Reconfigurable Fault-tolerant Control: A Tutorial ... - Semantic Scholar

European Journal of Control (2008)5:359–386 # 2008 EUCA DOI:10.3166/EJC.14.359–386

Reconfigurable Fault-tolerant Control: A Tutorial Introduction J. Lunze and J.H. Richter Institute of Automation and Computer Control, Ruhr-Universita¨t Bochum, Universita¨tsstrasse 150, 44801 Bochum, Germany

This paper provides a tutorial introduction to reconfigurable control and surveys recent advances on this topic. Control reconfiguration is an important method of fault-tolerant control that uses the results of a fault diagnosis component to restructure the control loop and to adapt the controller to the faulty plant. This paper describes recent approaches that are suitable for on-line application. These approaches lead to a redesign of the controller or augment the control loop with a reconfiguration block that adapts the nominal controller to the dynamical properties of the faulty plant. The approaches are illustrated by means of a running example and experimental applications of selected methods. Challenges for future research in the field are stated. Keywords: Fault-tolerant control; multivariable control systems; control reconfiguration, reconfigurability.

1. Introduction 1.1. Dependability of Complex Systems The increasing complexity makes man-made systems more and more vulnerable for faults and malfunctions. At the same time, requirements for system dependability are surging as a consequence of increasing economical demands and tightening environmental regulations. Maintaining system dependability at required levels by improving individual components is challenging and expensive. Feedback

Correspondence to: J. Lunze, E-mail: [email protected] E-mail: [email protected]

control is an ideal technology for increasing the system dependability. Control reconfiguration denotes a class of solutions to this problem, where the control loop structure and the controller dynamics are adjusted in response to component malfunctions. This paper gives a tutorial introduction to reconfigurable control (sometimes also referred to as restructurable control) and reviews state-of-the-art control reconfiguration methods. It explains how feedback control can remain operational after severe faults like sensor and actuator faults or failures. Inevitably, components are subject to faults and failures, which fault-tolerant control accepts as a fundamental premise. This survey places emphasis on faults that break the control loop. To bring the controller back into operation, it is not sufficient to change controller parameters. Alternative, albeit not necessarily identical sensors or actuators have to be used instead of the faulty components. Thus the entire control loop must be restructured to utilise the available redundancies. These steps have to be carried out under real-time constraints, which necessitate a tradeoff between the complexity and sophistication of the chosen approach and its real-time applicability. The field of fault-tolerant control was largely motivated by two aircraft incidents. In the first incident, the left elevator was jammed in an upward position. It took considerable time and efforts for the cockpit crew to relearn flying the Lockheed L-1011, which was eventually landed safely, using mostly thrust control [47]. In the second and more severe incident, two engines were torn off the right wing of a

Received 15 November 2007; Accepted 29 June 2008 Recommended by the Survey and Historical Papers Editor M. Gevers

360

Boeing-747 at low altitude, resulting in asymmetrical thrust and additional control surface damage. This incident turned into a severe accident, although it was shown afterwards that the crash was avoidable in principle [45]. The incidents show that fast autonomous, automatic responses to faults might have helped the cockpit crew to avoid accidents, particularly in situations with little time for decisions. As a simplified version of the reconfiguration problem to be solved in these situations consider the yaw motion control of the aircraft shown in Figure 1. Neglecting the coupling between the yaw axis and remaining axes, the yaw angle is primarily controlled by means of the rudder angle uR. When the rudder fails, yaw angle control is impossible, unless a functionally redundant actuator is found, because inflight rudder repair is impossible. To restructure the loop, an alternative actuator such as differential engine thrust must be used. This example illustrates that severe faults or component failures necessitate a change of the control loop structure. Reconfiguration methods should automatically find these changes.

Fig. 1. Aircraft with yaw axis z and yaw angle . The yaw angle is normally controlled by the rudder deflection angle uR . After the rudder fails by blocking in centered position (f), the differential thrust uT can be used to influence the yaw angle. This solution must be automatically and autonomously found by means of a control reconfiguration component.

J. Lunze and J.H. Richter

1.2. Fault-Tolerant Control The main principle of fault-tolerant control (FTC) (Figure 2) consists in augmenting the ordinary control loop (execution level) by a supervision level with the aim to satisfy the loop performance requirements for both the faultless plant and the faulty plant. The execution level works continuously to ensure disturbance attenuation and setpoint following. The supervision level performs the two conceptual steps of FTC, which are fault diagnosis and control re-adjustment, usually accomplished separately and in this order. Control re-adjustment is a collective term for the manipulation of the controller to adequately control the faulty plant. Figure 3 shows the procedure from an event-driven perspective, revealing how the system cycles through different operating modes due to fault occurrence, fault diagnosis, reconfiguration, and finally repair. Several important notions have been introduced to describe the aims and methods of fault-tolerant

Fig. 3. Control loop modes. (a) The loop starts in healthy (faultfree) operation mode. The occurrence of a fault event ef causes the loop to operate in the undesired faulty mode. After the diagnosis event ed , the reconfiguration event erc lifts the system to the more desirable reconfigured mode, where it should be at least stable and should satisfy the control specifications as well as possible. This situation remains until the repair event er recovers the healthy operation mode. (b) The timing diagram shows the temporal relation between the events driving the automaton (a). The diagnosis delay generally varies depending on the diagnosability of the current operating conditions. The fault may not be diagnosed for a long time if the system excitation is not sufficient. The time-toreconfigure adds the computation time for the reconfiguration solution, which typically grows with the dimension of the system.

Fig. 2. Fault-tolerant control loop. A fault f acting on the plant is detected and located by the fault detection and isolation (FDI) module. The fault estimate f^ is then used by the control loop adjustment module to adapt the structure of the control loop and the controller parameters to the faulty plant.

361

Reconfigurable Fault-tolerant Control

control. A fault is an unpermitted condition that changes at least one characteristic property of a component or the whole plant. Faults are triggered internally, for example, by blocked valves in a chemical batch plant, or externally by changes in environmental conditions, such as a temperature drop. Faults can be further classified by their location in a plant. Actuator faults affect actuation components such as pumps, valves, stirrers, switches, drives, motors, or brakes. They concern the efficiency of inputs to the system. Plant faults like clogged pipes or leakages affect internal plant components resulting in changed plant dynamics. Sensor faults lead to in erroneous measurements such as biased, scaled, or constant zero readings. They concern the measured output of a system. A malfunction is an intermittent irregularity in the function of a system whereas a failure of a component or plant is a permanent and complete interruption of the service that this component or plant provides. Faults in a component often turn into failures of parts of a system or into failure of the overall system if there is no response to the fault. Redundancy is a prerequisite for fault-tolerant control. Physical redundancy refers to the duplication of critically important actuators and sensors. This concept, sometimes also called direct redundancy, allows for using simple schemes for the detection and alleviation of faults and failures at the price of increased system cost. Analytical redundancy refers to the functional relationship between system inputs and outputs, rather than to the components themselves. For example, measured quantities can often be calculated from other quantities by means of algebraic or, more often, by means of dynamic relations. Likewise, outputs strongly influenced by some control input are often also controllable from other inputs, albeit with different gains and time constants. Analytical redundancy is more challenging to use than physical redundancy, but it allows for building more cost-efficient systems. All approaches described in this article use analytical redundancy in addition to physical redundancy. Fault diagnosis is a difficult problem and a large area attracting ongoing research, and certainly its integration with reconfigurable control remains a major unsolved problem. Since the inclusion of a detailed treatment of fault diagnosis would exceed any reasonable bound on paper length, the interested reader is referred to the monographs and survey articles [8, 16, 20, 21, 50]. For a general introduction to fault-tolerant control, the reader might want to consult [34]. Furthermore, the advent of self-monitoring actuators and sensor justifies the following focused point of view [30, 69]. This paper singles out

the reconfiguration step for discussion, assuming that the faults have already been detected, isolated, and identified by a diagnosis component to sufficient precision for re-adjusting the control loop. Fault-tolerant control methods have been used in the industry for a long time to varying degree, from simple concepts to sophisticated approaches. Presently, there is still a gap between the achieved rigorous theoretical foundation and the applications in the industry. The open theoretical problems are numerous, as summarised in Section 6 below. Until their resolution, engineering practice will likely continue to rely on extensive simulations and experimental tests. Few actual industrial applications of fault-tolerant control have been reported [49]. A summary of application-oriented studies of fault-tolerant control is available in [34, 76].

1.3. Control Reconfiguration Control reconfiguration deals with severe faults where the structure of the loop needs to be changed in order to ensure fault tolerance. Alternative measured or manipulated variables must be found in order to reroute the signal paths around the faulty component and to bring the control loop back into operation (Figure 4). Hence, control reconfiguration includes the choice of a new loop structure and the adaptation of the control law to the new configuration. In the aircraft yaw control example (Figure 1), differential engine thrust is applicable and can be used to replace the effect of the rudder. This article surveys reconfiguration methods that work autonomously, that find reconfiguration solutions on-line, and that are based on mathematically rigorous methods to guarantee the reconfiguration success. Figure 4 also points out that control reconfiguration starts from the solution of the controller design problem for the nominal plant. The nominal controller can be used as an approximate solution to the controller re-design problem for the faulty plant. Therefore, the reconfiguration problem can also be called a controller redesign problem. The availability of the nominal controller is important since the control reconfiguration is to be completed automatically by the control supervision level without the investigation of a human engineer. For this reason, the model-matching approach to control reconfiguration surveyed in Section 4.1 aims at finding a controller that assigns the reconfigured closed-loop system the same behaviour as the nominal closed-loop system. In contrast, the fault-hiding approach explained afterwards tries to ‘‘hide’’ the

362


Fig. 4. Control reconfiguration idea. For the nominal plant, the controller uses the input u2 (left). If the corresponding actuator fails, the control loop is broken and an adjustment of the controller to the faulty plant is impossible unless other control inputs are used (right). In the reconfigured closed-loop system the effect of the controller on the plant is re-routed around the faulty actuator (two arrows).

fault from the controller. The nominal controller remains in the loop while a reconfiguration block re-routes the input or output signals around the faulty component (Figure 4). This article focuses on methods for reconfiguration that are applied after successful fault diagnosis. After stating the reconfiguration problem in Section 2, control reconfiguration approaches are classified by their underlying paradigms in Section 3. State-of-the-art methods are explained for the two paradigms redesign (Section 4) and fault-hiding (Section 5). Experimental results illustrate and evaluate a recent fault-hiding approach. In Section 6, the perspective is broadened and several other approaches to and aspects of control reconfiguration are briefly sketched. The article concludes with Section 7.

2. Reconfiguration Problem This section introduces the models and reconfiguration goals used throughout the article. The main ideas are explained for linear plants, although many of these ideas are also applicable to nonlinear plants.

Plant ΣP

Bd x

B

C

A uc

Controller ΣK

y r

Fig. 5. Block diagram of the nominal control loop in state-space representation. The controller can have arbitrary linear or nonlinear dynamics. The only assumption used about the controller is that the nominal controller ensures the control objectives.

matrix, and d 2 Rp the disturbance ( Figure 5). The system representation (1), (2) contains known inputs uc as well as disturbances d, which are unknown and can be stochastic or deterministic. For control reconfiguration, the model must include all available inputs and outputs, that is, the input vector uc does not only contain the inputs needed in the faultless case, but also the inputs that can be used in the faulty case. The same requirement holds for the output vector y. In the control loop, the reference input is denoted by r(t). A general linear controller K is represented by x_ c ðtÞ ¼ Ac xc ðtÞ Fc yðtÞ þ Gc rðtÞ; xc ð0Þ ¼ xc0 ;

2.1. Plant Modelling A state-space representation of a linear plant P ¼ (A, B, C, Bd) is given by _ xðtÞ ¼ AxðtÞ þ Buc ðtÞ þ Bd dðtÞ; xð0Þ ¼ x0 ; ð1Þ yðtÞ ¼ CxðtÞ;

d

ð2Þ

where xðtÞ 2 Rn is the state, yðtÞ 2 Rr the output, uc ðtÞ 2 Rm the input from the controller, A 2 Rnn the system matrix, B 2 Rnm the input matrix, C 2 Rrn the output matrix, Bd 2 Rnp the disturbance distribution

ð3Þ uc ðtÞ ¼ Cc xc ðtÞ Kc yðtÞ þ Vc rðtÞ

ð4Þ

This representation includes the important classes of output regulation controllers Bc :¼ Fc ¼ Gc Dc :¼ Kc ¼ Vc

ð5Þ ð6Þ

static state feedback controllers (Ac ¼ Fc ¼ Gc ¼ Cc ¼ 0, C ¼ I), and static output feedback controllers (Ac ¼ Fc ¼ Gc ¼ Cc ¼ 0).

