Robustness Issues in Fault Diagnosis and Fault Tolerant Control

Journal of Control Science and Engineering

Guest Editors: Jakob Stoustrup and Kemin Zhou Robustness Issues in Fault Diagnosis and Fault Tolerant Control Journal of Control Science and Engineering Robustness Issues in Fault Diagnosis and Fault Tolerant Control

This is a special issue published in volume 2008 of “Journal of Control Science and Engineering.” All articles are open access articles distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Editor-in-Chief Jie Chen, University of California, USA

Associate Editors

Evgeny I. Veremey, Russia Shinji Hara, Japan Joe Qin, USA V. Balakrishnan, USA Jie Huang, China R. Salvador Sanchez´ Pena,˜ Spain Amit Bhaya, Brazil Pablo Iglesias, USA Sigurd Skogestad, Norway Benoit Boulet, Canada Vladimir Kharitonov, Mexico Jakob Stoustrup, Denmark Tongwen Chen, Canada Derong Liu, USA Jing Sun, USA Guanrong Chen, Hong Kong Tomas McKelvey, Sweden Zoltan Szabo, Hungary Ben M. Chen, Singapore Kevin Moore, USA Onur Toker, Turkey EdwinK.P.Chong,USA Silviu Niculescu, France XiaohuaXia,SouthAfrica Nicola Elia, USA Brett Martin Ninness, Australia George G. Yin, USA Andrea Garulli, Italy Yoshito Ohta, Japan Li Yu, China Juan Gomez, Argentina Hitay Ozbay, Turkey Lei Guo, China Ron J. Patton, UK Contents

Robustness Issues in Fault Diagnosis and Fault Tolerant Control, Jakob Stoustrup and Kemin Zhou Volume 2008, Article ID 251973, 2 pages

On Fault Detection in Linear Discrete-Time, Periodic, and Sampled-Data Systems, P. Zhang and S. X. Ding Volume 2008, Article ID 849546, 18 pages

Optimal Robust Fault Detection for Linear Discrete Time Systems, Nike Liu and Kemin Zhou Volume 2008, Article ID 829459, 16 pages

Computation of a Reference Model for Robust Fault Detection and Isolation Residual Generation, Emmanuel Mazars, Imad M. Jaimoukha, and Zhenhai Li Volume 2008, Article ID 790893, 12 pages

Fault Detection, Isolation, and Accommodation for LTI Systems Based on GIMC Structure, D. U. Campos-Delgado, E. Palacios, and D. R. Espinoza-Trejo Volume 2008, Article ID 853275, 15 pages

A Method for Designing Fault Diagnosis Filters for LPV Polytopic Systems,SylvainGrenaille, David Henry, and Ali Zolghadri Volume 2008, Article ID 231697, 11 pages

Design and Assessment of a Multiple Sensor Fault Tolerant Robust Control System, S. S. Yang and J. Chen Volume 2008, Article ID 152030, 10 pages

Design and Analysis of Robust Fault Diagnosis Schemes for a Simulated Aircraft Model, M. Benini, M. Bonfe,` P. Castaldi, W. Geri, and S. Simani Volume 2008, Article ID 274313, 18 pages

Stability of Discrete Systems Controlled in the Presence of Intermittent Sensor Faults, Rui Vilela Dion´ısio and Joao˜ M. Lemos Volume 2008, Article ID 523749, 11 pages

Actuator Fault Diagnosis with Robustness to Sensor Distortion, Qinghua Zhang Volume 2008, Article ID 723292, 7 pages

Stability Guaranteed Active Fault-Tolerant Control of Networked Control Systems, Shanbin Li, Dominique Sauter, Christophe Aubrun, and Joseph Yame´ Volume 2008, Article ID 189064, 9 pages

Reliability Monitoring of Fault Tolerant Control Systems with Demonstration on an Aircraft Model, Hongbin Li, Qing Zhao, and Zhenyu Yang Volume 2008, Article ID 265189, 10 pages

Fault-Tolerant Control of a Distributed Database System, N. Eva Wu, Matthew C. Ruschmann, and Mark H. Linderman Volume 2008, Article ID 310652, 13 pages Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 251973, 2 pages doi:10.1155/2008/251973

Editorial Robustness Issues in Fault Diagnosis and Fault Tolerant Control

Jakob Stoustrup1 and Kemin Zhou2

1 Section for Automation and Control, Department of Electronic Systems, Aalborg University, Fredrik Bajers Vej 7C, 9220 Aalborg, Denmark 2 Department of Electrical and Computer Engineering, Louisiana State University, Baton Rouge, LA 70803, USA

Correspondence should be addressed to Jakob Stoustrup, [email protected]

Received 24 January 2008; Accepted 24 January 2008

Copyright © 2008 J. Stoustrup and K. Zhou. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Fault diagnosis and fault tolerant control have become criti- The robust fault detection and isolation problem is stud- cally important in modern complex systems such as aircrafts ied in the paper by E. Mazars et al., where an H criterion is and petrochemical plants. Since no system in the real world used, giving rise to a quadratic matrix inequality problem. A can work perfectly at all time under all conditions, it is crucial jet engine example is provided. to be able to detect and identify the possible faults in the sys- D. Campos-Delgado et al. suggest an active fault-tolerant tem as early as possible so that measures can be taken to pre- control, and a design strategy is provided, which takes model vent significant performance degradation or damages to the uncertainty into account. The methods are illustrated for a system. Fault diagnosis is not relevant only for safety critical DC motor example. systems, but also for a significant number of systems, where Systems that can be described by linear parameter vary- availability is a major issue. ing models are considered by S. Grenaille et al. where robust- In the past twenty some years, fault diagnosis of dynamic ness constraints are included in the design of fault detection systems has received much attention and significant progress and isolation filters. An illustration of the methods is given has been made in searching for model-based diagnosis tech- in terms of an application to a nuclear power plant. niques. Many techniques have been developed for fault detec- A method for design of a diagnosis and a fault tolerant tion and fault tolerant control. However, the issue of robust- control system using an integrated approach is presented in ness of fault detection and fault tolerant control has not been the paper by S. Yang and J. Chen. The design is illustrated for sufficiently addressed. Since disturbances, noise, and model a double inverted pendulum system. uncertainties are unavoidable for any practical system, it is essential in the design of any fault diagnosis/fault tolerant M. Benini et al. present both a linear and a nonlinear fault control system to take these effects into consideration, so that detection and isolation scheme. This paper focuses on robust fault diagnosis/tolerant control can be done reliably and ro- fault diagnosis for an aircraft model, and has extensive simu- bustly. The objective of this special issue is to report some lations. most recent developments and contributions in this direc- The fault tolerant scheme proposed by R. Dionisio and tion. J. Lemos is capable of stabilizing systems with intermittent The special issue is initiated by a paper by P. Zhang and sensor faults. The approach is based on reconstructing the S. Ding, which gives a review of standard fault detection for- feedback signal, using a switching strategy where a model is mulations, focusing on robustness issues for model-based di- used in the intermittent periods. agnosis systems. A design method for actuator fault diagnosis is proposed N. Liu and K. Zhou then study a number of robust fault in the paper by Q. Zhang, where the focus is to obtain robust- detection problems, such as H/H, H2/H,andH/H prob- ness with respect to nonlinear sensor distortion. A numerical lems, and it is shown that these problems share the same op- exampleisgiven. timal filters. The optimal filters are designed by solving an The problem of designing fault tolerant control systems algebraic Riccati equation. for networked systems with actuator faults is treated in the 2 Journal of Control Science and Engineering paper by Li et al. The proposed design method is demonstrated by a numerical example. The notion of a reliability index is introduced by H. Li et al., for monitoring fault tolerant control systems. The reliability is evaluated based on semi-Markov models, and the approach is applied to an aircraft model. The final paper of the special issue by N. Wu et al. addresses fault tolerant control of a distributed database system. The fault tolerant design relies on data redundancy in the partitioned system architecture. Robustness is represented by the introduction of additional states modeling delays and decision errors. The design is based on solving Markovian decision problems. Jakob Stoustrup Kemin Zhou Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 849546, 18 pages doi:10.1155/2008/849546

Review Article On Fault Detection in Linear Discrete-Time, Periodic, and Sampled-Data Systems

P.Zhang and S. X. Ding

Institute for Automatic Control and Complex Systems, Faculty of Engineering, University of Duisburg-Essen, Bismarckstrasse 81 BB, 47057 Duisburg, Germany

Correspondence should be addressed to S. X. Ding, [email protected]

Received 30 April 2007; Accepted 4 October 2007

Recommended by Kemin Zhou

This paper gives a review of some standard fault-detection (FD) problem formulations in discrete linear time-invariant systems and the available solutions. Based on it, recent development of FD in periodic systems and sampled-data systems is reviewed and presented. The focus in this paper is on the robustness and sensitivity issues in designing model-based FD systems.

Copyright © 2008 P. Zhang and S. X. Ding. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION thus the central problem in model-based FDI. This is the first difference of FDI problems from control and standard filter- With the increasing requirements of modern complex con- ing problems, where the focus is put on disturbance atten- trol systems on safety and reliability, model-based fault de- uation. Bearing this in mind, full-decoupling problem and tection and isolation (FDI) technology has attracted remark- optimal design of FDI systems have been studied [3–6]and able attention during the last three decades [1–6]. In major different types of indices have been introduced to describe industrial sectors, it has become an important supporting the sensitivity to the faults. Secondly, for the purpose of FDI, technology and is replacing the traditional hardware redun- a fault indicating signal, called residual, needs not only to be dancy technique in part or totally. As a standard functional generated, but also to be evaluated and, based on it, a deci- module, FDI systems are increasingly integrated in mod- sion for the existence, location, and size of the faults needs ern technical systems and provide valuable information for to be made. Therefore, an FDI procedure includes residual condition-based predictive maintenance, higher-level fault generation and residual evaluation. An integrated design of tolerant control, and plant-wide production optimization. these two parts is needed to guarantee the optimal FDI per- Though closely related to the development of control formance [7]. and filtering theory, there are several distinct features of the In this paper, we will first give a review of some stan- model-based FDI problems that justify the efforts made in dard fault detection (FD) problem formulations in discrete- this field. To evaluate the performance of an FDI system in time systems and the available solutions. There are two types practice, miss alarm rate, false alarm rate, and detection de- of discrete-time model-based FD systems: the parity space lay are the most important criteria that decide the accep- and the observer-based ones. The former is, in its original tance of the methods. It is widely accepted that these func- form, specially dedicated to the discrete-time systems [8], tional requirements can be reformulated as a multi-objective while the latter is analogous to the continuous-time sys- problem. Enhancing the robustness of the FDI system to un- tems and its development shares the same essentials with the known disturbances and modeling errors is an essential ob- continuous-time systems. Perhaps for this reason, besides the jective. However, alone the robustness does not guarantee a early research activity on the parity space approaches, only good FDI performance. The sensitivity of the FDI system to fewstudieshavebeenspecificallydevotedtotheFDprob- faults should be simultaneously improved. To find the best lems in discrete-time systems. Recently, the intensive research compromise between the robustness and the sensitivity is on networked control systems (NCS) and embedded systems 2 Journal of Control Science and Engineering considerably stimulates the study on periodic, sampled-data (i) parity space approaches, which are specific for discrete systems [9]. The integration of data communication net- LTI systems and will be dealt to some details; works into control systems introduces natural periodic be- (ii) the parametrization of observer-based FD systems and havior in the system dynamics and the sampling effect is un- postfilter design schemes; derstood not only in view of the behavior of A/D and D/A (iii) fault detection filter schemes, which are mostly studied converters but also in the context of data transmission among and closely related to robust control theory. the subsystems. It can be observed that the recent studies on Thanks to the well-known relationships between the tech- FD in periodic and sampled-data systems are mainly based nical features of the discrete- and continuous-time systems, on the discrete-time model-based FD methods. It is this fact many well-established FD schemes for continuous LTI sys- that motivates us to give an overview of some standard FD tems can be directly applied to the latter two FD schemes. For methods for discrete-time systems and, based on it, to re- this reason, we will restrict ourselves to some representative view and present some recent results on FD in periodic and methods and give a brief view of the analog application of sampled-data systems. Bearing in mind that fault isolation the methods for continuous-time systems to the discrete FD problems can be principally reformulated as a robust fault systems. Another focus in this section is on the comparison detection problem [4, 5], our focus in this paper is on the and interpretation of the FD methods. robustness issues in designing model-based FD systems. The paper is organized as follows. In Section 2,wereview FD methods for discrete-time systems and address some im- 2.1. System models and problem formulation portant relations between different methods. Section 3 is de- Suppose that the discrete LTI systems are described by voted to FD in discrete-time periodic systems. In Section 4, FD in sampled-data systems is addressed. ⎧ ⎨x(k +1)= Ax(k)+Bu(k)+E d(k)+E f (k), Throughout this paper, standard notations of robust con- d f ΣLTI : ⎩ trol theory, for instance those used in [10], are adopted. We y(k) = Cx(k)+Du(k)+Fdd(k)+F f f (k), will use σ(X), σ(X) to denote the minimum and maximum (1) singular values of matrix X,respectivelyandσi(X)tode- n p note any singular value of X that satisfies σ(X) ≤ σi(X) ≤ where x ∈ R is the state vector, u ∈ R the vector of con- m nd σ(X). x E denotes the Euclidean norm of vector x, ξ 2 trol inputs, y ∈ R the vector of process outputs, d ∈ R n the l2-norm of discrete-time signal ξ or the L2-norm of the vector of unknown disturbances, and f ∈ R f the vec- continuous-time signal ξ, ξ 2,[a,b) the 2 norm of ξ over the tor of faults to be detected, A, B, Ed, E f , C, D, Fd,andF f are interval [a, b), and G∞ the H∞-norm of transfer function known constant matrices of appropriate dimensions. In the matrix G. The superscript T denotes the transpose of matri- frequency domain, system ΣLTI can be equivalently described ces and the superscript ∗ denotes the adjoint of operators. by RH∞ stands for the subspace that consists of all proper and real rational stable transfer function matrices. In this paper, y(z) = Gu(z)u(z)+Gd(z)d(z)+G f (z) f (z), (2) we call a state-space model (A, B, C, D) regular, if it is detectable and has no invariant zeros on the unit circle and no where Gu(z), Gd(z), and G f (z) denote, respectively, the unobservable modes at the origin. transfer function matrices from u, d,and f to y. Although the design of a model-based FD systems mainly consists of three tasks: (a) residual generation, (b) residual 2. FD OF DISCRETE LTI SYSTEMS evaluation, (c) threshold determination, major research attention has been focused on the residual generation with the Linear time-invariant (LTI) systems are the simplest class of following issues. systems. Although the handling of FD problems in discrete LTI systems can often be done along the well-established (i) Full decoupling problem, which deals with the design of framework of FD schemes for continuos LTI systems, study a residual generator, so that the residual signal r satis- on FD in discrete LTI systems is of primary importance from fies the following three aspects: ∀u, d,limr(k) = 0iff = 0, k→∞ (i) it gives insight and often motivates extensions to more (3) r(k) =0iff (k) =0, i = 1, ..., n . complex systems like periodic and sampled-data sys- i f tems addressed in the subsequent sections; If a full decoupling is realized, then the residual evalu- (ii) there are some methods that have been developed spe- ation reduces to detect the nonzeroness of the residual cially for discrete LTI systems; signal. (iii) due to its practical form for the direct online imple- (ii) Optimal FD problem, which is to design the residual mentation, the discrete-time system form is often fa- generator so that the residual signal r is as small as pos- vored in the applications. sible if f = 0anddeviatesfrom0asmuchaspossible if f (k) =0, i = 1, ..., n . In this section, basic ideas and solution procedures of ad- i f vanced FD methods for discrete LTI systems, divided into Considering that in the fault-free case the residual signal r three groups, will be reviewed: would, due to the existence of d,differ from zero, evaluation P. Zhang and S. X. Ding 3 of the size of r is necessary in order to distinguish the influ- coupling is not achievable or not desired, the FD problem is ence of the faults from that of the disturbances. In this paper, often formulated as to solve the optimization problem the norm-based evaluation of the residual signal, denoted by T T = sup = = r (k)r(k)/f fk,s J r and, based on it, threshold determination satisfying dk,s 0, fk,s 0 k,s max JPS(v ) = max = s = T T vs,vsHo,s 0 vs,vsHo,s 0 sup f =0,d =0 r (k)r(k)/dk,sdk,s = k,s k,s Jth sup r (4) T T f =0,d vsH f ,sH , vs = max f s = T T vs,vsHo,s 0 vsHd,sHd,svs will be briefly reviewed. (10)

2.2. Parity space approach whose solution can be obtained by solving a generalized eigenvalue-eigenvector problem [11]. The parity space approach is based on the so-called parity relation. Let s be an integer denoting the length of a moving Solution to optimization problem (10) time window. The output of system (1) over the moving window [k − s, k] can be expressed by the initial state x(k − s), Let Nbasis denote the basis of the left null space of Ho,s.As- the stacked control input vector uk,s, the stacked disturbance sume that λmax and ps,max are the maximal generalized eigenvector dk,s, and the stacked fault vector fk,s as value and the corresponding eigenvector to the generalized eigenvalue-eigenvector problem yk,s = Ho,sx(k − s)+Hu,suk,s + Hd,sdk,s + H f ,s fk,s,(5) T T − T T = ps,max NbasisH f ,sH f ,sNbasis λmax NbasisHd,sHd,sNbasis 0, where (11) ⎡ ⎤ ξ(k − s) then optimization problem (10)issolvedby ⎢ ⎥ ⎢ξ(k − s +1)⎥ = ⎢ ⎥ = (12) ξk,s ⎢ . ⎥ with ξ standing for y, u, d, f , vs ps,max Nbasis. ⎣ . ⎦ ξ(k) It is pointed out in [12] that the solutions of a full decou- ⎡ ⎤ pling or (10) are achieved at the cost of (considerably) re- ⎡ ⎤ DO··· O C ⎢ ⎥ duced fault detectability. This can be immediately seen with ⎢ ⎥ ⎢ . . ⎥ ⎢ CA⎥ ⎢ .. . ⎥ a look at the dynamics of the residual signal = ⎢ ⎥ = ⎢ CB D . ⎥ Ho,s ⎢ . ⎥ , Hu,s ⎢ ⎥ , ⎣ . ⎦ ⎣ . .. .. ⎦ . . . . O r(k) = vs yk,s − Hu,suk,s = vs H f ,s fk,s + Hd,sdk,s (13) s CA CAs−1B ··· CB D which shows that the influence of the fault expressed (6) by vsH f ,s is structurally reduced to a minimum, that is, rank (v H ) = 1. Reference [12] proposed the use of a par- H and H are constructed similarly as H and can be s f ,s d,s f ,s u,s ity matrix V , achieved by replacing , ,respectively,by , and , . s B D Ed Fd E f F f To satisfy the requirement on the residual signal, a residual r(k) = Vs yk,s − Hu,suk,s = Vs H f ,s fk,s + Hd,sdk,s (14) generator can be constructed as instead of a parity vector aiming at enhancing the influence r(k) = vs yk,s − Hu,suk,s ,(7)of the faults on the residual signal. To this end, the following optimization problems are formulated as where a design parameter vs called parity vector is introduced to modulate the residual dynamics and improve the sensitiv- max JPS,∞/∞ Vs Vs,VsHo,s=0 ity of the residual to the faults and the robustness to the dis- sup T ( ) ( ) T = dk,s=0, fk,s =0 r k r k /fk,s fk,s turbances and the initial state. Usually, vsHo,s 0isrequired = max = T T (15) to eliminate the influence of the initial state and the past in- Vs,VsHo,s 0 sup = = r (k)r(k)/d dk,s fk,s 0,dk ,s 0 k,s put signals (before the time instant k − s). 2 σ VsH f ,s If the existence condition = max , = 2 Vs,VsHo,s 0 σ VsHd,s rank Ho,s Hd,s H f ,s > rank Ho,s Hd,s (8) max JPS,−/∞ Vs V ,V H =0 s s o,s T T inf d =0, f =0 r (k)r(k)/f fk,s is satisfied, then a full decoupling from both the initial state = max k,s k,s k,s = T T (16) and the disturbances can be achieved by solving Vs,VsHo,s 0 sup = = r (k)r(k)/d dk,s fk,s 0,dk ,s 0 k,s 2 σ VsH f ,s vs Ho,s Hd,s = 0, vsH f ,s =0, (9) = max , = 2 Vs,VsHo,s 0 σ V H s d,s 2 for , that is, lies in the intersection between the left null σ VsH f ,s vs vs max JPS, ∞ V i = i/ s = max . (17) Vs,VsHo,s 0 = 2 space of [Ho,s Hd,s] and the image space of H f ,s.Ifafullde- Vs,VsHo,s 0 σ VsHd,s 4 Journal of Control Science and Engineering

The difference in optimization problems (15)-(16)con- In practice, false alarm rate and miss detection rate are sists in that the former considers the maximal influence of two important technical features for the performance eval- the faults on the residual amplitude, while the latter considers uation of a fault detection system. Below, we will introduce the minimal influence. Optimization problem (17)isagen- these two concepts in the context of the norm-based resid- eralization of (15)-(16) and takes into account the fault sen- ual evaluation (22) and briefly compare the above-presented sitivity in different directions. The achievable optimal perfor- parity space solutions. mance index of optimization problem (15) is the same with Jth setting under a given false alarm rate.Consider(23) that of (10). At the end of this subsection, we will show that and denote the upper bound of dk,s E by δd. In the con- the solution of (17) would lead to maximizing the fault de- text of norm-based evaluation, the objective of Jth setting is tectability in the context of a tradeoff between false alarm rate to ensure that any disturbance whose size is not larger than and fault detectability. the tolerant limit should not cause an alarm. To express the strongest disturbance that is allowed without causing a false Solution to optimization problems (15), (16),and(17) alarm in relation to δd, we define false alarm rate (FAR) as α α A solution to optimization problem (17) that also solves FAR = 1 − ,0≤ α ≤ δd =⇒ 0 ≤ 1 − ≤ 1, (25) (15)-(16) simultaneously is given in [12] as follows, which δd δd is derived based on the observation that for any matrices X1 that is, those disturbances whose size is not larger than α = and X2 of compatible dimensions, (1 − FAR)δd should not cause an alarm. Suppose that the allowable FAR is now given. It is straightforward that the σ X X ≤ σ X σ X , 1 2 1 2 threshold should be set as σ X X ≤ σ X σ X , (18) 1 2 1 2 Jth = ασ VsHd,s = (1 − FAR)δdσ VsHd,s . (26) σi X1X2 ≤ σ X1 σi X2 . Note that in the norm-based residual evaluation, Jth is often Assume that there is the following singular value decompo- set as δ σ(V H ) which leads to a zero FAR but may result sition (SVD): d s d,s in a very conservative Jth setting. T NbasisHd,s = U SOV , (19) To express the miss detection rate (MDR), we introduce the set of detectable faults. Note that a fault can be detected where U and V are unitary matrices, S = diag{σ1, ..., σγ}, if and only if then optimization problems (15), (16), and (17)aresolved ⇐⇒ by r E >Jth Vs Hd,sdk,s + H f ,s fk,s E >Jth. (27)

−1 T Vs = PsS U Nbasis, (20) Hence, the set of detectable faults (SDF) ΩDE(Vs, Jth, d)isde- ﬁned as follows: given Vs and Jth where P is any unitary matrix of compatible dimensions. s = | Note that the solutions to the above optimization prob- ΩDE Vs, Jth, d fk,s (27) is satisﬁed . (28) lems are not unique. For instance, an alternative optimal so- Given Jth, a parity space matrix V delivers a residual sig- lution for problem (16)is s,opt nal with the lowest MDR if

Vs = PsPNbasis, (21) ∀Vs, ΩDE Vs, Jth, d ⊆ ΩDE Vs,opt, Jth, d , (29) where P is the left inverse of NbasisH f ,s. On the other side, only solution (20)solves(15), (16), and (17) simultaneously. that is, ΩDE(Vs,opt, Jth, d) includes the largest number of de- For this reason, (20) is called unified parity space solution. tectable faults, which is equivalent with the lowest MDR. To detect the faults successfully, the generated residual The subsequent comparison study is done in the con- signal should be further evaluated. For a residual signal gen- text of maximizing SDF (i.e., minimizing MDR) under a given erated by means of the parity space approach, the Euclidean FAR. norm defined by Note that (27) can be, according to (19), rewritten into Vs Hd,sdk,s + H f ,s fk,s J = r(k) = rT (k)r(k) (22) E E > (1 − FAR)δ σ V H d s d,s is a reasonable evaluation function. It follows from (14)and T −1 T ⇐⇒ Q IOV dk,s + QS U NbasisH f ,s fk,s (4) that the corresponding threshold is determined by E (30) − T = = > (1 FAR)δdσ Q IOV Jth sup r(k) E σ VsHd,s max dk,s E. (23) f =0,d −1 T by setting Vs = QS U Nbasis,forsomeQ. Based on the decision logic It turns out that ∀Q =0, (30) holds only if ( ) ≤ th =⇒ fault-free, otherwise faulty, (24) r k E J T −1 T IOV dk,s + S U NbasisH f ,s fk,s > (1 − FAR)δd. E a decision for the occurrence of a fault can be finally made. (31) P. Zhang and S. X. Ding 5

It means that a parity matrix that ensures (31) would pro- (iv) The algebraic form of the parity-space-based FD sys- vide a maximal SDF. Note that the uniﬁed parity space solu- tem allows a statistic test and norm-based resid- tion (20)deliversexactly(31). Thus, theuniﬁedparityspace ual evaluation and threshold determination [19]. It solution maximizes SDF (i.e., minimizes MDR) under a given may well bridge the statistical methods [1] and the FAR. observer-based methods. For comparison, denote the SVD of NbasisH f ,s by (v) In the framework of parity-space-based FD system design, system dynamic features like transmission zeros, = T NbasisH f ,s U f S f O V f . (32) zeros in the right half plane (RHP), and so forth are not taken into account. This may cause trouble at the Then the vector-valued solution (12) to optimization prob- online implementation. Also for this reason, we are lem (10) and the matrix-valued solution (21) to optimization of the opinion that the strategy of parity space de- problem (16) can be, respectively, rewritten into sign, observer-based implementation would be helpful

−1 T to solve this problem. vs = psS U Nbasis,

−1 T 2 T −1 − = ps S U U f S f U f US λmax I 0, (33) 2.3. Parametrization of FD systems and

= −1 T −1 T postﬁlter design Vs PsS f U f US S U Nbasis.

−1 T Observer-based FD system design for continuous LTI sys- Since, generally, ps, PsS f U f US are not unitary matrices, we tems has been widely studied in the literature [3–6]. In this have finally and the next subsections, the analog form of those known results will be briefly reviewed. Attention will be paid to the Ω V , Jth, d ⊂ Ω V , Jth, d , V = p N , DE s DE s,opt s s,max basis comparison study when it is special for discrete LTI systems. −1 T Vs,opt = PsS U Nbasis, Let (Mu(z), Nu(z)) be a left coprime factorization pair of −1 ( ), that is, ( ) = ( ) ( ), ( ), ( ) ∈ RH∞ Ω V , Jth, d ⊂ Ω V , Jth, d , V = P PN , Gu z Gu z Mu z Nu z Mu z Nu z DE s DE s,opt s s basis [10]. In [20], a parametrization of all LTI residual generators −1 T Vs,opt = PsS U Nbasis. for system (1)describedby (34) r(z) = R(z) M (z)y(z) − N (z)u(z) (35) With the following remarks we would like to conclude this u u subsection. is presented, where R(z) ∈ RH∞ is the so-called post- (i) Parity-space-based FD system design is characterized filter that is arbitrarily selectable. Suppose that Gu(z) = by the simple mathematical handling. It only deals (A, B, C, D) is a detectable state space realization of Gu(z). with matrix- and vector-valued operations. This fact Then Mu(z), Nu(z) can be computed as follows [10]: attracts attention from the industry for the application of parity-space-based methods. −1 Mu(z) = I − C(zI − A + LC) L, (ii) There is a one-to-one relationship between the parity- (36) −1 space approach and the observer-based approach that Nu(z) = D + C(zI − A + LC) (B − LD). allows the design of an observer-based residual gen- eratorbasedonagivenparityvector[13, 14]. Based It is now a well-known result that on this result, a strategy called parity-space design, − = − observer-based implementation has been developed, (i) Mu(z)y(z) Nu(z)u(z) y(z) y(z), where y(z) is the which makes use of the computational advantage of output estimation delivered by a full-order observer; RH parity-space approaches for the FD system design (se- (ii) given L1 and L2, there exists an ∞-invertible post- = − −1 − lection of a parity vector or matrix) and then realizes filter Q(z) I + C(zI A + L1C) (L2 L1) so that the solution in the observer form to ensure a numer- − ically stable and less consuming online computation. Mu,L1 (z)y(z) Nu,L1 (z)u(z) This strategy has been successfully used in the sensor- (37) = Q(z) M (z)y(z) − N (z)u(z) , fault detection in vehicles [15]. u,L2 u,L2 (iii) In the parity-space approaches, a high order s will improve the optimal performance index JPS but, on where (Mu,L1 (z), Nu,L1 (z)) and (Mu,L2 (z), Nu,L2 (z)) are the other side, increase the online computational ef- the left coprime factorization pair of Gu(z), which are fort [16]. By introducing a low-order IIR (infinite im- computed according to (36)withL = L1 and L = L2, pulse response) filter, the performance of the parity- respectively. relation-based residual generator can be much im- (iii) all LTI residual generators can be expressed by a se- proved without significant increase of the order of ries connection of a full-order observer and a postfilter, the parity relation [17]. Similar effect can be achieved and are therefore called observer-based residual gener- by the closed-loop-observer-based implementation, as ators. Moreover, the selection of the postfilter can be pointed out by [18]. done independent of the observer design. 6 Journal of Control Science and Engineering

Due to the latter fact, we concentrate in this subsection on becomesmorepopular,whereγ, β are some constants. The the selection of R(z). The dynamics of a residual generator FD system design is often formulated as maximizing β under (35)isgovernedby agivenγ. The third index type is often met in the robust control theory and formulated as = r(z) R(z)Mu(z) Gd(z)d(z)+G f (z) f (z) . (38) J f −d = α f R(z)Mu(z)G f (z) − αd R(z)Mu(z)Gd(z) , The full decoupling problem is to ﬁnd the postﬁlter R(z)so (46) that where α f , αd > 0 are some given constants. The FD sys- R(z)M (z)G (z) = 0, R(z)M (z)G (z) =0. (39) tem design is then achieved by maximizing J f −d. In [22], it u d u f has been demonstrated that the above three types indices are

If the l2-norm of the residual signal is used as evaluation equivalent in a certain sense. With this fact in mind, in this function, then the optimal FD problem is formulated as op- paper we only consider optimizations under ratio-type in- timization problems dices (40)–(43). R(z)M (z)G (z) Solution to optimization problems – = u f ∞ (40) (42) sup JFRE,∞/∞(R) sup , R(z)∈RH∞ R(z)∈RH∞ R(z)Mu(z)Gd(z) ∞ Let Mu(z)Gd(z) = Gdo(z)Gdi(z) be a co-inner-outer factor- (40) RH ization of Mu(z)Gd(z)[10], where Gdo(z) is the ∞-left- R(z)Mu(z)G f (z) − invertible co-outer, Gdi(z) is the co-inner containing all the sup JFRE,−/∞(R) = sup , right half complex plane zeros of Mu(z)Gd(z) and satisfying R(z)∈RH∞ R(z)∈RH∞ R(z)Mu(z)Gd(z) ∞ ∗ Gdi(z)G (z) = I. Based on the relations (41) di G (z)G (z) ≤ G (z) G (z) , sup JFRE,i/∞(R) 1 2 ∞ 1 ∞ 2 ∞ R(z)∈RH∞ ≤ G1(z)G2(z) − G1(z) ∞ G2(z) − σ R e jω M e jω G e jω (42) = i u f σ G e jω G e jω ≤ G (z) σ G e jω , ∀i, sup i 1 2 1 ∞ i 2 R(z)∈RH∞ R(z)Mu(z)Gd(z) ∞ (47) sup JFRE,2/2(R) 1× ithasbeenprovenin[23, 24], similar to the results for con- R(z)∈RH∞ m tinuous LTI systems given in [22] and recently in [25], that 2π = jω jω jω ∗ jω optimization problems (40)–(42) are solved simultaneously sup R e Mu e G f e G f e 1× R(z)∈RH∞ m 0 by 2π = −1 × ∗ jω ∗ jω jω R(z) Gdo (z). (48) Mu e R e dω R e 0 For this reason, (48) is called unified solution. × M e jω G e jω G∗ e jω M∗ e jω u d d u Another solution to optimization problem (41), if G f (z) is RL∞-left-invertible, is × R∗ e jω dω , = −1 R(z) G fo(z), (49) (43) where G fo(z) is the co-outer of Mu(z)G f (z). jω jω jω The main purpose of the co-inner-outer factorization is where σi(R(e )Mu(e )G f (e )) represents the fault sensitivity at different levels at the frequency ω, to separate the nonminimum phase zeros so that the rest part RH of Mu(z)Gd(z)orMu(z)G f (z)is ∞-left invertible. Note jω jω jω R(z)Mu(z)G f (z) − = inf σ R e Mu e G f e that the co-inner-outer factorization is not unique. There- ω fore, the optimal postfilter R(z) is also not unique [26]. jω jω jω = inf σi R e Mu e G f e ω,i (44) Solution to optimization problem (43) though not a norm, it is interpreted as the worst-case fault The optimal solution to optimization problem (43)isafre- sensitivity. Optimization problems (40), (41), and (43)are quency selector as follows [27]: often called the H∞/H∞, H−/H∞,andH2/H2 optimization, = = R(z) fω0 (z)p(z), JFRE,2/2,opt sup λmax (ω), (50) respectively. ω The ratio-type performance index given in (40)and(43) where fω0 (z) is an ideal frequency-selective filter with the se- is the first one that was introduced for the FD purpose [11, lective frequency at ω0, which satisfies 21]. Currently, the index of the form jω jω = = fω0 e q e 0, ω ω0 R(z)Mu(z)Gd(z) <γ, R(z)Mu(z)G f (z) >β 2π jω jω ∗ jω ∗ jω (51) fω0 e q e q e fω0 e dω 0 (45) jω0 ∗ jω0 T = q e q e , ∀q z ∈ RH2, P. Zhang and S. X. Ding 7

jω λmax (ω), p(e ) are, respectively, the maximal generalized where the observer gain matrix L and the weighting matrix eigenvalue and corresponding eigenvector of the following W are design parameters. Due to its state space expression generalized eigenvalue-eigenvector problem: and close relation to the observer design, FDF study receives most research attention. The dynamics of residual generator jω jω jω ∗ jω ∗ jω p e λmax ω Mu e Gd e Gd e Mu e (57)isgovernedby (52) jω jω ∗ jω ∗ jω − Mu e G f e G e M e = 0 f u r(z) = Grd(z)d(z)+Grf(z) f (z),

−1 Grd(z) = W Fd + C(zI − A + LC) Ed − LFd , (58) and ω0 is the frequency at which λmax (ω) achieves its maxi- −1 mum, that is, Grf(z) = W F f + C(zI − A + LC) E f − LF f .

λmax (ω0) = sup λmax (ω). (53) In the FDF design, the full-decoupling problem is to design ω L and W such that In practice, usually a narrow bandpass filter is implemented G (z) = 0, G (z) =0 (59) as frequency selector. From the viewpoint of FAR and MDR, rd rf the frequency selector may cause loss of fault sensitivity and whiletheoptimalFDproblemsareformulatedsoasto restrict the application of the H2/H2 optimal residual gener- choose matrices L, W that solve the optimization problem ator. [5, 7, 31] Recently, [27] reported a very interesting result on the relationship between the parity-space vector and the solution Grf(z)∞ sup J ∞ ∞(L, W) = sup , (60) to optimization problem (43). It has been shown that OBS, / G (z) L,W L,W rd ∞ T T Grf(z) − vsH f ,sH vs f ,s sup JOBS,−/∞(L, W) = sup , (61) lim min = λmax ωopt (54) s→∞ v T T L,W L,W Grd(z) ∞ s vsHd,sHd,svs jω σi Grf e sup JOBS, ∞(L, W) = sup . (62) and lim s→∞vs correspond to a bandpass filter. This result not i/ L,W L,W Grd(z) ∞ only reveals the physical interpretation of the standard optimal selection of parity vectors but also provides us with Solution to optimization problems (60)–(62) an efficient tool to approximate the optimal solution to optimization problem (43).Moreover,basedonit,advanced Because the FDF (57)isaspecialcaseof(35), the optimal parity-space approaches using wavelet transform have been solutions to optimization problems (60)–(62)canbederived proposed [28, 29]. based on the state space realization of the optimal postfilter As to the residual evaluation and threshold determina- R(z)givenby(48), as shown in [24]. A unified optimal so- tion, the l2-norm is the mostly used evaluation function, lution to optimization problems (60)–(62) is associated to a which leads to discrete-time algebraic Riccati system (DTARS) [24, 32]. As- sume that (A, Ed, C, Fd) is regular, then J =r2, = = (55) =− T = Jth sup r 2 R(z)Mu(z)Gd(z) ∞ max d 2. L Ld , W Wd (63) f =0,d solve optimization problems (60)–(62) simultaneously, In case of applying the unified solution (48), we have where Wd is the left inverse of a full column rank matrix Hd T T T satisfying HdH = CXdC + FdF and (Xd, Ld) is the stabi- = = d d Jth sup r 2 max d 2. (56) lizing solution to the DTARS = f 0,d AX AT − X + E ET AX CT + E FT I Analog with the results in [30] and the discussion in the last d d d d d d d = 0. (64) CX AT + F ET CX CT + F FT L subsection, it can be proven that the unified solution (48) d d d d d d d minimizes MDR under a given FAR, where MDR and FAR An alternative solution to optimization problem (61), if are defined in the context of the norm-based residual evalu- (A, E , C, F )isregular,isgivenby ation. f f =− T = L L f , W W f , (65) 2.4. fault detection filter design where W f is the left inverse of a full column rank matrix H f fault detection filter (FDF) is a special kind of observer-based T = T T satisfying H f H f CXf C + F f F f and (X f , L f ) is the stabi- FD systems (35) with a constant postfilter and constructed as lizing solution to the DTARS

= − x(k +1) Ax(k)+Bu(k)+L y(k) y(k) , AX AT − X + E ET AX CT + E FT f f f f f f f I = = − T T T T 0. r(k) W y(k) y(k) , (57) CXf A + F f E f CXf C + F f F f L f y(k) = Cx(k)+Du(k), (66) 8 Journal of Control Science and Engineering

Recently, application of LMI-technique (linear matrix in- The FD problem of periodic systems has been considered in equality) to solve (60)and(61) for continuous LTI systems [24, 32, 43–45]. Basically, there are two ways to handle the has been reported [33–36]. The core of those approaches FD problem of LTP systems, as shown below. consists in formulating (60)or(61) as a multiobjective op- 3.1. FD schemes based on lifted LTI reformulation timization problem and solving them based on an iterative computation of two LMIs. It can be proven that these so- It is well known that there is a strong correspondence be- lutions can, in the ideal case, converge to the optimal solu- tween discrete LTP systems and discrete LTI systems [42]. tion (63). The extension of these results to the discrete FDF Therefore, FD system design for the LTP system (72)canbe is straightforward and will not be discussed in this paper. carried out as follows: At the end of this subsection, we would like to introduce (i) lift the LTP system (72) into a discrete LTI system, a very interesting result achieved by the comparison study (ii) design residual generator(s) based on the lifted LTI re- between the well-known Kalman-filter-based residual gener- formulation, ation [37] and the unified solution (63). Given system (iii) using either parallel residual generators or select the parameters of the residual generator to satisfy the x(k +1)= Ax(k)+Bu(k)+Edζ(k), (67) causality condition. y(k) = Cx(k)+Du(k)+Fdη(k), Let ΨA(k)(k1, k0)(k1 ≥ k0) denote the state transition where ζ(k), η(k) are independent zero-mean Gaussian white matrix of LTP system (72) noise processes with cov(ζ(k)ζT (k)) = I,cov(η(k)ηT (k)) = if = , I, then a Kalman filter with = I k1 k0 ΨA(k) k1, k0 A k1 − 1 A k1 − 2 ···A k0 if k1 >k0. x k+1 | k =Ax k | k−1 +Bu(k) +L y(k)− y k | k−1 , (73) (68)

y k | k − 1 = Cx k | k − 1 + Du(k), (69) Periodic system (72) can be lifted into a discrete LTI system described by [42] −1 L = APCT CPCT + R , R = F FT (> 0), (70) d d = − xτ (k +1)θ + τ Aτ xτ (kθ + τ)+Bτ uτ (kθ + τ) T − − T T 1 T T = APA P APC CPC +R CPA +EdEd 0, P>0, + Ed,τ dτ (kθ + τ)+E f ,τ fτ (kθ + τ), (71) (74) y (kθ + τ) = C x (kθ + τ)+D u (kθ + τ) delivers an innovation as residual signal, where x(k | k − 1) is τ τ τ τ τ a prediction of x(k) based on the data up to k−1. Comparing + Fd,τ dτ (kθ + τ)+F f ,τ fτ (kθ + τ), the above Kalman filter algorithm with the unified solution where τ is an integer between 0 and θ − 1 denoting the initial (63) makes it clear that both solutions are quite similar. In- time, the state vector of the lifted system is x (kθ+τ) = x(kθ+ deed, (67) can be brought into the general form of (1)by τ τ), η with η standing for u, y, d, f is the augmented signal = T T T τ letting d [ ζ η ] and, as a result, (71) can be regarded as a defined by special case of (64). Remember that the Kalman filter deliv- ⎡ ⎤ η(kθ + τ) ers, in the context of statistic tests, a minimum MDR under a ⎢ ⎥ given FAR. In comparison, in the context of norm-based def- ⎢ η(kθ + τ +1) ⎥ = ⎢ ⎥ inition of MDR and FAR, the unified solution (63)provides ητ (kθ + τ) ⎢ . ⎥ , ⎣ . ⎦ us with the same result. η(kθ + τ + θ − 1) 3. FD OF DISCRETE-TIME LINEAR PERIODIC SYSTEMS A = Ψ (τ + θ, τ), τ A(k) ! ··· In this section, we review some recent results on FD in dis- Bτ = X Y Z , crete linear time periodic (LTP) systems. LTP is a special kind ⎡ ⎤ C(τ) of linear time-varying systems described by ⎢ ⎥ ⎢ C(τ +1)Ψ (τ +1,τ) ⎥ ⎧ ⎢ A(k) ⎥ ⎪ Cτ = ⎢ . ⎥ , ⎪x(k +1) ⎣ . ⎦ ⎨⎪ . = A(k)x(k)+B(k)u(k)+E (k)d(k)+E (k) f (k), d f C(τ + θ − 1)ΨA(k)(τ + θ − 1, τ) ΣLTP : ⎪ ⎪y(k) ⎡ ⎤ ⎪ D O ··· O ⎩ = ⎢ τ,1,1 ⎥ C(k)x(k)+D(k)u(k)+Fd(k)d(k)+F f (k) f (k), ⎢ ⎥ ⎢ .. . ⎥ ⎢Dτ,2,1 Dτ,2,2 . . ⎥ (72) D = ⎢ ⎥ , τ ⎢ . . . ⎥ ⎣ . .. .. ⎦ where A(k), B(k), C(k), D(k), Ed(k), E f (k), Fd(k), and F f (k) . O are known bounded and real periodic matrices of period θ, D , ,1 ··· D , , −1 D , , ⎧ τ θ τ θ θ τ θ θ that is, ∀k, A(k + θ) = A(k), and so forth. There is not ⎪D(τ + i − 1) for i= j, only continuous interest and development of periodic con- ⎨ = − − Dτ,i,j ⎪C(τ + i 1)ΨA(k)(τ + i 1, τ + j) trol and filtering theory [38–42], but also increasing appli- ⎩⎪ cations of periodic control in practice like helicopter vibra- B(τ + j − 1) for i>j, tion control, satellite attitude control as well as wind turbine. (75) P. Zhang and S. X. Ding 9

where Bτ,1 = ΨA(k)(τ + θ, τ +1)B(τ), Bτ,2 = ΨA(k)(τ + θ, τ + r(kθ + τ + j) = − 2)B(τ +1),Bτ,θ B(τ + θ 1) ,andEd,τ , Fd,τ and E f ,τ , F f ,τ = [ Wτ,j+1,1 ··· Wτ,j+1,j+1 ] ⎛⎡ ⎤ ⎡ ⎤⎞ are deﬁned in a way similar to Cτ , Dτ . y(kθ + τ) y(kθ + τ) ⎜⎢ ⎥ ⎢ ⎥⎟ ⎜⎢ . ⎥ ⎢ . ⎥⎟ × ⎝⎣ . ⎦ − ⎣ . ⎦⎠ , 3.1.1. Observer-based FD system design and y(kθ + τ + j) y(kθ + τ + j) implementation y(kθ + τ + j) Assume that (A(k), C(k)) is detectable. Then (A , C )isde- = C(τ + j)Ψ ( )(τ + j, τ)x (kθ + τ) τ τ A k τ ⎡ ⎤ tectable and an observer-based LTI residual generator can be u(kθ + τ) designed based on lifted reformulation (74)as ! ⎢ ⎥ ··· ⎢ . ⎥ + Dτ,j+1,1 Dτ,j+1,j+1 ⎣ . ⎦ ,

u(kθ + τ + j) x τ (k +1)θ + τ = Aτ x τ (kθ + τ)+Bτ u τ (kθ + τ) = − j 0, 1, ..., θ 1. − + Lτ yτ (kθ + τ) yτ (kθ + τ) , (78) (76) r (kθ + τ) = W y (kθ + τ) − y (kθ + τ) , In this case, the state estimation is still updated at every τ τ τ τ θ time instants, but at each time instant kθ + τ + j, j = 0, 1, ..., θ − 1, a residual signal r(kθ + τ + j)is y (k) = C x (kθ + τ)+D u (kθ + τ), τ τ τ τ τ calculated from control input and measured outputs available up to the time instant kθ + τ + j. where Lτ and Wτ are constant matrices and can be designed with FD approaches for the discrete LTI systems intro- 3.1.2. Parity-relation-based FD system design and duced in the last section to realize full decoupling or optimal implementation FD. Observer (76) reconstructs the outputs over one period − y(kθ + τ), ..., y(kθ + τ + θ 1) based on the estimation of Similarly, a parity-relation-based LTI residual generator can state vector x(kθ + τ). Both the state vector of observer (76) be built as follows: and the residual signal are updated every θ time instants. In fault detection, the detection delay should be as small rτ (kθ + τ) = Vτ,s y τ,k,s − Hu,su τ,k,s , as possible. Therefore, it is advantageous if a residual signal ⎡ ⎤ y τ (k − s)θ + τ can be obtained at each time instant. To this aim, ⎢ ⎥ ⎢ − ⎥ ⎢yτ (k s +1)θ + τ ⎥ (i) a bank of LTI residual generators (76)canbeused,each ⎢ ⎥ y = ⎢ ⎥ , of which is designed for τ = 0, 1, ..., θ −1, respectively τ,k,s ⎢ . ⎥ ⎣ . ⎦ [43]. This scheme is characterized by a simple design but needs much online computational eﬀorts. yτ (kθ + τ)

(ii) If the weighting matrix Wτ is designed to satisfy the ⎡ ⎤ u τ (k − s)θ + τ causality constraint, that is, Wτ is a lower block trian- ⎢ ⎥ ⎢ − ⎥ ⎢uτ (k s +1)θ + τ ⎥ gular matrix in the form of ⎢ ⎥ (79) u = ⎢ ⎥ , ⎡ ⎤ τ,k,s ⎢ . ⎥ W O ··· O ⎣ . ⎦ ⎢ τ,1,1 ⎥ ⎢ ⎥ ⎢ . . ⎥ uτ (kθ + τ) ⎢W W .. . ⎥ ⎡ ⎤ = ⎢ τ,2,1 τ,2,2 ⎥ Wτ ⎢ ⎥ , (77) D O ··· O ⎢ . ⎥ ⎢ τ ⎥ ⎢ . .. .. ⎥ ⎢ ⎥ ⎣ . . . O ⎦ ⎢ . . ⎥ ⎢ .. . ⎥ ··· ⎢ Cτ Bτ Dτ . ⎥ Wτ,θ,1 Wτ,θ,θ−1 Wτ,θ,θ H = ⎢ ⎥ , u,s ⎢ ⎥ ⎢ . .. .. ⎥ ⎣ . . . O ⎦ then, for a given integer τ, the residual generator (76) s−1 ··· can be implemented as Cτ Aτ Bτ Cτ Bτ Dτ where is a constant parity matrix, Vτ,s x τ (k +1)θ + τ ⎡ ⎤ ⎢ Cτ ⎥ = ⎢ ⎥ Aτ xτ (kθ + τ)+Bτ uτ (kθ + τ) ⎢Cτ Aτ ⎥ V ⎢ ⎥ = 0. (80) ⎛⎡ ⎤ ⎡ ⎤⎞ τ,s ⎢ . ⎥ y(kθ + τ) y(kθ + τ) ⎣ . ⎦ ⎜⎢ ⎥ ⎢ ⎥⎟ s ⎜⎢ ⎥ ⎢ ⎥⎟ Cτ Aτ ⎜⎢ . ⎥ − ⎢ . ⎥⎟ + Lτ ⎜⎢ . ⎥ ⎢ . ⎥⎟ , ⎝⎣ ⎦ ⎣ ⎦⎠ To get a residual signal at each time instant, we can use a y(kθ + τ + θ − 1) y(kθ + τ + θ − 1) bank of parity-relation-based residual generators, each one 10 Journal of Control Science and Engineering

for τ = 0, 1, ..., θ − 1, respectively. Alternatively, we can also where Vk is a θ-periodic parity matrix (or vector) that sat- impose a structural constant on parity matrix Vτ,s as isfies VkHo,s,k = 0, equation (85) represents the residual dy- ··· namics. Vτ,s = Vτ,s,0 Vτ,s,1 Vτ,s,s−1 Vτ,s,s , ⎡ ⎤ If the rank condition (Vτ,s,s) O ··· O ⎢ 1,1 ⎥ ⎢ . . ⎥ ⎢ .. . ⎥ rank Ho,s,k Hd,s,k H f ,s,k > rank Ho,s,k Hd,s,k (86) = ⎢(Vτ,s,s)2,1 (Vτ,s,s)2,2 . ⎥ Vτ,s,s ⎢ ⎥ , ⎣ . .. .. ⎦ . . . O holds for any k, then a full decoupling can be achieved by ··· (Vτ,s,s)θ,1 (Vτ,s,s)θ,θ−1 (Vτ,s,s)θ,θ solving (81) = = that is, the last block in Vτ,s is a lower triangular matrix, then Vk Ho,s,k Hd,s,k 0, VkH f ,s,k 0 (87) for a fixed τ, residual generator (79) can be implemented in such a way that only control inputs and measured outputs for Vk over one period at k, k +1,..., k + θ − 1. The residual available up to the time instant kθ + τ + j are needed for the evaluation consists in detecting the deviation of residual r(k) calculation of r(kθ + τ + j), j = 0, 1, ..., θ − 1. from 0. Especially, if 3.2. FD schemes based on periodic model rank Ho,s,0···Ho,s,θ−1 Hd,s,0···Hd,s,θ−1 H f ,s,0···H f ,s,θ−1 In this subsection, we will show that the parity-space ap- > rank Ho,s,0 ··· Ho,s,θ−1 Hd,s,0 ··· Hd,s,θ−1 , proach and the observer-based FD approach can be directly (88) extended to periodic systems, which do not need the temporary step of lifted LTI reformulation and lead to a simplified then the full decoupling can be achieved by a constant par- design and implementation. ity matrix (or vector) Vk. However, condition (88) is rather restrictive in practice. 3.2.1. Periodic parity-space approach In case that a full decoupling is not achievable, optimization problems similar to (15)–(17) are formulated as The extension of the parity-space approach to periodic systems is straightforward, because the parity-space approach 2 can handle each time instant independently [45]. The input- σ VkH f ,s,k max JLTP,PS,∞ ∞ V = max , = / k = 2 output relation of periodic system (72) during the moving Vk,VkHo,s,k 0 Vk ,VkHo,s,k 0 σ VkHd,s,k window [ − , ] can be expressed by (89) k s k 2 σ VkH f ,s,k y , = H , , x(k − s)+H , , u , + H , , d , + H , , f , . (82) k s o s k u s k k s d s k k s f s k k s max JLTP,PS,− ∞ V = max , = / k = 2 Vk,VkHo,s,k 0 Vk ,VkHo,s,k 0 σ VkHd,s,k While the vectors yk,s, uk,s, dk,s,and fk,s in (82)arebuiltin (90) exactly the same way as in the LTI case according to (6), the 2 σ V H , , matrices H , , , H , , , H , , ,andH , , in (82)arenotcon- i k f s k o s k u s k d s k f s k max JLTP,PS, ∞ V = max , = i/ k = 2 stant matrices but the following periodic matrices: Vk,VkHo,s,k 0 Vk ,VkHo,s,k 0 σ VkHd,s,k ⎡ ⎤ (91) C(k − s) ⎢ ⎥ ⎢ − − ⎥ ⎢ C(k s +1)A(k s) ⎥ = ⎢ ⎥ which are solved over one period to get the optimal peri- Ho,s,k ⎢ . ⎥ , ⎣ . ⎦ odic parity matrix Vk. Because the parity-space approach handles each time instant independently and there is no sta- C(k)A(k − 1) ···A(k − s +1)A(k − s) ⎡ ⎤ bility problem, the solutions of problems (87)–(91)ateach D(k − s) O ··· O time instant are independent of each other and can be ob- ⎢ ⎥ ⎢ ⎥ tained following the procedures introduced in Section 2.2. ⎢ .. . ⎥ ⎢C(k − s +1)B(k − s) D(k − s +1) . . ⎥ The threshold Jth can be calculated by (23)or(26)accord- ⎢ ⎥ = ⎢ ⎥ Hu,s,k ⎢ . .. .. ⎥ , ing to the requirement on FAR, while the residual evaluation ⎢ . . . O ⎥ ⎢ ⎥ function is selected as the amplitude (22) of the residual sig- ⎣ C(k)A(k − 1) ··· ··· D(k)⎦ nal. A(k − s +1)B(k − s) If the order s of the parity relation (82) is an integer mul- (83) tiple of the period θ, then the periodic parity-space approach is equivalent with a bank of residual generators (79). In com- Hd,s,k,andH f ,s,k are similar as Hu,s,k with B(j), D(j)replaced, parison, the periodic parity space approach provides more = − respectively, by Ed(j), Fd(j), and E f (j), F f (j), j k s, ..., k. flexibility. The order of the parity relation s needs not to be A periodic residual generator can be built as related to the period .Moreover, may take different val- θ s ues at different time instants. In this case, the threshold for r(k) = Vk yk,s − Hu,s,kuk,s , (84) the residual evaluation may need to be chosen differently at (a) = Vk Hd,s,kdk,s + H f ,s,k fk,s , (85) different time. P. Zhang and S. X. Ding 11

3.2.2. Periodic observer-based approach where W f (k) is the left inverse of a full column rank ma- T = T trix H f (k) satisfying H f (k)H f (k) C(k)X f (k)C (k)+ Assume that (A(k), C(k)) is detectable. A periodic observer- T based residual generator can be constructed as F f (k)F f (k), and (X f (k), L f (k)) is the stabilizing solution to the DPRS x(k +1)= A(k)x(k)+B(k)u(k)+L(k) y(k) − y(k) , = − Ω f ,11 Ω f ,12 I r(k) W(k) y(k) y(k) , × = T 0, (99) y(k) = C(k)x(k)+D(k)u(k), Ω f ,12 Ω f ,22 L f (k) (92) = T − T where L(k)andW(k)areθ-periodic observer gain matrix where Ω f ,11 A(k)X f (k)A (k) X f (k +1)+E f (k)E f (k), = T T = and weighting matrix, respectively. The residual dynamics is Ω f ,12 A(k)X f (k)C (k)+E f (k)F f (k), and Ω f ,22 T T governed by C(k)X f (k)C (k)+F f (k)F f (k). It is interesting to note the following connections between different approaches. e(k +1)= A(k)−L(k)C(k) e(k)+ E (k)−L(k)F (k) d(k) d d (i) Periodic observer-based residual generator (92)canbe + E f (k) − L(k)F f (k) f (k), rewritten into the form of lifted reformulation-based = r(k) W(k) C(k)e(k)+Fd(k)d(k)+F f (k) f (k) , LTI observer (76)with (93) ··· where e(k) = x(k) − x(k). Lτ = Lτ,1 Lτ,2 Lτ,θ , To enhance the robustness of the FD system to the un- = − ( + , + ) ( + − 1), known disturbances without loss of the sensitivity to the Lτ,i ΨA(k) L(k)C(k) τ θ τ i L τ i ⎡ ⎤ faults, the optimal design problem is formulated as W O ··· O ⎢ τ,1,1 ⎥ ⎢ ⎥ sup J ∞ ∞ L(k), W(k) ⎢ . . ⎥ LTP,OBS, / ⎢ . . ⎥ L(k),W(k) ⎢Wτ,2,1 Wτ,2,2 . . ⎥ W = ⎢ ⎥ , (94) τ ⎢ . ⎥ sup d=0, f ∈l −{0} r 2/ f 2 ⎢ . .. .. ⎥ = 2 ⎣ . . . O ⎦ sup , L(k),W(k) sup f =0,d∈l2−{0} r 2/ d 2 W , ,1 ··· W , , −1 W , , τ θ τ θ θ τ θ θ sup JLTP,OBS,− ∞ L(k), W(k) / Wτ,i,j = W(τ + i − 1), if i = j, L(k),W(k) (95) =− − − inf d=0, f ∈l −{0} r2/ f Wτ,i,j W(τ + i 1)C(τ + i 1) = sup 2 2 . sup = ∈ −{ } r /d L(k),W(k) f 0,d l2 0 2 2 × ΨA(k)−L(k)C(k)(τ + i − 1, τ + j)L(τ + j − 1) The solutions of optimization problems (94)-(95)arede- if i>j, i = 1, 2, ..., θ, j = 1, 2, ..., θ. rived by solving an equivalent optimization problem for the (100) cyclically lifted LTI systems first and then recover the periodic matrices L(k)andW(k)[24]. Recalling the discussion in Section 3.1.1, the physical meaning is that the periodic observer-based residual Solution to optimization problems (94)-(95) generator naturally satisfies the causality condition. It is further proven that, if the parameters ( ( ), ( )) Assume that (A(k), Ed(k), C(k), Fd(k)) is regular. Then L k W k of the periodic observer-based residual generator (92) =− T = L(k) Ld (k), W(k) Wd(k) (96) solve optimization problems (94)or(95), then the parameters (L , W )oftheLTIobserver(76)gotby(100) solve optimization problems (94)-(95) simultaneously, τ τ will solve optimization problems in the form of (60)- where Wd(k) is the left inverse of a full column rank ma- T = T (61). trix Hd(k) satisfying Hd(k)Hd (k) C(k)Xd(k)C (k)+ T (ii) Similar as in LTI systems, the periodic parity-space Fd(k)Fd (k), and (Xd(k), Ld(k)) is the stabilizing solution to the difference periodic Riccati system (DPRS) approach and periodic observer-based approach are closely related. Assume that the periodic vector Ωd,11 Ωd,12 I × = 0 , (97) T ··· Ωd,12 Ωd,22 Ld(k) vk = vk,0 vk,1 vk,s (101) = T − T where Ωd,11 A(k)Xd(k)A (k) Xd(k +1)+Ed(k)Ed (k), = T T = satisfies vkHo,s,k = 0. Then a periodic functional Ωd,12 A(k)Xd(k)C (k)+Ed(k)Fd (k), and Ωd,22 T T observer-based residual generator in the form of C(k)Xd(k)C (k)+ Fd(k)Fd (k). An alternative solution to problem (95), if (A(k), E f (k), C(k), F f (k)) is regular, is given by z(k +1)= G(k)z(k)+H(k)u(k)+L(k)y(k), (102) =− T = L(k) L f (k), W(k) W f (k), (98) r(k) = w(k)z(k)+q(k)u(k)+p(k)y(k) 12 Journal of Control Science and Engineering

with z ∈ Rs, r ∈ R, can be readily obtained as [45] d(t) f (t) ⎡ ⎤ 00··· 0 g ⎢ k,1 ⎥ ⎢ ⎥ u(t) y(t) ⎢ . . ⎥ Continuous-time ⎢ . . ⎥ process ⎢10 . . gk,2 ⎥ ⎢ ⎥ = ⎢ ⎥ G(k) ⎢ ...... ⎥ , ⎢ . . . 0 . ⎥ ⎢ ⎥ ⎢ ⎥ ⎣0 ··· 10gk,s−1⎦ υ(k) ψ(k) D/AControl unit A/D 0 ··· 01gk,s ⎡ ⎤ ⎡ ⎤ vk+s,0 gk,1 ⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢vk+s−1,1⎥ ⎢gk,2⎥ (103) Information FDI unit ⎢ ⎥ ⎢ ⎥ L(k) =−⎢ ⎥ − ⎢ ⎥ v , about fault ⎢ . ⎥ ⎢ . ⎥ k,s ⎣ . ⎦ ⎣ . ⎦ Computer

v − g k+1,s 1 k,s Figure 1: Schematic description of the application of an FDI system w(k) = 00··· 0 −1 , in a process control system.

p(k) = vk,s, H(k) = T(k +1)B(k) − L(k)D(k), 4.1. System description q(k) =−p(k)D(k), Assume that, in the SD systems, the process is a continuous LTI process represented by where periodic scalars gk,1, ..., gk,s appearing in ma- = trices G(k), L(k) are free parameters and should be x˙(t) Acx(t)+Bcu(t)+Edcd(t)+E fcf (t), (104) selected to guarantee the stability of G(k). More- y(t) = Cx(t), over, if vk realizes a full decoupling from the unknown disturbances, that is, vk[Ho,s,k Hd,s,k] = 0, then where Ac, Bc, Edc, E fc,andC are known constant matrices of the functional observer-based residual generator (102) appropriate dimensions. In single-rate sampled-data (SSD) also achieves a full decoupling, that is, r(k) = 0, systems, the A/D converter and the D/A converter are, re- ∀u(k), d(k). This provides an approach to design full spectively, described by decoupling observer-based residual generator. = (iii) We would like to point out that, for the LTI system ψ(k) y(kh), (105) (1), a residual generator with periodic gain matrix L(k) u(t) = υ(k), kh t<(k +1)h, (106) and periodic weighting matrix W(k) will not improve the FD performance under performance index (94). where h is the sampling period, ψ ∈ Rm is the sampled process output signal, υ ∈ Rp is the discrete-time control in- 4. FD OF SAMPLED-DATA SYSTEMS put sequence delivered by the controller program. In multirate sampled-data (MSD) systems, the A/D converters and The study on FD problems of sampled-data (SD) systems has the D/A converters may work with diﬀerent sampling rates been motivated by the digital implementation of controllers and thus modeled, respectively, by and monitoring systems. Figure 1 sketches a typical applica- l = l = l = tion of an FD system in a process control system. The pro- ψl(k ) yl(k Ty,l), l 1, 2, ..., m; k 0, 1, 2, ..., (107) cess under consideration is a continuous-time process. Both j j j the controller and the FD system are discrete-time systems uj (t) = υ j k , k Tu,j ≤ t< k +1 Tu,j , which are implemented on a computer system or on an em- (108) j = 1, 2, ..., p; k j = 0, 1, 2, ..., bedded microprocessor. The sensor output signals are dis- cretized by the A/D converters and then fed to the controller where Ty,l and Tu,j denote, respectively, the sampling peri- as well as to the FD system. The D/A converters convert the ods of the A/D converter in the lth output channel and the discrete-time control input signals into continuous-time sig- D/A converter in the jth input channel. A more general class nals. Since both continuous-time and discrete-time signals of systems are nonuniformly sampled-data (NSD) systems, exist in the system, the system design should be indeed con- where the sampling instants may be multirate, asynchronous, sidered from the viewpoint of an SD system [46, 47]. The and nonequidistantly distributed, that is, intersample behavior is the main factor that should be con- l l sidered in developing FD algorithms for the SD systems. In ψ k = y t l , l = 1, 2, ..., m; k = 0, 1, 2, ..., l l y,k practice, it happens often that the A/D and D/A converters = j ≤ are working at diﬀerent sampling rates [48–53]. In this sec- uj (t) υ j k , tu,k j t

where ty,kl represent the sampling instants in the lth output nal δ(t)withδ standing for d and f ,anoperatorisdefined channel and tu,k j the time instants at which the jth control as follows: input is updated. It is worth mentioning that a special kind ⎡ ⎤ − of NSD systems, where the sampling instants are nonequidis- ⎢ δ(k s) ⎥ ⎢ ⎥ tant spaced but periodic, has been studied in the literature ⎢δ(k − s +1)⎥ δ = ⎢ ⎥ Ψ δk,s(t) ⎢ . ⎥ rather intensively [54–57]. ⎣ . ⎦ δ(k) ⎡ ⎤ 4.2. FD of SSD systems h − Ac(h τ) − ⎢ 0e Eδc δ (k s)h + τ dτ ⎥ ⎢ h A (h−τ) ⎥ ⎢ e c Eδcδ (k − s +1)h + τ dτ⎥ Conventionally, an FD system can be designed for the SSD = ⎢ 0 ⎥ ⎢ . ⎥ . system by indirect approaches, that is, ⎣ . ⎦ . h Ac(h−τ) (i) analog design and SD implementation,or 0e Eδcδ(kh + τ)dτ (ii) discrete-time design based on the discretization of the (113) process model. The residual dynamics can be expressed with the help of op- Motivated by the development of sampled-data control [46, erators as 47], in the last years the FD problem of the SSD systems have d f been studied from the viewpoint of direct design to take into r(k) = VsH Ψ dk,s(t)+Ψ fk,s(t) , ⎡ ⎤ account the intersample behavior and eliminate the approxi- OO··· O ⎢ ⎥ mation made during the design [26, 58–60]. ⎢ . . ⎥ The dynamics of the SSD system at the sampling instants ⎢ CO.. . ⎥ (114) H = ⎢ ⎥ . can be described by ⎢ . . . ⎥ ⎣ . .. .. O⎦ CAs−1 ··· CO x(k +1)= Ax(k)+Bυ(k)+d(k)+ f (k), (110) ψ(k) = Cx(k), The influence of the continuous-time signal δ(t) over the time interval [(k − s)h,(k +1)h) on the discrete-time signal δ Ψ δk,s(t)ismeasuredby where ∗ rT (k)r(k) σ V HΨδ Ψδ HT V T = sup , h s s 2 δ∈L2,[(k−s)h,(k+1)h) δ 2,[(k−s)h,(k+1)h) = Ach = Act A e , B e Bcdt, ∗ T 0 δ δ T T = r (k)r(k) σ VsHΨ Ψ H Vs inf 2 , h δ∈L − − 2,[(k s)h,(k+1)h) δ 2,[(k−s)h,(k+1)h) = Ac(h τ) (111) d(k) e Edcd(kh + τ)dτ, (115) 0 h − ∗ = Ac(h τ) δ δ f (k) e E fcf (kh + τ)dτ. where (Ψ ) denotes the adjoint of the operator Ψ which 0 uniquely satisfies

∗ It is worth noticing that in SD systems there is a significant δ δ Ψ δk,s(t), β (k) = δk,s(t), Ψ β (k) (116) difference between u(t)andd(t), f (t). Due to the D/A con- s s verter (106), u(t) is a piecewise constant signal. The influ- for any vector βs(k) of compatible dimensions. The opti- ence of u(t)ony(t) is exactly known from the information mization problems are thus formulated as of υ(k) and can thus be completely compensated in residual ∗ generation. In comparison, d(t)and f (t) are unknown sig- f f T T σ VsHΨ Ψ H Vs max JSSD,PS,∞/∞ Vs = max ∗ , nals. Hence, the key is to study the influence of continuous- V ,V H =0 V ,V H =0 d d T T s s o,s s s o,s σ VsHΨ Ψ H Vs time signals d(t)and f (t) on the discrete-time sampled out- ∗ f f T T put signals ψ(k) and residual signals r(k). σ VsHΨ Ψ H Vs max JSSD,PS,−/∞ Vs = max ∗ , V ,V H =0 V ,V H =0 d d T T s s o,s s s o,s σ VsHΨ Ψ H Vs ∗ 4.2.1. Parity-relation-based FD scheme for SSD systems f f T T σi VsHΨ Ψ H Vs max JSSD,PS,i/∞ Vs = max ∗ . = = d d Vs,VsHo,s 0 Vs,VsHo,s 0 σ V HΨ Ψ HT V T A parity-relation-based residual generator s s (117)

∗ = − δ δ r(k) Vs ψk,s Hu,sυk,s (112) An analytical expression can be obtained for Ψ (Ψ ) as

∗ δ δ = T T T = Ψ Ψ diag EδEδ , EδEδ , ..., EδEδ , can be used for residual generation, where VsHo,s 0, h (118) ψk,s, υk,s, Ho,s,andHu,s are constructed according to (6). To T T = Acτ T Ac τ EδEδ e EδcEδce dτ. describe the intersample behavior, for a continuous-time sig- 0 14 Journal of Control Science and Engineering

As a result, optimization problems (117) are transformed 4.2.3. Inﬂuence of sampling on full decoupling into some equivalent optimization problems:

2 No matter which residual generation approach is adopted, σ VsH f ,s max JSSD,PS,∞ ∞ V = max , ff = / s = 2 due to the sampling e ect, the full decoupling becomes more Vs,VsHo,s 0 Vs,VsHo,s 0 σ V H s d,s difficult in SD systems than in the original continuous-time 2 σ VsH f ,s systems, because after sampling the dimension of the influ- max JSSD,PS,− ∞ V = max , (119) = / s = 2 Vs,VsHo,s 0 Vs,VsHo,s 0 σ V H ence space of the unknown disturbances becomes s d,s 2 σi VsH f ,s max JSSD,PS, ∞ V = max , = i/ s = 2 Vs,VsHo,s 0 Vs,VsHo,s 0 σ V H , h s d s T T = = Acτ T Ac τ rank Ed rank EdEd rank e EdcEdce dτ where H f ,s and Hd,s are built based on (A, E f , C, O)and 0 (125) (A, Ed, C, O) in a way similar to Hu,s in (6). The equivalent ≥ rank Edc, optimization problems (119) are of the standard form and can be solved as introduced in Section 2.2. that is, the equivalent number of the unknown disturbances 4.2.2. Observer-based FD scheme for SSD systems may increase [58]. An observer-based residual generator is constructed as 4.3. FD of MSD systems x(k +1)= Ax(k)+Bυ(k)+L ψ(k) − ψ(k) , (120) = − = r(k) W ψ(k) ψ(k) ψ(k) Cx(k). Under some assumptions, the FD problem of MSD systems To describe the influence of continuous-time signals d(t)and hasbeenconsideredin[61–64]. The MSD system is in na- f (t) on the discrete-time residual signal r(k) in the frequency ture a periodic system. The system period, denoted by T, domain, operator Γδ (δ standing for d or f ) is introduced as is the least common multiple of the sampling periods [52]. ∞ The maximal common multiplier of the sampling periods is 1 Γ δ(jω) = G jω + jkω δ jω + jkω , often called base period. From the FD viewpoint, in MSD δ h δ s s k=−∞ (121) systems only those time instants with sampled outputs are − 2π of interest. In [65], the basic idea of the proposed FD ap- G (s) = C(sI − A ) 1E , ω = . δ c δc s h proach is to get the input-output relations of the MSD at the base periods at first and then downsample them according Based on it, the residual dynamics can be expressed as ff to di erent sampling periods to get the parity relation of the jωh jωh r e = WMu e Γdd(jω)+Γ f f (jω) , MSD system. In [66], a so-called fast rate residual generator − (122) is proposed, which generates a residual signal as soon as a jωh = − jwh − 1 Mu e I C e I A + LC L. new measurement is available. The basic idea is to reformu- Let E be given by (118). Then late the MSD system as a system with periodic output equa- δ tions. The problem of fast rate residual generation is further − − ∗ = jωh − 1 T − jωh − T 1 T ΓδΓδ C e I A EδEδ e I A C . (123) pursued by [67, 68], where the basic ideas are, respectively, to compute the parity matrix Vs and the postfilter R(z)for Based on it, the H2/H2 optimal design problem is solved [59]. lifted system model. To satisfy the causality constraint, the Further, it was shown that the H∞/H∞, H−/H∞ and Hi/H∞ freedoms in matrix Ps and R(z) are used. Most recently, a design problems of the SSD system are equivalent to that of a unified and simplified approach to the FD of the MSD sys- discrete LTI system and can be obtained by solving equivalent tems is proposed by [69], which considers the special prob- optimization problems [26, 60]: lem formulation of fault detection and shows clearly the dif- sup = ∈L −{ } r / f ference between control problem and FD problem. The basic = d 0, f 2 0 2 2 sup JSSD,OBS,∞/∞(L, W) sup idea of [69] is to remodel the MSD system as a nonuniformly sup = ∈L −{ } r2/d2 L,W L,W f 0,d 2 0 sampled-data system and then use periodic or time varying G (z) = rf ∞ system theory to design the FD system. sup , { } G (z) Denote with tk the sequence of time instants at which L,W rd ∞ one or more sampled outputs are available, t0

− A(k) = eAc(tk+1 tk ), = = d f tk+1 r(k) VkHs,k d(k)+ f (k) VkHs,k Ψk dk(t)+Ψk fk(t) . Ac(tk+1−t) u(k) = e Bcu(t)dt, (132) tk tk+1 − (127) = Ac(tk+1 t) d(k) e Edcd(t)dt, The optimal selection of Vk can be formulated simi- ∗ ∗ tk d d f f tk+1 lar to (117)withΨ (Ψ ) and Ψ (Ψ ) substituted by ∗ ∗ Ac(tk+1−t) f f f (k) = e E fcf (t)dt. d d Ψk (Ψk ) and Ψk (Ψk ) , respectively. Using the same tech- tk ∗ δ δ nique, Ψk(Ψk) are derived to be Thenewdescriptionisdifferent from other descriptions available in the literature [66–68] and considers the transi- ∗ δ δ = δ δ tion of system dynamics only at the time instants with sam- Ψk Ψk diag Ψk,s, ..., Ψk,1 , pled outputs. The terms d(k)and f (k) characterize, respec- tk− j+1−tk− j T δ = Act T Ac t = tively, the influence of the disturbances and the faults on the Ψk,j e EδcEδce dt, j s, ...,1. 0 sampled outputs. As υ1, ..., υp are available and the models (133) of the D/A converters (108) are known, u(k) and thus the influence of the control input vector on the sampled out- ∗ puts can be completely reconstructed and easily compen- δ δ Due to the periodicity of Ψk(Ψk) , the optimization problem sated. The matrices A(k)andC(k) are time varying matrices, needs to be solved over one period. as tk+1 −tk is time-varying with respect to time k. In the MSD system, due to the periodicity of the sampling time sequence, A(k), C(k) are periodic matrices. FD systems can be designed 4.3.2. Observer-based FD scheme for MSD systems for the MSD system based on the time-varying model (126). For the aim of fault detection, a fast rate time-varying observer-based residual generator can be constructed as 4.3.1. Parity-relation-based FD scheme for MSD systems

The input-output relationship of (126) over the moving x(k +1)= A(k)x(k)+u(k)+L(k) ψ(k) − ψ(k) , horizon [tk−s, tk], where s denotes the length of the moving horizon, is r(k) = W(k) ψ(k) − ψ(k) , ψ(k) = C(k)x(k), (134) ψ(k) = Ho,s,kx(k − s)+Hs,k u (k)+d(k)+ f (k) , (128)

where the gain matrix L(k) and the weighting matrix W(k) where ψ (k), u (k), d(k), and f (k) are stacked vectors based on are time-varying matrices to be determined. The dimensions = − ψ(j), u(j), d(j), and f (j), j k s, ..., k,respectively,Ho,s,k of L(k)andW(k) may change with the number of available is constructed according to (83), sampled output signals. Considering the periodicity of the ⎡ ⎤ matrices A(k), C(k), (134) can be designed as a periodic ob- OO··· server. Deﬁne the state estimation error as ( ) = ( )−( ). ⎢ ⎥ e k x k x k ⎢ . . ⎥ Thedynamicsofresidualgenerator(134)isgovernedby ⎢ C(k − s +1) .. .. ⎥ H = ⎢ ⎥ . s,k ⎢ . . ⎥ ⎣ . .. O ⎦ e(k +1)= A(k) − L(k)C(k) e(k)+d(k)+ f (k), C(k)A(k − 1) ···A(k − s +1) ··· C(k) (135) (129) r(k) = W(k)C(k)e(k).

