a model–based approach to fault–tolerant control

Int. J. Appl. Math. Comput. Sci., 2012, Vol. 22, No. 1, 6786DOI: 10.2478/v10006-012-0005-x

A MODELBASED APPROACH TO FAULTTOLERANT CONTROL

HANS HENRIK NIEMANN

Department of Electrical Engineering, Automation and ControlTechnical University of Denmark, Building 326, DK-2800 Kgs. Lyngby, Denmark

e-mail: [email protected]

A model-based controller architecture for Fault-Tolerant Control (FTC) is presented in this paper. The controller architec-ture is based on a general controller parameterization. The FTC architecture consists of two main parts, a Fault Detectionand Isolation (FDI) part and a controller reconfiguration part. The theoretical basis for the architecture is given followed byan investigation of the single parts in the architecture. It is shown that the general controller parameterization is central inconnection with both fault diagnosis as well as controller reconfiguration. Especially in relation to the controller reconfigu-ration part, the application of controller parameterization results in a systematic technique for switching between differentcontrollers. This also allows controller switching using different sets of actuators and sensors.

Keywords: fault-tolerant control, controller architecture, fault diagnosis, active fault diagnosis, controller switching.

1. Introduction

Fault-Tolerant Control (FTC) (Blanke et al., 2003) andhigh performance feedback control (Tay et al., 1997),have been considered to be two distinct areas. In the highperformance control area, the efficiency requirements aresatisfied by the use of more advanced design methods.These include methods such as, e.g., H2, H, LMI-design, -synthesis, etc. (Maciejowski, 1989; Skogestadand Postlethwaite, 2005; Zhou et al., 1995). The price iscomplex controllers, where re-tuning of single parts is im-possible. Using simpler controller architectures consistingof P, PI, PID controllers, etc., it is reasonably simple tore-tune single parameters in connection with implemen-tation. The controller parameters are transparent to theoperator, so redesign is possible. That is not the case formore advanced and complex controller architectures. Thisis one of the main reasons why advanced controllers arenot always applied in real applications.

Fault-tolerant controllers deal with a concept for han-dling faulty situations by suitable reconfiguration of thefeedback controller applied. If a fault is detected and iso-lated, we want to change from a high performance con-troller to a safe-mode controller. The change must be donein a reliable way, so that closed-loop stability can be guar-anteed through the change. A number of different con-cepts have been described in books and papers (Blankeet al., 1997; 2000; 2003; Niemann and Stoustrup, 2002;

2005; Stoustrup and Niemann, 2001).The central issue in FTC is making the feedback con-

troller tolerant with respect to faults or changes in the sys-tem and/or the instrumentation. This can be done on thebasis of either a passive approach or an active approach.In the former, the nominal controller will be able to sta-bilize the system for possible faults. This is equivalent torobust feedback control. In the latter, the feedback con-troller is redesigned or reconfigured on the basis of theresults from detection and isolation of faults. This con-cept is more complex than the passive approach, but ingeneral it is also possible to handle a much larger numberof faults. This architecture is shown in Fig. 1.

A number of different controller architectures forFTC have been suggested in the literature. One ofthe architectures is based on the YoulaJabrBongiornoKucera (YJBK) parameterization described by Niemannand Stoustrup (2002; 2005), Stoustrop and Niemann(2001) as well as Zhou and Ren (2001). Here, the con-troller reconfiguration is obtained by design/redesign ofthe YJBK transfer matrix. The controller architecture isshown in Fig. 2.

The starting point for this paper is the mentionedFTC architecture shown in Fig. 2. Instead of using a stan-dard nominal controller as the normal-mode controller, ithas been selected as a safe-mode ONE. The reconfigura-tion controller is then designed to enhance performancein the system. This will allow a very fast switch from a

UnauthenticatedDownload Date | 3/30/15 4:15 PM

68 H.H. Niemann

G

K

yu

d e

Decision

Residualgenerator

yu

System

Nom. controllerandreconfiguration

Fault diagnosis

Fig. 1. Simple block diagram of fault-tolerant control includinga residual generator, a decision block and a controller-change block.

G

K

yu

d e

Q

Decision

Residualgenerator

yu

yQuQ

System

Nom. controller

Reconfiguration

Fault diagnosis

Fig. 2. Block diagram of fault-tolerant control including an FDIblock and a controller-modification block.

normal-mode controller to a safe-mode one just by remov-ing the reconfiguration loop in the controller architecture.The FTC set-up shown in Fig. 2 takes the form shown inFig. 3.

The FTC block diagram shown in Fig. 3 can be con-sidered from a more general point of view. The connectionbetween the three different operation modes (that does notinclude the start-up mode and the close-down mode) isshown in Fig. 4.

The diagram shows that an FTC architecture shouldallow switching from one operation mode to one of thetwo other operation modes. It is required that a switchfrom the Normal mode operation to the Safe modeoperation should be fast in the event of faults. This is veryimportant in cases where faults result in unstable closed-loop feedback systems. The switching is done on-line,i.e., it is hot switching. This requires that the switch-ing be done as a bump-less transfer between the differ-ent modes. This is to avoid introduction of large tran-

G

K

yu

d e

Q

Decision

Residualgenerator

yu

yQuQ

System

Safe modecontroller

Performancecontroller

Fault diagnosis

Fig. 3. Block diagram of a fault-tolerant controller with a safe-mode controller as the central controller.

sients in the closed-loop system. As indicated in Fig. 4,only the switching from Normal mode to Safe modeis required to be fast in the event of faults in the system.In general, it will not be possible to guarantee that thisswitching is done as a bump-less transfer due to the re-quirement for fast switching.

Another issue is the sensors and actuators applied. Inmany cases, the feedback controller applied for the nor-mal mode will in general be based on other sets of sensorsand actuators than the safe-mode controller. The FTC ar-chitecture needs therefore to be able to handle changesin the sensors and actuators in connection with controllerswitching.

A similar concept can be used in relation to high per-formance controllers. Here, the nominal controller can bea robust one based on reliable sensors and actuators. Asin the FTC case, the performance can be obtained by us-ing a suitable transfer matrix for the free transfer matrix in

Safe mode Reconguration mode

Normal mode

fastslow slow

slow

slow

slow

Fig. 4. FTC concept.


A model-based approach to fault-tolerant control 69

controller parameterization. The free transfer matrix canbe included when the system is in the normal mode. Thematrix can then either be decoupled or redesigned whenthe system is not in the nominal mode. This concept is inline with the ideas of Tay et al. (1997).

The main difference between the FTC concept andthe high performance one described is how the free trans-fer matrix in controller parameterization is changed. Inthe FTC case, the change is a consequence of a fault di-agnosis, whereas the change is typically handled by anoperator in the high performance case.