363


2.2. Fault Modelling Strategies Fault-tolerant control is based on the knowledge of the fault. Hence, fault information must be incorporated into the system model (1), (2). Multiplicative faults cause variations of the model parameters and, hence, occur in the model in multiplications of the parameter matrices with the plant signals to yield the model Pf ¼ (Af, Bf, Cf, Bd) x_ f ðtÞ ¼ Af xf ðtÞ þ Bf uf ðtÞ þ Bd dðtÞ; xf ð0Þ ¼ xf 0 ; ð7Þ yf ðtÞ ¼ Cf xf ðtÞ

ð8Þ

For actuators and sensors, a component failure is expressed by replacing the column corresponding to the broken k-th actuator in B or the row corresponding to the broken l-th sensor in C by a zero column or row, respectively, Bf ¼ b 1 . . . bk1 0 bkþ1 . . . bm ;

ð9Þ

Cf ¼ ðc1 . . . cl1 0 clþ1 . . . cr ÞT

ð10Þ

The zero columns or rows are justified, for example, in setpoint control problems. Here the actuators, when blocking, are likely to be near the equilibrium point around that the nonlinear model is linearised to obtain the linear model (1), (2). For nonlinear systems operated near an equilibrium, an equilibrium input translates to a zero input relative to the equilibrium. The output yf differs from the nominal output y, since the fault changes the plant behaviour, either because the state innovations change due to actuator faults, or because the measurement is faulty. Internal component faults are mapped to a modified system matrix Af. For example, a partially clogged pipe connecting two tanks in an industrial process plant changes parameters in the matrix A. On the other hand, complete pipe clogging would induce a zero entry. The model (7), (8) of the faulty system permits a qualitative evaluation of the components to be faultless or faulty. The quantitative description Af ¼ AðÞ;

Bf ¼ BðÞ;

Cf ¼ CðÞ

(8) is adequate. Hence, all control reconfiguration approaches described below use it, where the model parameters are either given by (9) or by (11). Alternatively, additive fault models are commonly used in the fault diagnosis literature [31], but are considered here only for augmenting a multiplicative fault-model by an offset caused by actuator blockage. 2.3. Reconfiguration Goals To ensure that the reconfigured closed-loop system performs in the same way as the nominal one the reconfiguration goals are expressed by comparing the reconfigured control loop to the nominal control loop (Figure 6) as follows, where (t) denotes the unit step function: Loop stabilisation goal. The reconfigured closedloop system should be asymptotically stable. Loop equilibrium recovery goal. The reconfigured closed-loop system should attenuate disturbances d(t), and its output yf should asymptotically follow a given setpoint: rðtÞ ¼ rðtÞ ! yðtÞ rðtÞ ! 0 as t ! 1. Loop output trajectory recovery goal. The reconfigured plant output yf (t) should exactly match the nominal plant output y(t) for arbitrary disturbance inputs d(t) and command inputs r(t). Loop state trajectory recovery goal. The reconfigured plant state xf (t) should exactly match the nominal plant state x(t) for arbitrary disturbance inputs d(t) and command inputs r(t). All methods for achieving these reconfiguration goals should ideally work autonomously, reconfigure

ð11Þ

is obtained if the matrices are represented in terms of a fault parameter vector 2 , where denotes the space over that is defined. This model form is suited to describe changes in component characteristics. Since control reconfiguration deals mostly with severe faults, the multiplicative fault model (7),

Fig. 6. Reconfiguration goals compare the nominal closed-loop system (left) with the reconfigured closed-loop system (right). Both the nominal and reconfigured closed-loop systems should be stable. When setpoint tracking is a nominal control goal, it is important that the equilibrium of the reconfigured closed-loop system matches the nominal loop behaviour with respect to the inputs r and d and the outputs yf or y, respectively. Likewise, to achieve trajectory tracking, the dynamic transmission behaviour is matched.

364


on-line, operate together with any nominal controller structure, meet arbitrary real-time constraints, handle structural faults, and use analytical redundancy. In the explanation of the main ideas of reconfiguration methods below, it will be shown which of the mentioned requirements these methods satisfy. Remark 1 All goals are formulated above in a strict sense. In practice, however, they are often not strictly attainable. In that case, they are approximated or restricted to part of the system. For example, the failure of a dynamic actuator renders its state uncontrollable, hence not stabilisable. However, the control of failed actuators is not of interest, hence the corresponding state is excluded from the stabilisation goal.

reasons used in the normal operation mode. The nominal controller is a static output feedback kR 1 uR ðtÞ ¼ yðtÞ þ rðtÞ; 0 0 uT ðtÞ which only uses the rudder. The zeros in the feedback law result from the consideration of all available inputs to the plant. For illustrative purposes, kR ¼ 1 is used in the following discussions. Examples for fault models are the following: (i)

2.4. Illustrative Example: Aircraft Yaw Control The aircraft example is used throughout this article to illustrate the different reconfiguration methods. The yaw rate _ of the aircraft in Figure 1 is primarily controlled by the rudder deflection angle uR. The turbines are usable to the same end as well, if differential thrust uT is applied. Both the rudder actuation system and the turbines have their own dynamics, which are approximated here as first-order systems with state variables xR and xT and time constants TR ¼ TT ¼ 1 s. A simple linearised model obtained from the momentum balance with respect to the z-axis of the aircraft has the form 0

xR ðtÞ

1

0

T1R

0

0

10

xR ðtÞ

1

dB C B C CB 0 A@ xT ðtÞ A @ xT ðtÞ A ¼ @ 0 T1T dt _ ðtÞ _ ðtÞ 0:27 0:13 103 01 1 TR 0 B C uR ðtÞ 1 þ@ 0 T A ; ð12Þ T uT ðtÞ 0 0 0

yðtÞ ¼ ð 0

0

1 xR ðtÞ 1 Þ@ xT ðtÞ A; _ ðtÞ

ð13Þ

where the inputs uR and uT drive the first-order models of the actuators, whose states physically represent forces. The angular rate _ is considered as the output of the system. The model reflects the intuition that both the rudder uR and the differential thrust uT affect the yaw rate _ . However, due to geometry, the rudder has twice the gain of the differential thrust with respect to creating yaw torque, as visible in the lower row of the system matrix in the model (12), and for this and other

(ii)

Failure of the control channel that moves the rudder to the deflection angle uR ¼ 0 . Within a linear modelling framework, this type of failure is multiplicative, since it can be represented by a modified input matrix 0 1 0 0 ð14Þ Bf ¼ @ 0 T1T A; 0 0 where the first column is set to zero to reflect the rudder command outage. Blockage of the rudder at an arbitrary position uR , which is modelled by the same modified input matrix (14) and an additional disturbance input, 0

xR ðtÞ

1

0

T1R

0

0

10

xR ðtÞ

1

dB C B C CB 0 A@ xT ðtÞ A @ xT ðtÞ A ¼ @ 0 T1T dt _ ðtÞ _ ðtÞ 0:27 0:13 103 1 0 0 u 1 R 0 0 T B 1 C uR ðtÞ B RC þ @ 0 TT A þ @ 0 A; uT ðtÞ 0 0 0 ð15Þ whereas the output equation (13) remains unchanged. Both faults have structural consequences since they break the nominal control loop. The controller is ineffective until further measures are taken to reconfigure the controller to use differential engine thrust for controlling the yaw rate. The model (12), (13) shows that, after command failure, the controller action must be redirected to differential thrust uT and scaled by a factor of two. In case of non-centered rudder blockage, the induced disturbance must in addition be compensated. The least goal is the recovery of the steady-state behaviour as demanded by the equilibrium recovery goal, which simplifies the safe landing of the aircraft.

365


Furthermore, the best-possible recovery of the transient yaw dynamics is desirable to relieve the cockpit crew from re-learning to fly the faulty aircraft. The better the dynamics are recovered, the more the reconfigured aircraft feels, from the viewpoint of the pilot, like the fault-free aircraft. Remark 2 Several phenomena that govern real aircraft as well as any coupling between the yaw, roll and pitch axes have been neglected to obtain a simple model for illustrative purposes. In reality an aircraft model is a nonlinear parameter-varying system. Furthermore, rudders have faster time constants than jet engines, and the saturations in the input channels represent a major challenge for fault-tolerant control. A realistic and detailed multi-axis case study of aircraft under engine thrust control is reported in [13].

3. Reconfiguration Paradigms

framework and follows one of the following paradigms (Figure 7): Direct use of physical redundancy, Projection of the current fault situation to a known scenario, Use of learning control to deal with unanticipated faults, Controller redesign, Fault hiding with respect to the nominal controller input and output. Each paradigm is briefly discussed in the following paragraphs. Detailed explanations of the two most important paradigms to redesign the controller or to hide the fault from the nominal controller are given in the following two sections. The automatic redesign approach represents the core of this article. 3.2. Reconfiguration by Means of Physical Redundancy

3.1. Survey Over the past 30 years, a variety of approaches to control reconfiguration has been developed. The majority of approaches is based on a linear

The concepts following this paradigm originate from safety-critical applications such as the control of nuclear power plants or aircraft control systems and find new attention for all-electric automotive steering

Fig. 7. Classification of control reconfiguration methods. Projection refers to the choice of a control scheme from a list of predefined solutions. Learning control denotes a family of approaches from computer science, specifically artificial intelligence with a strong focus on learning and handling of unanticipated faults. Automatic redesign refers to on-line reconfiguration without reference to predefined solutions. If the nominal controller is discarded, automatic design is called controller redesign. If it is kept in the loop, the automatic redesign is called fault hiding.

366

systems without mechanical backup [32]. In such applications, faults leading to failures potentially cause catastrophic events. To avoid the latter, conceptually simple approaches to control reconfiguration are pursued. They usually involve the installation of physically redundant, identical hardware components, such as duplicate actuators or sensors. After a component fault has been detected, a simple decision logic switches the controller from an impaired to the corresponding redundant component. This approach is expensive, since every critical component must be installed at least twice. The computational effort for the reconfiguration step is negligible, and this approach works well in practice. However, this approach is only capable of exploiting physical redundancy. The use of physical redundancy is appropriate for the mentioned domain of safety-critical applications, however too expensive outside of this domain. This observation motivates the search for methods that can exploit analytical redundancy, such as those methods described below. 3.3. Reconfiguration by Projection to a Known Scenario All methods following this paradigm determine the controllers for the faulty plant prior to plant operation and organise them as banks, from which the controller that is best-suited to the current fault case is selected on-line. Each prepared controller should be robust against uncertainties in the fault model, since the space of possible faults is usually a continuum, whereas only a finite number of sample fault cases can be considered for controller design. Frequently, linear quadratic regulators are used as bank controllers (see [3] and references therein). When a fault occurs, the resulting case is mapped to one of the pre-computed scenarios, which motivates the name ‘‘projection’’ for this reconfiguration paradigm. Both physical and analytical redundancy can be exploited. The concept is simple, however involves considerable off-line efforts for the design of various controllers and on-line effort for the implementation of all these controllers. Projection is not considered as an on-line reconfiguration method and, hence, not further discussed here.

