Incipient Actuator Fault Handling in Nonlinear Model

The International Federation of Congress Automatic Control Proceedings of 20th Proceedings of the the 20th World World The International of Congress Automatic Control Toulouse, France,Federation July 9-14, 2017 The International International Federation of Congress Automatic Control The Federation of Automatic Control Proceedings of the 20th World Toulouse, France, July 9-14, 2017 Available online at www.sciencedirect.com Toulouse, France, July Toulouse, France,Federation July 9-14, 9-14, 2017 2017 The International of Automatic Control Toulouse, France, July 9-14, 2017

ScienceDirect IFAC PapersOnLine 50-1 (2017) 15922–15927 Incipient Actuator Fault Handling in Incipient Actuator Fault Handling in Incipient Actuator Fault Handling in Nonlinear Model Predictive Control Nonlinear Model Predictive Control Incipient Actuator Fault Handling in Nonlinear Model Predictive Control ∗ ∗∗,∗∗∗ Nonlinear Model Control Brage Rugstad KnudsenPredictive ∗ Timm Faulwasser ∗∗,∗∗∗

Brage Rugstad Knudsen Timm Faulwasser ∗ ∗∗,∗∗∗ ∗ Timm ∗∗,∗∗∗ Brage Knudsen Colin N. Jones ∗∗∗ BjarneFaulwasser Foss ∗∗ ∗∗∗ Brage Rugstad Rugstad Knudsen Timm Faulwasser Colin N. Jones Bjarne Foss ∗∗∗ ∗ ∗ ∗∗,∗∗∗ ∗∗∗Timm ∗ Colin N. Jones Bjarne Foss Brage Rugstad Knudsen Faulwasser Colin N. Jones Bjarne Foss ∗ ∗∗∗ ∗ Engineering Cybernetics, Norwegian University of N. Jones Bjarne Foss ∗ Department ofColin Department of Engineering Cybernetics, Norwegian University of ∗ ∗ Department Engineering Cybernetics, Norwegian University Science andof Technology, N-7491 Trondheim, Norway (e-mail: of Department of Engineering Cybernetics, Norwegian University of Science and Technology, N-7491 Trondheim, Norway (e-mail: ∗ Science {brage.knudsen, and Technology, N-7491 Trondheim, Norway (e-mail: bjarne.foss}@ntnu.no). Department of Engineering Cybernetics, Norwegian University of Science and Technology, N-7491 Trondheim, Norway (e-mail: {brage.knudsen, bjarne.foss}@ntnu.no). ∗∗ bjarne.foss}@ntnu.no). Institute{brage.knudsen, forTechnology, Applied Computer Science, Karlsruhe Institute of and N-7491 Trondheim, Norway (e-mail: ∗∗Science {brage.knudsen, bjarne.foss}@ntnu.no). Institute for Applied Computer Science, Karlsruhe Institute of ∗∗ ∗∗ Institute for Science, Karlsruhe Technology, Karlsruhe, Germany, (e-mail: Institute bjarne.foss}@ntnu.no). Institute{brage.knudsen, for Applied Applied Computer Computer Science, Karlsruhe Institute of of Technology, Karlsruhe, Germany, (e-mail: ∗∗ Karlsruhe, Germany, (e-mail: [email protected]). Institute Technology, for Applied Computer Science, Karlsruhe Institute of Technology, Karlsruhe, Germany, (e-mail: [email protected]). ∗∗∗ ´ Germany, [email protected]). Technology, Karlsruhe, (e-mail:F´ed´erale de d’Automatique, Ecole Polytechnique [email protected]). ∗∗∗ Laboratoire ´ Laboratoire d’Automatique, Ecole Polytechnique F´ ∗∗∗ ´ ∗∗∗ Laboratoire [email protected]). d’Automatique, Ecole Polytechnique F´eeed´ d´eeerale rale de de ´ Lausanned’Automatique, (EPFL), Lausanne, Switzerland (e-mail: Laboratoire Ecole Polytechnique F´ d´ rale de Lausanne (EPFL), Lausanne, Switzerland (e-mail: ∗∗∗ ´ Lausanne (EPFL), Lausanne, Switzerland (e-mail: [email protected]). Laboratoire Ecole Polytechnique F´ e d´ e rale de Lausanned’Automatique, (EPFL), Lausanne, Switzerland (e-mail: [email protected]). [email protected]). Lausanne (EPFL), Lausanne, Switzerland (e-mail: [email protected]). Abstract: This paper presents a [email protected]). reconfigurable nonlinear model predictive control (NMPC) Abstract: This paper presents aa reconfigurable nonlinear model predictive control (NMPC) Abstract: This paper presents reconfigurable model predictive scheme for handling of incipient actuator faultsnonlinear in nonlinear plants. The control scheme (NMPC) seeks to Abstract: This paperofpresents a actuator reconfigurable nonlinear model predictive control (NMPC) scheme for handling incipient faults in nonlinear plants. The scheme seeks to scheme for handling of incipient actuator faults in nonlinear plants. The scheme seeks ensure recoverability from an incipient actuator fault in plants where the input redundancy Abstract: This paper presents a reconfigurable nonlinear model predictive control (NMPC) scheme recoverability for handling from of incipient actuator faultsfault in nonlinear plants. Theinput scheme seeks to to ensure an incipient actuator in plants where the redundancy ensure recoverability from an incipient actuator in where the redundancy is insufficient to stabilize the system at thefault nominal operating thereby requiring scheme for handling of incipient actuator faults in nonlinear plants. Theinput scheme seeks to ensure recoverability from an faulty incipient actuator fault in plants plants wherepoint, the input redundancy is insufficient to stabilize the faulty system at the nominal operating point, thereby requiring is stabilize system the nominal operating point, thereby requiring transition to ato safe control-invariant set.actuator To at this the proposed scheme into account ensure recoverability fromthe an faulty incipient fault in plants where the takes input redundancy is insufficient insufficient stabilize the faulty system at theend, nominal operating point, thereby requiring transition to aatosafe control-invariant set. To this end, the proposed scheme takes into account transition to safe control-invariant set. To this end, the proposed scheme takes into account an estimate of the decrease in remaining actuator capacity from the time of detection of an is insufficient to stabilize the faulty system at the nominal operating point, thereby requiring transition to of a safe control-invariant set. To this end, the proposed scheme takes into account an estimate the decrease in remaining actuator capacity from the time of detection of an an estimate estimate of thefault, decrease in remaining remaining actuator capacity from to the timethe ofplant detection ofsafe an incipient actuator and minimizes theTo required control input steer to account theof transition to a safe control-invariant set. this end, the proposed scheme takes into an of the decrease in actuator capacity from the time of detection an incipient actuator fault, and minimizes the required control input to steer the plant to the safe incipient actuator fault, andfor minimizes the required control input input to steer theofplant plant to the theofsafe safe set. We provide conditions stability and fault recoverability ofto the proposed scheme, and an estimate of the decrease in remaining actuator capacity from the time detection an incipient actuator fault, and minimizes the required control steer the to set. We provide conditions for for stability stability and and fault fault recoverability recoverability of of the the proposed proposed scheme, scheme, and and set. We provide conditions demonstrate its applicability onstability a numerical example with two CSTRs inproposed series. incipient actuator fault, and minimizes the required control input to steer the plant to the safe set. We provide conditions for and fault recoverability of the scheme, and demonstrate its applicability on aa numerical example with two CSTRs in series. demonstrate its on with two CSTRs series. set. We provide conditions for and example fault recoverability of thein scheme, and demonstrate its applicability applicability onstability a numerical numerical example two by CSTRs inproposed series. © 2017, IFAC (International Federation of Automatic Control)with Hosting Elsevier Ltd. All rights reserved. demonstrate its applicability on a numerical example with two CSTRs in series. Keywords: Nonlinear Model Predictive Control, Fault-tolerant Control, Process Control Keywords: Nonlinear Model Predictive Control, Fault-tolerant Control, Process Control Keywords: Keywords: Nonlinear Nonlinear Model Model Predictive Predictive Control, Control, Fault-tolerant Fault-tolerant Control, Control, Process Process Control Control Keywords: Nonlinear Model Predictive Control, Fault-tolerant Control, 1. INTRODUCTION