Build a parity-relation-based residual generator with Introduce linear time-varying operators δ ( standing for Γk δ d or ), r(k) = Vk ψ(k) − Hs,ku (k) , VkHo,s,k = 0, (130) f where is a periodically time-varying parity matrix (or tk+1 Vk − δ = Ac(tk+1 t) vector). To describe the inﬂuence of continuous-time sig- Γkδk(t) e Eδcδ(t)dt, (136) t nals d(t), f (t) on the multirate-sampled outputs, linear time- k varying operators Ψδ (δ standing for d or f ), k to rewrite the residual dynamics as ⎡ ⎤ t − − k s+1 eAc(tk−s+1 t)E δ(t)dt ⎢ tk−s δc ⎥ t − − f ⎢ k s+2 Ac(tk−s+2 t) ⎥ = − d ⎢ − e Eδcδ(t)dt⎥ e(k +1) A(k) L(k)C(k) e(k)+Γ dk(t)+Γ fk(t), = δ = ⎢ tk s+1 ⎥ k k δ(k) Ψkδk(t) ⎢ . ⎥ , (131) . = ⎣ . ⎦ r(k) W(k)C(k)e(k). tk Ac(tk−t) tk−1 e Eδcδ(t)dt (137) 16 Journal of Control Science and Engineering

To enhance the robustness of the FD system to the unknown period ρh,whereρ ≥ 1 is an integer. It is proven that the disturbances without loss of the sensitivity to the faults, the optimal performance indeces are related by design problem is formulated as ≥ ≥ JSSD,OBS,∞/∞,h JMSD,OBS,∞/∞ JSSD,OBS,∞/∞,ρh, (141) sup JMSD,OBS,∞ ∞ L(k), W(k) / JSSD,PS,∞/∞,h ≥ JMSD,PS,∞/∞ ≥ JSSD,PS,∞/∞,ρh. L(k),W(k)

That means that, with the increase of the sampling period, sup d=0, f ∈L −{0} r 2/ f 2 = sup 2 , the FD performance will become worse. It can be intu- sup = ∈L −{ } r /d L(k),W(k) f 0,d 2 0 2 2 itively interpreted as the consequence of information reduc- (138) tion caused by the increase of the sampling period. However, sup JMSD,OBS,−/∞ L(k), W(k) L(k),W(k) we would like to emphasize that such a conclusion does not hold for all performance indices, for instance, the H−/H∞ in- inf = ∈L −{ } r / f = d 0, f 2 0 2 2 dex. sup . L(k),W(k) sup f =0,d∈L2−{0} r 2/ d 2

∗ 5. CONCLUDING REMARKS δ δ By analyzing Γk(Γk) , optimization problems (138)are transformed into equivalent optimization problems of dis- In this paper, standard methods for FD in discrete LTI sys- crete LTP system tems have been reviewed and recent development in FD for discrete LTP and SD systems has been summarized. In case e(k +1)= A(k)−L(k)C(k) e(k)+Ed(k)deq(k)+E f (k) feq(k), of discrete LTI systems, the basic idea, full decoupling and optimization problems, and the corresponding solutions are r(k) = W(k)C(k)e(k), introduced. It can be seen that different FD approaches are (139) closely related to each other. The FD problem of discrete LTP systems can be handled either indirectly by lifting or directly where the l2-norms of deq(k)and feq(k)in(139) have the same upper bounds, respectively, with the L -norms of d(t) by considering the periodicity of the system matrices. In SD 2 systems the main problem is to take into account the inter- and f (t)in(104), the matrices Ed(k)andE f (k)aretime- varying matrices reflecting the sampling effect and satisfy sample behavior and to develop direct FD approaches. With the aid of operators, the FD problem of SSD, MSD, and NSD tk+1−tk T T systems can be transformed, respectively, into the FD prob- = Act T Ac t Eδ(k)Eδ (k) e EδcEδce dt. (140) 0 lem of discrete LTI, LTP,and linear time-varying systems. The methods introduced in this paper have found several inter- Then, optimization problems (138) can be solved with the esting applications in the emerging research area of embed- approaches introduced in Section 3.2.2. ded networked control systems (emNCS) [72, 73]. Because of the limited data rate, the sampling mechanisms become 4.4. FD of NSD systems an important design parameter in emNCS and have decisive influence on the real-time network and computing perfor- The same design procedures introduced in the last subsec- mance and FD performance. tion can be applied to the FD of NSD systems by reordering ff the sampling instants. The main di erence lies in that in gen- REFERENCES eral NSD systems, A(k), C(k), Ed(k), E f (k) are time-varying matrices but not periodic matrices. In consequence, for the [1] M. Basseville and I. Nikiforov, Detection of Abrupt Changes — NSD systems Theory and Application, Prentice-Hall, Englewood Cliffs, NJ, USA, 1993. (i) if the parity space approach is used, then the time- [2] J. Gertler, Fault Detection and Diagnosis in Engineering Systems, varying parity matrix V(k) needs to be calculated at Marcel Dekker, New York, NY, USA, 1998. each time instant, [3] R. Mangoubi, Robust Estimation and Failure Detection, (ii) if the observer-based approach is adopted, then the ob- Springer, New York, NY, USA, 1998. server gain matrix L(k) needs to guarantee the stability [4] J. Chen and R. J. Patton, Robust Model-Based Fault Diagno- of the resulting linear time-varying system. sis for Dynamic Systems, Kluwer Academic Publishers, Boston, Mass, USA, 1999. 4.5. Influence of sampling period on [5]R.J.Patton,P.M.Frank,andR.N.Clark,Issues of Fault Diag- nosis for Dynamic Systems, Springer, London, UK, 2000. optimal FD performance [6] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Di- Sampling period is an important parameter in SD systems. agnosis and Fault-Tolerant Control,Springer,NewYork,NY, USA, 2003. Recently, the influence of the sampling period on the optimal [7] P. M. Frank, S. X. Ding, and T. Marcu, “Model-based fault di- FD performance has been investigated in [70, 71]. Suppose agnosis in technical processes,” Transactions of the Institute of ff that for a given continuous-time process (104) three di er- Measurement and Control, vol. 22, no. 1, pp. 57–101, 2000. ent sampling schemes are considered: single-rate sampling [8] E. Y. Chow and A. S. Willsky, “Analytical redundancy and the with sampling period h, single-rate sampling with sampling design of robust failure detection systems,” IEEE Transactions period ρh, multirate sampling with base period h and system on Automatic Control, vol. 29, pp. 603–614, 1984. P. Zhang and S. X. Ding 17

[9] H. Ishii and B. Francis, Limited Data Rate in Control Systems [26] P. Zhang, S. X. Ding, G. Z. Wang, D. H. Zhou, and E. L. Ding, with Networks, Springer, Berlin, Germany, 2002. “An H∞ approach to fault detection for sampled-data systems,” [10] K. Zhou, Essential of Robust Control, Prentice-Hall, Englewood in Proceedings of the American Control Conference (ACC ’02), Cliffs, NJ, USA, 1998. vol. 3, pp. 2196–2201, Anchorage, Alaska, USA, May 2002. [11] J. Wuennenberg, Observer-Based Fault Detection in Dynamic [27]P.Zhang,H.Ye,S.X.Ding,G.Z.Wang,andD.H.Zhou,“On Systems, Ph.D. thesis, University of Duisburg, Duisburg, Ger- the relationship between parity space and H2 approaches to many, 1990. fault detection,” Systems and Control Letters,vol.55,no.2,pp. [12] S. X. Ding, E. L. Ding, T. Jeinsch, and P. Zhang, “An approach 94–100, 2006. to a unified design of FDI systems,” in Proceedings of the 3rd [28] H. Ye, S. X. Ding, and G. Z. Wang, “Integrated design of fault Asian Control Conference, pp. 2812–2817, Shanghai, China, detection systems in time-frequency domain,” IEEE Transac- July 2000. tions on Automatic Control, vol. 47, no. 2, pp. 384–390, 2002. [13] S. X. Ding, E. L. Ding, and T. Jeinsch, “A numerical approach [29]H.Ye,G.Z.Wang,andS.X.Ding,“Anewparityspaceap- to optimization of FDI systems,” in Proceedings of the 37th proach for fault detection based on stationary wavelet trans- IEEE Conference on Decision and Control (CDC ’98), pp. 1137– form,” IEEE Transactions on Automatic Control,vol.49,no.2, 1142, Tampa, Fla, USA, December 1998. pp. 281–287, 2004. [14] S. X. Ding, E. L. Ding, and T. Jeinsch, “An approach to analysis [30] S. X. Ding, P. M. Frank, E. L. Ding, and T. Jeinsch, “Fault de- and design of observer and parity relation based FDI systems,” tectionsystemdesignbasedonanewtrade-off strategy,” in in Proceedings of the 14th Triennial World Congress of the Inter- Proceedings of the 39th IEEE Conference on Decision and Con- national Federation of Automatic Control, pp. 37–42, Beijing, trol (CDC ’00), vol. 4, pp. 4144–4149, Sydney, Australia, De- China, July 1999. cember 2000. [15] S. Schneider, N. Weinhold, S. X. Ding, and A. Rehm, “Parity [31] P. M. Frank and X. Ding, “Frequency domain approach to op- space based FDI-scheme for vehicle lateral dynamics,” in Pro- timally robust residual generation and evaluation for model- ceedings of the IEEE International Conference on Control Ap- based fault diagnosis,” Automatica, vol. 30, no. 5, pp. 789–904, plications (CCA ’05), pp. 1409–1414, Toronto, Canada, August 1994. 2005. [32] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “Fault de- [16] X. Ding, L. Guo, and T. Jeinsch, “A characterization of par- tection for linear discrete-time periodic systems,” in Proceed- ity space and its application to robust fault detection,” IEEE ings of the 5th IFAC Symposium on Fault Detection, Supervision Transactions on Automatic Control, vol. 44, no. 2, pp. 337–343, and Safety of Technical Processes (SAFEPROCESS ’03), pp. 247– 1999. 252, Washington, DC, USA, 2003. [17] H. Ye, G. Z. Wang, S. X. Ding, and H. Y. Su, “An IIR filter based [33] M. Hou and R. J. Patton, “An LMI approach to H−/H∞ fault parity space approach for fault detection,” in Proceedings of the detection observers,” in Proceedings of the UKACC Interna- 15th Triennial World Congress of the International Federation of tional Conference on Control, vol. 1, pp. 305–310, Exeter, UK, Automatic Control, Barcelona, Spain, July 2002. September 1996. [18] P. Zhang and S. X. Ding, “Multi-objective design of robust [34] F. Rambeaux, F. Hamelin, and D. Sauter, “Robust residual gen- fault detection systems,” in Proceedings of the 6th IFAC Sym- eration via LMI,” in Proceedings of the 14th Triennial World posium on Fault Detection, Supervision and Safety of Technical Congress of the International Federation of Automatic Control, Processes (SAFEPROCESS ’06), pp. 1453–1458, Beijing, China, pp. 240–246, Beijing, China, July 1999. August-September 2006. [19] S. X. Ding, P. Zhang, B. Huang, E. L. Ding, and P. M. Frank, [35] D. Henry and A. Zolghadri, “Design and analysis of robust “An approach to norm and statistical methods based resid- residual generators for systems under feedback control,” Au- ual evaluation,” in Proceedings of the 10th IEEE International tomatica, vol. 41, no. 2, pp. 251–264, 2005. Conference on Methods and Models in Automation and Robotics [36] J. Liu, J. L. Wang, and G.-H. Yang, “An LMI approach to min- (MMAR ’04), pp. 777–780, Miedzyzdroje, Poland, August- imum sensitivity analysis with application to fault detection,” September 2004. Automatica, vol. 41, no. 11, pp. 1995–2004, 2005. [20] X. Ding and P. M. Frank, “Fault detection via factorization ap- [37] R. H. Chen, D. L. Mingori, and J. L. Speyer, “Optimal stochas- proach,” Systems and Control Letters, vol. 14, no. 5, pp. 431– tic fault detection filter,” Automatica, vol. 39, no. 3, pp. 377– 436, 1990. 390, 2003. [21] X. Ding and P. M. Frank, “Fault detection via optimally robust [38] S. Bittanti and P. Colaneri, “Analysis of discrete-time linear detection filters,” in Proceedings of the 28th Conference on De- periodic systems,” Control and Dynamics Systems, vol. 78, pp. cision and Control (CDC ’89), vol. 2, pp. 1767–1772, Tampa, 313–339, 1996. Fla, USA, December 1989. [39] P. Colaneri and V. Kucera, “The model matching problem for [22] S. X. Ding, T. Jeinsch, P. M. Frank, and E. L. Ding, “A unified periodic discrete-time systems,” IEEE Transactions on Auto- approach to the optimization of fault detection systems,” In- matic Control, vol. 42, no. 10, pp. 1472–1476, 1997. ternational Journal of Adaptive Control and Signal Processing, [40] B. P. Lampe, M. A. Obraztsov, and E. N. Rosenwasser, “Statis- vol. 14, no. 7, pp. 725–745, 2000. tical analysis of stable FDLCP systems by parametric transfer [23] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “An ap- matrices,” International Journal of Control, vol. 78, no. 10, pp. proach to fault detection of sampled-data systems,” Tech. Rep., 747–761, 2005. submitted to IEEE Transactions on Automatic Control. [41] S. Bittanti and P. Colaneri, “Periodic Control,” in John Wiley [24] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “Fault de- Encyclopaedia on Electrical and Electronic Engineering,J.Web- tection of linear discrete-time periodic systems,” IEEE Trans- ster, Ed., vol. 16, pp. 240–253, John Wiley & Sons, New York, actions on Automatic Control, vol. 50, no. 2, pp. 239–244, 2005. NY, USA, 1999. [25] N. Liu and K. Zhou, “Optimal and analytic solutions to robust [42] S. Bittanti and P. Colaneri, “Invariant representations of fault detection problems,” submitted to IEEE Transactions on discrete-time periodic systems,” Automatica, vol. 36, no. 12, Automatic Control. pp. 1777–1793, 2000. 18 Journal of Control Science and Engineering

[43] M. S. Fadali and S. Gummuluri, “Robust observer-based fault Conference on Decision and Control (CDC ’90), vol. 6, pp. detection for periodic systems,” in Proceedings of the Ameri- 3666–3671, Honolulu, Hawaii, USA, December 1990. can Control Conference (ACC ’01), vol. 1, pp. 464–469, Arling- [62] M.S.FadaliandW.Liu,“Faultdetectionforsystemswithmul- ton,Va, USA, June 2001. tirate sampling,” in Proceedings of the American Control Con- [44] A. Varga, “Design of fault detection filters for periodic sys- ference(ACC’98), pp. 3302–3306, Philadelphia, Pa, USA, June tems,” in Proceedings of the 43rd IEEE Conference on Decision 1998. and Control (CDC ’04), pp. 4800–4805, Atlantis, Bahamas, De- [63] M. S. Fadali and W. Liu, “Observer-based robust fault december 2004. tection for a class of multirate sampled-data linear systems,” [45] P. Zhang, S. X. Ding, and T. Jeinsch, “Study on full decoupling in Proceedings of the American Control Conference (ACC ’99), problem of linear periodic systems,” in Proceedings of the 16th vol. 1, pp. 97–98, San Diego, Calif, USA, June 1999. Triennial World Congress of the International Federation of Au- [64] M. S. Fadali and H. E. Emara-Shabaik, “Robust fault detection tomatic Control, Prague, Czech Republic, July 2005. for a class of multirate linear systems,” in Proceedings of the [46] T. W. Chen and B. Francis, Optimal Sampled-Data Control Sys- American Control Conference (ACC ’00), vol. 2, pp. 1210–1214, tems, Springer, London, UK, 1995. Chicago, Ill, USA, June 2000. [47] E. Rosenwasser and B. P. Lampe, Computer Controlled [65] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “Fault de- Systems–Analysis and Design with Process-Orientated Models, tection for multirate sampled-data systems with time delays,” Springer, London, UK, 2000. International Journal of Control, vol. 75, no. 18, pp. 1457–1471, [48] G. M. Kranc, “Input-output analysis of multirate feedback sys- 2002. tems,” IRE Transactions on Automatic Control,vol.3,no.1,pp. [66]P.Zhang,S.X.Ding,G.Z.Wang,andD.H.Zhou,“Observer- 21–28, 1957. based approaches to fault detection in multirate sampled-data [49] R. E. Kalman and J. E. Bertram, “A unified approach to the systems,” in Proceedings of the 4th Asian Control Conference, theory of sampling systems,” Journal of the Franklin Institute, pp. 1367–1372, Singapore, September 2002. vol. 267, no. 5, pp. 405–436, 1959. [67] I. Izadi, Q. Zhao, and T. W. Chen, “An optimal scheme for fast [50] R. A. Meyer and C. S. Burrus, “A unified analysis of multirate fault detection based on multirate sampled data,” Journal rate and periodically time-varying digital filters,” IEEE Trans- of Process Control, vol. 15, no. 3, pp. 307–319, 2005. actions on Circuits and Systems, vol. 22, no. 3, pp. 162–168, [68] I. Izadi, Q. Zhao, and T. W. Chen, “An H∞ approach to fast rate 1975. fault detection for multirate sampled-data systems,” Journal of [51] M. Araki and T. Hagiwara, “Pole assignment by multirate Process Control, vol. 16, no. 6, pp. 651–658, 2006. sampled-data output feedback,” International Journal of Con- [69] P. Zhang and S. X. Ding, “Fault detection of multirate trol, vol. 44, no. 6, pp. 1661–1673, 1986. sampled-data systems based on periodic system theory,” in [52] L. Qiu and T. W. Chen, “Multirate sampled-data systems: all Proceedings of the European Control Conference, Kos, Greece, H∞ suboptimal controllers and the minimum entropy con- July 2007. troller,” IEEE Transactions on Automatic Control, vol. 44, no. 3, [70] P. Zhang, S. X. Ding, R. J. Patton, and C. Kambhampati, pp. 537–550, 1999. “Adaptive and cooperative sampling in networked control sys- [53] S. Lall and G. Dullerud, “An LMI solution to the robust syn- tems,” in Proceedings of the IEEE International Conference on thesis problem for multi-rate sampled-data systems,” Auto- Networking, Sensing and Control (ICNSC ’07), pp. 398–403, matica, vol. 37, no. 12, pp. 1909–1922, 2001. London, UK, April 2007. [54] J. Sheng, T. W. Chen, and S. L. Shah, “Generalized predictive [71] P. Zhang and S. X. Ding, “On monotonicity of a class of opti- control for non-uniformly sampled systems,” Journal of Process mal fault detection performance vs. sampling period,” in Pro- Control, vol. 12, no. 8, pp. 875–885, 2002. ceedings of the 46th IEEE Conference on Decision and Control [55] G. Kreisselmeier, “On sampling without loss of observabil- (CDC ’07), New Orleans, La, USA, December 2007. ity/controllability,” IEEE Transactions on Automatic Control, [72] S. X. Ding, P. Zhang, and E. L. Ding, “Observer-based moni- vol. 44, no. 5, pp. 1021–1025, 1999. toring of distributed net-worked control systems,” in Proceed- [56] W. Li, S. L. Shah, and D. Y. Xiao, “Kalman filters for non- ings of the 6th IFAC Symposium on Fault Detection, Supervision uniformly sampled multirate systems,” in Proceedings of the and Safety of Technical Processes (SAFEPROCESS ’06), pp. 337– 16th Triennial World Congress of the International Federation 342, Beijing, China, August-September 2006. of Automatic Control, Prague, Czech Republic, July 2005. [73] P.Zhang and S. X. Ding, “Fault detection of networked control [57] W. Li, Z. Han, and S. L. Shah, “Subspace identification for FDI systems with limited communication,” in Proceedings of the 6th in systems with non-uniformly sampled multirate data,” Au- IFAC Symposium on Fault Detection, Supervision and Safety of tomatica, vol. 42, no. 4, pp. 619–627, 2006. Technical Processes (SAFEPROCESS ’06), pp. 1135–1140, Bei- [58] P.Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “An FDI ap- jing, China, August-September 2006. proach for sampled-data systems,” in Proceedings of the Amer- ican Control Conference (ACC ’01), vol. 4, pp. 2702–2707, Ar- lington, Va, USA, June 2001. [59]P.Zhang,S.X.Ding,G.Z.Wang,andD.H.Zhou,“Afre- quency domain approach to fault detection in sampled-data systems,” Automatica, vol. 39, no. 7, pp. 1303–1307, 2003. [60] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “An approach to fault detection of sampled-data systems,” Tech. Rep., Institute of Automatic Control and Complex Systems(AKS), University of Duisburg, Duisburg, Germany, 2003. [61] N. Viswanadham and K. D. Minto, “Fault diagnosis in multirate sampled data systems,” in Proceedings of the 29th IEEE Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 829459, 16 pages doi:10.1155/2008/829459

Research Article Optimal Robust Fault Detection for Linear Discrete Time Systems

Nike Liu and Kemin Zhou

Department of Electrical and Computer Engineering, Louisiana State University, Baton Roug, LA 70803, USA

Correspondence should be addressed to Kemin Zhou, [email protected]

Received 30 December 2006; Accepted 7 October 2007

Recommended by Jakob Stoustrup

This paper considers robust fault-detection problems for linear discrete time systems. It is shown that the optimal robust detection filters for several well-recognized robust fault-detection problems, such as H−/H∞, H2/H∞,andH∞/H∞ problems, are the same and can be obtained by solving a standard algebraic Riccati equation. Optimal filters are also derived for many other optimization criteria and it is shown that some well-studied and seeming-sensible optimization criteria for fault-detection filter design could lead to (optimal) but useless fault-detection filters.

Copyright © 2008 N. Liu and K. Zhou. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION One of the particular interesting techniques among all the model-based techniques is observer-based fault- It is well recognized that many practical dynamical sys- detection filter design [1]. It has been shown in many tems are subject to various environmental changes, unknown theoretical studies and applications that suitably designed disturbances, and changing operating conditions, thus sen- observer-based fault-detection filters are easy to implement sors/actuators/components failure and faults in those sys- in discrete systems and can be very effective in detecting tems are inevitable. Since any faults/failures in a dynamical sensors, actuators, and system components faults. There are system may lead to significant performance degradation, se- significant amount of works addressing this problem using rious system damages, and even loss of human life, it is es- Kalman filter related techniques [7–9]. Nevertheless, find- sential to be able to detect and identify faults and failures in ing systemic design methods for systems subject to unknown a timely manner so that necessary protective measures can disturbances and model uncertainties have been proven to be taken in advance. To that end, fault diagnosis of dynamic be difficult. Since known/unknown disturbances, noise, and systems has received much attention and significant progress model uncertainties are unavoidable for any practical sys- has been made in recent years in searching for both data- tems, it is essential in the design of any fault-detection filter driven and model-based diagnosis techniques: see [1–5]and to take these effects into consideration so that fault detection the references therein. can be done reliably and robustly. To that effect, many robust Much attention has been devoted to the development filter design techniques, such as H∞ optimization, LMI, par- of robust fault-detection methods under external distur- ity space, and eigen-structure assignment techniques, have bances for continuous time systems. Since most (continu- been applied to fault detection filter design with limited suc- ous) dynamical systems are nowadays controlled using dig- cess [10–15]. The reason is that a fault detection filter design ital devices, it is also important to understand those theoret- is really a multiple objective design task. It needs not only ical development in the digital (sampled-data) setting. Fur- rejecting disturbance, noise and being insensitive to model thermore, it has been shown in [6] that sample-data fault- uncertainties, it also needs to be as sensitive as possible to detection problem can be converted to equivalent discrete possible faults so that early detection of faults is possible. time-detection problem using certain discretization method Unfortunately, these two design objectives are almost always and thus discrete time fault-detection is of great importance conflicting with each other. Hence a design tradeoff between and most nature for modern digital implementation. these two objectives is unavoidable and needs to be addressed 2 Journal of Control Science and Engineering explicitly in the design process. To do that, some suitable de- the largest eigenvalue of A and λ(A) represents the smallest sign criteria for both objectives have to be defined. It has been ∈ Cm×n = = eigenvalue value of A.ForA , σ(A) λ(AA ) widely accepted in the field that H2 norm and H∞ of the = transfer matrix from disturbances to fault detection residu- λ(A A) denotes the largest singular value of A and σ(A) als are good candidates for measuring up the disturbance re- λ(AA)( λ(AA)) denotes the smallest singular value of A jection capability of a fault detection system. In some cases, if m ≤ n (m ≥ n). The n × n identity matrix is denoted as In H 2 norm of the transfer function matrix from faults to fault and the m × n zero matrix is denoted as 0m,n, with the sub- detection residual signals is also suitable for evaluating the scripts dropped if they can be inferred from context. fault detection system’s sensitivity to faults. It has also been Discrete transfer matrices and Z-transforms of signals recognized that the H− index, first introduced by Hou and are represented using bold characters and sometimes in de- Patton [16] and further extended by Liu et al. [17], seems to pendence of the variable z. A state-space realization of a be a very appropriate measure of the fault-detection sensitiv- transfer matrix G(z)isdenotedas ity [1–3]. Although this concept was originally proposed for A B continuous time system, it is quite straightforward to extend G(z) = (1) this concept to discrete time systems. With such defined per- C D formance objectives, several discrete time fault detection de- − such that G(z) = D + C(zI − A) 1B. We define G∼(z):= sign problems can be formulated as multiple objective opti- GT (z−1) and denote G−1(z) as the inverse of G(z)ifG(z)is mization problems by minimizing the effects of disturbances H H square and invertible. Now suppose and maximizing the fault sensitivity, for example, −/ ∞ H H H H H H problem, ∞/ ∞ problem, 2/ ∞ problem, −/ 2 prob- A B H H G(z) = (2) lem, and 2/ 2 problem.Theseproblemshaveattracteda C C great deal of attention recently, [6, 18–25]. However, most of the results obtained in the existing literature are either con- is square and D is nonsingular, then we have from [29] servative or complicate to apply. Furthermore, they are usu- − − A − BD 1C −BD 1 ally not guaranteed to be optimal. A notable exception is the −1 = G −1 −1 . (3) work by Ding et al. in [26], where optimal solutions to some D C D formulations of continuous H−/H∞ and H∞/H∞ problems RLm×n × We use 2 to denote the set of m n real rational are given. Zhang et al. in [27] also give an optimal solution to transfer matrices with no poles on the unit circle. The super- H H ∞/ ∞ problem for linear discrete time periodic systems. scripts for dimensions will usually be dropped when they are We have developed a new technique to solve the above either not important or clear from context. RH2 (= RH∞) problems for continuous time systems in [28]. In this pais the set of all stable proper transfer matrices. per, we will carry out the parallel development for discrete For G(z) ∈ RH2 we define the H2 norm of G as time problems. Although there are considerable similarities between the continuous and the discrete time solutions, there 2π = 1 ∼ jθ jθ ff G 2 Trace G e G e dθ. (4) are also significant di erences in some cases where we can 2π 0 give more explicit solutions in discrete time cases that can- For G ∈ RH∞ we define the H∞ norm of G as not be done in continuous time cases. In addition, explicit jθ discrete time solutions have their own merits in applications. G∞ = sup σ G e . (5) It turns out that our solutions are surprising simple once the θ∈[0,2π] problems are suitably formulated. Similar to the H− definitions of continuous system in [16, The rest of this paper is organized as follows: Section 2 17], we define the H− index of a discrete transfer matrix G introduces the notations and summarizes some key facts that on the whole unit circle as will be used in the later sections. Section 3 gives the math- [0,2π] jθ ematical formulations of various fault-detection problems G− = inf σ G e . (6) ∈ to be solved in this paper. The analytic and optimal solu- θ [0,2π] H H H H tions for −/ ∞ problem and ∞/ ∞ problem are given The H− index of G over a finite frequency range [θ1, θ2]is in Section 4. The solution for H2/H∞ problem is given in defined as Section 5. The solutions for various H−/H2 problems are [θ1,θ2] = jθ discussed in Sections 6–8. Some numerical examples of our G − inf σ G e . (7) θ∈[θ1,θ2] fault detection designs are shown in Section 9. Some conclu- H = sions are given in Section 10. In particular the − index defined at θ 0is [0] G− = σ G 1 . (8) 2. NOTATIONS AND PRELIMINARY RESULTS If no superscript is added to the H− symbol, such as G−, The notations used in this paper are quite standard. The then it represents all possible H− definitions. In many litera- Rm×n set of m by n real (complex) matrices is denoted as tures H− index is also called H− norm, although it is actually × × (Cm n). For a matrix A ∈ Cm n we use AT to denote not a norm. its transpose and A for its complex conjugate transpose. It is easy to show from the definition of singular value of For a Hermitian matrix A = A ∈ Cm×n, λ(A) represents a matrix that we have the following result [30]. N. Liu and K. Zhou 3

× × Lemma 1. Let A ∈ Cm n and B ∈ Cn p be two matrices with f (k) ∈ Rn f denotes the process, sensor or actuator fault vec- appropriate dimensions, then σ(AB) ≤ σ(A)σ(B). tor. f (k)andd(k) can be modeled as different types of signals, depending on specific situations under consideration. The following transfer matrix factorizations will be fre- SeeChapters4and8of[29]and[1] for some detailed dis- quently used in this paper and can be found from [29]. cussions. Two frequently used assumptions on d(k)and f (k) are: Lemma 2 (left coprime factorization). Let G(z) be a proper real rational transfer matrix. A left coprime factorization (LCF) (i) unknown signal with bounded energy or bounded of G is a factorization power; (ii) white noise. = −1 G M N,(9)Different assumptions on d(k)and f (k)willleadtodifferent fault detection problem formulations and the solutions for where N and M are left-coprime over RH∞.Let all these problems will be discussed in this paper. ffi A B All coe cient matrices in (16) are assumed to be known G = (10) C D constant matrices. Furthermore, the following assumptions are made. be a detectable state-space realization of G and let L be a matrix with appropriate dimensions such that A + LC is stable, then a Assumption 1. (A, C)isdetectable. left coprime factorization of G is given by This is a standard assumption for all fault-detection problems. A + LC LB+ LD [MN] = . (11) C ID Assumption 2. Dd has full row rank. Lemma 3 (Spectral factorization). Let G(z) be a proper real This means that ny ≤ nd and every measurement of the rational transfer matrix and let output signals is either affected by some disturbance or corrupted with some measurement noise. We argue that this as- A B G = (12) sumption can be made without loss of any generality since C D it is impossible to take perfect measurement in any practical system and furthermore it is reasonable to assume that be a detectable realization of G. Suppose D has full row rank jθ the measurement noise is independent of each other. So it is and A−e IB has full row rank for all θ ∈ [0, 2π]. Let P ≥ CD reasonable to assume that D has full row rank. In the case 0 be the stabilizing solution to the following algebraic Riccati d of some simplified model where D does not have full row equation: d rank, we can simply add some columns to make it full row −1 rank. For example, suppose that D does not have full row APA − P − APC + BD DD + CPC d rank, then let (13) × DB + CPA + BB = 0 = d = = −1 d , Bd Bd 0n×ny , Dd Dd Iny such that A − (APC + BD )(DD + CPC ) C is stable and d let R := DD + CPC. Then the following spectral factorization (17) holds for a small > 0. Then D hasfullrowrank. ∼ = ∼ d WW GG , (14) − jθ Assumption 3. A e IBd has full row rank for all θ ∈ [0, 2π] −1 ∈ RH CDd where W ∞ and or, equivalently, the transfer function matrix A APC + BD R−1/2 W = . (15) = A Bd C R1/2 Gd : (18) C Dd

3. PROBLEM FORMULATION has no transmission zero on the unit circle.

Consider a discrete time invariant system with disturbance This assumption can be relaxed in the same way as in the and possible faults as: continuous time case [28].

x(k +1)= Ax(k)+Bu(k)+Bdd(k)+B f f (k), Remark 1. We want to point out that in several recent work (16) y(k) = Cx(k)+Du(k)+Ddd(k)+D f f (k), on continuous time fault detection problems [17, 19, 21, 22], it is assumed that D f has full column rank. We believe that where x(k) ∈ Rn is the state vector, y(k) ∈ Rny is this assumption is extremely restrictive. The assumption im- the output measurement, d(k) ∈ Rnd represents the un- plies that measurement y contains directly the independent known/uncertain disturbance and measurement noise, and information on every faulty component of f .Inparticular, 4 Journal of Control Science and Engineering

d Denote the transfer matrices from d and f to r by Grd and Grf, respectively, then

Gd Grd = QNd, Grf = QN f . (25) In general a good fault-detection filter must make a u f ff Gu G f tradeo between two conflicting performance objectives: robustness to disturbance rejection and sensitivity to faults. To achieve good robustness to disturbance, the influence of dis- y turbance must be minimized at the output of the residual sig- − + nals. On the other hand, the residual signal should be as sen- N M u sitive as possible to the faults. Therefore, we need to choose certain performance criteria for measuring these two aspects Q so that the fault-detection filter design has satisfactory fault detection sensitivity and guaranteed disturbance rejection ef- r fect. H Figure 1: General fault-detection filter structure. Since an − index is a good measurement for a transfer function’s smallest gain, Grf− is a reasonable performance criterion for measuring fault detection sensitivity if f (k)is modeled as unknown energy or power bounded signals. If this implies that D f cannot be zero which is usually not the case when there is only actuator/system component fault and d(k) is modeled as unknown energy or power bounded sig- H no sensor fault. Furthermore, we believe that the fault detec- nals, then ∞ norm is a widely accepted worst case measure tion for sensor fault is relatively easier than that for actua- and Grd ∞ is a good indicator of disturbance rejection per- tor/system fault. formance. On the other hand, if d(k) and/or f (k)arewhite H By taking Z-transform of (16) we have the system in- noise, the 2 norms of Grd and/or Grf seem to be more suit- put/output equation able criteria. See [29] for more detailed discussions and motivations on various performance measures. = y Guu + Gdd + G f f, (19) We will now formulate several fault-detection filter design problems. where Gu, Gd,andG f are ny ×nu, ny ×nd and ny ×n f transfer matrices, respectively and their state-space realizations are Problem 1 (H−/H∞ problem). Let an uncertain system be described by (16)–(20) and let γ>0beagivendisturbance A BBd B f × = ny ny Gu Gd G f . (20) rejection level. Find a stable transfer matrix Q ∈ RH∞ C DDd D f in (23)–(25) such that Grd∞ ≤ γ and Grf− is maximized, Since the state-space realization of Gu, Gd,andG f share the that is, same A and C matrices, applying Lemma 2 we can find an ≤ max × QN f − : QNd ∞ γ . (26) LCF for the system (20) ∈RHny ny Q ∞ −1 Gu Gd G f = M Nu Nd N f , (21) Problem 2 (H2/H∞problem). Let an uncertain system be de- where scribed by (16)–(20) and let γ>0 be a given disturbance re- ny ×ny jection level. Find a stable transfer matrix Q ∈ RH∞ in MNu Nd N f ≤ (23)–(25) such that Grd ∞ γ and Grf 2 is maximized, A + LC LB+ LD B + LD B + LD that is, = d d f f C ID Dd D f max QN f : QNd ∞ ≤ γ . (27) ny ×ny 2 (22) Q∈RH∞ and L is a matrix such that A + LC is stable. Problem 3 (H−/H2 problem). Let an uncertain system be de- It has been shown in [2] that, without loss of generality, scribed by (16)–(20) and let γ>0 be a given disturbance re- ny ×ny the fault detection filter can take the following general form: jection level. Find a stable transfer matrix Q ∈ RH∞ in ≤ y (23)–(25) such that Grd 2 γ and Grf − is maximized, r = Q My − N u = Q M − N , (23) u u u that is, × ≤ ny ny max × QN f − : QNd 2 γ . (28) ∈ RH ny ny where r is the residual vector for detection, Q ∞ is a Q∈RH∞ free stable transfer matrix to be designed. The filter structure is shown in Figure 1. Replacing y in (23) by the right-hand Remark 2. A more conventional formulation of the above side of (19)and(21)wehave problems is to optimize the following: d QN f X = N N = max , (29) r Q d f QNdd + QN f f. (24) ny ×ny f Q∈RH∞ QNd Y N. Liu and K. Zhou 5 where X and Y can be 2, ∞,or−. The problem that X = Y = Proof. Since Assumptions 1–3 are satisfied, Lemmas 3 and ∼ = ∼ ≥ 2 is classical and optimal solution is available [2]. The case 4 can be applied to Nd to get VV NdNd ,whereP 0 for X =−, ∞ and Y =∞has been solved recently in [26]for satisfies the following Riccati equation continuous-time systems. A discrete solution has also been −1 ALCPA − P − ALCPC + BLDD R obtained recently in [27] for the cases of X =∞and Y =∞. LC d d × = Before we proceed to the solutions of the above problems, DdBLD + CPALC + BLDBLD 0, (36) we will first establish some preliminary results. ALC := A + LC, BLD := B + LD.

Lemma 4. Suppose Assumption 3 is satisfied and let Gd = It is easy to show that the above algebraic Riccati equation −1 M Nd be any left coprime factorization over RH∞. Then Nd can be simplified to (35). The rest of the proof follows from has no transmission zero on the unit circle or, equivalently, for some simple algebraic manipulations. any appropriately dimensioned matrix L, The following lemma is the key to the solutions of all the A + LC − e jθIB+ LD above problems. d d (30) CD d Lemma 6. Suppose Assumptions 1–3 are satisfied. Let −1 V, V ∈ RH∞ be defined as in (32).Let has full row rank for all θ ∈ [0, 2π]. Q = ΨV−1 (37) Proof. The result follows by noting that ∈ RH = −1 ∈ RH for Ψ ∞ and denote N f V N f ∞. Then the − jθ − jθ fault-detection Problems 1–3 are equivalent to Problems 4–6 A + LC e IBd + LDd = IL A e IBd CDd 0 I CDd below, respectively. (31) Problem 4. ≤ and the fact that all coprime factors have the same unstable max ΨN f − : Ψ ∞ γ . (38) ny ×ny transmission zeros [29]. Ψ∈RH∞ Problem 5. An immediate consequence of the above result is the following spectral factorization formula. max ΨN f : Ψ∞ ≤ γ . (39) ny ×ny 2 Ψ∈RH∞ = Lemma 5. Suppose Assumptions 1–3 are satisfied and let Gd Problem 6. −1 RH M Nd be any left coprime factorization over ∞. Then ny ×ny ≤ −1 max × ΨN f − : Ψ 2 γ . (40) there is a square transfer matrix V∈RH∞ such that V ∈ ∈RHny ny Ψ 2 ny ×ny RH∞ and Proof. We will first show that Problems 1 and 2 are equivalent ∼ = ∼ to Problems 4 and 5,respectively. VV NdNd . (32) Note that by Lemma 6 there exists V ∈ RH∞ such that ∼ ∼ −1 VV = N N and V ∈ RH∞. Therefore, In particular, if a state-space representation of Nd is given as in d d (22),thenastatespacerepresentationofV is given by 2 = jθ jθ ∼ jθ ∼ jθ QNd ∞ sup σ Q e Nd e Nd e Q e θ∈[0,2π] −1/2 A + LC (A + LC)PC + B + LD D R ∼ ∼ = d d d d = sup σ Q e jθ V e jθ V e jθ Q e jθ (41) V 1/2 C0 R θ∈[0,2π] d (33) 2 = QV ∞, with that is, QNd∞ =QV∞. We can, therefore without loss = −1 − of generality, take Q in the form of Q ΨV for some V 1 ∈ RH = = Ψ ∞.Hence QNd ∞ QV ∞ Ψ ∞, so that − − − 1 − 1 − QN ∞ ≤ γ is equivalent to Ψ∞ ≤ γ. Moreover, QN = A APC + BdDd Rd C APC +BdDd Rd L d f = , −1 −1/2 −1/2 ΨV N f = ΨN f , hence Problem 1 is equivalent to Problem Rd C Rd (34) 4 and Problem 2 is equivalent to Problem 5. Next we show that Problem 3 is equivalent to Problem 6. ≥ Note that in Problem 3,wehaveQNd ∈ RH2.Hence, where P 0 is the stabilizing solution to the Riccati equation 2π 2 1 ∼ ∼ −1 = jθ jθ jθ jθ − − QNd 2 Trace Q e Nd e Nd e Q e dθ APA P APC + BdD DdD + CPC 2 d d π 0 (35) 2π × = 1 ∼ ∼ DdBd + CPA + BdBd 0 = Trace Q e jθ V e jθ V e jθ Q e jθ dθ 2π 0 − −1 = 2 such that A (APC + BdDd)(DdDd + CPC ) C is stable and QV 2 = Rd : DdDd + CPC . (42) 6 Journal of Control Science and Engineering

= ∈ RH −1 ∈ H = −1 such that QNd 2 QV 2. Since QV 2 and V, V − index criterion. For example, let Q γL(z)V where −1 RH∞, we can let Q = ΨV for some Ψ ∈ RH2. Therefore, L ∈ RH∞ is a low-pass filter with a very small bandwidth = = ≤ = = QNd 2 QV 2 Ψ 2 so that QNd 2 γ is equivalent so that L(z) ∞ 1andL(1) I. Then this Q is also an −1 to Ψ2 ≤ γ. Moreover, QN f = ΨV N f = ΨN f ,hence optimal solution for Problem 3 is equivalent to Problem 6. [0] ≤ max QN f − : QNd ∞ γ , (50) ny ×ny We will provide optimal solutions for each of the above Q∈RH∞ problems in the following sections. even though this is obviously a bad fault-detection filter because the low-pass filter L(z) would make the filter much less 4. H−/H∞ FAULT-DETECTION FILTER DESIGN sensitive to faults. In this section, we give a complete solution for the H−/H∞ Note also that the solution given in the above theorem fault-detection filter design problem, that is, Problem 1 or is completely general and it does not depend on specific Problem 4. state space representation of those coprime factorization and spectral factorization, which may be necessary in some fault Theorem 1. Suppose Assumptions 1–3 are satisfied. Let tolerant control applications [5, 31]. On the other hand, if those specific state-space coprime and spectral factorizations −1 Gu Gd G f = M Nu Nd N f (43) in the previous sections are used, the optimal filter can be written in a very simple form. be any left coprime factorization over RH∞ and let V ∈ RH∞ −1 ∼ be a square transfer matrix such that V ∈ RH∞ and VV = Theorem 2. Suppose Assumptions 1–3 are satisfied. Let P ≥ 0 ∼ NdNd . Then be the stabilizing solution to the Riccati equation − 1 −1 max QN : QN ∞ ≤ γ = γ V N (44) n ×n f − d f − − − + + ∈RH y y APA P APC BdDd DdDd CPC Q ∞ × = (51) DdBd + CPA + BdBd 0 and an optimal fault-detection filter for Problem 1 is given by − −1 such that A (APC + BdDd)(DdDd + CPC ) C is stable and y let Rd = DdD + CPC .Define r = Q M − N , (45) d opt u u =− −1 L0 APC + BdDd Rd . (52) where Then Q = γV−1. (46) opt ≤ = −1 max QN f − : QNd ∞ γ γ V N f − (53) RHny ×ny Proof. Note that by Lemma 6,weonlyneedtosolveProblem Q∈ ∞ 4: and an optimal H−/H∞ fault-detection filter has the following ≤ state space representation max ΨN f − : Ψ ∞ γ . (47) ny ×ny Ψ∈RH∞ y r = Q M − N , (54) From Lemma 1 we know that for every frequency θ ∈ opt u u [0, 2π], where jθ jθ jθ jθ σ Ψ e N f e ≤ σ Ψ e σ N f e (48) A + L0C −L0 B + L0D Q M − N = γ , so that opt u − −1/2 −1/2 − −1/2 Rd Ct Rd Rd D (55) ≤ ≤ A + L0C B f + L0D f ΨN f − Ψ ∞ N f − γ N f −. (49) −1 = V N f −1/2 −1/2 . Rd C Rd D f By letting Ψ = γI,wehaveΨ∞ = γ and ΨN = f − H H = In other words, the optimal −/ ∞ fault-detection filter is γ N f −, which means that Ψ γI is an optimal solution achieving the maximum. the following observer: x(k +1)= A + L0C x(k) − L0 y(t)+ B + L0D u(k) Remark 3. The optimal fault-detection filter given in = −1/2 − − Theorem 1 does not depend on B f and D f matrices. r(k) γRd y(k) Cx(k) Du(k) . (56) Remark 4. Note that the solution given in the above theorem does not depend on the specific definitions of H− in- Proof. Note that dex. Hence, the solution provided here is an optimal solution for all H− indices. However, it should be pointed out that A + LC LB+ LD MN = , (57) this optimal filter is not the only optimal solution for some u C ID N. Liu and K. Zhou 7

where L is a matrix with appropriate dimensions such that 5. H2/H∞ FAULT-DETECTION FILTER DESIGN A + LC is stable. Note from Theorem 1 and Lemma 5 that In this section, we give an optimal solution for the H2/H∞ + − −1 A L0C L0 L problem stated in Section 3 as Problem 2. Similar to the so- Qopt = γV = γ − − . (58) 1/2 1/2 H− H∞ Rd C Rd lution for / problem given in Theorems 1 and 2,we have the following parallel results for the H2/H∞ problem. Then − Theorem 3. Suppose Assumptions 1–3 are satisfied. Let Qopt M Nu −1 Gu Gd G f = M Nu Nd N f (63) A + L0C L0 − L A + LC L −(B + LD) = γ −1/2 −1/2 − Rd C Rd C I D be any left coprime factorization over RH∞ and let V ∈ RH∞ ⎡ ⎤ −1 ∼ be a square transfer matrix such that V ∈ RH∞ and VV = A + L0CL0C − LC L0 − L − L0 − L D ⎢ ⎥ N N∼. Then = ⎢ − ⎥ d d γ ⎣ 0 A + LC L (B + LD) ⎦ −1/2 −1/2 −1/2 −1/2 ≤ = −1 R CRC R −R D max QN f : QNd ∞ γ γ V N f (64) d d d d ny ×ny 2 2 ⎡ ⎤ Q∈RH∞ − ⎢ A + L0C 0 L0 B + L0D ⎥ ⎢ ⎥ and the optimal fault-detection filter for Problem 1 given in = γ ⎣ 0 A + LC L −(B + LD) ⎦ Theorems 1 and 2 is also the optimal filter for this problem. −1/2 −1/2 − −1/2 R C 0 Rd Rd D Proof. Note that by Lemma 6, we only need to solve Problem A + L0C L0 − B + L0D = 5: γ −1/2 −1/2 − −1/2 Rd C Rd Rd D max N : ∞ ≤ (65) − × Ψ f 2 Ψ γ . A + L0C L0 B + L0D RHny ny = γ . Ψ∈ ∞ −R−1/2C R−1/2 −R−1/2D d d d Note that (59) ΨN ≤Ψ∞ N ≤ γ N . (66) Similarly, we have f 2 f 2 f 2 −1 = ∞ = = V N f By letting Ψ γI,wehave Ψ γ and ΨN f 2 γN , which means that Ψ = γI is an optimal solution A + L C L − L A + LC B + LD f 2 = 0 0 f f achieving the maximum. −1/2 −1/2 Rd C Rd C D f ⎡ ⎤ − − 6. H−/H2 FAULT-DETECTION FILTER DESIGN: CASE 1 ⎢ A + L0C L0 L C L0 L D f ⎥ ⎢ ⎥ = ⎣ 0 A + LC B f + LD f ⎦ From Lemma 6 we know that the H−/H2 problem is equiv- −1/2 −1/2 −1/2 Rd CRd C Rd D f (60) alent to Problem 6, that is, ⎡ ⎤ A + L0C 0 B f + L0D f ≤ ⎢ ⎥ max × ΨN f − : Ψ 2 γ . (67) ⎢ ⎥ ∈RHny ny = ⎣ 0 A + LC B f + LD f ⎦ Ψ 2 −1/2 −1/2 Rd C 0 Rd D f Unlike the H−/H∞ problem studied in Section 4,wehave ff H H ff H A + L C B + L D di erent solutions for the −/ 2 problem if di erent − = 0 f 0 f −1/2 −1/2 . definitions are considered. In this section and the next two Rd C Rd D f sections we will illustrate this point and give solutions for all cases. Remark 5. Note that the optimal fault-detection filter − Qopt M Nu is independent of the choice of L matrix. Theorem 4. Suppose Assumptions 1–3 are satisfied. Then [0] ≤ =∞ Remark 6. It is easy to see that our optimal filter given in sup QN f − : QNd 2 γ . (68) ny ×ny Theorems 1 and 2 is also optimal for the so-called H∞/H∞ Q∈RH∞ problem Furthermore, for any given α>0,let2 > > 0 and ≤ max QN f ∞ : QNd ∞ γ (61) ny ×ny Q∈RH∞ γ (2 − ) Q = V−1. (69) sub z − 1+ and it turns out this filter is the same as the one given by Zhang et al. in [27] under the following equivalent optimiza- Then tion criterion: [0] ≤ QsubN f − >α, QsubNd 2 γ (70) QN f ∞ max . (62) ffi Q QNd ∞ is satisfied for a su ciently small > 0. 8 Journal of Control Science and Engineering

[0,2π] [0,2π] Proof. Again note that the equivalent Problem 6 in this case Therefore, WΨoptN f − > ΨoptN f − and Ψopt is is not an optimal solution. Hence, it must be true that [0] jθ jθ = ∈ ≤ σ(Ψopt(e )N f (e )) C for every θ [0, 2π]. sup ΨN f − : Ψ 2 γ . (71) × ∈RHny ny Next we show that Ψ 2 = − − jθ jθ Take Ψ(z) γ √(2 ) /(z 1+ )I such that 2 > > σ Ψopt e N f e 0. Then Ψ(1) = γ 2 − /I and Ψ = γ. Let →0, then (78) 2 = σ Ψ e jθ N e jθ for every θ ∈ [0, 2π]. Ψ(1)→∞, so that opt f jθ [0] − Suppose there exists a Ψ such that σ(Ψ (e 1 ) = = 2 −→ ∞ opt opt ΨN f − σ Ψ(1)N f (1) γ σ N f (1) . jθ jθ jθ N f (e 1 ))=/ σ(Ψopt(e 1 )N f (e 1 )) for some θ1 , that is, (72) jθ1 jθ1 jθ1 jθ1 σ Ψopt e N f e >σ Ψopt e N f e (79) = [0,2π] Remark 7. We should point out that an optimal filter de- ΨoptN f − . signed using Theorem 4 is not necessarily good for fault detection since this optimal filter can be extremely narrow- Then a Ψ1 can be selected such that banded near 0 frequency so that any higher frequency com- jθ jθ = jθ jθ ∀ ∈ ponent of fault may not be detected. σ Ψ1 e N f e σ Ψopt e N f e , θ [0,2π], σ Ψ e jθ1 N e jθ1 <σ Ψ e jθ1 N e jθ1 , 1 f opt f 7. H−/H2 FAULT-DETECTION FILTER DESIGN: CASE 2 Ψ1 2 < Ψopt 2. In this section, we will consider another special case where (80) the H− index is defined for all frequencies but with D f full jθ jθ column rank. As we have mentioned before, this is a very re- Since σ(Ψopt(e )N f (e )) = C for every θ ∈ [0, 2π], strictive case. We are interested in this case because an ana- [0,2π] = [0,2π] = Ψ1N f − ΨoptN f − . Let Ψ2 Ψopt 2/ Ψ1 2Ψ1, lytic solution is possible. = then Ψ2 2 Ψopt 2 and Lemma 7. Suppose D has full column rank. Then an optimal f Ψopt solution Ψopt to Problem 6 [0,2π] = 2 [0,2π] Ψ2N f − Ψ1N f − Ψ1 [0,2π] 2 ≤ max × ΨN f − : Ψ 2 γ (73) ∈RHny ny Ψopt 2 [0,2π] [0,2π] Ψ 2 = Ψ N > Ψ N . Ψ opt f − opt f − = 1 2 has the form Ψopt UΨo and (81) = αIn f ΨoN f , (74) Therefore, Ψopt is not optimal and by contradiction the as- 0(n −n )×n y f f jθ jθ jθ sumption is false. So σ(Ψopt(e )N f (e )) = σ(Ψopt(e ) where α is a positive scalar and U is an ny × ny all-pass stable jθ N f (e )) holds for every θ ∈ [0, 2π]. transfer matrix. jθ jθ jθ jθ Since σ(Ψopt(e )N f (e )) = σ(Ψopt(e )N f (e )) = C ∈ Proof. We will first show for every θ [0, 2π], and that D f hasfullcolumnrankim- plies ny ≥ n f , ΨoptN f has the form jθ jθ = ∈ σ Ψopt e N f e C for every θ [0, 2π], (75)

αIn f where C is a nonnegative scalar. ΨoptN f = U , (82) jθ 0(n −n )×n Suppose there exists a Ψopt such that σ(Ψopt(e ) y f f jθ N f (e )) = C does not hold. Let Θ1 denote the set of all [0,2 ] where U is an all-pass stable transfer matrix and α is a posi- jθ jθ = π θ values such that σ(Ψopt(e )N f (e )) ΨoptN f − is tive scalar. Let Ψopt = UΨo, then achieved. Let Θ2 := [0, 2π] − Θ1 such that jθ jθ jθ jθ αI σ Ψopt e N f e <σ Ψopt e N f e . = n f θ∈Θ1 θ∈Θ2 ΨoN f . (83) 0 − × (76) (ny n f ) n f

ny ×ny Then there exists a weighting function W ∈ RH∞ such = Lemma 8. Suppose D f has full column rank. Then Problem 6 that WΨopt 2 Ψopt 2 and jθ N jθ [0,2π] σ Ψopt e f e θ∈Θ1 ≤ max × ΨN f − : Ψ 2 γ (84) ∈RHny ny jθ jθ jθ Ψ 2 <σ W e Ψopt e N f e ∈ (77) θ Θ1 jθ jθ jθ ≤ σ W e Ψopt e N e . is equivalent to the following problem. f θ∈Θ2 N. Liu and K. Zhou 9

Problem 7. be any left coprime factorization over RH∞ and let V ∈ RH∞ −1 ∼ be a square transfer matrix such that V ∈ RH∞ and VV = + + min N : N N f = I . (85) ∼ + −1 + n ×ny f 2 f N N .Let(N ) = (V N ) be the optimal solution to +∈RH f d d f opt f opt N f 2 Problem 7. Then Proof. From Lemma 7 we know that the optimal solution to [0,2π] ≤ = γ Problem 6 has the form Ψopt = UΨ and max QN f − : QNd ∞ γ + o ny ×ny −1 Q∈RH V N f 2 opt 2 αIn f (92) ΨoN f = . (86) 0(ny −n f )×n f and an optimal fault detection filter is given by = Ψ1 × − × Let Ψo Ψ2 ,whereΨ1 is n f ny and Ψ2 is (ny n f ) ny. Ψ1N f = αI = = − y Then 0 so Ψ2 0and Ψo 2 Ψ1 2. Since r = Qopt M Nu , (93) Ψ2N f u Problem 6 needs to maximize ΨN f − with the constraint ≤ H Ψ 2 γ,itisequivalenttofindaΨ1 with the smallest 2 where = = + norm such that Ψ1N f I. Denote Ψ1 N f , then Problem 6 −1 + −1 is equivalent to Problem 7. γ V N f optV Qopt = . (94) V−1N + 0 In [32] the solution to a dual problem of Problem 7 is f opt 2 given. Similarly, we have the solution to Problem 7 given by the following lemma. Proof. Note that by Lemma 6, we only need to solve Problem 6 Lemma 9. Assume [0,2π] max ΨN : Ψ ≤ γ . (95) n ×n f − 2 A B Ψ∈RH y y H(z) = (87) 2 C D −1 Since G f has all zeros inside the unit circle and V ∈ RH∞, is strictly minimum phase and D has full column rank. Let N f is strictly minimum phase. From Lemmas 7–9 we know + −1 D = D(D D) , D⊥ is chosen such that D⊥D⊥ = I − − that the optimal solutionto Problem 6 is given by D(DD) 1D and A = A − B(D+) C, then the optimal so- 0 lution to problem N + γ f opt Ψopt = U , (96) + + + min H (z) : H (z)H(z) = I (88) N f 0 n ×ny 2 opt + ∈RH f 2 H (z) 2 where (N +) = (V−1N )+ is the optimal solution to Prob- is given by f opt f opt lem 7 and U is a unitary matrix. Take U = I,thenanoptimal A + KC K H+(z) = , (89) solution is given by opt RC R γ N + V−1 where Q ≥ 0 is the solution to the algebraic Ricatti equation = f opt Qopt + N f 0 −1 opt 2 Q = A QA0 − A QC D⊥ I + D⊥CQC D⊥ D⊥CQA0 (97) 0 0 γ V−1N + V−1 −1 = f opt . + B(D D) B , −1 + V N f 0 opt 2 + −1 K =−B D − A0QC D⊥ I + D⊥CQC D⊥ D⊥, + −1 R = D I + CQC D⊥D⊥ . Again the solution given in the above theorem is general (90) and it does not depend on specific state-space representation Proof. The equation H+(z)H(z) = I is equivalent to of those coprime factorization and spectral factorization. If specific state-space coprime and spectral factorization in the HT (z)(H+(z))T = I,soProblem7 is equivalent to find- previous section are used, the optimal filter can be written in ing an H(rinv)(z) with the smallest H norm such that 2 an explicit form. HT (z)H(rinv)(z) = I. Hence the conclusion in [32]canbe T (rinv) + applied to H (z) to get the optimal H (z)opt. H (z)opt is Theorem 6. Suppose Assumptions 1–3 are satisfied. Let G f has then obtained by taking transpose of H(rinv)( ) z opt. all zeros inside the unit circle and D f has full column rank. Let P ≥ 0 be the stabilizing solution to the Riccati equation Theorem 5. Suppose Assumptions 1–3 are satisfied. Let G f has all zeros inside the unit circle and D has full column rank. Let −1 f APA − P − APC + B D D D + CPC d d d d (98) = −1 × = Gu Gd G f M Nu Nd N f (91) DdBd + CPA + BdBd 0 10 Journal of Control Science and Engineering

− −1 such that A (APC + BdDd)(DdDd + CPC ) C is stable. Let where L is a matrix with appropriate dimensions such that = Rd DdDd + CPC and define A + LC is stable. From Theorem 1 − − =− 1 − A + L0C L0 L L0 APC + BdDd Rd . (99) V 1 = . (107) R−1/2C R−1/2 − d d + −1/2 −1 1 Let D = R D (D R D ) , D⊥ is chosen such that d f f d f From Theorem 2 −1/2 −1 −1 −1/2 D⊥D⊥ = I − R D (D R D ) D R and A = A + d f f d f f d 0 A + L C B + L D + −1/2 −1 0 f 0 f L0C − (B + L0D )(D ) R C.LetQ ≥ 0 is the solution to V N = − − , f f d f R 1/2C R 1/2 the algebraic Ricatti equation d d (108) − − A + L0C L0 B + L0D −1 1 − = = − V M Nu − − − . Q A0QA0 A0QC D⊥ I + D⊥CQC D⊥ D⊥CQA0 − 1/2 1/2 − 1/2 Rd C Rd Rd D −1 −1 + B f + L0D f D f Rd D f B f + L0D f From Lemma 9 (100) A + K C K − L −1 + = 0 0 0 V N f opt . (109) and define R0C R0 + K0 =− B f + L0D f D Therefore, −1/2 −1/2 −1/2 −1 − − A QC R D⊥ I + D⊥R CQC R D⊥ D⊥, Qopt M Nu 0 d d d − − + + −1/2 −1/2 1 1 = ⊥ γ V N f opt −1 R0 D I + Rd CQC Rd D⊥D . = V M − Nu −1 + 0 (101) V N f opt 2 ⎡ ⎤ A + K C K − L Then γ ⎢ 0 0 0 ⎥ = ⎣ R C R ⎦ γ −1 + 0 0 [0,2π] ≤ = V N f max QN f − : QNd ∞ γ + , opt 2 0 ny ×ny −1 Q∈RH V N f 2 opt 2 A + L C −L B + L D (102) × 0 0 0 − −1/2 −1/2 − −1/2 Rd C Rd Rd D where = γ V−1N + A + K C K − L f opt −1 + 0 0 0 ⎡ 2 ⎤ V N f = (103) ⎡ ⎤ opt R C R A + L0C 0 −L0 B + L0D 0 0 ⎢ ⎢ ⎥ ⎥ ⎢ ⎣ MN5 A + K0C MN7 MN8 ⎦ ⎥ H H × ⎢ ⎥ and an optimal −/ 2 fault-detection filter has the following ⎣ − −1/2 −1/2 − −1/2 ⎦ . R0Rd CR0C R0Rd R0Rd D state-space representation: 0 (110) − y r = Qopt M Nu , (104) u =− − −1/2 = − −1/2 where MN5 (K0 L0)Rd C, MN7 c(K0 L0)Rd , =− − −1/2 where and MN8 (K0 L0)Rd D. −1 + −1 Remark 8. Note that the optimal fault-detection filter γ V N f optV Qopt = , − −1 + Qopt M Nu] is independent of the choice of Lmatrix. V N f 0 opt 2 − γ Remark 9. Note that the strictly minimum phase assumption Qopt M Nu = −1 + V N f opt for N f is not needed. In general, if N f does not have any zeros ⎡ 2 ⎤ ⎡ ⎤ on the unit circle, one can always factorize N = N minN a A + L0C 0 −L0 B + L0D f f f ⎢⎢ ⎥⎥ min a ⎢⎣ KL5 A + K0C KL7 KL8 ⎦⎥ so that N is strictly minimum phase and N is a stable × ⎢ ⎥ , f f ⎣ − −1/2 −1/2 − −1/2 ⎦ all-pass matrix. Then the solution can be computed by using R0Rd CR0C R0Rd R0Rd D min 0 N f in place of N f . In the case when N f has zeros on the (105) unit circle, approximation factorization can also be carried out to obtain an approximation solution. =− − −1/2 = − −1/2 where KL5 (K0 L0)Rd C, KL7 (K0 L0)Rd ,and =− − −1/2 KL8 (K0 L0)Rd D. 8. H−/H2 FAULT-DETECTION FILTER DESIGN: CASE 3

Proof. Note that When Problem 3 is considered with the H− index deﬁned over a ﬁnite frequency range [θ , θ ], the solution becomes 1 2 A + LC LB+ LD much more complicated. We will now state this as a separate MN = , (106) u C ID problem as below. N. Liu and K. Zhou 11

Problem 8 (interval H−/H2 problem). Let an uncertain sys- Since Lo > 0, there exists a Cholesky factorization of Lo = tem be described by (16)–(20) and let γ>0 be a given dis- TT where T is invertible. Perform a similarity transforma- turbance rejection level. Find a stable transfer matrix Q ∈ tion on Ψ such that n ×n y y [θ1,θ2] ⎡ ⎤ RH∞ in (23)–(25) such that Grd2 ≤ γ and Grf− −1 is maximized, that is, TAψ T TBψ Aψ Bψ Ψ = ⎣ ⎦ = . (117) −1 Cψ T Dψ Cψ Dψ [θ1,θ2] ≤ max QN f − : QNd γ (111) ny ×ny 2 Q∈RH∞ − = = − 1/2 Thus, Aψ Aψ I + Cψ Cψ 0, so that Aψ O(I Cψ Cψ ) −1 − or, equivalently, let Q = ΨV and solve where O is an orthogonal matrix and I Cψ Cψ is a nonnegative definite. Since an orthogonal matrix O with no eigen- [θ1,θ2] − = − max N : ≤ (112) value equals 1canberepresentedasA (I + Aψk)(I × Ψ f − Ψ 2 γ . − ∈RHny ny 1 =− Ψ 2 Aψk) ,whereAψk Aψk is a skew-symmetric matrix, we have Remark 10. It is not hard to see that there is no rational function solution to the above problem. This is because an opti- −1 1/2 Aψ = I + Aψk I − Aψk I − C Cψ (118) mal Ψ must satisfy Ψ(e jθ) = 0 almost every where for any ψ θ/∈ [θ , θ ]. Hence, an analytic optimal solution seems to 1 2 and C ≤1. Consequently, Ψ2 = Trace(D D + B B ). be impossible. Nevertheless, it is intuitively feasible to find ψ 2 ψ ψ ψ ψ some rational approximations so that a rational Ψ has the form of a bandpass filter with the pass-band close to [θ1, θ2] = If we use directly the elements of Aψ , Bψ , Cψ ,andDψ as and Ψ 2 γ. 2 optimization variables the total number of variables is nψ + 2 Remark 11. When the condition that D f hasfullcolumn 2nynψ + ny. However, from Lemma 10 Aψ can be computed rank is not satisfied, the rational optimal solution to the from Cψ and Aψk so the elements Aψk, Bψ , Cψ ,andDψ are problem all (necessary) optimization variables. Using this technique, − the total number of optimization variables is nψ (nψ 1)/2+ [0,2π] ≤ 2n n + n2 and the reduction is n (n +1)/2. max QN f − : QNd γ (113) y ψ y ψ ψ ny ×ny 2 Q∈RH∞ In order to carry out the subsequent optimization effectively, we need an effective method of computing H− in- may not exist. In this case, we also need to find some rational dex fast and exactly. Enlightened by the bisection method approximate solutions. Moreover, this problem is a special of computing H∞ norm of a transfer matrix [34], we now = = case of Problem 8 by letting θ1 0andθ2 2π,wewillonly present a bisection algorithm to compute the H− index de- consider the solution to Problem 8. fined over [θ1, θ2]. The following result shows the main idea used in our al- In the following, we will describe an optimization ap- gorithm. proach to find a good rational approximation for the two cases above. To do that, we will need a state-space Lemma 11. Suppose H parametrization of a stable rational function with a given 2 norm [33]. A B G(z) = ∈ RH∞ (119) C D Lemma 10. Let ∈ Aψ Bψ n ×n and θ [θ1, θ2], then Ψ = ∈ RH y y (114) C D 2 ψ ψ min σ G e jθ >β (120) θ be an nψ th order proper stable transfer matrix. Then the state = − − space parameters of Ψ can be expressed as Aψ (I + Aψk)(I ifandonlyifσ[D + C(I − A) 1] >β,and −1 − 1/2 =− Aψk) (I Cψ Cψ ) for some Aψk Aψk and some Cψ sat- ≤ 2 = isfies Cψ 1. Furthermore, Ψ 2 Trace(Dψ Dψ + Bψ Bψ ). HK1 HK2 S= −1 −1 , − A + CDR−1B Cβ2R−1C A + CDR−1B Proof. Assume that (121) ⎡ ⎤ ⎣ Aψ Bψ ⎦ where HK1 = A + BR−1DC − BR−1B(A + CDR−1 Ψ = ∈ RH (115) − 2 −1 2 −1 = −1 −1 1 Cψ Dψ B ) C β R C and HK2 BR B (A + C DR B ) has no eigenvalues on the segment of unit circle between θ = θ1 and 2 is an nψ th order observable realization, then the Observabil- θ = θ2,whereR = β I − D D. ity Gramian Lo satisfies The detailed procedure of our algorithm for computing − = H Aψ LoAψ Lo + Cψ Cψ 0. (116) − index is summarized below. 12 Journal of Control Science and Engineering

(1) Give an initial guess on lower bound and upper bound For this optimization scheme we have developed a two- such that stage optimization algorithm which is a combination of genetic algorithm [35, 36] and Nelder-Mead simplex method ≤ ≤ jθ ≤ 0 β1 min σ G e β2 (122) θ∈[θ1,θ2] [10, 26]. Genetic algorithm is good at searching for the right direction for global optimum but has slow convergence, and give a tolerance > 0. while Nelder-Mead simplex method is good at searching for = (2) Let β (1/2)(β1 + β2). Compute the eigenvalues of small neighborhood. So the result obtained by genetic algo- 1 2 rithm is used as the starting point for the second-step op- = MP MP S − −1 −1 2 −1 −1 −1 timization by Nelder-Mead simplex method, the latter gives (A + C DR B ) C β R C (A + C DR B ) the final results of the optimization process. (123) Theoretically, Ψ can be a transfer matrix of any order. where MP1 = A + BR−1DCBR−1B(A + However, in practice we try to find a Ψ with low degree. Thus, CDR−1B)−1Cβ2R−1C and MP2 = R−1B(A + we run the optimization process as follows: first set Ψ with a CDR−1B)−1. given starting order, searching for the optimal value; then in- (3) If S has no eigenvalue on the segment of unit circle be- crease the order of Ψ, run the searching algorithm again and compare the results with the former one; if higher degree Ψ tween θ = θ1 and θ = θ2, which means that gives a better performance and the Ψ’s degree does not ex- min σ G e jθ >β (124) ceed the predefined limit, then keep increasing the degree ∈ θ [θ1,θ2] of Ψ and redo the searching process; else the optimization = = process ends. Example 4 will demonstrate the effectiveness of is true, then let β1 β; else let β2 β. − this optimization method. (4) Repeat steps (2) and (3) until β2 β1 < is satisfied. And the approximate value of 9. NUMERICAL EXAMPLES min σ G e jθ (125) θ∈[θ1,θ2] In this section, we give some numerical examples to show is given by (1/2)(β1 + β2)withtolerance . the effectiveness of our approaches for solving the fault- detection problems. With the state-space parametrization of Ψ on RH2 space and our bisection algorithm for computing H− index, the Example 1. We consider Problem 1 for a third-order system: optimization process for solving Problem 8, ⎡ ⎤ − − − [θ1,θ2] ⎢ 0.1964 0.3962 0.5884⎥ max ΨN f − , (126) = ⎣ ⎦ Ψ2≤γ A 123, −0.5428 −1.0879 −1.6291 can be performed as ⎡ ⎤ ⎡ ⎤ − ⎢0.01 0 ⎥ ⎢ 1 3⎥ max B = ⎣ 00.01⎦ , B = ⎣−0.51⎦ , 2 d f Aψk,Bψ ,Cψ ,Dψ ,Cψ ≤1,Trace(Dψ Dψ +Bψ Bψ )≤γ ⎡ ⎤ 00 0.50 (130) [θ ,θ ] − −1 − 1/2 1 2 ⎣ I + Aψk I Aψk I Cψ Cψ Bψ ⎦ −0.1964 −0.3962 −0.5884 N . C = , f −0.3650 −2.1320 −3.0951 Cψ Dψ − (127) 0.02 0 00.7 D = , D = . d 00.02 f 01 Furthermore, we introduce a penalty function Θ(Bψ , Cψ , Dψ ) to ensure the conditions H H ≤ 2 ≤ Let the pair (γ, β) represents the performance of an −/ ∞ Trace(Dψ Dψ + Bψ Bψ ) γ and Cψ 1. Θ is defined as [0,2π] fault-detection filter such that G ∞ ≤ γ and G − ≥ ⎧ rd rf ⎪ 2 β. Using our approach an optimal fault-detection filter has ⎨⎪C,ifTraceB Bψ + D Dψ >γ ψ ψ the form in Theorem 2 with , , = or C > 1; Θ Bψ Cψ Dψ ⎪ ψ ⎡ ⎤ ⎩ − 0 else, ⎢ 0.05 0 ⎥ − (128) L0 = ⎣ 0 0.05⎦ . (131) 00 where C is a large positive number. Therefore, the new optimization scheme is = = [0,2π] = Let γ 1, we have the optimal β γ N f − 0.7632. max The singular value plots of Grd and Grf are shown in Figures Aψk,Bψ ,Cψ ,Dψ 2 and 3,respectively. −1 1 2 [θ1,θ2] I+A I − A I −C C / B ψk ψk ψ ψ ψ N C D f ψ ψ − Example 2. We consider Problem 2 for the same system in − Θ Bψ , Cψ , Dψ . Example 1. Let the pair (γ, β) represents the performance of (129) an H2/H∞ fault-detection filter such that Grd∞ ≤ γ and N. Liu and K. Zhou 13

1.4 102

1.2

1 rd rf 1 G G 10 0.8

0.6 100 Singular value of Singular value of 0.4

0.2

0 10−1 00.511.522.53 00.511.522.53 Normalized frequency Normalized frequency

= [0,2π] Figure 2: The singular value plot of Grd, Grd ∞ 1, for Figure 3: The singular value plot of Grf, Grf− = 0.75, for Example 1. Example 1.

[0,2π] ≥ Grf 2 β.FromTheorem 3 the optimal fault-detection and the optimal filter filter in Example 1 is also optimal for this example. Let γ = 1, the optimal β = γN = 9.7591. Qopt f 2 Note that if the so-called H∞/H∞ problem is consid- γ −1 + −1 = V N f V −1 + opt ered for this system, the above fault-detection filter is also V N f opt 2 the optimal H∞/H∞ filter. Let G ∞ ≤ 1, then the optimal ⎡ ⎤ rd −0.0740 0.3126 −0.8467 −1.2003 0.3892 Grf∞ is 11.4598. ⎢ ⎥ ⎢ − − − ⎥ ⎢ 2.8761 1.3720 5.9237 5.7439 0.2946 ⎥ = ⎢ − − − ⎥ Example 3. We consider Problem 3 for the system ⎢ 0.4110 0.2304 0.9359 0.8321 0.0352 ⎥ . ⎣ 0.7188 −0.7509 2.5122 0.7430 −0.5201 ⎦ ⎡ ⎤ −1.7340 1.3456 −4.8682 00.7430 − − − ⎢ 0.1964 0.3962 0.5884⎥ (134) A = ⎣ 123⎦ , −0.5428 −1.0879 −1.6291 = ⎡ ⎤ ⎡ ⎤ Let γ 1 the optimal 0.01 0 10 ⎢ ⎥ ⎢ ⎥ γ Bd = ⎣ 00.01⎦ , B f = ⎣ 11⎦ , β = = 0.7430. (135) −1 + 00 0.50 (132) V N f opt 2 −0.1964 −0.3962 −0.5884 C = , The singular value plots of Grd and Grf are shown in Figures −0.3650 −2.1320 −3.0951 4 and 5,respectively. 0.02 0 10.7 D = , D = . d 00.02 f 01 Example 4. We consider Problem 8 for a system ⎡ ⎤ We let the pair ( , ) represents the performance of an − − − γ β ⎢ 0.1964 0.3962 0.5884⎥ H−/H2 fault-detection filter such that Grd2 ≤ γ and A = ⎣ 1.0000 2.0000 3.0000 ⎦ , [0,2π] ≥ −0.5428 −1.0879 −1.6291 Grf − β. Since this G f has all zeros inside the unit ⎡ ⎤ ⎡ ⎤ circle and D f has full column rank, we get from Theorem 6 ⎢0.01⎥ ⎢ 1.0 ⎥ B = ⎣0.01⎦ , B = ⎣−0.5⎦ (136) d f −1 + 0 0.5 V N f opt ⎡ ⎤ = − − − −0.2555 −1.4924 −2.1666 0.1900 −0.1400 C 0.1964 0.3962 0.5884 , ⎢ ⎥ ⎢ ⎥ = = ⎢ 1.3059 3.0358 4.5169 0.2000 0.0500 ⎥ Dd 0.02, D f 0, = ⎢ − − − − ⎥ ⎢ 0.5723 1.6360 2.4182 0.1000 0.0700 ⎥ ⎣ ⎦ − 0.0591 −1.0962 −1.5782 0.2000 −0.1400 where θ1 = 0andθ2 = π/2. 0.3650 2.1320 3.0951 00.2000 As discussed in Section 8 we use optimization method to (133) search for a good solution. Let us denote the maximum of 14 Journal of Control Science and Engineering

101 2 1.8 1.6 1.4 rd 0

G 10 1.2

rd 1 G 0.8 10−1

Singular value of 0.6 0.4 0.2

10−2 0 00.511.522.53 00.511.522.53 Normalized frequency Normalized frequency

= = Figure 4: Singular value plot of Grd, Grd 2 1, for Example 3. Figure 6: Singular value plot of Grd with a third order Ψ, Grd 2 1, for Example 4.

2 30

25 1.5

rf 20 G 1

rf 15 G

0.5 10 Singular value of

0 5

−0.5 0 00.511.522.53 00.511.522.53 Normalized frequency Normalized frequency

Figure 5: Singular value plot of Grf, Grf− = 0.7430, for Figure 7: Singular value plot of Grf with a third order Ψ, [0,π/2] Example 3. Grf− = 22.8182, for Example 4.

