Fault Tolerant Control: a Simultaneous Stabilization Result

Aalborg Universitet

Fault Tolerant Control: A Simultaneous Stabilization Result

Stoustrup, Jakob; Blondel, V.D.

Published in: IEEE Transactions on Automatic Control

DOI (link to publication from Publisher): 10.1109/TAC.2003.822999

Publication date: 2004

Document Version Tidlig version også kaldet pre-print

Link to publication from Aalborg University

Citation for published version (APA): Stoustrup, J., & Blondel, V. D. (2004). Fault Tolerant Control: A Simultaneous Stabilization Result. IEEE Transactions on Automatic Control, 49(2), 305-310. https://doi.org/10.1109/TAC.2003.822999

General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

? Users may download and print one copy of any publication from the public portal for the purpose of private study or research. ? You may not further distribute the material or use it for any profit-making activity or commercial gain ? You may freely distribute the URL identifying the publication in the public portal ? Take down policy If you believe that this document breaches copyright please contact us at [email protected] providing details, and we will remove access to the work immediately and investigate your claim.

Downloaded from vbn.aau.dk on: October 02, 2021 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 49, NO. 2, FEBRUARY 2004 305

[2] , “A generalized entropy criterion for Nevanlinna–Pick interpola- and isolation block in the control system. Whenever a fault is detected tion with degree constraint,” IEEE Trans. Automat. Contr., vol. 46, pp. and isolated, a supervisory system takes action, and modifies the struc- 822–839, June 2001. ture and/or the parameters of the feedback control system. In contrast, [3] J. C. Doyle, B. A. Francis, and A. R. Tannenbaum, Feedback Control Theory. New York: Macmillan, 1992. in the passive fault tolerant control approach, a fixed compensator is [4] B. A. Francis, A Course in Control Theory. New York: Springer- designed, that will maintain (at least) stability if a fault occurs in the Verlag, 1987, Lecture Notes in Control and Information Sciences. system. [5] J. W. Helton and O. Marino, Classical Control Using Methods. This note will only discuss the passive fault tolerant control ap- Philadelphia, PA: SIAM, 1998. [6] H. Kwakernaak, “Robust control and -optimization-Tutorial proach, also sometimes referred to as reliable control. This approach paper,” Automatica, vol. 29, no. 2, pp. 255–273, 1993. has mainly two motivations. First, designing a fixed compensator can [7] D. J. N. Limebeer and B. D. O. Anderson, “An interpolation theory ap- be made in much simpler hardware and software, and might thus be ad- proach to controller degree bounds,” Linear Alg. Applicat., vol. missible in more applications. Second, classical reliability theory states 98, pp. 347–386, 1988. that the reliability of a system decreases rapidly with the complexity [8] R. Nagamune, “A shaping limitation of rational sensitivity functions with adegree constraint,” IEEE Trans. Automat. Contr., vol. 49, pp. of the system. Hence, although an active fault tolerant control system 296–300, Feb. 2004. might in principle accomodate specific faults very efficiently, the added [9] , “Robust control with complexity constraint: A Nevanlinna–Pick complexity of the overall system by the fault detection system and the interpolation approach,” Ph.D. dissertation, Dept. Math., Royal Inst. supervisory system itself, might in fact sometimes deteriorate plant re- Technol., Stockholm, Sweden, 2002. [10] , “A robust solver using a continuation method for Nevanlinna–Pick liability. interpolation with degree constraint,” IEEE Trans. Automat. Control, In [10], a fault tolerant control problem has been addressed for sys- vol. 48, pp. 113–117, Jan. 2003. tems, where specific sensors could potentially fail such that the corre- [11] J. L. Walsh, Interpolation and Approximation by Rational Functions in sponding outputs were unavailable for feedback, whereas other outputs the Complex Domain. Providence, RI: AMS, 1956, vol. 20. were assumed to be available at all times. [12] K. Zhou, Essential of Robust Control. Upper Saddle River, NJ: Pren- tice-Hall, 1998. In [11, Sec. 5.5], the question of fault tolerant parallel compensation has been discussed, i.e., whether it is possible to design two compensators such that any of them alone or both in parallel will internally stabilize the closed loop system. The existence results given in [10] and [11] can be considered to be special cases of the main results of this note. Fault Tolerant Control: A Simultaneous In this note, we shall consider systems for which any sensor (or in the Stabilization Result dual case any actuator) might fail, and we wish to determine for which systems such (passive) fault tolerant compensators exist. The main re- Jakob Stoustrup and Vincent D. Blondel sults state that the only precondition for the existence of solutions to this fault tolerant control problem is just stabilizability from each input and detectability of the system from each output. Abstract—This note discusses the problem of designing fault tolerant Throughout this note, pm shall denote the set of proper, real- compensators that stabilize a given system both in the nominal situation, rational functions taking values in gpm,andpm shall denote as well as in the situation where one of the sensors or one of the actuators the set of strictly proper, real-rational functions taking values in gpm. has failed. It is shown that such compensators always exist, provided that pm the system is detectable from each output and that it is stabilizable. The rI shall denote the set of stable, proper, real-rational functions pm proof of this result is constructive, and a worked example shows how to taking values in g . The notation fs PCI X f@sAaHg will design a fault tolerant compensator for a simple, yet challenging system. be used as shorthand for zeros of f@ A on the positive real line. The A family of second order systems is described that requires fault tolerant lim f@sAaH compensators of arbitrarily high order. set includes the point at infinity if s3I . For matrices eY fY gY h of compatible dimensions, the expression Index Terms—Controller order, fault tolerant control, sensor faults, simultaneous stabilization. e f q@sAa gh