An important aspect in connection with both FTCand high performance control is system uncertainties. Ingeneral, the systems are given by

G = G(),

where describes the system uncertainties. Both fault di-agnosis and controller design/redesign must be done withrespect to the uncertainties in the system.

The main focus in this paper is to investigate the FTCcontroller architecture shown in Fig. 3 in greater detail.The concept described will be investigated with respect tofault diagnosis and controller reconfiguration. The changeof sensors and actuators in connection with reconfigura-tion of the controller will also be investigated.

The rest of this paper is organized as follows. Thesystem set-up is given in Section 2, followed by somepreliminary results for controller parameterization in Sec-tion 3. The set-up for fault diagnosis is considered in Sec-tion 4. Active fault detection and active fault isolation areconsidered in Sections 5 and 6, respectively. The last partof the FTC architecture, controller reconfiguration, is con-sidered in Section 7. Time aspects of the suggested FTCarchitecture are discussed in Section 8.

The paper ends with some closing remarks in Sec-tion 9.

2. System set-upLet a general system be given by

G :

zey

=

Gzw Gzd GzuGew Ged GeuGyw Gyd Gyu

wdu

, (1)

where w Rr is an external input vector, d Rs is adisturbance signal vector, u Rm is the saturated controlinput signal vector, z Rt is an external output vector,e Rq is the external output signal vector to be con-trolled, and y Rp is the measurement vector.

Let the external output z and the external input w beconnected through the uncertain block , i.e.,

w = z, (2)

where describes the uncertainty in the system. It canbe a fully uncertain complex block or it can be structured,(see, e.g., Skogestad and Postlethwaite, 2005). It is furtherassumed that is scaled such that

1, .

The general uncertain system G() is given by

G(() = Fu(G,), (3)

where Fu(, ) is an upper Linear Fractional Transforma-tion (LFT), (cf. Skogestad and Postlethwaite, 2005). Letthe system be controlled by a stabilizing feedback con-troller given by

K : { u = Kuyy. (4)

2.1. Parametric fault sets. Certain modeling aspectshave to be considered in connection with FDI. The task ofFDI depends on which parametric faults can occur simul-taneously and which cannot. On the basis of the availableinformation as to which parametric faults can occur si-multaneously at any time and which cannot, one dividesthe set of all possible faults into a number of subsets. Thisaspect has been discussed by Saberi et al. (2000) in con-nection with additive faults. An equivalent definition ofparametric fault sets is given in the following. The mod-eling of parametric faults can be described in the sameway as modeling uncertainties. Let be a diagonal ma-trix given by = diag(1, . . . , i, . . . , k), representingthe parametric faults in the system. Let the connection be-tween the external output and the external input be givenby

w = z,

i.e., k = r = t.It is assumed that every single parametric fault i is

included in a parameter space, i i, i = 1, , k,where i can be an interval i = [i ,

+i ]. Note that the

interval must include the nominal value for i = 0. Theinterval for i is a continuous one, where i can take allvalues between i and

+i . This will not always be the

case. In other cases, the parametric fault can only takea fixed number of values, i.e., i = {0, i,1, i,2, . . . }.Furthermore, let i\0 = i\{0}, i.e., the nominal value(the fault-free case) of i is not included in i\0. Wewill use the notation i = 0 as a short form for =diag(0, . . . , 0, i, 0, . . . , 0), i.e., i = 0.

Let us denote the set of all possible parametric faultsby k = {1, . . . , k}. Based on the known information, letk be partitioned into mutually exclusive and exhaustivesets, i, i = 1, 2, . . . , . That is, let i j = fori = j, and 1 2 = k. Also, let ki denote thenumber of elements in i. This leads us to defining thefollowing simultaneous occurrence property.


70 H.H. Niemann

G

K

yu

d e

Fig. 5. Closed-loop system.

Simultaneous occurrence property. Only those faultsthat belong to any single set among the sets i, i =1, 2, . . . , , can occur simultaneously at any given time.This implies that certain faults belonging to a set, say i,and others that belong to a set, say j , i = j, cannot occursimultaneously at any given time.

Two special and extreme cases of the general simul-taneous occurrence property are interesting and important:the fault set of simultaneous occurrence of property ofType 1, where all possible faults can occur simultaneouslyat any time, and the fault set of simultaneous occurrenceof property of Type 2, where every fault occurs by itself,i.e., it never occurs simultaneously with any other fault.The first case is the most general one. If it is possible tohandle it, we do not need to consider other cases. Theother case is the simplest one, but in general it will also bethe most realistic one. Both fault sets of Type 1 and Type2 will be considered in this paper. Other types of paramet-ric faults sets can be derived based on the results given inthis paper.

In the following, only system changes with respect tofaults will be considered, i.e., = .

3. Parameterization of controllersParameterization of feedback controllers is considered inthe following. First, some simple calculations are derived,followed by a more detailed analysis.

Let us consider the feedback system shown in Fig. 5.The closed-loop transfer matrix Tcl is given by

Tcl = Ged + GeuKuy(I GyuKuy)1Gyd. (5)

Assume that K stabilizes G, i.e., Tcl is stable. Let R bedefined by

R = Kuy(I GyuKuy)1. (6)

The relation between Kuy and R is given by

Kuy = (I + RGyu)1R.

Internal stability gives directly that R is stable (Boyd

and Barratt, 1991). Using R in (5) gives directly

Tcl = Ged + GeuRGyd. (7)

Including a free stable transfer matrix Q gives thefollowing closed-loop system:

Tcl = T1 + T2QT3, (8)

where T1, T2 and T3 are specific, stable transfer matricesdepending on G and K.

Let us define D and D of appropriate dimensions in-cluding the unstable poles from Gyu as zeros. D and Dare not unique. Any suitable choice of D and D has theproperty that, if Q is stable, then each DQD, GeuDQD,DQDGyd and GeuDQDGyd is stable (Boyd and Bar-ratt, 1991). Comparing with (7) gives

T2 = GeuD,

T3 = DGyd.

Now, T1 can be selected as any closed-loop transfermatrix achieved by a stabilizing feedback controller. Thisresults in the following closed-loop transfer matrix:

Tcl(Q) = Ged + GeuRGyd + GeuDQDGyd, (9)

where Q is a free stable transfer matrix. It can be shownthat this is a parameterization of all stabilizing feedbackcontrollers for a given system in terms of the free stabletransfer matrix Q (Boyd and Barratt, 1991).

Implementation of parameterization can be done asshown in Fig. 6. The complete feedback controller isgiven as an LFT of Q, i.e.,

Kuy(Q) = Fl(K,Q).

G

K

Q

yu

d e

Fig. 6. Parameterization of all stabilizing controllers Kuy(Q)for a given nominal system G.