Table 1: Results for different Ψ’s order. ThesingularvalueplotsofGrd and Grf are shown in Fig- ures 6 and 7 for this third-order Ψ. Figure 8 demonstrates Ψ’s order First Second Third how the smallest singular value of Grf changes in the fre- β 14.2661 22.5345 22.8182 quency range of [0, π/2] with the order of Ψ.Itisseenthat the improvement on the performance with any Ψ of higher order than 3 is insignificant. It is interesting to note that the Ψ is trying to invert N f in [θ1,θ2] Grf− as β when Grd2 ≤ 1. In Table 1 the results ob- the frequency interval [0, π/2]. tained using our optimization algorithm with different predefined Ψ orders are given. It is clear that the results improve 10. CONCLUSION with the increasing order of Ψ. In particular, a third-order Ψ design achieving β = 22.8182 is given by In this paper, we have presented optimal solutions to vari- ⎡ ⎤ ous robust fault-detection problems for linear discrete time 0.1187 −0.0019 0.4270 −0.1424 systems in parallel with our continuous time results in [28]. ⎢ ⎥ ⎢ −0.8445 0.4220 0.3270 0.2363 ⎥ We have shown that an optimal filter for both H−/H∞ and Ψ = ⎢ ⎥ . (137) ⎣ −0.3536 −0.9012 0.2408 0.8865 ⎦ H2/H∞ can be obtained by solving one Riccati equation. It 0.3844 0.0988 0.8079 0.3714 is also interesting to note that we are able to give analytic N. Liu and K. Zhou 15

30 [5] K. Zhou and Z. Ren, “A new controller architecture for high performance, robust, and fault-tolerant control,” IEEE Trans- 25 actions on Automatic Control, vol. 46, no. 10, pp. 1613–1618, 2001. [6] I. Izadi, T. Chen, and Q. Zhao, “Norm invariant discretization 20 for sampled-data fault detection,” Automatica, vol. 41, no. 9, pp. 1633–1637, 2005.

rf 15 [7] F. Caliskan and C. M. Hajiyev, “EKF based surface fault detec- G tion and reconfiguration in aircraft control systems,” in Pro- ceedings of the American Control Conference (ACC ’00), vol. 2, 10 pp. 1220–1224, Chicago, Ill, USA, 2000. [8] B. Jiang and F. N. Chowdhury, “Fault estimation and ac- 5 commodation for linear MIMO discrete-time systems,” IEEE Transactions on Control Systems Technology,vol.13,no.3,pp. 493–499, 2005. 0 [9] Y. Zhang and J. Jiang, “Design of integrated fault detection, 00.511.522.53 diagnosis and reconfigurable control systems,” in Proceedings Normalized frequency of the 38th IEEE Conference on Decision and Control (CDC ’99), First order Ψ vol. 4, pp. 3587–3592, Phoenix, Ariz, USA, December 1999. Second order Ψ [10] G. P. Liu, J. B. Yang, and J. F. Whidborne, Multiobjective Op- Third order Ψ timization and Control, Research Studies Press, Baldock, UK, 2001. ff Figure 8: Singular value plot of Grf for di erent order of Ψ:firstor- [11] M. A. Sadrnia, J. Chen, and R. J. Patton, “Robust fault diagno- der (solid line), second order (dotted line), and third order (dashed sis observer design using H∞ optimisation and μ synthesis,” line), for Example 4. in IEE Colloquium on Modeling and Signal Processing for Fault Diagnosis, p. 9, Leicester, UK, September 1996. [12]R.J.Patton,J.Chen,andJ.H.P.Miller,“Arobustdisturbance H H decoupling approach to fault detection in process systems,” in solution to an −/ 2 problem defined on the entire fre- Proceedings of the 30th IEEE Conference on Decision and Con- quency range [0, 2π] when D f has full column rank. In control (CDC ’91), vol. 2, pp. 1543–1548, Brighton, UK, Decem- trast, the corresponding continuous time problem does not ber 1991. make any sense [28]. The critical reason for this difference is [13]P.Zhang,H.Ye,S.X.Ding,G.Z.Wang,andD.H.Zhou,“On because the entire frequency range in discrete time is finite the relationship between parity space and H2 approaches to (≤ 2π) while the entire frequency range in continuous time fault detection,” Systems and Control Letters,vol.55,no.2,pp. is infinite. We have also shown that many design criteria con- 94–100, 2006. sidered in the literature do not give desirable fault-detection [14] M. Zhong, S. X. Ding, B. Tang, P. Zhang, and T. Jeinsch, designs. “A LMI approach to robust fault detection filter design for discrete-time systems with model uncertainty,” in Proceedings of the 40th Conference on Desision and Control (CDC ’01), ACKNOWLEDGMENTS vol. 4, pp. 3613–3618, Orlando, Fla, USA, December 2001. [15] M. Zhong, S. X. Ding, J. Lam, and H. Wang, “An LMI ap- This work was supported in part by grants from NASA proach to design robust fault detection filter for uncertain LTI (NCC5-573), LEQSF (NASA/LEQSF(2001-04)-01), and the systems,” Automatica, vol. 39, no. 3, pp. 543–550, 2003. H H NNSFC Young Investigator Award for Overseas Collabora- [16] M. Hou and R. J. Patton, “LMI approach to −/ ∞ fault tive Research (60328304). detection observers,” in Proceedings of the UKACC Interna- tional Conference on Control, vol. 1, pp. 305–310, Exeter, UK, September 1996. REFERENCES [17] J. Liu, J. L. Wang, and G.-H. Yang, “An LMI approach to minimum sensitivity analysis with application to fault detection,” [1] J. Chen and R. J. Patton, Robust Model-Based Fault Diagnosis Automatica, vol. 41, no. 11, pp. 1995–2004, 2005. for Dynamic Systems, Kluwer Academic Publishers, Norwell, [18] I. Izadi, Q. Zhao, and T. Chen, “An H∞ approach to fast rate Mass, USA, 1999. fault detection for multirate sampled-data systems,” Journal of [2] P. M. Frank and X. Ding, “Survey of robust residual genera- Process Control, vol. 16, no. 6, pp. 651–658, 2006. tion and evaluation methods in observer-based fault detection [19] I. M. Jaimoukha, Z. Li, and V. Papakos, “A matrix factorization systems,” Journal of Process Control, vol. 7, no. 6, pp. 403–424, solution to the H− / H∞ fault detection problem,” Automatica, 1997. vol. 42, no. 11, pp. 1907–1912, 2006. [3] R. J. Patton, “Robustness in model-based fault diagnosis:the [20] B. Jiang, M. Staroswiecki, and V. Cocquempot, “H∞ fault 1995 situation,” Annual Reviews in Control, vol. 21, pp. 103– detection filter design for linear discrete-time systems with 123, 1997. multiple time delays,” International Journal of Systems Science, [4] Y. M. Zhang and J. Jiang, “Bibliographical review on reconfig- vol. 34, no. 5, pp. 365–373, 2003. urable fault-tolerant control systems,” in Proceedings of the 5th [21] F. Tao and Q. Zhao, “Fault detection observer design with un- IFAC Symposium on Fault Detection, Supervision and Safety of known inputs,” in Proceedings of the IEEE Conference on Con- Technical Processes (SAFEPROCESS ’03), pp. 265–276, Wash- trol Applications (CCA ’05), pp. 1275–1280, Toronto, Canada, ington, DC, USA, June 2003. August 2005. 16 Journal of Control Science and Engineering

[22] H. B. Wang, L. Lam, S. X. Ding, and M. Y. Zhong, “Iterative linear matrix inequality algorithms for fault detection with unknown inputs,” Journal of Systems and Control Engineering, vol. 219, no. 2, pp. 161–172, 2005. [23] H. Ye, S. X. Ding, and G. Wang, “Integrated design of fault detection systems in time-frequency domain,” IEEE Transactions on Automatic Control, vol. 47, no. 2, pp. 384–390, 2002. [24] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “Fault detection for uncertain sampled-data systems,” in Proceedings of the World Congress on Intelligent Control and Automation (WCICA ’02), vol. 4, pp. 2728–2732, Shanghai, China, June 2002. [25] P. Zhang, S. X. Ding, G. Z. Wang, D. H. Zhou, and E. L. Ding, “An H∞ approach to fault detection for sampled-data systems,” in Proceedings of the American Control Conference (ACC ’02), vol. 3, pp. 2196–2201, Anchorage, Alaska, USA, May 2002. [26] S. X. Ding, T. Jeinsch, P. M. Frank, and E. L. Ding, “A uniﬁed approach to the optimization of fault detection systems,” In- ternational Journal of Adaptive Control and Signal Processing, vol. 14, no. 7, pp. 725–745, 2000. [27] P. Zhang, S. X. Ding, G. Z. Wang, and D. H. Zhou, “Fault detection of linear discrete-time periodic systems,” IEEE Trans- actions on Automatic Control, vol. 50, no. 2, pp. 239–244, 2005. [28] N. Liu and K. Zhou, “Optimal solutions to multi-objective robust fault detection problems,” in Proceedings of the 46th IEEE Conference on Decision and Control (CDC ’07), New Orleans, La, USA, December 2007. [29] K. Zhou, J. C. Doyle, and K. Clover, Robust and Optimal Con- trol, Prentice-Hall, Upper Saddle River, NJ, USA, 1996. [30]R.C.HornandC.R.Johnson,Topics in Matrix Analysis,Cam- bridge University Press, Cambridge, UK, 1991. [31] H. Niemann and J. Stoustrup, “An architecture for fault tolerant controllers,” International Journal of Control, vol. 78, no. 14, pp. 1091–1110, 2005. [32] L. Li and G. Gu, “Design of optimal zero-forcing precoders for MIMO channels via optimal full information control,” IEEE Transactions on Signal Processing, vol. 53, no. 8, pp. 3238–3246, 2005. [33] D. U. Campos-Delgado and K. Zhou, “A parametric optimization approach to H∞ and H2 strong stabilization,” Automatica, vol. 39, no. 7, pp. 1205–1211, 2003. [34] S. Boyd, V. Balakrishnan, and P. Kabamba, “A bisection method for computing theH∞ norm of a transfer matrix and related problems,” Mathematics of Control, Signals, and Sys- tems, vol. 2, no. 3, pp. 207–219, 1989. [35] M. Gen and R. W. Chenge, Genetic Algorithms and Engineering Optimization, John Wiley & Sons, New York, NY, USA, 2000. [36]R.J.Patton,J.Chen,andG.P.Liu,“Robustfaultdetection of dynamic systems via genetic algorithms,” in Proceedings of the 1st International Conference on Genetic Algorithms in Engi- neering Systems: Innovations and Applications (GALESIA ’95), no. 414, pp. 511–516, Sheﬃeld, UK, September 1995. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 790893, 12 pages doi:10.1155/2008/790893

Research Article Computation of a Reference Model for Robust Fault Detection and Isolation Residual Generation

Emmanuel Mazars, Imad M. Jaimoukha, and Zhenhai Li

Control and Power Group, Department of Electrical and Electronic Engineering, Imperial College, London SW7 2AZ, UK

Correspondence should be addressed to Imad M. Jaimoukha, [email protected]

Received 30 March 2007; Revised 31 August 2007; Accepted 3 November 2007

Recommended by Kemin Zhou

This paper considers matrix inequality procedures to address the robust fault detection and isolation (FDI) problem for linear time-invariant systems subject to disturbances, faults, and polytopic or norm-bounded uncertainties. We propose a design procedure for an FDI ﬁlter that aims to minimize a weighted combination of the sensitivity of the residual signal to disturbances and modeling errors, and the deviation of the faults to residual dynamics from a fault to residual reference model, using the H∞-norm as a measure. A key step in our procedure is the design of an optimal fault reference model. We show that the optimal design requires the solution of a quadratic matrix inequality (QMI) optimization problem. Since the solution of the optimal problem is intractable, we propose a linearization technique to derive a numerically tractable suboptimal design procedure that requires the solution of a linear matrix inequality (LMI) optimization. A jet engine example is employed to demonstrate the eﬀectiveness of the proposed approach.

Copyright © 2008 Emmanuel Mazars et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION Nielsen [15] give an algorithm to design a reference model and a robust FDI filter that fits into the framework of stan- In the past decade, great attention has been devoted to the dard robust H∞-filtering relying on established and efficient design of model-based fault detection systems and their ro- methods. However, their framework consists in solving two bustness [1, 2]. With the rapid development of robust con- optimization problems successively, which results in a sub- trol theory and H∞ optimization control techniques, more optimal solution. and more methods have been presented to solve the robust In this paper, we propose a performance index that cap- FDI problem. The H∞-filter is designed such that the H∞- tures the requirements of fault isolation and disturbance re- norm of the estimation error is minimized (see [3–5]and jection as well as the design of the optimal reference model. the references therein). Some of the approaches used for this The fault isolation performance is measured by the size of problem include frequency domain approaches [6], left and the deviation of the fault to residual dynamics from the ref- right eigenvector assignment [7], structure parity equation erence dynamics model, while the disturbance rejection per- [8], and an unknown input observer with disturbances de- formance is measured by the size of the input to residual coupled in the state estimation error [9]. Recently devel- and disturbance to residual dynamics. In all cases, the H∞ oped LMI approaches offer numerically attractive techniques norm is used as a measure. The design of the optimal ref- [10–12]. erence model is incorporated in the robust FDI framework. A reference residual model is an ideal solution for robust We consider systems subject to norm-bounded or polytopic FDI under the assumption that there are no disturbances or uncertainties. For systems described by polytopic and un- model uncertainty. The idea is to design a filter for the unstructured norm-bounded uncertainties, we derive an opti- certain system that approximates the solution given by the mal FDI filter obtained as the solution of a QMI optimiza- reference model [13]. In [14], a new performance index is tion. For systems described by structured uncertainties, we proposed using such a reference residual model. Frisk and derive a suboptimal QMI-based solution. Since the solution 2 Journal of Control Science and Engineering of a QMI optimization is, in general, intractable, we propose ator faults modeled as a linearization technique to derive a suboptimal design pro- M ⎡ ⎤ x(t) cedure that requires the solution of a numerically tractable ⎢ ⎥ ⎢ ⎥ x˙(t) ABBd B f ⎢u(t)⎥ LMI optimization. This note extends our work in [16]by = ⎢ ⎥ ,(4) proposing algorithms for the design of suboptimal reference y(t) CDDd D f ⎣d(t)⎦ dynamics. f (t) The structure of the work is as follows. After defining the notation, we review filter-based FDI techniques for resid- where x(t) ∈ Rn, u(t) ∈ Rnu ,andy(t) ∈ Rny are the process ual signal generation and give the problem formulation in state and input and output vectors, respectively, and where Section 2. Section 3 presents a matrix inequality formulation d(t) ∈ Rnd and f (t) ∈ Rn f are the disturbance and fault × × ∈ Rn n f ∈ Rny n f for the FDI problem, and gives the solution and the design vectors, respectively. Here, B f and D f of the optimal reference model for both norm-bounded and are the component and instrument fault distribution matri- × × ∈ Rn nd ∈ Rny nd polytopic uncertainties in a form of QMI’s. Section 4 gives a ces, respectively, while Bd and Dd are the suboptimal solution in both cases through the use of an al- corresponding disturbance distribution matrices [18]. gorithm that necessitates solving LMI’s. Finally, a numerical We consider two types of uncertainties: norm-bounded example is presented in Section 5,andSection 6 summarizes and polytopic uncertainties. In the case of norm-bounded our results. uncertainties, ⎧ × Mo The notation we use is fairly standard. The set of real n ⎪ Rn×m ∈ Rn×m ⎪ m matrices is denoted by .ForA , we use the ⎨⎪ o o o o × A B B B notation AT to denote transpose. For A = AT ∈ Rn n, A 0 M ∈ d f ⎪ o o ≺ ⎪ Co Do D D (A 0) denotes that A is positive (negative) definite, that is, ⎪ d f all the eigenvalues of A are greater (less) than zero. The n × n ⎩ × ⎫ identity matrix is denoted as In and the n m null matrix is ⎪ ⎪ denoted as 0n,m with the subscripts occasionally dropped if ⎬⎪ they can be inferred from context. FA + Δ E E E E : Δ ∈ Δ =: MΔ, L L H A B d f ⎪ Let 2 be the set of square integrable functions. The 2- FC ⎪ ∞ ⎭ ∈ L = T norm of u 2 is defined as u 2 0 u(t) u(t)dt.A −1 (5) transfer matrix G(s) = D + C(sI − A) B will be denoted as s = o −1 G(s) (A, B, C, D)or where M represents the nominal model, ΔH = Δ(I −HΔ) , where s A B = Δ := Δ = diag δ1Iq1, ..., δlIql, Δl+1, ..., Δl+ f : Δ≤1, G(s) ,(1) C D qi×qi nΔ×nΔ δi ∈ R, Δi ∈ R ⊂ R , (6) and dependence on the variable s will be suppressed. For a stable transfer matrix G,wedefine and where FA, FC, EA, EB, Ed, E f ,andH are known and constant matrices with appropriate dimensions. This linear frac- = = ∈ L tional representation of uncertainty, which is assumed to be G ∞ sup Gu 2/ u 2 :0/ u 2 , (2) well-posed over Δ (i.e., det (I − HΔ) =/ 0forallΔ ∈ Δ), has = = ∈ L G − inf Gu 2/ u 2 :0/ u 2 . great generality and is widely used in control theories. In the case of polytopic uncertainties, ⎧ ⎫ In section 3, we use the following result. ⎪ Mi ⎪ ⎪ ⎪ ⎪ ⎡ ⎤ ⎪ − ⎨⎪ p i i i i p ⎬⎪ = T − − T 1 A B B B Lemma 1 (see [17]). Let φ(s) R + B ( sI A ) C + M ∈ ⎣ d f ⎦ = ≥ = M − ξ : ξ 1, ξ 0 : ξ , T −1 T T 1 −1 ⎪ i i i i i i i ⎪ C (sI − A) B + B (−sI − A ) Q(sI − A) B with (A, B) ⎪ =1 C D D D =1 ⎪ ⎪i d f i ⎪ sign controllable, RT = R,andQT = Q. Then φ(s) has a spec- ⎩ ⎭ × RLm p = T − tral factor G(s) ∈ ∞ (i.e., φ(s) G ( s)G(s)) if and (7) only if there exists symmetric P that satisfies the following linear matrix inequality: where Mi, i = 1, ..., p, are known constant matrices with appropriate dimensions. PA + AT P + QPB+ C A residual signal in an FDI system should represent the inconsistency between the system variables and the T 0. (3) (PB + C) R mathematical model. The objective is to design an FDI filter of the form ⎡ ⎤ 2. PROBLEM FORMULATION x(t) ˙ ⎢ ⎥ x(t) Ak Bku Bky ⎢ ⎥ = ⎣u(t)⎦ ,(8) Consider a linear time-invariant dynamic system subject to r(t) Ck Dku Dky disturbances, modeling errors and process, sensor and actu- y(t) Emmanuel Mazars et al. 3

d f d f tries. Unfortunately, characterizing a general structured set S is intractable, and we will assume that we can deﬁne a subset Bd B f Dd D f s nref×nref S = Tref = Aref, Bref, Cref, Dref : Aref ∈ SA ⊆ R ,

× × B ∈ S ⊆ Rnref n f , C ∈ S ⊆ Rn f nref , u x˙ x ref B ref C B C × ∈ S ⊆ Rn f n f ⊆ S y Dref D A (11) D such that subsequent optimizations over the structured state- B ky space data sets SA, SB, SC,andSD are tractable. For example, S × Dky if denotes the set of all stable n f n f diagonal transfer ma- S x˙ x r trices with nonzero diagonal entries, we may define A as the Bku Ck set of all n f × n f diagonal matrices with negative entries, and SB, SC,andSD as the sets of all n f ×n f diagonal matrices. An Ak example of this simplification procedure is given in Section 5 Dku below. We also replace the requirement of nonzero diagonal entries for S by a condition of the form T − ≥ β>0for Filter ref all Tref ∈ S. Figure 1: Filter-based robust FDI scheme. Due to the presence of disturbances and modelling uncertainties, exact FDI is not possible. For robust FDI, we propose the following, more realistic, problem formulation. where x(t) ∈ Rnk is the filter state and r(t) ∈ Rn f is the residual signal. Figure 1 illustrates this filter in the robust resid- Problem 1. Assume that the system dynamics in (4)are ual generation scheme. quadratically stable. For any γ>0, find a stable fault ref- T s By defining an augmented state z(t) = [ x(t)T x(t)T ] the erence dynamics Tref = (Aref, Bref, Cref, Dref) ∈ S such that residual dynamics are given by Tref− ≥ 1 (to ensure the requirement of nonzero diagonal S ⎡ ⎤ entries for ), and find a stable filter of the form given in z(t) (8), if it exists, such that the residual dynamics in (10)are ⎡ ⎤ ⎢ ⎥ z˙(t) A B B B ⎢ f (t)⎥ quadratically stable and = ⎣ f d u ⎦ ⎢ ⎥ ⎢ ⎥ (9) r(t) C D D D ⎣d(t)⎦ M M M f d u T − T T T sup rf ref rd ru ∞ <γ, (12) u(t) M∈M or where M = MΔ for norm-bounded uncertainties and M = M M M M ξ for polytopic uncertainties. Trf Trd Tru ⎡ ⎤ Recall that quadratic stability for the dynamics in (4)is A B B B T T =s ⎣ f d u ⎦ equivalent to the existence of P = P 0 such that A P + ≺ C D f Dd Du PA 0forallA (see [19] for more details). ⎡ ⎤ A modified version of Problem 1 uses a weighted cost 0 ⎢ A B f Bd B ⎥ function, say, of the form ⎢ ⎥ = ⎣ BkyCAk BkyD f BkyDd Bku + BkyD ⎦ , M M T − T W T W TMW DkyCCk DkyD f DkyDd Dku + DkyD rf ref f rd d ru u ∞, (13) (10) where W f , Wd,andWu are constant or frequency-dependent M M M where Trf , Trd ,andTru denote the dynamics from faults, weighting functions that can vary the emphasis between fault M M disturbances, and inputs to the residual, respectively. Note detection (small Trd ∞ and Tru ∞) and fault isolation M − that dependence on the uncertain data is indicated by a su- (small Trf Tref ∞). In the sequel, we assume that any such perscript M. weighting functions are absorbed in the system data. Ideally, the residual signal is required to be sensitive only M = M = M = to faults. This corresponds to Trd 0, Tru 0, and Trf / 0. Remark 1. The objective is to find the smallest γ for which For fault isolation, it is further required that the fault signa- (12) is satisfied. Indeed, by minimizing γ, we will ensure M ture can be deduced from the residual. This corresponds to Trd ∞ (which measures the disturbance rejection level), M ∈ S S M ff Trf ,where is a set of transfer matrices with a spe- Tru ∞ (which measures the e ect of uncertainty), and M − cial structure that depends on the nature of the faults, for ex- Trf Tref ∞ (which measures the deviation of the fault to ample, if the faults can occur simultaneously, S is the set of residual dynamics from the reference dynamics, and hence is stable diagonal transfer matrices with nonzero diagonal en- a measure of fault isolation capability) to be small. 4 Journal of Control Science and Engineering

A poorly chosen reference model can result in a residual where generator with poor robustness. Here, we incorporate its de- o o sign into our scheme so as to improve the robustness of the Ac Bc o o FDI filter. Cc Dc In some approaches, a common assumption is that D f = ⎡ ⎤ A ref 00 B ref 00 0 and/or CBf has full rank [20, 21]; in others, the assump- ⎢ ⎥ ⎢ 0 Ao 0 Bo Bo Bo ⎥ tion D f has full rank and is widely used [22, 23]. Here, we do ⎢ f d ⎥ =⎢ o o o o ⎥, not impose any of these assumptions. Note, however, that if ⎣ 0 BkyC Ak BkyD f BkyDd Bku+BkyD ⎦ = − o o − o o D f does not have full column rank, for example, if D f 0, C ref DkyC Ck DkyD f D ref DkyDd Dku+DkyD then this will have an adverse effect on the minimum val- (17) ≥ M − M M ≥ M ∞ − ues of γ since γ [ Trf Tref Trd Tru ] ∞ Trf ( ) Δ Δ Ac Bc Fr1 Tref(∞)=DkyD f − Dref=Dref≥1. This would there- = ΔH Er1 Er2 CΔ DΔ Fr2 fore limit the overall performance of the filter, which is mea- c c ⎡ ⎤ sured by the value of γ. 0 ⎢ ⎥ ⎢ ⎥ ⎢ FA ⎥ := ⎢ ⎥ ΔH 0 EA 0 E f Ed EB . ⎣ BkyFC ⎦ 3. MATRIX INEQUALITY FORMULATION DkyFC (18) In this section, we derive a matrix inequality formulation of Problem 1. The main idea is to express (12)intermsofQMIs Using this separation, the inequality (15)canberewrittenas using the bounded real lemma and change of variables techniques, and then to derive necessary and sufficient conditions o Tc for solvability. ⎡ ⎤ o T o o o T The dynamics in (12)canbewrittenas ⎢ Ac Pc + PcAc PcBc Cc ⎥ ⎢ ⎥ ⎢ o T − o T ⎥ ⎣ Bc Pc γI Dc ⎦ o o − M M Cc Dc γI M M M s Ac Bc T − Tref T T = (19) rf rd ru M M TΔ Cc Dc c ⎡ ⎤ ⎡ ⎤ Δ T Δ Δ Δ T Aref 0 Bref 00 ⎢ Ac Pc + PcAc PcBc Cc ⎥ ⎢ ⎥ ⎢ T T ⎥ = ⎢ 0 A B f Bd Bu ⎥ ⎢ Δ Δ ⎥≺ : ⎣ ⎦ . + ⎣ Bc Pc 0 Dc ⎦ 0. − − Δ Δ Cref C D f Dref Dd Du Cc Dc 0 (14) Δ = T T A calculation shows that Tc FΔH E + E ΔH F ,where It follows from the bounded real lemma that there exists a T = T T = 0 (20) stable filter of the form given in (8) such that (12)issatisfied F PcFr1 0 Fr2 , E Er1 Er2 . = T if and only if there exists Pc Pc such that Pc 0and The next result uses the fact that Δ ∈ Δ to remove explicit dependence on Δ. ⎡ ⎤ M T M M M T ⎢ Ac Pc + PcAc PcBc Cc ⎥ Δ ⎢ ⎥ Lemma 2 (see [25]). Let be as described in (6) and define ⎢ M T − M T ⎥ ≺ ⎣ Bc Pc γI Dc ⎦ 0 (15) the subspaces M M − Cc Dc γI Σ = diag S1, ..., Sl, λ1Iql+1, ..., λsIql+ f : × = T ∈ Rqi qi ∈ R M Si Si , λj , for all (see [24, Theorem 3]). We deal separately with (21) norm-bounded and polytopic uncertainties. Γ = diag G1, ..., Gl,0ql+1, ...,0ql+ f : × =− T ∈ Rqi qi Gi Gi . 3.1. Solution with norm-bounded uncertainties Let R = RT , F, E,andH be matrices with appropriate dimen- −1 sions. We have det (I − HΔ) =/ 0 and R + FΔ(I − HΔ) E + For norm-bounded uncertainties, we separate the terms in- −1 volving modeling uncertainties from the other terms as ET (I − ΔT HT ) ΔT FT ≺ 0 for every Δ ∈ Δ if there exist S ∈ Σ and G ∈ Γ such that S 0 and M M M M = o Δ o Δ o Δ o Δ R + ET SE F + ET SH + ET G Ac , Bc , Cc , Dc Ac + Ac , Bc + Bc , Cc + Cc , Dc + Dc , ≺ 0. (22) (16) FT + HT SE + GE HT SH + HT G + GH − S Emmanuel Mazars et al. 5 ⎡ ⎤ × T Δ Δ ={ ∈ RnΔ nΔ ≤ } If is unstructured (i.e., if Δ : Δ 1 ), ⎢ DyC − CrefE2 + C ⎥ L = o T = ⎣ ⎦ then (22) becomes 13 : Cc Π1 , (29) − T DyC CrefE2 R + λET EF+ λET H ⎡ ⎤ ≺ 0 (23) ZFA FT + λHT EλHT H − I L = T = ⎣ ⎦ 14 : Π1 PcFr1 , (30) YFA + ByFC for some scalar λ ≥ 0. In this case, condition (23) is both neces- ⎡ ⎤ ffi T sary and su cient. EA L := ΠT ET = ⎣ ⎦ , (31) 15 1 r1 T When the uncertainty set is unstructured, then Lemma 2 EA implies that LT = o − o o 23 DyD f Dref DyDd DyD + Du , (32) (19) ⇐⇒ To + FΔ E + ET Δ T FT ≺ 0 c H H LT = ⎡ ⎤ 25 E f Ed EB , (33) To + λET E F + λET H (24) ⇐⇒ ⎣ c ⎦ ≺ 0 wherewehavedefined FT + λHT Eλ HT H − I ⎡ ⎤ 00Inref 0000 AE B B B F :=⎣ ⎦, ≥ 1 f d A o o o o for some λ 0. Using a Schur complement argument shows 0 A 0 B f Bd B FA that (19)isequivalentto (34) ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ o o T o o T T ⎢ C ⎥ ⎢ 0 C ⎥ ⎢ Ac Pc + PcBc Cc PcFr1 λEr1 ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢E ⎥ = ⎢I 0 ⎥ ⎢ − o T T ⎥ ⎣ 2 ⎦ : ⎣ nref ⎦ , (35) ⎢ γI Dc 0 λEr2 ⎥ ⎢ ⎥ T := ⎢ − ⎥ ≺ 0, EA 0 EA c ⎢ γI Fr2 0 ⎥ ⎢ − T ⎥ ⎡ ⎤ ⎡ ⎤ ⎣ λI λH ⎦ T A By Bu NAkM ZNBky NBku −λI ⎣ ⎦ = ⎣ ⎦ . (36) T (25) C Dy Du CkM ZDky Dku

If M and N are invertible, the variables Ak, Ck, Bky, Bku, Dky, where denotes terms readily inferred from symmetry. D can be replaced by the new variables A, B , B , C, D , D Next, we introduce a change of variables to linearize the ku y u y u without loss of generality. We can now rewrite (19)as above matrix inequality [26]. Assume that n = n + n, that k ref ⎡ ⎤ is, the filter order is equal to the order of the system plus the L + LT L L L λL ⎢ 11 11 12 13 14 15⎥ order of the reference model. Let ⎢ ⎥ ⎢ −γI L 0 λL ⎥ ⎢ 23 25⎥ ⎢ ⎥ YN XM ⎢ − ⎥ ≺ = −1 = ⎢ γI DyFC 0 ⎥ 0, (37) Pc T , Pc T , ⎢ ⎥ N Y M X ⎢ −λ λ T ⎥ (26) ⎣ I H ⎦ II −λI Π = , 1 MT Z 0 which is nonlinear in the variables. Note that the nonlineari- × ties involve the terms Aref and Bref only. The constraint Pc 0 where X, Y, X, Y ∈ Rnk nk are symmetric matrices, and −1 can be expressed as an LMI as follows: Z = X .DefineT = diag (Π1, I). Then Tc ≺ 0 if and only if ⎡ ⎤ T −1 T TcT ≺ 0. From PcP = I, we have the following calcula- ZZ c ⇐⇒ T ⇐⇒ ⎣ ⎦ tions, where boldface letters are used to indicate optimization Pc 0 Π1 PcΠ1 0 0. (38) ZY variables: The constraint T − ≥ 1 can be expressed as a quadratic L = T o ref 11 : Π1 PcAc Π1 matrix inequality using the next lemma. ⎡ ⎤ T T ZA + ZE1ArefE ZA + ZE1ArefE ⎣ 1 1 ⎦ Lemma 3. Let Tref be as defined above. Then Tref− ≥ 1 if and = , × T T only if there exists P = P T ∈ Rnref nref such that YA+YE1ArefE1 +A+ByC YA+YE1ArefE1 +ByC ref ref (27) Tro ⎡ ⎤ L = T o T T T 12 : Π1 PcBc PrefAref +Aref Pref +Cref Cref PrefBref +Cref Dref ⎡ ⎤ := ⎣ ⎦ T T T − ZB f + ZE1Bref ZBd ZB Bref Pref + Dref Cref Dref Dref In f =⎣ ⎦, o o o YB f +YE1Bref +ByD f YBd +ByDd YB+ByD +Bu 0. (28) (39) 6 Journal of Control Science and Engineering

= ∼ − ≺ ⇐⇒ Proof. Let φ(s) T ref (s)T ref (s) In f . Then φ(s) 0ifand TSG 0 TSG ≥ ⎡ ⎤ only if Tref − 1. It is easy to show that φ(s)canbewritten o T o o T T T ⎢ Ac Pc + PcBc Cc PcFr1 +Er1G Er1S⎥ as follows: ⎢ ⎥ ⎢ T ⎥ ⎢ −γI Do ET G ET S⎥ − ⎢ c r2 r2 ⎥ = T − T − − T 1 T ⎢ ⎥ φ(s) Dref Dref Inf +Bref sInf Aref Cref Dref :=⎢ − ⎥ ⎢ γI Fr2 0 ⎥ − ⎢ ⎥ T T − 1 ⎢ T T − T ⎥ + Cref Dref sInf Aref Bref ⎣ H G+G H S H S⎦ T T −1 T −1 −S + Bref − sInf − Aref Cref Cref sInf − Aref Bref. (40) ≺ 0. (43) The result then follows from Lemma 1.

As we did for unstructured uncertainties, we use the same = The next lemma summarizes our result so far by giv- matrix T diag (Π1, I) to allow to change variables, it fol- T ing necessary and suﬃcient conditions for the solution of lows that TSG ≺ 0 if and only if TSG := TTSGT ≺ 0. We T Problem 1, in the case that the uncertainty set is unstruc- multiply TSG by K = diag (I, S)andK from left and right, tured, in the form of a QMI feasibility problem. respectively, to get TSG ≺ 0 if and only if

Lemma 4. Assume that Δ is unstructured. Then there exist a ⎡ ⎤ L + LT L L L + L G L S stable filter of the form given in (8) and a stable fault refer- ⎢ 11 11 12 13 14 15 15 ⎥ s ⎢ ⎥ ence dynamics model Tref = (Aref, Bref, Cref, Dref) ∈ S,whereS ⎢ − L 0 L S⎥ ⎢ γI 23 25 ⎥ is defined in (11), such that T − ≥ 1, residual dynamics in ⎢ ⎥ ref ⎢ − ⎥ ≺ M = M ⎢ γI DyFC 0 ⎥ 0. (10) are quadratically stable, and (12) is satisfied for Δ ⎢ ⎥ ∈ S ∈ S ∈ S ⎢ T T T ⎥ if and only if there exist Aref A, Bref B, Cref C, ⎣ H G + G H − S H S⎦ ∈ S λ Dref D, A, By, Bu, C, Dy, Du, , and symmetric matrices −S P , Y,andZ such that (37), (38),and(39) are satisfied. If ref (44) such variables exist, the filter dynamics are obtained by solving (36) where M and N are chosen such that NMT = I − YZ−1. Therefore, when Δ is structured, we have the following suffi- Approximate solutions to these QMIs can be obtained cient condition for solvability. by using algorithms with guaranteed global convergence [27, 28], as well as local numerical search algorithms that Lemma 5. Suppose that Δ hasthestructuredefinedin converge (without a guarantee) much faster [29, 30]. A re- (6). Then there exist a stable filter of the form given in s lated discussion of the solution algorithms for QMIs can also (8) and a stable fault reference dynamics model Tref = be found in [31]. In Section 4 below, we develop an alterna- (Aref, Bref, Cref, Dref) ∈ S,whereS is defined in (11),such tive procedure for the approximate solution of these QMIs. that Tref− ≥ 1,theresidualdynamicsin(10) are quadratically stable, and (12) is satisfied for M = MΔ if there exist Remark 2. In the case that Tref is preassigned to a known Aref ∈ SA, Bref ∈ SB, Cref ∈ SC, Dref ∈ SD, A, By, Bu, C, Dy, value, (37) becomes linear and (39) becomes irrelevant, ∈ Σ ∈ Γ therefore, the optimal solution is given in a form of an LMI Du, S , G , and symmetric matrices Pref, Y,andZ such optimization. This case has been considered in [16]. that (38), (39),and(44) are satisfied. Δ When is structured, we proceed as follows. By using 3.2. Solution with polytopic uncertainties (22)fromLemma 2,weget In this section, we derive necessary and sufficient conditions ⇐⇒ o T T T ≺ (19) Tc + FΔH E + E ΔH F 0 for solvability of the robust FDI problem for a system subject (41) to polytopic uncertainties, in the form of LMIs. Now, ⇐= ∃ S ∈ Σ & G ∈ Γ s.t. S 0&TSG ≺ 0, ⎡ ⎤ ⎧ ⎡ ⎤ ⎫ M M ⎨p i i p ⎬ where Ac Bc Ac Bc ⎣ ⎦ ∈ ⎣ ⎦ , = 1, ≥ 0 , M M ⎩ ξi i i ξi ξi ⎭ ⎡ ⎤ Cc Dc i=1 Cc Dc i=1 o T T ⎣ Tc F + E G ⎦ E (45) TSG = + S E H . FT + GT EH T G + GT H − S HT (42) i i i i where (Ac, Bc, Cc, Dc)areasdefinedin(17),butwithsuper- script (o)replacedby(i). We assume that the polytopic sys- Using a Schur complement argument and the expression of tem is quadratically stable. Recall that (12) is satisfied if and E and F in (20), we get only if (15) is satisfied for all M.Now, Emmanuel Mazars et al. 7

Ti M = T T pol (Q, R) S + QR + RQ , ⎡ ⎤ T T N Ai P + P Ai P Bi Ci (Q, R) p ⎢ c c c c c c c ⎥ ⎡ ⎤ ⎢ ⎥ T − − T − − T (15) ⇐⇒ ξ ⎢ i T − i T ⎥≺ 0, ⎢S + EoEo (Q R)Eo Eo(Q R) RQ⎥ i ⎣ Bc Pc γI Dc ⎦ ⎢ ⎥ i=1 = ⎣ RT −I 0 ⎦ , Ci Di −γI c c QT 0 −I p O(Q, R) ∀ = ξi s.t. ξi 1, ξi 0, ⎡ ⎤ − T T T i=1 ⎢S FoFo +(Q + R)Fo + Fo(Q + R) RQ⎥ = ⎢ T ⎥ ⇐⇒ i ≺ = ⎣ R I 0 ⎦ . Tpol 0, i 1, ..., p. T (46) Q 0 I (48) Noting that the change of variable defined in (36) is in- Then Mi dependent of , we can therefore use it in this scheme as N (Q, R) ≺ 0 =⇒ M(Q, R) ≺ 0, (49) well. Letting T = diag (Π1, I), it follows that M Qo, Ro ≺ 0 =⇒ N Qo, Ro ≺ 0, (50) i ≺ ⇐⇒ i = i T O =⇒ M Tpol 0 Tpol : TTpolT (Q, R) 0 (Q, R) 0, (51) ⎡ ⎤ M =⇒ O Li Li T Li Li Qo, Ro 0 Qo, Ro 0. (52) ⎢ 11 + 11 12 13 ⎥ ⎢ ⎥ (47) J = T T T − − T − = ⎢ − Li ⎥ ≺ Proof. Let (Q, R) S + QQ + RR + EoEo (Q R)Eo ⎣ γI 23 ⎦ 0, T Eo(Q − R) . Then by using a Schur complement argument, −γI we get N (Q, R) ≺ 0 ⇐⇒ J(Q, R) ≺ 0. (53) where the (Li )T s are as defined in (27)–(33)and(34)-(35), jk Let ξ(Q, R) = (Q − R − E )(Q − R − E )T .Now, but with the nominal model data Mo replaced by Mi. There- o o = − − T − − T fore, for polytopic uncertainties, we can derive necessary and S + ξ(Q, R) S +(Q R)(Q R) (Q R)Eo (54) sufficient conditions for solvability of Problem 1 in the form T T − Eo(Q − R) + EoE , of a QMI feasibility problem as follows. o and it follows that Lemma 6. Let M = Mξ . Then there exist a stable filter of T T = T T T − − T S + QR + RQ S + QQ + RR + EoEo (Q R)Eo the form given in (8) and a stable fault reference dynamics T s − E (Q − R) − ξ(Q, R). model T = (A , B , C , D ) ∈ S,whereS is defined in o ref ref ref ref ref (55) (11), such that Tref− ≥ 1,theresidualdynamicsin(10) are quadratically stable, and (12) is satisfied for M = MΔ if and That is, ∈ S ∈ S ∈ S ∈ S only there exist Aref A, Bref B, Cref C, Dref D, M(Q, R) = J(Q, R) − ξ(Q, R). (56) A, B , B , C, D , D , S ∈ Σ, G ∈ Γ, and symmetric matrices y u y u = i ≺ Using (53) and noting that ξ(Q, R) 0andξ(Qo, Ro) 0, Pref, Y,andZ such that (38), (39),andTpol 0 are satisfied we have for i = 1, ..., p. N (Q, R) ≺ 0 =⇒ J(Q, R) ≺ 0 =⇒ M(Q, R) ≺ 0, M Q , R ≺ 0 =⇒ J Q , R ≺ 0 =⇒ N Q , R ≺ 0. 4. ROBUST FDI FILTER DESIGN USING LMIS o o o o o o (57) In this section, we give a suboptimal solution to Problem 1. A similar proof can be used to derive (51)and(52). An optimal solution would necessitate the solution of a quadratic matrix inequality and is in general intractable. In order to simplify the subsequent analysis, we adopt the Here, we propose a linearization procedure to derive an up- convention that variables appended with a subscript “x”denote feasible values of the variables for the QMIs (37)and per bound on the optimal solution that requires solving an (39). LMI optimization problem. T In (37), the only nonlinear terms are ZE1ArefE1 , The following general result demonstrates that if we have T YIE1Aref E , ZE1Bref,andYE1Bref. We denote the matrix in one feasible solution to a QMI optimization, then we can 1 (37)byTrfw, and set Srfw to be the matrix Trfw, with the construct an LMI optimization problem whose solution gives nonlinear terms removed. × × an upper bound on the QMI problem. = T ∈ Rnk nk = T ∈ Rnk nk ∈ Let Zx Zx , Yx Yx , Arefx × × Rnref nref ∈ Rnref n f m×n T m×m ,andBrefx be given. We use Lemma 7 to Lemma 7. Let Qo, Ro ∈ R and S = S ∈ R be given m×n derive an LMI formulation. We can write Trfw as and let Eo = Qo − Ro and Fo = Qo + Ro.ForQ, R ∈ R , = T T define Trfw Srfw + QcRc + RcQc , (58) 8 Journal of Control Science and Engineering

T − T − T T where Drefx Cref Brefx (Prefx + Arefx ) Drefx Crefx + Bref(Prefx + Arefx )+ ⎡ ⎤ ⎡ ⎤ T } ={ T T − T − T Brefx (Pref + Aref) , V Dref Drefx + Drefx Dref Brefx Brefx ZE1 0 E1Aref 0 T T ⎢ ⎥ ⎢ ⎥ D Dref − I + B Bref + }. The next lemma summarizes ⎢ ⎥ ⎢ T T ⎥ refx x ref x ⎢ 0 YE1⎥ ⎢E1Aref E1Aref ⎥ ⎢ ⎥ ⎢ ⎥ the results of this section by giving a linearized formulation ⎢ ⎥ ⎢ T T ⎥ ⎢ 00⎥ ⎢ B B ⎥ of the optimization problem defined in Lemma 4 using (60) ⎢ ⎥ ⎢ ref ref ⎥ ⎢ ⎥ ⎢ ⎥ and (64). ⎢ 00⎥ ⎢ 00⎥ Qc = ⎢ ⎥ , Rc = ⎢ ⎥ · (59) ⎢ 00⎥ ⎢ ⎥ Δ = T ∈ ⎢ ⎥ ⎢ 00⎥ Lemma 9. Assume that is unstructured. Let Zx Zx ⎢ ⎥ ⎢ ⎥ n ×n T n ×n T n ×n ⎢ 00⎥ ⎢ ⎥ R k k , Yx = Y ∈ R k k , Pref = P ∈ R ref ref , Aref ∈ ⎢ ⎥ ⎢ 00⎥ x x refx x ⎢ ⎥ ⎢ ⎥ S , B ∈ S , C ∈ S ,andD ∈ S be given. Then ⎣ 00⎦ ⎣ 00⎦ A refx B refx C refx D there exist a stable filter of the form given in (8) and a stable 00 00 s fault reference dynamics model Tref = (Aref, Bref, Cref, Dref) ∈ S,whereS is defined in (11), such that T − ≥ 1, residual Let Q denote the value of Q when Z and Y are replaced ref cx c dynamics in (10) are quadratically stable, and (12) is satisfied by Zx and Yx, respectively, let Rc denote the value of Rc when x for M = MΔ if there exist A ∈ S , B ∈ S , C ∈ S , A and B are replaced by A and B ,respectively,and ref A ref B ref C ref ref refx refx ∈ S λ = − Dref D, A, By, Bu, C, Dy, Du, , and symmetric matrices define Ex Qcx Rcx . Using (49)fromLemma 7,weget Pref, Y,andZ such that lin ≺ =⇒ ≺ Trfw 0 Trfw 0, (60) lin ≺ Trfw 0, (66) where lin Tro 0, (67) lin Trfw ⎡ ⎤ ZZ T − − T − − T 0. (68) ⎢Srfw + ExEx Qc Rc Ex Ex Qc Rc Rc Qc ⎥ ZY = ⎢ T − ⎥ ⎣ Rc I 0 ⎦ . T − Qc 0 I Remark 3. This scheme can also be applied to Lemmas 5 and (61) 6 to obtain a suboptimal solution involving linear matrix inequalities. To linearize the matrix inequality in (39), we need Lemma 7 and the following lemma, whose proof is similar Next, we need to choose the initial parameters (Zx, Yx, to that of Lemma 7 and is therefore dropped. Prefx , Arefx , Brefx , Crefx ,andDrefx )toreduceγ. The idea is to derive an algorithm where at each iteration, we solve the op- m×n T m×m Lemma 8. Let Uo ∈ R and S = S ∈ R .ForU ∈ timization problem given in Lemma 9, using the solution of Rm×n,define this problem at the previous iteration, for initial parameters. init init init init The algorithm will use initial values Zx , Yx , Pref , Aref , T x x M(U) = S + UUT = M(U) , Binit , Cinit ,andDinit , which must guarantee that the LMI con- (62) refx refx refx N = T T − T = N T straints (66)and(67) will be feasible. (U) S + UUo + UoU UoUo (U) . From the above discussion, an algorithm for choosing the Then initial parameters can be listed as follows.

N (U) 0 =⇒ M(U) 0, Algorithm 1. (1) Set initial values Ainit , Binit , Cinit ,andDinit (63) refx refx refx refx init s init init init init init M Uo 0 =⇒ N Uo 0. = ≥ such that Tref (Arefx , Brefx , Crefx , Drefx )satisﬁes Tref − 1 init ∈ S × × and Tref . = T ∈ Rnref nref ∈ Rn f nref ∈ Let Prefx Pref , Crefx ,andDrefx × x (2) Find the solutions Z, Y,andPref of the optimiza- Rn f n f be given. Using (51) from Lemmas 7 and 8,itiseasy tion derived from Lemmas 3 and 4, which is linear since the to get matrix inequalities (37), (38), and (39) become linear when = init lin =⇒ Tref : Tref is ﬁxed. (The matrices Z, Y,andPref always ex- Tro 0 Tro 0, (64) ist since the cost function in (12)isboundedbecauseΔ is bounded). where init init init (3) Set Z := Z, Y := Y,andP := Pref. ⎡ ⎤ x x refx V (4) Start loop. ⎢ ⎥ (5) Since the initial values are feasible for (37), (38), and ⎢ V V ⎥ lin = ⎢ ⎥ (39), the LMIs (66)to(68) have feasible solutions from (50) Tro ⎢ ⎥ , (65) ⎣Pref 0 I ⎦ and (63) in Lemmas 7 and 8. Compute solutions (Z, Y,etc.) Aref Bref 0 I of (66)to(68) to minimize γ. init = init = init = init = (6) Rename Zx Z, Yx Y, Prefx Pref, Arefx Aref, ={ T − T init init init where V (Pref + Aref )(Prefx + Arefx )+ C Crefx + = = = refx Brefx Bref, Crefx Cref,andDrefx Dref,andgotoStep5. T − T } ={ T Cref Crefx + (Prefx +Arefx )(Prefx +Arefx ) , V DrefCrefx + (7) End loop. Emmanuel Mazars et al. 9

Algorithm 1 is convergent, possibly to a local minimum, where in the sense that the quantity γ is nonincreasing after each ⎡ ⎤ −0.9835 −0.0110 −0.0039 iteration. This can be easily shown using (50)and(52)from ⎢ ⎥ o ⎢ ⎥ Lemma 7,and(63)fromLemma 8. A = ⎣−0.0004 −0.9858 −0.0026⎦ , 00.0002 −0.9891 Remark 4. Lemmas 7, 8,andAlgorithm 1 can also be ap- ⎡ ⎤ 0.0080 0.2397 −0.0383 plied to other problems involving QMIs and bilinear matrix ⎢ ⎥ ⎢ ⎥ inequalities (BMIs). The procedure potentially gives an im- Bo = ⎣0.0068 0.1565 0.0248 ⎦ , provement and seems to work well in practice. 0.0003 −0.0003 0.0003 ⎡ ⎤ (71) Remark 5. In the case that we choose a diagonal structure for 0.2383 0.4871 0.1390 ⎢ ⎥ ⎢ ⎥ Tref,wemayuse Co = ⎣ 0 −.0008 0.0004⎦ , 0.00002 −0.00004 0 init init ⎡ ⎤ =− = × Aref Inref , Bref 0nref n f , 0.4171 −4.4920 0.4875 (69) ⎢ ⎥ init init o ⎢ − ⎥ = × = D = ⎣0.0008 0.0050 0.0003 ⎦ . Cref 0n f nref , Dref In f , 00.0005 −0.0021 as initial values. This will ensure that Tref is stable and The system is subject to three disturbances and three poten- Tref− = 1. We can solve the LMI optimization problem tial faults. Here, the setup is given by given in Lemma 4. This will give Zinit, Y init, Pinit, and so forth. ⎡ ⎤ x x refx 0 10 0 These initial values are not unique and can be chosen using ⎢ . ⎥ ⎢ ⎥ other criteria. Bd = ⎣ 00.10⎦ , 000.01 Remark 6. A more systematic technique for generating valid ⎡ ⎤ init init init 0.0080 0.2397 −0.0383 initial values is as follows: first, generate any Bref , Cref , Dref , ⎢ ⎥ init ⎢ ⎥ and a stable Aref with the structure chosen, then, compute B f = ⎣0.0068 0.1565 0.0248 ⎦ , = init init = init α Tref −.Ifα>0, redefine the matrices as Aref Aref /α, 0.0003 −0.0003 0.0003 (72) init = init init = init init = init Bref Bref /α, Cref Cref /α,andDref Dref /α, which ful- = × fill that the conditions Tinit are stable and Tinit = 1. Dd 0.1 I3, ref ref − ⎡ ⎤ −0.0205 0.6217 0.8115 Remark 7. The requirement for Tref to be diagonal is to en- ⎢ ⎥ = ⎢ − ⎥ sure fault isolability in the case that all faults may occur si- D f ⎣ 0.2789 1.7506 0.6363⎦ . multaneously. If we ignore disturbances and uncertainty, and 1.0583 0.6973 1.3101 assuming perfect fault isolation, then r = Tref f so that fault Since no uncertainty parameters were given in this exam- fi only affects residual ri. If none of the faults can occur simultaneously, then we need only to impose the constraint ple, we assume an unstructured norm-bounded uncertainty, with matrices , , , ,and randomly generated as that Tref is upper (or lower) triangular. While it is not diffi- FA FC EA EB H cult to modify our analysis under these conditions, we only ⎡ ⎤ −0.319 −0.080 0.142 consider the case when T is diagonal so that all faults may ⎢ ⎥ ref ⎢− ⎥ occur simultaneously since our contribution is focussed on H = ⎣ 0.288 0.138 0.258⎦ , reducing the effect of disturbances and uncertainties under 0.114 0.163 0.133 the most stringent fault scenarios. ⎡ ⎤ −0.060 −0.008 −0.135 ⎢ ⎥ ⎢− ⎥ EA = ⎣ 0.015 0.154 0.047 ⎦ , 5. NUMERICAL EXAMPLE −0.044 −0.061 −0.090 ⎡ ⎤ 0 134 0 630 0 451 In order to illustrate the efficiency of Algorithm 1 and the im- ⎢ . . . ⎥ ⎢ ⎥ portance of the choice of Tref, we consider a jet engine state- EB = ⎣0.207 0.371 0.044⎦ , (73) space model [32] supplied by NASA Glenn Research Center 0.607 0.575 0.027 given as ⎡ ⎤ −0.055 0.066 −0.012 ⎢ ⎥ ⎢− − − ⎥ FC = ⎣ 0.085 0.085 0.007⎦ , x˙(t) = Ao + F Δ E x(t)+ Bo + F Δ E u(t) A H A A H B −0.025 −0.120 0.049 ⎡ ⎤ + Bdd(t)+B f f (t), (70) 0.148 −0.129 −0.084 o o ⎢ ⎥ y(t) = C + FCΔH EA x(t)+ D + FCΔH EB u(t) ⎢ − ⎥ FA = ⎣ 0.114 0.007 0.050 ⎦ . + Ddd(t)+D f f (t), −0.068 −0.033 0.149 10 Journal of Control Science and Engineering

Residual responses and the values given below for Z, Y,andPrefx ,whichwillbe 6 used to initialize the main loop of the algorithm as follows.

5 Zref ⎡ ⎤ 0.5010 −0.4385 0.0309 0.6192 −0.4313 0.4861 ⎢ ⎥ 4 ⎢ ⎥ ⎢−0.4385 0.8184 0.0844 −0.3629 −0.6083 −0.8105⎥ ⎢ ⎥ ⎢ ⎥ 3 ⎢ 0.0309 0.0844 0.0651 0.0986 −0.3323 −0.1397⎥ =⎢ ⎥ ⎢ ⎥, ⎢ 0.6192 −0.3629 0.0986 1.4722 −1.2716 0.9082 ⎥ ⎢ ⎥ 2 ⎢ ⎥ Magnitude ⎣−0.4313 −0.6083 −0.3323 −1.2716 5.7926 −1.5337⎦ − − − 1 0.4861 0.8105 0.1397 0.9082 1.5337 2.5593

Yref 0 ⎡ ⎤ 5.0059 19.1311 2.7518 0.1860 3.0607 0.7016 ⎢ ⎥ − ⎢ ⎥ 1 ⎢19.1311 165.3233 12.5435 −13.2886 32.4525 −15.3595⎥ 0 5 10 15 20 25 30 35 ⎢ ⎥ ⎢ ⎥ ⎢2.7518 12.5435 7.7249 −4.8209 0.6873 −3.4439⎥ Time (second) =⎢ ⎥ ⎢ ⎥, ⎢0.1860 −13.2886 −4.8209 7.4800 −5.3595 4.9329 ⎥ Opt r1 ⎢ ⎥ 1 ⎢ − − ⎥ Opt2 r2 ⎣3.0607 32.4525 0.6873 5.3595 22.7920 4.1575⎦ Opt3 r3 0.7016 −15.3595 −3.4439 4.9329 −4.1575 8.6769 ⎡ ⎤ Figure 2: Time response of the residual before the optimization. −0.0492 1.4322 −0.1444 ⎢ ⎥ = ⎢ − ⎥ Prefx ⎣ 1.4322 63.1246 8.1628 ⎦ . −0.1444 8.1628 −1.2084 A square and diagonal structure for Tref is necessary to (77) get fault isolation in the case that the faults occur at the same time. Taking into account Remark 8, we implemented Algo- rithm 1 in Matlab to minimize γ. Table 1 shows the evolution Remark 8. If Aref, Bref,andCref are chosen diagonal, then of the optimization following Algorithm 1. Algorithm 1 can clearly improve the result in a few iter- = − −1 Tref(s) Cref sI Aref Bref + Dref ations; γ is reduced by 33% compared to the one obtained (74) −1 with a fixed T . This shows that the choice of T is essential = Cref Bref sI − Aref + Dref. ref ref in our FDI scheme. We get ⎡ ⎤ The terms in Bref can be incorporated in Cref. It follows that −18.1665 0 0 we can set B = I. Therefore, the nonlinearity in (37)comes ⎢ ⎥ ref ⎢ − ⎥ T T Aref = ⎣ 0 9.2781 0 ⎦ , only from bilinear terms ZE1Aref E1 and YE1Aref E1 . 00−6.0914 To initialize Algorithm 1, Tinit is generated following ref = Remark 6 as Bref I3, ⎡ ⎤ ⎡ ⎤ 0.0007 0 0 −1.60 0 0 ⎢ ⎥ (78) ⎢ ⎥ = ⎢ − ⎥ init = ⎢ − ⎥ Cref ⎣ 0 0.3959 0 ⎦ , Aref ⎣ 0 1.44 0 ⎦ , − 000.0572 000.57 ⎡ ⎤ 1.2438 0 0 init = ⎢ ⎥ Bref I3, ⎢ ⎥ ⎡ ⎤ Dref = ⎣ 04.3768 0 ⎦ . 0.71 0 0 ⎢ ⎥ 001.8216 ⎢ ⎥ (75) Cinit = ⎣ 01.29 0 ⎦ , ref Remark 9. In our numerical experimentation, other choices 000.67 init ⎡ ⎤ for Tref have been used; however, all converged to the same 1 40 0 0 solution but with different numbers of iterations. ⎢ . ⎥ init = ⎢ 01.69 0 ⎥ Dref ⎣ ⎦ . In order to show that our filter is robust against distur- 001.81 bances and model uncertainties, we introduce a randomly generated Δ given by Then, by following the first two steps of Algorithm 1,weget ⎡ ⎤ − − the optimal γ as ⎢ 0.4058 0.0534 0.3600⎥ Δ = ⎣−0.4097 −0.5466 0.4822 ⎦ , (79) γ = 0.6273 (76) −0.0067 0.0877 −0.2743 Emmanuel Mazars et al. 11

Table 1 Iterations 0 1 2 5 10 20 50 100 γ 0.6273 0.6248 0.5791 0.5476 0.5253 0.4739 0.4641 0.4641

Residual responses Figure 3 also justifies the efficiency of Algorithm 1 to im- 6 prove the design of the reference model and therefore the overall performance of our filter. 5

4 6. CONCLUSION This paper has addressed the problem of fault detection 3 and isolation for linear time-invariant systems subject to faults, disturbances, and model uncertainties. We proposed 2 Magnitude a performance index that captures the FDI requirements. 1 Through QMI formulations, we gave the design of an optimal filter for polytopic or unstructured norm-bounded 0 uncertainties, and a suboptimal filter for structured norm- bounded uncertainties. Suboptimality in the latter case is −1 inherited from the bounded real lemma, which gives only 0 5 10 15 20 25 30 35 sufficient LMI conditions for structured uncertainties (see Time (second) Lemma 2). By allowing the reference model Tref to be variable in our formulation, we get its optimal design, which can Opt r 1 1 be used in other schemes dedicated to fault isolation. The Opt r2 2 optimal design of this reference model is initially given in a Opt3 r3 form of a QMI optimization, then a suboptimal solution is Figure 3: Time response of the residual after the optimization. obtained by using a linearization procedure which derives an upper bound on the optimal solution of the QMI formulation that requires the solution of an LMI optimization. Note, as well as three disturbances. Simulated through MATLAB however, that we have no indication concerning the deviation and SIMULINK, these disturbances are three-band-limited of our design from the optimal filter. We have also illustrated white noises with mean 0 and standard deviation 2. Faults f1 the effectiveness of our algorithm using a jet-engine example. and f2 are both simulated by a unit positive jump connected from the 14th second. Fault f3, simulated by a soft bias (slope ACKNOWLEDGMENT = 0.2), is connected from the 20th second. Figure 2 gives the residual responses before the algorithm, where each residual This work was partially supported by the Ministry of Defence is dedicated to a particular fault, while Figure 3 gives the op- through the Data and Information Fusion Defence Technol- timized residual response using our algorithm. ogy Centre. The lines opt1,opt2,andopt3 represent the optimal trajectories that each residual must follow REFERENCES ⎡ ⎤ ⎡ ⎤ ⎢opt1(s)⎥ ⎢ f1(s)⎥ [1] Z. Gao and H. Wang, “Descriptor observer approaches for ⎢ ⎥ ⎢ ⎥ multivariable systems with measurement noises and applica- ⎢opt (s)⎥ = T ⎢ f2(s)⎥ . (80) ⎣ 2 ⎦ ref ⎣ ⎦ tion in fault detection and diagnosis,” Systems and Control Let- opt3(s) f3(s) ters, vol. 55, no. 4, pp. 304–313, 2006. [2] C. Jiang and D. H. Zhou, “Fault detection and identifica- In both figures, each fault can be distinguished from the tion for uncertain linear time-delay systems,” Computers and others and the disturbances; however, in Figure 3, the faults Chemical Engineering, vol. 30, no. 2, pp. 228–242, 2005. can be more easily distinguished and each residual follows [3] M. Fu, C. E. De Souza, and Z.-Q. Luo, “Finite-horizon robust its optimal trajectory (green line) with more accuracy. Fur- kalman filter design,” IEEE Transactions on Signal Processing, thermore, the disturbances are more attenuated compared vol. 49, no. 9, pp. 2103–2112, 2001. [4] K. M. Nagpal and P. P. Khargonekar, “Filtering and smooth- to Figure 2, and the jumps that indicate faults are clearer in H Figure 3 since their amplitudes are bigger and therefore allow ing in an ∞ setting,” IEEE Transactions on Automatic Control, vol. 36, no. 2, pp. 152–166, 1991. a better fault detection using thresholds [33, 34]. The isola- ff [5] A. H. Sayed, “A framework for state-space estimation with tion performance is clearly e ective as each fault produces a uncertain models,” IEEE Transactions on Automatic Control, deviation of its residual only, without modifying the trajec- vol. 46, no. 7, pp. 998–1013, 2001. tory of the others. This example illustrates that the designed [6] S. H. Zad and M.-A. Massoumnia, “Generic solvability of filter satisfies the performance requirement of FDI which is the failure detection and identification problem,” Automatica, sufficiently robust against disturbances and modeling errors. vol. 35, no. 5, pp. 887–893, 1999. 12 Journal of Control Science and Engineering

[7] R. J. Patton and J. Chen, “On eigenstructure assignment for ro- [24] H. D. Tuan, P. Apkarian, and T. Q. Nguyen, “Robust filtering bust fault diagnosis,” International Journal of Robust and Non- for uncertain nonlinearly parameterized plants,” IEEE Trans- linear Control, vol. 10, no. 14, pp. 1193–1208, 2000. actions on Signal Processing, vol. 51, no. 7, pp. 1806–1815, [8]P.Zhang,H.Ye,S.X.Ding,G.Z.Wang,andD.H.Zhou,“On 2003. the relationship between parity space and H2 approaches to [25] L. El Ghaoui and J. P. Folcher, “Multiobjective robust control fault detection,” Systems and Control Letters, vol. 55, no. 2, pp. of LTI systems subject to unstructured perturbations,” Systems 94–100, 2006. and Control Letters, vol. 28, no. 1, pp. 23–30, 1996. [9] J. Chen, R. J. Patton, and H.-Y. Zhang, “Design of unknown in- [26] C. Scherer, P. Gahinet, and M. Chilali, “Multi-objective put observers and robust fault detection filters,” International output-feedback control via LMI optimization,” IEEE Trans- Journal of Control, vol. 63, no. 1, pp. 85–105, 1996. actions on Automatic Control, vol. 42, no. 7, pp. 896–911, 1997. [10] I. M. Jaimoukha, Z. Li, and E. F.M. Mazars, “Linear matrix in- [27] K.-C. Goh, M. G. Safonov, and G. P. Papavassilopoulos, equality solution to the H-/H∞, fault detection problem,” in “Global optimization approach for the BMI problem,” in Pro- Proceedings of the 7th International Conference on Control and ceedings of the IEEE Conference on Decision and Control (CDC Applications, the International Association of Science and Tech- ’94), vol. 3, pp. 2009–2014, Lake Buena Vista, Fla, USA, 1994. nology for Development (IASTED ’05), pp. 183–188, Cancun, [28] Yamada, Hara, and Fujioka, “Global optimization for con- Mexico, May 2005. stantly scaled H∞ control problem,” in Proceedings of the [11] I. M. Jaimoukha, Z. Li, and E. Mazars, “Fault isolation filter American Control Conference (ACC ’95), vol. 1, pp. 427–430, with linear matrix inequality solution to optimal decoupling,” Seattle, Wash, USA, June 1995. in Proceedings of the American Control Conference (ACC ’06), [29] J. C. Geromel, P. L. D. Peres, and S. R. De Souza, “Output feed- vol. 2006, pp. 2339–2344, Minneapolis, Minn, USA, 2006. back stabilization of uncertain systems through a min/max [12] Z. Li, E. Mazars, and I. M. Jaimoukha, “State space solution problem,” in Proceedings of the 12th World Congress Interna- to the H-/H∞ fault detection problem.,” in Proceedings of the tional Federation of Automatic Control (IFAC ’93), vol. 6, pp. IEEE 45th Conference on Decision and Control (CDC ’06),pp. 35–38, The Institute of Engineers, Sydney, Australia, July 1993, 2177–2182, San Diego, Calif, USA, December 2006. in preprints of papers. [13] E. Frisk and L. Nielsen, “Robust residual generation for di- [30] E. Beran and K. Grigoriadis, “A combined alternating projec- agnosis including a reference model for residual behavior,” in tions and semidefinite programming algorithm for low-order Proceedings of the 14th World Congress International Federation control design,” in Proceedings of the 13th World Congress, In- of Automatic Control (IFAC ’99), pp. 55–60, Beijing, China, ternational Federation of Automatic Control (IFAC ’96), pp. 85– July 1999. 90, San Francisco, Calif, USA, July 1996.

[14] M. Zhong, S. X. Ding, J. Lam, and H. Wang, “An LMI ap- [31]A.Saberi,P.Sannuti,andB.M.Chen,H2 optimal control sys- proach to design robust fault detection filter for uncertain LTI tem and control engineering, Prentice Hall, London, UK, 1995. systems,” Automatica, vol. 39, no. 3, pp. 543–550, 2003. [32] T. D. Curry and E. G. Collins Jr., “Robust fault detection and [15] E. Frisk and L. Nielsen, “Robust residual generation for diag- isolation using robust 1 estimation,” Journal of Guidance, nosis including a reference model for residual behavior,” Au- Control, and Dynamics, vol. 28, no. 6, pp. 1131–1139, 2005. tomatica, vol. 42, no. 3, pp. 437–445, 2006. [33] X. C. Ding and P. M. Frank, “Frequency domain ap- [16] E. Mazars, I. M. Jaimoukha, and Z. Li, “Linear matrix solu- proach and threshold selector for robust model-based tions to a robust fault detection and isolation problem,” under fault detection and isolation,” in IFAC/IMACS Symposium review in European Journal of Control. on Fault Detection, Supervision and Safety for Technical [17] D. J. Clements, B. D.O. Anderson, A. J. Laub, and J. B. Mat- Processes—SAFEPROCESS ’91 (IFAC ’92), vol. 6, pp. 271–276, son, “Spectral factorization with imaginary-axis zeros,” Linear Baden-Baden, Germany, 1992. Algebra and Its Applications, vol. 250, pp. 225–252, 1997. [34] F. Rambeaux, F. Hamelin, and D. Sauter, “Optimal threshold- [18] P. M. Frank and X. Ding, “Survey of robust residual genera- ing for robust fault detection of uncertain systems,” Interna- tion and evaluation methods in observer-based fault detection tional Journal of Robust and Nonlinear Control, vol. 10, no. 14, systems,” Journal of Process Control, vol. 7, no. 6, pp. 403–424, pp. 1155–1173, 2000. 1997. [19] S. P. Boyd, L. El Ghaoui, E. Feron, and V. Balakrishnan, Lin- ear Matrix Inequalities in Systems and Control Theory,SIAM, Philadelphia, Pa, USA, 1994. [20] W. H. Chung and J. L. Speyer, “A game theoretic fault detection filter,” IEEE Transactions on Automatic Control,vol.43,no.2, pp. 143–161, 1998. [21] R. K. Douglas and J. L. Speyer, “Robust fault detection filter design,” in Proceedings of the American Control Conference (ACC ’95), vol. 1, pp. 91–96, Seattle, Wash, USA, June 1995. [22] I. M. Jaimoukha, Z. Li, and V. Papakos, “A matrix factorization solution to the H-/H∞ fault detection problem,” Automatica, vol. 42, no. 11, pp. 1907–1912, 2006. [23] H. B. Wang, L. Lam, S. X. Ding, and M. Y. Zhong, “Iterative linear matrix inequality algorithms for fault detection with unknown inputs,” Journal of Systems and Control Engineering, vol. 219, no. 2, pp. 161–172, 2005. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 853275, 15 pages doi:10.1155/2008/853275

Research Article Fault Detection, Isolation, and Accommodation for LTI Systems Based on GIMC Structure

D. U. Campos-Delgado,1 E. Palacios,1 and D. R. Espinoza-Trejo2

1 Facultad de Ciencias, Zona Universitaria, Universidad Autonoma de San Luis Potos´ı, 78290 San Luis Potos´ı, SLP, Mexico 2 Facultad de Ingenier´ıa, Universidad Autonoma de San Luis Potos´ı, Av. Dr. Manuel Nava 8, Zona Universitaria, 78290 C.P., SLP, Mexico

Correspondence should be addressed to D. U. Campos-Delgado, [email protected]

Received 31 December 2006; Revised 28 July 2007; Accepted 13 November 2007

Recommended by Kemin Zhou

In this contribution, an active fault-tolerant scheme that achieves fault detection, isolation, and accommodation is developed for LTI systems. Faults and perturbations are considered as additive signals that modify the state or output equations. The accommodation scheme is based on the generalized internal model control architecture recently proposed for fault-tolerant control. In order to improve the performance after a fault, the compensation is considered in two steps according with a fault detection and isolation algorithm. After a fault scenario is detected, a general fault compensator is activated. Finally, once the fault is isolated, a speciﬁc compensator is introduced. In this setup, multiple faults could be treated simultaneously since their eﬀect is additive. De- sign strategies for a nominal condition and under model uncertainty are presented in the paper. In addition, performance indices are also introduced to evaluate the resulting fault-tolerant scheme for detection, isolation, and accommodation. Hard thresholds are suggested for detection and isolation purposes, meanwhile, adaptive ones are considered under model uncertainty to reduce the conservativeness. A complete simulation evaluation is carried out for a DC motor setup.

Copyright © 2008 D. U. Campos-Delgado et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION research community in control theory and signal processing [1–4]. In the early stages of control applications, closed-loop per- In any process, the faults can be classified in two sets: formance was the main objective for the control engineer. unrecoverable and recoverable. The unrecoverable ones rep- To achieve this goal, the implementations of these feedback resent all faults that cannot be compensated or accommo- configurations involved sensors, actuators, electronic instru- dated while the system is running. On the other hand, the mentation, and signal processors. However, during a normal recoverable faults comprise any fault whose outcome can operation, these parts could fail in some degree, and the re- still be safely compensated by the control algorithm with a sulting performance of the closed-loop will be largely deteri- possible deterioration of performance, but still allowing the orated, or even instability can be observed. In fact, for some necessary conditions to maintain closed-loop stability. Ob- processes besides performance, safety is also a necessary and viously, this classification depends on the problem at hand, important objective. Therefore, it is desirable to detect these and requires knowledge about the operation of the system. malfunctions to take proper action in order to avoid a dan- From a control point of view, the focus is on the recoverable gerous situation. Nowadays, the advance in electronics has faults, where a degree of robustness or reconfigurability in made possible to have digital signal processors as microcon- the control scheme is desirable to accommodate these faults trollers, DSP’s and FPGA boards that can perform, in real and still preserve closed-loop performance. These ideas have time, very complex algorithms. Hence this extra processing triggered a research line called fault-tolerant control (FTC) capacity could be applied to perform in parallel fault diag- [5–9]. nosis strategies to the nominal control schemes. The prob- FTC can be approached from two perspectives: passive lem of fault diagnosis is indeed a challenging one, and its and active. In the passive approach, the faults are treated as importance in applications has attracted the attention of the disturbances into the closed-loop system. As a result, a single 2 Journal of Control Science and Engineering controller is designed to achieve stability and performance cessity of fault identification. The paper is structured as against all studied faults. The main drawback of this scheme follows. Section 2 describes the problem formulation. The is the conservativeness that can be incorporated, however, FTC scheme is presented in Section 3. First, the general no extra complexity in the control implementation is car- methodology is introduced, and the design criteria for di- ried out. For LTI systems, the passive approach can be treated agnostic, isolation, and accommodation are detailed next. as a simultaneous stabilization or robust H∞ design [9]. Section 4 analyzes the effect of model uncertainty in the FTC Meanwhile, for nonlinear systems, a variable structure con- scheme. Finally, Section 5 presents an illustrative example, trol (sliding mode) methodology can be applied [10]. On and Section 6 gives some concluding remarks. the other hand, the active approach relies on a fault diagnosis stage, followed by a controller reconfiguration or accom- 2. PROBLEM FORMULATION modation [6]. Compared to the passive approach, the active one requires more computational power during implemen- The problem addressed in this paper is fault detection, iso- tations, but it can provide less conservative results and better lation, and accommodation for LTI systems under additive closed-loop performance after faults. Applications of the ac- faults and perturbations. In this way, consider a system P(s) tive approach have been suggested for LTI [7, 8, 11, 12], LPV affected by disturbances d ∈ Rr and possible faults f ∈ Rl, [13, 14], and nonlinear systems [15, 16]. Three major trends as shown in Figure 1,describedby are devised in active FTC according to the required informa- x˙ = Ax + Bu + F1 f + E1d, tion of the FDI stage as follows. P(s) (1) y = Cx + Du + F2 f + E2d, (A) Estimate the faults profiles and update the nominal control law to cancel completely their effect (fault de- where x ∈ Rn represents the vector of states, u ∈ Rm the coupling). Therefore, this idea requires a reliable fault vector of inputs, and y ∈ Rp the vector of outputs. Thus n×l isolation and identification scheme. matrix F1 ∈ R stands for the distribution matrix of the p×l (B) Design a compensation signal for the nominal con- actuator or system faults, and F2 ∈ R for sensor faults. ff i ∈ Rn i ∈ Rp = trol law that depends on the fault a ecting the system. Denote as F1 and F2 with i 1, ..., l the columns Hence according to the transfer function from a spe- of the fault signature matrices F1 and F2, respectively, that is, cific fault to the output measurements or input con- = 1 ··· l = 1 ··· l trol signal (fault signature transfer matrices), an accom- F1 F1 F1 , F2 F2 F2 . (2) ff modation control law is designed to reduce its e ect i i into the closed-loop system. Alternatively, the nomi- Thus matrices (F1, F2) will represent the signature of the ith nal control law can be reconfigurated according to the component fi in the fault vector f . The nominal system isolated fault, for example, using reconfigurable con- (A, B, C, D) is considered controllable and observable. On trol gains under a state-feedback control law. As a re- the other hand, the system response y can be analyzed in a sult, these approaches rely on the information from the transfer matrix form (frequency domain) as follows: fault isolation stage to properly operate. y(s) = Puyu(s)+P fyf (s)+Pdyd(s), (3) (C) Switch to a robust control law that maintains closed- loop stability for a studied set of faults. In conse- where − quence, this scheme depends just on the information P = C(sI − A) 1B + D, of a fault detection block. However, the post-fault per- uy = − −1 formance can be pretty conservative. Pdy C(sI A) E1 + E2, (4) = − −1 This work looks to extend the ideas initially presented in P fy C(sI A) F1 + F2. [12, 17, 18]. Hence fault detection, isolation, and accommo- A left coprime factorization for each transfer matrix can be dation are discussed in a more general framework under the n×p derived by obtaining matrix L ∈ R such that R{λi(A + GIMC control structure for additive faults. The contribution LC)} < 0[19, 20], as it is shown next: of this paper lies in the following lines. N M Nd N f (i) A two-step active FTC scheme is proposed for LTI systems under an additive fault scenario. A + LC B + LD L E + LE F + LF = 1 2 1 2 . (ii) Design strategies are proposed for diagnosis and ac- C DI E2 F2 commodation based on general optimization criteria. (5) (iii) Performance indices are suggested in order to evaluate the active FTC from a worst-case perspective. Consequently, the LTI systems in (4)canbewrittenas (iv) A complete analysis is introduced for the synthesis al- = −1 = −1 = −1 gorithms under model uncertainty. Hard and adap- Puy M N, Pdy M Nd, P fy M N f , tive thresholds are provided for detection and isolation (6) purposes. where M, N, Nd, N f ∈ RH∞. An initial question about the Consequently, the FTC philosophies (B) and (C) are fault diagnosis and isolation process relies on the neces- adopted in this work, looking to reduce the conservative- sary conditions to achieve this objective, hence the condition ness in the post-fault performance, but avoiding the ne- originally presented in [1, 4] are assumed as follows: D. U. Campos-Delgado et al. 3

d f The deﬁnition of the following system performance indexes will be very important for the synthesis and analysis of the fault detection, isolation, and accommodation algo- y rithms [19–21]: ref P Controller − u m ∞ G1 = max gij(t) dt, 1≤i≤n q j=1 0 ∞ 1 ∗ G2 = Trace G (jω)G(jω) dω, 2π −∞ Figure 1: Problem formulation for control. G ∈ RH , 2 G∞ = sup σ G(jω) , G ∈ RH∞, ∈R (1) for isolation of the fault vector f , ω G− = inf σ G(jω) , ω∈R F1 = [ω1,ω2] rank l;(7) − = inf ( ) ,0≤ ∞, F2 G σ G jω ω1 <ω2 < ω∈[ω1,ω2] (10) (2) for the simultaneous isolation of faults under unknown perturbations, where G is a n × m Hurwitz matrix transfer function, and g (t) = L−1{G (s)} (1 ≤ i ≤ n,1≤ j ≤ m) are the impulse normrank N N ≥ normrank (N )+l,(8) ij ij d f d responses corresponding to every component in the transfer matrix G. The next inequalities will be useful to derive where normrank stands for the normal rank of the corre- thresholds for residual evaluation: sponding transfer matrix [20]. Now, it is assumed that a nominal controller K stabilizes y∞ ≤G1u∞, the nominal plant Puy, and it provides a desired closed-loop ≤ (11) performance in terms of robustness, transient, and steady- y 2 G ∞ u 2, state responses. The controller K is considered observable, = and consequently, it can also be expressed by a left coprime where y Gu, the signal norms are deﬁned as −1 factorization, that is, K = V U where U, V ∈ RH∞, y∞ = sup y(t) , t∈[0,∞) Ak Bk Ak +LkCk Bk +LkDk Lk K = =⇒ U V = . (12) Ck Dk Ck Dk I ∞ = 2 (9) y 2 y(t) dt, 0

The nominal controller can be synthesized following classi- · cal techniques or optimal control: lead/lag compensator, PI, and denotes the Euclidean norm. PID, LQG/H2, H∞ loop shaping design, and so on. Conse- quently, the control objective is presented as follows. Design 3. FAULT-TOLERANT CONTROL SCHEME an active fault-tolerant scheme such that it detects and isolates the occurrence of a fault in the closed-loop system, and provides The proposed FTC scheme relies on a fault diagnosis and an appropriate compensation signal q to the controller in order isolation (FDI) algorithm, followed by a fault accommoda- to maintain closed-loop performance (see Figure 1). tion into the nominal controller. For LTI systems and additive faults, several FTC control structures have been sug- Remark 1. The problem formulation in (1) assumes no pre- gested [12, 22–24] departing from the Youla parametriza- vious knowledge of the time profiles of the fault components tion of all stabilizing controllers [20]. In this configuration, ∈ RH fi i = 1, ..., l. Thus the fault vector f is modeled as an un- a free parameter Q ∞ is selected to achieve the fault known exogenous input for the system P(s). However, if ex- compensation, with the assurance that closed-loop stability plicit knowledge about the faults time profiles is available, is achieved after the fault accommodation. In this fashion, then this information can be incorporated at the FDI stage to the accommodation scheme adopted in this work is moti- improve the residual design and evaluation. Nonetheless, the vated by a new implementation of the Youla parametrization fault-accommodation scheme presented in the next section called generalized internal model control (GIMC) [7, 12]. In is consistent with this assumption, and it does not require an this configuration, the nominal controller K is represented explicit identification of the faults affecting the system. Fur- by its left coprime factorization, that is, K = V −1U. In addi- thermore, the additive faults representation in (1)mightbe tion, the GIMC configuration allows to perform the FDI pro- able to describe some common faults that cause changes on cess and accommodation in the same structure, where these system parameters or loss of effectiveness in actuators, but in two processes are carried out by selecting two design param- those cases, the faults time profiles will be related to states or eters Q, H ∈ RH∞ (see Figure 2). Consequently, the resid- control inputs (as it will be shown in Section 5). ual r is generated by selecting the detection/isolation filter 4 Journal of Control Science and Engineering

d f

Pdy P fy Nominal controller

y ref e u u − − U V 1 Puy q

Q N

r fe −H M residual −

Fault accommodation

Figure 2: GIMC with additive perturbations and faults.