I. INTRODUCTION will be used to denote the transfer function q@sAag@ss eAIf C The interest for using fault tolerant controllers is increasing. A h. Real-rational functions will be indicated by their dependency of a number of theoretical results as well as application examples has now complex variable s (as in q@sAYu@sA), although the dependency of s been described in the literature; see, e.g., [1]–[9] to mention some of will be suppressed in the notation (as in qY u), where no misunder- the relevant references in this area. standing should be possible. The approaches to fault tolerant control can be divided into two main classes: Active fault tolerant control and passive fault tolerant control. II. PROBLEM FORMULATION In active fault tolerant control, the idea is to introduce a fault detection Consider asystem of the form x a ex C fu Manuscript received May 9, 2003; revised September 26, 2003. Recom- mended by Associate Editor F. M. Callier. yI a gIx J. Stoustrup is with the Department of Control Engineering, Institute of . Electronic Systems, Aalborg University, DK-9220 Aalborg, Denmark (e-mail: . [email protected]). V. D. Blondel is with the Department of Mathematical Engineering, Uni- yp a gpx (1) versité Catholique de Louvain, B-1348 Louvain-la-Neuve, Belgium (e-mail: n m [email protected]). where x PYu P Yyi PYiaIFFFYp and eY fY giYi a Digital Object Identifier 10.1109/TAC.2003.822999 IFFFYpare matrices of compatible dimensions. Each of the p measure-