The construction of the architecture in Fig. 6 requires



that the transfer matrix from to be zero in the nominalcase. If this is not satisfied, the closed-loop transfer ma-trix will not be an affine matrix function of the free stabletransfer matrix Q. Further, the transfer matrix from d to it is DGyd and from to e is GeuD. The (1, 1)-elementin K is the nominal feedback controller Kuy .

If K is selected such that the above conditions aresatisfied, then the controller architecture in Fig. 6 givesa parameterization of all stabilizing linear controllers forthe nominal plant G in terms of the free stable transfermatrix Q.

Let K be given by

K :{ (

u

)

=(

Kuy KuKy K

)(y

)

, (10)

where Kuy is the nominal feedback controller.Based on K, the open-loop transfer matrices from d

and to are then given by

= Ky(I Gyu()Kuy)1Gyd()d

+ (K + Ky(I Gyu()Kuy)1Gyu()Ku),(11)

where G() has been applied. The condition that the trans-fer matrix from to must be zero in the nominal case(fault free) gives the following condition for the selectionof Ku, Ky and K:

0 = K + Ky(I GyuKuy)1GyuKu. (12)

Instead of using directly as given by (10), can bedefined by

= Kuu + Kyy, (13)with u given by (10). This gives the following descriptionof K:

K :{ (

u

)

=(

Kuy KuKuKuy + Ky KuKu

)(y

)

.

(14)The motivation for this small rewriting of is that we

want to use the vector in connection with fault diagnosis.Introducing the measurement vector in (13) gives directly

= Kuu + KyGydd + KyGyuu

= (Ku + KyGyu)u + KyGydd.

A condition for using as a residual vector is that theinput vector u is decoupled from (Blanke et al., 2003),i.e.,

Ku + KyGyu = 0. (15)

Applying the feedback controller K given by (14),

takes the following form:

= (KuKuy + Ky)(I Gyu()Kuy)1Gyd()d+ (KuKu + (KuKuy + Ky)

(I Gyu()Kuy)1Gyu()Ku).(16)

Using (15) in (16) gives

= Ky(I GyuKuy)(I Gyu()Kuy)1Gyd()d

+ Ky((I GyuKuy)(I Gyu()Kuy)1Gyu()Gyu)Ku

= Pd()d + S().(17)

S in the above equation is the dual transfer matrixof Q. Equivalent to Q, it gives a parameterization of allsystems stabilized by given feedback controller. For moredetails, see the works of Niemann (2003) and Tay et al.(1997), where the dual parameterization has been consid-ered in connection with the YJBK parameterization.

For the nominal case, (17) takes the following form:

= KyGydd. (18)

From the above equation, we can see that the decouplingcondition in (15) also satisfies the condition in (15) in con-nection with controller parameterization. This means thatthe input vector to the free transfer matrix Q in controllerparameterization can also be applied as a residual vectorin connection with fault diagnosis. In the following, willbe named the residual vector.

The residual vector given by (17) is applied in con-nection with both passive and fault diagnosis. In the pas-sive case, the diagnosis is based on the transfer matrixfrom d to , Pd(), and in the active case on S(). Thiswill be investigated further in the next section. Based onthe above derivations, the block diagram shown in Fig. 6now takes the form shown in Fig. 7.

The above parameterization cannot directly handlea change in the employed sets of sensors and actuators.As pointed out in Section 1, it is relevant to considerchanges of the sensors and actuators applied in connec-tion with controller reconfiguration. The controller archi-tecture shown in Figs. 6 or 7 needs to be extended to han-dle the case where additional sensors and actuators can beapplied. The change of the sets of sensors and actuatorsapplied needs to be handled through the free transfer ma-trix Q in the controller. This is because we do not wantto change the nominal (safe-mode) controller as it shouldalways be possible to return to this controller.

Let the system G be extended with additional inputs


72 H.H. Niemann

G

Kuy

Ku

yu

d e

Ku Ky

Q

Fig. 7. Parameterization of all stabilizing controllers based onthe controller K given by (14).

ua and outputs ya. The general system in (1) is given by

G :

zeyya

=

Gzw Gzd Gzu GzuaGew Ged Geu GeuaGyw Gyd Gyu GyuaGyaw Gyad Gyau Gyaua

wduua

.

(19)The nominal controller for the extended system in

(19) is given by

K :{

u =(

Kuy 00 0

)

y, (20)

whereu =

(uua

)

, y =(

yya

)

.

The free transfer matrix Q in controller parameter-ization needs to be extended with additional inputs andoutputs for handling the extended system. Q is then givenby

Q :{ (

ua

)

=(

Q QyaQua Quaya

)(ya

)

, (21)

where Q is the free transfer matrix in the standard con-troller architecture in Figs. 6 or 7.

The architecture for controller parameterization inthe extended case is shown in Fig. 8. A more detailedanalysis of controller parameterization for this case isgiven in connection with controller reconfiguration in Sec-tion 7.

3.1. Closed-loop stability. The stability of the closed-loop system is discussed briefly here. First, let us consider

G

K

Q

yuua ya

d e

Fig. 8. Parameterization of all stabilizing controllers for a nom-inal system G with additional inputs ua and outputs ya.

the connection between the two transfer matrices Q and S.The interpretation of S can be investigated on the basis ofa general controller parameterization. It turns out that S isthe open-loop transfer matrix from to , i.e., closing theloop around Q,

S = Fu(JK , Gyu(S)), (22)

where JK is given by

JK =(

Kuy KuKuKuy + Ky KuKu

)

,

see (14). As a direct consequence of (22), the stability ofthe closed-loop system can be analyzed using Q and S.

The closed-loop system shown in Fig. 9 is not guar-anteed to be stable by requiring that Q and S be stabletransfer matrices. Using the relation in (22), it can beshown that the closed-loop system shown in Fig. 9 is sta-ble if, and only if, the nominal feedback loop given by(Gyu,Kuy) and the feedback loop given by (Q,S) areboth stable. This is shown in Fig. 10. This result wasalso shown by Tay et al. (1997), who applied the YJBKparameterization.

Gyu(S)

Kuy(Q)

yu

Fig. 9. Closed-loop feedback system including a parameteriza-tion of all stabilizing controllers Kuy(Q) and S that de-scribe a parameterization of all systems Gyu(S).



Gyu

Kuy

u y

S

Q

Fig. 10. Two closed-loop feedback systems occur from con-troller parameterization and a system change.

4. Fault diagnosisThe fault diagnosis part of the FTC architecture is con-sidered in this section. The reliability of the final FTCcontroller depends strongly on that of the diagnosis part.The controller reconfiguration depends on the informationfrom the diagnosis.