H, and the accommodation signal q by the compensator Q, maximizing the faults f effect. Hence the following design using the filtered signal fe with the following criteria. criteria are suggested: (1) H(s): the fault detection/isolation filter must diminish H N the effect of the disturbances or uncertainty into the D f k sup or residual signal, and maximize the effect of the faults. ∈RH∞ HD HDNd j (15) (2) Q(s): the robustification controller must provide ro- sup H N s.t. H N ≤ γ, bustness into the closed-loop system in order to main- D f k D d j HD∈RH∞ tain acceptable performance against faults. where γ>0 denotes a desired attenuation factor for the 3.1. Fault detection and isolation unknown perturbations contribution, and k, j represent the performance indexes in (10). In [21, 25], the previous mul- p From Figure 2, it can be observed that fe ∈ R contains in- tiobjective optimizations have been studied where optimal formation of perturbations d and faults f as follows: and approximation solutions are provided. Alternatively, the ∞/∞ and 2/2 optimizations can be solved using well-known fe(s) =−Ndd(s) − N f f (s). (13) algorithms through a characterization by a linear fractional transformation (LFT) [20]; Hence a residual r is naturally constructed by using the information of the coprime factorization of the nominal plant min 0 h − HD Nd N f HD∈RH∞ j through fe [1]; (16) = min F G , H , j = 2, ∞, ∈RH l HD D j HD ∞ r(s) =−Hfe(s) = H Ndd(s)+N f f (s) . (14) where h ∈ RH∞ is a 1 × l transfer matrix that describes the In order to improve the accuracy of the FDI stage, it is pro- faults frequency bandwidth, Fl (·, ·) represents a lower LFT posed to carry out this task in two consecutive steps: (a) first, [20], and GHD the generalized plant (see Figure 3)givenby fault detection, and next, (b) fault isolation. This idea is also appealing for fault accommodation, and its benefits will be 0 −1 = h GHD . (17) explained in the next section. As a result, the FDI algorithm Nd N f 0 is designed in two parts as follows. One advantage of the LFT characterization is that it can be (1) A detection filter HD is first synthesized to determine a general fault scenario. augmented to include model uncertainty in the problem formulation. Meanwhile, the isolation filter HI (l × p transfer (2) Next, an isolation filter HI is computed to identify the faults affecting the system. matrix) is designed to isolate the fault vector f and decouple the perturbations d, that is, First, the detection filter HD is constructed to obtain a scalar ≈ residual, that is, HD is a 1 × p transfer matrix such that it (i) HI Nd(s) 0, attenuates the contribution from the perturbations d while (ii) HI N f (s) ≈ T, D. U. Campos-Delgado et al. 5

d where To is the window length or evaluation horizon. Hence e f f to avoid a false alarm in the evaluation due to perturbations GH D [27], a threshold value is selected such that

r f e Jth = sup r (22) f =0,∀d HD in the case of the windowed 2 norm, and considering d Figure 3: LFT formulation for detection filter HD. bounded energy perturbations, that is, d 2,t,To <γ2, then an initial detection threshold can be calculated by applying (11)as where T ∈ RH∞ is a diagonal transfer matrix. Transfer ma- D = d Jth γ2 HDNd ∞. (23) trix T is a design parameter, and it should be chosen according to the frequency response of N f , in order to achieve the On the other hand, if the perturbations are now assumed d isolation and decoupling objectives. Nevertheless, nonmin- bounded for all time, that is, d ∞ <γ∞, then a new detection threshold can be employed as follows: imum phase zeros of N f could limit the resulting performance [26]. Once more, the design criterion can be proposed D = d (24) by combining both objectives measured by a system norm Jth γ∞ HDNd 1. = ∞ j 2, as follows: The hard thresholds in (23)and(24) are conservative starting values since they are derived from the norms inequalities in min 0 T −H N N = min F G , H , (11). Nevertheless, they have to be adjusted online for proper ∈RH I d f ∈RH l HI I j HI ∞ j HI ∞ fault detection. Now, with respect to the isolation stage, a (18) hard threshold has to be obtained for each output of the filter HI that represents the estimated fault. However, if the prod- ff where GHI stands for the generalized plant associated to the uct HI N f is not diagonal, then each output is a ected at some LFT formulation given by degree by all faults and perturbations. Assuming that the ith output is evaluated, then the following thresholds are pro- 0 − posed: = T I GHI . (19) Nd N f 0 l r Ii = i d Jth [HI N f ]ij ∞γ2 + [HI Nd]ik ∞γ2, (25) Hence once a fault is detected, in the isolation stage, the filter j=1 k=1 j=/ i HI has to provide a good estimate of the fault affecting the system. Therefore, it is fundamental that HI could render di- or agonally the product HI N f , or at least diagonally dominant. l r In fact, this issue has to be verified after HI is designed for a Ii = i d Jth [HI N f ]ij 1γ∞ + [HI Nd]ik 1γ∞, (26) correct fault identification. j=1 k=1 j=/ i Remark 2. Assumptions (7)and(8) about the rank prop- = · erties of the perturbations and faults transfer matrices pro- where i 1, ..., l,[]ij denotes the ij term in the transfer i ∞ i vide necessary conditions to achieve the decoupling objec- matrix, fi 2,t,To <γ2,and fi <γ∞. Consequently, some tive. Therefore, it is expected that the optimal filters obtained information about the energy or time upper-bound on each through (16)and(18) will guarantee good fault detection fault is necessary to compute (25)and(26). Once more, it and isolation properties of the residuals. is important to point out that (25)and(26) are just starting values for the threshold selection during the residual evalua- Now, perfect disturbance decoupling is hard to achieve in tion, since they rely on inequalities that involve some inherit a general scenario. As a result, the residuals will not be zero conservativeness. in a fault-free condition. Two possible techniques can be followed in order to detect a fault: hard or adaptive thresholds 3.2. Fault accommodation [3, 27, 28]. Since the perturbations are considered unknown and no uncertainty is assumed at this stage, hard thresholds In order to derive the fault accommodation scheme, the ef- are adopted. Departing from the signal norms in (12), a win- fect of the compensation signal q in the GIMC structure of dowed residual evaluation criteria can be chosen as follows: Figure 2 is analyzed. Define the following nominal closed- loop transfer matrices: t −1 = = (i) input sensitivity: Si (I + KPuy) , r r 2,t,T r(τ) dτ, (20) − o − 1 t To (ii) output sensitivity: So (I + PuyK) , = = (iii) complementary output sensitivity: To I − So = (I + r r ∞,t,To sup r , − ≤ ≤ (21) −1 t To τ t PuyK) PuyK. 6 Journal of Control Science and Engineering

The next lemma originally presented in [17] character- Therefore, the accuracy in the perturbations and faults esti- izes the dynamic behavior of the compensated control input mations (d(s)−d(s)and f (s)− f(s)) will dictate the resulting u and output y of the closed-loop system. performance deterioration. However, in a practical scenario, it is difficult to have these estimations available or to have a Lemma 1. In the GIMC configuration of Figure 2 considering stable plant. Hence it is important that the compensator Q additive faults, the resulting closed-loop characteristics for the could simultaneously attenuate perturbations and faults into control signal u and output y are given by the closed-loop system. On the other hand, if Puy has also − − a stable inverse, a complete output decoupling for perturba- u(s) = S K ref (s) − S V 1(UM 1 + Q) N d(s)+N f (s) , i i d f tions and faults can be achieved. y(s) = T ref (s)+S M−1(I − NV −1Q) N d(s)+N f (s) . o o d f Corollary 2 (see [17]). If the nominal plant satisfies P , (27) uy −1 ∈ RH −1 ∈ RH = −1 ∈ Puy ∞, then N ∞ and with Q VN The resulting closed-loop system is stable, provided that Q ∈ RH∞, the resulting output is decoupled perfectly from the per- RH∞, since the nominal controller K internally stabilizes the turbations and faults, that is, nominal plant Puy (proof in Appendix B). −1 u(s) = SiK ref (s) − N Ndd(s)+N f f (s) , By a simple inspection of (27), two results can be con- (32) cluded by considering the complete decoupling of perturba- y(s) = To ref (s). tions d and faults f from the control input u and output y of the system. Note that the compensation proposed in Corollary 2 is particularly useful for an actuator or system fault, since the Corollary 1 (see [17]). If the nominal plant P ∈ RH∞, uy output is perfectly decoupled from faults and perturbations. −1 ∈ RH then M ∞, and the complete disturbance and fault However, it should be avoided in a sensor fault scenario. In decoupling can be achieved at the control signal u by letting fact, the decoupling conditions of Corollaries 1 and 2 could −1 Q =−UM ∈ RH∞.Asaresult,itisobtainedthat be very restrictive. For this reason, by analyzing (27), if it is desired to minimize the faults effect at the control signal, u(s) = SiK ref (s), (28) while reducing the perturbations contribution at the output, −1 y(s) = To ref (s)+M Ndd(s)+N f f (s) . (29) the compensator Q should be designed by following the optimization strategy Therefore, if the nominal plant Puy is stable by properly choosing the compensator Q, the control signal is not af- = min Z1Z2 j min Z3Z4 j , (33) fected by faults and perturbations. The compensation sug- Q∈RH∞ Q∈RH∞ gested in Corollary 1 is particularly useful under a sensor fault scenario [24] since it is not desirable to adjust the con- where trol signal dynamics against erroneous information given by a sensor. Note that from (29), perturbations and faults = −1 − −1 are decoupled from the closed-loop feedback dynamics since Z1 αdSoM I NV Q Nd, they appear in an open-loop fashion at the output. How- Z =−α S V −1 UM−1 + Q N , ff 2 f i f ever, the perturbations are a ecting the outputs with a feed- (34) ff −1 forward structure, which is an undesirable e ect of this Z3 = αdSo Pdy − PuyV QNd , compensation. Consequently, as it was suggested in [18], if =− −1 some estimation of the perturbations d could be deduced Z4 α f Si KPfy+ V QN f , by steady-state relations of the system or by an observer using state-augmentation, the compensation q could incorpo- j represents the H2 or H∞ norms in (10), αd, α f ∈ [0, 1] are rate this new information to improve the closed-loop per- two weighting factors to balance the tradeoff between performance. In general, if the FDI stage could provide a re- turbations and faults reduction, and the normalized coprime liable identification of the fault vector f, then this estima- factors relations in (6) are applied. However, the optimization can be also applied under the compensation suggested in tion problem in (33) cannot be solved using standard robust Corollary 1 to decouple the faults from the closed-loop sys- control algorithms [19, 20]. Therefore, it is proposed to ex- tem. The compensation including perturbations and faults tend the cost function to have a feasible problem as follows: estimations will be given by =− −1 − αdSoPdy 0 q(s) UM [Nu(s)+Ndd(s)+N f f (s) My(s)], min − Q∈RH∞ 0 α f SiKPfy (30) − −1 and the resulting output dynamics are given now by αdSoPuyV (35) + − −1 Q Nd N f α f SiV j y(s)=T ref (s)+M−1 N d(s)−d(s) +N f (s)− f(s) . o d f = min Fl GQu , Q j , (31) Q∈RH∞ D. U. Campos-Delgado et al. 7

d y d (i) actuator or system faults: y f u f GQu GQy −1 − −1 i min SoM I NV Qi αdNd α f N f ; Qi∈RH∞ j q fe q fe (39)

Q Q (ii) sensor faults: (a) (b) αdSoPdy 0 min i ∈RH − Figure 4: LFT formulations for compensator Q: (a) Control signal Qi ∞ 0 α f SiKPfy and output attenuation, and (b) output signal attenuation. (40) − −1 αdSoPuyV i + − −1 Qi Nd N f , α f SiV j where GQu represents the generalized plant (see Figure 4) where given by i i ⎡ ⎤ i = A + LC F1 + LF2 0 − −1 N f i (41) ⎢αdSoPdy αdSoPuyV ⎥ C F2 ⎢ ⎥ = ⎢ − − −1 ⎥ GQu ⎢ 0 α f SiKPfy α f SiV ⎥ . (36) i = −1 i ⎣ ⎦ and P fy M N f . In this way, the fault accommodation Nd N f 0 scheme of Figure 5 is proposed, and the overall active FTC algorithm consists of three stages according to the informa- Meanwhile, if it is desired to attenuate both faults and pertur- tion of the FDI block as follows: bations at the output y, then the next optimization scheme (1) in the fault-free case, just the nominal control loop is is suggested: active; −1 −1 (2) after a fault scenario is detected into the system, a gen- min SoM I − NV Q αdNd α f N f Q∈RH∞ j eral compensator Q designed by (35)isactivated; (37) (3) finally, after the fault is classified and isolated, an spe- = min Fl GQy , Q , Q∈RH∞ j cific compensator Qi designed by (39)or(40)isse- lected. where GQy is given by ⎡ ⎤ In a general fault condition, it is then decided to decouple (if −1 possible) or attenuate the effect of faults at the control sig- αdSoPdy α f SoP fy −SoPuyV G = ⎣ ⎦ . (38) nal u, until the fault is well-characterized during the isola- Qy αdNd α f N f 0 tion stage. As a result, after the fault is isolated, the specific compensation is injected into the closed-loop configuration to improve the postfault performance. Remark 3. The optimization criteria for Q in (35)and(37) can be interpreted as approximation or normalization prob- Remark 5. Since the fault accommodation is based on the lems with certain postweighting and preweighting given by Youla parametrization, and since the faults are additive, the the frequency content of the perturbations Nd or faults N f . closed-loop stability after each reconfiguration is guaranteed, In fact, (35) introduces a combined optimization: (i) a nor- provided that Q, Qi ∈ RH∞, and any nonlinear behavior − malization process of NV 1 by Q with a frequency post- is avoided into the closed-loop system, like saturations, rate weighting given by the nominal output sensitivity So and limiters, and so on. However, if the fault profile depends on M−1, and (ii) an approximation problem to −UM−1 with a the states or outputs then closed-loop stability could not be frequency postweighting given by the nominal input sensi- assured after all. −1 tivity Si and V . Remark 6. In the proposed configuration, multiple and in- Remark 4. Note that the compensators Q designed by the cri- termittent faults could be handled. Once they are identified teria in (35)and(37) can be conservative since it is required by the FDI scheme, the corresponding compensator should to attenuate the effect of all types of faults analyzed in (1), be activated to perform its accommodation. However, if FDI and it is also assumed that all of them have the same struc- algorithm detects that the fault is no longer present, the com- ture. pensation is removed.

To improve the post-fault performance, it is then pro- 3.3. Performance evaluation posed to design specific compensators Qi ∈ RH∞ for i = 1, ..., l for every studied fault, depending if their effect is One important question, after the design stage is completed, on the state (actuator or system faults) or the output (sen- is the resulting performance of the fault detection, isolation sor faults) equations in (1), using the previous optimization and accommodation algorithms. To address this problem, algorithms as follows: different quantification indices will be proposed using the 8 Journal of Control Science and Engineering

d f

Pdy P fy Nominal controller y ref u u e − U V 1 Puy − q

Fault Fault isolation detection N Ql r residuals Fault . . . . accommodation −HI −HD Q1 fe − M

Figure 5: GIMC accommodation setup.

i system performance indexes in (10) of the resulting transfer where the weighting WA is selected according to the fault ef- functions. The selection of the applied performance index in fect: (10) will depend on the a priori faults information, for ex- ⎧ ⎨ −1 − −1 ample, the faults frequency content, or the desired interpre- SoM I NV Qi actuator/system fault, Wi tation of the quantification index, for example, the worst case A ⎩ −1 −1 SiV UM + Qi sensor fault, condition in the evaluation. The next indices are motivated (45) from the optimization algorithms used for synthesis in the previous sections. where (αd, α f ) are the positive weighting factors to judge the (1) Fault evaluation. The capability of the detection fil- importance of perturbations or faults attenuation. Now, a ter HD of reducing the perturbations frequency content com- i small value of IFA will indicate good fault accommodation. pared to increasing the faults sensitivity is evaluated by Note that this value is related to a worst-case performance degradation level expected in the FTC scheme [29]. H N D f k The overall synthesis algorithms for fault detection, iso- IFD . (42) HDNd j lation, and accommodation including performance evaluation are described in Appendix A. The synthesis procedure HencealargevalueofIFD will indicate good evaluation char- includes samples of MATLAB commands that could be used acteristics. for numerical calculations. (2) Fault isolation. This index is constructed by analyzing the property of HI of diagonalizing N f while attenuating the 4. FAULT TOLERANT APPROACH UNDER disturbances frequency content: MODEL UNCERTAINTY During the implementation of any control strategy, there is HI N f diag k always some model uncertainty in the mathematical descrip- IFI , (43) tion used for design. If the characterization of this uncer- HI N f nondiag + HI Nd k j tainty could be obtained during the problem formulation, · this information could be used at the design stage to improve where [ ]diag denotes the diagonal part of the transfer matrix, · ff the closed-loop performance, and understand also the prac- and [ ]nondiag the o diagonal structure. In fact, IFI is usually denoted as signal-to-noise and interference ratio (SNIR) in tical limitations. In this work, additive model uncertainty is considered [19, 20] as shown in Figure 6, that is, the actual the signal processing community. Thus if IFI is large, then fault isolation can be achieved. nominal plant Puy is given by (3) Fault accommodation. The fault accommodation is = quantified in terms of the property of reducing the effect of Puy Puy + Δuy, Δuy W2ΔW1, (46) faults and perturbations simultaneously into the closed-loop ∈ RH system. The accommodation performance criteria is defined where W1, W2 ∞ represent pre- and post-uncertainty weighting functions, and Δ ∈ RH∞ a normalized uncertain for the ith fault fi as transfer matrix Δ∞ < 1. As presented in [18], other uncer- − − tainty representations (parametric, multiplicative, etc.) could Ii α Wi N i + α S M 1 I − NV 1Q N , FA f A f k d o i d j be also fitted under an additive uncertainty structure, but at (44) the price of introducing some conservativeness in the design. D. U. Campos-Delgado et al. 9

d f

Nd N f Nominal controller y ref e u u −1 −1 − U V N M

q z w W1 Δ W2

Model uncertainty Fault Q accommodation N

r fe −H − M

Figure 6: GIMC with additive perturbations, faults, and model uncertainty.

First of all, note that under model uncertainty, the signal condition can be extended for robust fault isolation, consid- fe in the GIMC configuration is no longer decoupled from ering the worst-case uncertainty as the control signal u (see Figure 6). The results are summarized as follows [17]. normrank MW2W1 Nd N f (51) Lemma 2. Considering additive model uncertainty in the ≥ normrank MW2W1 Nd + l. GIMC configuration of Figure 2, the resulting closed-loop characteristics are given by Since the description of the uncertainty is posed in terms of the ∞ norm, the optimization problems for the detection H and isolation H filters are also proposed in terms of this fe(s) =−MΔuyu(s) − Ndd(s) − N f f (s), (47) D I norm. As a result, the following robust performance criteria = −1 − −1 −1 u(s) Wu K ref (s) V UM +Q Ndd(s)+N f f (s) , are adopted for both synthesis procedures: (48) (i) fault detection: = −1 y(s) Puy + Δuy Wu K ref (s) min 00h − H MW ΔW N N ∈RH D 2 1 d f ∞ HD ∞ − −1 −1 −1 − −1 Δ∞<1 Puy + Δuy Wu V UM + Q M (52) = min F F GΔ , Δ , H , × ∈RH l u HD D ∞ Ndd(s)+N f f (s) , HD ∞ (49) Δ ∞<1 (ii) fault isolation: where 00T − min HI MW2 ΔW1 Nd N f ∞ HD∈RH∞ Δ∞<1 −1 Wu I + K Puy + Δuy + V QMΔuy = min F F GΔ , Δ , H , (50) ∈RH l u HI I ∞ = −1 HD ∞ I + KPuy + V (U + QM Δuy. Δ∞<1 (53) (Proof is in Appendix C) where Fu(·, ·) stands for an upper LFT [20], and the respec- Δ Δ tive generalized plants GHD and GHI are given by 4.1. Robust fault isolation ⎡ ⎤ 0 W1 000 ⎢ ⎥ Δ = ⎢ 000h −1⎥ Note that by including additive uncertainty, an extra require- GHD ⎣ ⎦ , ment is evident, the detection/isolation filter H should can- MW2 0 Nd N f 0 cel or diminish the uncertainty contribution at the resid- ⎡ ⎤ (54) ual output r for a robust detection and isolation, that is, 0 W1 000 ≈ ⎢ ⎥ HMΔuy 0. As described in Section 2, there are necessary Δ = ⎢ 000T −I⎥ GHI ⎣ ⎦ . conditions related to the rank of the involved transfer matrices to guarantee proper fault isolation. Consequently, this MW2 0 Nd N f 0 10 Journal of Control Science and Engineering

results in Lemma 2, it can be seen that for a special case (sta- w Δ z w Δ z ble nominal plant), the uncertainty can be decoupled from the control signal as in Corollary 1, and closed-loop stability can be deduced if the nominal controller internally stabilizes d y d Δ Δ y the nominal plant. f GQu u f GQy

Corollary 3. If the nominal plant satisﬁes Puy ∈ RH∞, then

q fe q fe complete disturbance, fault, and uncertainty decoupling can be achieved at the control signal u by letting Q =−UM−1,and Q Q consequently

(a) (b) u(s) = SiK ref (s), = −1 Figure 7: LFT formulations for compensator Q under model un- y(s) Puy + Δuy SiK ref (s)+M Ndd(s)+N f f (s) . certainty: (a) control signal and output attenuation, and (b) output (57) signal attenuation. Moreover, the closed-loop is stable if K internally stabilizes Puy.

The optimization problems in (52)and(53)canbesolved Similarly to the result in Corollary 1, with the compensa- by using μ-synthesis design or LMI’s [19, 20]. On the other tion suggested in Corollary 3, the perturbations d and faults hand, at the residual evaluation, it is observed that the un- f affect the output in an open-loop fashion. Therefore, if an certainty Δuy is affected by the control signal u at (47). Thus estimation of the perturbations d and faults f are available, the residual is directly dependent on the control signal u,and then the feedforward structure in (30)couldbefollowedto its profile will appear in the resulting dynamic behavior, but attenuate their effect at the output. On the other hand, for a since this signal is known, an adaptive threshold [3, 28]can general design case by looking at (48)and(49), a robust crite- be used in order to reduce the conservativeness in the fault ria (performance and stability) should be targeted to reduce detection process introduced by the uncertain term as the faults effects at the control signal u and the perturbations D d contribution at the output y by J (t) = HDMW1W2 ∞ u + γ HDNd ∞, (55) th 2,t,To 2 ⎡ ⎤ − −1 − d ⎣ αd PuyWu K I Pdy 0 ⎦ where γ2 is the bound on the windowed energy of the pertur- min − bations, and the inequalities in (11) are applied. This charac- Q∈RH∞ 0 −α W 1KP ∞ 1 f u fy Δ < terization is appropriate since the uncertainty Δ is quantified − −1 −1 in terms of the ·∞ norm. Similarly, an adaptive threshold αdPuyWu V + − −1 −1 Q Nd N f can be formulated for fault isolation as α f Wu V ∞ l = min F F GΔ , Δ), Q , Ii i ∈RH l u Qu ∞ J (t) = HI N f ∞γ Q ∞ th ij 2 Δ∞<1 j=1 j=/ i (58) m (56) where is defined in (50), and the generalized plant Δ + Wu GQu HI MW1W2 ik ∞ uk 2,t,To k=1 (see Figure 7) including uncertainty information is given by r d Δ + H N γ , GQu I d ir ∞ 2 ⎡ ⎤ k=1 − − − −1 ⎢ W1SiKW2 W1SiKPdy W1SiKPfy W1SiV ⎥ = ⎢ ⎥ where i 1, ..., l. As mentioned in the previous section, the ⎢ −1⎥ ⎢ αdSoW2 αdSoPdy 0 αdSoPuyV ⎥ thresholds in (55)and(56) are derived from norms inequali- = ⎢ ⎥ . ⎢ − − −1 ⎥ ties, so their values could be conservative and they have to be ⎣ α f SiKW2 0 α f SiKPfy α f SiV ⎦ tuned online to optimize the fault detection capabilities. −MW2 −Nd −N f 0 Remark 7. It is clear that hard thresholds could lead to a con- (59) servative fault diagnosis stage, or fault misdetection due to Meanwhile, if robust attenuation is now looked at the output a change in the operating conditions or model uncertainty. y, the following robust performance problem is formulated: However, adaptive thresholds require a prior knowledge of the possible uncertainty or maximum variability of the resid- − −1 −1 −1 − −1 min PuyWu V UM + Q M ) uals in nominal conditions for a correct implementation. Q∈RH∞ Δ ∞<1 × 4.2. Robust fault accommodation αdNd α f N f ∞ (60) In general, no guarantee of closed-loop stability is granted al- = Δ min Fl Fu GQy , Δ , Q ∞, ∈ RH Q∈RH∞ though Q ∞ as in the uncertainty free case. From the Δ∞<1 D. U. Campos-Delgado et al. 11

Δ where the corresponding generalized plant GQy is given by (3) Fault accommodation. The fault accommodation performance is evaluated in terms of the faults and perturba- Δ GQ tions attenuation subject to model uncertainty. For this pur- ⎡y ⎤ − − − −1 pose, a robust performance analysis is carried out by using ⎢ W1SiKW2 αdW1SiKPdy α f W1SiKPfy W1SiV ⎥ ⎢ ⎥ the structured singular value μΔ [19, 20]. Then the fault ac- =⎢ −1⎥ ⎣ SoW2 αdSoPdy α f SoP fy SoPuyV ⎦ . commodation performance with respect to the ith fault is de- − − − fined by MW2 αdNd α f N f 0 Ii = sup μ M (jω) , (66) (61) RFA Δp i ω∈R As in the nominal case, in order to improve the closed-loop where Δp = diag(Δ, Δ f ) is an augmented uncertainty block performance after the fault has been isolated, a specific com- to address the performance specifications. Thus internal sta- pensator Qi ∈ RH∞ can be designed using the optimization i bility is guaranteed for Δ ∞ < 1/IRFA, and the worst-case criteria in (58)and(60), depending if the fault is affecting ≤ i performance is bounded Fu(Mi, Δ) IRFA. As a result, if the the state or output equations on the state-space representa- index Ii is lower than one, then robust stability is granted. Δ Δ RFA tion (1). For these cases, in the generalized plants (GQu , GQy ) presented in (59)and(61), N f is replaced by the information 5. ILLUSTRATIVE EXAMPLE of the analyzed fault N i for i = 1, ..., l. f In order to illustrate the ideas presented in the paper, the de- The robust stability condition is very important since it sign of an active FTC scheme for a separately excited DC mo- is needed that the fault accommodation scheme will preserve tor is considered. The dynamics of a second-order actuator closed-loop stability after the compensation despite model are appended to the motor description. To have a more real- uncertainty. However, the size of the uncertainty and its fre- istic simulation, the actuator gain is limited by a saturation quency content will dictate the degree of conservativeness in- function. Hence the control signal u is limited to the interval troduced. Assume that the ith fault f is analyzed, then define i [0, 10] V. Thus a system with one input and three outputs the transfer matrix M (s) by closing the lower feedback path i (armature voltage V and current i , and angular velocity ω) with its specific compensator Q in the LFT configuration, a a i is studied [30]. The load torque is modeled as an unknown that is, constant or slowly time-varying external disturbance d into M11 M12 the system. The control objective is defined as the regulation = = i i Mi(s) Fl Pi, Qi , (62) of the angular velocity to a prescribed reference. Note that M21 M22 i i since there are three measurements and one unknown perturbation, then only the effect of two different faults could where Pi represents the generalized plant in (59)(sensor be analyzed simultaneously [4]. The studied faults are actu- faults)or(61)(actuator or system fault) by replacing N f with i ator f1 (gain of the dc drive) and sensor f2 (angular velocity N f . Then robust stability with respect to the ith compensator measurement). The parameters of the dc motor are shown Qi is tested by the condition [20] as follows: in Table 1. The mathematical model of the studied system is 11≤ presented next: Mi 1. (63) ⎡ ⎤ Ra Kb 1 ⎢− − 0 ⎥ ⎡ ⎤ ⎢ ⎥ ⎡ ⎤ 4.3. Robust performance evaluation ⎢ La La La ⎥ x˙1 ⎢ ⎥ x1 ⎢ ⎥ ⎢ Kb B ⎥ ⎢ ⎥ ⎢x˙2⎥ ⎢ − ⎥ ⎢x2⎥ Finally, some indices are suggested to evaluate the robust per- ⎢ ⎥ = ⎢ 00⎥ ⎢ ⎥ ⎣x˙ ⎦ ⎢ J J ⎥ ⎣x ⎦ formance of the resulting FTC structure. 3 ⎢ ⎥ 3 ⎢ − ⎥ (1) Fault evaluation. The size of the worst-case uncer- x˙4 ⎣ 000 1 ⎦ x4 tainty is applied to obtain an estimate of the evaluation per- 2 − 00ωa 2ζaωa formance as ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ 0 0 ⎢ ⎥ 00 H N ⎢ ⎥ ⎢ 1 ⎥ ⎢ ⎥ ⎡ ⎤ (67) D f k ⎢ ⎥ ⎢− ⎥ ⎢ ⎥ IRFD . (64) ⎢ 0 ⎥ ⎢ ⎥ ⎢ 00⎥ ⎣ f1⎦ HDNd + HDMW2W1 ∞ + ⎢ ⎥ u + ⎢ J ⎥ d + ⎢ ⎥ , j ⎢K ⎥ ⎢ ⎥ ⎢K 0⎥ ⎣ a⎦ ⎣ 0 ⎦ ⎣ a ⎦ f2 Consequently, if I is large, then good evaluation charac- RFD 0 0 00 teristics are devised. ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ x ⎡ ⎤ (2) Fault isolation. The structure of the index (43)is ⎢ 1⎥ ⎢ ia ⎥ ⎢1000⎥ ⎢ ⎥ ⎢00⎥ maintained, but the worst-case uncertainty information is ⎣ ⎦ = ⎣ ⎦ ⎢x2⎥ ⎣ ⎦ f1 ω 0100 ⎣ ⎦ + 01 . appended as x3 f2 Va 0001 00 x4 HI N f diag k In fact, the model described in (67), with the parameters in IRFI . Table 1, is stable and satisfies the isolation conditions pre- HI N f + HI Nd + HI MW2W1 nondiag k j ∞ sented in (7)and(8). The nominal controller is designed fol- (65) lowing a PI structure with respect to the velocity reference 12 Journal of Control Science and Engineering

error ωref − ω, plus a constant feedback from ia and Va, that Table 1: DC motor parameters. is, Parameter Description R = 0.699 Ω Armature resistance ˙ = − , a xk ωref ω = (68) La 0.297 H Armature inductance = ω − i V −3 u Kixk + Kp ωref ω + Kpia + Kp Va, B = 4.544 × 10 Nm/rad/sFrictioncoefficient J = 2.79 × 10−3 kg m Inertia = ω = i = V =− = 0 746 V rad s Electromagnetic constant where Ki 0.5, Kp 0.1, Kp 0.2, and Kp 0.01. Kb . / / This control law satisfies the performance specifications by Ka = 40 Actuator gain achieving internal stability and asymptotic tracking. Now, ωa = 2π × 360 rad/s Actuator natural frequency = the detection and isolation filters (HD, HI ) were designed fol- ζa 0.7 Actuator damping factor lowing the optimization indices (16)and(18)withj =∞, and selecting Table 2: FTC performance indices.

Index Value = × 1 h(s) 11 , × 3 s/100 + 1 IFD 6.17 10 (69) IFI 106.5 1 10 = IFA 0 T(s) 4 . s/10 +1 01 1 IFA 0 2 IFA 0 All the numerical calculations were carried out in MATLAB IRFD 1.63 by using two toolboxes: (i) control system, and (ii) LMI con- IRFI 1.05 trol (see Appendix A). The transfer matrix T(s)wascho- sen as a diagonal low-pass filter since the frequency content of N f allows perfect decoupling in the low frequency. tialized to 1 Nm. The following scenario is tested under nu- The residual evaluation was computed by the windowed 2 merical simulation: norm in (20). Consequently, assuming a time window To and (i) at 2.5 s, there is a perturbation step change from 1 Nm d∞ ≤ dmax , then a hard threshold for fault evaluation is calculated by to 2 Nm; (ii) from 4 to 8 s, fault f2 is active as a complete sensor out- age, that is, f2 =−ω; D = Jth HDNd ∞ Todmax , (70) (iii) from 10 to 14 s, fault f1 is triggered as a 50% reduction in the actuator gain, that is, f =−0.5 u; 1 ≤ (iv)finally,from16to20s,fault f2 is once more active. since d 2,t,To dmax To. Meanwhile, for isolation purposes, two new thresholds are also computed as follows: The results are presented in Figures 8 and 9.Forcompari- son, the nominal controller (without compensation) and the active FTC are plotted simultaneously in Figure 8. From the JI1 = H N T d + H N T f , th I d 1 ∞ o max I f 12 ∞ o 2max simulation results, the nominal controller saturates the control signal u when f is triggered, and the actuator delivers its JI2 = H N T d + H N T f , 2 th I d 2 ∞ o max I f 21 ∞ o 1max maximum output voltage to the motor. As a result, the angu- (71) lar velocity is dangerously raised to ≈ 500 rad/s. This behavior could induce severe mechanical stresses in the motor, and where f1∞ ≤ f1max,and f2∞ ≤ f2max. Next, the fault ac- practically, an instability scenario is faced, but limited by the commodation compensators Q, Q1,andQ2 were synthesized actuator saturation. Meanwhile, the active FTC scheme can by (35), (39), and (40)withα f = 1.0andαd = 0.0. The per- accommodate effectively this fault, with some transient oscil- formance indices in (42), (43), and (44)werecomputedtak- lation due to the control switching. However, for fault f1, the ing the ∞ norm (k = j =∞), and they are listed in Table 2. nominal controller and the FTC scheme can compensate its The weight αd is chosen null since the perturbation is as- appearance by the integral action in the nominal controller, sumed constant or slowly time varying, so the integral part of but although the nominal control law can inherently accom- the nominal controller can compensate effectively its effect. modate this fault, there is no record of this faulty condition Hence the results in Table 2 reflect that the active FTC will in the closed-loop system. Now, the results of the fault detec- provide good performance in the detection, isolation, and tion and isolation stages are illustrated in Figure 9. Faults f1 accommodation stages. Furthermore, no degradation should and f2 are correctly isolated, and the disturbance step change = 1 = 2 = be expected in a steady state since IFA IFA IFA 0. How- is not mistaken by a fault in the FDI stage. In fact, f1 and ever, some transient changes have to be anticipated due to f2 are almost instantaneously isolated. Note that the active control switching (see Figure 5). The velocity reference ωref FTC scheme is able to maintain good performance after both is defined as a square wave that oscillates between 75 and faults, and also when the faults are removed from the system, 125 rad/satafrequencyof4Hz.Theloadtorqued is ini- the nominal performance is recovered. D. U. Campos-Delgado et al. 13

×102 6 Nominal 5 controller 4 3 f2 active f1 active f2 active FTC Velocity (rad/s) 2 scheme reference 1 Angular velocity 0 0 2 4 6 8 10121416182022 Time (seconds) (a) 10 8 Compensation Compensation Compensation 6 active active active u 4 2 0 0 2 4 6 8 10121416182022 Time (seconds) (b)

Figure 8: Simulation evaluation of FTC scheme: (a) angular velocity, and (b) control signal.

10 5 0 −5 −10 − 15 f2/10 f1 Fault signals −20 −25 0 2 4 6 8 10121416182022 Time (seconds) (a)

1 0.8 Afaultisdetected Afaultisdetected Afaultisdetected 0.6 f2 is isolated f1 is isolated f2 is isolated 0.4 Diagnostics 0.2 0 0 2 4 6 8 10121416182022 Time (seconds) (b)

Figure 9: Simulation evaluation of FTC scheme: (a) fault signals, (b) detection and isolation results.

Now, in order to evaluate the fault diagnosis and isolation rent measurement, and there is a 15% error in the measure- under model uncertainty, the performance of the previously ment of the angular velocity sensor over the whole frequency designed ﬁlters HD and HI under uncertainty in the measure- bandwidth. The robust performance indices in (64)and(65) ments ia and ω is analyzed. So, consider the following output were calculated (k = j =∞), and the results are presented in uncertainty weight W2 as follows: Table 2. The results show that there is a severe deterioration ⎡ ⎤ 0.2 in the diagnosis and isolation capabilities under that uncer- ⎢ ⎥ tainty proﬁle, but there are still some degree of separability ⎢ 10 + 1 ⎥ ⎢ s/ ⎥ = ⎢ ⎥ to achieve the diagnosis and isolation stage. W2(s) ⎢ 0.15 ⎥ . (72) ⎣ ⎦ s/1000 + 1 0 6. CONCLUSIONS

The interpretation of W2 is the following: (a) there is a maxi- In this paper, a control methodology for fault detection, iso- mum error of 20% at the low frequency of the armature cur- lation, and accommodation to address LTI systems has been 14 Journal of Control Science and Engineering detailed. The FTC scheme is based on the GIMC configura- Octave [32]. In fact, freely in the web, there are toolboxes tion [12] which extends the use of the Youla parametrization for these two programs that implement the same synthesis to FTC. Design strategies were presented for the FDI pro- algorithms as in MATLAB. cess and accommodation. Multiple and intermittent faults can be treated in this FTC scheme. Closed-loop stability is B. PROOF OF LEMMA 1 always guaranteed after each configuration but only if the additive faults profiles do not depend on the states or outputs. From the block diagram in Figure 2, it is observed that the Moreover, the analysis of the design schemes under model internal signal fe is given by (13), and as a result, the internal uncertainty was carried out. For detection and isolation pur- control signal u is constructed as poses, a hard threshold is suggested for the nominal case, and = = − an adaptive one is considered when model uncertainty af- u(s) q(s)+Ue(s) Qfe(s)+U ref (s) y(s) fects the output measurements. Performance indices are also (B.1) =−Q N d(s)+N f (s) + U ref (s) − y(s) . suggested to evaluate the detection, isolation, and accommo- d f dation schemes. The FTC structure was tested in numerical Thus the control signal u contains information from the simulation over a DC motor setup, and the advantages over faults, perturbations, references, and outputs: a nominal control law were clearly presented. u(s) = V −1u(s) = K ref (s) − y(s) (B.2) APPENDICES −1 − V Q Ndd(s)+N f f (s) . A. FAULT TOLERANT SYNTHESIS ALGORITHMS Finally, by a direct substitution of (3) into (B.2), the results The synthesis algorithm for fault diagnosis, isolation, and ac- in (27) are deduced. commodation in the nominal case is presented in this section. The algorithm follows the ideas exposed in Section 3. C. PROOF OF LEMMA 2 The synthesis procedure is based on MATLAB, and it could be implemented using the next toolboxes: (i) control system, From the block diagram of Figure 6 under additive uncer- (ii) LMI control, (iii) μ analysis and synthesis, and (iv) ro- tainty, (47) is obtained directly to describe fe by recalling bust control. After each step in the algorithm, the MATLAB (13). Next, the control signal u is derived as commands used for numerical synthesis are introduced in- = −1 − side parentheses as follows. u(s) V Qfe(s)+U(ref (s) y(s)) ,(C.1) (1) Define the state-space description of the plant and and by a substitution of (3)and(46) into the previous equa- nominal controller in (1)and(9)(ss, ltisys, pack and tion, the effects of the reference, perturbations, and faults can mksys). be isolated from the control signal u : (2) Construct the left coprime factorizations of plant (5) −1 and controller (9)(lqr, place and acker), in order to I + V QMΔuy + K Puy + Δuy u(s) avoid numerical problems, use a balance realization = K ref (s)+V −1 UM−1 + Q N d(s)+N f (s) . for all the coprime factors (balreal, sbalanc, sysbal and d f (C.2) obalreal).

(3) Check conditions (7)and(8) to verify the solvability Hence by defining the term Wu in (50), the result in (48)is of the synthesis schemes. obtained. Finally, substituting (48)and(46) into the output ∈ RH (4) Define the filters h, T ∞, and obtain HD, HI by equation (3), the contributions of the references, perturba- solving the optimization problems (16)and(18)(hin- tions, and faults into the output are described by (49). flmi, hinfric, hinfsyn, h2syn, hinfopt,andh2lqg). (5) Evaluate the fault diagnosis performance through (42), ACKNOWLEDGMENTS and isolation property by extracting the diagonal and nondiagonal parts of the product HI N f using the state- This research is supported in part by grants from FAI (Grant space realization and computing (43)(norm, norminf, no. C06-FAI-11-34.71) and CONACYT (Grant no. C07- norm2, h2norm, hinfnorm, normh2, normhinf, ssdata, ACIPC-08.4.4, no.52314). D. R. Espinoza-Trejo acknowl- ltiss, unpck,andbranch). edges the support provided by CONACYT through a doc- (6) Obtain the general accommodation compensator Q toral scholarship (no. 166718). using (35), and the specific compensators Qi by (39) or (40)(hinflmi, hinfric, hinfsyn, h2syn, hinfopt,and REFERENCES h2lqg). (7) Evaluate the fault accommodation performance by [1] J. Chen and R. J. Patton, Robust Model-Based Fault Diagno- (44)(norm, norminf, norm2, h2norm, hinfnorm, sis for Dynamic Systems, Kluwer Academic, Dordrecht, The normh2,andnormhinf ). Netherlands, 1999. [2] R. Isermann and P. Balle,´ “Trends in the application of model- Alternatively, the synthesis procedure can be computed based fault detection and diagnosis of technical processes,” usingopensourcenumericalprogramsasScilab[31]and Control Engineering Practice, vol. 5, no. 5, pp. 709–719, 1997. D. U. Campos-Delgado et al. 15

[3] R. Isermann, Fault-Diagnosis Systems: An Introduction from ternational Journal of Adaptive Control and Signal Processing, Fault Detection to Fault Tolerance, Springer, New York, NY, vol. 14, no. 7, pp. 725–745, 2000. USA, 2006. [22] B. Marx, D. Koenig, and D. Georges, “Robust fault-tolerant [4] A. Saberi, A. A. Stoorvogel, P.Sannuti, and H. Niemann, “Fun- control for descriptor systems,” IEEE Transactions on Auto- damental problems in fault detection and identification,” In- matic Control, vol. 49, no. 10, pp. 1869–1875, 2004. ternational Journal of Robust and Nonlinear Control, vol. 10, [23] H. Niemann and J. Stoustrup, “Fault tolerant controllers for no. 14, pp. 1209–1236, 2000. sampled-data systems,” in Proceedings of the American Control [5] M. Blanke, R. Izadi-Zamanabadi, S. A. Bøgh, and C. P. Lunau, Conference, vol. 4, pp. 3490–3495, 2004. “Fault-tolerant control systems—a holistic view,” Control En- [24] S. S. Yang and J. Chen, “Sensor faults compensation for MIMO gineering Practice, vol. 5, no. 5, pp. 693–702, 1997. fault-tolerant control systems,” Transactions of the Institute of [6] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Di- Measurement and Control, vol. 28, no. 2, pp. 187–205, 2006. agnosis and Fault-Tolerant Control,Springer,NewYork,NY, [25] N. Liu and K. Zhou, “Optimal solutions to multi-objective ro- USA, 2003. bust fault detection problems,” in Proccedings of the 2007 IEEE [7] D. U. Campos-Delgado and K. Zhou, “Reconfigurable fault- Conference on Decision and Control,NewOrleans,LA,USA, tolerant control using GIMC structure,” IEEE Transactions on December 2007. Automatic Control, vol. 48, no. 5, pp. 832–838, 2003. [26] H. Niemann and J. Stoustrup, “Fault diagnosis for non- [8] H. Noura, D. Sauter, F. Hamelin, and D. Theilliol, “Fault- mininum phase systems using H∞ optimization,” in Proceed- tolerant control in dynamic systems: application to a winding ings of the American Control Conference, vol. 6, pp. 4432–4436, machine,” IEEE Control Systems Magazine,vol.20,no.1,pp. 2001. 33–49, 2000. [27] A. Emami-Naeini, M. M. Akhter, and S. M. Rock, “Effect of [9] J. Stoustrup and V.D. Blondel, “Fault tolerant control: a simul- model uncertainty on failure detection: the threshold selector,” taneous stabilization result,” IEEE Transactions on Automatic IEEE Transactions on Automatic Control, vol. 33, no. 12, pp. Control, vol. 49, no. 2, pp. 305–310, 2004. 1106–1116, 1988. [10] D. Kim and Y. Kim, “Robust variable structure controller de- [28] M. G. Perhinschi, M. R. Napolitano, G. Campa, B. Seanor, sign for fault tolerant flight control,” Journal of Guidance, Con- J. Burken, and R. Larson, “An adaptive threshold approach trol, and Dynamics, vol. 23, no. 3, pp. 430–437, 2000. for the design of an actuator failure detection and identifica- [11] P. Zhang, S. X. Ding, G. Z. Wang, T. Jeinsch, and D. H. Zhou, tion scheme,” IEEE Transactions on Control Systems Technol- “Application of robust observer-based FDI systems to fault tol- ogy, vol. 14, no. 3, pp. 519–525, 2006. erant control,” in Proceedings of the 15th Triennial IFAC World [29] J. Jiang and Y. Zhang, “Accepting performance degradation Congress, Barcelona, Spain, 2002. in fault-tolerant control system design,” IEEE Transactions on [12] K. Zhou and Z. Ren, “A new controller architecture for high Control Systems Technology, vol. 14, no. 2, pp. 284–292, 2006. performance, robust, and fault-tolerant control,” IEEE Trans- [30] R. Krishnan, Electric Motor Drives: Modeling, Analysis, and actions on Automatic Control, vol. 46, no. 10, pp. 1613–1618, Control, Prentice Hall, Upper Saddle River, NJ, USA, 2001. 2001. [31] http://www.scilab.org/. [13] J.-Y. Shin, N. E. Wu, and C. Belcastro, “Adaptive linear param- [32] http://www.octave.org/. eter varying control synthesis for actuator failure,” Journal of Guidance, Control, and Dynamics, vol. 27, no. 5, pp. 787–794, 2004. [14] J.-Y. Shin and C. M. Belcastro, “Performance analysis on fault tolerant control system,” IEEE Transactions on Control Systems Technology, vol. 14, no. 5, pp. 920–925, 2006. [15] M. Ji, Z. Zhang, G. Biswas, and N. Sarkar, “Hybrid fault adaptive control of a wheeled mobile robot,” IEEE/ASME Transac- tions on Mechatronics, vol. 8, no. 2, pp. 226–233, 2003. [16] X. Zhang, T. Parisini, and M. M. Polycarpou, “Adaptive fault-tolerant control of nonlinear uncertain systems: an information-based diagnostic approach,” IEEE Transactions on Automatic Control, vol. 49, no. 8, pp. 1259–1274, 2004. [17] D. U. Campos-Delgado, E. R. Palacios, and D. R. Espinoza- Trejo, “Fault accommodation strategy for LTI systems based on GIMC structure: additive faults,” in Proceedings of the 44th IEEE Conference on Decision and Control, and the European Control Conference (CDC-ECC ’05), vol. 2005, pp. 6292–6297, Seville, Spain, December 2005. [18] D. U. Campos-Delgado, S. Mart´ınez-Mart´ınez, and K. Zhou, “Integrated fault-tolerant scheme for a DC speed drive,” IEEE/ASME Transactions on Mechatronics,vol.10,no.4,pp. 419–427, 2005. [19] G. E. Dullerud and F. Paganini, ACourseinRobustControl Theory, Springer, New York, NY, USA, 2000. [20] K. Zhou, J. C. Doyle, and K. Glover, Robust and Optimal Con- trol, Prentice Hall, Upper Saddle River, NJ, USA, 1996. [21] S. X. Ding, T. Jeinsch, P. M. Frank, and E. L. Ding, “A unified approach to the optimization of fault detection systems,” In- Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 231697, 11 pages doi:10.1155/2008/231697

Research Article A Method for Designing Fault Diagnosis Filters for LPV Polytopic Systems

Sylvain Grenaille, David Henry, and Ali Zolghadri

Université Bordeaux 1, Approche Robuste et Intégrée de l’Automatique, Laboratory IMS, 351 Cours de la Libération, 33405 Talence Cedex, France

Correspondence should be addressed to David Henry, [email protected]

Received 30 March 2007; Accepted 25 September 2007

Recommended by Kemin Zhou

The work presented in this paper focuses on the design of robust Fault Detection and Isolation (FDI) filters for dynamic systems characterized by LPV (Linear Parameter Varying) polytopic models. A sufficient condition is established to guarantee sensitivity performance of the residual signal vector to faults. Robustness constraints against model perturbations and disturbances are also taken into account in the design method. A key feature of the proposed method is that the residual structuring matrices are optimized as an integral part of the design, together with the dynamic part (i.e. the filter). The design problem is formulated as a convex optimization problem and solved using LMI (Linear Matrix Inequalities) techniques. The proposed method is illustrated on the secondary circuit of a Nuclear Power Plant.

Copyright © 2008 Sylvain Grenaille et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION AND MOTIVATIONS timate of the fault signal, and residual generation methods where the residuals are synthesized to be robust against mod- The issue of Fault Detection and Isolation (FDI) in dy- eling errors and unknown inputs, while being sensitive to the namic systems has been an active research area in the last faults. In this context, a geometric approach is proposed in two decades. Model-based FDI techniques use mathematical [6] to design a LPV observer in a Luenberger form. A pro- models of the monitored process and extract features from cedure is derived to obtain the observer parameters via the measured signals, to generate fault indicating signals, that construction of a suitable family of invariant subspaces (pais, the residuals. LTI models have been widely used to solve rameter varying (C, A)-invariant and un-observability sub- the problem of FDI. Tools are now available to enhance ro- spaces). In [7], a multi-model approach is used to solve the bustness against small parameter variations and other dis- FDI problem for nonlinear systems. The nonlinear system is turbances (see, [1–3] for surveys). The resulting robust FDI modeled using polytopic models and a robust polytopic un- problem is generally formulated as a min-max optimization known input observer is then synthesized by means of pole setting to maximize fault sensitivity performance and at the assignment. The method uses LMI optimization techniques same time, to minimize the influence of unknowns inputs. to synthesize the observer gain. The major limitation of this More recently, some research works have appeared that approach is that sensitivity of the residual signal against faults consider Linear Parameter Varying (LPV) modeling of the can only be checked a posteriori. More precisely, if the distri- monitored system to take into account wider and more rapid bution matrices of the fault model and the effects that faults parameters variations. Such models can be used efficiently to could have on the decoupled state is not of full column rank, represent some nonlinear systems (see, e.g., [4, 5]). This mo- then faults could go undetectable. To overcome this problem, tivatessomeresearchersfromtheFDIcommunitytodevelop asolutionisprovidedin[8] where the main idea is to build a model-based methods using LPV models (see [6–8]among fault estimate using a LPV filter such that the worst-case gain others). The two commonly used approaches are fault esti- (i.e., the H∞ performances measure for LPV systems) from mation methods where the fault indicating signal is an es- disturbances and faults to the estimation error, is minimized. 2 Journal of Control Science and Engineering

In this paper a different approach based on residual gen- The underlying LPV system is modeled by the following eration is considered for LPV systems that can be modeled state space representation within a LPV polytopic setting. Robustness against exogenous disturbances and sensitivity against faults are consid- x˙ = A θ(t) x + B θ(t) u (3) ered in a framework similar to the well-known H∞/H− set- y = C θ(t) x + D θ(t) u ting for LTI systems. The robustness objectives are expressed in terms of a minimization problem using the H∞ norm for which is denoted in a compact form as LPV systems, and the sensitivity requirement is formulated in terms of a maximization constraint using also the H-index A(θ) B(θ) M(θ) = . (4) for LPV systems. The main difference between this problem C(θ) D(θ) and the standard H∞ problem for LPV systems is that it involves the residual structuring matrices that are unknown. x is the state vector, u is the input vector, y is the output vec- The paper is organized as follows: In Section 2, the gen- tor and θ(t) is a varying parameter vector. It is assumed that eral FDI filter design problem and the corresponding solu- all parameters θi(t), i = 1, ..., r are bounded, measurable (or tion are presented. In Section 3, the proposed method is ap- estimated) in real time and take their values in the domain plied to real data set coming from the secondary circuit of a Θ, so that Θ is a convex polytope. nuclear power plant in France. Finally, some concluding re- The LPV system (3) admits a (non-conservatism) poly- marks are made in a final section. topic model if it is possible to determine a set of matrices Mi, i = 1, ..., N, constituting the vertices of a polytope defined Preliminaries by The Euclidean norm is always used for vectors and is writ- N N Co , , = , ≥ 0, = 1 (5) ten without a subscript; for example x. Similarly in the β1 ... βN βiM Πi βi βi i=1 i=1 matrix case, the induced vector norm is used: A=σ(A) where σ(A) denotes the maximum singular value of A.Sig- and such that it corresponds to the image by M of the domain nals, for example w(t)orw,areassumedtobeofbounded Θ: = energy, and their norm is denoted by w 2, that is, w 2 +∞ 2 1/2 ∈ ≡ ( −∞w(t) dt) < ∞. LTI models, for example, P(s)or M(θ), θ Θ Co M Π1 , ..., M ΠN . (6) simply P,areassumedtobeinRH∞, real rational func- = ∞ Then, β , i = 1, ..., N define barycentric coordinates of Θ tions with P ∞ supωσ(P(jω)) < . P ∞, that is, the i largest gain of P, is accompanied by the smallest gain of and the following convex decomposition yields: P, inf σ(P(jω)),whichmaybeequaltozeroforsomeP ω N (e.g., strictly proper systems), if the frequency range of in- = ··· ≥ = θ(t) β1Π1 + + βN ΠN , βi 0, βi 1. (7) terest is infinite. This motivated [1, 9–12] to define the non- i=1 zero smallest gain of P, that is, the H-index, as the restriction of inf ωσ(P(jω)) to a finite frequency domain Ω, that is, Referring to the LPV system (3), the worst-case RMS gain P− = inf ω∈Ωσ(P(jω)). from u to y which is known as the H∞-norm for LPV systems is defined by: In [1, 9], an evaluation function •e which is a restriction of the H2 signal norm to Ω, is defined by the authors y2 ω2 2 1/2 = = as w =w2, = ( w(jω) dω) . Then, given P so M(θ) ∞ sup . (8) e Ω ω1 2 ∀ ∈ u = θ Θ 2 that y Pu, it follows that u2 =/ 0 ω2 2 = 1 2 Following the definition of the index • of a LTI transfer y e P(jω)u(jω) 2dω sens 2π ω1 given by (2), we will introduce the following evaluation func- (1) tion, that will be useful in the following to formulate fault ω2 2 = 1 u(jω) 2 ≥ 2 2 sensitivity requirements for LPV fault detection schemes: P(jω) u 2dω P − u e 2π ω1 u 2 2 y M(θ) = inf = e (9) sens ∀ ∈ and thus that P− ≤y /u . This motivates the intro- θ Θ u e e e ue =/ 0 duction of an evaluation function, denoted •sens,whichis defined according to: M(θ) sens is also a generalization of (2) to LPV case.

ye P = inf ≥P−. (2) 2. FDI FILTERS FOR LPV SYSTEMS sens = u e / 0 u e 2.1. Problem setting From (2), it follows that Psens takes the sense of the smallest value of a singular value of P(jω)evaluatedonΩ. Then it Consider the general FDI design problem for LPV systems follows that P− ≤Psens ≤P∞. represented on Figure 1. G(θ) is a polytopic LPV model. Sylvain Grenaille et al. 3

y d y d f z f P(θ) F(θ) G(θ) F(θ) z My + − u u r K + + Mu

Figure 1: The general FDI ﬁlter design problem. Figure 2: General setup for FDI/LPV ﬁlter design problem.

q K is a known controller. d ∈ R d represents exogenous dis- Of course, the smaller γ1 and the bigger γ2 are the better turbances and f ∈ Rq f represents the faults to be detected. the fault detection performance will be. F(θ) is the FDI LPV filter to be designed. z ∈ Rqr is an es- Remark 1. In Problem 1 formulation, it is assumed that the timation of z = My y + Muu, a subset of the measurements × m p qr m structuring matrices M and M do not depend on θ. If this y ∈ R and the controlled inputs u ∈ R . My ∈ R and y u × M ∈ Rqr p are the two residual structuring matrices to be assumption vanishes, it can be verified that the following the- u ff designed. oretical developments still yields. The only di erence in such It is assumed that the problem depicted on Figure 1 a case is that, if we consider My(θ)andMu(θ)inProblem1,a is well posed and thus the lower fractional transformation set of structuring matrices My(Πi)andMu(Πi)foreachver- tex of the polytope would be obtained rather than constant F1(G(θ), K) always exists. Θ The FDI design problem we are interested in can then be matrices. formulated as follows. 2.2. Design of the FDI filter Problem 1. Assume that the faults f are detectable (the interested reader can refer to [13] for a discussion on fault de- In this section, a solution is provided to compute simulta- tectability). neously My, Mu and F(θ) so that the requirements (11)and The goal is to find the state space matrices AF (θ) ∈ (12) are satisfied. It is straightforward to verify that the major n ×n n ×(m+p) q ×n ffi R F F , BF (θ) ∈ R F , CF (θ) ∈ R r F and DF (θ) ∈ di culty in this problem is related to the fault sensitivity re- × Rqr (m+p) of the (stable) polytopic LPV filter F(θ) and the quirement (12) since (11) can be solved using the techniques × × residual structuring matrices M ∈ Rqr m and M ∈ Rqr p developed in the robust control community (see, e.g., [14] y u ffi defining the residual vector or [15]). To overcome this problem, a su cient condition is established in terms of a fictitious H∞ problem. It is then y shown in the following that a solution to this fictitious prob- r = z − z = M y + M u − F(θ) , r ∈ Rqr (10) y u u lem is a solution of the original one. such that the residual vector meets the following require- 2.2.1. Standard setup for the filter design problem ments: To proceed, let T (θ) ∞ <γ (11) rd 1 A(θ) Bd(θ) B f (θ) Trf(θ) sens >γ2 (12) P(θ) = . (13) C(θ) Dd(θ) D f (θ) where Trd and Trf denote the looped transfers between d and r and f and r, respectively. This problem can be represented Using some algebra manipulations, the filter design problem illustrated on Figure 2, can be re-casted into the setup by the block diagram illustrated on Figure 2,where P(θ)is y = d depicted in Figure 3,whereP(θ, My, Mu) is deduced from derived from F1(G(θ), K) so that u P(θ) f . In this P(θ), My and Mu, according to: formulation, γ1 and γ2 are two positive constants referring respectively to the robustness and sensitivity performances P θ, My, Mu = levels. ⎛ ⎞ A(θ) B (θ) B (θ)0× ⎜ d f n qr ⎟ Equation (11) represents the worst-case robustness of the ⎜ ⎟ ⎜ − ⎟ residual to disturbances d for all θ ∈ Θ, in the H∞-norm ⎝ My Mu C(θ) My Mu Dd(θ) My Mu D f (θ) Iqr ⎠ sense. Under plant perturbation, the effect that the exoge- C(θ) Dd(θ) D f (θ)0(m+p)×qr nous disturbances have on the residuals, can greatly increase (14) and the fault detection performance may then be considerably degraded. A robust fault sensitivity specification is then where Iqr and 0i× j denote respectively the identity matrix of needed to maintain a detection performance level of the FDI dimension qr and the null matrix of dimension i× j. n is also n×n unit. Here the sensitivity measure (9) for LPV fault detection the order of P(θ, My, Mu), that is, A(θ) ∈ R . scheme is used to guarantee the worst-case sensitivity of the Following the method proposed in [10, 11], the require- residual to faults. ments (11)and(12) are now expressed in terms of loop 4 Journal of Control Science and Engineering

r d Now consider the weighting function WF defined in Lemma f 1. Since, W is supposed to be invertible, we get P(θ, My, Mu) F y 1 = + z u WF ∞,Ω, (22) WF − F(θ) + = + · + where WF ∞,Ω supω∈Ωσ(WF (jω)) WF denotes the inverse of WF which always exists by assumption (see Figure 3: FDI/LPV filter design problem. Lemma 1). Then, factorizing the right term of (21)by WF − gives T (θ) shapes, that is, of desired gain responses for the appropri- ≥ − rf ∞ Trf(θ) sens 1 WF − (23) ate closed-loop transfers. These shaping objectives are then WF − turned into uniform bounds by means of the shaping filters. that can be done since, by definition, WF − =/ 0. With (22), Let Wd and W f denote the (dynamical) shaping filters asso- it then follows that: ciated with (11)and(12) respectively, so that: + T (θ) ≥ 1 − T (θ ∞ W ∞ W −. (24) rf sens rf F ,Ω F Wd ∞ ≤ γ (15) 1 ≥ Now, since by construction WF − >λ,itisstraightforward W f − γ2 (16) to verify that the following relation yields: Wd∞ and W f − denote respectively the H∞ and H− + 1 WF ∞,Ω < . (25) norm of the LTI transfer Wd and W f (see preliminaries). λ Assume that Wd is invertible (this can be done without Suppose now that inequality (18) yields, that is, Trf (θ)∞ < loss of generality because it is always possible to add zeros 1. From (25), it follows that in Wd to make it invertible). Wd and W f are also defined in 1 order to tune the gain responses for, respectively, Trd(θ)and + Trf (θ) ∞ WF ∞,Ω < (26) Trf(θ). Then it is straightforward to verify that the specifica- λ tion (11) yields if the following constraint is satisfied: and with (24), we get λ − 1 T (θ) ∞ < 1. (17) T (θ) > W . (27) rd rf sens λ F −

q = = In this formulation, d ∈ R d is a fictitious signal generating Thus, if W f − (γ2/γ) WF − with λ 1+γ2, then (27) d through W (see Figure 4(a) for easy reference) and T implies that d rd denotes the looped transfer between r and d. Trf(θ) sens > W f − (28) The following lemma allows the sensitivity constraint (12) to be transformed into a fictitious H∞ one. which terminates the proof. Following (17)and(18), the design problem can be Lemma 1. Consider an invertible transfer matrix WF such that = = re-casted in a fictitious LPV H∞-framework as depicted in W f − (γ2/λ) WF − and WF − >λwhere λ 1+γ2. q Figure 4(a),whered and r are two fictitious signals, so that Define the (fictitious) signal r ∈ R r such that r = r−WF f (see = = − Figure 4(a)). Then a sufficient condition for the specification d Wdd and r r WF f . Then, including γ1, λ, WF and −1 (12) to hold, is: Wd into the model P(θ, My, Mu) leads to the equivalent block diagram of Figure 4(b),whereP(θ, M , M )isdefined y u Trf (θ) ∞ < 1, (18) according to: r d where Trf denote the looped transfer between r and f . = F P θ, M , M , F(θ) . (29) r 1 y u f Proof of Lemma 1. Consider the signal rintroduced in Figure 4, that is, The residual generation problem can now be formulated in a framework which looks like a standard H∞ problem for LPV systems, by combining both requirements (17)and(18) into r = r − WF f , (19) a single H∞ constraint. Using Lemma 1, it can be verified that where W isdefineasinLemma 1. Then it can be verified asufficient condition for (17)and(18) to hold, is F that the following relation yields: F1 P θ, My, Mu , F(θ) ∞ < 1. (30) ≥ − − Trf(θ) sens WF − Trf(θ) WF ∞ (20) As mentioned above, this equation seems to be similar to a standard H∞ LPV problem. In fact, this is not the case since that can be re-written due to the definition of r given by (19): the transfer P(θ, My, Mu) depends on My and Mu that are unknown. In the following section, a procedure is given to ≥ − Trf(θ) sens WF − Trf (θ) ∞. (21) overcome this problem. Sylvain Grenaille et al. 5

B(θ), C(θ)andD(θ) of the state-space representation of d −1 r Wd d + P(θ, My, Mu) are deﬁned according to: f P(θ, My, Mu) r − ⎛ ⎞ y A(θ) B (θ)C 0 z u ⎜ d wd ⎟ ⎜ ⎟ F(θ) A(θ) = ⎝ 0 Awd 0 ⎠ ,

00AwF (31) WF × A(θ) ∈ R(n+nwd+nwF ) (n+nwd+nwF ), (a) ⎛ ⎞ Bd(θ)Dwd B f (θ)0 ⎜ ⎟ d r = | = ⎝ B 00⎠ B(θ) B1(θ) B2 wd , f P(θ, My, Mu) r 0 BwF 0 (32)

(n+n +n )×(q +q +q ) B(θ) ∈ R wd wF d f r , F(θ) (b) = C1(θ) C(θ) C2(θ) Figure 4: Fictitious quadratic H∞ formulation for the ﬁlter design ⎛ ⎞ M M C(θ) M M D (θ)C 0 problem. ⎜ y u y u d wd ⎟ ⎜ ⎟ = ⎝ My Mu C(θ) My Mu Dd(θ)Cwd −CwF⎠ ,

C(θ) Dd(θ)Cwd 0

× C(θ) ∈ R(2qr +m+p) (n+nwd+nwF ), Remark 2. It is clear that a key feature in the proposed for- (33) mulation is the a priori choice of the shaping filters and Wd W . From a practical point of view, it is required that the D(θ) f ⎛ ⎞ residuals r are as “big” and as “fast” as possible, when a fault D (θ) D occurs. Then, if the considered faults manifest themselves in = ⎝ 11 12⎠ low frequencies, this leads to select W f as a low pass filter D21(θ) D22 with the static gain and the cutting frequency, the highest ⎛ ⎞ M M D (θ)D M M D (θ) −I possible. With regards to the robustness objectives, it is re- ⎜ y u d wd y u f qr ⎟ ff =⎜ − − ⎟ quired that the e ects of the disturbances on the residuals ⎝ My Mu Dd(θ)Dwd My Mu D f (θ) DwF Iqr ⎠, are as “small” as possible. This implies to choose the gain of Dd(θ)Dwd D f (θ)0 Wd as “small” as possible in the frequency range where the (2q +m+p)×(q +q +q ) energy content of the disturbances is located. In other words, D(θ) ∈ R r d f r . it is required a high attenuation level of the disturbances on (34) the residuals in the appropriate frequencies (see Section 3 where a practical case is presented). However, both sensitiv- Having in mind the definition of A(θ), B(θ), C(θ), and D(θ), ity to faults and robustness against disturbances might be not it can be noted that the H∞ optimization problem formu- achieved in some cases. Faults having similar frequency char- lated by (30) is non convex since it involves simultaneously acteristics as those of disturbances might go undetected. In the residual structuring matrices M and M and the filter such cases, the proposed formulation provides a framework y u state-space matrices A (θ), B (θ), C (θ), and D (θ). A solu- to find a good balance between fault sensitivity and robust- F F F F tion to this problem may consist in chosen heuristically M ness via the construction of the shaping filters W and W . y d f and M .However,asithasbeenoutlinedin[10], there is no Finally, note that the work reported in [16, 17]couldbean u guarantee to the optimal solution. interesting method to select W and W . d f The following lemma which is an adaptation of Proposi- tion 1 in [8] for our purpose, gives the solution to this problem. The proof is omitted here as it can be found in [8]. 2.2.2. Synthesis of the FDI filter Lemma 2. Let A(Πi), B(Πi), C(Πi), D(Πi) ∀i = 1, ..., N be In the following, a solution is derived in terms of a SDP the evaluation of A(θ), B(θ), C(θ), D(θ) at each vertex Πi of (Semi Definite Programming) problem. To proceed, let the polytope Θ. Assume that C2(θ) and D21(θ) do not depend {Awd, Bwd, Cwd, Dwd} and {AwF, BwF, CwF, DwF} be the state- of θ (see Remark 3 for a discussion about this assumption) and −1 = ⊥ space representations of Wd and WF respectively, and de- let Ns (C2 D21) . Then, there exists a solution of (31) if × × × ∈ nwd nwd qr m qr p note nwd and nwF the associated order, that is, Awd R and only if there exists γ<1 and My ∈ R and Mu ∈ R × ∈ nwF nwF (n+n +n )×(n+n +n ) and AwF R . Using some linear algebra manipula- and two symmetric matrices R ∈ R wd wF wd wF > 0 × tions, it can be verified from (14) that the matrices A(θ), and S ∈ R(n+nwd+nwF ) (n+nwd+nwF ) > 0 solving the following SDP 6 Journal of Control Science and Engineering problem involving 2N +1 LMI constraints: Qext (l/s) 1100 min γ 1050 T A Πi R + RA Πi B1 Πi = 1000 s.t. T < 0, i 1, ..., N B Πi −γI 1 950 (35) 900 ⎛ ⎞ T T 850 T⎜A Πi S + SA Πi SB1 Πi C1 Πi ⎟ 60 70 80 90 100 110 120 130 NS 0 ⎜ ⎟ NS 0 ⎜ T − T ⎟ Time (hours) B1 Πi S γI D11 Πi 0 I ⎝ ⎠ 0 I C1 Πi D11 Πi −γI Figure 5: The time varying parameter Qext(t). < 0, i = 1, ..., N y (36) d P(θ) F(θ) fNH3 z RI + ≥ 0. (37) − r IS u My − Moreover, F(θ) is a full order filter if nF = n + nwd + nwF.The state space realization of the LPV filter F(θ) is then computed Mu using the barycentric coordinates of Θ given by (7),sothat: Figure 6: Filter F(θ(t)) synthesized scheme. A (θ) B (θ) N A Π B Π F F = F i F i βi (38) CF (θ) DF (θ) i=1 CF Πi DF Πi ter 2002, and thanks to a mandatory period of maintenance ∀ = AF (Πi), BF (Πi), CF (Πi),andDF (Πi) i 1, ..., N are the operations, it has been possible to measure and record a set ∀ = state space matrices of the N LTI filters F(Πi) i 1, ..., N of experimental data on the secondary circuit. The aim was that are deduced from the unique solution (R, S, My, Mu, γ) fol- to optimally control hydrazine and pH through an adaptive lowingtheproceduredescribedin[14]. LQG control scheme. The designed controller has been successfully tested under real operational conditions [18]. Remark 3. As it is outlined in Lemma 2, it is required that The dynamics of hydrazine and ammoniac concentra- C2 and D21 do not depend on θ. This assumption is also tions behavior in the secondary circuit of the NPP can be done for NS to be computed. If, by construction, such an expressed as follows: assumption is not verified, the solution consists in post fil- T T T d tering (y u ) by a LTI filter at a high cutting frequency. V N H =−Q (t)· N H + u(t − τ) This solution has already been proposed in [14]. dt 2 4 ext 2 4 d 4 V NH3 = Qext(t) N2H4 − O2 − β· NH3 3. APPLICATION: THE SECONDARY CIRCUIT OF A NPP dt 3 (39) To illustrate the benefits of the proposed approach, experimental results obtained from the secondary circuit of a Nu- V is the circuit’s water volume, Qext the water extraction clear Power Plant (NPP) are provided in this section. flow rate of the condenser and β is a parameter depending In a NPP, the secondary circuit erosion can occur in the of the NPP operating conditions. [N2H4], [NH3], and [O2] steam generators, releasing radio nuclides into the secondary represent hydrazine, ammoniac and oxygen concentrations coolant. This problem is now well understood and has been respectively. u is the flow rates of the pumps used to inject the subject of some studies initiated by EDF (Electricit´ eDe´ hydrazine in the circuit. Moreover, the system present a time France) for its pressurized water reactors (PWR) to overcome delay (τ = 560 s) corresponding to the chemical reaction af- and master the steam generator corrosion problems. The ter the introduction of hydrazine in the circuit. It is assumed main degradation process is to be controlled by careful opti- that the pH is measured, that is, mization of the secondary water chemistry. There is a need to 1 ensure that the optimum secondary chemistry regime is se- pH = 14 + log K NH3 + K [Mo] + npH, (40) 2 b Mo lected and maintained. So, the process of erosion—corrosion of steel piping and other components is of critical impor- where npH denotes the measurement noise, [Mo] also de- tance during operation of a NPP. Feed water pH is adjusted notes the morpholine concentration, Kb and KMo are the ba- by hydrazine, so that the pH is maintained within the limits sicity constants of the ammoniac and morpholine respec- specified by the nuclear authority (norm ISO-14253-1). tively. The NPP under consideration is a 900 MW pressurized Taken into account the dynamical equations (39), it fol- water reactors (PWR), located in France. During the win- lows that Sylvain Grenaille et al. 7