3.4. Reconfiguration by Learning a New Control Algorithm In the projection paradigm and most other paradigms, all relevant faults need to be considered before bringing the control loop into operation. This may be


too restrictive in practice and has led to the idea of combining classical control techniques with learning control methods. Usually, a fast component (e. g. Kalman filter) is employed to obtain quick estimates of changing conditions, and a slower learning component is used to store previous knowledge for future re-use. The concepts of learning control are closely related to adaptive control, which also consist of a fast and a slow loop. Both paradigms, however, differ with respect to the models used in the slower loops. The learning techniques make use of neural networks, expert systems and general problem solvers, while adaptive approaches usually employ in the slow loop the same models that are used in the fast loop. This paradigm is a large topic of its own with a strong focus on computer science, specifically with ideas of artificial intelligence. Since this line of research lies outside the focus of this article, the matter is not discussed here any further and the reader is referred to [19, 66] for further details. In this context it should be mentioned that adaptive control methods can be readily used for fault accommodation but not for control reconfiguration, because they aim at changing the parameters of the controller in order to minimise the distance between the true loop behaviour and a loop reference model (see [1, 10] for an example). Adaptive control does not properly address problems in which alternative inputs or outputs have to be used.

3.5. Reconfiguration by Controller Redesign This paradigm performs a complete controller redesign after the detection and identification of a fault. To facilitate design automation, the desired loop behaviour is represented by a reference model and the nominal controller is designed to match the closedloop behaviour with the reference model. In response to a fault, the same design procedure is followed to bring the behaviour of the reconfigured closed-loop system as close to the reference model as possible. The term ‘‘reference model’’ is used here in a broad sense. The closed-loop behaviour can be represented by quadratic weights for LQ-regulator design or model predictive control, by eigenvalues, by the complete eigenstructure, or by a state-space model. Both analytical and physical redundancy are utilisable by this paradigm. The computational cost varies according to the specific method. Notably, unlike most of the other approaches, model predictive control is not limited to linear systems, and naturally handles constraints, such as actuator saturation [44].

367


However, model predictive control requires the highest on-line computational effort. 3.6. Reconfiguration by Hiding the Fault from the Nominal Controller The motivation of this paradigm is best explained by looking at the faulty plant from the perspective of the controller. Keeping the nominal controller in the closed loop unchanged after a fault is desirable for at least the following three reasons. First, if the controller is a human being (pilot, plant operator, etc.), the technical term ‘‘controller redesign’’ implies that the human being must be trained for all possible fault scenarios before operation. Furthermore, the fault occurrence causes a considerable amount of workload and stress at fault time. Naturally, the number of fault cases that can be trained off-line is limited, and the stress load potentially causes new problems arising from inappropriate decisions. Second, if the nominal controller is automatic, it includes much of the design knowledge that has been gained in the iterative off-line steps of its design. It is desirable to keep as much of this

experience as possible even after faults. Third, in the case of large-scale plants controlled by multivariable controllers, it is unnecessary to replace the entire controller, if the faults affect only a small part of the plant. Keeping the nominal controller is possible if a reconfiguration block is added between the former and the faulty plant that hides the fault effects from the controller. The reconfiguration block together with the nominal controller represents the reconfigured controller. From the controller perspective, the reconfiguration block forms a reconfigured plant whose behaviour is identical with the nominal behaviour. For a human controller, fault-hiding implies that the faulty plant may be operated in the wellknown nominal way. For example, a pilot would not have to figure out which other controls he must use to compensate the effect of lost actuators, but the reconfiguration block takes care of that task. The concepts of controller redesign and fault hiding are compared in Figure 8.

4. Controller Redesign Approach Designing a new dedicated controller from scratch after the identification of faults promises good performance, provided that a suitable controller synthesis approach is used. Therefore, several redesign methods have been developed, whose main ideas are presented in this section together with an evaluation of the suitability of these methods for completely automatic reconfiguration. The section concludes with bibliographical remarks. 4.1. Overview of the Model-Matching Approach This section reviews the basic model-matching idea, which is common for all approaches of the redesign paradigm. Model matching is based on a closed-loop reference model

Fig. 8. Comparison of the controller redesign and fault-hiding paradigms. Controller redesign (left) discards the nominal controller from the closed-loop system and determines, at reconfiguration time, a new controller for the faulty plant. The new controller uses alternative inputs of uf and outputs of yf , if necessary. Fault hiding (right) keeps the nominal controller in the closed-loop system and determines, at reconfiguration time, a reconfiguration block. Both approaches involve an automatic design step, which can be completed by using one of various possible synthesis methods.

x_ m ðtÞ ¼ Mxm ðtÞ þ NrðtÞ

ð16Þ

yðtÞ ¼ P xm ðtÞ;

ð17Þ

where r(t) is a reference input signal, and N is introduced to guarantee a desired steady state gain. The closed-loop system formed by system (1), (2) and a state feedback controller uc ðtÞ ¼ KxðtÞ þ VrðtÞ

ð18Þ

should have the same dynamics as the reference model (16), (17).

368


When the model-matching approach is used for reconfiguration purposes, a standard technique consists in using the model of the nominal closed-loop system as a reference model. In the yaw rate control example, the reference model has the parameters 0 1 0 1 1 1 0 1 M¼@ 0 1 0 A; N ¼ @ 0 A: 0 0:27 0:13 103 The nominal controller is designed to have the closedloop system match the reference model. In explicit model following, the difference between the outputs of the reconfigured plant and the reference model is minimised in a least squares sense. In implicit model following, the difference between the faulty and nominal state innovations are minimised. The goal of control reconfiguration is to match the reference model as close as possible after the occurrence of a fault. Problem 3 (Reconfiguration by Linear Explicit Model Following) Given the system (1), (2), a nominal state feedback (18) and a fault model (7), (8), determine a new controller uf ðtÞ ¼ Kf xf ðtÞ þ Vf rðtÞ

ð19Þ

such that the conditions Af Bf Kf M ¼ 0;

ð20Þ

Bf Vf N ¼ 0

ð21Þ

are satisfied. A zero right-hand side in the conditions (20), (21) is the ideal goal. In this case, the reconfigured closedloop model equals the nominal closed-loop model in terms of both its dynamical and input-output behaviour. If these conditions cannot be satisfied, the goal is to minimise the left-hand sides of the conditions (20), (21). The approaches discussed below differ with respect to the reference model features and with respect to the mathematical tools used for its recovery.

pseudo-inverse matrix, which gives the methods its name. The following first introduces the basic idea, which lacks the guarantee of closed-loop stability, followed by extensions that ensure stability and required performance. A fault results in a modified plant model (7), (8). The goal is to solve Problem 3 such that the right-hand sides of (20), (21) are minimised in the 2-norm k k2 sense, min J1

with

J1 ¼k M ðAf Bf Kf Þ k2

ð22Þ

min J2

with

J2 ¼k N Bf Vf k2 :

ð23Þ

Kf

Vf

The solution is given in terms of pseudo-inverse matrices Kf ¼ arg min J1 ¼ Bþ f ðAf A þ BKÞ

ð24Þ

Vf ¼ arg min J2 ¼ Bþ f N;

ð25Þ

Kf

Vf

where Bþ f denotes the pseudo-inverse of Bf [6]. The controller (19) with the matrices Kf and Vf is then plugged into the closed-loop system instead of the original controller (Figure 9). In the figure, thick arrows indicate that the respective block is subject to changes at reconfiguration time. So far, this method suffers from the severe problem that the stability of the reconfigured closed-loop system cannot be guaranteed. In addition, it may even fail to re-establish a closed-loop system [55]. The stability problem can be addressed by replacing the unconstrained optimisation problems (22) and (23) by constrained problems, where the closed-loop system matrix is required to be stable. The stability constraint is formulated in terms of the stability

4.2. Pseudo-Inverse Methods for Control Reconfiguration The pseudo-inverse method addresses actuator faults modeled by Bf as well as internal plant faults modeled by Af. The nominal plant (1), (2) is controlled by state feedback (18), yielding the closed-loop system (16), (17), which is used as the reference model. The reference model is recovered by determining the

Fig. 9. Pseudo-inverse method for control reconfiguration. The prefilter and feedback gains V and K of the state-feedback control scheme are re-adjusted to reconfigure the closed-loop system after faults, resulting in Vf and Kf . Assuring stability and robust performance with acceptable computational efforts were key problems with this early reconfiguration approach.

369


robustness of linear systems with structured uncertainty. The modified pseudo-inverse method attains the stabilisation goal if possible, but is computationally intensive and its on-line applicability is questionable. Details are described in [24]. Further restrictions on the set of admissible solutions were developed to ensure that controllers are found that satisfy given performance bounds. For example, in [18, 61] a computationally simpler approach based on a set of admissible reference models is described in terms of linear matrix inequalities (LMI). The admissible set can be chosen to ensure adequateness and robust stability. The reconfigurability of a fault situation can be assessed with respect to that admissible set. This framework allows to embed the equilibrium and trajectory recovery goals into a suitable choice of admissible models. In this approach, a set of admissible models is defined as _ ¼ MxðtÞ þ NrðtÞ xðtÞ subject to ðM; NÞ 2 M N ; with the sets M and N , which are defined by LMI as in M ¼ fM such that ðMÞ 0g N ¼ fN such that ðNÞ 0g: Necessary and sufficient conditions for the existence of solutions are given and the solutions are obtained by non-constrained optimisation. The solutions are unique and efficiently computable if the regions described by the LMI are convex. The robustness issues are discussed further in [61].

exactly matching the specified dynamic behaviour after actuator and internal plant faults. Again, the nominal closed-loop system (16), (17) is used as a reference model. Definition 4 A closed-loop system formed by the system (1), (2) and the controller (18) provides PERFECT MODEL FOLLOWING with respect to the reference model (16), (17), if and only if the relations A BK ¼ M; BV ¼ N hold. This approach is illustrated by Figure 10. The reference model T(s) is run in parallel to the faulty plant and implemented in the controller. The control input uðtÞ ¼ ke eðtÞ þ km xm ðtÞ þ kr rðtÞ

ð26Þ

to the plant consists of the stabilising part with gain ke and the model matching part with gains km and kr. The former is chosen to stabilise the output error dynamics and the latter are chosen to decouple the output error from the input. Assume that the relations Cf ¼ P ¼ I

ð27Þ

hold. Then the output error e ¼ ym yp is described by (7), (8), (16), (17), and (26), which yield the dynamical system _ ¼ ðAf Bf ke ÞeðtÞ þ ðM Af Bf km Þxm ðtÞ eðtÞ þ ðN Bf kr ÞrðtÞ:

ð28Þ

4.3. Linear Model-Following Approach to Control Reconfiguration Three linear model-following approaches are described in this section. The first one, perfect model following, uses stabilising feedback with dynamic compensators. The second one, adaptive model following, applies an adaptive feedback control algorithm consisting of state feedback, a reference prefilter and an affine term to the faulty plant. In eigenstructure assignment, the nominal eigenvalues and eigenvectors are recovered after a fault has occurred. 4.3.1. Perfect Model Following This approach combines the use of a stabilising feedback with the design of a dynamic compensator for

Fig. 10. Perfect model-following method for control reconfiguration. The plant GðsÞ subject to a fault f is controlled after reconfiguration by the stabilising gain Ke and model-matching gains Kr and Km . Note that the reference model TðsÞ is an integral part of the controller.