The main focus in this section is on Active Fault Di-agnosis (AFD). This area has been considered in a num-ber of papers (Campbell et al., 2000; 2002; Campbelland Nikoukhah, 2004b; Kerestecioglu and Zarrop, 1994;Niemann, 2006b; Nikoukhah, 1994; 1998; Nikoukhahet al., 2000; Poulsen and Niemann, 2008) and books(Campbell and Nikoukhah, 2004a; Kerestecioglu, 1993;Zhang, 1989).

AFD is based on inclusion of an auxiliary (test) in-put signal into the system. The auxiliary input can be in-jected into either the open-loop system or in the closed-loop system. As output from the diagnosis system, a stan-dard residual signal known from the passive FDI approachis applied (Frank and Ding, 1994). Using the AFD ap-proach of Niemann (2005; 2006b), as well as Poulsen andNiemann (2008), the auxiliary input is injected into theclosed-loop system in such a way that the residual is de-coupled from the auxiliary input in the nominal case. Inthe event of parametric faults (system changes), the resid-ual will contain a component related to the auxiliary input.

4.1. Active fault diagnosis set-up. An AFD set-upbased on controller parameterization in Section 3 is shownin Fig. 11, where is an excitation/auxiliary input vectorand is the error/residual vector.

By suitable selection of Ku , it is possible to changethe placement of the auxiliary input vector in the AFDset-up shown in Fig. 11. By selecting Ku = I , the aux-iliary input is injected at the output point of the controller,i.e.,

u = Kuyy + .

Using Ku = Kuy gives an injection at the input point ofthe controller, i.e.,

u = Kuy(y + ).

G

Kuy

Ku

yu

d e

Ku Ky

Fig. 11. Controller structure including the residual vector andthe auxiliary input vector .

From (17), we have directly that the connection be-tween d, , and is given by

= Pd()d + S(). (23)

This means that not only do we have a relation between and as a function of the parametric faults (system varia-tions), but we also have a relation with the closed-loop sta-bility in the event of parametric faults. A consequence ofthis is that the faulty system is closed-loop stable if S()is stable, as discussed in Section 3.

Consider the closed-loop system shown in Fig. 11with the two inputs d, and the two outputs e, . Let therelation between the inputs and outputs be given by

P :{ (

e

)

=(

Ped() Pe()Pd() S()

)(d

)

, (24)

where

Ped() = Ged()

+ Geu()Kuy(I Gyu()Kuy)1Gyd(),Pe() = Geu()(I KuyGyu())1Ku

and Pd(), S() are given by (17).Only the residual vector is important in connection

with AFD. As can be seen from (23) and (24), S() is veryimportant in connection with the residual vector . Equiv-alent to the definition of fault signature for additive faults(Massoumnia, 1986), S() will be called the fault signa-ture matrix for parametric faults (Niemann, 2005; 2006b).The reason behind it is that both fault detection and faultisolation using an active method will be based directly on


74 H.H. Niemann

the fault signature matrix S(). This strong dependencyon S() in connection with FDI is investigated in detail inthe following. Furthermore, the transfer matrix from dis-turbance d to the residual vector is called the disturbancesignature matrix.

Inspired by the passive FDI approach, a parameter-ization of the residual generators for AFD can be deter-mined. Parameterization in the AFD case is obtained byincluding a stable filter WI at the input vector and a sta-ble filter WO at the output vector . This approach canbe considered a generalization of the parameterization ofall residual generators in the passive FDI case. The pa-rameterization of all residual generators in the AFD casereflects the additional freedom obtained by using an aux-iliary input vector in the set-up.

Including the pre- and the post-filter in the systemset-up, the closed-loop system given by (24) takes the fol-lowing form:

PW :{ (

ew

)

=(

Ped() Pe()WIWOPd() SW ()

)(dw

)

,

(25)where SW () = WOS()WI .

The design of the pre- and post-filter strongly de-pends on the number of parametric faults, inputs and out-puts and the disturbance in the system. This will be con-sidered in more detail in the following.

Finally, let us consider the connection with the pas-sive FDI approach considered by, e.g., Frank and Ding(1994). By moving the auxiliary input vector from thesystem shown in Fig. 11, the passive FDI set-up is ob-tained. It was shown by Frank and Ding (1994) that allresidual vectors w can be described by

w = WO(Kyy + Kuu) = WO, (26)

where WO is a stable and proper filter of suitable or-der. Rewriting (26) by including the controller in the loopgives (Niemann, 2003)

w = WOPdd. (27)

Here it is important to point out that fault detection andfault isolation are based on the external disturbance d.This can be seen from (27). A consequence of this is thatparametric faults will not necessarily be detected imme-diately after the faults have occurred in the system. Thefaults need to be observable from , which requires thatit be excited by the disturbance input d. If this is not thecase, it will not be possible to detect the faults using apassive approach.

4.2. Active fault diagnosis. On the basis of the set-upfor active fault diagnosis in the closed-loop system givenin Section 4.1, general conditions for active fault diagnosis

are considered in this section.We want to set up conditions for both fault detec-

tion and fault isolation based on the fault signature matrix.However, it is not possible to measure the fault signaturematrix directly, as we only have the input/output vectors(, ) available for the diagnosis. The diagnosis must becarried out by considering the signature from the auxiliaryinput in the residual vector. Isolation between differentfault situations can then only be obtained if it is possibleto separate the associated fault signatures in the residualvector. This results in requirements for the auxiliary inputvector; it needs to excite the fault signature matrix enoughto separate different fault situations. This is equivalent toexcitation inputs in connection with system identification.

To be more specific, let S(, ) be the fault signaturespace for a specific input , i.e.,

= S() S(, ),

where the residual vector is separated into a part fromthe auxiliary input and a part from the disturbance d,i.e.,

= + d,

Based on the fault signature space, it is possible to set upa definition for fault isolation. For a given input , the twofaults i and j are isolable if

S(i, ) S(j , ) = ,i i\0, j j\0, i = j.

(28)

(28) gives a separation in the fault signature output space.An equivalent definition for fault isolation was also givenby Campbell and Nikoukhah (2004a). Fault detection isalso included in the above general definition as a specialcase.

In many cases, it will not be possible to make a di-rect separation on the basis of the residual output space.Therefore, let the definition of the fault signature space begeneralized to

f(, ) = f(S(), ) Sf (, ), (29)

where f(, ) is a linear or a non-linear function of theauxiliary input and the signature from the input in theresidual output . The function can be, e.g., an evalua-tion function of the residual vector in a specific frequencyrange, in a specific direction, a statistical test, etc. Someof these functions are applied in the following.

Based on the general definition of by fault signaturespace given by (29), the definition of fault detection andfault isolation given above is still valid.