⎛ ⎞ ⎛ ⎞ β 4Qext(t) ⎜− ⎟ 0 f NH3 represent ammoniac sensor faults and f N2H4 hydrazine ⎜ ⎟ ⎝ ⎠ x˙(t) = ⎝ V 3V ⎠ x(t)+ 1 u(t − τ) sensor faults. In this model, the time delay due to actuators Qext(t) 0 − V is approximated using a first order Pade approximation. The V ⎛ ⎞ model (44) corresponds to the model described in Figure 1, ≤ = ≤ 4Qext(t) (41) where 878 θ(t) Qext(t) 1097. It follows that the con- ⎝− ⎠ ={ ≤ ≤ } + 3V O2 (t) sidered polytope Θ θ : 878 θ 1097 becomes a 0 simple segment since dim (θ) = 1. For the FDI purpose, two filters F1(θ)andF2(θ)arecom- 10 nNH (t) y(t) = x(t)+ 3 , puted such that the two residuals r1(t)andr2(t) satisfy the 01 nN2H4 (t) following requirements: (i) r (t) is sensitive to pH sensor faults through the (ficti- where x = ([NH ][NH ])T represents the state vector. 1 3 2 4 tious) ammoniac sensor and robust to hydrazine sen- n represents the measurement noise of the hydrazine sen- N2H4 sor faults. sor. n is the image of the measurement noise of the pH NH3 (ii) r (t) is sensitive to hydrazine sensor faults and robust sensor via the relation (40). Then, since (40)isstaticwewill 2 to ammoniac sensor faults. consider that an ammoniac concentration measure is available through the pH sensor. Characteristics of nNH3 are then This method allows to isolate sensor faults uniquely. deduced from the following equation, which is the inverse of Therefore, we consider a different model for each filter to be (40): synthesized. For the design of F1(θ), the following model is used − − 2[pH 14 npH] − ⎧ ⎛ ⎞ = 10 KMo[Mo] ⎪ β 4θ(t) ⎛ ⎞ NH3 + nNH3 . (42) ⎪ − K ⎪ ⎜ 0 ⎟ 0 b ⎪ ⎜ V 3V ⎟ ⎜ ⎟ ⎪ ⎜ ⎟ ⎜ ⎟ ⎪ ⎜ θ(t) 2 ⎟ ⎜ 1 ⎟ ⎪x˙ = ⎜ 0 − ⎟ x + ⎜− ⎟ u Figure 5 presents the behavior of the time varying param- ⎪ ⎜ ⎟ ⎝ ⎠ ⎪ ⎝ V τV ⎠ V eter Qext(t) during a period of 3 days. We assume here that ⎪ 2 ⎪ − 2 Q (t)isnotaffected by the considered faults. As it can be ⎪ 00 ext ⎪ ⎛ V ⎞ ⎛ ⎞ seen on Figure 5, ( )variesbetween and with: ⎪ 4θ(t) Qext t Qmin Qmax ⎪ ⎜− 000⎟ 0 ⎨ ⎜ ⎟ ⎜ ⎟ ⎜ 3V ⎟ ⎜ ⎟ G (θ): + d1 + ⎝0⎠ f NH3 Q = 878 l/s 1 ⎪ ⎝ 0000⎠ min ⎪ (43) ⎪ 0 Q = 1097 l/s. ⎪ 0000 max ⎪ ⎪ ⎪ 100 0 ⎪y = x + The considered faults are hydrazine sensor faults and pH ⎪ ⎪ 010 0 sensor faults. Note that monitoring of pH sensors is a key ⎪ ⎛ ⎞ ⎪ ⎪ 1 feature for well functioning the overall system. ⎪ 0100 ⎝ ⎠ ⎩⎪ u + d1 + f NH3 , The relation between the ammoniac measurement and 0011 0 the pH measurement is only algebraic (see (41)), then the (45) pH sensor fault is directly transmitted to the ammoniac measurement. Therefore, we can consider an ammoniac sensor where the disturbances vector d1 includes the oxygen con- fault in place of a pH sensor fault. Consequently, the follow- centration, the measurement noises and the hydrazine sensor ing state space representation derived from (42) models the T fault, that is, d1 = [[O2] nNH nN H f N H ] . For the design failing behavior of the secondary circuit (the notations are 3 2 4 2 4 of F2(θ), the following model is retained chosen to be consistent with those used in Section 2): ⎧ ⎛ ⎞ ⎪ β 4θ(t) ⎛ ⎞ ⎧ ⎛ ⎞ ⎪ ⎜− 0 ⎟ ⎪ β 4θ(t) ⎛ ⎞ ⎪ ⎜ 3 ⎟ 0 ⎪ − ⎪ ⎜ V V ⎟ ⎜ ⎟ ⎪ ⎜ 0 ⎟ 0 ⎪ ⎜ ⎟ ⎜ 1 ⎟ ⎪ ⎜ V 3V ⎟ ⎜ ⎟ ⎪ = ⎜ − θ(t) 2 ⎟ ⎜− ⎟ ⎪ ⎜ ⎟ ⎜ ⎟ ⎪x˙ ⎜ 0 ⎟ x + ⎝ ⎠ u ⎪ ⎜ ( ) 2 ⎟ ⎜ 1 ⎟ ⎪ ⎜ V τV ⎟ V ⎪x˙ = ⎜ − θ t ⎟ x + ⎜− ⎟ u ⎪ ⎝ ⎠ ⎪ ⎜ 0 ⎟ ⎝ ⎠ ⎪ 2 2 ⎪ ⎜ V τV ⎟ V ⎪ − ⎪ ⎝ ⎠ ⎪ 00 ⎪ 2 2 ⎪ ⎛ V⎞ ⎛ ⎞ ⎪ 00− ⎪ ⎪ ⎪ 4θ(t) 0 ⎪ ⎛ ⎞ V ⎪ ⎜ 000⎟ ⎜ ⎟ ⎪ 4θ(t) ⎨ ⎜ 3V ⎟ ⎜ ⎟ ⎨ ⎜− ⎟ ⎜ ⎟ ⎜ ⎟ G (θ): + ⎝ 0000⎠ d2 + ⎝0⎠ f N2H4 (46) ( ): ⎜ 3V ⎟ (44) 2 ⎪ G θ ⎪ + ⎜ ⎟ O2 ⎪ ⎪ ⎝ 0 ⎠ ⎪ 0000 0 ⎪ ⎪ ⎛ ⎞ ⎪ ⎪ ⎛ ⎞ ⎪ 0 ⎛ ⎞ ⎪ ⎪ ⎪ 100 ⎜0⎟ ⎪ ⎪ ⎝ ⎠ ⎪ 100 0 nNH3 (t) ⎪ = + ⎝ ⎠ ⎪ = ⎝ ⎠ ⎪y x ⎪y x + u + d1 ⎪ 010 ⎪ 010 0 ⎪ 0 ⎪ nN2H4 (t) ⎪ ⎛ ⎞ ⎪ ⎪ ⎪ ⎪ ⎪ 10 n (t) ⎪ ⎝0101⎠ 1 ⎪ NH3 ⎪ u + d + f , ⎩ + ⎩ 2 1 N2H4 01 nN2H4 (t) 0010 8 Journal of Control Science and Engineering

where the augmented disturbances vector takes into account My1 and My2 are the two components of the structuring ma- T = trix My. the ammoniac sensor faults; d2 O2 nNH3 nN2H4 f NH3 . According to the methodology developed in the Section As it is outlined in Remark 2 an important step in the 2, two polytopic models P1(θ)andP2(θ)arebuiltasillus- proposed method is the choice of the shaping filters Wd and trated on Figure 2. To save place and for a better understand- W f . Similarly to the developments presented in Section 2, ing, the different steps are only detailed for F1(θ). Here, be- Wd is refereed to the robustness objectives against d and W f cause the system is placed in an open-loop control law, it to the sensitivity requirements against f NH3 . Here, due to the follows from G1(θ) that (for clarity the index “1” is ignored definition of d, it is natural to choose Wd such as: from now): W = diag W , W , W , W , W . (50) ⎧ ⎛ ⎞ d u [O2] nNH3 nN2H4 [N2H4] ⎪ ⎪ − β 4θ(t) ⎪ ⎜ 0 ⎟ The weighting functions W , W , W , W , W ⎪ ⎜ V 3V ⎟ u [O2] nNH3 nN2H4 [N2H4] ⎪ ⎜ ⎟ ⎪ ⎜ ⎟ and W f allow to manage separately the robustness objectives ⎪ = ⎜ θ(t) 2 ⎟ ⎪x˙ ⎜ 0 − ⎟ x against u,[O ], n , n , f and f respectively. The ⎪ ⎜ ⎟ 2 NH3 N2H4 N2H4 NH3 ⎪ ⎝ V τV ⎠ ⎪ 2 interested reader can refer to [10]or[19] if necessary. These ⎪ 00− ff ⎪ weighting functions are deduced from an o line spectral ⎪ V ⎪ analysis procedure of available measurements according to: ⎪ ⎛ ⎞ ⎪ ⎛ ⎞ ⎪ − 4θ(t) ⎪ ⎜ 0 000⎟ 3 2 ⎪ ⎜ 3V ⎟ ⎜0⎟ 1+1,7· 10 s ⎪ ⎜ ⎟ ⎜ ⎟ W = γ ⎨ ⎜ 1 ⎟ u u 3 2 + ⎜− 0000⎟ d + ⎝0⎠ f NH3 1+10 s P(θ): ⎝ V ⎠ ⎪ 0 4 ⎪ 20000 1+1,5· 10 s ⎪ W[O ] = γ ⎪ ⎛ ⎞ ⎛ ⎞ 2 [O2] 2 ⎪ 1+10 s ⎪ 100 − ⎪ ⎜ ⎟ ⎜00100⎟ s+2· 10 2 ⎪ y ⎜ ⎟ ⎜ ⎟ = ⎪ = 010 WnNH γn −5 ⎪ ⎝ ⎠ x + ⎝00011⎠ d 3 NH3 s+1· 10 ⎪ u (51) ⎪ · −2 ⎪ 000 10000 s+2 10 ⎪ W = γ − ⎪ nN2H4 nN H 5 ⎪ ⎛ ⎞ 2 4 s+1· 10 ⎪ ⎪ 1 1+103 s ⎪ ⎜ ⎟ W = γ ⎪ ⎜ ⎟ [N2H4] [N2H4] −3 ⎪ + ⎝0⎠ f NH3 , 1+10 s ⎩⎪ 0 = 1 W f γ2 3 . (47) 1+10 s

The parameters γu, γ[O ], γn , γn , γ[N H ] and γ2 allow where d = [u [O ] n n f ]T . Following 2 NH3 N2H4 2 4 2 NH3 N2H4 N2H4 to manage the gain of the weighting functions separately. the developments in Section 2, the fault detector design They are optimized by performing an iterative refinement. problem turns out to be the design of (F(θ), M , M )satis- y u Remember that the goal is to minimize the effects of distur- fying the following objectives: bances on the residual r(t) and maximize the effects of faults on r(t).Thenumericalvaluesofthemhavebeenfixedto Trd(θ) ∞ <γ 1 (48) T (θ) >γ = = −4 = = rf sens 2 γu 0.025, γ[O ] 10 , γn γn 0.1, 2 NH3 N2H4 (52) γ = 2 · 10−5, γ = 2. Figure 6 givesanillustrationofthisproblem. [N2H4] 2 Finally, following the method describes in Section 2, the problem is recasted into the setup depicted in Figure 3 where The method described in Section 2.2.2 is then used to synthesize the filter F(θ), and the structuring matrices M and M . the model P(θ, My, Mu) is defined according to: y u For the SDP optimization problem computation, the SDPT3 solver is used. P θ, My, Mu ⎛ ⎞ To analyze the computed solution, the principal gains k β 4θ(t) 4θ(t) σ(T (jω)) and σ(T f r (jω)) of the closed loop transfers ⎜− 00− 00000⎟ dr NH3 ⎜ V 3V 3V ⎟ k k ⎜ ⎟ T (jω)andT f r (jω) are plotted versus the objectives W ⎜ ⎟ dr NH3 d ⎜ θ(t) 2 1 ⎟ ∈ ⎜ 0 − 0 00000⎟ and W f for some θ Θ (see Figure 7). The notation “k” ⎜ V τV V ⎟ ⎜ ⎟ is introduced to outline that the analysis is performed with ⎜ 2 ⎟ = ⎜ 00− 2 0 00000⎟ respecttoeachcomponentofd. As it can be seen on the fig- ⎜ ⎟ k k ∀ ⎜ τ ⎟ ures, for each synthesis, σ(Tdr(jω)) < σ(Wd (jω)) ω and ⎜ − ⎟ −4 ⎜My1 My2 0 Mu 0 My1 My2 My2 My1 1⎟ σ(T f r (jω)) >σ(W f (jω)) ∀ω ∈ Ω ≈ [0; 10 [rd/s for ⎜ ⎟ NH3 ⎜ ⎟ ⎜ 1 0 00 0 10010⎟ all considered values of θ(t). This indicates that the require- ⎝ 0 1 00 0 01100⎠ ments (48) are satisfied for the considered values of θ and by 0 0 01 0 00000 virtue of Lemma 2, we know that it still yields for all values (49) of θ. Sylvain Grenaille et al. 9

90 −40 80 σ(W[o2](jω)) −60 70 ( ( )) σ WnNH3 jω −80 60 50 − 100 40 −120 30 20 −140 10 σ(Tn r (jω)) σ(T[o ]r (jω)) NH3 −160 2 0 − −180 10 10−4 10−2 10−5 10−4 10−3 Frequency (rd/s) Frequency (rd/s) (a) (b)

−80 40

σ(WnN H (jω)) − 30 2 4 100 σ(W[N2H4](jω)) 20 −120

10 −140 0 −160

−10 σ(TnN H r (jω)) 2 4 σ(T f r (jω)) −180 N2H4 −20 − −30 200 10−4 10−2 10−5 10−4 10−3 Frequency (rd/s) Frequency (rd/s) (c) (d)

10 σ(T (jω)) fNH3 r 5

0 σ(W f (jω))

−5

−10

−15

10−5 10−4 10−3 Frequency (rd/s) (e)

k Figure 7: Behavior of the principal gains of the closed loop transfers T (jω)andT f r (jω) versus the shaping objective ﬁlters (in dB). dr NH3

Simulation results and t = 125 hours for the hydrazine sensor is made. Figures 8, 9 and 10 illustrate the behavior of the residual signals r1(t) The FDI unit is implemented within the simulator of the and r2(t) in both fault free and faulty situations for the afore- secondary circuit. For simulating faults, a variation of ten mentioned period of 3 days. As expected, it can be seen from percent of sensors measurements between t = 80 hours and ﬁgures that r1(t) is only sensitive to pH sensor faults and r2(t) t = 85 hours for the pH sensor and between t = 120 hours is only sensitive to hydrazine sensor faults. 10 Journal of Control Science and Engineering

× −5 × −5 10 Fault free situation 10 Hydrazine sensor fault 1 1 0 0 ) )

t − t − ( 1 ( 1 1 1 r −2 r −2 −3 −3 60 70 80 90 100 110 120 130 60 70 80 90 100 110 120 130 Time (hours) Time (hours) (a) (a)

×10−7 −9 ×10 3 4 2 )

2 t (

) 1 2 t r ( 0 2 0 r −2 −4 60 70 80 90 100 110 120 130 60 70 80 90 100 110 120 130 Time (hours) Time (hours) (b) (b) Figure 10: Behavior of r (t), i = 1, 2 and the decision test-hydrazine = i Figure 8: Behavior of ri(t), i 1, 2 and the decision test-fault-free sensor fault (120 h–125 h). situation.

− ×10 5 pH sensor fault 1 bustness speciﬁcations and a new index, that is, the Hsens 0 index, which is deduced from the H-norm for LTI systems, )

t − is introduced for fault sensitivity speciﬁcations. As a result,

( 1 1 r −2 various design goals and trades-oﬀ can be formulated and −3 managed in a systematic way by means of some high level 60 70 80 90 100 110 120 130 design parameters formulated in terms of dynamic weight- Time (hours) ing functions. A key feature of the proposed technique is (a) that the remaining control and measurement canals are optimally merged to build the fault indicating signals. The re- ×10−9 sulting static matrices are also optimized via LMI together 4 with the dynamic FDI ﬁlter. The proposed technique is also 2 appropriate for fault diagnosis in nonlinear systems which ) t

( 0 ﬃ

2 can be approximated e ciently by LPV models to cover a r −2 wider range of operating, and to cope with rapid parameter −4 60 70 80 90 100 110 120 130 variations. The method has been successfully applied to ex- Time (hours) perimental data set coming from the secondary circuit of a nuclear power plant in France. (b)

Figure 9: Behavior of ri(t), i = 1, 2 and the decision test-pH sensor ACKNOWLEDGMENT fault (80 h–85 h). The authors would like to thank Prof. Kemin Zhou for his valuable comments and suggestions that help us to clarify Finally, a sequential Wald decision test is also imple- some key features. mented within the simulator to make a final decision about the faults. The probabilities of non-detection and false alarms REFERENCES have been fixed to 0.1%. The results are presented in Figures 8, 9 and 10. As it can be seen, all faults are successfully de- [1] J. Chen and R. J. Patton, Robust Model-Based Fault Diagnosis tected and isolated. for Dynamic Systems, Kluwer Academic, Norwell, Mass, USA, 1999. [2] P. Frank, S. Ding, and B. Koppen-Seliger,¨ in Proceedings of the 4. CONCLUSION 4th Symposium on Fault detection, Safety and Supervision of Technical Processes (SAFEPROCESS ’00), pp. 16–27, Budapest, The problem which is addressed in this paper is that of de- Hungary, June 2000, IFAC. signing FDI filters for dynamic systems that can be described [3] V. Venkatasubramanian, R. Rengaswamy, K. Yin, and S. N. by LPV polytopic models. The method can be seen as a gen- Kavuri, “A review of process fault detection and diagnosis— eralization of the well known H∞/H− setting for LTI systems. part I: quantitative model-based methods,” Computers & The H∞ norm for LPV systems is used to formulate the ro- Chemical Engineering, vol. 27, no. 3, pp. 293–311, 2003. Sylvain Grenaille et al. 11

[4] A. E. Marcos, A linear parameter varying model of the boeing 747-100/200 longitudinal motion, Ph.D. thesis, University of Minesota, Minneapolis, Minn, USA, 2001. [5] F. Bruzelius, S. Pettersson, and C. Breitholtz, “Linear parameter-varying descriptions of nonlinear systems,” in Proceedings of the American Control Conference, vol. 2, pp. 1374–1379, Boston, Mass, USA, June-July 2004. [6] J. Bokor and G. Balas, “Detection filter design for LPV systems—a geometric approach,” Automatica,vol.40,no.3, pp. 511–518, 2004. [7] M. Rodrigues, D. Theilliol, and D. Sauter, “Design of a robust polytopic unknown input observer for FDI: application for systems described by a multi-model representation,” in Pro- ceedings of the 44th IEEE Conference on Decision and Control and European Control Conference (CDC-ECC ’05), pp. 6268– 6273, Seville, Spain, December 2005. [8] D. Henry and A. Zolghadri, “Robust fault diagnosis in uncertain linear parameter-varying systems,” in Proceedings of the IEEE International Conference on Systems, Man and Cybernet- ics (SMC ’04), vol. 6, pp. 5165–5170, The Hague, The Nether- lands, October 2004. [9] S. X. Ding, T. Jeinsch, P. M. Frank, and E. L. Ding, “A unified approach to the optimization of fault detection systems,” In- ternational Journal of Adaptive Control and Signal Processing, vol. 14, no. 7, pp. 725–745, 2000. [10] D. Henry and A. Zolghadri, “Design and analysis of robust residual generators for systems under feedback control,” Au- tomatica, vol. 41, no. 2, pp. 251–264, 2005. [11] D. Henry and A. Zolghadri, “Design of fault diagnosis filters: a multi-objective approach,” Journal of the Franklin Institute, vol. 342, no. 4, pp. 421–446, 2005. [12] M. L. Rank and H. Niemann, “Norm based design of fault detectors,” International Journal of Control,vol.72,no.9,pp. 773–783, 1999. [13] A. Saberi, A. A. Stoorvogel, P.Sannuti, and H. Niemann, “Fun- damental problems in fault detection and identification,” In- ternational Journal of Robust and Nonlinear Control, vol. 10, no. 14, pp. 1209–1236, 2000. [14] P. Apkarian, P. Gahinet, and G. Becker, “Self-scheduled H ∞ control of linear parameter-varying systems: a design example,” Automatica, vol. 31, no. 9, pp. 1251–1261, 1995. [15] J. M. Biannic, Commande robuste des systèmes a` paramètres variables. Application en aéronautique, Ph.D. thesis, Centre d’etudes´ et de Recherche de Toulouse, Department DERA, Toulouse, France, 1996. [16] E. Frisk and L. Nielsen, “Robust residual generation for diagnosis including a reference model for residual behavior,” Au- tomatica, vol. 42, no. 3, pp. 437–445, 2006. [17] A. Varga, “Numerically reliable methods for optimal design of fault detection filters,” in Proceedings of the 44th IEEE Con- ference on Decision and Control and European Control Confer- ence (CDC-ECC ’05), pp. 2391–2396, Seville, Spain, December 2005. [18] F. Marshall, A. Zolghadri, and S. Ygorra, “Mise en œuvre d’une commande optimale en vue de controlerˆ le pH et les parametres` chimiques qui participent au maintien des conditions de corrosion minimum dans le circuit secondaire d’une centrale nucleaire´ de type REP,” Internal Report, LAPS-EDF, Bordeaux, France, 2002. [19] D. Henry and A. Zolghadri, “Norm-based design of robust FDI schemes for uncertain systems under feedback control: comparison of two approaches,” Control Engineering Practice, vol. 14, no. 9, pp. 1081–1097, 2006. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 152030, 10 pages doi:10.1155/2008/152030

Research Article Design and Assessment of a Multiple Sensor Fault Tolerant Robust Control System

S. S. Yang1 and J. Chen2

1 Department of Electrical Engineering, University of Malaya, 50603 Kuala Lumpur, Malaysia 2 School of Engineering and Design, Brunel University West London, Uxbridge, Middlesex UB8 3PH, UK

Correspondence should be addressed to J.Chen, [email protected]

Received 29 December 2006; Revised 21 September 2007; Accepted 12 December 2007

Recommended by Jakob Stoustrup

This paper presents an enhanced robust control design structure to realise fault tolerance towards sensor faults suitable for multi- input-multioutput (MIMO) systems implementation. The proposed design permits fault detection and controller elements to be designed with considerations of stability and robustness towards uncertainties, besides multiple faults environment on a common mathematical platform. This framework can also cater to systems requiring fast responses. A design example is illustrated with a fast, multivariable, and unstable system, that is, the double inverted pendulum system. Results indicate the potential of this design framework to handle fast systems with multiple sensor faults.

Copyright © 2008 S. S. Yang and J. Chen. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION 1.1. Integrating control and fault detection in FTCS

An integrated approach [8–11] where fault detection and Growing demands for plant or system availability, reliability, controller elements are designed with consideration to the and survivability have prompted active research in fault tol- overall system stability or interaction is favourable as the re- erant control systems (FTCSs) [1, 2]. FTCSs are designed to liability of operation can be determined in a mathematically accommodate component faults automatically by ensuring sound setting oﬀering fast control responses in addition to overall system stability and acceptable performance. A typi- the availability of the established solution for incorporating cal FTCS design incorporating separate control and fault de- robustness towards uncertainties. tection elements can achieve fault tolerance objectives, but In this paper, a robust controller-based MIMO FTCS without due considerations given to signiﬁcant interactions which integrates the fault detection and controller elements between the elements such as those described in [3, 4]. In in a single design is presented. A fault indicating residual addition, addressing issues concerning uncertainties is cru- is utilised as a function of control. The residual signals act cial as practical problems associated with variations in actual as weighting factors, which put corresponding emphasis on plant operating range are undesirable. nominal controller and fault accommodating controller. The Fault detectors are typically based upon the use of pro- FTCS structure proposed allows the plant to be controlled cess models [5–7]. Data from the monitored plant is input by a nominal controller that ensures the achievement of best to these algorithms and the outputs are compared with the performance objectives, when sensor faults and uncertainties corresponding plant outputs. If there are discrepancies, then are not present, while preserving the stability at a lower de- it is an indication that at least one fault has occurred. The gree of system performance in the presence of major sensor model-based approach to designing sensor FTCS employs faults [11, 12]. The proposed structure can handle systems mathematical manipulation of available signals, that is, an- with fast responses, multiple sensor faults, and modelling un- alytical redundancy, via suitably designed controllers to ac- certainties. commodate for faults rather than using extra hardware (sen- Note that purely robust control-based FTCS such as de- sors/actuators). scribed in [13, 14] ensures robustness towards minor faults 2 Journal of Control Science and Engineering only; faults are modelled as very small perturbations on the The variable y(s) denotes all available sensor outputs. When system. As demonstrated by [13, 14], it is not possible for output sensor faults occur in the plant as shown in (5), the a purely robust control structure to maintain high perfor- measured outputs become mance, when faults are not present as they are designed using = worst case criterion. y (s) y(s)+ fs(s). (7)

Due to the existence of fault represented by fs(s), a conven- 2. PROBLEM STATEMENT tional controller cannot usually satisfy required performance and the closed-loop control system may even become un- Assuming that the MIMO plants and controllers are de- stable. A sensor fault-compensating controller can be intro- scribed mathematically in state-space form as follows: duced to augment a nominal controller designed for best per- x˙(t) = Ax(t)+Bu(t), formance. However, since the structure of the system as seen in Figure 1 is virtually an internal model controller [15], con- = (1) y(t) Cx(t)+Du(t), ditions for physical realizability need to be observed. To ensure that the fault-compensating controller, Q is well defined where x ∈ Rn is state vector, u ∈ Rl is the input vector, while and proper, the transfer matrix representation from f (s)to y ∈ Rm is the measured output vector. s controller output u(s) must exist and is also proper. There- A, B, C,andD are known matrices with appropriate di- fore, mensions related to the system dynamics. In addition, σ(M) denotes the largest singular value of M. H∞ denotes the Ba- = fs(s) Ws(s) fs (s). (8) nach space of bounded analytic functions with the ∞ norm = ∈ By appropriate use of input weight, W (s), the input f (s)can defined as F ∞ supωσ(F(jω)) for any F H∞. s s be normalised and transformed into the physical input, fs(s). Definition 1. All MIMO transfer matrix representations have Consideration of such sensor fault models has been shown to appropriate dimensions and are proper real-rational matri- be suitable for use in formulating the FTCS objectives for the ces, stabilisable, and detectable. A state space rational proper rejection of sensor faults as an optimisation problem. Uncer- transfer function is denoted by tainties affecting the sensors can also be classified as a subset of fs(s). Figure 1 shows the block diagram illustrating the AB − G(s) = = C(sI − A) 1B + D. (2) interconnections assumed for the formulation H∞ problem CD associated with the proposed FTCS design. Furthermore, let P be a block matrix, 2.2. Fault indicating residuals P P P = 11 12 . (3) The presence of sensor faults and uncertainty vectors defined P P 21 22 in Section 2.1 can be reflected by a fault indicating residual, Therefore, the linear fractional transformation of P over F is since a filtered estimation can be obtained via coprime fac- defined as torisation of the plant model, Gp(s)[11, 12]. Let −1 = −1 Fl(P, F) = P11 + P12F(I − P22F) P21,(4) Gp(s) M (s)N(s). (9) where F is assumed to have appropriate dimensions and Hence, from (8)and(9), the fault indicating residual denoted −1 (I − P22F) is well defined. by fr (s) can be defined as fr (s) = N(s)u(s) − M(s)y (s) 2.1. Sensor faults defined = N(s)u(s) − M(s) y(s)+ fs(s) (10) Sensor fault symptoms can be observed as measurements =− that are unavailable, incorrect, or unusually noisy. These M(s)Ws(s) f (s). faults may occur individually or concurrently or simultaneously, resulting in total system failure or degradation in 2.3. Integrating the controller element performance. Significant information about the influence of Now, since f (s) reflects the presence of faults and uncer- faults on a process cannot be known without the inclusion r tainty, it can be utilised as an input to the fault compensating of its model in the design. Additive faults provide a suitable controller. The perturbations caused can then be minimised framework for sensor faults and are modelled as additional by control actions due to the nominal controller and fault input signals to a system [5], compensating controller. The control signal vector can be ex- x˙(t) = Ax(t)+Bu(t), pressed as follows: = (5) y (t) Cx(t)+Du(t)+ fs(t), u(s) = uk(s)+uq(s), (11) m where fs(t) ∈ R denote sensor faults. Hence where

y(s) = Gp(s)u(s). (6) uk(s) = K(s)e(s) (12) S. S. Yang and J. Chen 3

and uk(s) denotes nominal controller (K(s)) output, and fs (s) z(s) uq(s) denotes sensor fault compensator (Q(s)) output. Error Ws(s) W ftc(s) from feedback is denoted by e(s)wherebyr(s) denotes input r(s) + fs(s) demand. Thus, from (10), fr (s) is utilised in the following uk(s) u(s) y(s) K(s) Gp(s) + manner: + + u (s) q y (s) = =− uq(s) Q(s) fr (s) Q(s)M(s)Ws(s) fs (s). (13) Q(s)

From (6), (7), and (8), e(s) can be expressed as N (s) + fr (s) − e(s) = r(s) − y (s) M(s)

= r(s) − y(s) − fs(s) (14) = − − r(s) Gp(s)u(s) Ws(s) fs (s). Figure 1: Block diagram representation of H∞ problem formulation for the proposed FTCS design. By substituting (12), (13), and (14) into (11), the following is derived: z(s) −1 u(s) = I + K(s)G (s) fs (s) p P f (s) × − K(s)r(s) K(s)+[Q(s)M(s)] Ws(s) f s(s) . (15) uq(s) fr (s)

Thus, Q(s)

−1 y (s) = Gp(s)(I + K(s)Gp(s)) Figure 2: The LFT representation of the proposed FTCS. × − K(s)r(s) K(s)+[Q(s)M(s)] Ws(s) f s(s) . (16)

The plant output expression in (16) shows that in the absence stable with respect to norm-bounded matrix perturbation of sensor faults and uncertainties, the output closed-loop sys- [16]. The equivalent linear fractional transformation (LFT) tem is only reliant on the nominal controller K(s), allowing block diagram for the H∞ problem stated above is shown in for high performance during healthy operation. Note that the Figure 2. fault detection scheme generating the above-mentioned fault Thus, indicating residual does not need to be made robust, since the fault indicating residual is mainly used as an activating signal z(s) P (s) P (s) f (s) = 11 12 s . (18) for Q(s). It is thus not essential to identify nor to estimate the f (s) P (s) P (s) u (s) r 21 22 q source of the faults, hence even if the presence of fr (s)isdue to uncertainties and not faults in the sensors, Q(s)willstill Ps(s) provide the necessary control signals to compensate for such perturbations thereby introducing robustness to the system. From (10), P21 and P12 can be derived as

2.4. Sensor fault compensator realisation P (s) =−M(s)W (s), 21 s (19) P (s) = 0. The sensor fault compensator Q(s) is integrated into the 12 framework by utilising fr (s) as a function of control. The design Q(s) is achieved with the H∞ technique. A perfor- Now, note that mance weights Wftc(s) can be defined to establish postfault performance requirements, which emphasise on stabil- u (s) = K(s) r(s) − y(s) k ity rather than high performance. The corresponding solu- = K(s) r(s) − G (s)u(s) − W (s) f (s) tion for achieving Q(s) is by minimising the following opti- p s s = − − misation criterion: K(s)r(s) K(s)Gp(s) uk(s)+uq(s) K(s)Ws(s) fs (s), (20) = γ min Fl[P f (s), Q(s)] ∞. (17) Q(s) and thus, Therefore, the standard H∞ problemisspecifiedin(17)for which the corresponding transfer functions from fs (s)to −1 uk(s) = I + K(s)Gp(s) K(s)r(s) z(s) must satisfy. If the controller Q(s)in(17) is found, then the closed-loop system is said to have robust performance − −1 I + K(s)Gp(s) K(s)Ws(s) fs (s) (21) towards uncertainty and sensor faults; it is well known that a − −1 system satisfies robust performance if and only if it is robustly I + K(s)Gp(s) K(s)Gp(s)uk(s). 4 Journal of Control Science and Engineering

Also θ1 θ2 z(s) = Wftc(s)y (s) θ1 = Wftc(s) Gp(s)u(s)+Ws(s) fs (s) Upper arm = Wftc(s)Gp(s)uk(s) (22) Lower arm

+ Wftc(s)Gp(s)uq(s) Servo motor Cart u + Wftc(s)Ws(s) fs (s).

Substituting (21) into (22), Track

−1 z(s) = Wftc(s)Gp(s) I+K(s)Gp(s) K(s)r(s) xc − −1 Wftc(s)Gp(s)(I+K(s)Gp(s)) K(s)Gp(s)uq(s) Figure 3: Schematic diagram of the pendulum system. −1 + Wftc(s)Gp(s)uq(s) − Wftc(s)Gp(s)(I + K(s)Gp(s)) × K(s)Ws(s) fs (s)+Wftc(s)Ws(s) fs (s). (23) ear, and unstable process. The pendulum system is a standard classical control test rig for the verification of different Ignoring the reference input r(s),wehave control methods, and is among the most difficult systems to −1 control in the field of control engineering. Similar to the sin- P11(s) =−Wftc(s)Gp(s) I + K(s)Gp(s) gle inverted pendulum problem, the control task for the dou- × ( ) ( )+ ( ) ( ) K s Ws s Wftc s Ws s ble inverted pendulum is to stabilise the two pendulums. The −1 = Wftc(s) I − Gp(s) I + K(s)Gp(s) K(s) Ws(s) position of the carriage on the track is controlled quickly and − accurately, so that the pendulums are always erected in their = 1 Wftc(s) 1+Gp(s)K(s) Ws(s), inverted position during such movements. −1 P12(s) =−Wftc(s)Gp(s) I + K(s)Gp(s) The double inverted pendulum system is made up of two × K(s)G (s)+W (s)G (s) aluminium arms connected to each other with the lower arm p ftc p attached to a cart placed on a guiding rail, as illustrated in −1 = Wftc(s) I − Gp(s) I + K(s)Gp(s) K(s) Gp(s) Figure 3. Data used in this case study has been obtained from −1 [9]. The aluminium arms are constrained to rotate within a = W (s) 1+G (s)K(s) G (s). ftc p p single plane and the axis of rotation is perpendicular to the (24) direction of the force acting on the cart motion f .Thecart Note that the following matrix operation (Zhou, Doyle & can move along a linear low-friction track and is moved by a Glover, 1996, page 23) has been used in the derivation of belt driven by a servo motor system. Sensors providing mea- (24): surements of cart position xc, the pendulums angles θ1 and θ2, controller output, u, and motor current i are assumed −1 −1 − −1 −1 −1 A11 + A11 A12(A22 A21A11 A12) A21A11 available for the purpose of control. The control law has to (25) regulate the lower-arm angle and upper-arm angle, θ1 and = − −1 −1 (A11 A12A22 A21) . θ2, respectively, from an initial condition, and the control of the position of the cart xc from an initial position. With the conditions laid out, the closed-loop system shown above is guaranteed to be tolerant to sensor faults and modelling uncertainty, stable for any nonlinear, time varying, and 3.2. Nominal high-performance controller stable K(s)andQ(s) due to the minimisation of the transfer An H∞ loop shaping controller, as high-performance nomi- matrix between fault-generating signal fs (s) to the performance evaluation signal z(s). nal controller K for the MIMO system, is designed using the MATLAB command ncfsyn.m. The specification function Wp 3. A NUMERICAL SIMULATION EXAMPLE is augmented to K in the manner shown in Figure 4.Sensors for detecting ex (cart positional error), θ1 and θ2,arefault An experimental study of the FTCS implementation on a prone sensors. Motor voltage and current are denoted by u double inverted pendulum system for tolerance towards sen- and i, respectively. The controller output variable is the cor- sor faults is shown next to illustrate the feasibility of the pro- responding motor voltage demand u. The controller perfor- posed design method. The implementation is tested for fault mance was tested on the SIMULINK model of the double tolerance towards sensors in nominal and under plant uncer- inverted pendulum. Initial conditions are with θ1 = 0.05 rad tainty conditions. and θ2 =−0.04 rad. The cart movement command signal rc is initiated at 0.5mandat−0.5 m after 50 seconds, is shown 3.1. The double inverted pendulum system in Figure 5, while system responses are shown in Figure 6. It is observed that the output responses are within limits The double inverted pendulum system is an example of a of specifications, and the cart position set points have been chaotic system. The system is a fast, multivariable, nonlin- achieved in a stable and smooth manner. S. S. Yang and J. Chen 5

ex 1 θ1 u ( ) θ1 − θ2 Wp s K (m) 0

u c i x −1 Figure 4: The H∞ loop-shaping controller K with speciﬁcation function. 0.2

1 (rad) 0 1 θ

0.5 −0.2 0.1 (m) 0 c r

(rad) 0

− 2

0.5 θ

−0.1 −1 0102030405060708090100 0 20 40 60 80 100 Time (s) Time (s) Figure 6: System responses with K implementation (position of Figure 5: Command signal requiring the cart to move from 0.5 m cart xc is shown instead of cart position error ex). to −0.5m.

u 3.3. FTCS design and implementation

The nominal model of the double inverted pendulum model Left comprimes is described by its left coprime factors to ensure well posed- of nominal fex ness. The double inverted pendulum model without mod- double inverted Sensor fault pendulum f elling uncertainty is considered for the representation of θ1 compensator model Q the nominal plant in the fault indicating residual generator N, M fθ2 setup. Fault indicating residuals are denoted by fθ1, fθ2 and fex for faults in the corresponding sensors. The interconnection of the system is setup and the design of the controller sensor fault compensating controller, u Q is automated with the command hinfsyn.m provided in ex q θ1 ∞ + MATLAB’s μ-analysis and synthesis toolbox [17], which itera- H loop uk u tively solves the optimisation criterion set out in (17). When shaping θ2 + controller γ value of below 1 is obtained, the solution of a satisfactory u is used. This condition is only met with relaxations to the Q i effects of additive faults, as it is obvious that total failure cannot be handled. Note that the performance weights Wftc(s) Figure 7: Block diagram of sensor fault compensator Q augmented (shown in the appendix) to establish postfault performance to nominal controller K in the FTCS structure. requirements reuse the elements in the original specification function Wp, which are related to the fault prone sensors, that is, sensors providing measurements of cart position xc, Nominal response, without modelling uncertainties and the pendulums angles θ1 and θ2. The block diagram showing sensor faults the augmentation of Q to nominal controller K is illustrated in Figure 7. Nominal performances of all controllers for healthy system are recorded in Figure 8. Apparently the proposed FTCS pro- 3.4. Tests and results duces faster cart positioning response compared to all other control system responses, initiating slightly higher over- The following responses have been recorded from testing the shoots in θ1 and θ2. FTCS by simulating the occurrence of faults in the relevant sensors. Sensor effectiveness indicating faults are simulated Multiple sensor faults without plant uncertainty as deterioration of performance; 0%: no fault, 100%: total failure. Results are shown for conditions with and with- Multiple sensor faults are assumed to occur at 2, 4, and 6 out modelling uncertainty. Responses of the inverted dou- seconds after the simulation has been initiated (ex at 90% ble pendulum system performances with the proposed FTCS, deterioration, θ1 at 20% deterioration, and θ2 at 10% deteri- H∞,andμ controllers are recorded for comparison purposes. oration, resp.). The output responses are shown in Figure 9. 6 Journal of Control Science and Engineering

1 Observe that the proposed FTCS and the μ controller handled the faults and managed to achieve satisfactory control

(m) 0

c responses. However, stability could not be maintained by the x H∞ controller. −1 0.2 Multiple sensor faults with plant uncertainty Tests for control systems to handle system uncertainty and

(rad) 0 1

θ multiple sensor faults were also performed. Conditions were −0.2 made similar to the tests performed for the nominal system with multiple sensor faults. The supremacy of the proposed 0.1 FTCS to accommodate for faults even under the inﬂuence of system uncertainties is seen in Figure 10.

(rad) 0 2 The H∞ controller could not handle this mode of fault θ and oscillates beyond control as shown. Meanwhile, both the −0.1 0102030405060708090100 proposed FTCS and the μ controller handled the fault satis- Time (s) factorily. (a) Further discussion 1 Overall, the proposed FTCS has managed to handle all pre-

(m) 0

c and postfault conditions satisfactorily, while maintaining the x highest level of stability in all test scenarios. Although it −1 seems that the μ controller could handle faults and modelling 0.2 uncertainty as well as the proposed FTCS, it could not handle certain cases of single faults such as the cases shown in ﬀ (rad) 0 Figure 11 for the e ect of θ2 sensor fault at 10% deteriora- 1 θ tion. Responses of μ control system is too oscillatory and un- −0.2 stable. 0.1 4. CONCLUSION

(rad) 0 2

θ The proposed FTCS has been observed to have managed all faults simulated in the nominal performance tests, while the −0.1 0102030405060708090100 two other control systems could not consistently maintain Time (s) stability in a majority of fault scenario. Robust performance (b) assessments showing the performance of the control systems when faced with system uncertainty in addition to sensor 1 faults were also simulated. Again, it is observed that fault tolerance capability of the proposed FTCS has been maintained. (m) 0 c

x The proposed improvement to the model-based FTCS structure provides a potential framework for the realisation of an −1 integrated MIMO FTCS. This design framework is suitable as 0.2 it inherently incorporates fault residuals as feedback and allows the application of established robust MIMO control de-

(rad) 0 sign concept. The test results show the capability of the pro- 1 θ posed FTCS to maintain availability and an acceptable level −0.2 of performance for multiple deteriorated sensor conditions. 0.1 APPENDIX

(rad) 0 2 θ Transfer matrix of Q: −0.1 uq(s) α 0102030405060708090100 = 1 , Time (s) fex(s) β1 uq(s) uq(s) α (c) = = 2 , (A.1) fθ1−θ2(s) fθ3(s) β2 Figure 8: Nominal double inverted pendulum system responses of uk(s) α3 all controllers under healthy conditions. (a) —- FTCS, (b) ... H∞ = , controller, and (c) ---μ controller. fex(s) β3 S. S. Yang and J. Chen 7

1 1 (m) (m) 0 0 c c x x

−1 −1 0.2 0.2 (rad) (rad) 0 0 1 1 θ θ

−0.2 −0.2 0.1 0.1 (rad) (rad) 0 0 2 2 θ θ

−0.1 −0.1 0 20 40 60 80 100 120 140 160 180 200 0 20 40 60 80 100 120 140 160 180 200 Time (s) Time (s) (a) (a) 1 1 (m) (m) 0 0 c c x x

−1 −1 0.2 0.2

(rad) 0

(rad) 0 1 1 θ θ

−0.2 −0.2 0.1 0.1 (rad) (rad) 0 0 2 2 θ θ

−0.1 −0.1 0 20 40 60 80 100 120 140 160 180 200 0 20 40 60 80 100 120 140 160 180 200 Time (s) Time (s) (b) (b) 1 1 (m) (m) 0 0 c c x x

−1 −1 0.2 0.2 (rad) (rad) 0 0 1 1 θ θ

−0.2 −0.2 0.1 0.1 (rad) 0 (rad) 0 2 2 θ θ

−0.1 −0.1 0 20 40 60 80 100 120 140 160 180 200 0 20 40 60 80 100 120 140 160 180 200 Time (s) Time (s) (c) (c)

Figure 9: System responses of all controllers under multiple sensor Figure 10: System responses of all controllers under multiple sensor fault condition, without modelling uncertainty. (a) —- FTCS, (b) fault condition with modelling uncertainty. (a) —- FTCS, (b) ...H∞ ...H∞ controller, and (c) ---μ controller. controller, and (c) ---μ controller. 8 Journal of Control Science and Engineering

7 6 5 4 1 where α1 = (0.0001s + 0.0025s + 0.0465s + 0.3162s + 3 2 7 1.5660s + 2.5422s + 1.0939s − 0.1242), β1 = 0.0004s +

(m) 0 6 5 4 3 2

c 0.0088s +0.1299s +0.6940s +2.8528s +3.3483s +2.4253s+ x −3 7 6 5 0.1423, α2 = 10 ( − 0.0001s − 0.0032s − 0.0603s − − 4 3 2 1 0.3832s − 1.8085s − 2.176s − 0.9779s + 0.0841), β2 = 7 6 5 4 3 2 0.2 0.0004s +0.0088s +0.1299s +0.6940s +2.8528s +3.3483s + 7 6 5 2.4253s + 0.1423, α3 = (0.0001s + 0.0016s + 0.0223s + 4 3 2 =

(rad) 0 0.1791s +0.8204s +1.9258s + 1.7793s + 0.2839), β3

1 7 6 5 4 3 2 θ 0.0006s +0.0137s +0.1474s +0.8104s +2.8431s +4.6326s + −0.2 3.8566s +1.5476. Transfer matrix of K: 0.1 u (s) α k = 4 , (rad) 0

2 ex(s) β4 θ uk(s) α5 −0.1 = , 0 20 40 60 80 100 120 140 160 180 200 θ1(s) β5 Time (s) u (s) α k = 6 , (A.2) (a) θ3(s) β6 1 u (s) α k = 7 , u(s) β7

(m) 0 c u (s) α8 x k = , i(s) β8 −1 7 6 5 4 0.2 where α4 = (0.0001s + 0.0016s + 0.0223s + 0.1791s + 3 2 7 0.8204s +1.9258s + 1.7793s + 0.2839), β4 = 0.0006s + 6 5 4 3 2 (rad) 0 0.0137s +0.1474s +0.8104s +2.8431s +4.6326s +3.8566s+ 1

θ 7 6 5 4 3 1.5476, α5 = (0.003s +0.061s +0.740s +4.942s +17.436s + − 2 7 6 5 0.2 26.050s +16.23s+4.898), β5 = 0.0006s +0.0137s +0.1474s + 4 3 2 = − 0.1 0.8104s + 2.8431s +4.6326s +3.8566s +1.5476, α6 ( 0.005s7 − 0.115s6 − 1.333s5 − 8.249s4 − 25.938s3 − 35.97s2 − 21 914 − 6 633), = 0.0006 7 + 0.0137 6 + 0.1474 5 + (rad) 0 . s . β6 s s s

2 4 3 2 θ 0.8104s + 2.8431s +4.6326s +3.8566s +1.5476, α7 = − 7− 6− 5− 4− 3− −0.1 ( 0.00006s 0.00149s 0.01616s 0.08897s 0.30832s 0 20 40 60 80 100 120 140 160 180 200 2 7 6 0.49612s − 0.40571s − 0.16099), β7 = 0.0006s + 0.0137s + Time (s) 0.1474s5 + 0.8104s4 + 2.8431s3 +4.6326s2 +3.8566s +1.5476, 7 6 5 4 (b) α8 = ( − 0.00006s − 0.00159s − 0.01862s − 0.06867s − 3 − 2 − − = 7 1 0.10104s 0.04271s 0.01119s 0.01105), β8 0.0006s + 0.0137s6 +0.1474s5 +0.8104s4 +2.8431s3 +4.6326s2 +3.8566s+

(m) 0 1.5476. c x Postfault performance weight matrix: −1 ⎡ ⎤ We 00 0.2 ⎢ ⎥ Wp = ⎣ 0 Wθ1 0 ⎦ ,(A.3) 00Wθ2

(rad) 0 1 θ where −0.2 (i) We = 25/(50s + 1) denotes the performance weight 0.1 related to ex; (ii) Wθ1 = 50/(s + 10) denotes the performance weight re-

(rad) 0

2 lated to θ1; θ (iii) Wθ2 = 45/(s + 10) denotes the performance weight re- −0.1 0 20 40 60 80 100 120 140 160 180 200 lated to θ2. Time (s) The performance function of the signals provided is (c) weighted to characterise the following limits:

Figure 11: System responses of all controllers under θ2 sensor fault (i) limiting cart position tracking error ex at 0 m at high at 10% deterioration, without uncertainties. (a) —- FTCS, (b) ... frequency and relaxed for low frequency at a maxi- H∞ controller, and (c) ---μ controller. mum error of 0.04 m; S. S. Yang and J. Chen 9

fs (s) z(s) Finally, the closed-loop interconnection with Q(s) is P f (s) shown as in Figure 14.

uq(s) fr (s) ACKNOWLEDGMENTS Figure 12 The authors gratefully acknowledge funding from Brunel fs (s) z(s) University and the University of Malaya in order to complete this work. Ws(s) Wftc(s)

+ fs(s) uk(s) u(s) y(s) REFERENCES K(s) Gp(s) + + + u (s) q y (s) [1] M. Blanke, M. Staroswiecki, and N. E. Wu, “Concepts and methods in fault-tolerant control,” in Proceedings of the Amer- ican Control Conference (ACC ’01), vol. 4, pp. 2606–2620, Ar- N (s) lington, Va, USA, June 2001. fr (s) + − [2] R. J. Patton, “Fault-tolerant control: the 1997 situation,” in M(s) Proceedings of the IFAC Symposium on Fault Detection, Super- vision and Safety for Technical Processes (SAFEPROCESS ’97), vol. 2, pp. 1033–1055, Hull, UK, August 1997. Figure 13 [3] M. Gopinathan, R. K. Mehra, and J. C. Runkle, “Hot isostatic pressing furnaces: their modeling and predictive fault-tolerant z(s) control,” IEEE Control Systems Magazine,vol.20,no.6,pp. fs (s) P f (s) 67–82, 2000. [4] M. R. Napolitano, Y. An, and B. A. Seanor, “A fault tolerant

uq(s) fr (s) ﬂight control system for sensor and actuator failures using neural networks,” Aircraft Design, vol. 3, no. 2, pp. 103–128, Q(s) 2000. [5] J. Chen and R. J. Patton, Robust Model Based Fault Diagnosis Figure 14 for Dynamic Systems, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1999. [6] R. Isermann, “Supervision, fault-detection and fault-diagnosis (ii) limiting the vertical to lower arm angle θ1 at 0 radians methods—an introduction,” Control Engineering Practice, at high frequency and relaxed for low frequency at a vol. 5, no. 5, pp. 639–652, 1997. maximum angle of 0.20 radians; [7] R. J. Patton and J. Chen, “Observer-based fault detection and (iii) limiting the vertical to upper arm angle θ2 at 0 radians isolation: robustness and applications,” Control Engineering at high frequency and relaxed for low frequency at a Practice, vol. 5, no. 5, pp. 671–682, 1997. maximum angle of 0.22 radians. [8] H. Niemann and J. Stoustrup, “Integration of control and fault detection: nominal and robust design,” in Proceedings of the IFAC Symposium on Fault Detection, Supervision and Safety for System interconnection and synthesis of Q(s) Technical Processes (SAFEPROCESS ’97), vol. 1, pp. 341–346, Hull, UK, August 1997. The appropriate system interconnection structure of P(s) [9] H. Niemann and J. Stoustrup, “Passive fault tolerant control of which is the outer loop of the FTCS inclusive of the nomi- a double inverted pendulum—a case study,” Control Engineer- nal controller, K(s),and fault indicating generation elements ing Practice, vol. 13, no. 8, pp. 1047–1059, 2005. needs to be formed using MATLAB μ-toolbox instruction [10] J. Stoustrup, M. J. Grimble, and H. Niemann, “Design of inte- sysic.m [17]. Hence, Figure12 is equivalent to Figure13. grated systems for the control and detection of actuator/sensor faults,” Sensor Review, vol. 17, no. 2, pp. 138–149, 1997. Following that, the sensor fault compensating controller, ∞ [11] K. Zhou and Z. Ren, “A new controller architecture for high Q(s), which is an H controller closing the inner loop of performance, robust, and fault-tolerant control,” IEEE Trans- the FTCS (i.e., closing the loop for the system interconnec- actions on Automatic Control, vol. 46, no. 10, pp. 1613–1618, tion obtained from P(s) shown above), can be solved with 2001. the MATLAB instruction, hinfsyn.m [17]. Since [12] D. U. Campos-Delgado and K. Zhou, “Fault tolerant control of a gyroscope system,” in Proceedings of the American Control [k] = hinfsyn(p,nmeas,ncon,gmin,gmax, Conference (ACC ’01), vol. 4, pp. 2688–2693, Arlington, Va, (A.4) tol,ricmethd,epr,epp), USA, June 2001. [13] M. Akesson, “Integrated control and fault detection for a me- hence, in this case, chanical servo process,” in Proceedings of the IFAC Symposium ∞ on Fault Detection, Supervision and Safety for Technical Pro- (i) k denotes the calculated H controller, that is, Q(s); cesses (SAFEPROCESS ’97), vol. 2, pp. 1252–1257, Hull, UK, (i) p denotes system interconnection P(s) as shown above; August 1997. (iii) nmeas denotes number of fault indicating signals; [14] J. Eich and B. Sattler, “Fault tolerant control system design us- (iv) ncont denotes the number of control inputs; ing robust control techniques,” in Proceedings of the IFAC Sym- (v) gmin, gmax, tol, and so on are as denoted in [17]. posium on Fault Detection, Supervision and Safety for Technical 10 Journal of Control Science and Engineering

Processes (SAFEPROCESS ’97), vol. 2, pp. 1246–1251, Hull, UK, August 1997. [15] M. Morari and E. Zafiriou, Robust Process Control, Prentice- Hall, Englewood Cliffs, NJ, USA, 1989. [16] K. Zhou, J. C. Doyle, and K. Glover, Robust and Optimal Con- trol, Prentice-Hall, Englewood Cliffs, NJ, USA, 1996. [17] G. J. Balas, J. C. Doyle, K. Glover, A. Packard, and R. Smith, μ- Analysis and Synthesis Toolbox, The Mathworks, Natick, Mass, USA, 2001. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 274313, 18 pages doi:10.1155/2008/274313

Research Article Design and Analysis of Robust Fault Diagnosis Schemes for a Simulated Aircraft Model

M. Benini,1 M. Bonfe,` 1 P.Castaldi,2 W. Geri,2 and S. Simani1

1 Department of Engineering, University of Ferrara, Via Saragat 1, 44100 Ferrara, Italy 2 Aerospace Engineering Faculty, University of Bologna, Via Fontanelle 40, 40136 Forl`ı, Italy

Correspondence should be addressed to S. Simani, [email protected]

Received 30 March 2007; Revised 27 September 2007; Accepted 20 December 2007

Recommended by Jakob Stoustrup

Several procedures for sensor fault detection and isolation (FDI) applied to a simulated model of a commercial aircraft are presented. The main contributions of the paper are related to the design and the optimisation of two FDI schemes based on a linear polynomial method (PM) and the nonlinear geometric approach (NLGA). The FDI strategies are applied to the aircraft model, characterised by tight-coupled longitudinal and lateral dynamics. The robustness and the reliability properties of the residual generators related to the considered FDI techniques are investigated and verified by simulating a general aircraft reference trajectory. Extensive simulations exploiting the Monte Carlo analysis tool are also used for assessing the overall performance capabilities of the developed FDI schemes, in the presence of turbulence, measurement, and model errors. Comparisons with other disturbance- decoupling methods for FDI based on neural networks (NNs) and unknown input kalman filter (UIKF) are finally reported.

Copyright © 2008 M. Benini et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION geometric method [8] was successfully extended to nonlinear systems [9, 10].AcrucialissuewithanyFDIschemeis Increasing demands on reliability for safety critical systems its robustness properties and a viable procedure for practical such as aircraft or spacecraft require robust control and application of FDI techniques is really necessary. Moreover, fault diagnosis capabilities as these systems are potentially robust FDI for the case of aircraft systems and applications is subjected to unexpected anomalies and faults in actuators, still an open problem for further research. input-output sensors, components, or subsystems. Conse- The first part of this work deals with the residual gen- quently, fault diagnosis capabilities and requirements for erator design for the FDI of input-output sensors of a gen- aerospace applications have recently been receiving a great eral aviation aircraft subject to turbulence, wind gust distur- deal of attention in the research community [1, 2]. A fault bances, and measurement noises. The developed PM scheme diagnosis system needs to detect and isolate the presence and belongs to the parity space approach [5] and it is based on location of the faults, on the basis also of the control sys- an input-output polynomial description of the system under tem architectures. Development of appropriate techniques diagnosis. In particular, the use of input-output forms allows and solutions for these tasks are known as the fault detec- to easily obtain the analytical description for the disturbance- tion and isolation (FDI) problem. There are, broadly speak- decoupled residual generators. These dynamic filters, organ- ing, two main approaches for addressing the FDI problem, ised into bank structures, are able to achieve fault isolation namely, hardware-based and model-based techniques [3, 4]. properties. An appropriate choice of their parameters allows A common and important approach in model-based tech- to maximise robustness with respect to both measurement niques is known as the residual-based method. A number of noise and modelling errors, while optimising fault sensitiv- researchers have developed residual-based methods for dy- ity characteristics. The development of NLGA methodology namic systems such as the parity space [5], state estimation is based on the works by De Persis and Isidori [10]. It was [6], unknown input observer (UIO), Kalman filters (KFs) shown that the problem of the FDI for nonlinear systems is [3], and parameter identification [6].Intelligent techniques solvable if and only if there is an unobservability distribu- [7] can be also exploited. Furthermore, the Massoumnia’s tion that leads to a quotient subsystem which is unaffected 2 Journal of Control Science and Engineering by all faults but one. If such a distribution exists, an appro- Table 1: Nomenclature. priate coordinate transformations in the state space can be α Angle of attack exploited for designing a residual generator only for the observable subsystem. This technique was applied for the first β Angle of sideslip time to a vertical takeoff and landing (VTOL) aircraft with pω Roll rate reference to a reduced-order model [11]. The NLGA resid- qω Pitch rate ual generators have been designed in order to be analytically r Yaw rate decoupled from the vertical and lateral components of the ω wind (gusts and turbulence). Moreover, a new full analyt- φ Bank angle ical developed mixed H−/H∞ optimisation is proposed in θ Elevation angle order to design the NLGA residual generators so that a good ψ Heading angle tradeoff between the fault sensitivity and the robustness with respect to measurements and model errors is achieved. The n⎡e ⎤ Engine shaft angular rate Ix 0 −Ixz designed residual generators have been tested on a PIPER PA- ⎣ ⎦ 0 Iy 0 Inertia moment matrix 30 aircraft flight simulator that was implemented in Matlab- −Ixz 0 Iz Simulink environments. With respect to the related works V True airspeed (TAS) by the same authors [12, 13], the main contribution of δ Elevator deflection angle this paper regards the enhancement in the designs of the e proposed FDI schemes. Moreover, the final performances δa Aileron deflection angle have been evaluated by adopting a typical aircraft reference δr Rudder deflection angle trajectory embedding several steady-state flight conditions, δth Throttle aperture percentage such as straight flight phases and coordinated turns. Com- parisons with different disturbance-decoupling methods for H Altitude FDI based on neural networks (NNs) and unknown input γ Flight path angle Kalman filter (UIKF) have been also provided. Finally, exten- m Airplane mass sive experiments exploiting Monte Carlo analysis are used for ω , ω , ω Wind gust components assessing the overall capabilities of the developed FDI meth- u v w ods, in the presence of uncertainty, measurement, and modelling errors. dynamics and the engine model completed with the model of input-output sensors, the servo actuators, the atmosphere 2. AIRCRAFT MODEL OVERVIEW turbulence Dryden description, the wind gust disturbances, and a classical autopilot. Moreover, the sensor models embed This section recalls briefly the description of the monitored all the possible sources of disturbance (calibration and align- aircraft whose main parameters and variables are reported in ment errors, scale factor, white and coloured noises, limited Table 1. bandwidth, g-sensitivity, gyro drift, etc.). The considered aircraft simulation model consists of a The linear model used by the proposed PM FDI approach PIPER PA-30, based on the classical nonlinear 6 degrees described in Section 3 embeds the linearisation both of the 6 of freedom (DoF) rigid body formulation [14] whose mo- DoF model and of the propulsion system as follows: tion occurs as a consequence of applied forces and moments (aerodynamic, propulsive, and gravitational). A set of lo- x˙(t) = Ax(t)+Bc(t)+Ed(t)(1) cal approximations for these forces has been computed and scheduled depending on the values assumed by true airspeed with (TAS), curvature radius, flight path angle, altitude, and flap x(t) = [ΔV(t)Δα(t)Δβ(t)Δpω(t)Δqω(t)Δrω(t) deflection. In this way, it is possible to obtain a mathemati- ··· T cal model for each flight condition. This model is suitable for Δφ(t)Δθ(t)Δψ(t)Δne(t)] , a state-space representation, as it can be made explicit. The (2) = [Δδ (t)Δδ (t)Δδ (t)Δδ (t)]T , parameters in the analytic representation of the aerodynamic c(t) e a r th actions have been obtained from wind tunnel experimen- T d(t) = [wu(t)wv(t)ww(t)] , tal data, and the aerodynamic actions are expressed along the axes of the wind reference system. It should be observed where Δ denotes the variations of the considered variables that aerodynamic forces and moments are not implemented while c(t)andd(t) are the control inputs and the distur- by the classical linearised expressions (stability derivatives) bances, respectively. The disturbance contribution of the but by means of cubic splines approximating the nonlinear wind gusts as air velocity components, wu, wv,andww,along experimental curves. The nonlinear 6 DoF model has been body axes was also considered. The output equation associ- completed by means of the PIPER PA-30 propulsion system ated with the model (1)isofthetypey(t) = Cx(t), where consisting of two 4-pistons aspirated engines, with the throt- the rows of C correspond to rows of the identity matrix, de- tle valve aperture δth as input and the overall thrust intensity pending on the measured variables. as output. The overall simulation model, used to perform On the other hand, regarding the NLGA FDI scheme all the following tests, consists of the aircraft 6 DoF flight described in Section 4, it requires a nonlinear input affine M. Benini et al. 3 system [10], but the adopted simulation model of the aircraft z-body axis wind components. Finally, the rudder effect in does not fulfil this requirement. For this reason, the follow- the equation describing the β dynamics has been neglected. ing simplified aircraft model is used: It is worth noting that Section 5 has shown that the designs and the simulations of the NLGA residual generators are ro- 2 bust with respect to the last approximation. In fact, the model CD0 + CDαα + CDα2 α V˙ =− V 2 of the β dynamics will never be used. m + g(sin α cos θ cos φ − cos α sin θ) 3. PM RESIDUAL GENERATORS cos α tp + t + t n δ + w sinα, Let us consider the input-output representation of a m V 0 1 e th v continuous-time, time-invariant linear dynamic system af- C + C α g fected by faults and disturbances in the form α˙ =− L0 Lα V + (cos α cos θ cos φ+sinα sin θ) m V P(s)y(t) = Qc(s)c(t)+Qd(s)d(t)+Q f (s) f (t), (4) sin α tp cos α ∈ Rm ∈ Rlc + qω + 2 t0 + t1ne δth + wv, where y(t) is the output vector, c(t) is the input m V V l l vector, d(t) ∈ R d is the disturbance vector, and f (t) ∈ R f 2 is the fault vector; P(s), Qc(s), Qd(s), and Q f (s) are known CD0 + CDαα + CDα2 α sin β + CYβ β cos β β˙ = V polynomial matrices of proper dimensions. m Models of type (4) can be frequently found in prac- cos θ sin φ tice by applying well-known physical laws to describe the + g + p sin α − r cos α V ω ω input-output dynamical links of various systems. Algorithms to transform multivariable state-space models to equivalent cos α sin β tp 1 + t + t n δ + w , multiple-input-multiple-output (MIMO) polynomial repre- m V 2 0 1 e th V sentations and vice versa are available [15]. Suitable software − Clβ β + Clppω 2 Iy Iz Cδa 2 routines for multivariable system transformations have been p˙ω = V + qωrω + V δa, Ix Ix Ix implemented by the authors in the Matlab environment. In fact, the Matlab software for state-space and transfer func- − Cm0 + Cmαα + Cmqqω 2 Iz Ix tion conversions is not able to manage directly MIMO mod- q˙ω = V + pωrω Iy Iy els, since they are considered as concatenations of single- input-single-output (SISO) systems. Cδe 2 td tp + V δe + t0 + t1ne δth, An important aspect of the residual generator design Iy Iy V concerns the decoupling properties of the disturbance d(t). C β + C r I − I The decoupling can be obtained premultiplying all the terms = nβ nr ω 2 x y Cδr 2 r˙ω V + pωqω + V δr , of (4) by the matrix L(s) ∈ Nl(Qd(s)), that is, the left null- Iz Iz Iz space of the matrix Qd(s): φ˙ = pω + qω sin φ + rω cos φ tan θ, L(s)P(s)y(t) − L(s)Qc(s)c(t) = L(s)Q f (s) f (t). (5) ˙ = − θ qω cos φ rω sin φ, Hence, the residual generator for the system of (4)isrepre- sented by = qω sin φ + rω cos φ ψ˙ = − cos θ R(s)r(t) L(s)P(s)y(t) L(s)Qc(s)c(t) (6) t = = 3 f L(s)Q f (s) f (t), n˙ e tnne + t0 + t1ne δth, ne ∈ R (3) where it is assumed that r(t) and L(s)isapolyno- mial row vector. The polynomial R(s) can be arbitrarily se-

· ffi · lected among the polynomials with degree greater than or where C( ) are the aerodynamic coe cients; t( ) are the en- ∗ ∗ gine parameters; and wv, wl are the vertical and lateral wind equal to nr ,wherenr is the maximum row-degree of the pair { } disturbance components. In particular, the model of (3)has L(s)P(s), L(s)Qc(s) . Moreover, if all the roots of R(s) lie in been obtained on the basis of some assumptions.In particu- the open left-half s-plane, it assures the stability of the filter lar, the expressions of aerodynamic forces and moments have of (6). Without loss of generality, it is assumed that R(0) = 1. been represented by means of series expansions in the neighbourhood of the steady-state flight condition, then only the Remark 1. If the matrix Qd(s) is of full-column rank (i.e., = N − main terms are considered. The engine model has been sim- rank Qd(s) ld), l(Qd(s)) has dimension m ld. There- plified by linearising the power with respect to the angular fore, a polynomial matrix B(s),whoserowsrepresentsamin- N − rate behaviour in the neighbourhood of the trim point. The imal polynomial basis of l(Qd(s)), has m ld rows and m second-order coupling between the longitudinal and lateral- columns. directional dynamics have been neglected. The x-body axis This work is focused on the problem of detecting and iso- component of the wind has been neglected. In fact, the air- lating additive faults acting on the input and output sensors craft behaviour is much more sensitive to the y-body and of the monitored system. If the input-output measurements 4 Journal of Control Science and Engineering are modelled by the relations of (7): If the following real vectors are defined as

∗ ⎡ ⎤ ⎡ ⎤ c (t) = c(t)+ f (t), k1 a1 c ⎢ ⎥ ⎢ ⎥ (7) ⎢ ⎥ ⎢ ⎥ ∗ = ⎢k2⎥ ⎢a2⎥ y (t) y(t)+ fo(t), ⎢ ⎥ ⎢ ⎥ k = ⎢ ⎥ , a = B(0)Q (0) = ⎢ ⎥ , (14) ⎢ . ⎥ f ⎢ . ⎥ the system of (4)becomes ⎣ . ⎦ ⎣ . ⎦ ∗ ∗ kq aq P(s) y (t) − fo(t) = Qc(s) c (t) − fc(t) + Qd(s)d(t), (8) the problem of the maximisation of the residual fault sensitivity can be recast as follows. under the assumptions that Q f (s) f (t) = [−Qc(s), P(s)] · T T T [ fc (t), fo (t)] . Thus, the residual generator of (6)iswrit- Proposition 1. Given the vector a,thevectork that maximises ten as the steady-state fault sensitivity, that is, the function W given ∗ ∗ by the expression R(s)r(t) = L(s)P(s)y (t) − L(s)Qc(s)c (t) (9) q = L(s)P(s) fo(t) − L(s)Qc(s) fc(t). T W = a k = aiki, (15) i=1 Remark 2. Theresidualgeneratordescribedby(7)and(9) canbeseenasanerrors-in-variables(EIV)model[16]with under the constraint of (12),canbefoundbysolving respect the input and output variables, as the measurements that feed the residual function are affected by additive faults. k = arg max W(k). (16) This description highlights the importance of the residual The solution to the problem described by Proposition 1 generator in the form of (9). can be derived as follows. The constraint of (12) describes a hypersphere, whilst the expression of the function of (15) Remark 3. The diagnostic capabilities of the residual genera- ffi tor of (6) strongly depend on the choice of the terms L(s)and is a hyperplane. The unknown coe cients k must belong R(s). This paper proposes a method for the design of these to both the hyperplane and the hypersphere. Therefore, the polynomials, under the assumption that f (t) is a scalar and, points of tangency between the hypersphere and the hyperplane represents the solutions that maximise or minimise W. consequently, Q f (s) is a vector. The rationale of this assumption is commented in Section 3.2 where the fault isolation As shown below, the solution of the problem described by method is proposed. Proposition 1 exists and is unique. Proof. From (12), k is expressed as a function of k , In the following, the freedom design in the selection of 1 2 k3, ..., kq, and it is substituted into (15): the rows of the polynomial matrix L(s) is investigated when q = m − l ≥ 2. These degrees of freedom are used to opti- d W = a 1 − k2 − k2 −···−k2 + a k + ···+ a k . mise the sensitivity properties of r(t) with respect to the fault 1 2 3 q 2 2 q q f (t), for example, by maximising the steady-state gain of the (17) = transfer function G f (s) L(s)Q f (s)/R(s). By computing ∇W = 0, that is, If bi(s)(i = 1, ..., q) are the row vectors of the basis B(s), − L(s) can be expressed as linear combination of these vectors: ∂W 1 2k2 = a1 + a2 = 0, ∂k 2 − 2 − 2 −···− 2 q 2 1 k2 k3 kq = L(s) kibi(s), (10) − = ∂W 1 2k3 i 1 = a1 + a3 = 0, ∂k 2 − 2 − 2 −···− 2 3 1 k2 k3 kq where ki are real constants maximising: (18) . q q . 1 . lim kibi(s) Q f (s) = kibi(0) Q f (0) (11) s→0 R(s) − i=1 i=1 ∂W 1 2kq = a1 + aq = 0, ∂k 2 − 2 − 2 −···− 2 with the constraint q 1 k2 k3 kq q and squaring the expression, after algebraic manipulation: 2 = ki 1. (12) = 2 = 2 2 2 2 2 ··· 2 2 i 1 a2 a2 + a1 k2 + a2k3 + + a2kq, 2 = 2 2 2 2 2 ··· 2 2 Under these assumptions, when the fault f (t) is a step- a3 a3k2 + a3 + a1 k3 + + a3kq, function of magnitude F,the steady-state residual value is (19) . q . L(s)Q f (s) F limr(t) = lims = kibi(0) Q f (0)F. (13) t→∞ s→0 2 = 2 2 2 2 ··· 2 2 2 R(s) s i=1 aq aqk2 + aqk3 + + aq + a1 kq, M. Benini et al. 5 an expression in the form of Ax = b is obtained, where (i.e., k = k). The design of the filter of (6)hasbeencom- ⎡ ⎤ pleted here by introducing a method for assigning both the 2 + 2 2 ··· 2 ⎢ a2 a1 a2 a2 ⎥ zeros and the poles of the continuous-time transfer function ⎢ ⎥ ⎢ 2 2 2 ··· 2 ⎥ ⎢ a3 a3 + a1 a3 ⎥ G f (s). The zeros and poles location influences the transient = ⎢ ⎥ A ⎢ . . . . ⎥ , characteristics (maximum overshoot, delay time, rise time, ⎢ . . .. . ⎥ settling time, etc.) of the filter of (6). In many applications, ⎣ ⎦ 2 2 ··· 2 2 these characteristics must be kept within tolerable or pre- aq aq aq + a1 ⎡ ⎤ ⎡ ⎤ (20) scribed limits in order to guarantee good performances of 2 2 the filter in terms, for example, of fault detection times and ⎢k2⎥ ⎢a2⎥ ⎢ ⎥ ⎢ ⎥ ⎢ 2⎥ ⎢ 2⎥ false-alarm probabilities. ⎢k3⎥ ⎢a3⎥ = ⎢ ⎥ = ⎢ ⎥ x ⎢ . ⎥ , b ⎢ . ⎥ . = = ⎢ . ⎥ ⎢ . ⎥ Remark 7. When k k, the polynomial L(s)Q f (s) ⎣ . ⎦ ⎣ . ⎦ T k B(s)Q f (s) is fixed and no freedom degree is left to arbitrar- 2 2 kq aq ily assign the zeros. In order to solve this problem, a polynomial vector k(s) can be considered. Under this assumption, The unknown vector x, under the constraint of (12), can be L(s) still belongs to the subspace Nl(Qd(s)), where the terms expressed as follows: ffi ⎡ ⎤ ki are polynomial coe cients. q −1 ⎢ − −1 ⎥ ⎢1 A b i⎥ The previous consideration leads to introduce the poly- x = ⎢ ⎥ , (21) T ⎣ i=1 ⎦ nomial E(s) = k (s)B(s)Q f (s), where k(s)isaq-dimensional A−1b polynomial vector whose ith element has the form

−1 −1 where (A b)i is the ith element of the vector A b.Thevec- nk tor x represents the squares of the solution of the problem of = j j ki(s) ki s . (23) Proposition 1. j=0 Let us indicate Ω the set of the vectors k whose elements are the square roots of the elements of . As every element x × ffi j can be taken both with signs “+” and “−”, s u c h v e c t o r s a r e The degree nk and the q nk coe cients ki are freedom design (j =/ 0) that are exploited for obtaining the desired roots 2q. Therefore, the solution of Proposition 1 can be refor- k of the polynomial E(s). However, in order to maximise the mulated as steady-state gain, as shown in Section 3, the following condi- k = arg maxW(k). (22) tion must hold: k∈Ω ⎡ ⎤ ⎢k1⎥ = 2 ⎢ ⎥ Remark 4. The matrix A can be expressed as A E + a1Iq−1, ⎢ ⎥ = ⎢k2⎥ where E is a matrix with equal columns. If a1 / 0, this as- ⎢ ⎥ 0 −1 k(0) = k = ⎢ ⎥ ⇐⇒ k = k , i = 1, ..., q. (24) sumption guarantees the existence of A , and consequently ⎢ . ⎥ i i − ⎢ . ⎥ the existence and the uniqueness of the solution A 1b.Ob- ⎣ . ⎦ = = ffi viously, if a1 0andaj / 0, it is su cient to express kj as kq function of the remaining variables and to reapply the same procedure. Definition 1. H(s) is the reference polynomial whose roots Remark 5. The same solution can be found by maximising are the zeros to be assigned: the function |W|. Due to the symmetry properties, the maximisation of |W| admits two solutions corresponding to the nh = j j maximum and the minimum of the function W.Moreover, H(s) h s . (25) = the choice of the quadratic constraint of (12) guarantees the j 0 unicity of the solution to the problem of Proposition 1. Since the constraint of (24)musthold,H(0) = kT B(0) · Remark 6. The problem described by Proposition 1 could Q f (0). Obviously, this assumption does not provide any re- have been solved also in a numerical way, that is, by searching striction on the roots assignable. Under the previous consid- k that maximises W on the surface of the q-dimensional hy- erations, the zero assignment and pole placement problem is persphere. However, the computational cost of this numeri- formulated as follows. cal solution can be a drawback when q is big. ffi j Proposition 2. The degree nk and the coe cients ki have to 3.1. PM residual design be determined under the constraint of (24) in order to obtain E(s) = H(s). Section 3 has shown how to maximise the steady-state gain of the continuous-time transfer function G f (s) = Proof. In Section 3, the polynomial vector a(s) = B(s)Q f (s) L(s)Q f (s)/R(s) trough a suitable choice of the real vector k was defined. Its ith element is a known polynomial of a 6 Journal of Control Science and Engineering