370


This error model motivates to use a controller where the gain ke stabilises the matrix Af Bf ke and the gains km and kr must decouple the error dynamics from the model state xm and the reference input r, respectively. Perfect model following is obtained for km ¼ Bþ f ðM Af Þ kr ¼

ð29Þ

Bþ f N:

ð30Þ

Perfect model following guarantees closed-loop stability if the pair (Af , Bf ) is stabilisable. The stabilising gain can be determined, for instance, by pole placement or LQ-design. The bounded-input boundedoutput (BIBO) stability of the closed-loop system is even assured if the model following is not perfect, due to the bounded nature of the reference signal r. The loop output trajectory recovery goal is met if full decoupling is achieved. Perfect model following can be obtained only if the assumption (27) is satisfied and the faulty plant has the same zero structure as the nominal plant. If new zeros are introduced by faults, a dynamic component is needed to compensate these zeros. An extension of perfect model following referring to this idea shows that the design of the dynamic compensator turns out to be computationally demanding, which makes this approach questionable under real-time constraints [25]. In the yaw control example, the output matrix is not an identity matrix. Furthermore, the fault introduces a plant zero at 1, while there were no zeros in the nominal plant. Hence, the fault in the yaw control example cannot be handled by this approach. 4.3.2. Adaptive Model Following In adaptive model following a closed-loop reference model including the reference signal is recovered by using a control law of the form uðtÞ ¼ K1 ðtÞxðtÞ þ K2 ðtÞrðtÞ þ k3 ðtÞ;

ð31Þ

K_ 1j ðtÞ ¼ G1j xðtÞeT ðtÞPbj ; K_ 2j ðtÞ ¼ G2j rðtÞeT ðtÞPbj ;

ð33Þ

k_3j ðtÞ ¼ 3j eT ðtÞPbj ;

ð34Þ

j ¼ 1; :::; m

ð32Þ

(Figure 11), where an adaptive scheme for the gains K1 ðtÞ, K2 ðtÞ, k3 ðtÞ is used that results in a stable

Fig. 11. Adaptive model following method for control reconfiguration. The controller consists of a static state feedback K1 , a feedforward pre-filter K2 and an affine source term K3 that are tuned by an adaption algorithm based on the closed-loop reference model shown on the bottom of the figure.

closed-loop system and statically tracks the reference signal [17]. Here, G1;j , G2;j , 3;j are constant matrices, eðtÞ ¼ xðtÞ xm ðtÞ is the state tracking error, and P is the solution of the Lyapunov equation PM þ MT P þ Q ¼ 0; where Q ¼ QT 0 is some symmetric positive-definite matrix. This method covers the blocking of actuators at arbitrary positions. No assumptions have to be made about the blocking position, which is an advantage of this approach over many other methods in the literature. However, adaptive model following prescribes the use of state-feedback control. 4.3.3. Eigenstructure Assignment The nominal closed-loop eigenstructure can be considered as the important quantity to be restored after the occurrence of a fault as proven in [35]. In case of full state-feedback (18), the eigenvalues i of the nominal closed-loop system are fully recovered by the reconfigured feedback law K ¼ ðS A1 Vf ÞðCf Vf Þ1 ;

ð35Þ

where the matrix of eigenvectors is defined by maxðr;mÞ Þ, and the matrix concerning Vf ¼ ðv1f ; v2f ; . . . ; vf eigenvalues is S ¼ ð1f s1 ; 2f s2 ; . . . ; rf smaxðr;mÞ Þ with parameters si defined in [35]. The closed-loop stability can be guaranteed, and furthermore the closed-loop eigenvalues satisfy the equation f;i ¼ ðAf Bf Kf Cf Þ ¼ i ¼ ðA þ BKCÞ;

i ¼ 1; . . . ; maxðr; mÞ:

371


The closed-loop eigenvectors v f;i ¼ ðf;i I Af Þ1 Bf KCf vf;i are recovered as closely as possible. In case of output feedback, only the most dominant eigenvalues and eigenvectors are recovered, while the remaining ones are fixed. Eigenstructure assignment prescribes static statefeedback or output-feedback as control structure. The shown basic approach to eigenstructure assignment can deal neither with faults that result in an order reduction of the system, nor with cases where nominal closedloop eigenvalues equal post-fault open-loop eigenvalues. The approach lacks robustness properties against uncertainties in the fault model. Eigenstructure assignment augmented to include integral action was applied to the nonlinear model of a pressuriser in [36]. All of these issues are addressed in a recent extension [4]. A modified redesign of a static output feedback controller is given to allow for plant order reduction and equal pre-fault closed-loop as well as post-fault open-loop eigenvalues by formulating an appropriate optimisation problem. If the degrees of freedom for matching all eigenvalues are not sufficient, a dynamic controller design approach is used. Robustness is achieved by ensuring the appropriate alignment of the resulting eigenvectors to minimise the eigenvalue sensitivity with respect to uncertain plant parameters by means of a corresponding term in the cost functional. Sufficient conditions are given for the possibility to place poles in a prescribed region by means of static output feedback, which imply that trajectory recovery is possible. These algorithms require the solution of a nonconvex global optimisation problem for that the authors suggest the application of genetic optimisation. Furthermore, there is no a-priori guarantee of success in placing the eigenvalues inside a specified target region. In case of a negative result the procedure must be repeated with a relaxed target region. These properties render the otherwise interesting approach intractable for on-line use unless the problem can be relaxed to convex problems for specific problem instances and solved by using more efficient optimisation techniques.

4.4. Reconfiguration by Optimal Control 4.4.1. LQ-Optimal Redesign The basic idea of linear quadratic optimal control [2, 40] is shown in Figure 12(a). Before the plant is

Fig. 12. Optimisation approach to control reconfiguration by controller redesign. In LQ-optimal redesign, the nominal performance weights Q and R are used to re-synthesise the control law for the faulty plant. In model predictive control, the plant model is updated to reflect the fault, for example, by adding constraints on actuator variables.

put into operation, a linear time-invariant controller is designed off-line using LQ-optimal design according to the optimisation goal Z 1 xðtÞT QxðtÞ þ uðtÞT RuðtÞ dt: ð36Þ min K

0

The positive semi-definite weighting matrix Q penalising the state error and positive definite weighting matrix R penalising control energy are stored for later on-line reuse. After a fault is identified, a new controller is designed by recalculating the state feedback using the model (7), (8) of the faulty plant and the nominal weights Q, R, where Pf is the solution of a matrix Riccati equation K ¼ R1 BTf Pf

ð37Þ

0 ¼ ATf Pf þ Pf Af Pf Bf R1 BTf Pf þ Q:

ð38Þ

If the faulty plant is controllable, a controller is found that solves the control problem with respect to the original weighting in the optimal way, and the stabilisation goal is attained. Although neither the equilibrium nor the trajectory recovery goal are pursued explicitly, gross violations of either goal are penalised by the performance functional (36). The main drawback of this method lies in completely discarding the nominal controller. Although some information about the nominal case is retained in the weights Q and R, the relation between those nominal weights and the reconfigured closed-loop performance is generally unclear. In particular, due to fine-tuning during nominal controller design, the adequateness of those weights for the faulty plant is doubtful. There are also numerical issues to be considered. The matrices Bf and Cf should have full rank

372


in LQ-optimal regulator design in order to avoid numerical singularities. However, these matrices rarely satisfy this restriction after faults [43], and model reduction steps become necessary in general. 4.4.2. Reconfiguration by Model Predictive Control Model predictive control (MPC) is capable of solving the reconfiguration problem with little extra effort compared with control of the nominal plant [44, 54]. A basic model predictive control scheme generates at each discrete time step an optimal sequence of control inputs uk::kþHu for the control horizon Hu with respect to the predicted output error trajectory (Figure 12(b) ). The input is calculated to minimise a cost function VðkÞ ¼

Hp X

k rðk þ iÞ yðk þ iÞ k2Q

i¼Hr

þ

H u 1 X

ð39Þ k uðk þ iÞ k2R

i¼0

subject to constraints G1 uðkÞ 0 G2 uðkÞ 0

ð40Þ ð41Þ

G3 yðkÞ 0

ð42Þ

where k x k2Q :¼ xT Qx; Q ¼ QT 0, k x k2R :¼ xT Rx; R ¼ RT 0 impose weights on the state and input, and u describes the change in control action from one instant to another. G1 , G2 , and G3 are matrices used to express constraints on the input change u, the absolute input magnitude u, and the outputs y as linear inequalities. Over the finite-time horizon subject to the plant dynamics and constraints, the obtained solution of the optimisation problem is a control input sequence uk::kþHu minimising that error. The horizons for input and output penalty,Hp, Hu, need not coincide, and the output is frequently penalised not from the beginning, but after time Hr. Only one step of the input sequence is applied to the plant, which generates the next output measurement, and the optimisation is repeated. To achieve control reconfiguration after fault identification, the internal plant model of the MPC is updated to reflect the faults. Faults are usually expressed by additional inequality constraints (rate limits, position limits), which already form an integral part of the control approach. By that way, all kinds of redundancy can be exploited, and the plant can be stabilised if it is detectable as well as stabilisable with the fault.

MPC is not limited to linear plants. Nonlinear and even hybrid plants can be handled in principle, thus also reconfigured by means of MPC. The major drawbacks concern the high computing power requirements that practically limit the applicability of this method to slow plants and the requirement to know the reference trajectory ahead of time, which limits the applicability to recipe-like domains. A relaxation of the on-line computational requirements for MPC results from multi-parametric extensions to model predictive control (see the survey [48] for an introduction). In this approach, the reference input is included into the optimisation problem as a free parameter. The result is a controller in the form of an easily implementable lookup table. Consequently, the reference trajectory needs no longer to be known a-priori. The practical applicability depends on the allowable time-toreconfigure. Chemical process control applications are frequently governed by slow nonlinear processes, which is the reason why MPC is rooted and frequently used within this domain.

4.5. Evaluation of Reconfiguration by Control Redesign Controller redesign is based on control synthesis methods that have been developed for use by design engineers. These methods are modified so that they can be used on-line without the usual iterative engineering design cycle. Notably, predictive control also handles system classes beyond linear systems. However, there are two difficulties associated with completely discarding the nominal controller and designing a reconfigured controller for the faulty plant from scratch. The first issue arises from the mentioned iterative nature of manual controller design. The controller structure and parameters contain more information than can be coded into single-step synthesis parameters. In practice, the nominal controller is a result of human inspection of the closed-loop time responses and repetitive use of automated design algorithms. This procedure cannot be repeated on-line at fault-time. Secondly, certain problem formulations of linear control design turn out to be more suitable for automatic application than others. For example, the target pole regions during pole placement are not a practically suitable specification for automatic design. Design parameters with a closer relation to the time response tend to yield better results.

373


These difficulties have led to the development of the fault hiding paradigm, which retains the nominal controller in the closed-loop system. This paradigm is explained in the next section. 4.6. Commented Bibliography on Controller Redesign The pseudo-inverse method was the first systematic approach to control reconfiguration after actuator faults [14]. Its origin lies in the domain of aircraft applications. Surprisingly, in its original formulation, the stability of the resulting closed-loop system is not guaranteed, and it is limited to state feedback control. The lack of stability guarantee was removed by Gao and Antsaklis in an influential publication, presenting the modified pseudo-inverse method [24]. Further concerns regarding the robustness of the obtained solution were addressed by Staroswiecki in the admissible pseudo-inverse method [61], where constraints on the closed-loop system behaviour are expressed as linear matrix inequalities. The latter extended approach was applied to a numerical example in [18]. Three approaches termed as linear model following use a similar methodology. A method for perfect model following was developed by Gao and Antsaklis in [25]. Recently, a variation using adaptive model following was published by Chen et al. [17]. Another adaptive approach is reported by Bodson and Groszkiewicz [10], where several approaches to adaptation are compared with a focus on dealing with unanticipated faults. Variations are discussed regarding direct versus indirect controller adaptation, and schemes based on the output error versus the input error. An approach based on the eigenstructure assignment of the reconfigured closed-loop system was introduced by Jiang [35] and generalised by Ashari et al. [4]. Implicit model following is a further method, where the error between the reference model and the reconfigured closed-loop system is minimised, as detailed by Huang and Stengel [28]. Further linear model following approaches exist, which are not discussed further in this article. The generalised plant transfer function of the faulty plant is matched to that of the nominal plant by an H1 criterion by Jonckheere and Yu [37]. The solution is tested using a linear aircraft model. Two approaches based on optimal control concepts depend on LQregulator design or model predictive control. LQregulator design was used by Looze et al. [40], and more recently by Staroswiecki et al. [64]. Model predictive control was taken as a basis for control reconfiguration by Maciejowski and Jones [45], and Kerrigan et al. [39, 70].