It is important to point out that the auxiliary input must be selected/designed with respect to obtaining a faultdetection and/or a fault isolation. The design of the aux-iliary input vector is a trade-off between maximizing the



effect in the residual vector for fast detection and mini-mizing the effect on the external output e. Another impor-tant aspect in this connection is the design of the two inputand output filters WI and WO . By suitable design of thesetwo filters, it is possible to simplify both the detection aswell as the isolation problem. This is investigated in thefollowing.

4.3. Time to detect. The time between a fault occur-ring in the system to when it is detected and a controllerswitches to the safe-mode controller is very critical. TheFTC architecture suggested in Section 1 will allow a fastswitch from the nominal feedback controller to a safe-mode controller. This leaves the diagnosis part of the ar-chitecture as the most critical part with respect to time de-lays. The aspect of time delay in connection with fault di-agnosis and isolation will not be discussed in further detailhere. A more detailed analysis of the time delay problemcan be found in the work of Stoorvogel et al. (2001).

5. Active fault detectionFirst, let us consider the fault-detection problem in thedisturbance-free case. Detection is based on the equa-tion for the residual vector in (23) or (24) with d = 0.From (23) we have directly that the fault signature matrixis equal to zero in the fault-free case and non-zero in thefaulty case, i.e.,

S() = 0 for = 0S() = 0 for = 0. (30)

Using f() as the identity function, we get directlythat the fault signature space in the fault-free case is emptyfor all non-zero auxiliary inputs by using the simple ob-servation from (30). This gives the following conditionfor fault detection:

Fault detection:S(0, ) = 0, = 0S(, ) = 0, = 0, for = 0.

(31)It is clear that using (31) gives a direct fault detec-

tion based on the fault signature space result in a directfault detection, i.e., detection based on an empty or a non-empty fault signature space. The above condition in (31)is independent of both the auxiliary input and the designof the two filters WI , WO , assuming that the two filtersare non-zero and stable. Detection based on (31) gives acomplete decoupling of the signature from in the resid-ual vector.

In the case where disturbance is included, the simpleconditions cannot be applied directly. The fault signaturespace will not be an empty space in the fault-free case dueto the disturbance. It will therefore be necessary to use a

statistical test on the residual vector. This is consideredbelow.

In the special case, where the number of residual sig-nals is larger than the number of disturbance signals, i.e.,p > s, it is possible to design WO such that we get p sdisturbance-free residual signals in the nominal case. Thismeans that we can get exact disturbance decoupling in theresidual signals for = 0. Following (Saberi et al., 2000),we have that it is possible to design WO such that

(w,1w,2

)

= WOPd(0)d =(Pwd

0

)

d. (32)

With this design of WO, we can use the last p s resid-ual signals w,2 for active fault detection. Note that theparametric faults will change the system and there willbe no guarantee for disturbance decoupling in the faultycase. However, this will not change the detectability ofthe faults. A non-zero q,2 will always indicate paramet-ric faults. Generically, it will be possible to detect all para-metric faults from w,2, but there is no guarantee. To seethis, consider the residual vector in the faulty case givenby

(w,1w,2

)

= WOS() + WOPd()d

=(SW,1()SW,2()

)

+(PW,d,1()PW,d,2()

)

d,

(33)

where PW,d,2(0) = 0. If SW,2() depends on all para-metric faults, it will be possible to detect all parametricfaults by using w,2. The auxiliary input vector justneeds to be selected such that it is possible to see a sig-nature of in the residual vector w,2 in the faulty case,i.e., the fault signature space needs to be non-empty for allfaults.

5.1. Stochastic active fault detection. In the casewhere disturbance is included, the simple conditions can-not be applied directly. The fault signature space will notbe an empty space in the fault-free case due to the distur-bance. It will therefore be necessary to use a statistical teston the residual vector. The detection (isolation) of faultscan then be based on the following hypothesis:

H0 : S() = 0,H1 : S() = 0. (34)

Standard statistical test methods such as CUSUM orGLR tests can be applied directly, but they will not beoptimal. That would be equivalent to using the passivefault detection approach.

The statistical test methods must be dedicated to de-tect if includes a signature from a specific, employedauxiliary input or not. For simplifying this task, it is rele-


76 H.H. Niemann

vant to use simple auxiliary inputs. A periodic input willin general be useful. The output in the residual vector willalso be periodic in the case of parametric faults in the sys-tem. For optimizing the detection of a periodic signaturein the residual vector, let us only consider the residual vec-tor at the specific frequency given by

=

a1,.

.

.

ai,.

.

.

am,

sin(0t) = A sin(0t), (35)

where A is the input vector with the input amplitudes andthe frequency 0 represents the tuning parameters in theauxiliary input. The choice of tuning parameters shouldalso be related to the frequency distribution of noise suchthat the signature of the residual is not covered by noise.However, it is also possible to use other types of auxiliaryinputs than periodic signals. For example, this was donein the approach used by Campbell and Nikoukhah (2004a)as well as Zhang (1989).

Using the auxiliary input given by (35), the i-th resid-ual signal is given by

i = i, i N(0, 2i ) (36)

in the nominal case. If the parameter is changed (fromnominal values),

i = |gi(S(), A)| sin(0t+i)+i, i N(mi, 2i ),(37)

where gi(S(), A) =p

j=1 Sij()aj, and i are re-spectively the (non-zero) gain and phase shift through thefault signature matrix S at the chosen frequency 0 from to the i. For brevity, we have omitted the dependence on and 0 in S = S(, 0), i = i(, 0), mi = mi()and i = i(). In general, mi will be zero. Both the am-plitude and the phase of the periodic signal in i dependon and on the chosen frequency, 0. The periodic signalin i is the signature of the periodic auxiliary input .

Detection of parameter changes is then based on de-tection of the signature from in . Furthermore, isolationof parameter changes may be possible from an investiga-tion of the amplitude and phase of the signature in i. Insome cases it may be necessary to include more than onesingle periodic signal in in order to isolate different pa-rameter changes. Here we will only consider a single pe-riodic auxiliary input vector.

Assume that the auxiliary input vector has been se-lected, i.e., the amplitude vector A and the frequency0 in (35) have been specified. The focus here will beon how the hypothesis and the alternative in (34) can beimplemented. As mentioned in the previous section, the

approach taken here is to test whether the signature of theauxiliary input is present in the residual. In order to do so,the following two signals are formed:

si = i sin(0t), ci = i cos(0t), (38)

where, according to (37) and some trigonometric rela-tions,

si = |gi(S(), A)|12(cos(i) cos(20t + i)

)

+ i sin(0t),

ci = |gi(S(), A)|12(sin(i) + sin(20t + i)

)

+ i cos(0t).(39)

From this it is clear that in the normal (or the fault-free) situation

si = i sin(0t) N(0, 2i sin2(0t)),ci = i cos(0t) N(0, 2i cos2(0t)).

Additionally, the two signals are white when a filterparameterization is applied. The time average variance isequal to 12

2i .