ments yiYiaIY FFFYp, is the output of a sensor, which can potentially We will need the following result (see [13, Th. 5.2, p. 106] or [11, fail. Cor. 6, p. 118]) on the strong stabilization problem, i.e., the problem of In this note, we will determine whether it is possible to design a finding a stable stabilizing compensator. feedback compensator that is guaranteed to stabilize a given system, Lemma 1: Let e@sAYf@sA be stable proper transfer functions. Then in case any sensor could potentially fail. To be more precise, we are there exists a stable proper transfer function @sA such that the function u a u@sAyY u Pmp looking for a dynamic compensator , with e@sACf@sA@sA the property, that each of the following feedback laws: is a unit in the ring of stable proper rational functions, if and only if u a u@sAyua u@sAyfYIY Yua u@sAyfYp e@zipA has constant sign for all zip Pfs PCI X f@sAaHg. yI H yI y y y P P P IV. MAIN RESULTS y a yfYI a Y YyfYp a (2) ...... In this section, we will present our main results which state that for yp yp H systems with several outputs, it is always possible to find a compen- are internally stabilizing, i.e., that both the nominal system as well as sator, that both stabilizes the nominal situation, as well as the situation each of the systems resulting from one of the sensors failing are all where any of the sensors fails. In a similar fashion, it is shown, that it stabilized by u@sA. is always possible to design a fault tolerant feedback compensator for It is obvious, that the answer to this question immediately provides a system with several actuators. The only precondition to these results, the answer to the corresponding dual question, i.e., whether is possible is in the first case that all unstable modes for the system are observable to design a compensator, that works in the nominal situation, but also by each sensor and in the second (dual) case, that all modes are con- if any of the actuators would fail. trollable by each actuator. Theorem 1: Consider asystem given by astate-spacemodel of the form (1). Assume, that the pair @eY fA is stabilizable, and that each III. PRELIMINARIES of the pairs @giYeAYi aIY FFFYp, is detectable. Then, there exists a We remind the reader (see, e.g., [12, Th. 5.9, p. 127]) that a doubly dynamic compensator u@sA such that each of the p CIcontrol laws coprime factorization of a strictly proper plant and a stabilizing com- (2) internally stabilizes (1). pensator The proof will be constructive, and we shall give some comments on q@sAax@sAw I@sAaw~ I@sAx~@sA practical computations in the sequel of the proof. Proof: First, let us note that it suffices to prove the result in the u@sAa @sA I@sAa~ I@sA ~@sA case where m aIand p aP. To see that m aIcan be assumed where without loss of generality, one can just consider the system pm pm mm " q P x PrI w PrI x a ex C fu" ~ pp ~ pm w PrI x PrI yI a gIx mp mp pp u P PrI PI . ~ mm ~ mp . PrI PrI . y a g x can be found from an observer based controller by the formulas p p (4) " mI e C fp f v where f a fvYv P Y u" P,andv is any vector such that the w @eY f"A a pair is also stabilizable. This is always possible (see, e.g., [14, x psH Cor. 1.1, p. 43]). Thus, if u" a u" @sAy is a fault tolerant feedback law g H s for (4), then u a u@sAy is a fault tolerant feedback law for (1) with e C vg fv u@sAavu" @sA. ~ ~ a Next, if x~ w~ psH (3) g H s u@sAa@uI@sA uP@sAA (5) where eY fY g are parameters for a (minimal) state space representa- is a fault tolerant feedback compensator for this system tion for q@sA, i.e., matrices of smallest, compatible dimensions such that x a ex C fu e f yI a gIx q@sAa g H yP a gPx (6) then p is an arbitrary stabilizing state feedback gain and v is an arbitrary p v stabilizing observer gain, i.e., and are matrices of compatible di- u@sAa@uI@sA uP@sAH HA (7) mensions such that both e C fp and e C vg have characteristic polynomials which are Hurwitz. is a fault tolerant feedback compensator for (1). Indeed, in the nominal The eight matrices defined by (3) satisfy the double Bezout identity situation or if one of the sensors corresponding to yiYiaQY FFFYpfails, w ~ ~ s H the control signal generated by (7) will be the same as the control signal a X generated by (5) in the nominal situation. If yiYi aIY P fails, (7) will x x~ w~ H s still generate the same control signal as (5) which is known to stabilize We also remind the reader, that a unit is an element of a ring, which the shared dynamics of the two systems. has an inverse in that ring. In particular, a unit in the ring of stable Thus, without loss of generality, we will assume that the system in proper rational functions, is simply a stable proper