5. Fault Hiding Approach This section reviews the reconfiguration paradigm that allows to keep the nominal controller in the reconfigured closed-loop system, thus preserving the design knowledge it contains after control reconfiguration. First, the basic idea of fault-hiding is introduced, followed by a discussion of virtual sensors and virtual actuators, that achieve fault-hiding after sensor or actuator faults and failures, respectively. The section closes with bibliographical notes. 5.1. The Idea of Fault Hiding The key idea of the fault-hiding paradigm of control reconfiguration is to place a reconfiguration block between the faulty plant and the nominal controller in order to hide the fault from the controller (Figure 13). From an implementation-oriented viewpoint, the reconfiguration block is part of the reconfigured controller. The reconfiguration block is connected to all accessible sensors and actuators of the plant through the signal vectors uf and yf, which include those signals that are not used by the nominal controller. The fault-hiding goal is accomplished by rerouting the signal paths from the nominal controller through the faulty plant and back to the controller by means of the reconfiguration block. The nominal controller is connected to the reconfiguration block by means of the signals uc and yf. For the purpose of designing the reconfiguration block, a different perspective is helpful. The

Fig. 13. Control reconfiguration from a fault-hiding perspective. Fault-hiding is accomplished by introducing a reconfiguration block such that the reconfigured plant has the same I/O behaviour as the nominal plant with respect to the inputs uc and d and the output yc or yf , respectively.

374

reconfiguration block connected to the faulty plant is viewed as the reconfigured plant. The fault-hiding goal is satisfied if the input/output (I/O) behaviour of the reconfigured plant is identical to the I/O behaviour of the nominal plant for a suitable initial state of the reconfiguration block (Figure 13). The original closed-loop-related reconfiguration goals described in Section 1 are replaced by the following plant-related goals as follows. Stabilisability goal. The reconfigured plant should be stabilised by the nominal controller. Equilibrium recovery goal. The static I/O relation of the reconfigured plant with respect to the input uc, the disturbance d, and the outputs yf should be the same as the static I/O relation of the nominal t !1 plant: for all uc(t) ¼ uðtÞ : y(t) yf (t) ! 0. Output trajectory recovery goal. The I/O behaviour of the reconfigured plant with respect to the input uc and the disturbance d and the control outputs yf should be dynamically the same as the I/O behaviour of the nominal plant: for all uc(t), d(t), t > 0 : y(t) yf (t) ¼ 0. State trajectory recovery goal. The state trajectories of the faulty plant inside the reconfigured plant and of the nominal plant should be identical for all initial states and inputs: for all uc(t), t > 0: x(t) xf (t) ¼ 0. The state trajectory recovery goal is rather strong. However, it is interesting to see under what conditions this goal can be satisfied. For linear systems, the plant-related goals are equivalent to the closed-loop-related goals. For the stabilisation goal of the reconfigured closed-loop system, the stabilisation goal of the reconfigured plant is necessary and sufficient. Equilibrium recovery of the plant is equivalent to having the closed-loop system meet the loop equilibrium recovery goal. Further, the loop trajectory recovery goal is met if and only if the reconfigured plant recovers the I/O behaviour of the nominal plant. The latter insight implies that the reconfigured closed-loop system behaves exactly like the nominal closed-loop system from an exterior viewpoint. The attainability of the stabilisation goal can be directly derived from the fault-hiding principle for linear time-invariant systems. It is attainable if and only if the pair ðAf ; Bf Þ is stabilisable and the pair ðAf ; Cf Þ is detectable [65]. No weaker goal is practically admissible. The attainability conditions for the other goals are stated below within the contexts of the virtual sensor and virtual actuator for sensor and actuator faults and failures.


5.2. Reconfiguration after Sensor Failures: The Virtual Sensor The virtual sensor is a reconfiguration block R that hides multiplicative sensor faults modeled by a modified output matrix Cf . Its properties are only briefly sketched, since it is essentially a state observer. The virtual sensor is defined by the equations x^_ ðtÞ ¼ A x^ðtÞ þ Buc ðtÞ þ Lyf ðtÞ; x^ð0Þ ¼ x^0 ð43Þ yc ðtÞ ¼ C x^ðtÞ þ Pyf ðtÞ

ð44Þ

uf ðtÞ ¼ uc ðtÞ

ð45Þ

where A :¼ A LCf

ð46Þ

C :¼ C PCf

ð47Þ

(Figure 14). It consists of a state observer for the faulty plant, the output map C , a feedthrough P, and an identity throughput at the input. Once the state is estimated, the reconstruction of the closed-loop output is straightforward. The stabilisation goal is attainable if and only if the pair ðA; Cf Þ is detectable. In this case, the virtual sensor satisfies all reconfiguration goals. The state trajectory recovery goal is met with the exception of the faulty sensor state,

Fig. 14. Control reconfiguration after sensor faults by means of a virtual sensor. The virtual sensor consists of a Luenberger-type state observer that reconstructs the plant state x^ using the faulty measurements. The free design parameter L is chosen to stabilise the pair ðAT ; CTf Þ. The reconstructed state x^ together with the faulty measurement yf are used to determine the nominal measurement yc by means of the matrix C , which is fed back to the nominal controller.

375


which cannot be recovered, but the physical quantity to be measured is recovered. Disturbances are rejected in the same way as in the nominal closed-loop system. In the model of the faulty plant, only the matrix C is changed to Cf . After attaching the virtual sensor to the faulty plant and introducing the new state vector eðtÞ ¼ x^ðtÞ xf ðtÞ, the combined state equations for the reconfigured plant become

0 xf ðtÞ A eðtÞ Bd B dðtÞ þ uc ðtÞ þ Bd 0 x~ð0Þ x0 ¼ x^0 x0 eð0Þ x_ f ðtÞ _ eðtÞ

¼

A 0

and the virtual sensor (43)–(45) form the reconfigured closed-loop system 1 0 1 0 xf 0 xf ð0Þ @ xc ð0Þ A ¼ @ xc0 A ð49Þ x^0 x^ð0Þ

yf ðtÞ yc ðtÞ

¼

Cf PCf

0 0

0 C

0

1 xf ðtÞ @ xc ðtÞ A x^ðtÞ

ð50Þ

It is straightforward to verify the closed-loop separation principle by introducing the state eðtÞ ¼ x^ðtÞ xf ðtÞ into Equations (48), (50). 5.3. Reconfiguration after Actuator Failures: The Virtual Actuator

yc ðtÞ ¼ Cxf ðtÞ þ C eðtÞ:

5.3.1. Structure of the Virtual Actuator This model shows the success of reconfiguration. Due to the well-known separation principle, the model has two parts. The first state equation concerning xf shows that the reconfigured plant behaves exactly like the nominal plant, including the disturbance influence. Its eigenvalues are determined by the matrix A of the nominal plant, and it is driven by the input uc through the nominal input matrix B. The fault is hidden asymptotically, unless the initial state x0 is precisely known. The error system with the difference state e is autonomous and designed to be stable. The initial observer error is non-vanishing, because, in general, the initial state x0 is not precisely known. Hence, the error vanishes asymptotically and the fault-hiding goal is asymptotically satisfied. Its poles are assigned, and determined by the matrix A LCf . The feedback gain L ensures that the error signal asymptotically vanishes. The reconfigured output equals the nominal output once e has vanished. The feedthrough gain P does not affect the error system stability. A good heuristic choice for P is, for example, P ¼ Ir , where the rows corresponding to faulty sensors should be set to zero. The feedthrough gain P can also be used to systematically decouple the output yc from constant disturbances d. The faulty plant (7), (8) together with the linear controller (3), (4) in output regulation form (5), (6) 1 0 A BDc PCf x_ f ðtÞ @ x_ c ðtÞ A ¼ @ Bc PCf LCf BDc PCf x^ðtÞ 0

BCc Ac BCc A

The virtual actuator is a reconfiguration block R used to hide multiplicative actuator faults modeled by a modified input matrix Bf . Contrary to its dual, the virtual sensor, the virtual actuator R is a new concept for control reconfiguration [65]. It is defined by the equations x_ ðtÞ ¼ A x ðtÞ þ B uc ðtÞ; uf ðtÞ ¼ Mx ðtÞ þ Nuc ðtÞ

x ð0Þ ¼ x0 ð51Þ ð52Þ

yc ðtÞ ¼ Cx ðtÞ þ yf ðtÞ

ð53Þ

Where A :¼ A Bf M B :¼ B Bf N

ð54Þ ð55Þ

(Figure 15). The degrees of freedom for its design consist in a feedforward matrix gain N and a feedback matrix gain M. Both gains are chosen by means of different techniques according to the attainable goals, as described below. The virtual actuator reduces to a static input correction block if the matrices M and B are set to zero. If the state trajectory recovery goal is attainable and N is designed accordingly, the relation B ¼ 0 holds and the integrator of the virtual actuator never leaves the origin and can be omitted in the implementation. If

10 1 1 0 0 1 BDc C Bd BDc xf ðtÞ Bc C A@ xc ðtÞ A þ @ Bc ArðtÞ þ @ 0 AdðtÞ BDc C BDc x^ðtÞ 0

ð48Þ

376


Fig. 15. Control reconfiguration after actuator faults by means of a virtual actuator. The state x of the virtual actuator tracks the state error between the nominal and faulty plants resulting from the actuator fault. By means of the feedback M, the plant is stabilised. A static feedforward block N ensures quick reaction to control commands and is further used to achieve the equilibrium or trajectory recovery goals.

B 6¼ 0 holds, then the output is corrected to ensure fault-hiding. 5.3.2. Analysis of the Reconfigured Plant For the analysis of the reconfigured plant, the virtual actuator (51)–(53) is combined with the plant (7), (8), where only the input matrix Bf is faulty, and all other matrices are nominal. After the state transformation xf ðtÞ I I x~ðtÞ ¼ ; x ðtÞ 0 I x ðtÞ |fflfflfflfflffl{zfflfflfflfflffl} T 1

with T

¼

I I 0 I

ð56Þ

the combined state equations for the reconfigured plant become ! x~ðtÞ B A 0 x~_ ðtÞ uc ðtÞ þ ¼ x ðtÞ B 0 A x_ ðtÞ Bd þ dðtÞ ð57Þ 0

x~ð0Þ x ð0Þ

¼

x0 þ x0 x0

ð58Þ

Fig. 16. Analysis of the reconfigured closed-loop system. The difference system is decoupled from the reconfigured plant. After transformation, it is apparent that the fault is contained in the autonomous difference system that is excited by the control input but converges to the origin if it is not excited. The reconfigured plant is decoupled from the difference system showing that the reconfiguration is successful.

yc ðtÞ ¼ ðC 0Þ

x~ðtÞ x ðtÞ

ð59Þ

This model shows that, like for virtual sensors, a separation principle holds for the reconfigured plant. The first state equation concerning x~ shows that the reconfigured plant model seen by the controller equals the nominal plant model if x0 ¼ 0 is chosen. The first subsystem has the eigenvalue set ðAÞ and it is driven by the input uc through the nominal input matrix B. The disturbance influence is nominal. The second part concerns the state x ðtÞ ¼ xðtÞ xf ðtÞ; which, according to Equation (56), describes the deviation of the state xf of the faulty plant from the state x of the nominal plant. The difference system has no connection to the control output yc . The difference system is, therefore, structurally unobservable from the controller (Figure 16). Hence, the fault-hiding goal is satisfied for x0 ¼ 0. The difference system poles, which are given by ðA Bf MÞ, are assigned by appropriate choice of the feedback gain M. Any state feedback controller synthesis method is applicable for this task, such as pole placement or LQ-design. If x0 ¼ 0 holds, then the transformed state x~ of the virtual actuator is decoupled and equals the nominal case, see Equation (58). In combination with the general linear feedback controller (3), (4) in output regulation form (5), (6), the reconfigured closed-loop system becomes

