP2. -FAILURE 3: misfire at HP2 departure burn leading to a direct collision course.
In this case OCAM should be invoked. -FAILURE 4: no firing at the braking burn of the transfer between HP2 and HP3.

Failures During the HP0-HP3 Transfer: Random Firings
A graphical representation of failure occurrence and HP sequence is shown in Fig. 14.   Fig. 13 Failure scenarios schematic-fully missed firings 1 3 -FAILURE 1: short firing in a random direction at the braking burn of the transfer between HP0 and HP1. -FAILURE 2: short firing in a random direction at the departure burn of the transfer between HP1 and HP2. -FAILURE 3: short firing in a random direction at the braking burn of the transfer between HP1 and HP2. -FAILURE 4: short firing in a random direction at the departure burn of the transfer between HP2 and HP3. -FAILURE 5: short firing in a random direction at the braking burn of the transfer between HP2 and HP3.

Failures During the Final Approach: HP3-HP4 Transfer
During the final approach from the last HP to the target, the chaser motion is governed by a closed loop GNC controller. Since the scope of the paper is not to design a guidance system, a State Dependent Riccati Equation (SDRE) controller available in the literature [22] is used, which will put the chaser in a nominal, low speed and controlled, course with the target providing zero relative velocity at the final point. Typical nominal performance of the SDRE controller are shown in Fig. 15, where the chaser is taken from 100 to 5 m along the R-bar direction.
In the event of a failure at this point, passive safety is not achievable, and the only solution is the use of SCAM.

Simulation Results
This section presents numerical simulations relative to selected failures described earlier and summarized in Figs. 13 and 14.
The  The HP sequence (HP0-HP2) was allocated through the automatic allocation algorithm proposed above, with the corresponding distances set to 60km, 15km, and 2km. The last two HP inside the KOZ and SB were fixed, since only active safety would be operational.

Transfer HP0-HP3: Fully Missed Firings
The simulations relative to the failures described in Sect. 4.1 are described next.

Failure 1 Scenario
In this scenario, after a successful departure burn from HP0, the chaser fails to activate a braking firing necessary to stop at HP1.
The chaser's and target's orbits are propagated for one orbital period and the closest approach distance is found to be of 13.68 km. Therefore there is no need to perform a CAM, since the HP sequence is passively safe with respect to the rendezvous sphere. The resulting relative range from HP0 to the failure at HP1 and after the failure are shown in Fig. 16.

Failure 2 Scenario
In this scenario, the sequence HP0 -HP1 is performed with no failures. The chaser leaves HP1 with a departing burn but it experiences a braking failure upon arrival to HP2. Again the chaser's and target's orbits are propagated for one orbital period and the closest approach distance is found to be of 1.2063 km. This brings the chaser outside the KOZ, therefore there is no need to perform a CAM. Figure 17 shows the distance between the target and the chaser along the trajectory, up to the failure and during the next orbital period. This failure is more critical since it occurs at HP2, however a new rendezvous could be attempted. Figure 18 shows a close-up of the previous plot around the failure. The chaser never enters either the Keep Out Zone or the Safety Boundary, thanks to the passive safety of the trajectory.

Failure 3 Scenario
In this scenario, after nominal transfers from HP0 to HP2, there is a misfire at HP2 departure leading to a direct collision path. Although not realistic (being not random), is was selected to test the OCAM in a worst-case scenario during the far range rendezvous trajectory.
The OCAM computes the manoeuvre in 16 iterations and finds a burn that changes the closest approach distance to a safer distance of 2.21 km, with a cost of V = 0.16248 m/s, and feasible with the available thrust.  Figure 19 shows the relative distance until the failure and during the next orbital period. The chaser stays out of the KOZ after the application of the OCAM, and since the distance in the end is relatively small, a next rendezvous could be attempted. Figure 20 shows a zoom of the previous plot around the failure showing that the chaser never enters the KOZ.

Failure 4 Scenario
In this scenario, the transfers HP0-HP1-HP2 are nominal. The failure occurs with a failed braking manoeuvre at HP3, after a successful departure from HP2. This is an extremely tough scenario for the OCAM since, without a braking burn, the chaser arrives at HP3, which is only 50 meters away from the Safety Boundary, with the full speed of the HP2-HP3 transfer. If no action is taken the chaser would pass at a distance of 20.9 meters from the target, resulting in an almost certain impact at a highly dangerous relative speed of 0.096140 m/s. The OCAM computes the collision avoidance manoeuvre in only 13 iterations and finds a burn capable of changing the closest approach distance to a safer distance of 140.1 meters, with a cost of V = 0.46154 m/s, and also feasible with the available thrust. In addition, the post-OCAM trajectory quickly leaves the KOZ, and stays out of it for the rest of the orbital period. The relative distance profile is shown in Figs. 21 and 22.   Figure 21 shows the distance between the target and the chaser along the trajectory, up to the failure and during the next orbital period. The chaser stays out of the KOZ after the application of the OCAM, and the distance in the end is such that a new rendezvous could be attempted. Figure 22 shows a close-up of the previous plot around the failure. The chaser inevitably enters the KOZ, but then it manages to stay out of the Safety Boundary and after less than an hour it is also out of the KOZ.