function with a consideration has the form (6), where f is now asingle column matrix, stable proper inverse. giYiaIY P are single row matrices, uY yi PYiaIY P. Thus, it will IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 49, NO. 2, FEBRUARY 2004 307 be assumed that the transfer functions from u to each of the outputs are Thus, the existence of a fault tolerant controller has now been shown scalar. to be inferred from the existence of stable proper rational functions gI Y Y u Yu Define g a@ A and let uH@sA be an internally stabilizing com- I P Q, such that I P become units. We will prove this exis- gP tence by first choosing I appropriately. Subsequently, (10) and (11) pensator for the system (6), which has the transfer function q@sAa will be considered as equations for Q and P which are no longer g@ss eAIf. Introduce a doubly coprime factorization of q@sA and ~ ~ coupled, and show that each has an admissible solution. uH@sA, i.e., stable proper functions wYxYHY H To that end, first note that it is possible to determine a stable proper x @sA q@sAax@sAw I@sAa I w I@sA function I, such that: x @sA P ~ I ~ I ~ ~ I ~ ~ I@sAxI@sAxP@sA HYI@sAxI@sAjsaz a (12) uH@sAaH @sA H@sAaH @sA@ HYI@sA HYP@sAA P z Pfz P X w@zAaHg satisfying the Bezout identity for every value of ip CI , since xI@zipAxP@zipA can not be zero for w@zipAaHdue to coprimeness ~ w ~ x a ~ w ~ x ~ x aIX H H H HYI I HYP P (8) of w and xI and of w and xP. To determine I satisfying (12) in This can always be done—explicit formulas are given by (3). practice can be done by a standard rational interpolation. Next, we note that replacing in (8) the triplet Now, for afixed I, (10) can be recognized as a strong stabilization problem in the variable Q. It is known from Lemma1 thatsuch Q @~ ~ ~ A y @~ ~ ~ A H HYI HYP I P exists if and only if ~ ~ where Hw HYIxI C IxPxIjsaz ~ a ~ x x H P I Q P has constant sign for every value of ~ a ~ x w I HYI I P P z Pfz P X w@zAaH or x @zAaHgX ~ ~ ip CI P P a HYP C IxI Qw For w@zipAaH, we obtain also provides a solution to (8), as this simple calculation shows ~ @sAw@sA ~ @sAx @sAC @sAx @sAx @sAj ~ ~ ~ H HYI I I P I saz w IxI PxP ~ I ~ ~ a HYI@sAxI@sACI@sAxP@sAxI@sAjsaz a (13) a@H PxI QxPAw @ HYI IxP PwAxI P ~ @ HYP C IxI QwAxP from (12). For xP@zipAaH, we get a ~ w ~ x ~ x aIX ~ ~ H HYI I HYP P H@sAw@sA HYI@sAxI@sACI@sAxP@sAxI@sAjsaz ~ ~ Consequently, any transfer function of the form a H@sAw@sA HYI@sAxI@sAjsaz aI (14) ~ I ~ ~ ~ I @ I PAa@H PxI QxPA where (8) has been applied. This proves the existence of an admissible ~ ~ @ HYI IxP Pw HYP C IxI QwA (9) function Q. To determine Q in practice, one approach is first to find uI that interpolates the constraints (13) and (14), and subsequently to IYPYQ where are all stable proper rational functions, is also a sta- determine Q as a solution to (10). If uI in addition is chosen to inter- bilizing compensator. polate all constraints arising from zeros of w and xP in the right half IYPYQ In the sequel, we shall demonstrate, that can be chosen plane (not just the positive half line), Q can be computed by ~ I@ ~ ~ A such that I P stabilizes both the nominal and the faulty sys- ~ ~ Hw HYIxI C IxPxI uI tems. Q a X (15) If the sensor corresponding to one of the outputs fails, the controller xPw ~ I ~ ~ @ I PA has to stabilize a system of the form: The proof of existence of an admissible P is completely analogous Q xI@sA H to the proof of existence of . The interpolation constraints for (11) q a or q a corresponding to w@zipAaHamounts to H xP@sA ~ @sAw@sA ~ @sAx @sA @sAx @sAx @sAj which means that stability is obtained if and only if the compensator H HYP P I I P saz ~ (9) satisfies the following two equations: a HYP@sAxP@sA I@sAxI@sAxP@sAjsaz ~ ~ ~ @H PxI QxPAw aI H@sAw@sAC HYI@sAxI@sA ~ ~ @ HYI IxP Pw HYP I@sAxI@sAxP@sAjsaz x I I C x wA I aI a (16) I I Q H P P ~ x @z AaH a Hw PxIw QxPw where (8) and (12) has been exploited. For I ip , we obtain the ~ constraints HYIxI C IxPxI C PwxI ~ ~ ~ ~ ~ H@sAw@sA HYP@sAxP@sAjsaz a H@sAw@sA a Hw HYIxI C IxPxI QxPw a uI (10) ~ nd HYP@sAxP@sA I@sAxI@sAxP@sAjsaz aI (17) ~ @H PxI QxPAw from (8). P can now be found as a solution to (11), and the resulting ~ ~ uP P @ HYI IxP Pw HYP will interpolate the conditions (16) and (17). Again, might be u H computed by first finding P interpolating all constraints arising from C IxI QwA zeros of w and xI in the right half plane [not just (16) and (17)], and xP then computing P as a ~ w ~ x x x x w a u H HYP P I I P P I P (11) ~ ~ Hw HYPxP IxIxP uP P a X uIYuP (18) where are units in the ring of stable proper rational functions. xIw 308 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 49, NO. 2, FEBRUARY 2004