economic MPC, tends Process to driveControl the system close to the 1. INTRODUCTION INTRODUCTION economic MPC, MPC, tends tends to to drive drive the the system system close close to to the the 1. economic boundary of the tends feasible region (Lucia et al., 2014), in 1. INTRODUCTION economic MPC, to drive the system close to the boundary of the feasible region (Lucia et al., 2014), in Model predictive 1. control (MPC) has emerged as an atboundary of the feasible region (Lucia et al., 2014), in which an MPC, actuator faultto may reduce the MPC feasible INTRODUCTION economic tends drive the system close to the Model predictive control (MPC) has emerged as an atboundary of the feasible region (Lucia et al., 2014), in which an actuator fault may reduce the MPC feasible Model predictive control (MPC) has emerged as an attractive control scheme for embedding fault tolerance, Model predictive control for (MPC) has emerged as an at- which an actuator fault may the feasible region and hence constraint violations. boundary of the cause feasible regionreduce (Lucia et MPC al., 2014), in tractive control scheme embedding fault tolerance, which an actuator fault may reduce the MPC feasible region and hence cause constraint violations. tractive control scheme for embedding fault tolerance, from itspredictive ability both optimize performance Model control (MPC) has emerged ascomplex an at- region tractive controlto scheme for embedding fault of tolerance, and hence cause constraint violations. which an actuator fault may reduce the MPC feasible from its ability to both optimize performance of complex region and hence cause constraint violations. recoverability from an actuator fault for from to both optimize performance of complex constrained systems while system faults Guaranteeing tractive control foraccommodating embedding fault from its its ability ability toscheme both optimize performance oftolerance, complex Guaranteeing recoverability from violations. an actuator actuator fault fault for for region and hence cause plant constraint constrained systems while accommodating system faults Guaranteeing recoverability from an an NMPC controlled may require a highfault degree constrained systems while accommodating system faults through online adaptation of the internal MPC model Guaranteeing recoverability from an actuator for from its ability to both optimize performance of complex constrained systems while accommodating system faults an NMPC controlled plant may require a high degree through online adaptation of the internal MPC model NMPC controlled plant may require aaof high degree of control-input redundancy, or operation thefault plant through online adaptation of the internal MPC model (Maciejowski, 1999). Whileaccommodating several robust, system passive fault- an Guaranteeing recoverability from an actuator fora an NMPC controlled plant may require high degree constrained systems while faults through online adaptation of the internal MPC model of control-input redundancy, or operation of the plant a (Maciejowski, 1999). 1999). While While several several robust, robust, passive passive faultfault- of control-input or operation of the plant conservative stateredundancy, thatplant warrants recovery from any faultaa (Maciejowski, tolerant MPC 1999). (FTMPC) approaches havepassive been model develan NMPC controlled may require a high degree of control-input redundancy, or operation of the plant through online adaptation of the internal MPC (Maciejowski, While several robust, faultconservative state that warrants recovery from any fault tolerant MPC (FTMPC) approaches have been develstate that recovery from any fault scenario. As an alternative, several preventive tolerant (FTMPC) approaches have been developed, e.g.MPC Maciejowski (1999), the robust, majority of FTMPC of control-input redundancy, or operation of or theproactive plant conservative state that warrants warrants recovery from any faulta (Maciejowski, 1999). While several fault- conservative tolerant (FTMPC) approaches havepassive been develscenario. As an an alternative, several preventive or proactive oped, e.g.MPC Maciejowski (1999), the majority majority of FTMPC FTMPC scenario. As alternative, several preventive or proactive FTMPC schemes have been proposed (Lao et al., 2013; oped, e.g. Maciejowski (1999), the of schemes belong to the class of active (reconfigurable) conservative state that warrants recovery from any fault scenario. As an alternative, several preventive or proactive tolerant MPC (FTMPC) approaches have been developed, e.g. Maciejowski (1999), the majority of FTMPC FTMPC schemes have been proposed (Lao et al., 2013; schemes belong belong to to the the class class of of active active (reconfigurable) (reconfigurable) FTMPC schemes have been proposed (Lao et al., 2013; Bø and Johansen, 2014; Knudsen, 2016; Albalawi et al., schemes fault-tolerant control (FTC) schemes. A variety of active scenario. As an alternative, several preventive or proactive FTMPC schemes have been proposed (Lao et al., 2013; oped, e.g. Maciejowski (1999), the majority of FTMPC schemes belong to the classschemes. of active (reconfigurable) Bø and and Johansen, Johansen, 2014; 2014; Knudsen, Knudsen, 2016; 2016; Albalawi Albalawi et et al., al., fault-tolerant control (FTC) A variety variety of active active Bø 2016). Proactive FTMPC schemes seek toAlbalawi enable a et plant fault-tolerant control (FTC) schemes. A FTMPC schemes have been developed to variety handle of actuator FTMPC schemes have been proposed (Lao et al., 2013; Bø and Johansen, 2014; Knudsen, 2016; al., schemes belong to the class of active (reconfigurable) fault-tolerant control (FTC) schemes. A of active 2016). Proactive FTMPC schemes seek to enable a plant FTMPC schemes have been developed to handle actuator Proactive FTMPC schemes seek enable aa etplant to operate in nominal mode, relying on to aAlbalawi fault detection FTMPC schemes have been developed to handle actuator and system faults, e.g.(FTC) Yetendje et al. (2013); Franz` eactive et al. 2016). Bø and Johansen, 2014; Knudsen, 2016; al., 2016). Proactive FTMPC schemes seek to enable plant fault-tolerant control schemes. A variety of FTMPC schemes have been developed to handle actuator to operate operate in in nominal nominal mode, mode, relying relying on on aa fault fault detection detection and system system faults, faults, e.g. e.g. Yetendje Yetendje et et al. al. (2013); (2013); Franz` Franz`ee et et al. al. to and isolation (FDI) unit to be designed so as to and (2015); Knudsen (2016), and developed sensor faults (Yetendje et al., 2016). Proactive FTMPC schemes seek to enable adetect plant to operate in nominal mode, relying on a fault detection FTMPC schemes have been to handle actuator and system faults, e.g. Yetendje et al. (2013); Franz` e et al. and isolation (FDI) unit to be designed so as to detect (2015); Knudsen Knudsen (2016), (2016), and and sensor sensor faults faults (Yetendje (Yetendje et et al., al., and isolation (FDI) to be designed as to detect early theunit onset an incipient fault, upon (2015); 2010; Xu et faults, al., 2014; et 2016). to in nominal mode, relying on a so fault detection andoperate isolation (FDI) to of be designed so as to detect and system e.g. Knudsen Yetendje et al., al. (2013); Franz`eet etal., al. sufficiently (2015); Knudsen (2016), and sensor faults (Yetendje sufficiently early theunit onset of an incipient fault, upon 2010; Xu et al., 2014; Knudsen et al., 2016). sufficiently early the onset of an incipient fault, upon which the FTMPC controller proactively steers thedetect plant 2010; Xu et al., 2014; Knudsen et al., 2016). and isolation (FDI) unit to be designed so as to sufficiently early the onset of an incipient fault, upon (2015); Knudsen (2016), and sensor faults (Yetendje et al., 2010; Xu et al., 2014; Knudsen et al., 2016). which the the FTMPC FTMPC controller controller proactively proactively steers steers the the plant plant While fault accommodation through online reconfigura- which to a safe set or steady state. These schemes, however, sufficiently