If a change has occurred, then the fault signature ma-trix, S, will be different from zero and the two detectionsignals, si, ci, will have a constant, deterministic compo-nent

|gi(S(), A)|12(

cos(i)sin(i)

)

. (40)

This component can be used for detection and isolation.Besides the mentioned component, the detector sig-

nals will also have a time varying deterministic compo-nent

|gi(S(), A)|12( cos(20t + i)

sin(20t + i)

)

, (41)

which on the (time) average is zero. The effect of thiscomponent can be eliminated by means of an averagingor integration technique such as in the CUSUM method-ology.

In the literature, the CUSUM technique is normallyconnected with detection of changes in the mean and/orvariance in a signal. In the normal situation it is as-sumed that the signal is white and has a specific meanor variance (see Basseville and Nikiforov, 1993; Gustafs-son, 2000). Detection is implementation of a sequentialtest in which the inspection data are increased succes-sively. CUSUM methods are normally based on simple(specified) hypotheses and simple (specified) alternativeswhich have to be given as tuning parameters. The simple



alternative then forms a situation that should be detected.In a heuristic setting, CUSUM methods can be regardedas being a test of whether the slope of the integral of thesignal in question is larger than a certain critical value. Inthis work we have transformed the problem and we testwhether the mean of the vector (si ci)T has a zero mean(vector) or has the component given in (40). Introduce thetuning parameters B and . The detection can be imple-mented as a CUSUM detection given by

ddt

z =

0 for z = 0 and i

2< 0,

i

2otherwise,

(42)

where

i =

sicisici

,

2i =

122i .

The hypothesis H0 is accepted if z is smaller than thethreshold h, i.e.,

z log(B)

= h,

where the inequality is to be understood component-wise.The parameter B in this CUSUM detector is related tothe average length between false detections. The otherparameter, , is chosen as a typical lower limit for changesto be detected. Furthermore note that the time averagevariance of ci and si has been used in (42).

Normally, the CUSUM detector will not be imple-mented in the continuous-time version given by (42).Instead, a discrete-time version will be applied. Thediscrete-time version of the CUSUM detector is given by

zt+1 = max(0, zt +

( t1

12

))

. (43)

For more details, see the work of Poulsen and Niemann(2008).

6. Active fault isolationThe fault isolation case is more complicated than the de-tection case. The main reason for this is that the elementsin S() in general depend on more than a single para-metric fault. This was an advantage in the fault detectioncase which makes it easy to detect faults. A consequenceof this is that it is generally impossible to isolate singleparametric faults directly by evaluating single elements inS(). Isolation also depends on which parametric faultscan occur simultaneously and which cannot.

As in the fault detection case, we want to come upwith conditions for fault isolation based directly on thefault signature matrices S() or SW () with respect to the

associated fault set type, so that it is possible to give sim-ple fault signature output spaces that can be separated.

In contrast to the detection case, where the detectioncondition can be derived on the basis of the general set-upin Fig. 11, this is not possible for fault isolation. Here,a more detailed set-up is needed to be able to come upwith conditions for fault isolation. This can be obtainedby using an FTC architecture based on the YJBK param-eterization described in Appendix. Using the YJBK pa-rameterization, the transfer matrices given in (14) for thegeneral parameterization are given by

Kuy = V 1U ,

Ku = V 1,

Ku = N,Ky = M,

(44)

which gives the YJBK parameterization in (77).Further, let the system G() be described by (1) with

w = z. The transfer matrices from d and to are givenby (Niemann, 2003; 2006b)

Pd() = M(I Gyw(I Gzw)1GzuUM)1

(Gyd + Gyw(I Gzw)1Gzd),

S() = MGyw(I (Gzw + GzuUMGyw))1

GzuM

= MGyw(I Tzw,cl)1GzuM,(45)

where Tzw,cl is the closed-loop transfer matrix from w toz. The dimension of S() is pm, i.e., the same dimen-sion as Gyu.

Based on these two transfer matrices, conditions forfault isolation using the active approach are derived in thefollowing.

6.1. Direct fault isolation. Let us start with direct faultisolation in the disturbance-free case. Including distur-bance can be handled in the same way as in the fault de-tection case considered in the previous section. By directfault isolation, we mean that a fault can be isolated directlyby a validation of a certain transfer function in S(), if itis zero or not, equivalent to the detection case consideredabove.

First, let the set of all possible faults be divided intoa number of fault sets as described in Section 2, depend-ing on which faults can occur simultaneously and whichcannot.

Let us consider SW (). Using the fact that bothMGyw and GzuM are two stable transfer matrices, it is


78 H.H. Niemann

possible to design WI and WO such that

GzuMWI =(

II

)

, WOMGyw =(

O O),

(46)where I and O are two stable diagonal matrices of di-mension m m and p p, respectively, and I , O aretwo stable transfer matrices of suitable dimensions. UsingWI and WO satisfying (46) in SW () gives directly

SW () =(

O O)(I Tzw,cl)1

(II

)

. (47)

Note that, if GzuM is right invertible, we can obtain acomplete diagonalization of GzuM by the design of WI .Similarly, if MGyw is left invertible, a complete diagonal-ization of MGyw can be obtained by the design of WO .

Let us assume that the dimension of the residual vec-tor is greater than or equal to the dimension of the auxil-iary input vector, i.e., p m. Furthermore, assume thatki p 1, i = 1, . . . , l, i.e., the number of faults inthe l-th fault sets i is less than the number of residualsignals. Let , Tzw,cl and GzuM be rearranged and parti-tioned into

= diag(i , \i),

Tzw,cl =(

Tzw,cl,11 Tzw,cl,12Tzw,cl,21 Tzw,cl,22

)

,

GzuM =(GM,1GM,2

)

,

where i includes the ki faults in fault set i and \iincludes the other k ki parametric faults. Now, let(

O O)

be partitioned into(

O O)

=(

O O),

where dim(O) = p ki. Using the fact that O is a di-agonal matrix,

(O O

)can then be partitioned into

(O O

)=

(O,1 O,1

0 O,2

)

, (48)

where dim(O,1) = ki ki. Using WO given by (46),the fault signature matrix with respect to i is given by

SW,i() =(

O O)(

i 00 \i

)

(

I (

Tzw,cl,11 Tzw,cl,12Tzw,cl,21 Tzw,cl,22

)

(

i 00 \i

))1 (GM,1GM,2

)

WI ,

(49)

where the index i in SW,i() is related to the separation of into i and \i. In the event of faults, either i = 0or \i = 0, but not at the same time. SW,i() in (49) willbe given by

SW,i() =(SW,i,1()SW,i,2()

)

=(

O,10

)

i(I Tzw,cl,11i)1GM,1WI(50)

for i = 0, or

SW,i() =(SW,i,1()SW,i,2()

)

=(

O,1O,2

)

\i(I Tzw,cl,22\i)1GM,2WI(51)

for \i = 0. Equivalently, l 1 other output filters aredesigned with respect to the other l 1 fault sets. Thel fault signature matrices SW,i() given by (50) and (51)can now be used for both fault-set isolation as well as faultisolation in a specific fault set. The fault-set isolation canbe derived directly by using SW,i,2(). From (50), it isclear that

SW,i,2() = 0 for i, i = 1, . . . , l

If the fault is not included in the given fault set, SW,i,2()will be non-zero, i.e.,

SW,i,2() = 0 for / i, i = 1, . . . , l.