Thus, one possible fault tolerant compensator is From the last equation, we infer that either vP@I C 4A @IaPA or v @IC4A @IaPA v @IC4A ~ I Q . Assume without loss of generality that P u a@H PxI QxPA @IaPA. Then, vP is aunit such that @ ~ x w ~ C x wA HYI I P P HYP I I Q (19) I vP@IA a I Xa vP@I C 4A nd vP@IAaIX which stabilizes the system given by (6) in the nominal case, as well as P in the case, where one of the two sensors fail. The constraint at infinity, means that we can assume vP to be of the A corresponding result for actuator failures follows trivially from form Theorem 1 by duality. sn C snI C C Theorem 2: Consider asystem given by astate-spacemodel of the v @sAa I n P n nI (23) form s C Is C C n

x a ex C fIuI C C fmum for some n, which leads to the conditions y a gx (20) ICI C C n aICI C C n (24) n p where x PYui PYi a IFFFYmYy P and eY fiYi a nd IFFFYmYgare matrices of compatible dimensions. Assume, that each n nI @I C 4A C@IC4A I C C n of the pairs @eY fiAYi aIY FFFYm, is stabilizable and that the pair a @I C 4An C @I C 4AnI C C X @gY eA is detectable. Then, there exists a dynamic compensator u@sA I n (25) such that the nominal control law Subtracting (24) from (25) gives uI @I C 4An I uP u a a u@sAy nI . C @@I C 4A IAI C C @@I C 4A IAnI . n nI a@@I C 4A IA C @@I C 4A IAI um C C@ IAnX (26) as well as each of the m control laws