377


1 0 10 1 0 1 A Bf NDc C Bf NCc Bf ðM NDc C Þ xf ðtÞ Bf NDc x_ f ðtÞ C B CB C B C B Bc C Ac Bc C A@ xc ðtÞ A þ @ Bc ArðtÞ @ x_ c ðtÞ A ¼ @ x_ ðtÞ B Cc A B Dc C B Dc B Dc C x ðtÞ 1 0 1 0 0 1 x0 xf ð0Þ Bd C B C B B C þ @ 0 AdðtÞ; @ xc ð0Þ A ¼ @ xc0 A x0 0 x ð0Þ 0

yf ðtÞ yc ðtÞ

¼

C C

0 1 x ðtÞ 0 0 @ f A xc ðtÞ : 0 C x ðtÞ

ð61Þ

The closed-loop separation principle is easily obtained from Equation (60) by means of the transformation (56). The fault-hiding and separation properties of the virtual actuator do not depend on any specific controller [65]. Any arbitrary, even nonlinear, controller can be used. However, the linear controller simplifies the analysis of the reconfigured closed-loop system. The virtual actuator handles multiplicative faults. In addition, blockage off the operating point is handled as well, if the nominal closed-loop system rejects constant disturbances, as shown in [57]. 5.3.3. Design of the Virtual Actuator This section summarises design approaches for the reconfiguration goals stated above for actuator faults. Lemma 5 (Stabilising virtual actuator [65]) The fault hiding and stabilisation goals are attainable for the faulty plant (7), (8), if and only if the pair ðA; Bf Þ is stabilisable. The reconfigured plant (57), (59) containing the virtual actuator (51)–(53) satisfies the stabilisation and fault hiding goals for x0 ¼ 0, if a stabilising gain M is determined using any state feedback synthesis approach. The attainability condition mentioned in Lemma 5 means that the faulty plant must not contain any fixed unstable pole. The feedforward gain N may be arbitrarily chosen for achieving the fault hiding and stabilisation goals, where N ¼ I and N ¼ 0 are reasonable choices. The former choice quickens the effect of healthy actuator signals that would otherwise have to pass the virtual actuator integrator. The matrix N adds a degree of freedom that can be used systematically and independently of the stabilising step for designing M to achieve steady state tracking (equilibrium recovery goal). The following considerations summarise the attainability of the equilibrium recovery goal and the design of the virtual actuator for that case.

ð60Þ

Consider the virtual actuator state (51). The steady state tracking error between the nominal plant and the reconfigured plant is obtained from setting x_ ¼ 0, uc : y ¼ C x ¼ CðA Bf MÞ1 ðB Bf NÞ For the equilibrium recovery goal, this error must vanish for arbitrary constant inputs uc : y ¼ 0. The goal is attainable after actuator faults if and only if A Bf B A Bf ¼ rank ð62Þ rank Cz 0 Cz 0 0 holds. The solution is then given by N ¼ ðCðA Bf MÞ1 Bf Þy CðA Bf MÞ1 B;

ð63Þ

where y denotes the right-inverse. Lemma 6 (Setpoint-tracking virtual actuator [65]) The equilibrium recovery goal is attainable for the faulty plant (7), (8), if and only if Condition (62) is met. The reconfigured plant (57), (59) containing the virtual actuator (51)–(53) solves the equilibrium recovery goal, if M is designed as in Lemma 5, and the feedforward gain N is chosen as in Equation (63). Another approach to achieve setpoint tracking consists in adding one new integrator per output to the virtual actuator whose outputs are added on the input uf in order to get setpoint tracking for the relevant states [65]. The trajectory recovery goal is attainable after actuator faults by using the static input reconfiguration block uf ðtÞ ¼ Nuc ðtÞ

ð64Þ

if and only if the condition im SO B im SO Bf

ð65Þ

is satisfied, where SO denotes the observability matrix of the nominal plant. The feedforward gain N is obtained from the equation N ¼ ðSO Bf Þþ SO B:

ð66Þ

378


This approach is called Markov-parameter matching because the rows of the matrix SO B constitute the Markov parameters of the nominal plant.

static block (64). If Condition (67) is not met, the pseudo-inverse solution (68) directly provides an approximation [24].

Lemma 7 (Static trajectory recovery [55]) The trajectory recovery goal is attainable for the faulty plant (7), (8) using the static input reconfiguration block (64), if and only if Condition (65) is met. The reconfigured plant (7), (8), (64) solves the trajectory recovery goal, if and only if N is designed as in Equation (66).

Example. In the yaw control example, after the rudder failure the attainability conditions (62)–(65) are all satisfied. Hence, all goals are attainable with the exception of the state trajectory recovery goal. The design of a stabilising virtual actuator by pole placement with target poles T ¼ ð20; 21; 22Þ results in the feedback gain 0 0 0 M¼ ; 0 3:1 323:1

holds for all frequencies s. To this end, the reconfiguration problem is reformulated as a disturbance decoupling problem. The reconfiguration algorithm is reported in [42, 65], where the disturbance decoupling problem is solved using techniques from geometric systems theory [5, 71]. The state trajectory recovery goal is attainable after actuator faults by means of a static block (64) if and only if im B im Bf

ð67Þ

holds. The matrix N realising that goal is obtained from the equation N ¼ Bþ f B:

ð68Þ

/

If Condition (67) is met, Solution (68) recovers the forcing action on the state. The difference state is not excited and the virtual actuator reduces to the

which shows that especially deviations of the yaw rate from their nominal trajectory are fed to the differential thrust input. Subsequent computation of an equilibrium-recovering feedforward gain (63) results in the feedforward gain 0 0 N¼ : 8:2 1 Now consider the application of the feedforward reconfiguration block (64) without the virtual actuator dynamics. The application of Solution (66) to the yaw control reconfiguration example (12)–(14) leads to the solution 0 1 0 0 0 0 0 B C 0:13 A N¼ @ 0:27 0 3:73 3:73 0:27 0:13 0 0 ¼ ; 2 1

/

If Condition (65) is violated, the trajectory recovery goal is attainable using the virtual actuator if and only if rank Gf ðsÞ ¼ rank GðsÞ Gf ðsÞ

Fig. 17. Behaviour of the reconfigured aircraft yaw control loop after rudder failure. The virtual actuator is designed by two different methods, which aims at the stabilisation with subsequent equilibrium recovery (left axes) or the Markov-parameter recovery (right axes). The actual plant-related signals are shown in black, whereas the controller-related signals are shown in grey. Rudder motion is shown in solid, differential turbine thrust in dash-dotted.


which shows that the first rudder input is correctly redirected to the second differential thrust input with a factor two. Figure 17 shows the behaviour of the reconfigured closed-loop system. The stabilising approach with equilibrium recovery (left axes) reaches the same setpoint, but a small difference between the fault-hiding signal yc and the true yaw rate yf is visible in the transient phase. In contrast to this, the Markov-parameter approach (right axes) achieves the trajectory recovery goal, as seen by agreement between the black (plantrelated) and grey (controller related) yaw rate signals.

379

5.4. Experimental Evaluation: Reconfiguration of a Thermofluid Process after Actuator Failures To illustrate the function of the virtual actuator, experimental results from a laboratory application are described in this section. The chemical pilot plant VERA at the Institute of Automation and Computer Control in Bochum (Germany) was used for the reconfiguration experiments (Figure 18). A thermofluid process (Figure 19) that requires the regulation of fluid level lTS , fluid electrical conductivity TS and fluid temperature #TS to given setpoints was implemented. This continuous flow process

Fig. 18. Chemical pilot plant VERA. The plant consists of standard industrial components and contains 64 sensors as well as 82 actuators. The automation equipment includes industrial programmable logic controllers, which provide safety interlocks, subordinate control loops and an interface to the rapid prototyping environment MATLAB/Simulink.

380

Fig. 19. Flow scheme of the thermofluid continuous-flow process realised on the pilot plant VERA. Cold non-salty water is continuously blended with salt concentrate in the container TS. The temperature, fluid level, and electrical conductivity in the container TS are controlled by decentralised nominal control loops. Failure of the control valve input uTB , the heater input uel;TS , or the pump input uPS break one of the control loops. Reconfiguration must automatically and adequately use the redundant components to bring the control loop back into operation.

results from continuously blending warm salt concentration from the supply tank TB with salt-free water at room temperature from the cold water supply CW. The goal variables are controlled by manipulating the supply valve uTB , heater uel;TS and pump uPS by means of decentralised control loops. Three actuator fault scenarios were considered for testing the virtual actuator, namely the failure of the control valve uTB , the failure of the heater uel;TS , and the failure of the pump uPS . All failures mean blocking of the component at the operating point. The process contains redundant components. The cold water supply is kept at a constant flow rate in the fault-free situation. However, the flow setpoint uCW for its subordinate control loop is available as a free plant input. In addition, the heater uel;TB in the supply container TB is a manipulable input. The spare supply container TM serves as a backup supply in case the valve to the tank TB fails. The container TM holds the same substance as the tank TB and is accessed through the control valve uTM . A linearised model (1), (2) for the entire plant, including redundant inputs and components, was derived from a nonlinear plant model at the desired setpoint used as the operating point by means of


linearisation [57]. Fault models (7), (8) were obtained by suitably modifying the input matrices Bf for all three fault cases. The successful use of the static reconfiguration block (64) for trajectory recovery is shown in Figure 20. The output trajectories are recovered for all output signals up to slightly increased oscillations, where the nominal scenario is not shown separately because it gives nearly the same response. The reconfiguration process was fully automated and required no human intervention at reconfiguration time. The solution was found on the basis of the linear plant model. The solution also shows the effects of nonlinearities in the plant that are not captured by the linear model. Relevant effects are actuator saturations, dead zones and actuation range quantisation. Especially, the effects of saturations are visible in the figure. The heater uel;TS repeatedly reaches its limits 0 and 1. This effect leads to the mentioned oscillations, which have slightly larger magnitudes than in the fault-free case. The linear theory makes no statements about the effects of saturations and other nonlinear phenomena. Table 1 summarises the shown results and further experimental results not reported here by stating the fault scenario together with the analytical attainability of each goal by Conditions (62), (65). In addition, the practical success of reconfiguration on the real plant is given. On the one hand, the good agreement shows that the attainability conditions are adequate and that the virtual actuator is practically useful, if the plant remains close enough to the equilibrium point used for linearisation. On the other hand, the discrepancy in certain cases shows the limits of the purely linear theory if substantial nonlinear phenomena, as mentioned, become effective. In particular, the mentioned saturation effects are more pronounced than in the given example in some fault scenarios.

5.5. Commented Bibliography on Fault Hiding The fault-hiding paradigm was first used in a loose sense by Looze et al. [40] and introduced as a strict conceptual basis for a family of reconfiguration approaches for sensor and actuator failures by Lunze and Steffen [42, 65], where the loop-related reconfiguration goals were also transformed into plant-related goals. Lemmas 5 and 6 have been proven in [65]. The authors have extended the virtual actuator concept by new design approaches and put it into relation with model following concepts [41, 58]. The problem of attaining the trajectory recovery goal using a static reconfiguration block was given special

381


Fig. 20. Output and input trajectories of thermofluid process with valve failure uTB at tf ¼ 340 s and reconfiguration at tr ¼ 350 s. A reference step of TS ¼ 0:15 mS/cm was issued at t ¼ 300 s. Control reconfiguration is achieved by a static reconfiguration block that was designed for trajectory recovery. The trajectories show that the setpoints are reached, hence the reconfiguration goal is achieved. The inputs are shown twice: black curves correspond to controller commands uc , grey curves to the inputs uf of the plant. The valve uTB blocks at its operating point (right figure in 4th row). After reconfiguration at t ¼ 350 s, the valve uTM is used, which was inactive before the fault (left figure in 4th row). In addition, manipulation of the input uPS to the pump and the input uel;TB to the heater in TB are observed.