The above condition on SW,i,2() will in general besatisfied, because all elements in O,2 will in general benon-zero. However, if O,2 includes a single column withonly zeros, it is still possible to get an isolation of the sin-gle fault sets. It will only require that the fault set isolationbe combined with the isolation of the single faults in thespecific fault set. This aspect is considered later in thissection. Let h() be the identity function in the following,the associated fault signature space for SW,i,2() is givenby SW,i,2(, ). Therefore, the condition for fault-set iso-lation is

Fault-set isolation:

SW,i,2(, ) = 0, = 0for i

SW,i,2(, ) = 0, = 0for / i.

(52)The last step is isolation of the single faults in the iso-

lated fault set i. For simplicity, consider the case wherefaults occur in 1. Assume that i in 1 is non-zero. Thiswill give a non-zero element in O,11 at the diagonal



element (i, i), i.e.,

O,11 = diag(0, . . . , ii, 0, . . . , 0).

Further, the columns of Tzw,cl,111 are given by

Tzw,cl,11i = (0, . . . , tii, 0, . . . , 0),

where ti is the i-th column of Tzw,cl,11. This gives

(I Tzw,cl,111)1(:,i) =

0.

.

.

01i0.

.

.

0

for i = 0,

(I Tzw,cl,111)1(:,i) =

x1,i.

.

.

xi1,ixi,i

xi+1,i.

.

.

xk,i

for i = 0,

where x,i are non-zero transfer functions. Combine thiswith the diagonal structure in O,11 ; the i-th row inSW,1,1() is only non-zero if i is non-zero. When twofaults i and j have occurred in the system, the i-th andthe j-th row in SW,1,1() will be non-zero, etc. This givesa complete fault isolation in the fault set based on the faultsignature matrix given by (50).

Let the i-th row of SW,1,1() be given by SiW,1,1().The fault isolation conditions are as follows:

SiW,1,1() = 0 for i = 0,SjW,1,1() = 0 for i = 0, j = 0, i = j

Following the line from fault-set isolation, let SiW,1,1(, )be the associated fault signature space for SiW,1,1(, ).Based on this, the condition for fault isolation in the faultset 1 is

Fault isolation in 1:

SiW,1,1(, ) = 0, = 0for i = 0,

SjW,1,1(, ) = 0, = 0for i = 0, j = 0, i = j.

(53)The complete fault isolation consists of three steps:

a fault detection given by (31), a fault-set isolation givenby (52) and, finally, a fault isolation in a specific fault setgiven by (53). This is shown in Fig. 12.

The only problem remaining is when HO,2 includes

WI S() WO,1

WO,l

w

.

.

.

1,11,2

l,1l,2

Fig. 12. Fault detection and isolation on the basis of fault occur-rence in fault sets. Here is the residual vector for faultdetection, 1,1 is the residual vector for fault isolationin the fault set 1, 1,2 is the residual signal appliedfor isolation of the fault sets, l,1 is the residual vec-tor for fault isolation in the fault set l, and l,2 is theresidual signal applied for isolation of the fault sets.

a column with only zero elements. A consequence is thatthere is a single fault that will not affect the residual outputfrom SW,i,2. Assume that this fault belongs to j . Ifthe fault occurs by itself, there will be no signature from in both ri,2 and j ,2, i.e., the two fault sets i andj have been isolated. It might be possible to reject oneof the fault sets directly by using the knowledge about theresidual generators. If this is not possible, the isolation canthen be derived by using the two sets of residual signalsi,1 and j ,1, if ki > 1. The single fault will resultin a number of residual signals in i,1 with a signaturefrom , whereas only a single residual signal from j ,1will include a signature from . Furthermore, the specificsignal will be known in advance.

Consider the special case where the faults only occurby themselves, i.e., fault sets of simultaneous occurrenceof property of Type 2. In this case, an isolation of a faultset is also an isolation of the fault, because the single faultsets will only include a single fault. The complete faultisolation consists then only of two steps: a fault detectiongiven by (31) and a fault isolation given by

Fault isolation:

SW,i,2(, ) = 0, = 0,for i = 0,

SW,j ,2(, ) = 0, = 0for i = 0, i = j.

(54)

Consider again the fault signature matrix given in(45); it might be concluded that making the fault isola-tion by using input filters WI instead of the output filtersWO is dual. This is correct if we only consider SW ()in isolation. If the isolation problem instead is consideredfrom an input/output point of view, the two cases will notbe dual. The reason is very simple. When the fault isola-tion is derived by using WI , the isolation is derived by aninvestigation of the transfer matrix from the single aux-


80 H.H. Niemann

iliary inputs to the residual output. This means that anauxiliary signal must be applied sequentially on the sin-gle inputs. Alternatively, different auxiliary inputs can beapplied on the different inputs. The disadvantage with thefirst method is that the isolation time will increase. In theother approach, a number of different detection tests needto be applied to detect the different signatures from theinputs.

Let i, i = 1, . . . ,m be the m auxiliary inputs. Theycan be identical or different. Using the same notation asabove, the fault signature matrices in (50) and (51) aregiven by

SW,1() =(

SW,1,1() SW,1,2())

= WOGM,1(I 1Tzw,cl,11)11 ( I,1 0

)

(55)

for 1 = 0, or

SW,1() =(

SW,1,1() SW,1,2())

= WOGM,2(I 2lTzw,cl,22)1

2l(

HI,1 HI,2)

(56)

for 2l = 0. Furthermore, let the fault signature out-put space for SW,i()j , j = 1, . . . ,m be given bySW,i(, j). Based on this, the condition for fault-setisolation is

Fault-set isolation:

SW,i(, j) = 0, j = 0j [ki + 1, m], for i,SW,i(, j) = 0, j = 0j [ki + 1, m], for / i.

(57)The fault isolation is a fault set given by

Fault isolation in 1:

SW,1,i(, i) = 0, i = 0for i = 0,

SW,1,j(, j) = 0, j = 0for i = 0, j = 0, i = j,

(58)where SW,1,i(, i) is the fault signature space for theauxiliary input i.