H uI uI We remind the reader, that a necessary condition for (23) to be a unit uP H uP is that i b HYi b HYi aIY FFFYn. Thus, all the terms on the left u a . u a . Y Yua . hand side of (26) are positive. This means, however, that (26) can only . . . . . be true if um um H I @I C 4An b ! P internally stabilizes (20). Proof: Follows by transposing the system and the compensator. It is interesting to note that it might be necessary to resort to ar- or, equivalently bitrarily high controller orders even for a system of low order. As an log P example, consider for 4bH nb 3I for 4 3 HCX log@I C 4A sI @s@IC4AA@sCIA q4@sAa sI (21) From (22), we obtain @s@IC4AA@sCIA ~ s@IC4A ~ sI with the following coprime factorization: uP sCI P @sCIA vP a a s@IC4A sI sI sI I uI ~ ~ ~ s @I C 4A sCI I @sCIA P @sCIA q @sAax@sAw@sAI a @sCIA 4 sI s CI @s @I C 4AA@s CIA @s IA~ I ~ @sCIA a P X @s @I C 4AA@s CIA @s IA~ I ~ @s IA~ I ~ for which the fault tolerant control problem is equivalent to finding I P u@sAa~ I@ ~ ~ A I P such that Since the order of the left-hand side of this equation tends to infinity ~ I ~ ~ I ~ s @I C 4A s I s I as 4 tends to zero, clearly also the order either of I or of P ~ ~ ~ a u s CI I @s CIAP P @s CIAP I has to tend to infinity. s @I C 4A s I Thus, the order of the resulting controller can be required to be of ~ H ~ a u s CI P @s CIAP P arbitrarily high order even for this family of second-order systems. s @I C 4A s I ~ ~ Hau s CI I @s CIAP Q (22) V. F AULT TOLERANT CONTROL DESIGN EXAMPLE In this section, we shall apply the method of the constructive exis- where uIYuPYuQ are all units in the ring of stable proper functions. Evaluating these equations at s aIat s a I, we notice that tence proof for asystem which is only of second order, but yet difficult to reliably stabilize u @IA a u @IA a u @IA nd u @IAau @IAau @IAX I P Q I P Q QH I x a x C u On the other hand, we also have I I H yI a@I PAx uI@I C 4AauP@I C 4ACuQ@I C 4AX yP a@I QAxX (27) Let us define the units vP a uPauI and vQ a uQauI. Then, we have This system has a stable pole in I and an unstable pole in 3. The vP@IA a vQ@IA a I transfer function from u to yI has a zero in 1, whereas the transfer vP@IAavQ@IAaI vP@I C 4ACvQ@I C 4AaIX function from u to yP has a zero in 2. IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 49, NO. 2, FEBRUARY 2004 309

The objective is now to find acompensator u@sA, such that all the (10) where uI is astableproper function with astableproper inverse. three control laws The interpolation points are the positive real zeros (including I)ofxP and of w which are zx a fPY IgYzw aQ, for which we have y H y u a u@sA I u a u@sA u a u@sA I ~ ~ yP yP H H@PAw@PA HYI@PAxI@PA C I@PAxI@PAxP@PA a I I ~ @QAw@QA ~ @QAx @QA C @QAx @QAx @QA a internally stabilize (27). H HYI I I I P P We will find the doubly coprime factorization by designing an ob- ~ ~ H@IAw@IA HYI@IAxI@IA server based compensator. One possible observer gain matrix (there are C @IAx @IAx @IAaIX infinitely many) that assigns the observer poles to the set fPY Ig is I I P the following gain: A possible uI that interpolates @PY QY IA to @IY @IaPAY IA can be found IP V from the Routh–Hurwitz conditions: v a X R Q sQ CPRsP CURs C IUTT u a X I Q P The (unique) feedback gain that also assigns poles to the set fPY Ig s C RVHs CPSs CRH is Thus, Q can be computed from (15) as p a@SHAX ~ ~ Hw HYIxI C IxIxP uI Q@sAa xPw Consequently, the transfer matrix for the system RSTsR C RVHUsQ SH WWQsP SVVVs RVVR a X I s I sR C RVIsQ C SHSsP CTSs CRH q@sAa P s Ps Q s P For the second strong stabilization problem ~ ~ can be written in the following coprime factorization form: Hw HYPxP IxIxP PxIw a uP