early the onset of an incipient fault, upon While fault accommodation through online reconfigurawhich the FTMPC controller proactively steers the plant 2010; Xu et al., 2014; Knudsen et al., 2016). to aa safe safe set set or or steady steady state. state. These These schemes, schemes, however, however, While fault accommodation online tion attractive through for FTC, therereconfiguraare many to Whilemakes fault MPC accommodation through online reconfiguraas well as set the or related reactive safe-parking schemes, e.g. which the FTMPC controller proactively steers the plant tion makes MPC attractive for FTC, there are many to a safe steady state. These schemes, however, as well as the related reactive safe-parking schemes, e.g. tion attractive for there are many systems withMPC structures or control policies that Whilemakes fault accommodation through online reconfiguration makes MPC attractive for FTC, FTC, there areimpede many as well as the related reactive safe-parking schemes, e.g. Amui and Mhaskar (2009), all assume sufficient remaining to a safe set or steady state. These schemes, however, systems with structures or control policies that impede as well as the related reactive safe-parking schemes, e.g. Amui and Mhaskar (2009), all assume sufficient remaining systems with structures or control policies that impede such simple reactive fault accommodation: An NMPC contion makes MPC attractive for FTC, there areimpede many systems with structures or control policies that Amui and Mhaskar all assume sufficient remaining controllability of the(2009), healthy actuators to steer the plant as well as the related reactive safe-parking schemes, e.g. such simple reactive fault accommodation: An NMPC conAmui and Mhaskar (2009), all assume sufficient remaining controllability of of the the healthy healthy actuators actuators to to steer steer the the plant plant such reactive fault An NMPC controller may require availability of a sufficient input systems with structures or control policies that impede such simple simple reactive fault accommodation: accommodation: Ancontrol NMPC con- controllability to the and safeMhaskar set or steady state. Yet, such safe transition of Amui (2009), all assume sufficient remaining troller may require availability of a sufficient control input controllability of the healthy actuators to steer the plant to the the safe safe set set or or steady steady state. state. Yet, Yet, such such safe safe transition transition of of troller may require of sufficient input in order to robustly operate a plant a small region such simple reactiveavailability fault accommodation: Ancontrol NMPCabout con- to troller may require availability of aa in sufficient control input the operating point ofhealthy a plant may require using the faulty controllability of the actuators to steer the plant in order to robustly operate a plant in a small region about to the safe set or steady state. Yet, such safe transition of the operating operating point point of of aa plant plant may may require require using using the the faulty faulty in order to robustly operate plant in aa small region the nominal steady availability state. Ifaaan actuator failscontrol or the about input the troller may require of a sufficient in order to robustly operate plant in small region about actuator, inset which the controller must take into account to the safe or steady state. Yet, such safe transition of the nominal steady state. If an actuator fails or the input the operating point of a plant may require using the faulty actuator, in in which which the the controller controller must must take take into into account account the nominal steady state. If actuator fails or input capacity decreases, disturbance may cause a actuator, in order to robustly operate aan plant in a small about the nominal steady then state.a Ifsmall an actuator fails region or the the input the gradual decrease inaremaining available input capacity. operating point of plant may require using the faulty capacity decreases, then a small disturbance may cause a actuator, in which the controller must take into account the gradual gradual decrease decrease in in remaining remaining available available input input capacity. capacity. capacity disturbance cause aa the finite timedecreases, escape of then someaaof the plant’s states. Anthe example the nominal steady state. Ifsmall an actuator fails may or input capacity small disturbance may cause actuator, indecrease which the controller must take intocapacity. account finite timedecreases, escape of then some of of the plant’s states. An example example thethis gradual in remaining available input In paper, we propose a fault-tolerant NMPC (FTNfinite time escape of some the plant’s states. An of the latter is process systems with exothermic reactions, capacity decreases, then a small disturbance may cause a finite time escape of some of the with plant’s states. Anreactions, example In this paper, we propose a fault-tolerant NMPC (FTNthe gradual decrease in remaining available input capacity. of the latter is process systems exothermic this paper, we propose aa fault-tolerant NMPC (FTNMPC) scheme that takes into account a gradual decreasing of the latter is process systems exothermic reactions, where it isescape often desirable to with operate the plant at an In In this paper, we propose fault-tolerant NMPC (FTNfinite time of some of the plant’s states. An example of the latter is process systems with exothermic reactions, MPC) scheme that takes into account a gradual decreasing where it is often desirable to operate the plant at an MPC) takes into account aa gradual decreasing input-capacity resulting from an incipient actuator fault. where it is often desirable to operate the plant at an unstable steady state tosystems achieve sufficient conversion rates In thisscheme paper, that we propose a fault-tolerant NMPC (FTNMPC) scheme that takes into account gradual decreasing of the latter is process with exothermic reactions, where it is often desirable to operate the plant at an input-capacity resulting from an incipient actuator fault. unstable steady steady state state to to achieve achieve sufficient sufficient conversion conversion rates rates input-capacity resulting from an incipient actuator fault. The main contribution is the design of a reconfigurable, unstable while avoiding high temperatures (El-Farra et al., 2005). MPC) scheme that takes into account a gradual decreasing input-capacity resulting from an incipient actuator fault. where it is often desirable to operate the plant at an unstable steady state to achieve sufficient conversion rates The main contribution is the design of a reconfigurable, while avoiding avoiding high high temperatures temperatures (El-Farra (El-Farra et et al., al., 2005). 2005). The main contribution is the design of a reconfigurable, stabilizing NMPC scheme for plants that require using while Moreover, economic operation of a plant, e.g. through input-capacity resulting from an incipient actuator The main contribution is the design of a reconfigurable, unstable steady state to achieve sufficient conversion rates while avoiding high temperatures 2005). stabilizing NMPC scheme for plants that require fault. using Moreover, economic operation of of (El-Farra plant, et e.g.al.,through through NMPC for plants require Moreover, economic operation aaa plant, e.g. The main contribution is the a reconfigurable, stabilizing NMPC scheme scheme for design plants ofthat that require using using while avoiding high temperatures 2005). stabilizing Moreover, economic operation of (El-Farra plant, et e.g.al.,through Moreover,© 2017 economic Copyright IFAC operation of a plant, e.g. through 16492stabilizing NMPC scheme for plants that require using Copyright © 2017 IFAC 16492 Copyright © 2017 16492 2405-8963 © IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Copyright © 2017, 2017 IFAC IFAC 16492 Peer review under responsibility of International Federation of Automatic Control. Copyright © 2017 IFAC 16492 10.1016/j.ifacol.2017.08.1743