⎡ ⎤ 1 certain degree, .If is defined as follows: k1 nai na ⎢ ⎥ ⎢ ⎥ ⎢ . ⎥ = ⎢ . ⎥ na max nai , (26) ⎢ ⎥ ⎡ ⎤ =1, , ⎢ ⎥ i ... q ⎢ 1 ⎥ q ⎢ kq ⎥ ⎢ 1 0 1 ⎥ ⎢ ⎥ ⎢ h − k a ⎥ ⎢ 2 ⎥ ⎢ i i ⎥ the ith element of a(s) can be always written as a polynomial ⎢ k1 ⎥ ⎢ i=1 ⎥ ⎢ ⎥ ⎢ . ⎥ of degree na: ⎢ ⎥ ⎢ . ⎥ ⎢ . ⎥ ⎢ . ⎥ ⎢ . ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ q ⎥ na ⎢ 2 ⎥ ⎢ ⎥ k 0 na = j j x = ⎢ q ⎥ , b = ⎢hna − k a ⎥ . ai(s) ai s (27) ⎢ ⎥ ⎢ i i ⎥ ⎢ ⎥ ⎢ = ⎥ j=0 ⎢ . ⎥ ⎢ i 1 ⎥ ⎢ . ⎥ ⎢ na+1 ⎥ ⎢ . ⎥ ⎢ h ⎥ ⎢ ⎥ ⎢ ⎥ j ⎢ . ⎥ ⎢ . ⎥ by imposing that = 0 when . ⎢ . ⎥ ⎢ . ⎥ ai j>nai ⎢ . ⎥ ⎣ . ⎦ = T ⎢ ⎥ As E(s) k (s)a(s), by multiplying (23)and(27), it re- ⎢ nk ⎥ n +n ⎢k1 ⎥ h a k sults ⎢ ⎥ ⎢ . ⎥ ⎢ . ⎥ q n k+na n k+na ⎣ . ⎦ β = α j = j j nk E(s) ki ai s e s , (28) kq i=1 j=0 α+β= j j=0 (31) where The degree nk of the polynomials ki(s)hastobecho- sen in order to obtain a solvable system (i.e., rank A = q rank [Ab]). j = α β e ki ai . (29) i=1 α+β= j In order to understand the proposed solution, the following points should be considered. α = Equations (28)and(29) assume that ki 0 when α>nk and (i) The choice of n must guarantee that the relations n ≤ β k h = ffi 1 nk+na ai 0 when β>na. Note that the coe cients e , ..., e nk + na are satisfied. 1 nk depend on the freedom design ki , ..., ki . On the other hand, (ii) When q ≥ 2, the difference between the number of 0 ffi 0 e is fixed as the coe cients ki are assigned by (24). unknown terms and the number of equations, that is, ≤ = Let us suppose that nh nk + na. By imposing E(s) (q − 1) × nk − na, is greater than zero if nk is selected H(s), from (29)and(25), the following expressions are com- sufficiently high. puted: (iii) Even if the system admits solutions, the inverse of the matrix A may not exist; in such case there are infinite q q solutions and the one associated to the pseudoinverse α β = j − 0 j = ki ai h ki ai , j 1, ..., nk + na. of A, that is, A+b can be computed. i=1 α+β= j (α =/ 0) i=1 (30) Remark 8. Theuseofapolynomialvectork(s) instead of a real vector k has the drawback of increasing the complexity Equations (24)and(30) represent a linear system with nk +na of the residual generator. Many FDI applications require that equations and q × nk unknowns, which can be expressed in the classical form Ax = b,where G f (s) F(0) = , (32) ⎡ ⎤ G f (0) F(s) 0 ··· 0 ··· ··· ⎢ a1 aq 0 00 0 ⎥ ⎢ ⎥ where F(s) is an arbitrary polynomial. These cases do not ⎢ . . . ⎥ ⎢ . . . 0 ··· 0 ⎥ require a ( ) such that ( ) = (0), but it is enough con- ⎢ . . . a1 aq ⎥ k s E s G f ⎢ ⎥ ⎢ ⎥ sidering k = k and imposing ⎢ n n . . . ⎥ ⎢a a ··· a a . .. . ⎥ ⎢ 1 q ⎥ ⎢ ⎥ E (s)F(s) ⎢ . . . ⎥ R(s) = 0 , (33) ⎢ ··· na ··· na . . . ⎥ ⎢ 0 0 a1 aq . . . ⎥ G f (0)F(0) ⎢ ⎥ ⎢ ··· ··· ⎥ ⎢ 0 00 0 ⎥ A = ⎢ ⎥ , where E (s) = kB(s)Q (s). However, there is a restriction on ⎢ ⎥ 0 f ⎢ .. ⎥ ⎢ . ⎥ the choice of F(s). In fact, due to the realisability condition, ⎢ ⎥ { } ∗ − { } ⎢ ⎥ deg F(s) >nr deg E0(s) . Moreover, the method cannot ⎢ ...... ⎥ ⎢ ...... ··· ⎥ be applied if E0(s) admits one or more roots with positive real ⎢ . . . .0 0 ⎥ ⎢ ⎥ part, as the residual generator would become unstable. These ⎢ 0 ··· 0 ⎥ ⎢ a1 aq ⎥ ⎢ ⎥ cases require an approximate solution. ⎢ . . ⎥ ⎢ . .. . ⎥ ⎣ . . . ⎦ Remark 9. This section is focused on the design of residual ··· ··· na ··· na 0 00 0 a1 aq generators on the basis of a given reference function with M. Benini et al. 7

disturbance-decoupling and fault sensitivity maximisation In more detail, as shown in Section 3, Loi (s) is chosen to properties. The pole location influences the transient dy- maximise the steady-state gain in the presence of the fault namics of the designed residual filters, while the steady-state foj (t). Moreover, as shown in Section 3.1, Roi (s) is chosen to properties depend on the PM residual design, as it maximises obtain a fixed behaviour of the transfer function due to the the residual steady-state values with respect to step faults af- fault foj (t). fecting input and output sensors. The poles of the residual It is worth noting that the similar design technique can functions could be optimised with respect to both fault and be used for input sensor fault isolation. disturbance terms, as shown, for example, in a work by the The problem requirements determine the selection of the same authors [17]. specific fault with respect to which the design depends. Most often in practice, it is important to obtain good performance 3.2. PM fault isolation with respect to all possible faults rather than optimal behaviour with respect to one specific fault. In this situation, This section addresses the design problem of residual gener- adifferent design of the filter behaviour for each fault situa- ator banks for the isolation of faults affecting the input and tion is needed. the output sensors. This design is performed by using the disturbance-decoupling method suggested in Section 3. 4. NLGA RESIDUAL GENERATORS To univocally isolate a fault concerning one of the output sensors, under the hypotheses that the input sensors and the TheconsideredNLGAtotheFDIproblemissuggestedin remaining output sensors are fault-free, a bank of residual [18]andformallydevelopedin[10]. It consists in finding, by generator filters is used. The number of these generators is means of a coordinate change in the state space and in the equal to the number m of the system outputs, and the ith output space, an observable subsystem which, if possible, is device (i = 1, ..., m) is driven by all but the ith output and affected by the fault and not affected by disturbance. In this all the inputs of the system. In this case, a fault on the ith way, necessary and sufficient conditions for the FDI problem output sensor affects all but the ith residual generator. to be solvable are given. Finally, a residual generator can be In presence of a fault on the jth output sensor, the mea- designed on the basis of the model of the observable subsys- sured output y∗(t) can be expressed as follows: tem. More precisely, the approach considers a nonlinear sys- ∗ = tem model in the form y (t) y(t)+ foj (t), (34) x˙ = n(x)+g(x)c + (x) f + p(x)d, with (38) y = h(x) = ··· ··· T foj (t) 0 0 hoj (t)0 0 , (35) in which the state vector x ∈ X (an open subset of R n ), ∈ R c ∈ R where hoj (t) represents the jth output fault function. c(t) is the control input vector, f (t) is the fault, In these conditions, the system of (4)becomes d(t) ∈ R d the disturbance vector (embedding also the faults which have to be decoupled), and y ∈ R m the output vector; ∗ − = whilst n(x), (x), the columns of g(x)andp(x) are smooth P(s)y (t) pj (s)hoj (t) Qc(s)c(t)+Qd(s)d(t), (36) vector fields; and h(x) is a smooth map. where pj (s) is the jth column of the matrix P(s). Therefore, if P represents the distribution spanned by the column of p(x), the NLGA method can be devised as it fol- Let us indicate Loi (s) a polynomial row vector belonging to the basis of the left null space of the matrix [ ( ) | ( )]. lows: first, determine the largest observability codistribution Qd s pi s ⊥ ∗ The expression of the ith filter when a fault is acting on the contained in P ,denotedwithΩ [10]. If (x) ∈/ Ω∗, the design procedure can continue, other- jth output sensor is obtained by multiplying (36)byLoi (s): wise, the fault is not detectable; whenever the previous con- R (s)r (t) = L (s)Pi(s)y∗i(t) − L (s)Q (s)c(t) dition is satisfied, it can be found a surjection Ψ1 and a func- oi oi oi oi c ∗ ∩ { }= { ◦ } tion Φ1 fulfilling Ω span dh span d(Ψ1 h) and ∗ = { } L (s)p (s)h (t)forj = i, (37) Ω span d(Φ1) , respectively. The functions Ψ(y)and = oi j oj / 0forj = i, Φ(x)definedas ⎛ ⎞ ⎛ ⎞ x1 Φ1(x) i where P (s) is the matrix obtained by deleting from P(s) the y Ψ1(y) ⎜ ⎟ ⎜ ⎟ = 1 = = ⎜ ⎟=⎜ ⎟ ith column, and y∗i(t) represents the (m − 1)-dimensional Ψ(y) , Φ(x) ⎝x2⎠ ⎝H2h(x)⎠ ∗ y2 H2 y vector obtained by deleting from y (t)itsith component. x3 Φ3(x) From the comparison between (37)and(6)with f (t) ∈ (39)

R if q = m − ld − 1 ≥ 2, the methods shown in Sections 3 and 3.1 can be exploited for the design of the ith filter. In are (local) diffeomorphisms, where H2 is a selection matrix particular, the parameters of this filter can be properly chosen (i.e., a matrix in which any row has all 0 entries but one, in order to optimise its performances when a fault is acting which is equal to 1), Φ1(x) represents the measured part of on the jth output sensor. the state which is affected by f and not affected by d,and 8 Journal of Control Science and Engineering

Φ3(x) represents the not measured part of the state which is The aileron residual generator rδa (t), with kδa > 0, has the aﬀected by f and by d. form In the new (local) coordinate deﬁned previously, the sys- − ˙ Clββ + Clppω 2 Iy Iz tem of (38) is described by the relations in the form ξ2 = V + qωrω Ix Ix Cδa 2 − (43) + V δa + kδa pω ξ2 , x˙ 1 = n1 x1, x2 + g1 x1, x2)c + 1 x1, x2, x3) f , Ix = − rδa pω ξ2. x˙ 2 = n2 x1, x2, x3 + g2 x1, x2, x3 c The rudder residual generator rδr (t), with kδr > 0, is written + 2 x1, x2, x3 f + p2 x1, x2, x3 d, in the form x˙ 3 = n3 x1, x2, x3 + g3 x1, x2, x3 c (40) C β + C r I − I ˙ = nβ nr ω 2 x y ξ3 V + pωqω Iz Iz + 3 x1, x2, x3 f + p3 x1, x2, x3 d, Cδr 2 − (44) = + V δr + kδr rω ξ3 , y1 h x1 , Iz = − = rδr rω ξ3. y2 x2

The throttle residual generator rδth (t), with kδth > 0, has the form with (x , x , x ) not identically zero. Denoting x with y 1 1 2 3 2 2 t and considering it as an independent input, it can be singled ˙ = 3 f − ξ4 tnne + t0 + t1ne δth + kδth ne ξ4 , out the x1-subsystem: ne (45) = − rδth ne ξ4. ˙ = Remark 10. It is worth observing that each residual genera- x1 n1(x1, y2)+g1(x1, y2)c + 1(x1, y2, x3) f , (41) tor is affected by a single input sensor fault and is decoupled = y1 h(x1), from the wind components and the faults affecting the remaining input sensors. This feature can be obtained by defining a different p(x) for each residual generator design [19]. which is affected by the single fault and decoupled from the f In this way, the tuning of the residual generator gains kδ , kδ , disturbance vector. This subsystem has been exploited for the e a kδr ,andkδth can be carried out independently. Finally, by a design of the residual generator for the FDI of the fault f . straightforward analysis, the positive sign of each gain is a As already described in Section 2, the proposed NLGA necessary and sufficient condition for the asymptotic stabil- FDI scheme is designed on the basis of a model structure of ity of the dynamics (42)–(45). the input affine type as described in [10]. For this reason, the aircraft simulation model has been simplified and the non- A procedure optimising the tradeoff between the fault linear model of (3) has been considered for the NLGA de- sensitivity and the robustness to the modelling errors and sign. disturbances of the generic residual generator is proposed in Under these assumptions, by means of computations de- the next section. tailed in [19], the residual generators for detecting the faults ff a ecting the aircraft input sensors are obtained. In particu- 4.1. NLGA robustness improvement lar, the residual generator for the elevator rδe (t), with kδe > 0, is described by the relation The proposed NLGA-based scheme consists of two design steps:

2 (1) the structural decoupling of critical disturbances ˙ = V − 2 ξ1 CD0 + CDαα + CDα2 α cos α (wind gust and turbulence) and critical modelling er- m rors can be obtained as described in Section 4; V 2 + C + C α sinα − g sin θ (2) the nonlinear residual generators robustness is im- m L0 Lα proved by minimising the eﬀects of both noncritical disturbances and modelling errors, whilst maximising Cm0 + Cmαα + Cmqqω 2 + Vqωsin α − V the fault eﬀects on the residual signals. mtd (42) In order to apply the robustness improvement procedure − Iz Ix Cδe 2 − pωrω − V δe presented in this section, the considered framework is re- mtd mtd stricted to suitable scalar components of the x -subsystem 1 I (41). In particular, the vectors x1 and y are decomposed as − y − 1 + kδe Vcos α qω ξ1 , follows: mtd x11 y Iy 11 = − − x1 = , y = , (46) rδe V cos α qω ξ1. 1 mtd x1c y1c M. Benini et al. 9

∈ R ∈ R where x11 , y11 , and, correspondingly, it follows which allows to write the following equivalent residual that model: · · · ˙ n11( ) g11( ) 11( ) x f = n11 x11, y , y − n11 y , y , y n (·) = , g (·) = , (·) = 1c 2 11 1c 2 1 · 1 · 1 · n1c( ) g1c( ) 1c( ) − + g11 x11, y1c, y2 c g11 y11, y1c, y2 c (47) + 11 x11, y , y , x3 f + e x11, y , y , x3 ζ (53) Let us consider the following conditions: 1c 2 1c 2 − k x − k ν, = = · = f f f y11 h11(x11) y1c h1c(x1c) 11( ) / 0 , (48) r f = xf + ν. where h11(·) is a smooth map and h1c(·)isaninvertible smooth map. It is important to highlight that if the con- Inordertoapplytheeffective mixed H−/H∞ approach straints (48) are satisfied, the decomposition (46)-(47)can [3, 20]totunek f , the system (53) has to be linearised in always be applied to obtain the following x11-subsystem: the neighbourhood of a stationary flight condition, as suggested in [2] with reference to the H∞ optimisation of non- x˙ 11 = n11 x11, y , y + g11 x11, y , y c linear unknown input observers. It is worth observing that 1c 2 1c 2 the considered aircraft application is characterised by small + 11 x11, y , y , x3 f , (49) 1c 2 excursions of the state, input, and output variables with re- = y11 h11 x11 . spect to their trim values x10, x30, c0, y10,andy20, hence the Ascanbeseenin[19], the conditions (48) are satisfied for robustness of the nonlinear residual generator is achieved. the considered aircraft application, hence, from now on, the The linearisation of (53) is the following: scalar x11-subsystem (49) is referred to in place of the x1- ˙ ˘ x f =−k f xf − k f ν +mf+q˘ζ, subsystem (41). (54) It can be noted that the tuning of the residual generator r f = xf + ν, gains, in the framework of the x11-subsystem (49), cannot where be properly carried out. In fact, the critical disturbances are · structurally decoupled but the noncritical ones are not con- ∂n11( ) a = , b = g11(·)| , sidered. For this reason, to achieve robustness of the residual (x10,y20) ∂x11 (x10,y20) generators, the tuning of the gains is performed by embed- (55) ding the description of the noncritical disturbances in the m = 11(·)| , q = e(·)| , (x10,y20,x30) (x10,y20,x30) -subsystem as follows: x11 ˘ ˘ = − ν qζ qζ a . x˙ = n x , y , y + g x , y , y c 11 11 11 1c 2 11 11 1c 2 Now, it is important to note that in place of the residual gen- + 11 x11, y1c, y2, x3 f + e x11, y1c, y2, x3 ζ, (50) erators in the filter form (51), the following observer form of = ν the residual generators can be used: y11 x11 + , ˙ = − where, to simplify the treatment without loss of generality ξo n11 ξo, y1c, y2 + g11 ξo, y1c, y2 c + ko y11 ξo , (accordingly to the considered aircraft application), the state r = y − ξ . variable x is supposed to be directly measured. Moreover, o 11 o 11 (56) the variable ν ∈ R is the measurement noise on x11. Finally, R · the variable ζ ∈ and the related scalar field e( )represent For the same reasons previously described, the estimation er- the noncritical effects which have not been considered in the ror xo is introduced: simplified aircraft model (3) used for the NLGA scheme. The following system, which is referred to as filter form, xo = x11 − ξo, (57) represents a generic scalar residual generator (based on the hence subsystem (50)) to which (42)–(45) belong as a particular ˙ case xo = n11 x11, y , y − n11(ξo, y , y 1c 2 1c 2 ˙ ξ f = n11 y , y , y + g11 y , y , y c + k f y − ξ f , − 11 1c 2 11 1c 2 11 + g11(x11, y1c, y2 c g11(ξo, y1c, y2 c r f = y − ξ f , 11 + 11 x11, y1c, y2, x3 f + e x11, y1c, y2, x3 ζ (58) (51) − koxo − koν, where the gain k has to be tuned in order to minimise the f = ν effects of the disturbances ζ and ν whilst maximise the effects ro xo + . of the fault f on the residual r f . The quantification both of ff The linearisation of (58)is the disturbances and of the fault e ects on the residual can ˙ be obtained by defining the estimation error xo = a − ko xo − koν +mf+qζ, (59) = − x f x11 ξ f , (52) ro = xo + ν. 10 Journal of Control Science and Engineering

Both the linearised models (54)and(59) of the residual gen- Proof. From the definition (64) erators in the filter form and observer form,respectively,can e s − a be represented by the following general form: G (s) = 11 , (68) rε s − a + k s − a + k ˙ = − − x (a k)x + E1 kE2 ε +mf, hence it is possible to write (60) r = x + E2ε % & 2 2 2 2 e a + ω σ G (jω) = 11 + rε − 2 2 − 2 2 = (k a) + ω (k a) + ω with E1 [cce11 0] as well as the following positions: (69) 2 2 2 e11 + a + ω = general form xεrake11 E2 (k − a)2 + ω2 ⎡ ⎤ so that it follows ζ˘ ! " ⎣ ⎦ filter form x f r f 0 k f q˘ 01 (61) # # 2 2 ν # #2 = e11 + a + ξ Grε ∞ sup 2 . (70) ξ≥0 k − a + ξ ζ ! " observer form x r ak q 01. o ν o o From the last expression, it is straightforward to obtain (66) and (67). On the basis of (60)and(61), the mixed H−/H∞ [3, 20] procedure is developed for the robustness improvement of Proposition 4. The set the residual generators both in the filter and observer form. % # # & K = ∈ R − # # Since the considered NLGA residual generators are scalar, the γ k :(a k) < 0, Grε ∞ <γ, γ>1 (71) H H −/ ∞ procedure leads to a new analytical solution. is given by The following definition will be used throughout the section. 2 2 e11 + a k>k with k = a + . (72) Definition 2. The norms H∞ and H− of a stable transfer γ function G are defined as Proof. By means of Proposition 3, it is possible to write = = G ∞ sup σ[G(jω)], G − σ[G(j0)], (62) 2 2 ≥ e + a ω 0 11 <γ2, (73) (k − a)2 where σ represents the maximum singular value, whilst σ the minimum singular value. The problem of the tradeoff be- which holds for tween disturbances robustness and fault sensitivity is stated 2 2 as follows. e11 + a k>a+ . (74) γ Problem 1 (Mixed H−/H∞ residual robustness improvement). Given two scalars β>0andγ>0, find the set K { } defined as: Proposition 5. If γ>1, then Grf − : Grε ∞ <γ is given by K ={ ∈ R − } k :(a k) < 0, Grε ∞ <γ, Grf − >β , = mγ (63) 0 < Grf − <βmax(γ) where βmax(γ) . 2 2 e11 + a where (75) −1 = − Grε(s) = (s − a + k) E1 − kE2 + E2, (64) Proof. From the definition (65), it results Grf(s) m/(s a + k) and assuming, without loss of generality, that m>0, it −1 follows G = m/(k − a). By imposing G >βwith G (s) = (s − a + k) m. (65) rf − rf − rf β>0, the constraint k

Theorem 1. Given γ>1 and β ∈]0, βmax(γ)[, the set K ful- On the basis of Theorem 1, k can be designed by means of ﬁlling the constraints of Problem 1 is given by the following procedure. ' ( m m Procedure 1. (1) Choose γ>1toobtainadesiredlevelof K = k ∈ R : k ∈]k, k[, k = a + , k = a + . β (γ) β disturbance attenuation. max ∈ (78) (2) Compute βmax(γ)andchooseβ ]0, βmax(γ)[ to obtain a desired level of fault sensitivity. ∈ = = Proof. The proof of the theorem is not reported, as it is (3) Choose k ]k, k[, with k a + m/βmax(γ)andk straightforward from Propositions 3, 4,and5. a + m/β. (4) Apply the chosen gain k to the k f of (51) or to the ko Remark 11. Let us consider the following performance index of (56) if the NLGA residual generator is in the ﬁlter form or to maximise in the observer form,respectively.

Grf − 5. FDI PERFORMANCE ESTIMATION J = . (79) Grε∞ To show the diagnostic characteristics brought by the appli- From (66), it follows cation of the proposed FDI schemes to general aviation aircrafts, some numerical results obtained in the Matlab and ⎧ ⎪ Simulink environments are reported. The final performances ⎪ 2 2 ⎨⎪1, k> a + e11 + a that are achieved with the developed FDI schemes are finally = Grε ∞ ⎪ (80) reported. These performances are evaluated by means of ex- ⎪ 2 2 ⎪ e11 + a tensive simulations applied to the aircraft simulation model. ⎩ , a a + e11 + a , ⎨ k − a put vector y(t) acquired from the simulation aircraft model = J ⎪ (81) ⎪ m ≤ 2 2 previously described. In particular, a bank of 4 residual gen- ⎪ , a a + e11 + a . (82) ously, the residual generator bank has been designed to be k − a 2 2 e11 + a decoupled from the 3 component wind disturbance vector T d(t) = [wu(t), wv(t), ww(t)] . As to the NLGA residual gen- In this way, the maximum value of the performance index J erator filters, the aircraft synthesis model of (3), adopted for is the design, is simplified with respect to the simulation model. Analogously to the PM, the approximations of the NLGA = m ∀ ∈K = ∈ R ≤ 2 2 Jmax k J k :aβif β ≥ m/ e + a2. rε rf − 11 It is worth noting that the aircraft reference trajectories ≥ 2 2 In fact, from β m/ e11 + a it follows are typically made up of a sequence of steady-state flight conditions, each one described by the associated input state = m ≥ m output set point and the linearised model of (1). As a con- Grf − >β , (84) k − a 2 2 sequence, all the FDI linear techniques are usually imple- e11 + a mented by switching among the residual generators related to the different steady-state flight conditions. The target of 2 2 hence k<(a + e11 + a ). this work is to reduce the switching by adopting robust PM Finally, from (75) it is always possible to find a β such that residual generators. In particular, the robustness is achieved by using the same residual generators for a large set of flight m ≤ β ≤ βmax(γ) ∀γ>1. (85) conditions. The chosen single steady-state flight condition 2 2 e11 + a for designing both of the PM and of the NLGA residual 12 Journal of Control Science and Engineering generators is a coordinated turn characterised as follows: Table 2: PM FDI technique: minimal step faults with ν = 4.

(i) the true airspeed is 50 m/s; ci(t) Variable Fault size Delay time ◦ (ii) the curvature radius is 1000 m; Elevator δe 2 18 s ◦ ◦ (iii) the flight-path angle is 0 ; Aileron δa 3 6s ◦ (iv) the altitude is 330 m; Rudder δr 4 8s ◦ (v) the flap deflection is 0 . Throttleaperture% δth 2% 15 s This represents one of most general flight condition due to the coupling of the longitudinal and lateral dynamics. More- Table 3: PM FDI technique: minimal ramp faults with ν = 4. over, it is used in simulation to highlight the performances of ci(t) Variable Fault size Delay time the proposed methods in the nominal flight condition. ◦ Regarding the PM, the detection properties of the filters Elevator δe 0.11 /s26s ◦ in terms of fault sensitivity and disturbance rejection can Aileron δa 0.50 /s11s ◦ be achieved according to Section 3. The synthesis of the dy- Rudder δr 0.49 /s12s ◦ namic filters for FDI has been performed by choosing a suit- Throttleaperture% δth 0.13 /s19s able linear combination of residual generator functions. This choice has to maximise the steady-state gain of the transfer Table 4: NLGA FDI technique: minimal step faults with ν = 8. functions between input sensor fault signals. The roots of the R(s) polynomial matrix have been optimised for maximis- ci(t) Variable Fault size Delay time ◦ ing the fault detection promptness, as well as to minimise Elevator δe 2 5s ◦ the occurrence of false alarms. In order to assess the PM di- Aileron δa 2 3s agnosis technique, different fault sizes have been simulated ◦ Rudder δr 2 6s on each sensor. Single faults in the input sensors have been Throttleaperture% δ 6% 3 s generated by producing abrupt (step) and ramp (slowly de- th veloping) faults in the input signals c(t). The residual signals ν = indicate fault occurrence according to whether their values Table 5: NLGA FDI technique: minimal ramp faults with 8. are lower or higher than the thresholds fixed in fault-free ci(t) Variable Fault size Delay time conditions. The residual processing methods can be based ◦ Elevator δe 0.21 /s11s on simple residual geometrical analysis or comparison with ◦ Aileron δa 0.45 /s12s fixed thresholds [3]. More complex residual evaluation can ◦ Rudder δr 0.32 /s10s rely on statistical properties of the residuals and hypothesis ◦ testing [6], or based on adaptive thresholds, that is, the so- Throttleaperture% δth 0.15 /s15s called threshold selector [21]. In this paper, the threshold test for FDI is performed with the logic described by (86): Concerning the NLGA, the synthesis of the residual generators has been performed by using filter gains that optimise the fault sensitivity and reduce as much as possible the oc- r − νσr ≤ r(t) ≤ r + νσr for f (t) = 0, (86) currence of false alarms due to model uncertainties and to − ν ν = r(t) < r σr or r(t) > r + σr for f (t) / 0, disturbances not completely decoupled. This robustness requirement has been fulfilled by designing the residual gains that is, the comparison of r(t) with respect its statistical nor- according to the Procedure 1. For example, with reference to 2 = mal characteristics. r and σr are the normal values for the the fourth residual generator, Procedure 1 has led to Kδth 1 mean and variance of the fault-free residual, respectively. In which satisfies the norm bounds γ = 1.2andβ = 400. order to separate normal from faulty behaviour, the tolerance This guarantees a good separation of the residual signal with parameter ν (normally ν ≥ 3) is selected and properly tuned. ≥ 0 05 and L ≤ 10, where L -norm is consid- f L2 . d 2 2 Hence, by a proper choice of the parameter ν, a good trade- ered. off can be achieved between the maximisation of fault detec- In order to assess the NLGA diagnosis technique, single tion probability and the minimisation of false-alarm proba- step and ramp faults have been used. Moreover, also in this bility. In practice, the threshold values depend on the residual case the threshold values have been chosen in simulation ac- error amount due to measurement errors, linearised model cording to (86). A suitable value of ν = 8 for the computation approximations, and disturbance signals that are not com- of the positive and negative thresholds in (86)hasbeencon- pletely decoupled. sidered. For what concern NLGA FDI scheme, the minimal Thus, in this case, a suitable value of ν = 4 for the com- detectable step faults on the various input sensors are sum- putation of the positive and negative thresholds in (86)has marised in Table 4. been considered. To summarise the performances of the PM On the other hand, the minimal detectable input sensor FDI scheme, the minimal detectable step faults on the vari- ramp faults are reported in Table 5. ous input sensors are collected in Table 2. The minimal detectable step fault values in Tables 2, 3, On the other hand, the minimal detectable ramp faults 4,and5 are expressed in the unit of measure of the sensor are reported in Table 3. signals. The fault step sizes and ramp slopes are relative to the M. Benini et al. 13

δe PM residuals δa PM residuals 1.5

0.01 1

−0.005 0.5

−0.02 0

−0.035 −0.5 0 100 200 300 400 0 100 200 300 400 Time (s) Time (s) (a) (b)

δr PM residuals δth PM residuals 0 15

10 −0.2 4

−0.4 −2

−8 −0.6 −14

−0.8 −20 0 100 200 300 400 0 100 200 300 400 Time (s) Time (s) (c) (d)

ν = Figure 1: PM residuals for the 1st input sensor ramp fault fc1 (t) isolation with 4.

case in which the occurrence of a fault is detected and isolated sign technique, only the 1st residual related to the δe signal as soon as possible. The detection delay times represent the of the filter bank is sensitive to a ramp fault affecting the 1st worst case results, as they are evaluated on the basis of the input sensor. time taken by the slowest residual function to cross the settled threshold. These experiments represent a further validation 5.1. Reliability and robustness evaluation of the residual generator robustness with respect to the fault type, as the the residual function sensitivity was optimised In this section, the robustness characteristics of the proposed only with respect to step faults. PM and NLGA FDI schemes have been evaluated and com- As an example, Figure 1 shows the 4 PM residual func- pared also with respect to the UIKF scheme [3] and the NN tions generated for the complete trajectory. On the basis of technique [7]. In particular, a bank of UIKF has been ex- the fault-free and faulty conditions, this bank provides the ploited for diagnosing faults of the monitored process. This correct isolation of the considered input sensor ramp fault. technique seems to be robust with respect to the modelling The horizontal lines represent the levels of the fault-free uncertainties, the system parameter variations, and the mea- thresholds that are settled according to test (86)withν = surement noise, which can obscure the performance of an 4. The first residual function depicted in Figure 1,provides FDI system by acting as a source of false faults. The procedure also the isolation of the fault fc(t) regarding the 1st input recalled here requires the design of a UIKF bank and the basic sensor. scheme is the standard one: a set of measured variables of the The second example of Figure 2 shows the 4 residual system is compared with the corresponding signals estimated functions generated by the NLGA filter bank applied to the by filters to generate residual functions. The diagnosis has complete aircraft trajectory. The horizontal lines represent been performed by detecting the changes of UIKF residuals the thresholds with ν = 12. Note that, due to the NLGA de- caused by a fault. The FDI input sensor scheme exploits a 14 Journal of Control Science and Engineering

δe NLGA residuals δa NLGA residuals 40 0.2

25 0.1

10 0

−5 −0.1

−20 −0.2 0 100 200 300 400 0 100 200 300 400 Time (s) Time (s) (a) (b)

δr NLGA residuals δth NLGA residuals 0.1 100

0.05 50

0 −0.05

−0.1 −50 0 100 200 300 400 0 100 200 300 400 Time (s) Time (s) (c) (d)

Figure 2: NLGA residuals for the 1st input sensor fault isolation with ν = 12. number of KF equal to the number of input variables. Each cess outputs. The FDI is therefore achieved by monitoring filter is designed to be insensitive to a different input sensor residual changes. The NN learning is typically an offline proof the process and its disturbances (the so-called unknown cedure. Normal operation data are acquired from the mon- inputs). Moreover, the considered UIKF bank was obtained itored plant and are exploited for the NN training. Regard- by following the design technique described in [3, Section ing the NN FDI method and according to a generalised ob- 3.5, pages 99–105], whilst the noise covariance matrices were server scheme (GOS) [3], a bank of 4 time-delayed three- estimated as described in [22, Section 3.3, pages 70–74 and layers multilayer perceptron (MLP) NN with 15 neurons in Section 4.6, pages 130-131]. Each of the 4 UIKF of the bank the input layer, 25 neurons in the hidden layer, and 1 neuron was decoupled from both one input sensor fault and the wind in the output layer is implemented. Each NN was designed gust disturbance component, thus providing the optimal fil- to be insensitive to each input sensor fault, and the NN were tering of the input-output measurement noise sequences. On trained in order to provide the optimal output prediction on the other hand, a dynamic NN bank has been exploited in or- the basis of the training pattern and target sequences [7]. der to find the dynamic connection from a particular fault re- In the following of this section, the performances of the garding the input sensors to a particular residual. In this case, different FDI schemes have been evaluated by considering a the learning capability of NN is used for identifying the non- more complex aircraft trajectory. This has been obtained by linear dynamics of the monitored plant. The dynamic NN means of the guidance and control functions of a standard provides the prediction of the process output with an arbi- autopilot which stabilises the aircraft motion towards the ref- trary degree of accuracy, depending on the NN structure, its erence trajectory as depicted in Figure 3. The reference tra- parameters, and a sufficient number of neurons. Once the jectory is made up of 4 branches (2 straight flights and 2 turn NN has been properly trained, the residuals have been com- flights) so that a closed path is obtained. It is worth observing puted as the difference between predicted and measured pro- that only 2 steady-state flight conditions are used to follow M. Benini et al. 15

(0 m, 2000 m) (6000 m, 2000 m) in Table 6 in order to compare the effectiveness of the differ- 2000 1st path ent FDI schemes. Thechoiceofν has been performed with reference to the 1500 particular flight conditions involved in the complete trajectory following. In particular, the selected value of ν for each FDI observer or filter represents a tradeoff between two ob-

(m) 1000 2nd path 4th path jectives, that is, for increasing the residual fault sensitivity Y and promptness, as well as for minimising the occurrence of false alarms due to the switching among the reference flight 500 conditions needed to stabilise the aircraft motion towards the reference trajectory. Table 6 shows how the proper design of 3rd path 0 the parameter ν allows to obtain good performances with all (0 m, 0 m) (6000 m, 0 m) the considered FDI schemes, hence the robustness with re- − 1000 0 1000 2000 3000 4000 5000 6000 7000 spect to the proposed complete trajectory is always achieved. X (m) It is worth noting that the NLGA has a theoretical advan- Figure 3: Aircraft complete trajectory example. tage by taking into account the nonlinear dynamics of the aircraft. However, the behaviour of the related nonlinear residual generators is quite sensitive to the model uncertainties Table 6: Performances of the FDI schemes for a complete aircraft due to variation of the flight condition. In fact, the NLGA trajectory. FDIschemerequireshighvaluesofν which have to be in- Variable PM NLGA UIKF NN creased (from 8 to 12 in this work) when the aircraft motion regarding the complete trajectory is considered in place of ν 41295 ◦ ◦ ◦ ◦ the nominal flight condition. In particular, even though the δe 4 3 4 3 analysis was restricted just to the aircraft turn phase of the ◦ ◦ ◦ ◦ δa 5 3 5 4 complete trajectory, a performance worsening would hap- ◦ ◦ ◦ ◦ δr 5 3 4 4 pen, since the steady-state condition (nominal flight condi- δth 7% 10% 11% 12% tion) is quite far to be reached. However, the filter design Mean detection delay 26 s 25 s 31 s 27 s based on the NLGA lead to a satisfactory fault detection, above all in terms of promptness. On the other hand, regarding the PM, it is rather simple to note the good FDI perfor- alternatively the 4 branches of the reference trajectory: mances, even if optimisation stages can be required. The ν values selected for the PM are lower, but the related residual (i) straight flight condition: true airspeed = 50 [m/s]; ◦ fault sensitivities are even smaller. Similar comments can be radius of curvature =∞; flight-path angle = 0 ; ◦ made for the UIKF and NN techniques. altitude = 330 [m]; flap deflection = 0 ; The simulation model applied to the complete trajec- (ii) turn flight condition: true airspeed = 50 [m/s]; radius ◦ tory is an effective way to test the performances of the proof curvature = 1000 [m]; flight-path angle = 0 ;alti- ◦ posed FDI methods with respect to modelling mismatch and tude = 330 [m]; flap deflection = 0 . measurement errors. The obtained results demonstrate the The reference turn flight condition is used to design the reliability of the PM-, NLGA-, UIKF-, and NN-based FDI PM and the NLGA filters. The achieved results are reported schemesaslongasproperdesignproceduresareadopted. in Tables 2 and 4, respectively. The performed tests represent a also a possible reliability evaluation of the considered FDI 5.2. Monte Carlo analysis techniques. In fact, in this case the diagnosis requires that the residual generators are robust with respect to the flight In this section, further experiment results have been re- conditions that do not match the nominal trajectory used for ported. They regard the performance evaluation of the de- the design. veloped FDI scheme with respect to uncertainty acting on As an example, the fault-free and faulty residuals gener- the system. Hence, the simulation of different fault-free and ated by the designed NN and UIKF banks are shown in Fig- faulty data sequences was performed by exploiting the air- ures 4 and 5,respectively. craft Matlab-Simulink simulator and a Monte Carlo analysis Table 6 summarises the results obtained by considering implemented in the Matlab environment. The Monte Carlo the observers and filters (corresponding to the PM, NLGA, tool is useful at this stage as the FDI performances depend on UIKF,and NN) for the input sensor FDI whose parameters the residual error magnitude due to the system uncertainty, have been designed and optimised for the steady-state coor- as well as the signal c(t)andy(t)measurementerrors.Itis dinated turn represented by the 2nd reference flight condi- worth noting how the Monte Carlo simulations have been tion of the complete trajectory. Table 6 reports the perfor- achieved by perturbing the parameters of the PM filter resid- mances of the considered FDI techniques in terms of the uals by additive white Gaussian noises with standard devia- minimal detectable step faults on the various input sensors, tion values equal to a fixed percentage p of the element val- as well as the corresponding parameters ν for the residual ues. The same experiments have been performed by statis- evaluation of (86). The mean detection delay is also reported tically varying the main parameters of the NLGA filters. In 16 Journal of Control Science and Engineering

δe residuals δa residuals 0.3 0.5

0.2

0.1

0 0

−0.1

−0.2 −0.5 −0.3

−0.4

−0.5 −1 0 10 20 30 40 50 60 70 80 90 0 10 20 30 40 50 60 70 80 90 Time (s) Time (s)

(a) (b)

δr residuals δth residuals 0.8 0.5

0.6

0.4 0 0.2

0 −0.5 −0.2

−0.4

−0.6 −1 0 10 20 30 40 50 60 70 80 90 0 10 20 30 40 50 60 70 80 90 Time (s) Time (s)

Figure 4: NN residuals with ramp fault.

these conditions, the Monte Carlo analysis represents a fur- Mean Detection/Isolation Delay (τmd, τmi): for a particular ther method for estimating the reliability and the robustness fault case, the average detection/isolation delay time. of the developed FDI schemes, when applied to the consid- These indices are hence computed for the number ered aircraft. of Monte Carlo simulations and for each fault case. For robustness and reliability experimental analysis of the Table 7summarises the results obtained by considering the FDI schemes, some performance indices have been used. The PM dynamic filters for the input sensor FDI for a complete performances of the FDI method are then evaluated on a aircraft trajectory and with p = 10%. number of Monte Carlo runs equal to 1000. This number The same analysis can be applied again to the resid- of simulations is carried out to determine the indices listed ual generated by means of the NLGA, NN, and UIKF FDI belowwithagivendegreeofaccuracy. schemes. The results are summarised in Tables 8, 9,and False-Alarm Probability (rfa): the number of wrongly de- 10. tected faults divided by total fault cases. Tables 7, 8, 9,and10 show how the proper design of the Missed-Fault Probability(rmf): for each fault, the total dynamic filters with a proper choice of the FDI thresholds al- number of undetected faults, divided by the total number of low to achieve false-alarm and missed-fault probabilities less times that the fault case occurs. than 0.6%, detection and isolation probabilities bigger than True Detection/Isolation Probability (rtd, rti): for a par- 99.4%, with minimal detection and isolation delay times. ticular fault case, the number of times it is correctly de- The results demonstrate also that Monte Carlo simulation is tected/isolated, divided by total number of times that the an effective tool for testing and comparing the design robust- fault case occurs. ness of the proposed FDI methods with respect to modelling M. Benini et al. 17

δe residuals δa residuals 0.04 1.2

0.03 1 0.02 0.8 0.01 0.6 0 0.4 −0.01 0.2 −0.02

−0.03 0

−0.04 −0.2 0 10 20 30 40 50 60 70 80 90 0 10 20 30 40 50 60 70 80 90 Time (s) Time (s) (a) (b)

δr residuals δth residuals 0.4 0.07

0.2 0.06 0.05 0 0.04 −0.2 0.03 −0.4 0.02 −0.6 0.01 −0.8 0

−1 −0.01 0 10 20 30 40 50 60 70 80 90 0 10 20 30 40 50 60 70 80 90 Time (s) Time (s) (c) (d)

Figure 5: UIKF residuals with ramp fault.

Table 7: PM Monte Carlo analysis with ν = 4andp = 10%. Table 9: NN Monte Carlo analysis with ν = 5.

Faulty sensor rfa rmf rtd, rti τmd, τmi Faulty sensor rfa rmf rtd, rti τmd, τmi

δe 0.002 0.003 0.997 27 s δe 0.004 0.005 0.995 33 s

δa 0.001 0.001 0.999 18 s δa 0.003 0.003 0.997 23 s

δr 0.002 0.003 0.997 25 s δr 0.004 0.004 0.996 29 s

δth 0.003 0.002 0.998 35 s δth 0.005 0.003 0.997 38 s

Table 8: NLGA Monte Carlo analysis with ν = 12 and p = 10%. Table 10: UIKF Monte Carlo analysis with ν = 9.

Faulty sensor rfa rmf rtd, rti τmd, τmi Faulty sensor rfa rmf rtd, rti τmd, τmi

δe 0.003 0.004 0.996 30 s δe 0.003 0.004 0.996 26 s

δa 0.002 0.002 0.998 15 s δa 0.002 0.002 0.998 17 s

δr 0.001 0.001 0.999 23 s δr 0.001 0.002 0.998 26 s

δth 0.004 0.003 0.997 32 s δth 0.004 0.003 0.997 37 s uncertainty (p = 10%) and ﬁxed measurement errors. This ment of the reliability of the developed, analysed, and applied last simulation technique example hence facilitates an assess- FDI methods. 18 Journal of Control Science and Engineering

6. CONCLUSION nonlinear systems,” IEEE Transactions on Automatic Control, vol. 44, no. 10, pp. 1879–1884, 1999. The paper provided the development and application of [10] C. De Persis and A. Isidori, “A geometric approach to nonlin- two FDI techniques based on a PM scheme and on an ear fault detection and isolation,” IEEE Transactions on Auto- NLGA method, respectively. The PM procedure led to resid- matic Control, vol. 45, no. 6, pp. 853–865, 2001. ual generators optimising the tradeoff between disturbance- [11] C. De Persis, R. De Santis, and A. Isidori, “Nonlinear actuator decoupling and fault sensitivity. Moreover, the application of fault detection and isolation for a VTOL aircraft,” in Proceed- thePMFDIschemeresultedrobustwithrespecttomodel ings of the American Control Conference (ACC ’01), vol. 6, pp. 4449–4454, Arlington, Va, USA, June 2001. uncertainties. On the other hand, the NLGA relies on a novel [12] M. Bonfe,` P. Castaldi, W. Geri, and S. Simani, “Fault detec- design scheme based on the structural decoupling of distur- H H tion and isolation for on-board sensors of a general aviation bances and modelling errors, Thus, the mixed −/ ∞ op- aircraft,” International Journal of Adaptive Control and Signal timisation of the tradeoff between fault sensitivity, distur- Processing, vol. 20, no. 8, pp. 381–408, 2006. bances, and modelling errors has been proposed. The PM [13] M. Bonfe,` P. Castaldi, W. Geri, and S. Simani, “Design and and NLGA residual generators were tested by considering a performance evaluation of residual genertors for the FDI of an nonlinear aircraft simulator model that takes into account aircraft,” International Journal of Automation and Computing, also the wind gusts, the Dryden turbulence, the input-output vol. 4, no. 2, pp. 156–163, 2007. sensors measurement errors, as well as the engine and the [14] B. L. Stevens and F. L. Lewis, Aircraft Control and Simulation, servo actuators. Moreover, in order to verify the robustness John Wiley & Son, New York, NY, USA, 2nd edition, 2003. characteristics and the achievable performances of the ap- [15] R. P. Guidorzi, “Invariants and canonical forms for systems proaches, the simulation results considered a typical aircraft stuctural and parametric identification,” Automatica, vol. 17, no. 1, pp. 117–133, 1981. reference trajectory consisting of several steady-state flight ff ff [16] S. Van Hu el and P. Lemmerling, Eds., Total Least Squares and conditions. The e ectiveness of the developed PM and NLGA Errors-in-Variables Modeling: Analysis, Algorithms and Appli- FDI schemes was shown by simulations and a comparison cations, Springer, Berlin, Germany, 1st edition, 2002. with widely used data-driven and model-based disturbance- [17] M. Bonfe,` S. Simani, P. Castaldi, and W. Geri, “Residual gen- decoupling FDI schemes, such as NN and UIKF diagnosis erator computation for fault detection of a general aviation methods, was provided. The reliability and the robustness aircraft,” in Proceedings of the 16th IFAC Symposium on Auto- properties of the proposed residual generators to model un- matic Control in Aerospace (ACA ’04), vol. 2, pp. 318–323, St. certainty and disturbances and measurement noise for the Petersburg, Russia, June 2004. aircraft nonlinear model were investigated via Monte Carlo [18] C. De Persis and A. Isidori, “On the observability codistri- simulations. Further works extensive comparative studies butions of a nonlinear system,” Systems and Control Letters, for robustness of the FDI algorithms when applied to real vol. 40, no. 5, pp. 297–304, 2000. [19] P. Castaldi, W. Geri, M. Bonfe,` and S. Simani, “Nonlinear ac- data. tuator fault detection and isolation for a general aviation aircraft,” in Proceedings of the 17th IFAC Symposium on Auto- REFERENCES matic Control in Aerospace (ACA ’07), vol. CD-Rom, pp. 1–6, Toulouse, France, June 2007. [1] A. Marcos, S. Ganguli, and G. J. Balas, “An application of H∞ [20] M. Hou and R. J. Patton, “LMI approach to H−/H∞ fault de- fault detection and isolation to a transport aircraft,” Control tection observers,” in Proceedings of the 1996 UKACC Interna- Engineering Practice, vol. 13, no. 1, pp. 105–119, 2005. tional Conference on Control (CONTROL ’96), pp. 305–310, [2] F. Amato, C. Cosentino, M. Mattei, and G. Paviglianiti, “A Exeter, UK, September 1996. direct/functional redundancy scheme for fault detection and [21] A Emami-Naeini, M. M. Akhter, and S. M. Rock, “Effect of isolation on an aircraft,” Aerospace Science and Technology, model uncertainty on failure detection: the threshold selector,” vol. 10, no. 4, pp. 338–345, 2006. IEEE Transactions on Automatic Control, vol. 33, no. 12, pp. [3] J. Chen and R. J. Patton, Robust Model-Based Fault Diagnosis 1106–1116, 1988. for Dynamic Systems, Kluwer Academic Publishers, Dordrecht, [22] S. Simani, C. Fantuzzi, and R. J. Patton, Model-Based Fault The Netherlands, 1999. Diagnosis in Dynamic Systems Using Identification Tech- [4] R. Isermann, Fault-Diagnosis Systems: An Introduction from niques, Advances in Industrial Control, Springer, London, UK, Fault Detection to Fault Tolerance, Springer, Berlin, Germany, 1st edition, 2002. 1st edition, 2005. [5] J. Gertler, Fault Detection and Diagnosis in Engineering Systems, Marcel Dekker, New York, NY, USA, 1998. [6] M. Basseville and I. V. Nikiforov, Detection of Abrupt Changes: Theory and Application, Prentice Hall, Upper Saddle River, NJ, USA, 1993. [7] J. Korbicz, J. M. Koscielny, Z. Kowalczuk, and W. Cholewa, Eds., Fault Diagnosis: Models, Artificial Intelligence, Applica- tions, Springer, Berlin, Germany, 1st edition, 2004. [8] M. A. Massoumnia, A geometric appoach to failure detection and identification in linear systems, Ph.D. thesis, Massachusetts Institute of Technology, Cambridge, Mass, USA, 1986. [9] H. Hammouri, M. Kinnaert, and E. H. El Yaagoubi, “Observer-based approach to fault detection and isolation for Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 523749, 11 pages doi:10.1155/2008/523749

Research Article Stability of Discrete Systems Controlled in the Presence of Intermittent Sensor Faults

Rui Vilela Dion´ısio1, 2 and Joao˜ M. Lemos3, 2

1 Laboratorio´ de Instrumentaçao˜ e Medida, Escola Superior de Tecnologia de Setubal,´ Instituto Politécnico de Setubal,´ Campus do IPS, Estefanilha, 2910-761 Setubal,´ Portugal 2 Instituto de Engenharia de Sistemas e Computadores-Investigaçao˜ e Desenvolvimento em Lisboa, Rua Alves Redol 9, 1000-029 Lisboa, Portugal 3 Instituto Superior Técnico, Universidade Técnica de Lisboa, Avenida Rovisco Pais, 1049-001 Lisboa, Portugal

Correspondence should be addressed to Rui Vilela Dion´ısio, [email protected]

Received 10 April 2007; Accepted 7 October 2007

Recommended by Jakob Stoustrup

This paper presents suﬃcient conditions for stability of unstable discrete time invariant models, stabilized by state feedback, when interrupted observations due to intermittent sensor faults occur. It is shown that the closed-loop system with feedback through a reconstructed signal, when, at least, one of the sensors is unavailable, remains stable, provided that the intervals of unavailability satisfy a certain time bound, even in the presence of state vanishing perturbations. The result is ﬁrst proved for linear systems and then extended to a class of Hammerstein systems.

Copyright © 2008 R. V. Dion´ısio and J. M. Lemos. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION packet dropout, and the problem of network-induced delay, in networked control systems [4, 5]. In recent years, the mass advent of digital communication Moreover, the approach suggested in this paper can be networks and systems has boosted the integration of tele- compared with different techniques based, for example, on operation in feedback control systems. Applications like un- the idea of the unknown input observer, as suggested in [6]. manned vehicles [1] or internet-based real time control [2] On the other hand, it is obvious to exploit Kalman filters and provide significant examples raising, in turn, new problems. fuzzy logic for sensor fusion, applied to autonomous under- This paper deals with one of such problems, if the com- water vehicle systems, as described in [7]. It was, also, shown munication channel through which feedback information in [8, 9] that the design of fault-tolerant observers can be passes is not completely reliable, sensors’ measurements may successfully applied to the control of rail traction drives. Fi- not be available to the controller during some intervals nally, the stability analysis for a real application example in of time. In such a situation, one has to couple the con- the presence of intermittent faults is described in [10]. troller with a block, hereafter called supervisor, which is Biomedical applications provide, as well, examples in able to discriminate between intervals of signal availability that the sensor used for feedback is intermittently unavail-

(availability time Tai ) and unavailability (unavailability time able. In [11] the artifacts in the neuromuscular blockade level

Tui+1 ), and to generate an estimate of the plant’s state dur- measurement in patients subject to general anaesthesia are ing this Tui+1 intervals. Methods for detection and estima- modeled as sensor faults. The occurrence of these faults is tion for abruptly changing systems [3] can be applied in detected with a Bayesian algorithm and, during the periods the problem considered here. For that purpose an algorithm of unavailability of the signal, the feedback controller is fed based on Bayesian decision could be implemented, for exam- with an estimate generated by a model. ple. It is shown, throughout the paper, that with the above Somehow related with the problem of temporary sensor described scheme, the controlled open-loop unstable plant unavailability presented in this paper are the problem of data will be stable (in some sense, to be deﬁned later) if the time 2 Journal of Control Science and Engineering

Supervisor

σ(k) Model x(k) x(k +1)= Ax(k)+Bu(k) ( , ) z(k) + δx k x Tu r(k) = 0 u(k) u (k) x(k) nl Plant Ta + Ψ(k, u) = + + x(k+1) (A + δA)x(k)+(B+δB)u(k) + −

Figure 1: Block diagram of a discrete feedback system with nonlinear actuator and interrupted observations supervisor.

T T T T T T T T T T a1 u2 a3 u4 a5 u6 a7 ui−1 ai ui+1 ···

0 T1 T2 T3 T4 T5 T6 Ti−1 Ti k Figure 2: Operation time line with availability intervals alternating with unavailability intervals.

interval, during which at least one of the sensors measure back from plant to model and from model to plant; (ii) the is unavailable, is somehow “small”, and that the Euclidean plant and the model rendered stable through state feedback. norm of the state x(k), at the end of each Tui+1 interval, is An example of supervisor based on Bayesian inference is a monotonic descent sequence. Moreover, if the plant state provided in [12, 13]. It is beyond the scope of this paper to is perturbed by a class of vanishing perturbations δx(k, x), detail this block. similar stability results are derived. The supervisor decides whether the state x(k) is being The contributions of the paper consist in providing suf- correctly measured by the sensors or not and commands the ficient conditions for stability of feedback controlled open- switch signal σ(k). During the time intervals in which the loop unstable systems with intermittent sensors faults. Linear sensors do not provide a reliable measure of the actual plant as well as nonlinear systems are considered. state (it is admitted that the state coincides with the out- This paper is organized in four sections and two appen- put) one possibility is to replace it by an estimate x(k)ob- dices. After this introduction, Section 2 makes a detailed sys- tained from a plant model. This yields a loss of performance tem description referring the functionality of the supervisor with respect to the ideal situation in which the sensors are in terms of detection and estimation of the state, and the always available, and may pose stability problems if the plant way the feedback system with linear as well as with nonlin- is open-loop unstable. ear actuators behaves when intermittent sensors faults oc- In order to understand the system functioning, consider cur. Section 3 presents two theorems with sufficient condi- the time line of operation, depicted in Figure 2, divided in tions, one for uniform stability of the system with linear and alternate intervals where all sensors operate correctly (Taj , nonlinear actuators, and respective corollaries, also with suf- with j = 1, 3, 5, 7, ..., i), and where, at least, one of them = − ficient conditions, and the other for uniform exponential fails (Tuj ,withj 2, 4, 6, ..., i 1, i + 1) being replaced by stability and descent monotonicity of the Euclidean norm the model estimate. Note that the index j does not repre- of the state x(k)attheendofeachTui+1 interval. More- sent discrete instants of time, but is rather used to enumerate over, Section 3 presents two other theorems, again with suf- both the availability, Taj , and the unavailability, Tuj , inter- ficient conditions, that prove that the system with linear and vals. These intervals are identified in script font in the up- nonlinear actuators, subject to a vanishing perturbation, is per part of the time line of Figure 2. The time instants cor- asymptotically stable. In Section 4 conclusions are drawn. responding to the beginning of each interval, wether it is Appendix A.1 gives a full proof of Theorem 1 and Corollar- an availability or an unavailability interval, are represented ies 1 and 2,andAppendix A.2 gives a full proof of Theorem 2 in the lower part of the time line of Figure 2.Letk0 de- and Corollaries 3 and 4. note the beginning of one such intervals. It is assumed that the first interval always corresponds to an availability inter- 2. SYSTEM DESCRIPTION val, and that the intervals are open at their end. Further- more, the time analysis always finishes in an unavailability The system depicted in Figure 1 is composed of two sub- interval at time k. Therefore, in a complete time sequence systems: (i) the supervisor responsible for detection of sen- there are (i + 1) intervals, where (i +1)isanevennum- sors’ measures interruptions, and for switching state feed- ber. R. V. Dion´ısio and J. M. Lemos 3

Supervisor

σ(k) Model x(k) x(k +1)= Ax(k)+Bu(k) δ (k, x) z(k) + x Tu = r(k) 0 u(k) Plant x(k) Ta + x(k+1)=(A + δ )x(k)+(B+δ )u(k) + + A B + −

Figure 3: Block diagram of a discrete feedback system with linear actuator, and interrupted observations supervisor.

The model initial sate x is made equal to the last available z(k) = x(k) during unavailability intervals, when measuring observation of the state x when an interrupted observation interruptions take place. occurs (x(k0) = x(k0) = x(k0 − 1)), since the sate x is no During availability intervals the plant state equation is longer available. x(k +1)= A + δA − B + δB L x(k)(4) 3. STABILITY RESULTS and during unavailability intervals the plant state equation is Three distinct situations regarding system’s stability are con- x(k +1)= A + δA x(k) − B + δB Lx(k). (5) sidered. In the ﬁrst case, the nonlinear function ψ(u(k)) does = Deﬁne the plant closed-loop dynamics matrix as not exist (ψ(u(k)) I;seeFigure 3). Moreover, the perturbation function ( , ) is also considered not to exist = − = − δx k x AδCL : A + δA B + δB L Aδ BδL,(6) (δx(k, x) = 0, see Figure 3). The second case is referred to the feedback system with nonlinear actuator function ψ(u(k)) the model closed-loop dynamics matrix as but, also, without the perturbation function δx(k, x); see A := A − BL,(7) Figure 1. The third case considers the existence of the per- CL turbation function δx(k, x) in both feedback systems, with the plant open and closed-loop transition matrices linear actuator, and with nonlinear actuator. − = k k0 In all the situations the reference signal, r(k), is consid- Φδ k, k0 : Aδ , − (8) ered to be zero, for all k ≥ 0 (regulation problem). k k0 Φδ k, k0 := A , Throughout the text, matrices norms are the ones in- CL δCL duced by the Euclidean norm of vectors, being given by their and the model open and closed-loop transition matrices largest singular value (A=σ [A] = σ ≥ 0). max A k−k0 Φ k, k0 := A , − (9) = k k0 3.1. System with linear input ΦCL k, k0 : ACL .

Consider Figure 3 with δx(k, x) = 0, and r(k) = 0, for all Theorem 1. Consider the closed-loop system of Figure 3 with ≤ k ≥ 0. The plant and the model depicted are described in the the unstable model in open-loop (bounded by Φ(k, k0) − state-space form by (1)and(2), respectively αβk k0 with α ≥ 1 and β>1, finite constants) rendered sta- k−k0 ble in closed-loop (ΦCL(k, k0)≤γλ with γ ≥ 1 afinite = x(k +1) A + δA x(k)+ B + δB u(k), (1) constant and 0 ≤ λ<1), through proper design of L. Consider, x(k +1)= Ax(k)+Bu(k)(2)also, that σB :=B, σL :=L, and that model uncertainties ≤ ≤ are bounded δA σδA ,and δB σδB . The system with ∈ Rn ∈ with x and x , accessible for direct measurement, u initial condition x(0) = x0 is globally uniformly stable provided Rp , A, B, δA,andδB are of appropriate dimensions, and that the total unavailability time Tu, up to discrete time k inside (A, B) is controllable. Moreover, δ and δ represent mod- A B the unavailability interval Tui+1 , satisfies the bound eling uncertainties. It is assumed that the plant is time in- log M (i +1) variant, and open-loop unstable. The state feedback of signal T < 1 − u log β + α·σ 2 z(k), yielded by the sensor δA log 1+ σB + σδ σL·γ/ β + α·σδ − λ αγ ( ) =− ( ), (3) · B A u k Lz k log β + α·σ δA is implemented by L, a matrix of feedback gains assumed to − log λ + γΣ = Ta · stabilize the model. Furthermore, z(k) x(k) during avail- log β + α σδA ability intervals, when all sensors are working properly, and (10) 4 Journal of Control Science and Engineering

≥ = · · ≤ with M1 1, a ﬁnite constant, and Σ : σδA + σδB σL is such Remark 2. Notice that since (β + α σδA ) > 1and0 (λ + that veriﬁes γΣ) < 1, then the bound on Tu has a monotonous crescent − linear relation with Ta in the result from Theorem 1,and ≤ 1 λ 0 Σ < , (11) Tui−1 also has a monotonous crescent linear relation with Tai−2 γ in the result from Corollary 1.

Ta is the total availability time. Remark 3. The constant N2 (in Corollary 2) represents an A result derived from the previous theorem is stated on upper bound on the rate of exponential decay of the overall the following corollary. system. If N2 <λ+ γΣ, then the result of Corollary 2 would indicate a negative solution for Tu,which,clearly,isnotpos- ∈ ∞ Corollary 1. Under the assumptions of Theorem 1, x(Tj ), sible, since Tu [0, [. Being N2 >λ+ γΣ, then the bound for j = 0, 2, 4, ..., i−1, (the state norm at the beginning of each on Tu has also a monotonous crescent linear relation with Ta, availability interval) is a monotonic descent sequence provided as mentioned in the previous remark. that the unavailability interval Tui−1 satisfies Remark 4. Concerning Theorem 1 and Corollary 2,con- · · − log 1+ σB + σδB σL γ/ β +α σδA λ αγ stants M1 and M2 represent an offset term for the upper T − < ui 1 log β + α·σ bound function on the evolution of ( ). The bigger these δA x k (12) constants are, the more conservative is the referred upper − log λ + γΣ T − ai 2 log β + α·σ bound on uniform stability and uniform exponential stabil- δA ity, respectively. = · and Σ : σδA + σδB σL is such that verifies Remark 5. Theorem 1 and Corollaries 1 and 2 present only 1 − λ 0 ≤ Σ < , (13) conservative sufficient stability conditions for the system of γ Figure 3.

Tai−2 is the availability time previous to Tui−1 . 3.2. System with nonlinear input Concerning global uniform exponential stability, con- = = sider the next corollary. Consider Figure 1 with δx(k, x) 0, and r(k) 0, for all k ≥ 0. The plant and the model depicted are described in the Corollary 2. Under the assumptions of Theorem 1, the sys- state-space form by (17)and(18), respectively, tem with initial condition x(0) = x is globally uniformly 0 x(k +1)= A + δ x(k)+ B + δ u (k), (17) exponentially stable provided that the total unavailability time A B nl x(k +1)= Ax(k)+Bunl(k), (18) Tu, up to discrete time k inside the unavailability interval Tui+1 , satisfies with x and x ∈ Rn, accessible for direct measurement, u and p unl ∈ R , A, B, δA,andδB are of appropriate dimensions, and log M2 − (i +1) Tu < (A, B) is controllable. Moreover, δA and δB represent model- log β + α·σδ /N2 2 A ing uncertainties. It is assumed that the plant is time invari- log 1+ σ + σ σ ·γ/ β + α·σ − λ αγ · B δB L δA (14) ant, and open-loop unstable. log β + α·σ /N δA 2 The vector unl represents the nonlinear input to both the plant and the model, u (k) = ψ(k, u). A memoryless nonlin- − log λ + γΣ /N 2 nl Ta · earity, ψ :[0,∞[×Rp→Rp, is said to satisfy a sector condition log β + α σδA /N2 globally [14]if ≥ = · with M2 1, a finite constant, and Σ : σδA + σδB σL is such T that verifies ψ(k, u) − Kmin u(k) ψ(k, u) − Kmax u(k) ≤ 0 (19) 1 − λ for all t ≥ 0, for all u ∈ Rp, for some real matrices K and 0 ≤ Σ < (15) min γ Kmax ,whereK = Kmax −Kmin is a positive definite symmetric matrix. The nonlinearity ψ(k, u)issaidtobelongtoasector and 0 ≤ N2 < 1 is a constant constrained to [Kmin , Kmax ]. N >λ+ γΣ, (16) 2 =− = Proposition 1. Consider Kmin (γ2/2)I and Kmax Ta is the total availability time. (γ2/2)I with γ2 a finite positive constant. The nonlinearity ψ(k, u) can be decomposed in a linear component and a A proof of the theorem and of the corollaries is presented nonlinear component, [15] in Appendix A.1. = − ψs(k, u) ψ(k, u) Kmin u(k), (20) Remark 1. The constraint Σ < (1 − λ)/γ is imposed to as- where ψ (k, u) represents the nonlinear component and verifies sure that the plant closed-loop transition matrix is such that s − the sector condition ≤ k k0 ≥ ΦδCL (k, k0) γ(λ + γΣ) with 0 (λ + γΣ) < 1 (see the T − ≤ proof in Appendix A.1). ψs (k, u) ψs(k, u) Ku(k) 0. (21) R. V. Dion´ısio and J. M. Lemos 5

Proof. This result is straightforward using (20)in(19), and Theorem 2. Consider the closed-loop system of Figure 1 where considering matrix K definition. the model is unstable in open-loop (bounded by Φ(k, k0)≤ − αβk k0 , with α ≥ 1,andβ>1, finite constants), rendered sta- Proposition 2. For the defined matrices Kmin and Kmax , k−k0 ble in closed-loop (ΦCL(k, k0)≤γλ , with γ ≥ 1 afi- the memoryless sector nonlinearity ψ(k, u) is bounded by ≤ ≤ ≥ ∈ Rp nite constant, and 0 λ<1), through proper design of P. ψ(k, u) (γ2/2) u(k) ,forallt 0,forallu . ≤ The nonlinearity ψs(k, u) satisfies ψs(k, u) γ2 u(k) for all t ≥ 0,forallu ∈ Rp. Consider, also, that σ :=B, Proof. Replacing K and K by their respective values in B min max σ :=L, σ :=P and that model uncertainties are (19), and since ψT (k, u)u(k) is a scalar, yields L P bounded δ ≤σ and δ ≤σ . The system with initial A δA B δB 2 = 2 γ 2 condition x(0) x0 is globally uniformly stable provided that ψ(k, u) − 2 u(k) ≤ 0. (22) 2 the total unavailability time Tu, up to discrete time k inside the unavailability interval T , satisfies the bound ≥ ≥ ui+1 By definition ψ(k, u) 0, u(k) 0, and γ2/2 > 0, which implies log M1 − (i +1) Tu < γ2 log β + α·σδ 2 ψ(k, u) ≤ u(k) . (23) A 2 · σB + σδB σP + γ2 σL γ log 1+ · − · · αγ β + α σδA λ + γσ δB γ2 σL . · log β + α σδA In order to find a bound on ψs(k, u) starting from (20), · using (23), and Kmin definition, it follows that log λ + γΣ + γ σB + σδB γ2 σL − Ta log β + α·σ ψ (k, u) ≤ γ u(k) . (24) δA s 2 (32) The state feedback of signal z(k), yielded by the sensor with ≥ 1, a finite constant, and := + · is such =− M1 Σ σδA σδB σP u(k) Lz(k), (25) that verifies is implemented by L, a matrix of feedback gains assumed to = 1 − λ stabilize the model. Furthermore, z(k) x(k) during avail- 0 ≤ Σ < (33) ability intervals, when all sensors are working properly, and γ z(k) = x(k) during unavailability intervals, when measuring interruptions take place. and γ2 is the less of the following two inequalities: During availability intervals, the plant state equation is − = − 1 λ + γΣ x(k +1) A + δA B + δB Kmin L x(k) γ2 < , (26) γ σB + σδB σL − (34) + B + δB ψs Lx(k) · − β + α σδA λ γ2 < · · , and during unavailability intervals, the plant state equation γ σδB σL is Ta is the total availability time. x(k +1)= A + δA x(k)+ B + δB (27) − − . ψs Lx(k Kmin Lx(k) . As in the previous subsection the following two corollaries are derived. Define the plant closed-loop dynamics matrix as = − = − Corollary 3. Under the assumptions of Theorem 1, x(Tj), AδCL : A + δA B + δB Kmin L Aδ BδKmin L, (28) for j = 0, 2, 4, ..., i−1, (the state norm at the beginning of each the model closed-loop dynamics matrix as availability interval) is a monotonic descent sequence provided

that the unavailability interval Tui−1 satisﬁes ACL := A − BKmin L, (29) the plant open and closed-loop transition matrices as σ + σ σ + γ ·σ γ log 1+ B δB P 2 L αγ − − β + α·σ − λ + γσ ·γ ·σ = k k0 = k k0 − δA δB 2 L Φδ k, k0 : A + δA Aδ , Tui−1 < log (β + α·σδ ) − (30) A = k k0 ΦδCL k, k0 : AδCL , log λ + γΣ + γ σ + σ γ ·σ − B δB 2 L Tai−2 · the model open and closed-loop transition matrices as log β + α σδA (35) k−k0 Φ k, k0 := A , (31) k−k0 = · = and Σ : σδA + σδB σL is such that veriﬁes ΦCL k, k0 : ACL , and matrix P = K L, considered to stabilize the model in 1 − λ min 0 ≤ Σ < (36) closed loop. γ 6 Journal of Control Science and Engineering

and γ2 is the less of the following two inequalities: Remark 8. Concerning Theorem 2 and Corollary 4,constants M1 and M2 represent, once again, an oﬀset term for the 1 − λ + γΣ γ < , upper bound function on the evolution of x(k) .Thebig- 2 γ σ + σ σ ger these constants are, the more conservative is the referred B δB L (37) · − upper bound on uniform stability and uniform exponential β + α σδA λ γ2 < · · , stability, respectively. γ σδB σL

Tai−2 is the availability time previous to Tui−1 . Remark 9. Theorem 2 and Corollaries 3 and 4 present only conservative sufficient stability conditions for the system of Corollary 4. Under the assumptions of Theorem 2, the system Figure 1. with initial condition x(0) = x0 is globally uniformly exponentially stable provided that the total unavailability time Tu,upto 3.3. Perturbed system with linear and nonlinear inputs discrete time k inside the unavailability interval Tui+1 ,satisfies Consider that both systems depicted in Figures 1 and 3, log M2 (i +1) ff Tu < − su er the influence of perturbation δx(k, x), where δx : log β + α·σδ /N2 2 ∞ × →Rn A [0, [ D is piecewise continuous in k and locally Lips- · chitz in x on [0, ∞[×D,andD ⊂ Rn is a domain that contains σB + σδB σP + γ2 σL γ log 1+ αγ the origin = 0. Also, ( , )≤ ( ) for all ≥ 0, for β + α·σδ − λ + γσδ ·γ ·σL x δx k x x k k . A B 2 all ∈ ,and is a nonnegative constant, meaning that the log β + α·σ /N x D δA 2 perturbation satisfies a linear growth bound, therefore, con- log λ + γΣ + γ σ + σ γ ·σ /N2 − T B δB 2 L sidering a vanishing perturbation, [14]. a · = log β + α σδA /N2 During availability intervals Taj ,forj 1, 3, 5, ..., i, (38) both systems can be represented by the autonomous equation ≥ = · with M1 1, a finite constant, and Σ : σδA + σδB σP is such that verifies x(k +1)= F(k, x), (42) 1 − λ 0 ≤ Σ < (39) where F(k, x), for the system depicted in Figure 3,is γ = ∈ F(k, x) AδCL x(k), k Taj , (43) and γ2 is the less of the following two inequalities: − and for the system depicted in Figure 1, F(k, x)is 1 λ + γΣ γ2 < , γ σB + σδ σL = − ∈ B F(k, x) AδCL x(k)+ B + δB .ψs Lx(k) , k Taj . · − (40) β + α σδA λ (44) γ2 < · · , γ σδB σL Clearly, F(0) = 0 in both situations (from (19)andma- ≤ and 0 N2 < 1 is a constant constrained to trices’ Kmin and Kmax definition in Proposition 1, the sector memoryless nonlinearity verifies ψ (0) = 0). Recalling + + + · , (41) s N2 > λ γΣ γ σB σδB γ2 σL the state equations (5)and(27) during unavailability intervals Tu ,forj = 2, 4, 6, ..., i + 1, and the fact that the ini- Ta is the total availability time. j tial model state x is made equal to the last available obser- A proof of the theorem and of the corollaries is presented vation of the state x when an interrupted observation occurs, = = − in Appendix A.2. (x(k0) x(k0) x(k0 1)), it is clearly understood that if the state becomes zero during an availability interval, then it will · remain zero for all time instants belonging to any unavail- Remark 6. Notice that since (β + α σδA ) > 1 then it must · ability interval that may occur. The function’s F(k, x)branch be (λ + γΣ)+γ(σB + σδB )γ2 σL < 1, which leads to (34), (37), and (40), so that the bound on Tu has a monotonous related with the unavailability interval is not of obvious writ- crescent linear relation with Ta in the result from Theorem 2, ing in terms only of x(k). It has an easier writing in terms of ( )andof( ). Nevertheless, since these two states are re- and Tui−1 also has a monotonous crescent linear relation with x k x k lated at the switching time between availability and unavail- Tai−2 in the result from Corollary 3. ability intervals (as recalled above), it can be understood that Remark 7. The constant N2 (in Corollary 4) represents an during an unavailability interval, F(k, x) exists. upper bound on the rate of exponential decay of the over- It is important to stress out that an unavailability interval · all system. If N2 < (λ + γΣ)+γ(σB + σδB )γ2 σL, then the cannot occur without having previously existed an availabil- result of Corollary 4 would indicate a negative solution for ity interval. Bearing this in mind, it is possible to state that Tu, which, clearly, is not possible, since Tu ∈ [0, ∞[. Being F(0) = 0, for all k ≥ 0, (including availability and unavail- · N2 > (λ + γΣ)+γ(σB + σδB )γ2 σL, then the bound on Tu has ability intervals). also a monotonous crescent linear relation with Ta,asmen- Also, linear and nonlinear systems were proved to be tioned in the previous remark. globally uniformly exponentially stable, under the conditions R. V. Dion´ısio and J. M. Lemos 7

= of Corollaries 2 and 4, respectively, therefore, both F(k, x) designated as Taj ,withj 1, 3, 5, 7, ..., i, and the intervals Rn are Lipschitz not only near the origin, but in ,andverify where the observations are interrupted are designated as Tuj , F(x1) − F(x2)≤Lvx1 − x2. with j = 2, 4, 6, ..., i − 1, i+1. Let the discrete time instant k0 Combining the results from Corollaries 2 and 4 with the denote the beginning of a generic interval. above comments, and with the result presented in [16], is Since it will be often used in the following proofs, a reproduced in the next theorem. Gronwall-Bellman type of inequality for sequences is presented [17]. Theorem 3. Let F : Rn→Rn satisfy a Lipschitz condition in a neighborhood of the origin, with F(0) = 0. If the origin is Lemma 1. Suppose the scalar sequences υ(k) and φ(k) are such an exponentially stable fixed point of x(k +1) = F(x(k)),it that υ(k) ≥ 0 for k ≥ k0,and is an asymptotically stable fixed point of the perturbed system ⎧ = ⎪ x(k +1) F(x(k)) + δx(k, x). ⎨⎪Ψ, k = k0, ≤ k−1 φ(k) ⎪ (A.1) This leads to the next two theorems. ⎩⎪Ψ + η υ(j)φ(j), k ≥ k0 +1, j=k0 Theorem 4. The nonperturbed system from Figure 3, x(k + ≥ 1) = F(k, x),verifyingCorollary 2 and Theorem 3 sufficient where Ψ and η are constants with η 0. Then conditions, has a globally asymptotically stable fixed point of = k−1 the perturbed system x(k +1) F(x(k)) + δx(k, x) in the ori- ≤ n φ(k) Ψ 1+ηυ(j) . (A.2) gin, and δx :[0,∞[×D→R is piecewise continuous in k and j=k locally Lipschitz in x on [0, ∞[×D,andD ⊂ Rn is a domain 0 = ≤ that contains the origin x 0.Also, δx(k, x) x(k) for − ≥ ∈ Consider, also, the sum of the (k k0) terms of a geomet- all k 0, for all x D with a nonnegative constant satisfies ric progression with ratio r, alineargrowthbound. k−1 rk0 − rk Theorem 5. It is the same redaction of Theorem 4,butconsid- r j = . (A.3) ering the system from Figure 1. 1 − r j=k0

Remark 10. TheseresultsareglobalsincebothF(k, x)are If |r| < 1, then, as k→∞,(A.3)becomes Lipschitz continuous in Rn, and the original systems are uniformly exponentially stable, [16]. − k1 k0 j = r r − . (A.4) = 1 r 4. CONCLUSIONS j k0

The paper presents and proves suﬃcient conditions that al- A.1. Stability proofs for system with linear input low a discrete time analysis of sensor unavailability (interrupted observations) intervals, bounding these intervals in Proof of Theorem 1. Consider the system depicted in order to state that the unstable open-loop plant represented Figure 3. During availability time intervals Taj ,with in Figure 1, when controlled in closed-loop, is globally uni- j = 1, 3, 5, 7, ..., i,itisz(k) = x(k), and the plant state x(k) formly exponentially stable. These results are proved under evolves according to the existence of modeling uncertainties and if plant state van- = ≥ ishing perturbations occur, then global asymptotical stability x(k) ΦδCL k, k0 x k0 , k k0 +1. (A.5) is achieved for the perturbed system. The results were proved for either systems with linear actuators, or with memoryless On the other hand, during unavailability time intervals Tuj , sector nonlinear actuators. with j = 2, 4, 6, ..., i − 1, i +1,itisz(k) = x(k), the model It is interesting to note that in a related work [4], a sim- state x(k) evolves according to ilar conservative theoretical result regarding uniform expo- = ≥ nential stability is reported, showing that longer intervals of x(k) ΦCL k, k0 x k0 , k k0 +1, (A.6) unavailability can be reached in practice and that these theoretical results might be too conservative for practical pur- and the plant state x(k) evolves according to poses. x(k) = Φδ k, k0 x k0

APPENDIX k−1 − Φδ k, j +1 B + δB Lx(j), k ≥ k0 +1. Throughout the appendix, the matrices norms are the ones j=k0 induced by the Euclidean norm of vectors, being given by (A.7) their largest singular values. Consider the discrete time line represented in Figure 2. Replacing (A.6)in(A.7), and knowing that the model ini- The intervals where the sensors yield correct measures are tial sate x is made equal to the last available observation of 8 Journal of Control Science and Engineering

= ≤ · the state x when an interrupted observation occurs (x(k0) Since 0 λ/(β + α σδA ) < 1, and considering (A.4), after x(k0) = x(k0 − 1)), the plant state x(k)evolutionis some calculations = σ ·γ x(k) Φδ k, k0 x k0 ≤ L x(k) 1+ σB + σδB − β + α·σδ − λ k1 A (A.13) k−k − Φδ(k, j +1) B + δB LΦCL j, k0 x k0 , · 0 · .α β + α σδA x k0 . j=k0 = k ≥ k0 +1. The complete state evolution from time instant k 0, up to ∈ (A.8) the ﬁnal time instant at k Tui+1 , is given by the alternate product of (A.5)by(A.8), where x(k0) = x(k0) = x(k0 − It is assumed that the model in closed-loop is stable and 1) is considered. Applying results (A.11)and(A.13) to this k−k0 bounded by ΦCL(k, k0)≤γλ , k ≥ k0,with0≤ λ<1 product originates ≥ and γ 1, and that the model is unstable in open-loop, but · − σL γ k−Ti ≤ k k0 ≥ ≤ · bounded by Φ(k, k ) αβ , k k ,withβ>1and x(k) 1+ σB + σδB α β + α σδA 0 0 β + α·σ − λ ≥ 1. δA α − − ≤ · (Ti 1) Ti−1 For bounded model uncertainties δA σδA , and con- γ λ + γΣ sidering the bound on Φ(k, k0) ,withβ>1 (this corre- σ ·γ − ··· 1+ + L + · T2 T1 sponds to assume an unfavorable situation), it can be proved σB σδB · − α β α σδA β + α σδA λ through the use of Lemma 1,ifδA is seen as a perturbation in − · T1 1· the system x(k +1)= (A + δA)x(k), [17], that Φδ(k, k0)≤ γ λ + γΣ x0 − · k k0 · (i+1)/2 Tu Ta α(β + α σδA ) ,with(β + α σδA ) > 1. This means, as ex- = · · · · c1 β + α σδA λ + γΣ x0 , pected, that if the model dynamics are open-loop unstable, (A.14) then there will be a δA such that the plant dynamics will be open-loop unstable (the use of a continuity argumenta- where Tu and Ta represent the entire duration of all unavail- tion could also explain such assertion). A similar proof can ability and availability time intervals, respectively, and be given for the stability of the plant in closed-loop since · k−k0 σL γ the model is stable in closed-loop (ΦCL(k, k0)≤γλ , := 1+ + (A.15) c1 σB σδB · − αγ. with 0 ≤ λ<1). Again, recurring to Lemma 1, and con- β + α σδA λ − sidering that (δA δBL) is seen as a perturbation in the In order for the system to be uniformly stable, it must verify = − system x(k +1) [(A + δA) (B + δB)L]x(k), it can be ≤ ≥ ≥ − x(k) M1 x(k0) , k k0,withM1 1. Therefore, from ≤ k k0 ≥ proved that ΦδCL (k, k0) γ(λ + γΣ) , k k0,with (A.14) ≤ − = · 0 Σ < (1 λ)/γ,andΣ : σδA + σδB σL. Upper bounds for (A.5) during availability time inter- c(i+1)/2· β + α·σ Tu · λ + γΣ Ta ≤ M 1 δA 1 vals, and for (A.8) during unavailability time intervals, are − − =⇒ ≤ log M1 (i +1)/2 log c1 Ta log λ + γΣ obtained, respectively Tu · . log β + α σδA x(k) = Φ k, k x k ,(A.9) (A.16) δCL 0 0 Replacing (A.15)in(A.16) gives the desired result from x(k) = Φδ k, k0 x k0 Theorem 1 subject to the constraint Σ < (1 − λ)/γ, and the − result holds globally since it is valid for any x(k0). k1 − Φ k, j +1 B + δ LΦ j, k x k . δ B CL 0 0 Proof of Corollary 1. Consider the Euclidean norm of x(k)at j=k0 discrete times = − ,and = − , at the end of the un- (A.10) k Ti 1 k Ti 3 availability intervals Tui−1 ,andTui−3 , respectively. In order for Starting from (A.9), yields x(Tj ),forj = 0, 2, 4, 6, ..., i−1, to be a monotonic descent sequence, it should verify − ≤ k k0 x(k) γ λ + γΣ x k0 (A.11) xTi−1 = ≤ < 1 (A.17) and for (A.10), recalling that B : σB, δB σδB ,and x Ti−3 L := σL, equivalently, from the ﬁrst two lines of (A.14), and consider- − ≤ · k k0 ing (A.15) x(k) α β + α σδA − − − · Ti−1 Ti−2 · (Ti−2 1) Ti−3 k−1 c1 β + α σδA λ + γΣ < 1 (A.18) − − − · k j 1 j k0 + α β + α σδA σB + σδB σLγλ − = − − = or, since Ti−1 Ti−2 Tu − ,and(Ti−2 1) Ti−3 Ta − j=k i 1 i 2 0 · − − x k0 . log c1 Tai−2 log λ+ γΣ − (A.19) Tui 1 < · . (A.12) log β + α σδA R. V. Dion´ısio and J. M. Lemos 9