xI@sA q@sAa w I@sA the interpolation points are: zx a fIY IgYzw aQA possible x @sA P uP that interpolates @IY QY IA to @IY @IaPAY IA can be found from the Routh–Hurwitz conditions where sP CPs CPI s Q uPa w@sAaICp @ss e fpAIf a sP CPHs CQ s CP sI xI@sA which enables us to compute P from (18) as a g@ss e fpAIf a s CQsCP X x @sA sP P s CQsCP ~ ~ Hw HYPxP IxIxP uP P@sAa The compensator has the following factorization: xIw IVsQ C QHPsP C QRPHs C RWT a X ~ I ~ ~ Q P uH a H @ HYI HYPA s CPIs CPQs CQ with Now, we are ready to compute a fault tolerant controller as ~ I sP CVs CIP u a@H PxI QxPA ~ aI p @ss e vgAIf a H P ~ ~ s CQs CP @ HYI IxP Pw HYP C IxI QwA ~ ~ I I @ HYI HYPAap @ss e vgA v a I sR CPWsQ UWUVsP IP RPTs PHHT a @Qs TPs CRAX PH IVsR C VTSVsQ C WHWHsP C IIUHs C UPH X RSTsR C IH RQWsQ C PV TIIsP C PI PIUsI C PSVW It is easy to verify, that the aforementioned six functions satify the Be- zout identity It can be verified, that this compensator manages to stabilize both the nominal system, as well as the faulty system, in case either of (but ~ w ~ x ~ x aIX H HYI I HYP P of course not both) the two sensors fails. The stability margin is rather poor, but numerical experience suggests that it can only be improved Next, we would like to select I satisfying (12), i.e., such that substantially by going to (even) higher order compensators which was I not done, as this example just serves as an illustration of the principle. @z Ax @z Ax @z A ~ @z Ax @z Aa I ip I ip P ip HYI ip I ip P VI. CONCLUSION whenever w@zipAaHon the positive real half-line, which in our case means zip aQ. Since we have only one interpolation point, a possible In this note, we have proved the existence for any given system of choice of I@sA is aconstant a fault tolerant compensator, which stabilizes the system during its normal operating conditions, but also in the case that one of the sensors ~ ICP HYI@zipAxI@zipA or actuators would fail. I@sAa a PHHX PxI@zipAxP@zipA The proof given was constructive, and it was demonstrated for a simple example that carrying out the steps of the proofs can lead to The remaining two steps are to solve the two (independent) strong a fault tolerant compensator. It should be stated, however, that the de- stabilization problems (10) and (11). First, we should find Q satisfying sign process is not easy. Also, in practice, the issue of performance 310 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 49, NO. 2, FEBRUARY 2004 should be addressed, which can, unfortunately, not easily be done in Nonlinear Control Synthesis by Convex Optimization the framework suggested here. It was also shown that the dynamical order of any fault tolerant com- Stephen Prajna, Pablo A. Parrilo, and Anders Rantzer pensator for some systems even of order two might have to be consid- erably large, due to intrinsic properties of the system. Abstract—A stability criterion for nonlinear systems, recently derived by A subject of future research is to clarify whether the same results the third author, can be viewed as a dual to Lyapunov’s second theorem. hold for systems in which several sensors and actuators (but not all of The criterion is stated in terms of a function which can be interpreted as the either kind) can fail simultaneously. stationary density of a substance that is generated all over the state–space and flows along the system trajectories toward the equilibrium. The new criterion has a remarkable convexity property, which in this note is used ACKNOWLEDGMENT for controller synthesis via convex optimization. Recent numerical methods The authors did the research on which this note is based during a for verification of positivity of multivariate polynomials based on sum of squares decompositions are used. stay at the Institut Mittag–Leffler, Stockholm, Sweden, in the spring of 2003, under aprogramentitled Mathematical Control and Systems Index Terms—Density functions, nonlinear control, semidefinite pro- gramming relaxation, sum of squares decomposition. Theory. They would like to thank the organizers of this Mittag–Leffler program for inviting them. The authors would also like to thank the anonymous reviewers for reading the manuscript with extraordinary I. INTRODUCTION care. Lyapunov functions have long