Proceedings of the 20th IFAC World Congress Brage Rugstad Knudsen et al. / IFAC PapersOnLine 50-1 (2017) 15922–15927 Toulouse, France, July 9-14, 2017

15923

the faulty actuator in order to steer the plant from a nominal setpoint to a safety set. The remainder of the paper is structured as follows: In Section 2 we present the system and problem structure. Section 3 describes the design of the proposed FTNMPC scheme, with stability properties described in Section 4. In Section 5, we illustrate the proposed scheme through simulations of a two-series CSTR. Section 6 ends the paper with concluding remarks.

Demetriou and Polycarpou (1998). Other models may also be considered, including linear and Sigmoidal profiles, as well as probabilistic approaches (Salfner, 2007).

2. PROBLEM STATEMENT

i.e. with element Θkjj equal to ψˆt+k . The reduced input capacity of actuator j can then be simply incorporated by modifying (3) as −Θk u ¯ ≤ uk ≤ Θ k u ¯. (5) Remark 1. Note that instead of (5), we may define uk := Θk u ˜k , (6) and equivalently characterize the reduced input capacity by modifying the plant model and input box constraints as xk+1 = f (xk , Θk u ˜k ), (7) −¯ u≤u ˜k ≤ u ¯. (8) This latter form is particularly useful for detection of incipient faults, as it enables the use of parameter estimation techniques or dedicated observer schemes for fault diagnosis. For methods on diagnosis of incipient actuator faults, see e.g. Demetriou and Polycarpou (1998); Zhang et al. (2002); Armaou and Demetriou (2008). We further ˆ tfa ) is note that one way of obtaining an estimate ψ(t, through parameter estimation on past input data in a time window prior to the time of fault alarm tfa .

2.1 System Description In this paper, we consider nonlinear discrete-time systems xk+1 = f (xk , uk ), (1) where xk ∈ Rnx is the state of the system, uk ∈ Rnu with nu > 1, the input, and where f : Rnx × Rnu → Rnx is twice continuously differentiable. We denote the set I := {1, . . . , nu } as the set of inputs for (1). The control of the plant described by (1) is subject to state constraints, (2) x k ∈ X ⊆ Rn , and input box constraints of the form ¯, (3) −¯ u ≤ uk ≤ u where u ¯ ∈ Rm is a vector of capacity constraints on the inputs. The set X is assumed compact and time invariant. We denote x(t) as the state of the system at time t, and we assume that the full state can be measured. Furthermore, we use k ∈ Z[a,b] to denote the discrete time-index for the predictions, where Z is the set of integers on the interval [a, b]. During nominally conditions, we assume that the system (1) is stabilized at a feasible steady state (xs , us ) by a nominal NMPC controller, see e.g. Mayne et al. (2000). Consequently, we focus in the sequel on the formulation and design of the FTNMPC scheme. 2.2 Problem Description We consider the problem of stabilizing the plant described by (1) subject to an incipient fault in actuator uj j ∈ I. Incipient faults, in contrast to abrupt step-wise faults, are characterized by slowly developing performance degradation of the faulty component. This performance degradation can be described by a time profile (or decrease function) (Zhang et al., 2002) which we will denote as ψ(t, tfa ) ∈ [0, 1]. As we focus on the design of an NMPC controller that properly accommodates an incipient actuator fault, we make the following fault-detectability assumption: Assumption 1. At time tfa (fault alarm), an FDI unit detects the onset of an incipient fault in actuator uj , j ∈ I, ˆ tfa ) ≤ ψ(t, tfa ), and provides a worst-case estimate ψ(t, ˆ with ψ : t → R monotonically decreasing, of the decrease in the remaining capacity of the faulty actuator. The incipient fault occurs in one control input only. For incorporation in a discrete-time NMPC formulation, we denote ψˆt+k as the discrete-time values of the estimate ˆ tfa ) predicted k timesteps ahead from sampling time ψ(t, t. Decrease functions of incipient faults, and hence the decrease in remaining actuator capacity, are often modeled as exponential relations, see e.g. Zhang et al. (2002);