Transfer HP0-HP3: Random Firings
The simulations relative to the failures described in Sect. 4.2 are presented next. The pseudo-random firing is performed at constant thrust in 20 uniformly distributed directions (this is a limited, yet indicative, validation compared to a more comprehensive Montecarlo simulation, but within the constraints of the nature of the work).

Failures 1 and 2 Scenarios
In both cases, the minimum relative distances are always greater than the assumed rendezvous boundary (15km and 16km respectively). No Cam is necessary and a rendezvous attempt can be performed after one orbit.

Failure 3 Scenario
In this scenario, after a nominal transfer from HP0 to HP1, and a successful departure burn to HP2, an unwanted short firing in a random direction occurs instead of the planned braking burn at HP2 located within the RS. The failure happens when the relative distance is about 2km, however it reaches its minimum at 1.2km, outside the KOZ in all simulations.
Depending on the mission status, an active collision avoidance may be necessary. Figures 23, and 24 show the behavior of the relative distance. The chaser never enters the Keep Out Zone or the Safety Boundary, due to the passive safety of the trajectory. A similar situation happens for the scenario of Failure 4, whose results are not reported.

Failure 5 Scenario
This scenario is more critical due to the fact that the failure occurs within the KOZ. After nominal transfers from HP0 to HP1 and from HP1 to HP2, and a successful departure burn to HP3, an unwanted short firing occurs in a random direction instead of the planned braking burn at HP3. All simulation runs result in a collision with the chaser passing at a distance between 8m and 20m with a relative velocity  Figure 25 shows the distance between the target and the chaser along the trajectory, up to the failure and during the next orbital period. As it can be seen, not all the 20 cases result in a small enough distance after one period, meaning that another rendezvous might be hard to reattempt, and a quick planning or further phasing maneuvers could be needed. Figure 26 shows a close-up of the previous plot around the failure. The chaser inevitably enters the KOZ, but then it manages to stay out of it for the remaining orbital period. Figure 27 shows an additional close-up of the previous plot where the chaser, never enters the Safety Boundary either. If this were to happen, the best strategy would probably be to use the second CAM.

Transfer During Final Approach
This section briefly examines the behavior of SCAM when chaser and target are in close proximity. The trajectory of interest is relative to the transfer between HP3 and HP4. Here, the chaser moves inside the KOZ to stop just prior to berthing (docking). The critical distances are the sizes of KOZ and SB. The test was performed with the generation of ten controller failures at uniformly distributed points in the last 100 m within the section HP3-HP4, so that the chaser drifts uncontrolled towards the target. The SCAM algorithm was activated just after each failure using using Eq. (7) and the direction shown in Fig. 11. The value for the desired relative velocity was set at ̇d es = 1e-6 m/s, which always provided successful SCAM earlier. Unfortunately, such a small positive relative velocity, while being able to avoid collision, would not satisfy the requirement of keeping the chaser outside the safety boundary for a whole orbital period, as shown in Fig. 28. The distance between the vehicles is below the SB constraint (100 m).
Additional simulations led to the value of ̇d es = 0.002 m/s, which was a compromise between avoiding the SB for one orbital period and rate of success. Figure 29 shows the results, where the trajectory of the target, after exiting the safety boundary, stays out of it for an entire orbital period, even moving the chaser beyond the KOZ when the target is at the periselene of its orbit. With this value the SCAM would not be able to push the chaser away during the last 42.97 seconds of the approach, corresponding to a distance of 1.89 cm and a relative velocity of 1.8405e-2 mm/s. At this extremely small relative velocity, the contact between chaser and target would definitely count as soft docking, considering the terminal docking speed for the Soyuz/Progress with the ISS being of the order of 0.1-0.3 cm/s [9]).

Conclusions and Future Work
The paper presents the design of an automated rendezvous trajectory in cislunar space, which satisfies passive and active safety with an optimized hold point allocation using unstable manifold theory in the far range, and active collision avoidance when the vehicles are closer than specified safety zones. The safety of the trajectory is validated taking into account a selected number of actuator failures and simulating the behaviour of the relative distance between chaser and target over one orbital period. Although not a comprehensive analysis, simulation based, and somehow constrained by a specific set of failures, the paper addresses a fundamental problem that is not yet sufficiently discussed in the literature, where the research is still concentrated on methodology for trajectory determination. The analytical basis was the circular restricted three body problem, however the simulations in the paper were all obtained using the elliptic version.
Future activity is directed to hold point reallocation, and simulation of the relative dynamics using more accurate models, such as those based on Ephemeris data.
The Journal of the Astronautical Sciences (2022) 69:1319-1346 Funding Open access funding provided by Università di Pisa within the CRUI-CARE Agreement.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/ licenses/by/4.0/.