Table 1. Analytical (left) and practical (right) attainability of the stabilisation, equilibrium recovery, and trajectory recovery goals. This table refers to practical reconfiguration experiments conducted on the chemical pilot plant VERA. It shows the prediction of reconfigurability in the sense of the goals (right) and the practical success with respect to that goal. The scheme shows good agreement between the criteria and practice for stabilisability, but reveals the tests’ inadequateness in general. Goal Stabilisation Equilibrium recovery Trajectory recovery (static block)

f1 pp / pp /p –/

f2 p p / p /– p –/

f3 pp / p /– –/–

382

attention. A dual approach for sensor faults has been given in [55], and the robustness of the design with respect to slight violations of goal attainability conditions has been discussed in [58]. Furthermore, the reconfiguration problem for Hammerstein systems was solved by an extension of the virtual actuator concept based on the fault-hiding principle. In particular, a stabilising synthesis method is provided for the important class of saturated systems [56]. The virtual actuator was applied to a two-degreeof-freedom helicopter model [43], to a laboratory two-tank system [65] and recently to a thermofluid process [57].

6. Related Topics and Extensions In this section, fault-tolerant control in a broader perspective and several different but related topics and approaches that concern dependability of controlled systems are outlined. 6.1. Building Dependable Systems It was noted in the introduction that control reconfiguration is one building block of active fault-tolerant control. FTC denotes the general field of automatic control that aims at creating closed-loop systems with increased dependability compared to systems under standard control. The following clarifies the basic terminology used to characterise dependability. Different terms describe system properties that are related to fault tolerance [8]. A system is said to be safe if faults cannot lead to dangerous situations. It is said to be reliable if it can fulfill its function without interruption for a specified period of time. Hence, reliability is a statistical property and reliability analysis is concerned with failure probabilities. Availability expresses the fraction of time that the system under consideration is operational when needed. In contrast to reliability, availability also depends on maintenance strategies. A dependable system is a safe, reliable and highly available system. These notions are used in dependability analysis of technical systems, however they do not tell anything about how to respond to a specific fault at plant operation time. If an irregularity occurs during the operation of a system, one of several possible actions is taken, depending on its severity. Minor plant changes such as worn brushes in electric DC motors require no immediate action, since they are accommodated by robust control. In this case, repair can be postponed to maintenance. On the other hand, if an irregularity


considerably affects the safety or reliability of the plant, actions ranging from transfer to a safe operation mode to complete plant shutdown may be necessary. Control reconfiguration is such an action, which aims at postponing the necessary plant shutdown by maintaining the plant in a safe and reliable condition. 6.2. Further Approaches to Fault-Tolerant Control Fault-tolerant control describes techniques for adapting controllers of closed-loop systems to faulty plants [21, 51–53] by using the available redundancy (Figure 21). It aims at preventing component faults, component failures or subsystem faults from causing a system failure. Passive FTC denotes techniques to make the controller tolerate a set of possible faults, such as by means of robust control [78], by using the integrity property [15, 23, 26, 59], by reliable H1 design [73], or by simultaneous stabilization [9, 67]. Once operational, the closed-loop system need not be changed to respond to a fault. However, as known from robust control, the set of faults that can be tolerated without active controller re-adjustment is severely limited. Active FTC denotes techniques to achieve fault tolerance by changing the closed-loop system after fault-time. All methods explained in this paper belong to this class. Fault diagnosis seeks to find out whether the plant is subject to a fault and to identify the fault [8, 31]. Monitoring denotes system supervision by analysis of the measurable variables. Analytic redundancy relations are used to determine whether systems meet the nominal constraints or not. Controller re-design methods, which match the controller to the faulty plant, are classified into the following two groups. Fault accommodation is applicable whenever adaptation of the controller internals (dynamic order, parameters) is sufficient for satisfying

Fig. 21. A classification of controller re-adjustment methods. In passive approaches, the nominal controller is designed in order to tolerate a set of possible faults without any re-adjustment, whereas active approaches change the closed-loop system. Reconfiguration adapts the closed-loop structure and the controller parameters, whereas fault accommodation methods change the controller but retain the structure of the closed-loop system.

383


the requirements on the closed-loop system with the faulty plant. The controller uses the same measurements and control inputs to the plant as before the fault. Control reconfiguration also changes the closedloop structure in response to the fault. After reconfiguration, the signals measured and manipulated by the controller and the controller internals are adjusted to the fault [8]. Control reconfiguration is the most powerful and difficult approach to active control re-adjustment, which aims at preventing faults and malfunctions from turning into system-level failure. 6.3. Open Problems in Control Reconfiguration Since fault diagnosis is not the focus of this article, it has been assumed that the diagnostic task was already solved. In applications, however, the interplay between fault diagnostic and reconfiguration approaches poses intricate problems both from a theoretical and from a practical viewpoint. Problems are caused by missed, delayed, and wrong fault detection, as well as by false alarms [36, 76, 77]. While the problem of joint diagnosis and reconfigurable control has not yet been solved, some preliminary work on the topic is available. The effect of delayed fault detection was explicitly considered in [64]. A very complex approach that models both the fault processes and the diagnosis component as Markov chains is shown in [46], where a stochastic stability notion is defined and state-feedback controllers are designed that maximise the probability of stable operation. A similar approach was recently presented that considers detection delay and results in output feedback controllers [68]. An H1 -based reconfiguration approach that takes into account uncertain fault models is reported in [38]. For nonlinear systems, few approaches have been developed that qualify as control reconfiguration methods by the above definition. The extension to nonlinear dynamical systems is of paramount importance, since faults usually take the plant outside the validity of linearised models. When enlarging the scope to include accommodation techniques, a few approaches have been reported [11, 12, 33, 75]. In hybrid systems, few approaches for special switching schemes are available, for example [74]. Certainly, the development of realistically applicable fault-tolerant control approaches that take into account nonlinear dynamics, as well as the integrated analysis and synthesis of diagnostic systems and fault-tolerant controllers remain the current frontier of fault-tolerant control. The nonlinear model-matching might be a suitable conceptual basis for the development of new nonlinear fault-tolerant control approaches [29].

It is furthermore desirable to know a-priori the achievable control goals for a given faulty system. In particular, it is valuable to characterise the class of faults that permit a recovery of some nominal closed-loop performance. These ideas have led to the development of reconfigurability notions, where reconfigurability should be interpreted as a system property, quite similar to the well-known concepts of controllability and observability. The notions developed so far are based on structural considerations [7, 27, 62, 63, 65], [8 Chapter 5], and on energy considerations [60, 72]. In practical systems, however, the actuation limitations typically represent the true problem. Further work on the topic is hence necessary.

7. Conclusion This article has presented the state of the art in the field of control reconfiguration, which handle component failures in addition to faults that change component characteristics. Several approaches have been explained and evaluated. The focus of this article was on automatic redesign approaches that enable autonomous reconfiguration at fault time, which is a crucial requirement in most practical applications, since the combinatorial effort of off-line pre-designing fault-case specific controllers is often overwhelming. In conclusion, the linear reconfiguration framework provides basic and fundamental insight into the feasibility and applicability of control reconfiguration. This linear framework is, however, not sufficient for solving practical problems that are governed by nonlinear dynamics. These observations motivate the further exploration of nonlinear fault-tolerant control techniques. In particular, the presence of input limitations and state bounds for safe plant operation present particular challenges for control reconfiguration after actuator failures, since usually the failed actuators have the best effect on some controlled output, and any redundant components usually have much less effect on the controlled quantity. Furthermore, the interplay between diagnosis components and reconfigurable controllers in closedloop configuration, as well as the consideration of uncertain diagnosis results are important topics that require deeper investigation.

References 1. Ahmed-Zaid F, Ioannou P, Gousman K, Rooney R. Accommodation of failures in the F-16 aircraft using adaptive control. IEEE Control Syst Mag 1991; 11(1): 73–78

384 2. Anderson BDO, Moore JB. Optimal control – Linear quadratic methods. Prentice Hall, 1989 3. Aravena J, Zhou K, Li XR, Chowdhury F. Fault tolerant safe flight controller bank. In Proceedings of the 6th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (Safeprocess), pp 859–864, Beijing, 2006 4. Ashari AE, Sedigh AK, Yazdanpanah MJ. Reconfigurable control system design using eigenstructure assignment: static, dynamic and robust approaches. Int J Control 2005; 78(13): 1005–1016 5. Basile G, Marro G. Controlled and Conditioned Invariants in Linear Systems Theory. Prentice Hall, University of Bologna, 1992 6. Ben-Israel A, Greville TNE. Generalized inverses – theory and application, vol. 15 of CMS Books in Mathematics. Springer, New York, second edition, 2003. ISBN 0387002936 7. Bingulac SP, Krtolica RV. On admissibility of pseudoobservability and pseudocontrollability indices. IEEE Trans Autom Control 1987; 32 (10): 920–922 8. Blanke M, Kinnaert M, Lunze J, Staroswiecki J. Diagnosis and Fault-Tolerant Control. Springer Verlag, Heidelberg, 2nd. edition, 2006. ISBN 3-540-35652-5 9. Blondel VD. Simultaneous Stabilization of Linear Systems, volume 191 of Lecture Notes in Control and Information Sciences. Springer Verlag, Heidelberg, 1994. ISBN 3-540-19862-8 10. Bodson M, Groszkiewicz JE. Multivariable adaptive algorithms for 46 reconfigurable flight control. IEEE Trans Control Syst Technol 1997; 5(2): 217–229 11. Bonivento C, Gentili L, Paoli A. Internal model based fault tolerant control of a robot manipulator. In Proceedings of 43rd IEEE Conference on Decision and Control, Paradise Island, Bahamas, 2004 12. Bonivento C, Isidori A, Marconi L, Paoli A. Implicit fault-tolerant control: application to induction motors. Automatica 2004; 40(3): 355–371 13. Burcham FW Jr, Maine TA, Burken JJ, Bull J. Using engine thrust for emergency flight control: MD-11 and B-747 results. Technical Report NASA/TM-1998206552, NASA, Dryden Flight Research Center and NASA Ames Research Center, 1998 14. Caglayan AK, Allen SM, Wehmuller K. Evaluation of a second generation reconfiguration strategy for aircraft flight control systems subjected to actuator failure/ surface damage. In Proceedings of the 1988 National Aerospace and Electronics Conference, pp 520–529, 1988 15. Campo PJ, Morari M. Achievable closed-loop properties of systems under decentralized control: Conditions involving the steady-state gain. IEEE Trans Autom Control 1994; 39(5): 932–943 16. Chen J, Patton RJ. Robust Model-Based Fault Diagnosis for Dynamic Systems. Kluwer Academic, 1999 17. Chen S, Tao G, Joshi S. On matching conditions for adaptive state tracking control of systems with actuator failures. IEEE Trans Autom Control 2002; 47(3): 473–478 18. Ciubotaru B, Staroswiecki M, Christophe C. Fault tolerant control of the Boeing 747 short-period mode using the admissible model matching technique. In Proceedings of 6th IFAC Symposium on Fault Detection Supervision and Safety for Technical Processes, Beijing, China, 2006