The decreasing capacity of actuator j naturally affects the input box constraints (3). Let Θk ∈ Rm×m be a timedependent matrix defined as   (4) Θk = diag 1, . . . , 1, ψˆt+k , 1, . . . , 1 ,

As discussed in Section 1, conventional reactive FTNMPC schemes may fail in recovering a plant from an actuator fault if the faulty system looses stabilizability at the current operating point. This motivates the following problem definition: Problem 1. Upon detection of an incipient fault in actuator j, stabilize the system (1) at a given safe steady state safe ∈ Xsafe is a safety set for (1), taking xsafe s f , where Xf explicitly into account the remaining capacity of the faulty actuator. 3. PROPOSED FTNMPC SCHEME In order to accommodate the incipient fault in actuator j, we resort to a switching of operation mode from a nominal to a safe-transition NMPC controller. The appropriate control action for steering the system from xs to the safety set Xsafe lends itself to a trade-off between the control effort f and transition time. Using a large control input decreases the transition time to Xsafe f , which in the extreme case resorts to minimum-time control. On the other hand, using the control input aggressively may cause additional damage to the faulty actuator, thereby advancing the complete failure of the actuator. Minimizing the control input of the faulty actuator in a safe-transition to a safety set thus alleviates the danger of sudden actuator breakdown. Consequently, the NMPC safe-transition mode should enable optimization of the desired control action as a function of the characteristics of the incipient fault such as the observed decrease of actuator capacity at the time of detection and operation time of the faulty component.

16493

Proceedings of the 20th IFAC World Congress 15924 Brage Rugstad Knudsen et al. / IFAC PapersOnLine 50-1 (2017) 15922–15927 Toulouse, France, July 9-14, 2017

While safety sets for (1) may be formulated based on known properties of the plant or through the maximum controlled invariant set with the faulty actuator inactive, such safety sets may be computationally intractable for nonlinear models or difficult to prove invariant. To formulate a generic safety set, we thus propose to impose the safety set Xsafe through computation of an NMPC terminal f constraint set. To this end, we first precompute a shifted steady-state xsafe by solving the steady-state problem s (xsafe , usafe ) = arg min{g(x, u) | x = f (x, u), x ∈ X, s s −u ¯ i ≤ ui ≤ u ¯i , ∀i ∈ I \ j, uj = 0}, (9) where g(x, u) is some, typically economic, performance measure of the plant set by a supervisory level, seeking to preserve a minimum level of economic performance when operating the plant inside the safety set of the faulty actuator. We assume that the plant described by (1)–(3) admits a steady state pair (xsafe , usafe ) with uj = 0, and s s safe that xs is in the interior of X with −¯ u < usafe < u ¯. s Observe that we must compute the solution to (9) for each set of actuator fault-scenarios, however, by an offline procedure. Note also that by Assumption 1, we restrict our study to single actuator faults. To steer the plant into the safety set Xsafe by means of f the provided estimate of remaining input capacity, we update the setpoints and switch from the nominal NMPC controller to solving the safe-transition problem P safe (x, t): VNsafe (x, t) = min

x,u,ξ,γ

s.t. xk+1 x0 xk −¯ ui

N −1  k=0

, u − usafe ) l(xk − xsafe s s

 1 ργ γ 2 + ρξ ξ02 + Vfsafe (xN − xsafe ) + s 2

= f (xk , uk ), = x(t), ∈ X, ≤ uik ≤ u ¯i , ∀i ∈ I \ j, ˆ ¯j ξk ψt+k , |ujk | ≤ u ξk+1 ≤ γξk , 0 ≤ ξk ≤ 1, 0 ≤ γ ≤ 1, xN ∈ Xsafe f .

k ∈ Z[0,N −1] ,

k ∈ Z[0,N −1] , k ∈ Z[0,N −1] , k ∈ Z[0,N −1] , k ∈ Z[0,N −1] , k ∈ Z[0,N ]

(10a)

(10b) (10c) (10d) (10e) (10f) (10g) (10h) (10i) (10j)

In (10), l(x, u) := 21 ||x| |2Q + 12 ||x| |2R is a quadratic stage cost with positive definite matrices Q and R, ξk ∈ R are auxiliary variables for penalizing the input usage, required through (10g) to be exponentially decreasing, while the nonnegative variable γ ∈ R controls the decrease rate in use of uj . By including the term 1/2(ργ γ 2 + ρξ ξ02 ) in (10a), where ργ ≥ 0 and ρξ ≥ 0 are tuning parameters, we enable tuning with respect to the trade-off between short transition time or low input usage. In particular, P safe (x, t) enables a safe-transition control policy that assures the plant to be steered to a safe set Xsafe within f the prediction horizon, while at the same time optimizing on the exponential decay constant γ and the margin ξ0 to the current remaining capacity of the faulty actuator. The values of ργ and ρξ would normally be set by a supervisory level as a function the severity and time of detection of the incipient fault. Observe that by Assumption 1, ψˆt+k is a

worst-case decrease of the remaining capacity of actuator j, and that this estimate is kept constant and only shifted forward in time in P safe (x, t). 3.1 Terminal Safety Set In order for P safe (x, t) to stabilize the faulty system at the safe steady state xsafe , we must construct an appropriate s terminal set Xsafe and terminal cost Vfsafe (·). To ease this f design, we make a change of coordinates, , (11a) z = x − xsafe s safe (11b) v = u − us , from which we redefine the plant dynamics (1) as   zk+1 = f zk + xsafe − xsafe , vk + usafe , s s s (12) ¯ := f (zk , vk ), such that f¯(0, 0) = 0. The state and input constraints ¯ and v¯ as are updated accordingly, where we denote X the shifted state and input box-constraints, respectively. Moreover, for notational convenience, we define a modified stage cost ¯l (z, v, γ, ξ0 ) := l(z, v) + ρ (γ 2 + ξ 2 ), (13) 0 N −1 with ¯l(0, 0, 0, 0) = 0. For the design of the terminal set, we invoke the following stabilizability assumption: Assumption 2. The pair (A, Bjf ) of the linearized system ¯

zk+1 = Azk + Bjf vk is stabilizable, where A = ∂∂zf (0, 0) and Bjf = B · diag([1, 1, . . . , βj , 1, . . . , 1]), with βj = 0 and ¯ B = ∂∂vf (0, 0). Furthermore, f¯(·, ·) is twice continuously differentiable. This latter assumption enables construction of a linear state-feedback controller vk = Kj zk that exponentially stabilizes the linearized system zk+1 = (A + Bjf Kj )zk . Observe that Kj sets the faulty input to 0. By ensuring that the terminal cost Vfsafe (·) satisfies Vfsafe (f¯(z, Kj z), t) − Vfsafe (z, t) ≤ −¯l(z, Kj z, 0, 0), ¯ safe , (14) ∀z ∈ X f