− ≤ · k k0 Replacing (A.15)in(A.19) gives the desired result from in Appendix A.1 that Φδ(k, k0) α(β + α σδA ) with − · Corollary 1 subject to the constraint Σ < (1 λ)/γ, and the (β + α σδA ) > 1. A similar proof can be given for the stability result holds globally since it is valid for any x(k0). of the plant in closed-loop since the model is stable in closed- − loop (Φ (k, k )≤γλk k0 with 0 ≤ λ<1). Recurring to Proof of Corollary 2. In order for the system to be uni- CL 0 Lemma 1, and considering that (δ − δ P)isseenasaper- formly exponentially stable, it must verify x(k)≤ A B turbation in the system x(k+1) = [(A+δ )−(B+δ )P]x(k), k−k0 A B M N x(k ), k ≥ k ,withM ≥ 1, and 0 ≤ N < 1. k−k 2 2 0 0 2 2 it can be proved that Φ (k, k )≤γ(λ + γΣ) 0 , k ≥ k Therefore, from (A.14) and considering k = 0, and (k − δCL 0 0 0 with 0 ≤ Σ < (1 − λ)/γ,andΣ := σ + σ ·σ ,[17]. k ) = T + T , δA δB P 0 u a Upper bounds for (A.21) during availability time inter- (i+1)/2 Tu Ta Tu+Ta vals, and for (A.23) during unavailability time intervals, are c · β + α·σδ · λ + γΣ ≤ M2N 1 A 2 obtained, respectively log M2 − (i+1)/2 log c1 −Ta log λ+γΣ /N2 =⇒ ≤ Tu · . log β + α σδA /N2 = (A.20) x(k) ΦδCL k, k0 x k0 − Replacing (A.15)in(A.20) gives the desired result from k1 − − Corollary 2 subject to the constraint Σ < (1 λ)/γ, and the + ΦδCL k, j +1 B + δB ψs Lx(j) , = result holds globally since it is valid for any x(k0). j k0 − k1 = A.2. Stability proofs for system with nonlinear input x(k) Φδ k, k0 x k0 + Φδ(k, j +1) B + δB j=k 0 Proof of Theorem 2. Consider the system depicted in − − Figure 1. During availability time intervals Taj ,with . ψs Lx(j) Px(j) . j = 1, 3, 5, 7, ..., i,itisz(k) = x(k), and the plant state x(k) evolves according to (A.24)

k−1 = ≤ = From (A.24), recalling that B : σB, δB σδB , L : x(k) = Φδ k, k0 x k0 + Φδ k, j +1 B + δB CL CL σL and considering (24) yield, respectively j=k 0 − ≥ − .ψs Lx(j) , k k0 +1. k k0 x(k) ≤ γ λ + γΣ · x k0 (A.21) k−1 − −1 + γ λ + γΣ k j · σ + σ γ ·σ ·x(j), On the other hand, during unavailability time intervals Tuj , B δB 2 L = with j = 2, 4, 6, ..., i − 1, i +1,itisz(k) = x(k), the model j k0 initial sate x is made equal to the last available observation of (A.25) the state x when an interrupted observation occurs (x(k0) = − = − ≤ · k k0 · x(k0) x(k0 1)), the model state x(k) evolves according to x(k) α β + α σδA x k0 k−1 x(k) = ΦCL k, k0 x k0 k− j−1 + α β + α·σδ (A.26) − A k1 j=k − ≥ 0 + ΦCL(k, j +1)Bψs Lx(j) , k k0 +1 · σB + σδ σP + γ ·σL · x(j) . j=k0 B 2 (A.22) Applying Lemma 1 to (A.25)gives and the plant state x(k) evolves according to k−k0 x(k) ≤ γ λ + γΣ + γ σB + σδ γ ·σL · x k0 . x(k) = Φδ k, k0 x k0 B 2 (A.27) k−1 + Φ (k, j +1) B + δ (A.23) δ B Anupperboundfor(A.22) is obtained from j=k 0 − − ≥ . ψs Lx(j) Px(j) , k k0 +1. k−1 − − − ( ) ≤ k k0 · + k j 1 · · ·( ) It is assumed that the model in closed-loop is stable and x k γλ x k0 γλ σB γ2 σL x j . − j=k0 ≤ k k0 ≥ ≤ bounded by ΦCL(k, k0) γλ , k k0,with0 λ<1 (A.28) and γ ≥ 1, and that the model is unstable in open-loop, but − ≤ k k0 ≥ bounded by Φ(k, k0) αβ , k k0,withβ>1and Applying Lemma 1 and recalling that x(k ) = x(k ) = x(k − ≥ 0 0 0 α 1. 1) yield ≤ For bounded model uncertainties δA σδA , and considering the bound on Φ(k, k0) with β>1 (this corre- − ≤ · · · k k0 · sponds to assume an unfavorable situation), it was proved x(k) γ λ + γ σB γ2 σL x k0 . (A.29) 10 Journal of Control Science and Engineering

Using (A.29)in(A.26), Proof of Corollary 3. Consider the Euclidean norm of x(k)at = = discrete times k Ti−1,andk Ti−3, at the end of the un- k−k ≤ · 0 · availability intervals Tui−1 ,andTui−3 , respectively. In order for x(k) α β + α σδA + α σB + σδB σP + γ2 σL γ x(Tj ),forj = 0, 2, 4, 6, ..., i−1, to be a monotonic descent − − · k 1· · · · k0 sequence, it should verify . β + α σδA λ + γ σB γ2 σL k−1 · · · j λ + γ σB γ2 σL xTi−1 · · x k0 . < 1. (A.36) · − β + α σδA x Ti 3 j=k0 (A.30) This proof is outlined in the very same way as Corollary 1 proof, therefore, the following equation yields naturally after Making use of (A.3)in(A.30)gives Theorem 2 proof calculations: k−k0 − − · ≤ · · log c2 Tai−2 log λ + γΣ + γ σB + σδB γ2 σL x(k) α β + α σδA + α σB + σδB σP + γ2 σL γ Tui−1 < · . log β + α σδA − − β + α·σ k k0 − λ + γ·σ ·γ ·σ k k0 (A.37) . δA B 2 L β + α·σ − λ + γ·σ ·γ ·σ δA B 2 L Replacing (A.34)in(A.37) gives the desired result from · x k0 . Corollary 3 subject to the constraints Σ < (1 − λ)/γ,and · − · · (A.31) γ2 < (β + α σδA λ)/(γ σB σL). The result holds globally since it is valid for any x(k0). · − · · Providing γ2 < (β + α σδA λ)/(γ σB σL), and considering (A.4), after some calculations, (A.31) yields Proof of Corollary 4. In order for the system to be uniformly exponentially stable, it must verify x(k)≤ − σ + σ · σ + γ ·σ γ M Nk k0 x(k ), k ≥ k ,withM ≥ 1, and 0 ≤ N < x(k) ≤ 1+ B δB P 2 L 2 2 0 0 2 2 · − · · · 1. Therefore, from (A.33), and considering k0 = 0, and β + α σδA λ + γ σB γ2 σL (A.32) − = k−k0 (k k0) Tu + Ta, .α β + α·σ · x k0 . δA (i+1)/2· · Tu · · Ta c2 β + α σδA λ + γΣ + γ σB + σδB γ2 σL From this point on, the demonstration follows closely the one of Theorem 1 (see Appendix A.1), and applying results log M − (i +1)/2 log c ≤ Tu+Ta =⇒ ≤ 2 2 (A.27)and(A.32) originates M2N2 Tu · log β + α σδA /N2 ≤ (i+1)/2· · Tu · x(k) c2 β + α σδA λ + γΣ +γ σB +σδB γ2 σL (A.33) Ta log Ta N2 · λ + γΣ + γ σB + σδ γ ·σL · x0 , − B 2 · . log β + α σδA /N2 where Tu and Ta represent the entire duration of all unavail- (A.38) ability and availability time intervals, respectively, and Replacing (A.34)in(A.38) gives the desired result from · · Corollary 4 subject to the constraints Σ < (1 − λ)/γ and σB + σδB σP + γ2 σL γ c2 := 1+ αγ. (A.34) · − · · · − · · · γ2 < (β + α σδA λ)/(γ σB σL). The result holds globally β + α σδA λ + γ σB γ2 σL since it is valid for any x(k0). In order for the system to be uniformly stable, it must verify x(k)≤M1x(k0), k ≥ k0 with M1 ≥ 1. Therefore, from ACKNOWLEDGMENT (A.33) This work was produced in the framework of the (i+1)/2 Tu Ta project IDEA—Integrated Design for Automated Anaesthe- c · β + α·σ · λ + γΣ + γ σ + σ γ ·σ 2 δA B δB 2 L sia, PTDC/EEA-ACR/69288/2006. log M − (i +1)/2 log c ≤ M =⇒ T ≤ 1 2 1 u log β + α·σ δA REFERENCES T log λ + γΣ + γ σ + σ γ ·σ − a B δB 2 L . log β + α·σ [1] E. Halberg, I. Kaminer, and A. Pascoal, “Development of a δA ﬂight test system for unmanned air vehicle,” IEEE Control Sys- (A.35) tems, vol. 19, no. 1, pp. 55–65, 1999. [2] J. W. Overstreet and A. Tzes, “An Internet-based real-time con- Replacing (A.34)in(A.35) gives the desired result from trol engineering laboratory,” IEEE Control Systems, vol. 19, Theorem 2 subject to the constraints Σ < (1 − λ)/γ,and no. 5, pp. 19–34, 1999. · − · · γ2 < (β + α σδA λ)/(γ σB σL). The result holds globally [3] J. Tugnait, “Detection and estimation for abruptly changing since it is valid for any x(k0). systems,” Automatica, vol. 18, pp. 607–615, 1982. R. V. Dion´ısio and J. M. Lemos 11

[4] W. Zhang, M. S. Branicky, and S. M. Phillips, “Stability of networked control systems,” IEEE Control Systems, vol. 21, no. 1, pp. 84–99, 2001. [5] T. Estrada, H. Lin, and P. J. Antsaklis, “Model-based control with intermittent feedback,” in Proceedings of the 14th Mediter- ranean Conference on Control and Automation (MED ’06),pp. 1–6, Ancona, Italy, June 2006. [6] H. Yang and M. Saif, “Observer design and fault diagnosis for state-retarded dynamical systems,” Automatica,vol.34,no.2, pp. 217–227, 1998. [7] D. Loebis, R. Sutton, J. Chudley, and W. Naeem, “Adaptive tuning of a Kalman filter via fuzzy logic for an intelligent AUV navigation system,” Control Engineering Practice, vol. 12, no. 12, pp. 1531–1539, 2004. [8] S. M. Bennett, R. J. Patton, and S. Daley, “Sensor fault-tolerant control of a rail traction drive,” Control Engineering Practice, vol. 7, no. 2, pp. 217–225, 1999. [9] C. J. Lopez-Toribio and R. J. Patton, “Takagi-Sugeno fuzzy fault-tolerant control for a non-linear system,” in Proceedings of the 38th IEEE Conference on Decision and Control (CDC ’99), vol. 5, pp. 4368–4373, Phoenix, Ariz, USA, December 1999. [10] O. R. Gonzalez, W. S. Gray, A. Tejada, and S. Patilkulkarni, “Stability analysis of upset recovery methods for electromagnetic interference,” in Proceedings of the 40th IEEE Conference on Decision and Control, vol. 5, pp. 4134–4139, Orlando, Fla, USA, December 2001. [11] J. M. Lemos, H. Magalhaes,˜ T. Mendonça, and R. V.Dion´ısio, “Control of neuromuscular blockade in the presence of sensor faults,” IEEE Transactions on Biomedical Engineering, vol. 52, no. 11, pp. 1902–1911, 2005. [12] J. M. Lemos, H. Magalhaes,R.V.Dion˜ ´ısio, and T. Mendonça, “Control of physiological variables in the presence of interrupted feedback measurements,” in Proceedings of the 16th International Conference on Systems Engineering (ICSE ’03), vol. 2, pp. 433–438, Coventry, UK, September 2003. [13] R. V. Dion´ısio and J. Lemos, “Stability results for discrete systems controlled in the presence of interrupted observations,” in Proceedings of the 11th IEEE Mediterranean Conference on Control and Automation (MED ’03), Rhodes, Greece, June 2003. [14] H. K. Khalil, Nonlinear Systems, Prentice Hall, Upper Saddle River, NJ, USA, 2nd edition, 1996. [15] W. M. Haddad and V. Kapila, “Static output feedback controllers for continuous-time and discrete-time systems with input non-linearities,” European Journal of Control, vol. 4, pp. 22–31, 1998. [16]P.O.M.Scokaert,J.B.Rawlings,andE.S.Meadows, “Discrete-time stability with perturbations: application to model predictive control,” Automatica, vol. 33, no. 3, pp. 463– 470, 1997. [17] W. J. Rugh, Linear System Theory, Prentice-Hall, Upper Saddle River, NJ, USA, 2nd edition, 1996. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 723292, 7 pages doi:10.1155/2008/723292

Research Article Actuator Fault Diagnosis with Robustness to Sensor Distortion

Qinghua Zhang

INRIA-IRISA, Campus de Beaulieu, 35042 Rennes Cedex, France

Correspondence should be addressed to Qinghua Zhang, [email protected]

Received 1 April 2007; Revised 15 August 2007; Accepted 11 November 2007

Recommended by Jakob Stoustrup

Actuator fault diagnosis is often studied under strong assumptions on available sensors. Typically, it is assumed that the sensors are either fault free or suﬃciently redundant. The purpose of this paper is to present a new method for actuator fault diagnosis which is robust to sensor distortion. It does not require sensor redundancy to compensate sensor distortion. The essential assumption is that sensor distortions are strictly monotonous. Despite the nonlinear and unknown nature of distortions, such sensors still provide useful information for fault diagnosis. The robustness of the presented diagnosis method is analyzed, as well as its ability to detect actuator faults. A numerical example is provided to illustrate its eﬃciency.

Copyright © 2008 Qinghua Zhang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION The purpose of this paper is to present a method for actuator fault diagnosis which is robust to sensor distortion. In the design of modern control systems, fault diagnosis is It is assumed that each sensor can be affected by an un- often considered for component faults, sensor faults, and ac- known and arbitrary,butstrictly monotonous, nonlinearity. tuator faults. Various methods for fault diagnosis are gener- The monotonousness is a weak assumption since any non ally based on the processing of sensor signals [1–3]. Many monotonous distortion would make the sensor information methods for actuator fault diagnosis assume reliable fault- useless. Remark that saturation is not a strictly monotonous free sensors, see, for instance, [4, 5]. For methods simultane- nonlinearity, and thus is excluded in the proposed method. ously dealing with actuator and sensor faults, it is typically Nevertheless, a correctly working sensor should not be satu- assumed that there is sufficient redundancy among the sen- rated when it is in its normal working range. sors such that at any moment, the valid sensors can provide Robust methods for fault diagnosis has been studied in the information required for faults diagnosis. For mass pro- different contexts by many authors. In [6], a method based duction, it is important to use as less sensors as possible to on adaptive wavelet analysis is proposed. The method stud- reduce production cost. In such situations, fault diagnosis iedin[7] uses generalized frequency response functions. cannot uniquely rely on redundant sensors. Moreover, still Kullback discrimination information is used as a fault de- for the purpose of cost reduction, sensors used in mass pro- tection index in [8]. In [9], some faults of induction motors duction may be highly nonlinear. If the sensor nonlinearity is are detected by Fourier analysis of frequency signatures. (See well known, it can often be electronically compensated. Un- the references cited in these publications for more informa- fortunately, sometimes sensor nonlinearity varies within the tion.) Compared to these existing results, the novelty of the production, and for each piece in use, the nonlinearity varies method presented in this paper is its ability to deal with un- during its normal life duration. For example, most oxygen known nonlinear sensor distortions without requiring sensor sensors used in cars equipped with catalytic converters are redundancy. highly nonlinear. They roughly indicate if the oxygen con- The preliminary results presented in [10] are further de- centration is over or below a reference value. Nevertheless, veloped in this paper, in particular, the analysis of the pro- such sensors are sufficient for the purpose of engine control. posed robust detection method is completed with the char- It is then important to develop fault diagnosis methods rely- acterization of the faults which can be detected. ing on the same sensors. In this paper, unknown nonlinear The paper is organized as follows. The problem consid- behaviors of sensors are generally called sensor distortion. ered in this paper is formulated in Section 2. Fault detection 2 Journal of Control Science and Engineering and isolation are, respectively, studied in Sections 3 and 4.A 3. FAULT DETECTION numerical example is presented in Section 5. Some conclud- ffi ing remarks are given in Section 6. The main di culty of the problem formulated in the previous section is caused by the unknown sensor distortions. The key question is how to use the information provided by 2. PROBLEM STATEMENT such sensors. Because of the unknown nature of hi,foreach = The considered linear state-space system with sensor distor- measured value of yi hi(zi), the corresponding value of zi tion is formulated as is completely unknown, and even the sign of zi is unknown. The strict monotonousness of h assumed in Assumption 1 is = i x˙(t) Ax(t)+B diag u(t) θ + w(t), (1a) not helpful in this aspect. However, it is important to make z(t) = Cx(t)+v(t), (1b) the following observation. For any two time instants t and τ, = Assumption 1 implies that y(t) h z(t) ,(1c) sign z (t) − z (τ) = sign y (t) − y (τ) . (7) where x(t) ∈ Rn is the state, u(t) ∈ Rl the input, z(t) ∈ Rm i i i i ∈ Rm the output before sensor distortion, y(t) the output af- In other words, the relative sign of zi at different time in- ∈ Rn ∈ Rm ter sensor distortion, and w(t) and v(t) represent stants is known from the sensor output yi measured at these bounded modeling uncertainties. The notation diag(u(t)) time instants. Remark that t and τ are two arbitrary and in- denotes the diagonal matrix formed by the components of dependent time instants, and either one can be earlier than ∈ Rl ffi the input vector u(t), and the vector θ is a coe cient the other one. Since the absolute value |zi(t) − zi(τ)| is com- vector introduced to describe the efficiency loss of actua- pletely unknown, the relative sign is thus the only informa- tors (multiplicative actuator faults). For fault-free actuators, tion about zi(t) − zi(τ) provided by the sensor output. This θ takes the nominal value θ0. information will be the basis for the design of fault detection For notation simplicity, the parenthesis (t) of the time- and isolation algorithms in this paper. Such information can dependent variables will not be written unless necessary. also be used for the identification of Wiener systems [11]. Sensor distortion is modeled by the component-wisely Let Z(s), U(s), W(s), and V(s) be, respectively, the defined nonlinear function h:letzi and yi be, respectively, Laplace transforms of z(t), u(t), w(t), and v(t). It is then the ith component of z and y, i = 1, ..., m, then derived from (1a), (1b), and (1c) (by assuming zero initial state) that yi = hi zi . (2) − − Z(s)=C(sI −A) 1B diag U(s) θ+C(sI −A) 1W(s)+V(s). Assumption 1. Each sensor distortion hi : R→R is an unknown, but a strictly monotonously increasing, function. In (8) ∈ R other words, for any ξ1, ξ2 , Define =⇒ −1 −1 ξ1 <ξ2 hi ξ1

For any two time instants t and τ, it is obvious that Proposition 1 guarantees the absence of false detection if fault detection is made by comparing the residual ri(t, τ)with − − ≥ sign zi(t) zi(τ) zi(t) zi(τ) 0. (13) the threshold 2λ. However, it does not tell what are the faults which can be detected with such a decision rule. In general, Substitute zi(t)andzi(τ) with the last equality, then, for con- robust fault detection methods are based on conservative de- stant θ, cision rules, preventing the detection of some faults. In publications about robust fault detection, typically robustness sign z (t) − z (τ) φ (t) − φ (τ) θ + ζ (t) − ζ (τ) ≥ 0. i i i i i i results are provided, but the analysis about the set of faults (14) which can be detected is usually absent, because it is often ﬃ Remind the relative sign equality (7), then di cult to characterize the detectable faults in a robust detection framework. In contrast, for the method proposed in − − − ≥ sign yi(t) yi(τ) φi(t) φi(τ) θ + ζi(t) ζi(τ) 0, this paper, the faults which can be detected are clearly char- (15) acterized as follows. or equivalently Proposition 2. Assume that the system matrix pair (A, B) is controllable, θ=0,andθ0=0. For the faulty actuator parameter − − − sign yi(t) yi(τ) φi(t) φi(τ) θ vector θ = θ0, if there does not exist any positive real number (16) α such that θ = αθ , then there exist an input signal u(t) and ≤ − − 0 sign yi(t) yi(τ) ζi(t) ζi(τ) . time instants t and τ such that

Let θ0 be the nominal value of θ (corresponding to fault- ri(t, τ) > 2λ (22) free actuators), a residual r (t, τ) for actuator fault detection i for each i = 1, ..., m,whereλ is a positive constant such that can be generated as | |≤ ζi(t) λ. =− − − ri(t, τ) sign yi(t) yi(τ) φi(t) φi(τ) θ0. (17) Proof. This proof applies to the residual ri(t, τ)foreachi = It then follows from (16) that, in the fault-free case, 1, ..., m. Define the vector ≤ − − ri(t, τ) sign yi(t) yi(τ) ζi(t) ζi(τ) . (18) −1 −1 ν = β θ θ − θ0 θ0 , (23) This result leads to the following proposition. where the norm θ= θT θ and β is a positive number to | |≤ Proposition 1. If ζi(t) λ for some constant λ and any t, be specified later. Then then the residual ri(t, τ) defined in (17) satisfies, in the fault- νT = − −1 T free case, that is, θ = θ0, the inequality θ β θ θ0 θ0 θ (24) = − −1 −1 T ≥ ri(t, τ) ≤ 2λ. (19) β θ 1 θ0 θ θ0 θ 0, | T |≤ Proof. Let us first consider the case yi(t)=yi(τ), then it fol- where the last inequality follows from the fact that θ0 θ lows from the inequality (18) that θ0θ. Notice that the equality

ri(t, τ) ≤ ri(t, τ) T θ θ = θ θ (25) ≤ ζ (t) − ζ (τ) (20) 0 0 i i ≤ ≤ = ζi(t) + ζi(τ) 2λ. would imply θ αθ0 for some α>0, that is, the case excluded in Proposition 2. Therefore, Now for the case yi(t) = yi(τ), it follows trivially from the νT = − −1 T inequality (18) that θ β θ θ0 θ0 θ > 0. (26)

ri(t, τ) ≤ 0 ≤ 2λ. (21) Similarly, it is also shown that

νT = − −1 T θ0 β θ θ0 θ0 θ < 0. (27) Remind that ζi(t) is a component of the variable ζ(t) It then follows that depending on the bounded modeling uncertainties w(t) and v(t), as deﬁned in (10). The boundedness of w(t)and T T sign ν θ ν θ0 < 0. (28) v(t), together with Assumption 2, implies the boundedness of ζ(t). For practical convenience, the residual threshold For given values of θ and θ0, the value of β in (23) is chosen should be directly derived from the assumed bounds of w(t) large enough such that and v(t). It would require nontrivial error bound propa- gation through (10). Techniques of interval analysis or set- νT θ > 2λ, membership computation [12] can be applied for this pur- (29) νT 2 pose. This topic is not further discussed in this paper. θ0 > λ. 4 Journal of Control Science and Engineering

Now, let us consider φi, the ith row of the matrix Φ 4. FAULT ISOLATION defined in (9). If there is an input signal u(t) such that − = νT After the detection of an actuator fault, the purpose of fault φi(t) φi(τ) for two time instants t and τ, then the inequality (28)leadsto isolation is to figure out which actuators are faulty. In terms of (11a)and(11b), it amounts to deciding which components of have deviated from the nominal value . sign φ (t) − φ (τ) θ φ (t) − φ (τ) θ0 < 0. (30) θ θ0 i i i i It should be first remarked that, because of the arbitrary Notice that the existence of such input signals is ensured unknown function h, it is not possible to detect or isolate any by the controllability of the matrix pair (A, B). proportional changes in all the components of θ. In other − |=|νT | ≥| − | words, for any value α ∈ R, the parameter vector θ1 = αθ0 Because (φi(t) φi(τ))θ θ > 2λ ζi(t) ζi(τ) , − − cannot be distinguished from θ0 based on the known signals the sign of (φi(t) φi(τ))θ +(ζi(t) ζi(τ)) is determined by the sign of (φ (t) − φ (τ))θ,thus Φ(t)andy(t). For the same reason, if all the components of i i , except one, have changed, it is not possible to determine θ sign φ (t) − φ (τ) θ + ζ (t) − ζ (τ) which one has not changed. i i i i (31) = sign φ (t) − φ (τ) θ . After having clarified the limitation related to unknown i i sensor distortion, let us look for an algorithm for fault iso- This last equality, together with the inequality (30), leads to lation. The basic idea is to design residuals similar to (17), but capable of rejecting some actuator faults. Each designed − − − residual should be insensitive to some of the possible actuator sign φi(t) φi(τ) θ + ζi(t) ζi(τ) φi(t) φi(τ) θ0 <0, (32) faults, whereas sensitive to the others. The actually occurred fault can then be isolated by comparing such residuals. or equivalently Let P be a permutation matrix, that is, a matrix obtained × by permuting the rows of the l l identity matrix Il (remind − − that l is the number of actuators). Divide P into two sub- sign zi(t) zi(τ) φi(t) φi(τ) θ0 < 0, (33) matrices P and P , respectively, composed of l and l = l−l sign y (t) − y (τ) φ (t) − φ (τ) θ < 0. f s f s f i i i i 0 rows of P. Then it can be easily verified that | − |=|νT | T T = Remind that [φi(t) φi(τ)]θ0 θ0 > 2λ, then P f P f + Ps Ps Il. (37) − − − sign yi(t) yi(τ) φi(t) φi(τ) θ0 < 2λ. (34) The notations P f θ and Psθ will be used to select, respectively, the assumed faulty components and sound (or fault- Therefore, the residual as defined in (17)satisfies free) components of θ.Itisderivedfrom(11a) that

T T z(t) = Φ(t)P P f θ + Φ(t)P Psθ + ζ(t). (38) ri(t, τ) > 2λ. (35) f s

If Ps is assumed to select the components of θ corresponding to sound actuators, then, even after the occurrence of actua- If t is the current time instant, then ri(t, τ)canbecom- tor faults, the equality puted for different past time instant τ. In order to reduce the ff e ect of modeling uncertainties, ri(t, τ) can be averaged over Psθ = Psθ0 (39) different values of τ in a sliding window. The computation of the residul from sampled signals is summarized as follows. still holds. Define

θ f P f θ, (40) Residual generation algorithm summary then Assume that Φ(t)andy(t) are sampled1 at discrete time = T T instants 1, 2, ..., N. Choose the sliding window length 0 < z(t) Φ(t)P f θ f + Φ(t)Ps Psθ0 + ζ(t). (41) = L

i i For a given set of signals Φ(t), y(t) sampled at discrete time where the indices kj , kj+1 come from the sequence sorting instants 1, 2, ..., N, the value of θ f can be estimated by min- yi(k)asin(43). − = imizing the error term ζi(t) ζi(τ) in the inequality (42) It is assumed that Psθ Psθ0. Then the above inequal- where the time instants , are replaced by all pairs among ity shows that there exist a value of (equal to )anda t τ θ f P f θ the sampling instants 1, 2, ..., N. value of ζ j (equal to ζ (ki ) − ζ (ki )) such that the in- i i j i j+1 Because yi(t)

Note that the known time delays at the inputs do not cause +ζ ki − ζ ki = z ki − z ki ≤ 0, i j i j+1 i j i j+1 any serious diﬃculty for fault diagnosis, though the on-line (48) computation has to be delayed accordingly. 6 Journal of Control Science and Engineering

×10−2 10 10 8 8 6 6 4 4 2 2 0 0 0 200 400 600 800 1000 1200 1400 1600 1800 2000 0 200 400 600 800 1000 1200 1400 1600 1800 2000 (a) (b)

Figure 1: Fault detection residual. The same residual is plotted twice at diﬀerent scales. The time unit is the minute.

1.5 riod. At the beginning, all the actuators are fault free. At the 1 1000th minute (of the recorded duration), a factor of 0.8 is 0.5 applied to the first actuator, simulating an actuator fault. The residual for fault detection, computed with the av- 0 1800 1820 1840 1860 1880 1900 1920 1940 1960 1980 2000 eraging window length L = 100, is illustrated in Figure 1.In (a) Figure 1(a) showing the residual in full scale, there is a strong transient behavior of the residual after occurrence of the ac- 1.5 tuator fault (at the 1000th minute). This transient behavior 1 is in favor of a fast detection of the actuator fault. In order 0.5 to view better the residual outside the transient period, it is 0 plotted in Figure 1(b) in a finer scale. The detected fault is 1800 1820 1840 1860 1880 1900 1920 1940 1960 1980 2000 clearly confirmed by the residual after the transient period. (b) For fault isolation, three residuals are computed with the 1.5 signals from the 1801th minute to the 2000th minute. Each ff 1 of the three residuals is designed to reject a fault a ecting one of the three actuators. The residuals rejecting the faults of ac- 0.5 tuator 1, 2, and 3 are, respectively, plotted in the top, middle, 0 1800 1820 1840 1860 1880 1900 1920 1940 1960 1980 2000 and bottom pictures of Figure 2. The first residual is clearly (c) smaller than the two others, indicating that the hypothesis of a fault affecting the first actuator is the most likely one, which Figure 2: Fault isolation residuals. The time unit is the minute. Top: corresponds to the actually simulated fault. residual rejecting the fault of actuator 1. Middle: residual rejecting the fault of actuator 2. Bottom: residual rejecting the fault of actuator 3. 6. CONCLUSION

Numericalsimulationisﬁrstmadeincontinuoustime. Despite unknown nonlinear distortions of sensors, the in- The three input variables are randomly drawn with uniform formation provided by such sensors is still useful for fault distributions ranged within the intervals [20, 40] (mol/min), diagnosis, even when there is no redundant sensors, if the [10, 30] (mol/min) and [10, 20] (◦C). The simulated noise- distortions are strictly monotonous. The monotonousness is free output is disturbed by an additive bandlimited noise a weak assumption since nonmonotonous distortion would with noise power 0.01 and unitary sample time. Then the make the sensor information useless. The main idea of the sensor distortion function method presented in this paper is about how to use the information provided by such sensors. Because of the unknown 100 nature of nonlinear distortion, neither the absolute value of h(z) = + 10 (53) 1+e−0.2(z−320) the measured physical variable nor its sign can be determined from the sensor signal. The strict monotonousness of the is applied. In this monotonously increasing function, the ad- nonlinear distortion is not helpful in this aspect. However, ditive constant 10 has been added to illustrate the robustness foranytwodiﬀerent time instants, the relative sign of the of the proposed method to sensor bias (shifting error). Fi- measured variable is preserved by the monotonous nonlinear nally, the distorted sensor output y(t) sampled at the period distortion. By using the information residing in the relative of one minute is corrupted by a random noise uniformly dis- sign of sensor signals, the method for actuator fault diagnosis tributed within the interval [−0.05, 0.05] (◦C). The simu- presented in this paper is conceptually robust to sensor dis- lated data is recorded during 2000 minutes after an initial tortions, as illustrated by the numerical example presented in simulation of 1000 minutes to avoid the initial transient pe- this paper. Qinghua Zhang 7

REFERENCES

[1] M. Basseville and I. Nikiforov, Detection of Abrupt Changes: Theory and Applications, Information and System Sciences Se- ries, Prentice-Hall, Englewood Cliffs, NJ, USA, 1993. [2]J.J.Gertler,Fault Detection and Diagnosis in Engineering Sys- tems, Marcel Dekker, New York, NY, USA, 1998. [3] J. Chen and R. J. Patton, Robust Model-Bsed Fault Diagnosis for Dynamic Systems, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1999. [4] M.-A. Massoumnia, G. C. Verghese, and A. S. Willsky, “Failure detection and identification,” IEEE Transactions on Automatic Control, vol. 34, no. 3, pp. 316–321, 1989. [5] C. De Persis and A. Isidori, “A geometric approach to nonlinear fault detection and isolation,” IEEE Transactions on Auto- matic Control, vol. 46, no. 6, pp. 853–865, 2001. [6] P.W. Tse, W.-X. Yang, and H. Y. Tam, “Machine fault diagnosis through an effective exact wavelet analysis,” Journal of Sound and Vibration, vol. 277, no. 4-5, pp. 1005–1024, 2004. [7] H. Ma, C. Han, X. Kong, G. Wang, J. Xu, and X. Zhu, “A chaos- GFRF based fault diagnosis method,” in Proceedings of IEEE Conference on Cybernetics and Intelligent Systems (ICCIs ’04), vol. 2, pp. 1314–1317, Singapore, December 2004. [8] K. Kumamaru, K. Inoue, and T. Iwamura, “Improved approach to KDI-based fault detection for non-linear black-box systems,” in Proceedings of the SICE Annual Conference, vol. 1, pp. 927–932, Sapporo, Japan, August 2004. [9] M. E. H. Benbouzid, H. Nejjari, R. Beguenane, and M. Vieira, “Induction motor asymmetrical faults detection using advanced signal processing techniques,” IEEE Transactions on En- ergy Conversion, vol. 14, no. 2, pp. 147–152, 1999. [10] Q. Zhang, “A method for actuator fault diagnosis with robustness to sensor distortion,” in Proceedings of the 6th IFAC Symposium on Fault Detection, Supervision and Safety of Tech- nical Processes (SAFEPROCESS ’06), Beijing, China, August- September 2006. [11] Q. Zhang, A. Iouditski, and L. Ljung, “Identification of Wiener system with monotonous nonlinearity,” in Proceedings of IFAC Symposium on System Identification, Newcastle, Aus- tralia, March 2006. [12] R. B. Kearfott and V. Kreinovich, Eds., Applications of Inter- val Computations, Kluwer Academic Publishers, Boston, Mass, USA, 1996. [13] D. Den Hertog, Interior point approach to linear, quadratic, and convex programming: algorithms and complexity,KluwerAca- demic Publishers, Dordrecht, The Netherlands, 1994. [14] T. Glad and L. Ljung, Control Theory: Multivariable and Non- linear Methods, Taylor & Francis, New York, NY, USA, 2000. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 189064, 9 pages doi:10.1155/2008/189064

Research Article Stability Guaranteed Active Fault-Tolerant Control of Networked Control Systems

Shanbin Li, Dominique Sauter, Christophe Aubrun, and Joseph Yame´

Centre de Recherche en Automatique de Nancy (CRAN-UMR 7039), Nancy Universit´e, CNRS, BP 239, 54506 Vandoeuvre-l`es-Nancy Cedex, France

Correspondence should be addressed to Joseph Yame,´ [email protected]

Received 4 May 2007; Revised 15 October 2007; Accepted 9 December 2007

Recommended by Jakob Stoustrup

The stability guaranteed active fault-tolerant control against actuators failures and plant uncertainties in networked control systems (NCSs) is addressed. A detailed design procedure is formulated as a convex optimization problem which can be eﬃciently solved by existing software. An illustrative example is given to show the eﬃciency of the proposed method for network-based control for uncertain systems.

Copyright © 2008 Shanbin Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION der to ensure stability of the closed-loop system at all times. The aim of this paper is to extend the results in [5]touncer- Fault-tolerant control (FTC) techniques against actuator tain plants controlled over digital communication networks. faults can be classified into two groups [1]: passive and ac- In such networks, the information transfer from sensors to tive approaches. In passive FTC systems, a single controller controllers and from controllers to actuators is not instan- with fixed structure/parameters is used to deal with all possi- taneous but suffers communication delays. Such communi- ble failure scenarios which are assumed to be known a priori. cation delays can be highly variable due to their strong de- Consequently, the passive controller is usually conservative. pendence on variable network conditions such as congestion Furthermore, if a failure out of those considered in the design and channel quality. These network-induced delays may im- occurs, the stability and performance of the closed-loop sys- pact adversely on the stability and performance of the control tem might not be guaranteed. Such potential limitations of system [6, 8]. Networked control systems (NCSs) are now passive approaches provide a strong motivation for the de- pervasive (see, e.g., the recent special issue of the proceed- velopment of methods and strategies for active FTC (AFTC) ings of the IEEE [7]), and such systems are long-running systems. real-time systems which should function in a correct man- In contrast to passive FTC systems, AFTC techniques rely ner even in the presence of failures. This makes the issue of on a real-time fault detection and isolation (FDI) scheme and fault tolerant control in NCS an important one and entails a controller reconfiguration mechanism. Such techniques al- designing strategies to cope with some of the fundamental low a flexibility to select different controllers according to dif- problems introduced by the network such as bandwidth lim- ferent component failures, and therefore better performance itations, quantization and sampling effects, message schedul- of the closed-loop system can be expected. However, this ing and communication delays. Motivated by the above con- holds true when the FDI process does not make an incorrect siderations, we address the problem of fault tolerant con- or delayed decision [2]. Some preliminary results have been trol in NCSs with time-varying delays. Specifically, we extend obtained on AFTC which is immune to imperfect FDI process the results of [5] for the stabilization of a plant, subject to [3, 4]. In [5], the latter issue is further discussed in a classical model uncertainties and actuator faults, which is controlled setting (i.e., point-to-point control) by using the guaranteed over a communication network that induces time-varying cost control approach and online controller switching in or- but bounded delays. 2 Journal of Control Science and Engineering

A S bounded parameter uncertainties and satisfies the bound T A Plant S Δ(k) Δ(k) ≤ I where I denotes the identity matrix with appropriate dimension. The constant matrices D and E char- Fault A S indicator Network acterize the structure of these parameter uncertainties. The fault indicator matrix L is given by 1 1 1 sc sc sc 1 2 m τk τk τk L = { } ··· ··· diag l1, ..., lm (4) ∈{ } = = Switching with lj 0, 1 for j 1, 2, ..., m,wherelj 1 means that the jth actuator is in healthy state, whereas the jth actuator is meant to experience a total failure when l = 0. Having a m multiple j controllers finite number of actuators, the set of possible related failure modes is also finite and, by abuse of notation, we denote this set by L ={L1, L2, ...LN } (5) FDI unit with N= 2m − 1. Each failure mode Li,(i = 1, 2 ..., N)is therefore an element of the set L. We also view Li as a matrix, that is, as a particular pattern of matrix L in (4)de- Figure 1: Networked control system with actuator failures. pending on the values of lj (j = 1, 2, ...m). Throughout, when L is invoked as a matrix, it will mean that matrix L varies over the set of matrices in (5). Note that the faulty Li The outline of the paper is as follows. In Section 2,a mode in the NCS architecture of Figure 1 is estimated by network-based control model for an uncertain plant subject the FDI unit. In order to ensure that system (1) should re- L to actuator failures is proposed and the guaranteed cost con- main controllable, we assume that the set excludes the ele- { } trol problem is formulated. In Section 3, the detailed proce- ment diag 0, 0, ...,0 , that is, at least one actuator should be dure for designing the NCSs-based fault-tolerant controller healthy. is given. Section 4 presents a design example to illustrate the We further assume that the time-varying delays τ(k)lie benefit of the proposed FTC design procedure. Finally, con- between the following positive integer bounds τm and τM, clusions are given in Section 5. The proof of the main theo- that is, rem of the paper is reported in the appendix. τm ≤ τ(k) ≤ τM. (6) Given positive definite symmetric matrices Q and Q ,we 2. PROBLEM STATEMENT 1 2 consider the quadratic cost function Figure 1 shows the basic networked control architecture ∞ T T which is considered in this paper and which consists of a J = [x (k)Q1x(k)+u (k)Q2u(k)], (7) single uncertain plant, with few sensors and actuators, con- k=0 trolled by a digital controller in a centralized structure. and with respect to this cost function, we define the guaran- The delays induced by the network in the closed- teed cost controller in the event of actuator failures as follows. loop control system are modeled as time-varying quantities = sc τ(k) τk arising from the communication delays between Definition 1. If there exists a control law u(k) and a positive sensors and controllers at time k. Without loss of general- scalar J ∗ such that for all admissible uncertainties Δ(k)and ity, we assume that there are no transmission time-delays be- all failure modes Li ∈ L the closed-loop system (1)–(3)is tween the controllers and the actuators. The actuators might stable with cost function (7) satisfying J ≤ J ∗, then J ∗ is said be subject to faults during the system operation. Thus, taking to be a guaranteed cost and u(k) a guaranteed cost controller into account the potential failures of actuators, the intercon- for the uncertain system (1). nection of the uncertain discrete-time plant and a discrete- time controller through the digital communication link as In Section 3, we will proceed through two main steps to depicted in Figure 1 can be described by the following dy- design a cost guaranteed active fault tolerant control in the namical and state-delayed feedback equations: NCS framework. These steps are x(k +1)= A + DΔ(k)E x(k)+BLu(k), (1) (i) construct a fault-tolerant controller (i.e., a robust controller), with structure as given by (3), which achieves x(0) = x0, (2) ∗ the smallest possible value for J under all admissible u(k) = Kx k − τ(k) , (3) plant uncertainties and all actuator failure modes; (ii) redesign that part of the above controller associated to where x(k) ∈ Rn is the state of the uncertain plant, u(k) ∈ only one fault-free actuator in order to improve the ro- Rm is the control input, A, B, D, E are all real constant bust performance without loss of the stability property matrices, and matrix K is the controller gain matrix to be of the design in step (i); step (ii) repeats for all m actu- designed. The time-varying matrix Δ(k)representsnorm- ators and results in a bank of m controllers. ShanbinLietal. 3

It follows from inequality m ≤ N = 2m − 1, that the cardi- then system (8) is asymptotically stable and the cost function nality of the bank of controllers (which is equal to the num- (9) satisﬁes the inequality L ber of actuators) is less than the cardinality of the set of −1 faulty modes. For each faulty mode Li, the controller to be T T J ≤ x (0)P1x(0) + x (l)Rx(l) switched on should be the best as ranked with respect to a l=−τM closed-loop performance index. In this paper, we will not − address the switching and reconﬁguration mechanisms; we 0 1 + yT (l)Sy(l) (13) focus on the design of the bank of m controllers. θ=−τM +1 l=−1+θ − τM +1 −1 3. AFTC DESIGN FOR NCS + xT (l)Rx(l),

θ=−τM +2 l=θ−1 3.1. Robust stability where y(l) = x(l +1)− x(l). In this subsection, we establish a suﬃcient condition for the Proof. See the appendix. existence of a guaranteed cost network-based controller for the uncertain plant (1). Note that the control law (3)applied Remark 2. The “∗” sign represents blocks that are readily in- to plant (1) results in the following system: ferred by symmetry.

x(k +1)= A1x(k)+BLKx(k − τ(k)), (8) Remark 3. Note that the upper bound in (13) depends on the initial condition of system (8). To remove the dependence on where A = A + DΔ(k)E. The cost function associated to the initial condition, we suppose that the initial state of sys- 1 S ={ ∈ system (8) is therefore tem (8) might be arbitrary but belongs to the set x(l) n T R : x(l) = Uv, v v ≤ 1, l =−τM, −τM +1,..., −τm}, ∞ where U is a given matrix. Inequality (13)leadsto = T T T T J xe (k)Qxe(k), (9) J ≤ λmax U P1U + ρ1λmax U RU + ρ2λmax U SU , k=0 (14) · where xT (k)=[xT (k), xT (k−τ(k))] and Q=diag{Q , K T Q K}. where λmax( ) denotes the maximum eigenvalue of matrix e 1 2 · = = Under the assumptions made in Section 2, we can state the ( ), ρ1 μ(τM + τm)/2, and ρ2 2τM(τM +1). following result. 3.2. Step (i): Controller Design Theorem 1. If there exist a gain matrix K,ascalar > 0,sym- n×n n×n Now, we derive the guaranteed cost controller in terms of the metric positive-deﬁnite matrices P1 ∈ R , R ∈ R , S ∈ n×n n×n n×n 2n×2n feasible solutions to a set of linear matrix inequalities. R , and matrices P2 ∈ R , P3 ∈ R , W ∈ R , M ∈ R2n×n such that the following matrix inequalities are sat- Using Sherman-Morrison matrix inversion formula, we have isﬁed: −1 − P1 0 ⎡ ⎡ ⎤ ⎤ P 1 = . (15) ET −P−1P P−1 P−1 ⎢ 0 ⎣ ⎦ ⎥ 3 2 1 3 ⎢Γ PT − M ⎥ ⎢ BLK ⎥ = −1 = −1 = ⎢ 0 ⎥ < 0, (10) In the sequel, we will denote X P1 , Y P3 ,andZ ⎢ T ⎥ − −1 −1 ⎣∗−R + K Q2K 0 ⎦ P3 P2P1 . We further restrict M to the following case in ∗∗ −I order to obtain a linear matrix inequality (LMI) (see, e.g., [9]): WM ≥ 0 ∗ 0 (11) M = δPT , (16) S BLK with where δ is a scalar parameter. Pre- and postmultiply (10) { −1 T −1 } { −1 −1 } by diag (P ) , P1 , I and diag P , P1 , I ,respectively; { −1 T −1} T also pre- and postmultiply (11) by diag (P ) , P1 and 0 I 0 I − − Γ = PT + P diag{P 1, P 1} and denote A − I −I A − I −I 1 L = P−1RP−1, F = KP−1, S = S−1, 00 1 1 1 T μR + Q1 0 + P T P + W1 W2 (17) 0 DD 0 P1 + τMS (12) −1 T −1 = P WP ∗ . T W3 + τ W +[M 0 ]+[M 0 ] , M Applying the Schur complement and expanding the block P1 0 μ = 1+ τM − τm , P = , matrices, we obtain the following result under the assump- P2 P3 tions made in Section 2. 4 Journal of Control Science and Engineering

Theorem 2. Suppose that for a prescribed scalar δ, there ex- Given a prescribed scalar δ, the design problem of the op- ist a scalar > 0,matricesX>0, Y, Z, F, L>0, S> timal guaranteed cost controller can be formulated therefore 0, W1, W2, W3, such that the following matrix inequalities as the following optimization problem: are satisﬁed: ⎡ ⎤ OP1: min α + ρ1β + ρ2γ Ψ1 Ψ2 0 Ψ41 ⎢ ⎥ ⎧ ,X,Y,Z,F,L,S,W1,W2,W3 ⎢ ∗ Ψ (1 − δ)BLF Ψ ⎥ ⎪ ⎢ 3 42⎥ ⎪(i) inequality (18), ⎢ ⎥ < 0, (18) ⎪ ⎡ ⎤ ⎣ ∗∗ −L Ψ43⎦ ⎪ ⎪ W1 W2 0 ⎪ ⎢ ⎥ ∗∗ ∗ Ψ5 ⎪ ⎢ ⎥ ⎪(ii) ⎢ ∗ L ⎥ ≥ 0, ⎪ ⎣ W3 δB F ⎦ ⎡ ⎤ ⎪ W1 W2 0 ⎨⎪ ∗∗ − ⎢ ⎥ 2X S ⎢ ⎥ ⎡ ⎤ ⎡ ⎤ ∗ W3 δBLF ≥ s.t. ⎪ ⎣ ⎦ 0, (19) ⎪ − T − T −1 ⎪ ⎣ αI U ⎦ ⎣ βI U ⎦ ∗∗ ⎪(iii) < 0, < 0, XS X ⎪ ⎪ ∗−X ∗−2X + L ⎪ ⎪ ⎡ ⎤ ⎪ − T where ⎪ γI U ⎪ ⎣ ⎦ < 0. ⎩ ∗− T S Ψ1 = Z + Z + μL + τ W1, M (25) T T T Ψ2 = Y + X(A − I) − Z + τMW2 + δ(BLF) , Ψ =−Y − Y T + τ W + DDT , Clearly, the above optimization problem (25)isaconvexop- 3 M 3 ﬀ ⎡ ⎤ ⎡ ⎤ (20) timization problem which can be e ectively solved by exist- Ψ XET τ ZT 0 XZT ⎢ 41⎥ ⎢ M ⎥ ing LMI software [10]. Thus, the minimization of α+ρ1β+ρ2γ ⎢ ⎥ ⎢ T T ⎥ ⎣Ψ42⎦ = ⎣ 0 τMY 00Y ⎦ , implies the minimization of the cost in (9). By applying a simple one-dimensional search over δ for a certain τ ,a Ψ 00FT 00 M 43 global optimum cost can be found. = {− − − −1 − −1 − } Ψ5 diag I, τMS, Q2 , Q1 , X .

Then, the control law 3.3. Robust Stability with at least a fault-free actuator u(k) = FX−1x k − τ(k) (21) Based on the controller designed in Theorem 2,letusas- sume that actuator i is fault-free, then we can redesign the i th row of controller gain matrix K to improve the robust is a guaranteed cost networked control law for system (1) and performance for the system against actuator failures. We can the corresponding cost function satisﬁes rewrite the overall control system as T −1 T −1 −1 J ≤ λmax U X U + ρ1λmax U X LX U = L − − (22) x(k +1) A1x(k)+ Bi iKi + biki x k τ(k) , (26) T 1 + ρ2λmax U S U , = where A1 A + DΔ(k)E,matrixKi is obtained by deleting where ρ1 = μ(τM + τm)/2 and ρ2 = 2τM(τM +1). the ith row from K, Bi is obtained by deleting the ith col- L Remark 4. From (22), we establish the following inequalities: umn from B,and i is obtained by deleting ith row and ith column from L. The cost function associated to system (26) reads as −αI UT −βI UT < 0, − < 0, ∗−X ∗−XL 1X ∞ (23) J = xT (k)Qx (k) (27) −γI UT e e < 0, k=0 ∗−S

T = T T − = { T where α, β,andγ are scalars to be determined. It is worth with xe (k) [x (k), x (k τ(k))], Q diag Q1, ki Q2iki + T } noting that condition (23) is not an LMI because of the term Ki Q2iKi ,whereQ2i is obtained by deleting the ith row and − −XL 1X. This is also the case for condition (19) which is not ith column from Q2.Withregardtosystem(26)whereKi is −1 an LMI because of the term XS X. Note that for any matrix assumed to be known, we have the following result. X>0wehave Theorem 3. If there exist a gain matrix ki, a scalar > 0,sym- n×n n×n − metric positive-deﬁnite matrices ∈ R , ∈ R , ∈ 1 −1 P1 R S XS X ≥ 2X − S, XL X ≥ 2X − L. (24) n×n n×n n×n 2n×2n R , and matrices P2 ∈ R , P3 ∈ R , W ∈ R , ShanbinLietal. 5

M ∈ R2n×n such that the following matrix inequalities are sat- where isfied: T Ψ1 = Z + Z + μL + τMW1, ⎡ ⎤ = − T − T ∗ T 0 ET Ψ2 Y + X(A I) Z + τMW2 + δ biF , ⎢Γ PT − M ⎥ ⎢ L ⎥ ⎢ Bi iKi + biki 0 ⎥ Ψ =−Y − Y T + τ W + DDT , ⎢ ⎥ < 0, (28) 3 M 3 ⎢∗− T T ⎥ ⎡ ⎤ ⎡ ⎤ ⎣ R + ki Q2iki + Ki Q2iKi 0 ⎦ T T T (34) ⎢Ψ41⎥ XE τMZ 00XZ ∗∗ −I ⎢ ⎥ ⎢ ⎥ ⎢ ⎥ = ⎢ T T ⎥ ⎣Ψ42⎦ ⎣ 0 τMY 000Y ⎦ , WM 00(F∗)T XKT 00 ≥ 0, (29) Ψ43 i ∗ S = − − − −1 − −1 − −1 − Ψ5 diag I, τMS, Q2i , Q2i , Q1 , X . then, system (26) is asymptotically stable and the cost function Then, the ith control law (27) satisfies inequality (13). ∗ −1 ui(k) = F X x k − τ(k) (35) Proof. The proof is similar to the proof of Theorem 1. is a guaranteed cost networked control law of system (26) and the corresponding cost function satisfies T −1 T −1 −1 3.4. Step (ii): Controller Redesign J ≤ λmax U X U + ρ1λmax U X LX U − (36) T 1 Proceeding as in step (i), we restrict M to the following case + ρ2λmax U S U , in order to obtain an LMI: where ρ1 = μ(τM + τm)/2 and ρ2 = 2τM(τM +1). Given a prescribed scalar δ, the redesign problem of the T 0 M = δP , (30) optimal guaranteed cost controller can be formulated as the biki following convex optimization problem:

OP2: min (α + ρ1β + ρ2γ) where δ is a scalar parameter. Pre- and postmultiply (28) ∗ ⎧ ,X,Y,Z,F ,L,S,W1,W2,W3 { −1 T −1 } { −1 −1 } with diag (P ) , P1 , I and diag P , P1 , I ,respectively; ⎪(i) inequality (32), ⎪ { −1 T −1} ⎪ ⎡ ⎤ also pre- and postmultiply (29) with diag (P ) , P1 and ⎪ { −1 −1} ⎪ W1 W2 0 diag P , P1 ,respectively,anddenote ⎪ ⎢ ⎥ ⎪ ⎢ ∗ ∗ ⎥ ≥ ⎪(ii) ⎣ W3 δbiF ⎦ 0, ⎪ ⎪ ∗∗ − = −1 −1 ∗ = −1 = −1 ⎨ 2X S L P1 RP1 , F kiP1 , S S , ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ s.t. ⎪ ⎪ −αI UT −βI UT W1 W2 (31) ⎪ ⎣ ⎦ ⎣ ⎦ −1 T −1 ⎣ ⎦ ⎪(iii) < 0, < 0, P WP = . ⎪ ∗− ∗− ∗ ⎪ X 2X + L W3 ⎪ ⎡ ⎤ ⎪ ⎪ − T ⎪ ⎣ γI U ⎦ ⎩⎪ < 0. The Schur complement trick leads to the following controller ∗−S redesign result. (37) Theorem 4. Suppose that for a prescribed scalar δ, there ex- ∗ ist a scalar > 0,matricesX>0, Y, Z, F , L>0, S>0, 4. ILLUSTRATIVE EXAMPLE W1, W2, W3, such that the following matrix inequalities are satisﬁed: The dynamics are described by the following matrices: 0.90 0.20.1 ⎡ ⎤ A = , B = , 0.20.5 0 −0.1 ⎢Ψ1 Ψ2 0 Ψ41⎥ ⎢ ⎥ ⎢ ∗ L − ∗ ⎥ (38) ⎢ Ψ3 Bi iKiX +(1 δ)biF Ψ42⎥ ⎢ ⎥ < 0, (32) 00.1 0.10 ⎢ ∗∗ − ⎥ D = , E = , ⎣ L Ψ43⎦ 0.10 0.1 −0.1 ∗∗ ∗ Ψ 5 and the design parameters are chosen as ⎡ ⎤ W W 0 ⎢ 1 2 ⎥ 10 0.10 10 ∗ = = = ⎢ ∗ ⎥ ≥ Q1 , Q2 , U . ⎣ W3 δbiF ⎦ 0, (33) 01 00.1 01 −1 ∗∗XS X (39) 6 Journal of Control Science and Engineering

0 0.1

−0.05 0.05 Disturbance 1 Disturbance 2 −0.1 0

020406080 020406080 Time/step Time/step (a) (b)

1 1

0.5 0.5 Failure of actuator 1 Failure of actuator 2 0 0 020406080020406080 Time/step Time/step (c) (d)

0.2 0

0 2 1

− x

x 0.5 −0.2

− 1 −0.4 020406080 020406080 Time/step Time/step (e) (f)

Figure 2: Disturbance, actuator failures, and state response.

When τm = 1, τM = 2, and δ = 1, by OP1 (25), the cost As a result, the two controllers are determined as follows: is obtained as J1 = 61.6653 and the fault-tolerant controller can be designed for step (i): k∗ −0.8776 −0.2857 1 = #1 : − × −5 − × −5 , k2 0.1865 10 0.3060 10 − × −5 − × −5 (42) k1 0.0812 10 0.1333 10 −5 −5 = . (40) k1 −0.0812 × 10 −0.1333 × 10 − × −5 − × −5 = k2 0.1865 10 0.3060 10 #2 : ∗ − − . k2 0.6494 0.4161

In step (ii), by OP2 (37), the cost and the feedback gains are Figure 2 reports the simulation for two failures scenarios of redesigned as the actuators. For this simulation, the time-varying norm- bounded uncertain matrix Δ(k) is taken as = ∗ = − − J2 39.0026, k1 0.8776 0.2857 , sin(πk)0 (41) = = ∗ = − − Δ(k) , (43) J3 49.9616, k2 0.6494 0.4161 . 0cos(πk) ShanbinLietal. 7 which clearly satisﬁes the bound Δ(k)T Δ(k) ≤ I. The left col- APPENDIX umn of Figure 2 is related to failures of actuator 1 and the right column is related to failures of actuator 2. Note also PROOF OF THEOREM 1 that for these two failures scenarios the system has been dis- The following matrix inequalities are essential for the proof turbed by step disturbances entering additively in the state of Theorem 1. equations. This is illustrated in the simulation where the step disturbance 1 shown in Figure 2(a) disturbs the state vari- Lemma 5 (see [11]). Assume that a(·) ∈ Rna , b(·) ∈ × ables at time instant 35 and disappears at time instant 40. Rnb , and N(·) ∈ Rna nb . Then, for any matrices X ∈ × × × The step disturbance 2 shown in Figure 2(b) disturbs the sys- Rna na , Y ∈ Rna nb , and Z ∈ Rnb nb , the following holds: tem at time instant 5 and disappears at time instant 10. In T Figure 2(c), the solid line represents the failure of actuator 1 a XY− N a −2aT Nb ≤ ,(A.1) which occurs at time instant 15 and disappears at time in- b Y T − NT Z b stant 35, occurs again at time instant 55 and disappears at time instant 65. In Figure 2(d), the solid line represents the XY where T ≥ 0. failure of actuator 2 which occurs at time instant 35 and dis- Y Z appears at time instant 45, occurs again at time instant 65 Lemma 6 (see [12]). Let Y be a symmetric matrix and let and disappears at time instant 80. The delay of fault detec- H, E be given matrices with appropriate dimensions, then tion is assumed to be 3 time steps, which is represented by dot-dashed lines as shown in Figures 2(c) and 2(d).Under Y + HFE + ET FT HT < 0(A.2) the above simulation setting, the state responses are shown in Figures 2(e) and 2(f): holds for all F satisfying FT F ≤ I, if and only if there exists a scalar > 0 such that (i) the dotted line represents the state response for controller-switching sequence N◦1 : #2 is the initial Y + HHT + −1ET E<0. (A.3) controller, and #1 is switched-on at time instant 38, − = − k−1 then #2 at time instant 48, #1 at time instant 68; Proof. Note that x(k τ(k)) x(k) l=k−τ(k) y(l), where (ii) the solid line represents the state response for y(l) = x(l +1)− x(l). Then from system (8)wehave controller-switching sequence N◦2 : #1 is the initial − controller, and #2 is switched-on at time instant 38, k1 0 = A + BLK − I x(k) − y(k) − BLK y(l). (A.4) then #1 at time instant 48, #2 at time instant 68; 1 l=k−τ(k) (iii) the dot-dashed line represents the state response under the fault tolerant control (i.e., robust control) of Choose the Lyapunov-Krasovskii function candidates as fol- step (i). lows: ∗ ∗ T The trace of matrices (x )(x ) /(simulation time) is used as V(k) = V1(k)+V2(k)+V3(k), (A.5) a performance measure for comparison, where x∗ represents the state trajectory in the diﬀerent schemes and the simula- where tion time is 80 seconds. After computation, we obtain for the T V1(k) = x (k)P1x(k), above three control schemes the traces Tr1 = 0.0279, Tr2 = − 0.0338, Tr3 = 0.0499, which means that Tr1

T T T where N = (A1 +BLK −I)x(k)− y(k), η (k) = [x (k) y (k)] . where Choose constant matrices W, M,andS satisfying (11); by T = T T − Lemma 5,wehave ξ (k) η (k) x (k τ(k)) , T T − D = 0D P 0 , E = [E0]0 , k1 0 − 2 ηT (k)PT y(l) ⎡ ⎤ BLK 0 l=k−τ(k) ⎢ T − ⎥ ⎢Γ0 P L M⎥ (A.15) k−1 Θ0(τm, τM) = ⎣ B K ⎦ , T T ≤ τ η (k)Wη(k)+ y (l)Sy(l) T M ∗−R + K Q2K = − l k τM 00 T T 0 T +2η (k) M − P x(k) − x(k − τ(k) . Γ0 = Γ − P P. BLK 0 DDT (A.9) By Lemma 6,wehave Similarly, T T −1 T ΔV(k) ≤ ξ (k) Θ0 τm, τM + DD + E E ξ(k) T T ΔV2(k) = x (k)Rx(k) − x k − τ(k) Rx k − τ(k) − T xe (k)Qxe(k). k−1 k−1 (A.16) + xT (l)Rx(l) − xT (l)Rx(l). T l=k+1−τ(k+1) k−τ(k)+1 It is worth observing that matrix [Θ0(τm, τM)+DD + (A.10) −1ET E] is the Schur complement of −I in the matrix of the left-hand side of inequality (10). Therefore, the negative T −1 T Note that deﬁniteness of matrix [Θ0(τm, τM)+DD + E E] result-

− ing from inequality (10) implies that kτm T x (l)Rx(l) ≤− T ΔV(k) xe (k)Qxe(k). (A.17) l=k+1−τ(k+1)

− Summing both sides of the above inequality from 0 to ∞ k−1 kτm = xT (l)Rx(l)+ xT (l)Rx(l) leads to = − = − l k+1 τm l k+1 τ(k+1) ∞ = ∞ − − ΔV(k) V( ) V(0) k−1 kτm k=0 ≤ xT (l)Rx(l)+ xT (l)Rx(l). ∞ (A.18) l=k+1−τ(k) l=k+1−τ ≤− T =− M xe (k)Qxe(k) J (A.11) k=0

So, we have which, from system stability, yields T T J ≤ V(0), (A.19) ΔV2(k) ≤ x (k)Rx(k) − x k − τ(k) Rx k − τ(k)

− kτm (A.12) that is, inequality (13). + xT (l)Rx(l). = − l k+1 τm ACKNOWLEDGMENTS

Furthermore, we have The authors would like to thank the anonymous review- ers for their constructive comments and suggestions that k−1 have improved the quality of the manuscript. This work is = T − T ΔV3(k) τM y (k)Sy(k) y (l)Sy(l) supported by the French National Research Agency (Agence = − l k+1 τm Nationale de la Recherche, ANR) project SafeNECS (Safe- − kτm Networked Control Systems) under Grant no. ANR-ARA − T − T + τM τm x (k)Rx(k) x (l)Rx(l). SSIA-NV-15. l=k+1−τm (A.13) REFERENCES

Combining (9)and(A.7)–(A.13), we have [1] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Di- agnosis and Fault-Tolerant Control, Springer, Berlin, Germany, T T T T ΔV(k) ≤ ξ (k) Θ0 τm, τM + DΔ(k)E + E Δ (k)D ξ(k) 2003. [2] M. Mariton, “Detection delays, false alarm rates and the recon- − T xe (k)Qxe(k), ﬁguration of control systems,” International Journal of Control, (A.14) vol. 49, no. 3, pp. 981–992, 1989. ShanbinLietal. 9

[3] M. Mahmoud, J. Jiang, and Y. Zhang, “Stabilization of active fault tolerant control systems with imperfect fault detection and diagnosis,” Stochastic Analysis and Applications, vol. 21, no. 3, pp. 673–701, 2003. [4] N. E. Wu, “Robust feedback design with optimized diagnostic performance,” IEEE Transactions on Automatic Control, vol. 42, no. 9, pp. 1264–1268, 1997. [5] M. Maki, J. Jiang, and K. Hagino, “A stability guaranteed active fault-tolerant control system against actuator failures,” In- ternational Journal of Robust and Nonlinear Control, vol. 14, no. 12, pp. 1061–1077, 2004. [6] W. Zhang, M. S. Branicky, and S. M. Phillips, “Stability of networked control systems,” IEEE Control Systems Magazine, vol. 21, no. 1, pp. 84–99, 2001. [7] P. Antsaklis and J. Baillieul, “Special issue on technology of networked control systems,” Proceedings of the IEEE, vol. 95, no. 1, pp. 5–8, 2007. [8] Y. Tipsuwan and M.-Y. Chow, “Control methodologies in networked control systems,” Control Engineering Practice, vol. 11, no. 10, pp. 1099–1111, 2003. [9] W.-H. Chen, Z.-H. Guan, and X. Lu, “Delay-dependent guaranteed cost control for uncertain discrete-time systems with delay,” IEE Proceedings: Control Theory and Applications, vol. 150, no. 4, pp. 412–416, 2003. [10] P. Gahinet, A. Nemirovsky, A. J. Laub, and M. Chilali, LMI Control Toolbox—for Use with Matlab, The Math Works, Nat- ick, Mass, USA, 1995. [11] Y. S. Moon, P. Park, W. H. Kwon, and Y. S. Lee, “Delay- dependent robust stabilization of uncertain state-delayed systems,” International Journal of Control, vol. 74, no. 14, pp. 1447–1455, 2001. [12] Y. Wang, L. Xie, and C. E. de Souza, “Robust control of class uncertain nonlinear systems,” Systems and Control Let- ters, vol. 19, no. 2, pp. 139–149, 1992. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 265189, 10 pages doi:10.1155/2008/265189

Research Article Reliability Monitoring of Fault Tolerant Control Systems with Demonstration on an Aircraft Model

Hongbin Li,1 Qing Zhao,1 and Zhenyu Yang2

1 Department of Electrical and Computer Engineering, University of Alberta, Edmonton, AB, Canada T6G 2V4 2 Department of Computer Science and Engineering, Aalborg University Esbjerg, Niels Bohrs Vej 8, 6700 Esbjerg, Denmark

Correspondence should be addressed to Qing Zhao, [email protected]

Received 4 April 2007; Revised 6 September 2007; Accepted 13 November 2007

Recommended by Kemin Zhou

This paper proposes a reliability monitoring scheme for active fault tolerant control systems using a stochastic modeling method. The reliability index is deﬁned based on system dynamical responses and a safety region; the plant and controller are assumed to have a multiple regime model structure, and a semi-Markov model is built for reliability evaluation based on the safety behavior of each regime model estimated by using Monte Carlo simulation. Moreover, the history data of fault detection and isolation decisions is used to update its transition characteristics and reliability model. This method provides an up-to-date reliability index as demonstrated on an aircraft model.

Copyright © 2008 Hongbin Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION we considered static model-based control objectives and built a semi-Makov model from imperfect FDI and hard- In order to meet high reliability requirement of safety-critical deadline concepts [3, 4]. However, in many practical sys- processes, major progress has been made in fault toler- tems, the safety and reliability of operation are often assessed ant control systems (FTCSs). FTCSs usually employ fault based on dynamic system responses. For instance, reliability detection and isolation (FDI) schemes and reconfigurable in structural control is defined as the probability of system controllers to accommodate fault effects, also known as ac- outputs outcrossing safety boundaries and evaluated by us- tive FTCSs. Most work on reconfigurable controller design ing Gaussian approximation [5]. Also, an online available re- is performed under the assumption of perfect FDI detec- liability monitoring scheme using updated information may tions. However, imperfect FDI results are inevitable owing aid maintenance scheduling, provide prealarming, and avoid to disturbances or modeling uncertainties and may corrupt emergent overhauls. How to evaluate reliability when it is de- designated reliability requirement. Therefore, it is necessary fined based on system trajectory and how to implement an to validate the design of FTCSs from a reliability perspec- online-monitoring scheme are the main motivations of this tive. paper. The reliability of FTCSs has been investigated using var- The objectives of this paper are threefold. First of all, ious methods. The key problem is to set up appropriate a steady-state test (SST) is proposed to reduce false alarms reliability models with control objectives and safety require- of FDI decisions. The stochastic modeling of such an FDI ments incorporated. As fault occurrences and system failures scheme is studied based on which the transition character- are rare events, dynamic models are usually not suitable istics of FDI modes can be described. The second objective for reliability analysis. For example, Wu used serial-parallel is to develop a reliability evaluation scheme for FTCSs based block diagrams and Markov models for evaluation purpose, on system dynamic responses and safety boundary. At last, and defined a coverage concept to relate reliability and con- online monitoring features are considered, such as estima- trol actions [1]. Walker proposed Markov and semi-Markov tion of FDI transition parameters based on history data and models to describe the transitions of fault and FDI modes, timely update of reliability index to reflect up-to-date system but control actions are not considered [2]. In previous work, behavior. 2 Journal of Control Science and Engineering

The remainder of this paper is organized as follows: the ζn:0→ 1 assumptions and system structure are given in Section 2;FDI M0, K0 M1, K0 scheme, modeling, and parameter estimation are discussed in Section 3; the determination of outcrossing failure rates 1 and hard-deadlines are discussed in Section 4; the reliabil- → :0 n

ity model construction is discussed in Section 5 followed η by a demonstration example of an F-14 aircraft model in Section 6. M0, K1 M1, K1

2. ASSUMPTIONS AND SYSTEM STRUCTURE Figure 1: Transitions among regime models.

Assumption 1. The considered plant is assumed to have finite fault modes, and dynamics under each fault mode can by faults. Safety region Ω is assumed to be fixed and known be effectively represented by a linear system model. a priori. The scenario that z(t) exceeds Ω represents lost of control and system failures. More discussions on this as- Fault modes are represented by a set S with N integers; sumption can be found in [8]. {Mi : i ∈ S} represents the set of dynamical plant models under various fault modes; {K : j ∈ S} denotes a set of Definition 1. For a time interval from 0 to t, the reliability j function R(t) is defined as the following probability: reconfigurable controllers in a switching structure. Kj is de- ∈ signed for fault mode j based on Mj , j S.However,true R(t) = Pr ∀0 ≤ τ ≤ t, z(τ) ∈ Ω . (1) fault modes are usually not directly known, so an FDI scheme is used to generate estimates of fault modes, which may de- Meantimetofailure(MTTF)isdefinedastheexpectedtime viate from true fault modes with error probabilities. of satisfactory operation: Assumption 2. FDI scheme is assumed to generate a fault es- ∞ MTTF = R(t)dt. (2) timate based on a batch of measurements and calculations 0 for every fixed period Tc. Remark 2. Different from repairs relying on human inter- This assumption states a cyclic feature of FDI, such as sta- vention when system operation is stopped, control actions tistical tests and interactive multiple model (IMM) Kalman are executed automatically and can be deemed as an inter- filters [6]. FDI modes are represented by a discrete-time nal actions of FTCSs. Therefore, MTTF represents the mean ∈ ∈ N operational time without human intervention before failure. stochastic process ηn S,wheren , the set of nonnegative integers. The time duration between consecutive discrete Compared with ζn and η , z(t) is typically a fast chang- indices is equal to FDI detection period Tc. Kj is put in use n = ∈ ing function determined by both continuous and discrete when ηn j, j S. Corresponding to ηn, a discrete-time dynamics. As shown in Figure 1, ζn and η are two regime stochastic process ζn denotes true fault mode. In reliability n engineering, constant failure rates are usually assumed for modes and determine the transitions among regime models. = = When ζn i and η j are fixed, z(t) evolves according to the main part of component life cycle. In such a case, ζn can n be described as a Markov chain [7], and its transition proba- plant model Mi and controller Kj . As a result of this hybrid = { = | = } ∈ dynamics, directly evaluating R(t) and MTTF is a difficult bilities are denoted as Gij Pr ζn+1 j ζn i , i, j S. problem. Therefore, a discrete-time semi-Markov chain Xn Remark 1. The semi-Markov process can be used as a gen- is constructed for reliability evaluation purpose. The main eral FDI model. It can describe any type of sojourn time idea is that the hybrid system is decomposed into various distribution; in contrast, the Markov process model accepts regime models; each regime model is then evaluated for re- exponential sojourn time distributions only. More discus- lated safety characteristics, and Xn is constructed to integrate sions can be found in [4]. these characteristics with transition parameters of regime modes and to solve its transition probabilities for reliability Assumption 3. System performance is assumed to be repre- evaluation. The structure and main components of reliability sented by a vector signal z(t). Safety region, denoted as Ω, monitoring scheme are illustrated in Figure 2. is assumed to be a fixed region in the space of z(t)bounded Semi-Markov reliability model Xn is the kernel compo- by its safety threshold. Failure is assumed to occur when z(t) nent for calculating MTTF. It is constructed based on the fol- exceeds a safety region for the first time. lowing parameters: (1) the transition rates of ζn, called plant failure rates, (2) the estimates of ζn from FDI and confirma- This assumption intends to define an appropriate relia- tion test, called confirmed fault modes, (3) the parameters of bility index based on system dynamical response. It is com- ηn estimated from history data, called FDI transition charac- mon in control systems to use a signal z(t)torepresent teristics, (4) the probability of z(t) crossing safety boundary = performance, and z(t) is usually to be kept at small values during an FDI cycle Tc when ζn ηn, called failure outcross- against influences from exogenous disturbances, modeling ing rates, (5) the average number of periods before crossing = uncertainties, and dynamical characteristic changes caused safety boundary when ζn ηn, called hard deadlines. Among HongbinLietal. 3

ηn R(t), MTTF η5 θ1 η12 Reliability model (semi-Markov chain Xn)

0 0 TSST0 σ TSST1 σ θ η0 01 10 2 Out-crossing failure Hard-deadline FDI transition θ rate (matched cases) (mismatched) characteristics 0 0 0 τ01 τ10 n estimates ζ Conﬁrmed FDI

Plant faults ηn T0 T1 T2 n Switching controllers Steady-state test Conﬁrmation test Figure 3: A sample path of ηn.