19. Farrell J, Berger T, Appleby B. Using learning techniques to accommodate unanticipated faults. IEEE Control Syst Mag 1993; 13(3): 40–49 20. Frank PM. Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy – a survey and some new results. Automatica 1990; 26: 459–474 21. Frank PM. Analytical and qualitative model-based fault diagnosis – a survey and some new results. Eur J Control 1996; 2(1): 6–28 22. Frank PM, Blanke M. Fault diagnosis and faulttolerant control. In: Control Systems, Robotics and Automation, from Encyclopedia of Life Support Systems (EOLSS), Developed Under the Auspices of the UNESCO. Eolss Publishers, Oxford, UK, 2004 23. Fujita M, Shimermura E. Integrity against arbitrary feedback-loop failure in linear multivariable control systems. Automatica 1988; 24(6): 765–772 24. Gao Z, Antsaklis PJ. Stability of the pseudo-inverse method for reconfigurable control systems. Int J Control 1991; 53(3): 717–729 25. Gao Z, Antsaklis PJ. Reconfigurable control system design via perfect model following. Int J Control 1992; 56(4): 783–798 26. Gndes AN. Stability of feedback systems with sensor or actuator failures: analysis. Int J Control 1992; 56(4): 735–753 27. Hoblos G, Staroswiecki M, Aitouche A. Fault tolerance with respect to actuator failures in LTI systems. In Proceeding of SAFEPROCESS 2000: 4th Symposium on Fault Detection, volume 2, pp 804–809, Budapest, Hungary, 2000 28. Huang CY, Stengel RF. Restructurable control using proportional integral implicit model following. J Guid Control Dyn 1990; 13(2): 303–309 29. Huijberts HJC, Nijmeijer H. Local nonlinear model matching: from linearity to nonlinearity. Automatica 1990; 26(6): 973–983 30. Proceedings of IEE Colloquium on Intelligent and SelfValidating Sensors, Jun 1999. IEE. http://ieeexplore. ieee.org/servlet/opac?punumber ¼ 6421 31. Isermann R. Fault-Diagnosis Systems. An Introduction from Fault Detection to Fault Tolerance. Springer Verlag, Berlin Heidelberg, 2006. ISBN 3540241124 32. Isermann R, Schwarz R, Sto¨lzl S. Fault-tolerant driveby-wire systems. IEEE Control Syst Mag 2002; 22(5): 64–80 33. Jiang B, Staroswiecki M, Cocquempot V. Fault accommodation for nonlinear dynamic systems. IEEE Trans Autom Control 2006; 51(9): 1578–1583 34. Jiang J. Fault-tolerant control systems – an introductory overview. Acta Automatica Sinica 2005; 31(1): 161–174 35. Jiang J. Design of reconfigurable control systems using eigen structure assignments. Int J Control 1994; 59(2): 395–410 36. Jiang J, Zhang Y. Fault diagnosis and reconfigurable control of a pressurizer in a nuclear power plant. In Proceedings of the 5th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (SAFEPROCESS), pp 1095–1100, Washington D.C., USA, 2003 37. Jonckheere EA, Yu G-R. Propulsion control of crippled aircraft by H1 model matching. IEEE Trans Control Syst Technol 1999; 7(2): 142–159

385


38. Kanev S, Verhaegen M. Controller reconfiguration in the presence of uncertainty in the FDI. In Proceedings of the 5th IFAC Symposium on Fault Detection, Supervision, and Safety of Technical Processes (SAFEPROCESS), pp 145–150, Washington, D.C., USA, 2003 39. Kerrigan EC, Bemporad A, Mignone D, Morari M, Maciejowski JM. Multi-objective priorisation and reconfiguration for the control of constrained hybrid systems. In Proceedings of the 2000 American Control Conference, vol 3, pp 1694–1698, 2000 40. Looze DP, Weiss JL, Eterno JS, Barrett NM. An automatic redesign approach for restructurable control systems. Control Syst Mag 1985; 5(2): 16–22 41. Lunze J, Richter JH. Entwurfsmethode fu¨r den verallgemeinerten virtuellen Aktor zur Rekonfiguration von Regelkreisen. Automatisierungstechnik 2006; 54(7): 353–361 42. Lunze J, Steffen T. Control reconfiguration after actuator failures using disturbance decoupling methods. IEEE Trans Autom Control 2006; 51(10): 1590–1601 43. Lunze J, Rowe-Serrano D, Steffen T. Control reconfiguration demonstrated at a two-degrees-of-freedom helicopter model. In Proceedings European Control Conference, Cambridge, UK, 2003 44. Maciejowski JM. Predictive Control with Constraints. Pearson Education Limited, Harlow, England, 2002. ISBN 0201398230PPR 45. Maciejowski JM, Jones CN. MPC fault-tolerant flight control case study: Flight 1862. In Proceedings of the SAFEPROCESS 2003: 5th Symposium on Fault Detection and Safety for Technical Processes, number M1C1, pp 121–126, Washington D.C., USA, 2003. IFAC 46. Mahmoud M, Jiang J, Zhang Y. Active Fault Tolerant Control Systems, volume 287 of Lecture notes in Control and Information Sciences. Springer Verlag, Berlin Heidelberg, 2003. ISBN 3540003185 47. McMahan J. Flight 1080. Air Line Pilot 1980; 47(7): 6–11 48. Morari M, Baotic M, Borrelli F. Hybrid systems modeling and control. Eur J Control 2003; 9(2–3): 177–189 49. Noura H, Sauter D, Hamelin F, Theilliol D. Faulttolerant control in dynamic systems: Application to a winding machine. IEEE Control Syst Mag 2000; 20(1): 33–49 50. Patton R, Chen J. A review of parity space approaches to fault diagnosis. In IFAC-Symposium on Fault Detection Supervision and Safety for Technical Processes, pp 239–255, Baden-Baden, 1991. SAFEPROCESS’91 51. Patton RJ. Fault-tolerant control: the 1997 situation. In Patton R, Chen J, eds, Preprints of IFAC Symposium on Fault Detection Supervision and Safety for Technical Processes, pp 1033–1055, Kingston upon Hull, 1997. SAFEPROCESS’97 52. Rauch HE. Intelligent fault diagnosis and control reconfiguration. IEEE Control Syst Mag 1994; 14(3): 6–12 53. Rauch HE. Autonomous control reconfiguration. IEEE Control Syst Mag 1995; 15(6): 37–48 54. Rawlings JB. Tutorial overview of model predictive control. IEEE Control Syst Mag 2000; 20(3): 38–52 55. Richter JH, Lunze J. Markov-parameter-based control reconfiguration by matching the I/O-behaviour of the

56.

57.

58. 59. 60. 61.

62.

63.

64.

65.

66. 67. 68. 69. 70.

71.

72.

plant. In Proceedings of the European Control Conference (ECC) 2007, pp 2942–2949, Kos, Greece, July 2–5, 2007 Richter JH, Lunze J. Reconfigurable control of Hammerstein systems after actuator faults. Proceedings of 17th IFAC World Congress, Seoul, Korea, 2008, pp. 3210–3215. Richter JH, Schlage T, Lunze J. Control reconfiguration after actuator failures by Markov parameter matching (2008). International Journal of Control Vol. 81, No. 9, pp. 1382–1398. Richter JH, Lunze J, Schlage T. Control reconfiguration after actuator failures by Markov parameter matching. Int J Control 2008; 81(9): 1382–1398. Sala A, Albertos P. Fault-tolerant time-invariant feedback control. In Proceedings of the 16th IFAC World Congress. IFAC, 2005 Staroswiecki M. On reconfigurability with respect to actuator failures. In Proceedings of the 15th IFAC World Congress, pp 257–262, Barcelona, Spain, 2002 Staroswiecki M. Fault tolerant control: The pseudoinverse method revisited. In: Piztek P, ed. Proceedings of the16th IFACWorld Congress, Prague, Czech Republic, 2005 Staroswiecki M, Attouche S, Assas ML. A graphic approach for reconfigurability analysis. In 10th International Workshop on Principles of Diagnosis DX ’99, Loch Awe, UK, 1999 Staroswiecki M, Hoblos G, Aitouche A. Fault tolerance analysis of sensor systems. In Proceeding of 38th IEEE Conference on Decision and Control, vol 4, pp 3581– 3586, Phoenix, AZ, 1999 Staroswiecki M, Yang H, Jiang B. Progressive accommodation of aircraft actuator faults. In Proceedings of the 6th IFACSymposium on Fault Detection Supervision and Safety for Technical Processes, pp 877–882, Beijing, China, 2006 Steffen T. Control Reconfiguration of Dynamical Systems: Linear Approaches and Structural Tests, vol 320 of Lecture Notes in Control and Information Sciences. Springer-Verlag, Heidelberg, 2005. ISBN 3540257306 Stengel RF. Intelligent failure-tolerant control. IEEE Control Syst Mag 1991; 11(4): 14–23 Stoustrup J, Blondel VD. Fault tolerant control: a simultaneous stabilization result. IEEE Trans Autom Control 2004; 49(2): 305–310 Tao F, Zhao Q. Synthesis of stochastic fault tolerant control systems with random FDI delay. Int J Control, 2007; 80(5): 684–694 Tortora G, Kouvaritakis B, Clarke D. Fault-accommodation with intelligent sensors. Automatica 2003; 39(7): 1227–1233 Tsuda K, Mignone D, Ferrari-Trecate G, Morari M. Reconfiguration strategies for hybrid systems. In Proceedings of the 2001 American Control Conference, vol 2, pp 868–873, Arlington, VA, USA, 2001 Wonham WM. Linear Multivariable Control: A Geometric Approach, vol 10 of Applications of Mathematics. Springer-Verlag, New York Heidelberg Berlin, second edition, 1979 Wu NE, Zhou K, Salomon G. On reconfigurability. In Proceeding of SAFEPROCESS 2000: 4th Symposium on Fault Detection, vol 2, pp 50 846–851, Budapest, Hungary, 2000

386 73. Yang G-H, Zhang S-Y, Lam J, Wang J. Reliable control using redundant controllers. IEEE Trans Autom Control 1998; 43(11): 1588–1593 74. Yang H, Jiang B, Cocquempot V, Staroswiecki M. Adaptive fault tolerant strategy for hybrid systems with faults independently affecting on outputs. In Proceedings of the 6th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (SAFEPROCESS), pp 1021–1026, Beijing, China, 2006 75. Yang H, Jiang B, Staroswiecki M. Observer-based faulttolerant control for a class of switched nonlinear systems. IET Proc Control Theory Appl 1(5): 1523–1532


76. Zhang Y, Jiang J. Bibliographical review on reconfigurable fault-tolerant control systems. In Proceedings of the SAFEPROCESS 2003: 5th Symposium on Fault Detection and Safety for Technical Processes, number M2-C1, pp 265–276, Washington D.C., USA, 2003 77. Zhang Y, Jiang J. Issues on integration of fault diagnosis and reconfigurable control in active fault-tolerant control systems. In Proceedings of the 6th IFAC Symposium on Fault Detection Supervision and Safety for Technical Processes, pp 1513–1524, Beijing, China, 2006 78. Zhao Q, Jiang J. Reliable state feedback control system design against actuator failures. Automatica 1998; 34(10): 1267–1272, 1998

Reconfigurable Fault-tolerant Control: A Tutorial ... - Semantic Scholar

Reconfigurable Fault-tolerant Control: A Tutorial ... - Semantic Scholar

Suggest Documents

MONITORING, FAULT DIAGNOSIS, FAULTTOLERANT CONTROL ...

Tutorial TT3: A Tutorial on Visual Servo Control - Semantic Scholar

Using Reconfigurable Processors as Control ... - Semantic Scholar

Reconfigurable Intelligent Control Architecture for ... - Semantic Scholar

Reconfigurable Cooperative Control of Networked ... - Semantic Scholar

A Novel Reconfigurable Control Method for an ... - Semantic Scholar

Reconfigurable Displays - Semantic Scholar

Reconfigurable Displays - Semantic Scholar

Reconfigurable computing - Semantic Scholar

A Tutorial on Visual Servo Control - Semantic Scholar

A Prognostics Enhanced Reconfigurable Control

SNORT OFFLOADER: A RECONFIGURABLE ... - Semantic Scholar

A Frequency-Reconfigurable Circularly Polarized ... - Semantic Scholar

A Coarse-Grained Dynamically Reconfigurable ... - Semantic Scholar

STARCON - A Reconfigurable Fieldable Signal ... - Semantic Scholar

A novel reconfigurable optical interconnect ... - Semantic Scholar

REDS: A Reconfigurable Dispatching System - Semantic Scholar

A Low Power Reconfigurable Heterogeneous ... - Semantic Scholar

a course on reconfigurable processors - Semantic Scholar

Adaptive Instrument Module - A Reconfigurable ... - Semantic Scholar

Reconfigurable Systems: A Survey - Semantic Scholar

Reconfigurable Multiparameter Biosignal ... - Semantic Scholar

Dynamically Reconfigurable Embedded ... - Semantic Scholar

ScaLAPACK Tutorial - Semantic Scholar