¯ with 0 ∈ X ¯ safe as a suitable ¯ safe ⊂ X and choosing X f f safe ellipsoidal level set of Vf (·),     ¯ safe := z ∈ Rn  1 z  P z ≤ α , X (15) f  2 where α is a positive constant and P a positive definite matrix, we can assure that the linear state feedback vk = Kj zk stabilizes the origin of the closed-loop system ¯ safe . By designing X ¯ safe as a zk+1 = f¯(zk , Kj zk ) inside X f f safe safe ¯ level set of Vf (·), we further assure that Xf is positively invariant under the control law vk = Kj zk (Mayne et al., ¯ safe is 2000). More precisely, there exists α > 0 such that X f forward invariant and Vfsafe (·) is a local Lyapunov function for the system zk+1 = f¯(zk , Kj zk ). To design the terminal ¯ safe and cost V safe (·) that satisfies (14) and (15), we set X f f adopt a discrete-time variant of Chen and Allg¨ower (1998) as outlined in Johansen (2004), with an iterative procedure for computing a value of α that satisfies (14).

It is worth pointing out that while we do not necessarily have sufficient actuator redundancy to stabilize the faulty system at the nominal equilibrium point, we require the

16494

Proceedings of the 20th IFAC World Congress Toulouse, France, July 9-14, 2017 Brage Rugstad Knudsen et al. / IFAC PapersOnLine 50-1 (2017) 15922–15927

system to be stabilizable by the nu − 1 healthy actuators at the safe steady state. 4. PROPERTIES OF PROPOSED FTNMPC SCHEME In this section, we establish conditions for stability and recursive feasibility of P safe (x, t), using the translated system (12). To this end, we denote zs = xs − xsafe as s the nominal steady state in the translated system. safe

For the safe-transition problem P (x, t), the following nominal stability property holds: Theorem 3. (Stability of safe steady state). Let Assumption 1 and 2 hold, and suppose that P safe (x, t) is feasible at time tfa . Then P safe (x, t) is recursively feasible, and (xsafe , usafe ) is a locally asymptotic stable steady s s state of the closed-loop system under the safe-transition NMPC control law. Proof. Feasibility of P safe (x, t) at time tfa implies reach¯ safe from zs . Within X ¯ safe , the linear feedback ability of X f f v = Kj z with ξk = 0 is admissible for problem P safe (x). By Assumption 1, then at time tfa + 1, the optimal input sequence {v0 , v1 , . . . , vN −1 }, shifted one step ahead and appended with Kj zN satisfies the shifted time-varying input constraints |vjk | ≤ ξk v¯j ψˆtfa +1+k , since Kj is designed with vj = uj = 0, ensuring that Kj zN is feasible with ξN = 0. Similarly, the sequence {ξ0 , ξ, . . . , ξN −1 , ξN } computed at time tfa shifted one step ahead and appended with 0 is feasible for P safe (x) at time tfa + 1. The monotonicity assumption of ψˆ with the required exponential decrease of ξk assures that the optimal decay rate γ computed at time tfa is also feasible at time tfa + 1. Hence, using standard arguments, the construction of the positively ¯ safe implies recursive feasibility invariant terminal region X f safe ower (1998, Lm. 2). of P (x, t), cf. Chen and Allg¨ ¯ safe are For stability, we first note that Vfsafe (·) and X f safe ¯ by design time invariant, X contains the origin in f its interior, and ¯l(·) is convex with ¯l(0, 0, 0, 0) = 0. Furthermore, the additional variables γ and ξ0 in the stage cost are both bounded, and can be considered as ¯ safe , γ = 0 and additional input variables to v. Inside X f ξk = 0, ∀k ∈ Z[0,N ] is feasible. By Assumption 2, Vfsafe (·) ¯ safe . can be bounded above by a class K function in X f Moreover, if P safe (x) is feasible at time tfa , the cost of ¯ safe is bounded. We can steering the system from zs to X f thus apply Prop. 2.35 of Rawlings and Mayne (2009) to establish time independent lower and upper bounds on the optimal cost VNsafe (x, t) by class K functions. This ensures that VNsafe (x, t) satisfies a value function also in the timevarying case, as well as by design of the terminal cost and constraints, satisfies a Lyapunov-like cost decrease. Hence, by (Rawlings and Mayne, 2009, Th. 2.37, p.131), conclude asymptotic stability of the origin for the translated closedloop system under the NMPC control law, and hence for (xsafe , usafe ) by (11).  s s Observe that solving (9) does not necessarily render a steady state with a stabilizable linearization as defined in Assumption 2. This must be checked a posteriori and, if necessary, with tightening of the state and input constraints in (9) in order to achieve a stabilizable linearization around (xsafe , usafe ). Furthermore, one may encounter s s

15925

situations where (xsafe , usafe ) and (xs , us ) coincide, that s s is, the nominal steady state is actually optimal and safe stabilizable with uj = 0. The next result follows from Theorem 3. Corollary 4. (Fault recoverability). The NMPC problem ¯ safe and P safe (x, t) solved on a receding horizon with X f safe Vf (·) described in Section 3.1 solves Problem 1. Remark 5. Infeasibility of P safe (x, t) at time tfa implies a failure of the proposed FTNMPC scheme in stabilizing the faulty system. That is, the fault-tolerant controller fails in preventing a fault from developing into an actuator failure. In this case, some emergency mode must be activated. Remark 6. For abrupt-like faults, ψ(t, tfa ) approaches or is equal to the unit step function. The proposed framework also covers this scenario, leaving ξk = 0 and γ = 0, with conditions for stability and fault recoverabilty equal to Theorem 3. However, while we consider fault recovery that explicitly requires use of the faulty actuator, fault recoverability by P safe (x, t) from abrupt fault depends on whether the plant actually can be stabilized at xsafe by s means of the healthy inputs only. 5. NUMERICAL EXAMPLE F0 , T0 , CA0 F3 , T03 , CA03