Plant model FDI scheme

Figure 2: System structure. 3.2. Stochastic models ∈ ∈ A sample path of ηn is given in Figure 3.Letθm S and Tm N denote the FDI mode and cycle index, respectively, after these parameters, the second and third ones can be updated ∈ N the mth transition of ηn, m . For example, in Figure 3, online. = = θ1 η5 and T2 5. θm and Tm together determine FDI = = { ∈ N ≤ } trajectory, and ηn θSn ,whereSn sup m : Tm n 3. FDI SCHEME AND ITS CHARACTERIZATION is the discrete-time counting process of the number of jumps in [1, n]. (θ, T) {θm, Tm : m ∈ N} is called a discrete-time 3.1. Steady-state tests Markov renewal process if It is well known that false alarm and missing detection rates Pr θm+1 = j, Tm+1 − Tm = l | θ0, ..., θm; T0, ..., Tm are two conflicting quality criteria of FDI. One is usually im- (4) = = − = | proved at the cost of degrading the other. What is worse, the Pr θm+1 j, Tm+1 Tm l θm general rules of adjusting FDI to improve these two crite- = = ··· = = ∈ ria simultaneously are often not known. For example, in a holds for fixed ζTm ζTm+1 ζTm+1 k, k, j S, ∈ N = scheme based on IMM Kalman filters, it is not clear how to l, m . ηn θm is then called the associated discrete- determine Markov interaction parameters. Considering that time semi-Markov chain of (θ, T). It can be shown that θm most false alarms last for short time only, an SST strategy is is a Markov chain, and its transition probability matrix is de- adopted for postprocessing FDI decisions. noted by Pk. = = ··· = = k = − SST requires that, when FDI decision changes, new Given ζTm ζTm+1 ζTm+1 k,letτij Tm+1 decision is accepted only when it stays the same for a min- = = ∈ k Tm if θm i and θm+1 j, i, j, k S. τij is the sojourn time imum number of detection cycles. Let TSSTj denote the re- of η between its transition to state i at Tm and the consecu- ∈ n quired number of consistent cycles for FDI mode j, j S. tive transition to j at Tm+1. If the transition destination state The effectiveness of this SST strategy relies on the distribu- k is not specified, let τi denote the sojourn time at state i. tion of false alarm durations. For example, if a nonnegative k As shown in Figure 3, τij is the sum of two variables: a discrete random variable λ0 denotes the false alarm duration k constant TSSTi for SST period and a random sojourn time σij. when system fault mode ζ = 0, TSST0 can be taken as (1−α)- n k k quantile of λ0,0<α<1, meaning Let hij(l)andgij(l) denote the discrete distribution functions k k of τij and σij respectively, which have the following relations: Pr λ >T ≤ α,(3) 0 SST0 0, ≤ , k = k = = l TSSTi which implies that false alarm probability can be reduced by hij(l) Pr τij l k − (5) gij l TSSTi , l>TSSTi. ratio α when accepting FDI decisions after TSST0. The weakness of this method is additional detection time delay of This semi-Markov description provides a general model on TSSTj when fault occurs. However, this happens only under rare occurrences of faults. Compared with the improvement FDI mode transitions, but it involves a large number of pa- on relatively more frequently transitions of FDI modes, this rameters. The transition characteristics of ηn are jointly de- k k k weakness is acceptable. termined by P and hij (or gij). If S contains N fault modes, k 3 Detection decisions from SST are represented by ηn and there are N transition probability matrices P and N distri- k k used for controller reconfigurations. In Figure 2, the confir- bution functions hij.Ifeachhi follows geometric distribu- mation test is an SST with large test period to further reduce tion, the description of ηn may degenerate to a hypothetical false alarm probability to a negligible level. It generates con- Markov model ηn. firmed fault modes, which are used with FDI trajectories for All Markov chains can be considered as a special type of updating transition parameters of ηn and reliability index. semi-Markov chains. If ηn can be modeled as a Markov chain 4 Journal of Control Science and Engineering

k = k = with transition probability matrix denoted by H for ζn k, where τi (l)denoteM sojourn time samples at state i, l k the following relations hold: 1, ..., M. Hij can be estimated based on the transition frequency from state i to j: Hk k = ij Pij k ,(6) − k k 1 − H 1 Hii wij ii k = , (11) − Hij k = k l 1 k M hij(l) Hii Hij,(7) k k −1 where 1− is a normalization coeﬃcient and represents k = k l − k Hii wij hi (l) Hii 1 Hii . (8) the number of FDI transitions from i to j. k It is obvious that hi is a geometric distribution. In fact, this is an essential property of Markov chain, as shown in the fol- 4. OUTCROSSING FAILURE RATES lowing lemma. AND HARD-DEADLINES

Lemma 1. A discrete-time semi-Markov chain degenerates to a Owing to FDI delays or incorrect decisions, controller Ki Markov chain if and only if the sojourn time at each state (when may be used for its designated regime model Mi (namely, = subsequent state is not speciﬁed) follows geometric distribution. matched cases) and other model Mj , i j (namely, mismatched cases). Matched cases usually account for major

The proof is given in the appendix. When TSST is nonzero, operation time, while mismatched cases often appear as temporary operation. the sojourn time of ηn does not follow geometric distribution owing to this deterministic constant, and Lemma 1 cannot Definition 2. The outcrossing failure rate in matched cases is be directly applied. However, as TSST is known, a hypotheti- defined as cal process ηn can be constructed by setting TSST to zeros; if the sojourn time of is geometrically distributed, it can be ηn vii Pr ∃τ, nTc <τ≤ (n +1)Tc, described as a Markov chain; the original sojourn time of ηn ∈ | ∈ = = ∈ z(τ) Ω z nTc Ω, ζn ηn i , i S. can be recovered by adding TSST to that of ηn. This method may greatly reduce the number of parameters for character- (12) izing FDI results. Monte Carlo simulation can be used for estimating vii: sample simulations are performed by using generated sam- 3.3. Transition parameter estimation ple uncertain plant model and sample disturbance input; the simulation time when system fails is called a sample time- FDI transition parameters can be estimated as an offline test to-failure. With a large number of time-to-failure samples on FDI when both fault mode and FDI detection results are obtained, v can be estimated as the ratio between T and known. This estimation can also be carried out online using ii c sample mean of time-to-failure. FDI history data and confirmed fault modes. Mismatched cases are usually temporary operation When η is modeled as a semi-Markov chain, Pk and hk n ij caused by FDI false alarms or delays, and system may return k k (or gij) are parameters to be estimated. P can be estimated to matched cases if z(t) does not diverge to unsafe region. from the transition history of ηn.Forexample,whenζn is So, it is important to find out the average tolerable time be- kept as a constant k, if there are Mij transitions from i to j fore system failure. This time limit is called hard-deadline, k = = among all M transitions leaving i, the ijth element of P can denoted by Thdij for ζn i and ηn j. It can also be esti- k = be estimated as Pij Mij/M. mated by sample mean of time-to-failure using Monte Carlo k simulations. The estimation of sojourn time distribution gij can be completed in two steps: the histogram of sojourn time is firstly examined to select a standard distribution such that 5. RELIABILITY MODEL CONSTRUCTION nonparametric estimation is converted to a parametric one; k The states of semi-Markov chain Xn for reliability evaluation gij is then obtained by estimating unknown parameters in distribution functions. are classified into two groups: one unique failure state, de- If gk follows geometric distribution for all i, j, k ∈ S, η noted by sF, and multiple functional states, defined as state ij n = = ∈ can be described as a hypothetical Markov chain η under the combinations of ζn i and ηn j,denotedassij, i, j S. n For example, if two types of faults are considered in the plant, hypothesis that TSSTi = 0. As a result, transition probability Hk from i to j and sojourn time τk at i have the following ζn includes states of fault-free, fault type 1, fault type 2, and ij i ={ } relation: both fault 1 and fault 2, represented by S 0, 1, 2, 3 ,and − Xn contains 17 states. k = = k n 1 − k Pr τi n Hii 1 Hii . (9) The semi-Markov kernel of Xn is denoted as Q(·, ·, m), representing the one-time transition probability in m cycles. k = − k k Therefore, E(τi ) 1/(1 Hii ), and Hii can be estimated by It is determined by the following parameters: (1) transition ⎧ ⎪ M k characteristics of fault and FDI modes, (2) outcrossing failure ⎨⎪ 1 = τ (l) 1 − , l 1 i =0, k = M k rate in state sii denoted by vii, (3) hard-deadline in state sij Hii ⎪ l=1τi (l)/M M (10) ⎩⎪ denoted by Thdij, (4) FDI SST period denoted by TSSTj for 1, otherwise, FDI mode j. HongbinLietal. 5

Let us begin with the case that FDI mode can be de- Q(sii, sF, m) can be obtained by combining these two proba- { = | = }= scribed as a hypothetical Markov chain ηn with transition bilities with Pr X1 sF X0 sii vii. probability denoted by Hk . The calculation of Q is classified ij = ≤ into the following cases. Case 4. Mismatched states, sij, i j. When m TSSTj , the transition probability of X(t) to any other state is zero be- ≤ Case 1. The transitions from functional states to themselves cause of SST period. When TSSTj 1. Q sij, sF, m 0, − − (19) = i m TSSTj 1 i = ∈ Q sij, sii, m Hjj Hji, j l, j, l S. Case 3. Initial states are matched states sii: = Q sii, sF, m When m>Thdij +1,Xn jumps to sF at the earliest time m ⎧ − T +1only: ⎨ − m 1 m−1 ≤ hdij 1 vii Gii vii, m TSSTi, = ⎩ − − Thdij − i (m TSSTi 1) pii 1 vii GiiHii vii, m>TSSTi, = − Q sij, sF, TSSTi +1 1 Q sij, sii, m k=TSSTi+1 Q sii, sji, m (20) ⎧ Tij−TSSTj +1 ⎨ − m−1 m−1 − ≤ 1 − Hi 1 vii Gii 1 vii Gij, m TSSTi, = − jj i = 1 Hji. ⎩ − − − i − i (m TSSTi 1) − i 1 Hjj pii 1 vii GiiHii 1 vii GijHii, m>TSSTi, In the general cases, is modeled as a semi-Markov Q s , s , m ηn ⎧ii ij chain, and the competition probabilities methods discussed ⎨ 0, m≤TSSTi, in [4] can be utilized. = − − ⎩ − i (m TSSTi 1) − i pii 1 vii GiiHii 1 vii GiiHij, m>TSSTi, Definition 3. Given ζ = i and η = j, the combinational n n mode is denoted as (i, j), i, j ∈ S. Suppose (ζ , η ) = Q sii, skj, m n+1 n+1 ⎧ ··· = (ζ − , η ) = (i, j) and the next combinational ⎨ n+m 1 n+m−1 0, m≤TSSTi, mode after the consequent transition of ζn or/and ηn at n+m = − − ⎩ (m TSSTi 1) is ( , ) = ( , ), where = or/and = , , ∈ .The p 1−v G Hk 1−v G Hi , m>T , ζn+m ηn+m k l k i l j k j S ii ii ii jj ii ik ij SSTi probability of this event is called the competition probability, (15) denoted by ρ(i,j)(k,l)(m). = { = = ··· = = | = }= where pii Pr X1 X2 XTSSTi sii X0 sii − TSSTi TSSTi = = ∈ The calculation formulas of ρ (m) were derived in (1 vii) Gii , i j, k i, i, j, k S. (i,j) (k,l) The derivation of these equations are based on Markov [4, Section 3] and are omitted here for brevity. As the states transition probabilities and the decomposition of each event. of Xn are mainly defined as the state combinations of ζn and For example, ηn, the calculation of the semi-Markov kernel of Xn is simplified when ρ (m) is available, as shown in the follow- Q s , s , m (i,j) (k,l) ii F ing listed formulas: = Pr X1 = X2 =··· =Xm−1 = sii, Xm = sF | X0 = sii = − m = = =··· = = | = Q sii, skl, m 1 vii ρ(i,i)(k,l)(m), Pr X1 X2 Xm−1 sii X0 sii m−1 × = | = Q s , sF, m = 1 − v v , Pr X1 sF X0 sii . ii ii ii (16) Q s , s , m = 0, ii ii ⎧ ⎨ Considering the SST of FDI, if ≤ , ρ (m), m ≤ T , k = l = i, m TSSTi = (i,j)(k,l) hdij Q sij, skl, m ⎩ = =··· = = | = 0, otherwise, Pr X1 X2 Xm−1 sii X0 sii ⎧ m−1 − (17) ⎪ = − m 1 ⎨⎪0, m ≤ Thd , 1 vii Gii . ij , , = T hdij Q sij sF m ⎪ If m>TSSTi, ⎩1 − Q sij, sii, m , m>Thdij, =1 m Pr{X = X =··· =X − = s | X = s } 1 2 m 1 ii 0 ii 1, = 1, = m = Pr{X = X =··· =X = s | X = s } Q sF, sF, m 1 2 TSSTi ii 0 ii (18) 0, m>1. − − × − i (m TSSTi 1) 1 vii GiiHii . (21) 6 Journal of Control Science and Engineering

“True” airplane

Wact eact Win ΔG β Lateral stick AS r δdstab p Rudder K F-14nom pedal AR yac δrud Wind gust disturbance

p HQ model Wn Noise 2 − 5 s +2 1.252 − −2.5 s2 +2.5s +1.252 β HQ model ep Wp

eβ Wβ

Figure 4: Control design diagram for F-14 lateral axis (Courtesy of The MathWorks, Inc.).

Although these formulas appear to be simpler, both the pa- HQ models are 5(2/(s+2))and−2.5(1.252/(s+2.5s+1.252)); rameter estimation and competition probability calculations when fault occurs, HQ models degrade to 5(1/(s +1))and need much more calculation burden than the first case when −2.5(0.752/(s +1.5s +0.752)), respectively. FDI decision is modeled as a hypothetical Markov chain. The system block diagram is shown in Figure 4,whereF- Once Xn is constructed, calculation of reliability function 14nom represents the nominal linearized F-14 model, and AS and MTTF are straightforward using available formulas [9]. and AR the actuator models. ep and eβ represent the weighted model matching errors. Actuator energy is described by eact, and noise is added to the measured output after antialiasing 6. DEMONSTRATION ON AN F-14 AIRCRAFT MODEL filters. The considered fault occurs in two actuators. Under 6.1. Model description fault-free mode, their transfer functions are 25 A control problem of F-14 aircraft was presented in [10], and A = A = . (22) also used as a demonstration example in MATLAB Robust S R s +25 Control Toolbox.1 This problem considers the design of a Two types of actuator faults are considered here, each has lateral-directional axis controller during powered approach mean occurrence time 105 of FDI periods or its failure rate to a carrier landing with two command inputs from the pilot: − is 10 5. Under fault type 1, the transfer function of A be- lateral stick and rudder pedal. At an angle-of-attack of 10.5 S comes degrees and airspeed of 140 knots, the nominal linearized F- 14 model has four states: lateral velocity, yaw rate, roll rate, 15 A = 0.5 . (23) and roll angle, denoted by v, r, p,andφ, respectively, two S s +15 control inputs: differential stabilizer deflection and rudder Under fault type 2, the transfer function of AR becomes deflection, denoted by δdstab and δrud,respectively,andfour outputs: roll rate, yaw rate, lateral acceleration, and side-slip 10 A = 0.5 . (24) angle, denoted by p, r, yac,andβ,respectively.Thesystem R s +10 dynamics equations are ignored here, and can be loaded in MATLAB 7.1 using command “load F14nominal.” An addi- These fault modes are described as the change of actuator tional disturbance input is added to represent the wind gust gains and time constants. The set of fault modes is denoted effects. by S ={0, 1, 2, 3}, representing fault-free, fault type 1, type The control objective is to have desired handling qual- 2, and simultaneous occurrence of both. ity (HQ) responses from lateral stick to roll rate p and from rudder pedal to side-slip angle β. Under fault-free modes, the 6.2. Performance characterization of controller and FDI

1 MATLAB and Robust Control Toolbox are the trademarks of The Math- Four H∞ controllers are designed for each fault mode to Works, Inc. achieve nominal HQ control objectives under fault-free HongbinLietal. 7

8 1

) 6 p 4 2 0 0.5 −

Roll rate ( 2

−4 Roll rate error 2 4 6 8 10 12 14 0 0 10 20 30 40 50 60 Time Time Real (a) Ideal Degraded 0.8 (a) 0.6 4 0.4 )

β 2 0.2 0 Side slip error − 0 Side slip ( 2 0 10 20 30 40 50 60 −4 Time 0 10 20 30 40 50 60 (b) Time

Real Figure 6: The trajectories of matching errors. Ideal Degraded (b) 4 Figure 5: Output trajectories. 3 2

Fault mode 1 mode and degraded HQ performance under fault modes. 0 10 20 30 40 50 60 Typical output trajectories under fault-free mode are shown Time in Figure 5, where the curves labeled with “Real” represent (a) the measured outputs, “Ideal” the outputs under nominal HQ performance, and “Degraded” the outputs under de- 4 graded HQ performance. The absolute minimal matching 3 errors between the real responses and the expected outputs 2 under ideal HQ performance are shown in Figure 6,which FDI mode 1 are assumed to represent system safety behaviors. When 0 10 20 30 40 50 60 these matching errors go over the safety limits, 30% of ex- Time pected output, aircraft is considered as failed. (b) An IMM FDI is constructed to detect fault occurrences. To reduce false alarms, a steady-state test strategy is applied 4 on FDI decisions with TSSTj = 6foranyFDImodej.Atyp- ical FDI trajectory is shown in Figure 7. It is clear that the 3 steady FDI mode is free of false alarms in the shown time 2 period. But detection time delays are introduced when fault 1 occurs at 20 and 50 seconds, respectively. Steady FDI mode 0 10 20 30 40 50 60 To represent FDI detection characteristics, a batch of Time fault and FDI history data is collected for statistical estima- (c) tion. First, histograms of FDI delays are generated to check its distribution type. When there is no fault, the histogram Figure 7: FDI trajectory. of FDI sojourn time at fault-free mode is shown in Figure 8. It clearly resembles a geometric distribution. Equations (10)- (11) are then used to estimate Markov transition probabilities, and those under fault-free mode are obtained as Note that H0(2, 1) = 1andH0(2, 2) = 0 represent the tran- ⎡ ⎤ sition probabilities of FDI from a false alarm state. Estimated 0.9990 0 0.0010 0.0000 ⎢ ⎥ based on the given history data, these values imply that the ⎢ ⎥ 0 = ⎢1.0000 0 0 0 ⎥ FDI leaves false alarm state in one transition cycle. But there H ⎣ ⎦ . (25) 0.1330 0 0.8670 0 may exist estimation error, and the true value of H0(2, 2) may 0.5000 0 0 0.5000 be close to but not exact zero. 8 Journal of Control Science and Engineering

16 6.3. Reliability evaluation 14 Reliability semi-Markov model can be constructed based on 12 fault transition rates, FDI transition parameters, outcrossing failure rate, and hard-deadlines. Predicted reliability func- 10 tion and MTTF can be thereby calculated. By using MTTF 8 as an objective, an optimization is performed on TSST.Itis

Frequency 6 found that MTTF will be improved from 27 727 to 32 605 seconds if T is reduced from 6 to 1. A comparison of reli- 4 SSTj ability functions before and after this optimization is shown 2 in Figure 9. It is clearly shown that reliability index is im- 0 proved. 0 500 1000 1500 2000 2500 3000 3500 4000 Comparisons on the transition probabilities between Sojourn time these two SST periods are shown in Figure 10, in which each subfigure gives the transition probability curves from s to Figure 8: Histogram of FDI sojourn time. 00 other states. For example, the subfigure at the first row and second column shows that the transition probabilities to s01 are increased from 0 to about 0.008. This is a natural result 1 of increased false alarms when reducing TSSTj .Infact,when = 0 0.995 TSSTj 1, new Markov transition parameters H become

0.99 ⎡ ⎤ 0.9822 0.0017 0.0122 0.0038 ⎢ ⎥ 0.985 ⎢0.2634 0.7366 0 0 ⎥ H 0 = ⎢ ⎥ . (26) ⎣0.1989 0 0.8011 0 ⎦ 0.98 0.3530 0 0 0.6470 0.975

0.97 Compared with H0, the element on the ﬁrst row and second column is increased from 0 to 0.0017, a conﬁrmation of

Predicted reliability function 0.965 increased false alarms. On the other hand, detection delays 0.96 are reduced approximately from 6 to 1, and system stays less 0.955 time under mismatched fault and FDI cases. Overall, MTTF 0 100 200 300 400 500 600 700 800 900 1000 is improved. Time This evaluation procedure can be completed in an online manner. Estimated FDI transition parameters H and current Original mode of ζ provided by conﬁrmed test on FDI can be used Optimized n to provide updated MTTF based on this most recent infor- Figure 9: Reliability functions comparison. mation.

7. CONCLUSIONS

As a result of FDI false alarms, missing detections, and A reliability monitoring scheme for FTCSs is reported in this detection delays, controllers may be engaged for various fault paper. The scheme contains two postprocessing strategies on modes for which they are not designed. So, it is necessary FDI results to provide estimated fault mode for control re- to evaluate system behavior under all possible combinations configuration and confirmed mode for updating reliability. of FDI and fault modes. Here, Monte Carlo simulations are The stochastic transitions of FDI mode is represented by a adopted with the following settings: (1) command stick in- semi-Markov chain with parameters estimated from history puts are square waves with frequency as a random vari- data. Under geometric sojourn time distributions, FDI mode able ranging from 0.2 to 2 Hertz, (2) wind gust disturbances can be described by an equivalent hypothetical Markov chain and sensor measurement noises are assumed to be Gaus- that simplifies its model and reliability analysis. Safety and sian processes, (3) actuator saturation effects limit control satisfactory operation of system is defined by system trajec- inputs to 20 and 30, respectively, (4) system failure is as- tories and safety boundaries; the probability of violating this sumed to occur when model matching errors go over 30% safety criterion under fixed fault and FDI modes is estimated of stick commands. For example, with fault mode 2 occurred using Monte Carlo simulations. Overall reliability evaluation and K2 engaged, mean time to system failure is 57 403 sec- is obtained through a semi-Markov model constructed by onds when controller K2 is used, and 6 seconds when K1 is integrating FDI transition characteristics and failure prob- used. Considering the sampling period to be 0.1 second for abilities under each regime model. This scheme provides IMM FDI, the outcrossing failure rate and hard-deadline are timely monitoring on the reliability index of FTCSs, and was v22 = 1/574030, Thd21 = 60. demonstrated on an F-14 aircraft model. HongbinLietal. 9

S00 S01 S02 S03 1 0.01 0.1 0.02

0.9 0.005 0.05 0.01

0.8 0 0 0 0 500 1000 0 500 1000 0 500 1000 0 500 1000 × −4 × −3 × −5 × −5 10 S10 10 S11 10 S12 10 S13 2 5 1 4

1 0.5 2

0 0 0 0 0 500 1000 0 500 1000 0 500 1000 0 500 1000

−3 −6 −3 −6 ×10 S20 ×10 S21 ×10 S22 ×10 S23 1 5 5 4

Transition probabilities 0.5 2

0 0 0 0 0 500 1000 0 500 1000 0 500 1000 0 500 1000 × −7 × −6 × −6 × −5 10 S30 10 S31 10 S32 10 S33 2 1 1 2

1 0.5 0.5 1

0 0 0 0 0 500 1000 0 500 1000 0 500 1000 0 500 1000 Time

Orignal Optimized

Figure 10: Comparison of transition probabilities.

= APPENDIX otherwise, θSn j,andwehave = | Pr ηn+1 j η1, ..., ηn Proof of Lemma 1. The “only if” part is trivial as shown in = = = | (8). Let η denote a semi-Markov chain; the associated Pr θSn+1 j, TSn+1 n +1 θ1, ..., θSn , n Markov renewal processes are denoted as θm and Tm,and k T1, ..., TSn , TSn+1 >n the sojourn time distribution hi when subsequent state is not speciﬁed is in geometric distribution: = = = | Pr θSn+1 j, TSn+1 n +1 θSn , TSn , TSn+1 >n = = − = − | Pr θSn+1 j, TSn+1 TSn n +1 TSn θSn , = | Pr ηn+1 j η1, ..., ηn − − (A.1) TSn+1 TSn >n TSn = = | Pr ηn+1 j θ1, ..., θSn , T1, ..., TSn . = = − = | Pr θSn+1 j, TSn+1 TSn 1 θSn = Pr η = j | η . = n+1 n If θSn j, (A.3) In the above derivations, the memoryless property of geo- Pr η = j | η , ..., η metric distributions has been used: n+1 1 n − − | − − = Pr T >n+1| θ , ..., θ , T , ..., T , T >n Pr TSn+1 TSn >n+1 TSn TSn+1 TSn >n TSn Sn+1 1 Sn 1 Sn Sn+1 = − = | Pr TSn+1 TSn > 1 , Pr TSn+1 >n+1 θSn , TSn , TSn+1 >n Pr T − T = n +1− T | T − T >n− T = − − | − − Sn+1 Sn Sn Sn+1 Sn Sn Pr TSn+1 TSn >n+1 TSn θSn , TSn+1 TSn >n TSn = Pr TS +1 − TS = 1 . = − | n n Pr TSn+1 TSn > 1 θSn (A.4) = = | Pr ηn+1 j ηn ; The Markov property of ηn is proved, so ηn is a Markov chain. (A.2) 10 Journal of Control Science and Engineering

REFERENCES

[1] N. E. Wu, “Coverage in fault-tolerant control,” Automatica, vol. 40, no. 4, pp. 537–548, 2004. [2] B. Walker, “Fault tolerant control system reliability and performance prediction using semi-Markov models,” in Proceedings of Safeprocess, pp. 1053–1064, Kingston Upon Hull, UK, 1997. [3] H. Li, Q. Zhao, and Z. Yang, “Reliability modeling of fault tolerant control systems,” to appear in International Journal of Applied Mathematics and Computer Science. [4] H. Li and Q. Zhao, “Reliability evaluation of fault tolerant control with a semi-Markov fault detection and isolation model,” Proceedings of the Institution of Mechanical Engineers Part I, vol. 220, no. 5, pp. 329–338, 2006. [5] J. Song and A. Der Kiureghian, “Joint ﬁrst-passage probability and reliability of systems under stochastic excitation,” Journal of Engineering Mechanics, vol. 132, no. 1, pp. 65–77, 2006. [6] Y. Zhang and X. R. Li, “Detection and diagnosis of sensor and actuator failures using IMM estimator,” IEEE Transactions on Aerospace and Electronic Systems, vol. 34, no. 4, pp. 1293–1313, 1998. [7] W. Kuo and M. Zuo, Optimal Reliability Modeling,JohnWiley & Sons, Hoboken, NJ, USA, 2002. [8] R. V. Field Jr. and L. A. Bergman, “Reliability-based approach to linear covariance control design,” Journal of Engineering Me- chanics, vol. 124, no. 2, pp. 193–199, 1998. [9] V. Barbu, M. Boussemart, and N. Limnios, “Discrete-time semi-Markov model for reliability and survival analysis,” Com- munications in Statistics: Theory and Methods, vol. 33, no. 11, pp. 2833–2868, 2004. [10] G. J. Balas, A. K. Packard, J. Renfrow, C. Mullaney, and R. T. M’Closkey, “Control of the F-14 aircraft lateral-directional axis during powered approach,” Journal of Guidance, Control, and Dynamics, vol. 21, no. 6, pp. 899–908, 1998. Hindawi Publishing Corporation Journal of Control Science and Engineering Volume 2008, Article ID 310652, 13 pages doi:10.1155/2008/310652

Research Article Fault-Tolerant Control of a Distributed Database System

N. Eva Wu,1 Matthew C. Ruschmann,1 and Mark H. Linderman2

1 Department of Electrical and Computer Engineering, Binghamton University, Binghamton, NY 13902-6000, USA 2 US Air Force Research Laboratories at Rome Research Site, Rome, NY 13441-4505, USA

Correspondence should be addressed to N. Eva Wu, [email protected]

Received 31 December 2006; Accepted 11 September 2007

Recommended by Kemin Zhou

Optimal state information-based control policy for a distributed database system subject to server failures is considered. Fault- tolerance is made possible by the partitioned architecture of the system and data redundancy therein. Control actions include restoration of lost data sets in a single server using redundant data sets in the remaining servers, routing of queries to intact servers, or overhaul of the entire system for renewal. Control policies are determined by solving Markov decision problems with cost criteria that penalize system unavailability and slow query response. Steady-state system availability and expected query response time of the controlled database are evaluated with the Markov model of the database. Robustness is addressed by introducing additional states into the database model to account for control action delays and decision errors. A robust control policy is solved for the Markov decision problem described by the augmented state model.

Copyright © 2008 N. Eva Wu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION minimizes a total expected discounted cost is sought. For the purpose of illustration, a simple problem that disregards the A database, as described in [1], is a shared collection of re- query states is set up, for which the policy developed in [2]is lated data and the description of this data, designed to meet confirmed to be optimal. the information needs of a client. A recent study by Wu et al. In reality, however, it is not practical to monitor every [2] on a distributed database system, as shown in Figure 1, state variable in a network. As a result, knowledge on a cer- revealed the benefits of a conscientious design of redundant tain set of states is inferred based on the observables. On the architecture and the application of state information-based other hand, a control action, in response to a state transi- control. Such benefits were quantified in terms of mean time tion such as an occurrence of a server failure, must wait un- to system failure, steady-state availability, expected response til a process of diagnosing the failure state [11]iscomplete. time, and service overhead. The database system was viewed The time required for diagnosis is assumed to be a random as a queuing network [3, 4] and mathematically modeled as variable and the outcome of the diagnosis usually has some a Markov chain [5]. The control authorities considered in- degreeofuncertaintyaswell.Ifserversmustcommunicate cluded the ability to restore the lost data sets in a single server through wireless channels, the likelihood of an erroneous de- and the ability to route service requests. In order to obtain cision and a delayed action is drastically increased. Recogniz- an analytic model of manageable size for scrutinizing the ef- ing that the assumption of instantaneous accessibility of the fects of control, the queuing network was restricted to the state information in the database system could lead to overly closed type with a query population of three. In addition, optimistic conclusions on system performance, Wu et al. [12] all the event lifetime distributions were assumed to be expo- took a further step to analyze the effects of control action de- nential. A simulation study conducted by Metzler [6] using lays and decision errors for the same database system. Their Arena [7, 8]withtheaboverestrictionsremovedsupported analysis concluded that delays and errors can significantly de- the conclusions in [2]. grade the performance of the database system. The first objective of this paper is to provide justification Therefore, the second objective of the paper is to seek a that the control policy applied in the aforementioned study robust control policy that mitigates the effects of such con- [2]isoptimalinawelldefinedsense.Tothatend,aMarkov trol action delays and decision errors. A robust solution ob- decision problem [9, 10] is formulated and the solution that viously has a strong dependence on how uncertainties are 2 Journal of Control Science and Engineering

The distributed database system in Figure 1 contains

SAB three servers in parallel to answer three classes, A, B,andC, of queries for which relevant information can be found in μ the partitioned data sets, A, B,andC, of the database, respectively. Server S would contain the data set corresponding SBC MN to class M as the primary set and a reproduction of data set Scheduling N as the secondary set. Alternate secondary data sets are reproduced in order to automate restoration of failed servers SCA within the database. The failure of a server implies the loss of λ two sets of data within the server. A system level failure is de- clared when two servers fail, in which case one set of data is Data restoration completely lost. The queues preceding servers SAB, SBC,and λ SCA are named QAC, QBC,andQCA, respectively. All queues are of sufficient capacity in the baseline model. Service is provided on a first-come-first-served (FCFS) basis at each server. λ The three delay elements of average delay 1/λ imply that there are always three queries present in the system at any given time. A new query is generated at a delay element with Figure 1: A queuing network representation of a partitioned rate λ upon the completion of the service to a query at one of database system with three servers. the servers. The delay elements are also intended to be reflec- tive of the response time to the querying customers by other service nodes in the system that are not explicitly modeled. modeled. This paper establishes an uncertain database model Any new query is assumed to have a likelihood of ρIJ to visit following the basic principles presented in [12]. The new server SIJ,whereIJ can be AB, BC,orCA. model also captures the effect of routing delays of queries The use of a queuing network model for the database is from a failed server to remote intact servers. A new Markov based on its suitability to involve control actions and to cap- decision problem is then formulated and solved. Due to the ture their effects on the system performance. The model is increased dimension of the problem, approximate solutions built in this study with the premise that event life distribu- are sought via numerical means. tions have been established for the process of query genera- This paper presents a novel model of a replicated data tion (exp(λ) ≡ 1 − e−γt), the process of service completion store wherein a set of information is partitioned and each (exp(μ)), the process of server failure (exp(ν)), the process partition is stored on multiple servers. This work is moti- of data restoration (exp(γ)), and the process of system over- vated by the recognition of the need for greatly enhanced haul (exp(ω)) when the failed database system is repaired. All availability of information management systems in air op- such processes are independent. Standard statistical meth- erations [13]. It addresses the desirability of hardware repli- ods that involve data collection, parameter estimation, and cation and state-information-controlled restoration, whereas goodness of fit tests exist [15] for identifying event life distri- published works in the field of distributed database and repli- butions. Alternative distributions and goodness of these as- cation have discussed specific protocols and software failures sumptions were investigated in [6]. Since all event lives are [14]. assumed to be exponentially distributed, the database sys- The paper is organized as follows: Section 2 describes the tem can be conveniently modeled as a Markov chain specified baseline model of the controlled database system shown in by a state space X, an initial state probability mass function Figure 1; Section 3 formulates and solves a Markov decision (pmf) πx(0), and a set of state transition rates Λ. problem that justifies the control policy applied to the baseline model; Section 4 presents an approach to modeling con- 2.1. Model specification trol action delays and decision errors; Section 5 formulates and solves, using dynamic programming, a Markov decision State space X problem with an uncertain model containing delays and errors, and analyzes the robustly controlled system in terms of A state name is coded with a 6-digit number indicative system availability and query response time in the presence of all queue lengths and server states in the system. With of control action delays and decision errors. some abuse of notations, a valid state representation is given by QABQBCQCASABSBCSCA, where queue length QAB, QBC, ∈{ } ≡ ≤ 2. BASELINE MODEL AND NOTATION FOR QCA 0, 1, 2, 3 with total length L QAB + QBC + QCA 3 A CONTROLLED DATABASE SYSTEM limited by the three entities available in the closed-queue system. The server states SAB, SBC, SCA ∈{0, 1, 2} are further The description of a baseline model for a replicated data store defined as “2” ≡ data are lost in both the primary and the follows to a large extent that of Wu et al. [2]. In particular, secondary sets in a server, “1” ≡ the data in the primary set a system of three servers is studied, each storing two parti- have been restored and data in the secondary set have not tions out of a total of three. Each partition has one “primary” been restored, and “0” ≡ data in both primary set and sec- server and one “secondary” server. ondary set in a server are intact. A server is said to be in the N. Eva Wu et al. 3 down state if it is either at states “1” or “2.” For example, state 2.2. Control Policy 110020 indicates that server SAB is up with one customer in Our intention is to eliminate all single point failures. Our ap- its queue, server SBC is down with both sets of data lost and one customer in its queue, and server S is up and idle. Note proach is to base the control actions on the state informa- CA ff that the queue length includes the customer being served. tion, which e ectively alter the transition rates when loss of There are 540 valid states in the baseline system. The total data occurs in a single server. The possible set of control ac- number of states is reduced to 147 when all the states repre- tions includes restoration, overhaul, and no decision needed. senting system level failures are aggregated into seven states There is one admissible set of control actions at each state. A memorizing the possible queue length distributions and ex- state of no decision needed has an empty admissible set. ploiting the symmetry of the three servers. A set of alterna- Taking into consideration the symmetry of the model, tive state names are assigned from X ={1, 2, ..., 147} with the control policy considered for this study is summarized 000000 mapped to x = 1 and the aggregated system failure as follows: = ⎧ state mapped to x 141, ..., 147. Although the symmetry of ⎪ ⎪0, upon entering the state of one server the system allows further reduction on the number of states ⎨⎪ failure, system overhauls; to 56, the 147-state model is retained for clarity of presenta- ( ) = (5) u x ⎪ tion. ⎪1, upon entering the state of one server ⎩⎪ failure, system restores. Initial state pmf {πx(0), x = 1, 2, ..., 147} The presence of control in the transition rate matrix is seen It is assumed that the database system starts operation from via u(x)andu(x) = 1 − u(x). The values of u(x)repre- state x = 1(000000), that is, the initial state probability is sent specific control actions associated with data restoration given by vector π(0) = [1 0 ...0]. (u(x) = 1) or system overhaul (u(x) = 1), respectively. Pre- viously in [2], system overhaul is considered only at state = = Set of state transition functions pi,j (t) x 141 through x 147. Events that trigger the transitions and the corresponding 2.3. Performance measures transition rates are given as follows. A newly generated query − × entersoneoftheserverswithrate(3 L) λ/3. Aqueryisan- Two of the four performance measures defined in [2]are swered at a server with rate μ. Acompletedatalossoccursata reintroduced: steady-state availability A and expected re- ν sys server with rate . Data in the primary data set of a server are sponse time E[R]. These will be used later to validate the con- restored with rate γ or repaired with overhaul rate ω. Data in trol policies that are derived under cost criteria intended to the secondary data set of the server are restored with rate γ, improve both Asys and E[R]. following the restoration of the primary data set. The failed database system is always renewed with overhaul rate ω. Steady-state availability Let X ∈ X denote the random state variable at time t. The set of state transition functions is given by Suppose as soon as the database system reaches a system level failure, an overhaul process starts. Suppose, with a rate , the pi,j (t) ≡ P X(t) = j | X(0) = i , i, j = 1, 2, ..., 147. ω (1) system is repaired, and at the completion of the repair, the system immediately starts to operate again. In this case, the The continuous-time Markov chain can be solved from Markov chain becomes irreducible, and a unique steady-state the forward Chapman-Kolmogorov equation [5, 10] distribution exists [5, 10]. The steady-state availability, which can be roughly thought of as the fraction of time the database P˙(t) = P(t)Q u(x) , P(0) = I, P(t) = pi,j (t) (2) system is upto, is computed in [2]by and Q(u(x)) is called an infinitesimal generator or a rate transition matrix whose (i, j)th entry is given by the rate as- Asys = 1 − πF (∞), (6) sociated with the transition from current state i to next state ∞ j. (See [2] for the complete rate transition.) Control variable where πF ( ) is the sum of the system level failure state prob- u(x) will be defined shortly. State probability mass function abilities determined by solving at time t, 147 ∞ = ∞ = π(t) = [π1(t) π2(t) ... π147(t)], t ≥ 0, (3) π( )Q 0, πx( ) 1. (7) x=1 is computed by π(t) = π(0)P(t). (4) Expected query response time At this point, a baseline Markov model for the database Query response time is the amount of time elapsing from system of Figure 1 has been established. Since transition rate the instant a query enters a queue until it completes service matrix Q is dependent on control actions, the state transition [10]. With server failures, the average response time E[R]is functions pi,j (t) are being controlled, as are the state proba- calculated as the expectation of the ratio of total amount of bilities. time that all queries spend waiting for service in queue, plus 4 Journal of Control Science and Engineering

υ + ωu +(2v + γ)u ρ

0 2υ u primary data ρ γu + ωu restored ρ γ u 3υ ρ 3υ + γ ρ ρ

2υ u 3 2 ρ 1 3servers 2servers 2+ servers intact intact failed ω u ρ υ + ωu +(2υ + γ)u ω + γ ω ρ ρ ρ

Figure 2: Markov chain model of the database reﬂecting only the server states.

their service times to the number of queries that are serviced. {u0(x0), u1(x1), ...} that minimizes the following expected Consider, again, the irreducible chain modeling of the system total discounted cost: in Figure 1.LetIi,j be the indicator function associated with ∞ transition from state i to state j that indicates a query arrival. k Vπ (x0) = Eπ α C(Xk, uk), (10) Let Ni be the total number of queries in queue at state i. Then k=0 the total expected number of queries in queue at the steady state is given by where 0 <α<1 is a discount factor. To simplify the presentation, state information on repre- 147 senting service demand is ignored for the moment. In this E[X] = πi(∞)Ni,(8)case, the inherent symmetry of the database system leads to i=1 a very simple 4-state Markov model as shown in Figure 2. As a result, the finite population assumption can be relaxed, and the arrival rate at steady-state is that is, the closed queuing network of Figure 1 can either remain closed or can be revised to an open queuing network. In addition, query handling in the event of a server failure 147 147 becomes completely unrestricted. Two different methods of λs = πi(∞) Iijqij. (9) i=1 i=1 query handling are to be examined in this section. (1) Each arrival query has equal likelihood to seek infor- The calculation of the response time at steady-state then fol- mation in data sets A, B,orC, but only the primary lows Little’s Law [4, 10] E[X] = λsE[R]. data set is available for query service in each server, and the secondary server is there to restore data in a failed server. 3. RESTORATION AS SOLUTION TO MARKOV (2) Upon a server failure, queries are rerouted to the two DECISION PROBLEM remaining servers where the secondary data sets also participate in query service though only one of the two Intuition suggests that by restoring the lost data sets in a intact servers can provide service to only two of the single failed server, overhaul can be avoided, and therefore, three classes of queries during restoration. the stationary control policy u(x)givenin(5)oughttoren- der service more available. However, the restoration process The distinction in these two cases is captured in transi- occupies one of the remaining servers, and therefore, may tion probabilities and in transition cost C(i, u). Fault-tolerant prolong the average response time of the system to queries. control policies are now developed for the two cases. This section formulates and solves a Markv decision problem (MDP) for the database system to justify the optimality of the 3.1. Secondary data set reserved for restoration policy used in [2]. lost data restoration The Markov decision problem considered in this paper assumes that a cost C(i, u) is incurred at every state tran- This subsection derives the optimal control policy with the sition, where i is the state entered and u is a control ac- first method for handling queries; each arrival query has tion selected from a set of admissible actions [9, 10]. The equal likelihood to seek information in data sets A, B,orC, solution amounts to determining a stationary policy π = but only the primary data set is available for query service in N. Eva Wu et al. 5

Table 1: One step cost C(xk, uk). where pi,j have been marked in Figure 2. In addition, policy π∗ is optimal if and only if it yields V ∗(i)foralli.The = = State u 1 u 0 four optimality equations can be expressed explicitly based 30 0on (11): 21/γ 1/ω 11/ω 1/ω 1 3ν + γ ω 01/γ 1/ω V(0) = min + α V(0) + α V(3), u ω ρ ρ u=0 Optimal control regions 1 ν + ω 2ν γ 1.8 + α V(0) + α V(1) + α V(3) ; γ ρ ρ ρ 1.7 u=1 1.6 1 3ν + γ ω V(1) = min + α V(1) + α V(3), 1.5 u ω ρ ρ 1.4 1 3ν + γ ω + α V(1) + α V(3) ;

γ/ω ω ρ ρ 1.3 1 2ν + γ ω 1.2 V(2) = min + α V(2) + α V(3), u ω ρ ρ 1.1 1 γ 2ν ν + ω + α V(0) + α V(1) + α V(2) ; 1 γ ρ ρ ρ 0.9 00.20.40.60.81 3ν ω + γ V(3) = min α V(2) + α V(3), α u ρ ρ u = 1optimal 3ν ω + γ u = 0optimal α V(2) + α V(3) . ρ ρ Figure 3: Optimal policy on the (α, γ/ω)graph. (12)

TheaboveequationsaresolvedforV ∗(i), for i = each server, and the secondary server is there to restore data 0, 1, 2, 3, using Mathematica [16]. Figure 3 is created with in a failed server. ω = 10ν and α ∈ [0, 1). It can be seen that, when the ra- Figure 2 shows a discrete time Markov chain model for tio of γ to ω is above the blue curve, u = 1 (restoration) this case. This model is obtained by the application of a uni- is optimal at all states, whereas u = 0(overhaul)isoptimal formization procedure [10] with a uniform rate ρ = 3ν+ω+γ when γ/ω is below the red curve. Between the two curves, that is greater than any total outgoing transition rates at any {u(2) = ϕ, u(0) = ϕ} is optimal, for transition from state state of the original continuous time Markov process. All pa- “2” to state “0” implies restoration of primary data set, which rameters in Figure 2 have been defined earlier. cannot occur with control action u(2) = 0. Therefore, the A fault-tolerant control policy essentially determines mid-region optimal policy does not take place in the opera- whether to occupy one of the two working servers to restore tion of the database system. the data in the failed server or to overhaul the entire system Note that γ/ω = 5in[2], which lies above the blue curve at the state of one server failure. It is determined by how the in Figure 3 for any α ∈ [0, 1). Therefore, the always-restore designer penalizes a control action at any given state. Table 1 policy implemented in [2] is optimal under the cost structure specifies the one step cost at each state. defined in Table 1. Let Xk ∈{1, 2, 3, 4} denote the random state variable at t = k/ρ in the discrete time Markov chain. Control action = u(xk) 1(or 0, or ϕ) indicates the system’s decision to (or not 3.2. Secondary data set available for both query to overhaul, or not to act) restore a failed server. C(xk, uk)in service and data restoration Table 1 is the cost incurred when control action uk is taken based on xk. It has been shown that under the condition This subsection considers the second method of query han- 0 ≤ C(j, u) < ∞ for all j and all u that belongs to some ∗ dling upon a server failure: overhaul can only occur at finite admissible sets Uj , the minimal cost V (i) satisfies the state “1,” which implies that queries of the failed server are following optimality equation [9, 10]: rerouted to the two remaining servers where the secondary data sets also participate in query service though only one of V(i) = min C(i, u)+α pi,j V(j) , (11) the two intact servers can provide service to only two of the u∈U i j three classes of queries during restoration. 6 Journal of Control Science and Engineering

υ + ω + γu ρ

0 2υ primary data ρ γ u restored ρ γ u ρ 3υ + γ ρ 3υ 2υ 3 ρ 2 ρ 1 3servers 2servers 2+ servers intact intact failed

υ + ω + γu ω + γ ω ρ ρ ρ

Figure 4: Markov chain model of the database where overhaul does not occur until a second server failure.

×104 Line types correspond to control actions ×104 Line types correspond to control actions 8 4

7 3.5

6 3 ) i ) ( i

5 ( 2.5 V V

4 2

Cost-to-go, 3 1.5 Cost to go,

2 1

1 0.5

0 0 00.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09 0.1 00.02 0.04 0.06 0.08 0.1 Restoration rate (γ) Restoration rate (γ)

State 3: no action State 2: restoration State 3: no action State 2: restoration State 1: overhaul State 0: overhaul State 1: overhaul State 0: no action State 2: overhaul State 0: restoration State 2: no action State 0: restoration (a) Overhaul allowed at all states (b) Overhaul allowed only at system failure state

Figure 5: Minimum cost-to-go versus restoration rate for the 4-state model with cost criteria of Table 1.

The uniformized Markov chain model is shown in Figures 5(a) and 5(b) compare the optimal cost-to-go’s of Figure 4. In this case, the two methods of query handling as functions of restora- = ν ν = ff ⎧ tion rate γ at fixed ω 10 and 0.001. Di erent line ⎪ types specify different control actions. In Figure 5(b),forex- ⎪0, upon entering the state of one server ⎨⎪ ample, no control action is taken at state “0” unless ≥ 1 8 failure, system awaits, γ . ω ( ) = (13) where restoration takes place; the system is always overhauled u x ⎪ ⎪1, upon entering the state of one server ⎩⎪ at state “1;” no control action is taken at state “2” unless failure, system restores, γ ≥ 2.6ω where restoration takes place; and no control action is ever taken at state “3.” It is seen that control pol- overhaul is held until a second server fails, and all classes of icy change occurs at a higher ratio of γ/ω with the second queries rely on the service of the two operating servers in the method (policy change at γ = .026 in Figure 5(b)) than meantime. that with the first method (policy change at γ = .014 in N. Eva Wu et al. 7

tent error state. It is assumed that from this state, only tran- ··· ··· sitions representing service completion can occur. Figure 6 B1 Bn F F 1 m depicts a generic representation of such a case. To service completion Without loss of generality, let A be a state that is entered To server data loss upon the loss of both data sets in a server. Let C be the state entered upon the completion of primary data set restora- To restoration of primary database tion associated with the data loss. Let B1 through Bn be the A C states representing completion of services at other n servers. Let G1, ..., Gl be the state entered upon the arrival of a new cλA,C query in one of the queues. (Gi are not shown explicitly in To server data loss Figure 6.) Let F1 through Fm be the states entered upon data − rC (1 c)λA,C loss at other m servers. An intermittent state I is introduced, To recovery from error To intermittent error as shown in Figure 6, to allow the representation of imperfect decision making upon entering A. Therefore, there is an I intermittent error state for each state that involves outgoing transitions with weakened control authorities due to some Figure 6: Decision error modeling with an intermittent error state. decision errors. In the database system of Figure 1, 60 states are added to the original 147 states of baseline model. It is assumed that once the primary data set restoration takes place for a particular server, the secondary data set restoration pro- ceeds without a decision error. Figure 5(a)). Despite the slight favor toward overhaul, the Let λA,C denote the transition rate from state A to state optimality of the “always-restore” policy applied in [2]still C in the absence of decision error in the restoration of the holds with the second method at the nominal parameter val- primary database associated with the most recent data loss. ues μ = 12, γ = 0.05, and ω = 0.01, where γ/ω = 5 > 2.6. Let c be the probability of successful restoration, given that the event of restoration occurs. (1 − c) then is referred to 4. AUGMENTED MODEL INCLUDING CONTROL as the thinning [5] of the Poisson arrival process associated DELAYS AND DECISION ERRORS with the restoration. The split of rate λA,C into rate cλA,C and rate (1 − c)λA,C is sometimes also called a decomposition of This section establishes a full-state model to include the ef- a Poisson arrival process into type 1 with probability w and fects of decision errors and control action delays upon enter- type 2 with probability (1 − c). ing a state of a single server failure. The first two subsections An imperfect decision corresponds to the value of c be- follow [12] that treated these separately as the effect of de- ing less than unity. As a consequence, the authority of con- cision errors when a control action is taken incorrectly but trol that is supposed to reinforce the restoration process is immediately upon entering a state, and the effect of delayed weakened. The smaller the value of c, the weaker the control control actions when a correct control action is taken but authority is. after some time delay. There are deterministically diagnos- The rate of recovery from decision error is denoted by rC. able systems for which the only cost of diagnosis is time [11]. To state the fact that recovery from an intermittent error state The third subsection presents a new model to be used in ro- to restoration cannot be faster than the error-free (c = 1) bust control policy design that combines the two augmented restoration process, rC ≤ λA,C is enforced. On the other hand, models and introduces also delays due to rerouting queries the outgoing transition rates from the intermittent error state from failed sever to intact servers. to the states of data loss in other servers, that is, from I to Fi, i = 1, 2, ..., m, are bounded below by the corresponding 4.1. Modeling the effect of erroneous decisions rates going from A to Fi. These transitions further reduce the likelihood of reaching state C. The control action considered in this study is state informa- It is now shown that decision errors always degrade the tion based. Upon entering a state, for instance, A, any infor- performance in terms of the state transition probability PAC mation deficiency can result in uncertainty in decision mak- which is the probability that restoration to state C occurs ing as to whether to take a control action or what control given current state A. It turns out that this probability is read- actions to take. In this case, every decision carries a risk [17]. ily obtained for a Markov chain A decision error in the database system could include the possibility that upon a server failure, the wrong server cλ P = AC , (14) is identified as being failed. More specifically, SAB, for in- AC Λ(A) stance, has failed. However, SCA is mistakenly observed as the failed server. Based on the false information, the control ac- where tion would be for SBC to restore data set C in SCA,whereasSAB would be expected to continue to work. As a consequence, = ··· ··· ··· none of the servers can process queries for a period of time, Λ(A) λAB1 + + λABn + + λAF1 + + λAFm + λAC and the database system is said to have entered an intermit- (15) 8 Journal of Control Science and Engineering

Erlang distribution [5]; ··· B1 Bn F1 ··· Fm − N δ L 1 Π i . (17) i=1 s + δi To service completion To server data loss OnemayuseanN-stage Erlang to approach a constant delay, an N-state hyperexponential to approach a highly un- λA,C certain delay, or a mixture of the two to acquire more general A C To restoration without delay properties [10] in its distribution. Note that there are two significant differences between the decision error model of Figure 6 and the control delay δ model of Figure 7. First, the link to restoration of primary λ To diagnosed data loss A,C database is present in Figure 7 with a smaller likelihood of D transition, whereas the link to restoration without delay is ab- To restoration after delay sent in Figure 7. In addition, all links to service completion are absent in Figure 6, but are present in Figure 7. Therefore, Figure 7: Control action delay modeling with a single-stage delay each case has its distinct nature. state. 4.3. Full-state model of the controlled database system without decision error, in which case w = 1in(14), and Referring again to the closed queuing network view of the distributed database system in Figure 1, this section presents Λ(A) its augmented model that incorporates all three sources of = ··· ··· − λAB1 + +λABn +λAF1 + +λAFm + cλAC +(1 c)λAC uncertainties: decision errors (Section 4.1), control action (16) delays (Section 4.2), and routing delays. Routing delays are incurred when queries at a failed server are rerouted to the with decision error, in which case c<1. Note that (15)and remaining intact servers. (16) are the same, and both enter (14). Therefore, (14)ispro- Rerouting of queries becomes desirable when the queries portional to c, and is largest at c = 1 when there is no decision observe a server failure after they have entered the queue error. preceding the server. An exponentially distributed random routing time is introduced with rate τ/sec for this purpose. A routing delay is assumed independent of a control ac- 4.2. Modeling the effect of delayed control actions tion delay. The former captures the random time of diagnosis, whereas the latter captures random time of transmis- Time required for diagnosis [11] can be regarded as the uni- sion of queries among servers. Model augmentation amounts versal cause of a control action delay. An example of the con- to adding new transitions among existing states without the trol action delay in the database system shown in Figure 1 need for new states. would be that a total loss of data in a server is not immedi- In order to establish a full state model with all uncer- ately observed. As a result, the action of data restoration is tainty types, the representation of the composite state vari- delayed. able is modified to x = QABQBCQCASABSBCSCAU,where As in the previous subsection, let A be a state that is en- QIJ ∈{0, 1, 2, 3} and SIJ ∈{0, 1, 2} as in the baseline model tereduponatotallossofdatainaserver.LetC be the state described in Section 2; newly introduced uncertainty vari- entered upon the completion of primary database restoration able U ∈{0, 1, 2} with “1” = control delayed and “2” = associated with the data loss. States B1 through Bn and states wrong decision made. This results in a 267 state-model. By F1 through Fm also follow the earlier definitions. Figure 7 exploiting symmetry, the 256 (147 + 60 + 60) state model can depicts a proposed model capable of describing a delayed be reduced to a 96-state model. The binary control variables restoration action by an exponentially distributed random are defined as follows: u1 = 1torestore,u2 = 1tooverhaul, −1 amount with average δ units of time upon entering state and u3 = 1toreroutequeries. A. With a single-stage delay for each state entered upon a to- The states, the transitions, and the transition rates of tal loss of data in a server, another 60 states are added to the the uncertain model are summarized in Figure 8,basedon baseline model. which transition matrix Q ofaMarkovchaincanbebuilt In a more general case, there can be an N-phased de- and used in the next section for robust control policy design. lay implemented in the augmented model by inserting N τ in Figure 8 is the newly introduced query transmission rate states D1 through DN in series between states A and C.Each when the action for rerouting is called for. Error probability state Di retains outgoing transitions to all B1 through Bn,and c relates to c in Figure 6 through c = 1 − c. Subscript “p” F1 through Fm, in addition to transition to Di+1. The total denotes “primary” and “s” denotes “secondary.” Use of sym- amount of delay before restoration action is bounded below metry is reflected in server state S f and arrival rates λ1, λ2, by random variable D = D1 + ··· + DN , with a generalized and λ3. N. Eva Wu et al. 9

States Arrivals Completions Failures Delay Restorations Overhaul Reroute State # ν QAB QBC QCA S f U λ1 λ2 λ3 Overhaul μp δ cγp cγs cγ¯ p cγ¯ s ω τ 1 0000022200000 029292900000 0 0 2 1000043300010 032303100000 0 0 3 1100076500022 038373600000 0 0 4 2000087600020 035333400000 0 0 5 1110000000033 339393900000 0 0 6 1200000000043 044434000000 0 0 Available 7 2100000000034 045414200000 0 0 8 3000000000040 048464700000 0 0 9 0 0 0 1 0 12 11 10 50 50 50 0 0 0 0 49 49 0 0 1 0 0 1 0 10 0 0 1 1 0 17 16 13 51 51 52 0 0 9 0 50 50 0 0 2 0 0 2 0 11 0 1 0 1 0 1814165152510 9 0 0 5050 0 0 2 0 0 2 0 12 1 0 0 1 0 15 18 17 52 51 51 0 0 0 0 50 50 0 0 2 0 0 2 10 13 0 0 2 1 0 21 20 26 55 54 56 0 0 10 0 52 52 0 0 4 0 0 4 0 14 0 2 0 1 0 2427225456550 11 0 0 5252 0 0 4 0 0 4 0 15 2 0 0 1 0 28 25 23 56 55 54 0 0 0 0 52 52 0 0 4 0 0 4 17 16 0 1 1 1 0 1922205355540 10 110 5151 0 0 3 0 0 3 0 17 1 0 1 1 0 23 19 21 54 53 55 0 0 12 0 51 51 0 0 3 0 0 3 13 18 1 1 0 1 0 2524195554530 12 0 0 5151 0 0 3 0 0 3 16 19 1 1 1 1 0 0 0 0 0 0 0 0 17 18 0 53 53 0 0 5 0 0 5 20 20 0 1 2 1 0 0 0 0 0 0 0 0 13 16 0 54 54 0 0 6 0 0 6 0 21 1 02100000000017055550 0700 7 26 Secondary restore 22 0 2 1 1 0 0 0 0 0 0 0 0 16 14 0 55 55 0 0 7 0 0 7 0 23 2 01100000000015054540 0600 6 21 24 1 2 0 1 0 0 0 0 0 0 0 0 18 0 0 54 54 0 0 6 0 0 6 22 25 2 1 0 1 0 0 0 0 0 0 0 0 15 0 0 55 55 0 0 7 0 0 7 19 26 0031000000000130565600800 8 0 27 0 3 0 1 0 0 0 0 0 0 0 0 14 0 0 56 56 0 0 8 0 0 8 0 28 3 001000000000 0056560 0800 8 23 29 0 0 0 2 0 32 31 30 50 50 50 0 0 0 0 49 49 57 0 0 0 0 1 0 30 0 0 1 2 0 37 36 33 51 51 52 0 0 29 0 50 50 58 0 0 0 0 2 0 31 0 1 0 2 0 38 34 36 51 52 51 0 29 0 0 50 50 59 0 0 0 0 2 0 32 1 0 0 2 0 35 38 37 52 51 51 0 0 0 0 50 50 60 0 0 0 0 2 0 33 0 0 2 2 0 41 40 46 55 54 56 0 0 30 0 52 52 61 0 0 0 0 4 0 34 0 2 0 2 0 44 47 42 54 56 55 0 31 0 0 52 52 62 0 0 0 0 4 0 35 2 0 0 2 0 48 45 43 56 55 54 0 0 0 0 52 52 63 0 0 0 0 4 0 36 0 1 1 2 0 39 42 40 53 55 54 0 30 31 0 51 51 64 0 0 0 0 3 0 37 1 0 1 2 0 43 39 41 54 53 55 0 0 32 0 51 51 65 0 0 0 0 3 0 38 1 1 0 2 0 45 44 39 55 54 53 0 32 0 0 51 51 66 0 0 0 0 3 0 39 1 1 1 2 0 0 0 0 0 0 0 0 37 38 0 53 53 67 0 0 0 0 5 0 40 0 1 2 2 0 0 0 0 0 0 0 0 33 36 0 54 54 68 0 0 0 0 6 0 41 1 0220000000003705555690000 7 0

Observation delay 42 0 2 1 2 0 0 0 0 0 0 0 0 36 34 0 55 55 70 0 0 0 0 7 0 43 2 0120000000003505454710000 6 0 44 1 2020000000038005454720000 6 0 45 2 1020000000035005555730000 7 0 46 00320000000003305656740000 8 0 47 03020000000034005656750000 8 0 48 3 0 0 2 0 0 0 0 0 0 0 0 0 0 0 56 56 76 0 0 0 0 8 0 49 0 0 0 3 0 50 50 50 50 50 50 0 0 0 0 49 49 0 0 0 0 0 1 0 50 1 0 0 3 0 52 51 51 52 51 51 0 0 0 0 50 50 0 0 0 0 0 2 0 51 110 3 0 5554535554530 0 0 0 5151 0 0 0 0 0 3 0 52 2 0 0 3 0 56 55 54 56 55 54 0 0 0 0 52 52 0 0 0 0 0 4 0 53 1113000000000 0053530 0000 5 0

Failure 54 1 2 03000000000 0054540 0000 6 0 55 2 1 03000000000 0055550 0000 7 0 56 3 003000000000 0056560 0000 8 0 57 0 0 0 2 1 60 59 58 50 50 50 0 0 0 0 49 49 0 9 0 77 0 1 0 58 001 2 1 65 64 61 51 51 52 0 0 57 0 50 50 0 10 0 78 0 2 0 59 0 1 0 2 1 66 62 64 51 52 51 0 57 0 0 50 50 0 11 0 79 0 2 0 60 1 0 0 2 1 63 66 65 52 51 51 0 0 0 0 50 50 0 12 0 80 0 2 58 61 002 2 1 69 68 74 55 54 56 0 0 58 0 52 52 0 13 0 81 0 4 0 62 0 2 0 2 1 72 75 70 54 56 55 0 59 0 0 52 52 0 14 0 82 0 4 0 63 2 0 0 2 1 76 73 71 56 55 54 0 0 0 0 52 52 0 15 0 83 0 4 65 64 011 2 1 67 70 68 53 55 54 0 58 59 0 51 51 0 16 0 84 0 3 0 65 1 0 1 2 1 71 67 69 54 53 55 0 0 60 0 51 51 0 17 0 85 0 3 61 66 1 1 0 2 1 73 72 67 55 54 53 0 60 0 0 51 51 0 18 0 86 0 3 64 67 1 1 1 2 1 0 0 0 0 0 0 0 65 66 0 53 53 0 19 0 87 0 5 68 68 012 2 1 0 0 0 0 0 0 0 61 64 0 54 54 0 20 0 88 0 6 0 69 1 0 2 2 1 0 0 0 0 0 0 0 0 65 0 55 55 0 21 0 89 0 7 74

Primary restoration 70 021 2 1 0 0 0 0 0 0 0 64 62 0 55 55 0 22 0 90 0 7 0 71 2 0 1 2 1 0 0 0 0 0 0 0 0 63 0 54 54 0 23 0 91 0 6 69 72 1 20210000000660054540240920 6 70 73 2 10210000000630055550250930 7 67 74 003 2 1 0 0 0 0 0 0 0 0 61 0 56 56 0 26 0 94 0 8 0 75 030210000000620056560270950 8 0 76 3 0 0 2 1 0 0 0 0 0 0 0 0 0 0 56 56 0 28 0 96 0 8 71 77 0 0 0 2 2 80 79 78 50 50 50 0 0 0 0 49 49 0 9 0 57 0 1 0 78 001 2 2 85 84 81 51 51 52 0 0 77 0 50 50 0 10 0 58 0 2 0 79 0 1 0 2 2 86 82 84 51 52 51 0 77 0 0 50 50 0 11 0 59 0 2 0 80 1 0 0 2 2 83 86 85 52 51 51 0 0 0 0 50 50 0 12 0 60 0 2 78 81 002 2 2 89 88 94 55 54 56 0 0 78 0 52 52 0 13 0 61 0 4 0 82 0 2 0 2 2 92 95 90 54 56 55 0 79 0 0 52 52 0 14 0 62 0 4 0 83 2 0 0 2 2 96 93 91 56 55 54 0 0 0 0 52 52 0 15 0 63 0 4 85 84 011 2 2 87 90 88 53 55 54 0 78 79 0 51 51 0 16 0 64 0 3 0 85 1 0 1 2 2 91 87 89 54 53 55 0 0 80 0 51 51 0 17 0 65 0 3 81 86 1 1 0 2 2 93 92 87 55 54 53 0 80 0 0 51 51 0 18 0 66 0 3 84 87 1 1 1 2 2 0 0 0 0 0 0 0 85 86 0 53 53 0 19 0 67 0 5 88 88 0 1 2 2 2 0 0 0 0 0 0 0 81 84 0 54 54 0 20 0 68 0 6 0 89 1 0 2 2 2 0 0 0 0 0 0 0 0 85 0 55 55 0 21 0 69 0 7 94 90 021 2 2 0 0 0 0 0 0 0 84 82 0 55 55 0 22 0 70 0 7 0 91 2 0 1 2 2 0 0 0 0 0 0 0 0 83 0 54 54 0 23 0 71 0 6 89 92 1 20220000000860054540240720 6 90 Rework primary restoration 93 2 10220000000830055550250730 7 87 94 003 2 2 0 0 0 0 0 0 0 0 81 0 56 56 0 26 0 74 0 8 0 95 030220000000820056560270750 8 0 96 3 0 0 2 2 0 0 0 0 0 0 0 0 0 0 56 56 0 28 0 76 0 8 91

Figure 8: Transitions and transition rates of the uncertain database state model. 10 Journal of Control Science and Engineering

5. ROBUST CONTROL POLICY DESIGN Dynamic programming is the most natural numerical approach to policy design (18) because (11)isderived This section seeks robust control policies as solutions to the through taking limit of a finite horizon dynamic program Markov decision problem: [9, 10] ∞ ∗ = k Vπ (x0) min Eπ α C Xk, uk , Vk+1(j) = min C(j, u)+α pj,r Vk(r) , π u∈U k=0 (18) j r∈X (24) x0 ∈ X ={1, 2, ..., 95, 96}, k = 1, 2, ..., N − 1, where 0 <α<1, π ={u0, u1, ...} is the control policy where α<1, and terminal cost V0(j) = 0, forall j ∈ X. In sought, u = (u1, u2, u3), and ui ∈{0, 1}.u1 = 1torestore, this case the optimal cost is given by VN (x0), x0 ∈ X. More u2 = 1 to overhaul, and u3 = 1 to reroute queries, as defined specifically, with u taking values in a finite set, the minimal in Section 4.3. Note that the full-state model enables the de- cost-to-go from x0 of the 96-state Markov decision process signer to consider service demand and to weigh availability satisfies against response time. Thus two cost criteria are established. ∗ lim VN (x0) = V x0 , x0 ∈ X ={1, 2, ..., 95, 96}, The first criterion, N→∞ (25) Q1 xk + Q2 xk + Q3 xk C xk, uk = , (19) μ whereVN (x0) is the minimal cost-to-go from x0 of an N-step finite horizon process. ff penalizes long queues that cannot e ectively reduce in time The solution to a dynamic program results from an it- due to server failure, and thus favors response time. The sec- erative calculation backwards along the horizon from V0(j) ond criterion, shown in the following table, penalizes pro- to the first step VN (j). For the dynamic programming calcu- longed service time, again, due to server failure, and thus fa- lation to converge to the true cost-to-go, N must be signifi- vors availability. cantly large, and must be less than 1. The size of the state space suggests numerical means for Linear programming [18] can be considered as an alter- solutions. Mathematical programs will be applied to obtain native numerical approach to the solution of the Markov de- the solutions. The steady-state availability and the expected cision problem. In this case, the set of optimality equations is query response time of the controlled database system with turned into a set of affine constraints on the set of optimiza- the optimal policy will then be examined under various con- tion variables {V(i)}, and the problem can be formally stated ditions. as follows:

5.1. Optimal policy design via mathematical Maximize V(1) + V(2) + ··· + V(95) + V(96) (26) programming subject to V(i) ≥ 0, i ∈ X ={1, ...,96}, (27) The rate transition matrix Q(u(x)) of the 96-state model can be obtained based on Figure 8 established in Section 4.3. This Q(u(x)) depends on u(x) = (u (x), u (x), u (x)), u ∈{0, 1}. 1 2 3 i ≤ ∀ ∈ ∈ State probability equation V(i) C(i, u)+α pi,j V(j) u Ui, i X. i u π˙ (t) = π(t)Q u(x) (20) (28) The equivalence of the linear program formulation (26)– originated from the forward Chapman-Kolmogorov (2)can (28) and the optimality equation formulation can be easily now be uniformized to yield a discrete time Markov chain established. First, (27) is trivially satisfied for all i in both 1 formulations because one-step cost C(i, u) is always nonneg- π(k +1)= π(k) I + Q u(x) , (21) ρ ative. Suppose (V(1), ..., V(96)) is the linear program solu- where uniform rate ρ can be chosen to be tion. Then there must be one active (equality achieved) constraint for each of the affine inequality constraints of the ρ = 3λ +3ν + τ + δ + γ + μ + ω. (22) form V(i) ≤ ··· for each i. Suppose for some j, the constraint(s) V(j) is not active. Then V(j) can be increased until Recall optimality (11) one of the inequality constraints becomes active without violating the rest of the inequality constraints because αpi,j < 1 as coefficient of V(j) on the right side of the inequality con- V(i) = min C(i, u)+α pi,j V(j) , i ∈ X, (23) u∈U i j straints (28). This, however, contradicts the assumption that iV(i) is maximum. Therefore, (V(1), ..., V(96)) is also the as an alternative characterization of the solution to Markov solution to the optimality equations (28). decision problem (18), which produces a system of 96 equa- Assume now that (V(1), ..., V(96)) satisfies the optimal- tions. ity equations. It then automatically satisfies the inequality N. Eva Wu et al. 11

Control policy switching curves under The function linprog in MATLAB’s Optimization Tool- the queue-size cost criterion box [19] solves the maximization problem above. The active 3 10 constraints are checked with a MATLAB script to determine the optimal control policy. Overhaul The computational complexity of the dynamic program 102 and that of the linear program are now compared. Finding the solution to a linear program generally requires a compu- 2 ≥ Restoration tation time proportional to n m [18] when m n,wheren is

s) the number of optimization variables, and m is the number 101 /δ of constraints. The computational complexity of an iterative dynamic programming solution can be approximated by as-

Delay (1 suming that each iteration is a series of linear programs. The 100 linear programming solution to the set of optimality equations is of course a single linear program. The number of control variables, u, the number of states, 10−1 s, and the horizon length, N, are critical to the computation 0 0.20.40.60.81time of these methods. First, consider the iterative method as P (successful primary restoration) a series of linear programs. Each individual iteration along the N-step horizon consists of s individual linear programs. No query at state “A” No query at state “D” Each individual linear program has u variables and 2u con- One query at state “A” One query at state “D” straints. Therefore, the computation time is proportional to Two queries at state “A” Two queries at state “D” 2 = 3 Three queries at state “A” Three queries at state “D” Ns(u 2u) Ns(2u ). Now, consider the method of solving the optimality equations through linear programming. (a) The single linear program has s variables and 2us constraints. Hence, its computation time is proportional to s22us = s32u. Although the computation time grows faster for the linear program as the number of states increases, the horizon 2 To restoration without delay or error N is typically much larger than s for small discount factorin A C β in α = ρ/(β + ρ). Therefore, the linear program is more δ λA,C eﬃcient for moderate numbers of states and small discount To diagnosed data loss cλA,C factors. To restoration after delay To service completion &serverdataloss 5.2. Availability and response time under D robust control policy

(1 − c)λ A,C cλA,C A selected set of results on the robust control policies solved To recovery from error via mathematical programming are presented in this subsec- (1 − c)λA,C To intermittent error tion, and the system availability and query response time under some of the optimal policies are examined. To server data loss I 5.2.1. Restoration-overhaul switching

(b) Under the cost criterion (19) (minimum total discounted queue size), the optimal policy depends on the number of Figure 9: (a) Switching curves of the optimal policy under dis- queries in the queue behind the failed server. No action is counted queue size. (b) Partial database model containing both con- taken to overhaul the system until the two active queues are trol action delay and decision error. empty and the buildup of queries behind the failed server is signiﬁcant. Figure 9(a) depicts a switching curve of of the control policy between overhaul and restoration before (solid) and after (dotted) state D in Figure 9(b) is reached. constraints (28), of which 96 are active, one for each V(i) Policy switching is determined by the amount of control ac- appearing on the left side. Suppose iV(i) is not maximum. tion delay, the decision error probability, and the number ThereisatleastaV(j)forsome j that is smaller than the of queries in the failed server. It can be seen that, while the corresponding cost in max iV(i), which implies that the two active queues are occupied or after the primary data is corresponding constraint(s) for V(j) < ··· is (are) slack or successfully restored, restoration is performed on the failed inactive. This contradicts that V(j) satisﬁes the optimality server as long as the server performing the restoration does equation. Therefore, (V(1), ..., V(96)) must also be the so- not have any customers waiting in its queue. lution of the linear program formulation (28). The equiva- Under the cost criterion stated in Table 2 (minimally re- lence is thus established. duced service time), the optimal policy always attempts to 12 Journal of Control Science and Engineering

Optimal under service time criterion of table 2 (1/δ = 100) Optimal under service time criterion of table 2 (c = 1) 2.5 0.55 2 0.5 0.45 1.5 0.4 1 0.35 0.3 0.5 0.25 Response time (s) 0 Response time (s) 0.2 00.10.20.30.40.50.60.70.80.91 0 102030405060708090100

1 1 0.95 0.95 0.9 0.9 0.85 0.85

Availability 0.8 Availability 0.8 0.75 0.75 00.10.20.30.40.50.60.70.80.91 0 102030405060708090100 Error probability (1 − c) Average delay (1/δ sec)

Robust policy Overhaul Robust policy Overhaul Restoration Nominal policy Restoration Nominal policy (a) (b)

Figure 10: Response time (upper panel) and availability (lower panel) resulting from robust control policy (solid black) and nominal control policy(dottedred)versus(a)decisionerror(1− c) and (b) control delay (1/δ).

Table 2: Discounted service rate with service demand considera- The routing only policy does not attempt to restore the tion. single failed server. Instead, queries are routed to an empty queue whenever the subsequent server contains the data for Current state xk One-step cost C(xk, uk) the query. The system is overhauled upon a second server The database is fully functional 0 failure. It offers some advantage in response time over the One unavailable server has a queue 1/μ always-restore policy when there is no routing delay, as Two unavailable servers have a queue 2/μ shown in Figure 11(a). It is also seen that the robust opti- All servers are unavailable and have a queue 3/μ mal policy experience improved performance with rerouting authority. However, a routing delay of about one second is significant enough to discourage the use of the routing-only policy, as shown in Figure 11(b). restore the failed server as long as the server performing the restoration does not have any queries waiting in its queue. 6. CONCLUSIONS The only exception is when three queries are piled into any single queue. In this case, overhaul occurs when the uncer- Uncertainties due to control delays, transmission delays, and tainties are significant. decision errors in the distributed database system degrade the performance of the database system performance in 5.2.2. Performance under nominal and robust policies, and terms of availability and response time. Restoration remains effect of routing delay to be the optimal policy over a significant range of uncertainties. Beyond boundaries of the range, however, the optimal This subsection examines the system steady-state availabil- control policy switches to overhaul. By formulating and solv- ity and the expected query response under the robust policy, ing a Markov decision problem, the robustness of the control where random control delay and decision error are explic- policies is investigated. Boundaries for which optimal actions itly modeled, and under nominal policy where uncertainties alter are shown to exist and are quantified. The robust poli- are ignored. The results are similar for policies derived with cies are shown to provide the best compromise among com- either the queue size criterion (19) or the service time crite- peting interests. rion (Table 2). The robust policy shows two distinct features The authors have also investigated the optimal control in Figures 10(a) and 10(b); it switches control action when policy for the database under the open queuing network uncertainties (delay and error) becomes significant, and it setting in the face of delays and errors. Simulations with balances between availability and response time in this sit- SimEvents [20] show that response time further depends on uation. the arrival rate of queries. Simulation results will be reported N. Eva Wu et al. 13

Optimal under queue size criterion (1/τ = 0) Optimal under queue size criterion (1/δ = 100) 0.6 2 0.5 1.5 0.4 1 0.3 0.2 0.5 Response time (sec) 0.1 Response time (sec) 0 0 20406080100 0246810

1 1 0.95 0.95 0.9 0.9 0.85 0.85 Availability 0.8 Availability 0.8 0.75 0.75 0 20406080100 0246810 Average delay (1/δ sec) Average routing delay (1/τ sec) Robust policy Overhaul Robust policy Overhaul Restoration Rerouting only policy Restoration Rerouting only policy (a) (b)

Figure 11: Response time (upper panel) and availability (lower panel) resulting from robust control policy (solid black) and routing only policy (dotted red) versus (a) control delay (1/δ) and (b) routing delay (1/τ).

separately. Simulation study of larger networks has also been [10] C. G. Cassandras and S. Lafortune, Introduction to Discrete planned. Event Systems, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1999. [11] D. Thorsley and D. Teneketzis, “Diagnosability of stochastic ACKNOWLEDGMENT discrete-event systems,” IEEE Transactions on Automatic Con- trol, vol. 50, no. 4, pp. 476–492, 2005. This work was supported in part by AFOSR under Grants [12] N. E. Wu, J. M. Metzler, and M. H. Linderman, “Controlled FA9550-06-0456 and FA9550-06-10249. database unit subject to control delays and decision errors,” in Proceedings of the 8th International Workshop on of Discrete REFERENCES Event Systems (WODES ’06), pp. 131–136, Michigan, Mich, USA, July 2006. [13] N. E. Wu and T. Busch, “Reconfiguration of C2 architec- [1] T. Connolly and C. Begg, Database Solutions: A Step by Step ture for improved availability to support air operations,” IEEE Guide to Building Databases, Pearson/Addison Wesley, New Transactions on Aerospace and Electronics,vol.43,no.2,pp. York, NY, USA, 2nd edition, 2004. 795–805, 2007. [2] N. E. Wu, J. M. Metzler, and M. H. Linderman, “Supervisory [14] A. A. Helal, A. A. Heddaya, and B. K. Bhargava, Replication control of a database unit,” in Proceedings of the 44th IEEE Con- Techniques in Distributed Systems, Kluwer Academic Publish- ference on Decision and Control and European Control Confer- ers, Norwell, Mass, USA, 1996. ence (CDC-ECC ’05), pp. 7615–7620, Seville, Spain, December [15] S. Zacks, Introduction to Reliability Analysis: Probability Models 2005. and Statistics Methods, Springer, New York, NY, USA, 1992. [3] L. Kleinrock, Queueing Systems: Volume 2: Computer Applica- [16] S. Wolfram, Mathematica 5.2, Wolfram Media, Champaign, tions, John Wiley & Sons, New York, NY, USA, 1976. Ill, USA, 3rd edition, 2005. [4] G. Bolch, S. Greiner, H. de Meer, and K. S. Trivedi, Queueing [17] N. E. Wu, “Coverage in fault-tolerant control,” Automatica, Networks and Markov Chains: Modeling and Performance Eval- vol. 40, no. 4, pp. 537–548, 2004. uation with Computer Science Applications,JohnWiley&Sons, [18] S. Boyd and L. Vandenberghe, Convex Optimization,Cam- New York, NY, USA, 1998. bridge University Press, New York, NY, USA, 2004. [5]E.P.C.Kao,An Introduction to Stochastic Processes,Duxbury [19] MathWorks, “Optimization Toolbox User’s Guide, for Use Press, New York, NY, USA, 1997. with MATLAB, Version 3,” The MathWorks, 2006. [6] J. M. Metzler, “The effect of supervisory control on a re- [20] MathWorks, “SimEvents User’s Guide, for Use with Simulink,” dundant database unit,” M.S. thesis, Binghamton University, The MathWorks, 2006. Vestal, NY, USA, 2005. [7] Arena, Academic Version 7.01.00, Rockwell Software, 2004. [8] W. D. Kelton, R. P. Sadowski, and D. T. Sturrock, Simulation with Arena, McGraw-Hill, New York, NY, USA, 3rd edition, 2004. [9]D.P.Bertsekas,Dynamic Programming and Optimal Control, vol. 1, 2, Athena Scientific, Belmont, Mass, USA, 1995.