been recognized as one of the most fundamental analytical tools for analysis and synthesis of nonlinear REFERENCES control systems; see, for example, [2]–[4], [6], [7], and [9]. [1] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Diagnosis and There has also been a strong development of computational tools Fault-Tolerant Control. New York: Springer-Verlag, 2003. based on Lyapunov functions. Many such methods are based on convex [2] H. Niemann and J. Stoustrup, “An architecture for fault tolerant controllers,” , Jan. 2003. optimization and solution of matrix inequalities, exploiting the fact that [3] , “Passitive fault tolerant control of an inverted double pen- the set of Lyapunov functions for a given system is convex. dulum—A case study example,” in Proc. IFAC SAFEPROCESS 2003, A serious obstacle in the problem of controller synthesis is however Washington, DC, 2003, p. 6. that the joint search for a controller u@xA and a Lyapunov function [4] , “Reliable control using the primary and dual Youla parameteriza- @xA tion,” in Proc. 41st IEEE Conf. Decision Control, Las Vegas, NV, 2002, is not convex. Consider the synthesis problem for the system pp. 4353–4358. [5] J. Stoustrup and H. Niemann, “Fault tolerant feedback control using the x a f@xACg@xAuX youla parameterization,” in Proc. 6th Eur. Control Conf., Porto, Por- tugal, Sept. 2001. u [6] R. Pattern, “Fault tolerant control: The 1997 situation,” in Proc. IFAC The set of and satisfying the condition Symp. SAFEPROCESS’97, Hull, U.K., 1997, pp. 1033–1055. d [7] N. Wu, Y. Zhang, and K. Zhou, “Detection, estimation and accommo- f@xACg@xAu@xA ` H dation of loss of control effectiveness,” Int. J. Adapt. Control, Signal dx Processing, vol. 14, pp. 775–795, 2000. [8] N. Wu, K. Zhou, and G. Salomon, “Control reconfigurability of linear is not convex. In fact, for some systems the set of u and satisfying time-invariant systems,” Automatica, vol. 36, pp. 1767–1771, 2000. the inequality is not even connected [14]. [9] K. Zhou and Z. Ren, “A new controller architecture for high performance robust, and fault-tolerant control,” IEEE Trans. Automat. Contr., vol. 46, Given the difficulties with Lyapunov based controller synthesis, it is pp. 1613–1618, Oct. 2001. most striking to find that the new convergence criterion presented in [10] A. Alos, “Stabilization of a class of plants with possible loss of out- [15] based on the so-called density function & (cf. Section II) has much puts or actuator failures,” IEEE Trans. Automat. Contr., vol. AC-28, pp. better convexity properties. Indeed, the set of @&Y u&A satisfying 231–233, Feb. 1983. [11] M. Vidyasagar, Control System Synthesis: A Factorization Ap- proach. Cambridge, MA: MIT Press, 1987. r&@f C guA b H (1) [12] K. Zhou, J. Doyle, and K. Glover, Robust and Optimal Control. Upper Saddle River, NJ: Prentice-Hall, 1996. is convex. In this note, we will exploit this fact in the computation of [13] V. Blondel, Simultaneous Stabilization of Linear Systems, ser. Lecture Notes in Control and Information Sciences. Heidelberg, Germany: stabilizing controllers. For the case of systems with polynomial or ra- Springer-Verlag, 1994. tional vector fields, the search for a candidate pair @&Y u&A satisfying [14] W. Wonham, Linear Multivariable Control: A Geometric Ap- the inequality (1) can be done using the methods introduced in [12]. In proach. New York: Springer-Verlag, 1979. particular, a recently available software SOSTOOLS [13] can be used for this purpose.

Manuscript received November 6, 2002; revised August 29, 2003. Recom- mended by Associate Editor W. Kang. This work was supported by an exchange grant from the Swedish Foundation for International Cooperation in Research and Higher Education. The work of A. Rantzer was supported by the Swedish Research Council. S. Prajna is with Control and Dynamical Systems, California Institute of Technology, Pasadena, CA 91125, USA (e-mail: [email protected]). P. A. Parrilo is with the Automatic Control Laboratory, ETH Zürich, CH-8092 Zürich, Switzerland (e-mail: [email protected]). A. Rantzer is with the Department of Automatic Control, Lund Institute of Technology, S-221 00 Lund, Sweden (e-mail: [email protected]). Digital Object Identifier 10.1109/TAC.2003.823000