CSTR 1

F1 , T1 , CA1

Coolant in Coolant out

CSTR 2

T2 , CA2

Coolant in Coolant out

Fig. 1. Illustration of two CSTRs in series. To illustrate the proposed FTNMPC controller, we consider an example with two non-isothermal continuous stirred-tank reactors (CSTRs) in series, adopted from ElFarra et al. (2005). The interconnections of the two CSTRs are illustrated in Fig. 1. In each CSTR, three parallel irreversible elementary exothermic reactions of the form k2 k3 k1 B, A −→ U and A −→ R take place, where A is the A −→ reactant and B is the desired product. U and R are undesired byproducts. Individual jackets are used to remove heat or supply heat to each reactor. We assume that the temperature and composition of the CSTRs are uniform. The feed to CSTR 1 consists of pure A at a flow rate F0 , molar concentration CA0 , and temperature T0 , while the feed to CSTR 2 consists of the output from CSTR 1, together with an additional fresh stream feeding pure A at flow rate F3 , molar concentration CA03 , and temperature T03 . The resulting interconnected CSTR model reads F0 dT1 = (T0 − T1 ) dt V1 (16a) 3  Q1 (−∆Hi ) + ri (CA1 , T1 ) + , ρcp ρcp V1 i=1

16495

350 300 250

0

5

10

4

3.5

300 250

0

5

10

Concentration CA2 [kmol/m3 ]

Temperature T2 [K]

350

3.5

4

6

8

10

12

8

10

12

1000 0 -1000 -2000 2

4

6

Time [min] 3 0

5

10

Time [min]

3  dCA1 F0 = (CA0 − CA1 ) − ri (CA1 , T1 ), dt V1 i=1

dT2 F1 F3 = (T1 − T2 ) + (T03 − T2 ) dt V2 V2 3  Q2 (−∆Hi ) + ri (CA2 , T2 ) + , ρcp ρcp V2 i=1

F1 F3 dCA2 = (CA1 − CA2 ) + (CA03 − CA2 ) dt V2 V2 3  − ri (CA2 , T2 ),

(16b)

(16c)

(16d)

i=1

where

E

d

2

2000

0

Fig. 2. Closed loop states of the proposed FTNMPC scheme applied to (16) with small (dashed lines) and large (solid lines) values for ργ and ρξ , respectively.

ri (CAd , Td ) = ki0 e

-2000

10

4

Time [min]

− RTi

0 -1000

Time [min] 5

Time [min]

400

1000

0 0

Time [min]

450

Small (ργ , ρξ ) Large (ργ , ρξ ) ¯ 1 ψˆt Q

2000

3

Heat rate Q2 [kJ/h]

Temperature T1 [K]

400

Heat rate Q1 [kJ/h]

Small (ργ , ρξ ) Large (ργ , ρξ ) Safe steady state

450

Concentration CA1 [kmol/m3 ]

Proceedings of the 20th IFAC World Congress 15926 Toulouse, France, July 9-14, 2017 Brage Rugstad Knudsen et al. / IFAC PapersOnLine 50-1 (2017) 15922–15927

CAd ,

d = 1, 2

(17)

are the reaction rates. The inputs of (16) are the jacket heat rates, ui = Qi for i = 1, 2, with available control ¯ 1 = 2.7 × 103 kJ/h and |Q2 | ≤ Q ¯ 2 = 2.8 × energy |Q1 | ≤ Q 3 10 kJ/h. For numerical values of the parameters in(16), we refer the reader to El-Farra et al. (2005). The CSTR model (16) is discretized in time using the backward Euler method. We initialize the system at the nominal steady-state xs = (T1s , CA1s , T2s , CA2s ) = (463.71, 3.24, 410.00, 2.93), which is an unstable steady state for CSTR 1 while stable for CSTR 2, and assume that the control system receives a warning about an incipient fault in actuator u1 = Q1 at tfa = 1 min. To compute xsafe through (9), we set the economic objective g(x, u) = s 2 as a steady − d=1 r1 (CAd , Td ), that is, we compute xsafe s state where the reaction rates of the desired product B can be safely maximized with Q1 = 0. This approach yields xsafe s,j = (300.17, 3.99, 394.00, 3.38), which is verified to be a stabilizable steady state for (16) with Q1 = 0. We implement the NMPC in GAMS, using IPOPT (W¨achter and Biegler, 2005) with a prediction horizon of N = 150 (i.e. 9 min) and a sampling time of 3.6s to solve the NLPs.

Fig. 3. Control inputs with an incipient fault in the cooling for CSTR 1. The dashed lines shows the simulation with small values for ργ and ρξ , while the solid lines shows simulations with corresponding large values for ργ and ρξ . The time decrease-profile of the faulty actuator is shown with a cyan dashed-dotted line. In the considered example, incipient actuator faults imply a slow decrease in available cooling/heating capacities due to leakages in the jacket system, or fouling in the jacket control-valves. For the simulations, we consider a scenario where an incipient fault is detected in the first reactor when 70% of the heat-rate of capacity Q1 is remaining. Following Zhang et al. (2002), we further assume that the worst-case estimate of the reaming cooling capacity can fa be characterized by ψˆt = µ1 e−µ2 (t−t ) , with µ1 = 0.7 and µ2 = 0.02. For the terminal set and cost described in Section 3.1, we compute Kj as the LQR optimal gain matrix and P from the associated Lyapunov equation for the linearized closed-loop system, see Chen and Allg¨ ower (1998) and Rawlings and Mayne (2009, Ch. 2.6) for details. Fig. 2 and 3 show the states and inputs for (16) from simulations of the FTNMPC scheme with two sets of values for ργ and ρξ . Imposing large values for ργ and ρξ is seen to render a cautious use of the faulty control input Q1 ¯ 1 ψˆt . In comparison, imposing with a large margin ξ0 to Q small values to ργ and ρξ causes a more aggressive use of the faulty actuator with an input for a short timewindow equal or close to the estimate of the decrease in cooling capacity. This trade-off in utilization of the faulty actuator is clearly reflected in the transition time of T1 from nominal to safe steady-state, seen in the upper-left plot of Fig. 2. Note that the slow concentration dynamics are less affected by the aggressive and cautious usage of the faulty input, respectively. For the two CSTRs (16) in series, an abrupt fault in the jacket for CSTR 1 with a conventional reactive FTNMPC strategy (see e.g. Yetendje et al. (2013)), where the internal NMPC model is updated first after the fault occurs, would destabilize the plant. To illustrate this, we show in Fig. 4 a simulation where the cooling Q1 is rendered completely useless after time t = 1 min. As Q1 at nominal steady state is 0, cf. Fig 3, the plant remains at xs , while the controller is unable to steer the plant xsafe since the stabilizability of s CSTR 1 is lost. For the purpose of illustration, we add a

16496

Temperature T1 [K]

1200 1000 800 600 400

0

1

2

3

Concentration CA1 [kmol/m3 ]

Proceedings of the 20th IFAC World Congress Toulouse, France, July 9-14, 2017 Brage Rugstad Knudsen et al. / IFAC PapersOnLine 50-1 (2017) 15922–15927

4 3 2 1 0

0

1

Temperature T2 [K]

600

400

200

0

0

1

2

2

3

Time [min]

3

Concentration CA2 [kmol/m3 ]

Time [min] 4 3 2 1 0

0

Time [min]

1

2

3

Time [min]

Fig. 4. Simulation of an abrupt fault in the cooling of CSTR 1 with a reactive FTNMPC scheme. small disturbance to the plant after t = 4 min, which is seen to eventually cause a runaway of the temperature T1 . This highlights the necessity for this application to detect an incipient actuator fault sufficiently early, and transfer the plant to a safe steady state. 6. CONCLUDING REMARKS This paper has presented an FTNMPC scheme for handling of incipient actuator faults in nonlinear plants, where stabilization of the faulty plant requires a safe transition with use of the faulty actuator. The proposed scheme can efficiently complement existing FTC schemes for nonlinear plants. The proposed framework naturally lends itself to an extension with a probabilistic approach for explicitly incorporating uncertainty in the decrease function of the faulty actuator. 7. ACKNOWLEDGMENT BRK and BF gratefully acknowledges financial support from Cybernetica AS. TF thanks the Baden-W¨ urttemberg Stiftung for the financial support of this research by the Elite Programme for Postdocs. REFERENCES Albalawi, F., Alanqar, A., Durand, H., and Christofides, P.D. (2016). Simultaneous control of safety constraint sets and process economics using economic model predictive control. In Proc. Amer. Cont. Conf., 5062–5067. Amui, S. and Mhaskar, P. (2009). Safe-steering of batch process systems. AIChE J, 55(11), 2861–2872. Armaou, A. and Demetriou, M.A. (2008). Robust detection and accommodation of incipient component and actuator faults in nonlinear distributed processes. AIChE J, 54(10), 2651–2662. Bø T.I. and Johansen, T.A. (2014). Dynamic safety constraints by scenario based economic model predictive control. In Proc. IFAC World Congress. Chen, H. and Allg¨ ower, F. (1998). A quasi-infinite horizon nonlinear model predictive control scheme with guaranteed stability. Automatica, 34(10), 1205–1217.

15927

Demetriou, M.A. and Polycarpou, M.P. (1998). Incipient fault diagnosis of dynamical systems using online approximators. IEEE Trans. Autom. Control, 43(11), 1612–1617. El-Farra, N.H., Gani, A., and Christofides, P.D. (2005). Fault-tolerant control of process systems using communication networks. AIChE J, 51(6), 1665–1682. Franz`e, G., Tedesco, F., and Famularo, D. (2015). Actuator fault tolerant control: A receding horizon settheoretic approach. IEEE Trans. Autom. Control, 60(8), 2225 – 2230. Johansen, T.A. (2004). Approximate explicit receding horizon control of constrained nonlinear systems. Automatica, 40, 293–300. Knudsen, B.R. (2016). Proactive actuator fault-tolerance in economic MPC for nonlinear process plants. In Proc. of IFAC Symp. on Dynamics and Control of Process Systems. Trondheim, Norway. Knudsen, B.R., Alessandretti, A., and Jones, C.N. (2016). Sensor fault tolerance in output feedback nonlinear model predictive control. In Proc. Conf. Control and Fault-Tolerant Sys. (SysTol). Barcelona, Spain. Lao, L., Ellis, M., and Christofides, P.D. (2013). Proactive fault-tolerant model predictive control. AIChE J, 59(8), 2810–2820. Lucia, S., A.E. Andersson, J., Brandt, H., Diehl, M., and Engell, S. (2014). Handling uncertainty in economic nonlinear model predictive control: A comparative case study. J. Process Control, 24(8), 1247–1259. Maciejowski, J.M. (1999). Modelling and predictive control: Enabling technologies for reconfiguration. Annu. Rev. Control, 23, 13–23. Mayne, D.Q., Rawlings, J.B., Rao, C.V., and Scokaert, P.O.M. (2000). Constrained model predictive control : Stability and optimality. Automatica, 36(6), 789–814. Rawlings, J. and Mayne, D. (2009). Model Predictive Control: Theory and Design. Nob Hill Publishing. Salfner, F.and Malek, M. (2007). Using hidden semiMarkov models for effective online failure prediction. In Proc. IEEE Symp. on Reliable Dist. Syst., 161–174. W¨achter, A. and Biegler, L.T. (2005). On the implementation of an interior-point filter line-search algorithm for large-scale nonlinear programming. Math. Program., 106(1), 25–57. Xu, F., Olaru, S., Puig, V., Ocampo-Martinez, C., and Niculescu, S.I. (2014). Sensor-fault tolerance using robust MPC with set-based state estimation and active fault isolation. In Proc. Conf. Decision Control, 4953– 4958. Yetendje, A., Seron, M.M., and De Don´a, J.A. (2010). Robust MPC design for fault tolerance of constrained multisensor linear systems. In Proc. Conf. Control and Fault-Tolerant Sys. (SysTol), 4678–4683. Yetendje, A., Seron, M.M., and Don´a, J.A.D. (2013). Robust multiactuator fault-tolerant MPC design for constrained systems. Int. J. of Robust Nonlin., 23(16), 1828–1845. Zhang, X., Polycarpou, M.M., and Parisini, T. (2002). A robust detection and isolation scheme for abrupt and incipient faults in nonlinear systems. IEEE Trans. Autom. Control, 47(4), 576–593.

16497