6.2. Indirect fault isolation. It is important to pointout that the above fault-isolation approach, based on faultsets, does not give an upper bound on the number of faultsthat can be isolated. The limitation is on the number offaults in the fault sets. It is required that the maximal num-ber of faults ki in the fault sets satisfies

ki max{p,m} 1, i = 1, . . . , l. (59)

If (59) is not satisfied, it is not possible to base the iso-lation on a decoupling of the signature from the auxiliaryinput in specific residual signals. Instead, the fault isola-tion must be derived indirectly. This can be done by aninvestigation of the signature from in the residual out-put space. This is not a possibility in the passive faultisolation case, where the input to the system is not well-defined and therefore there is not a well-defined signaturein the residual output.

To get fast fault isolation, it is possible to use opti-mally designed auxiliary inputs, as considered by Camp-bell and Nikoukhah (2004a). However, a good alternativeto this is again to use simple periodic inputs which givesimple signatures in that are easy to detect (Niemann andPoulsen, 2006). Let us only consider fault sets of simulta-neous occurrence of property of Type 2 in the following.

Assume that a simple periodic auxiliary input vector(0) is applied. The residual vector (0) will also beperiodic with the same frequency. The amplitude and thephase of single signals in (0) will depend on throughS(). The single residual signals can then be investigatedin the complex plane.

Let the residual vector (0) be given by

sc(0) =

s1c1.

.

.

sici.

.

.

spcp

,

where si and ci are given by (38). The single signals in scwill both include a constant part and a time-varying part.The constant part is given by (40). The directions givenby (40) can now be applied for fault isolation. The nomi-nal directions for the single faults given by sc,nom(i, 0)can be calculated. Based on this, the following conditionfor isolation is given:

nom,sc(i, 0) sc(0) = 0 for i = 0,nom,sc(i, 0) sc(0) = 0 for = 0, i = 0,

(60)where sc(0) is the mean value of sc(0). In theory, anunlimited number of faults can be isolated. In practice,it will not be possible to isolate an unlimited number offaults. The reason is that sc(0) is a non-linear functionof . The direction of sc(0) is not constant for differentvalues of i. Instead, the isolation needs to be based onsectors in the complex plane. Then (60) cannot be useddirectly. Instead, isolation can be done by

i = argmini

nom,sc(i, 0) sc(0).



In the general case, where there are p residual signals,this means that sc(0) is in a 2p dimension space. In the-ory, it should be possible to isolate 2p 1 simultaneousfaults, but in practice it will be less. To increase the sig-nature space further, the auxiliary input can be extendedwith other periodic input signals. Using, e.g., an auxiliaryinput with two periodic signals will give two residualoutputs (0) and (1) that can be applied for isolation,i.e., the dimension of the signature space is increased by afactor of 2.

7. Controller reconfigurationThe controller reconfiguration part of the FTC architec-ture is considered in this section. The reconfigurationis based on the diagnosis part, the controller is modifiedwhen faults have been detected or isolated in the system.The reconfiguration is derived by using the YJBK transfermatrix Q.

Following the discussion in Section 1, the nominalfeedback controller Kuy is assumed to be a safe-modeone. The nominal feedback is then obtained by a con-troller switching using the YJBK parameterization. Thisis described in the following.

7.1. Controller switching. One application of theYJBK parameterization is controller switching, in whichthe YJBK transfer matrix Q is used. It is possible tochange the nominal controller Kuy to another stabilizingcontroller Kuy,i by suitable selection of Q. Assume theexistence of a co-prime factorization of the system andthe new controller

Gyu = NiM1i = M1i Ni, Kuy,i = UiV

1i = V

1i Ui

which satisfy the double Bezout equation given in (74).Then a switching from Kuy to Kuy,i can be obtained byusing Qi given by (Niemann and Poulsen, 2009a; Nie-mann et al., 2004)

Qi = M1Mi(UiV ViU) = Zi(UiV ViU) (61)

or

Qi = Zi(

Ui Vi)(VU

)

in (75). The transfer matrix Zi = M1Mi is stable,(Niemann and Poulsen, 2009a; Niemann et al., 2004).In some special cases, we will have that M = Mi andN = Ni and therefore with the result Zi = I .

An alternative to (61) is given by

Qi = (V Ui UVi)Zi, (62)

where Zi = MiM1.It should be pointed out that the stability properties

depend on the FTC concept applied. Using the FTC con-cept described in Section 1, it will be more reasonable toguarantee closed-loop stability both in the nominal caseas well as in the faulty case. In the latter, only the cen-tral controller Kuy is applied. The closed-loop systemis stable if the faulty system is stabilized by Kuy . Inthe former, where the system is controlled by Kuy(Q),the closed-loop system is stable if the nominal closed-loop system given by (Gyu,Kuy) is stable and Q is sta-ble. If the nominal controller has been applied as the cen-tral controller, the closed-loop stability of the faulty casewill require that the nominal closed-loop system given by(Gyu,Kuy) and Q be stable together, and that closed-loopsystem (Q,S()) be stable. This is a direct consequenceof the stability result given in Section 3.1.

7.2. Sensor and actuator extension. The controllerarchitecture considered in Section 1 is based on a generalcontroller parameterization. This architecture does not di-rectly allow a change in the sensor and/or actuator config-uration. A change from a safe-mode or a reliable robustcontroller to a controller with high performance will inmany cases also require a change of sensors and/or actua-tors. To handle this problem, let us consider the extendedsystem G given by (19), where additional inputs ua andoutputs ya have been included.

On the basis of the partitioned system in (19) and thefeedback controller in (20), the following representationof the eight co-prime matrices for the partitioned systemand controller can be derived (Niemann, 2006a):

Mext =(

M M120 I

)

, Uext =(

U 00 0

)

,

Next =(

N N12N12 N22

)

, Vext =(

V 0V21 I

)

,

Vext =(

V V120 I

)

, Uext =(

U 00 0

)

,

Next =(

N N12N21 N22

)

, Mext =(

M 0M21 I

)

,

(63)

where the eight co-prime matrices will satisfy the doubleBezout equation.

This structure can be obtained directly by using anobserver-based feedback controller or by using the statespace description for general controllers given by Nie-mann (2006a) and Tay et al. (1997). It is important topoint out that a general co-prime factorization of the par-titioned system and controller will not have this struc-ture. However, using the equations given above for theobserver-based feedback controller case or the equations


82 H.H. Niemann

for a general feedback controller of Tay et al. (1997), itwill always possible to obtain the structure given in (63).

The Bezout equation in (74) for the extended systemdescribed by the co-prime matrices in (63) can be foundin the work of Niemann (2006a). The YJBK parameter-ized controller given by (75) can now be developed for theextended system. The controller takes the following form:

Kuy(Qext) = Uext(Qext)Vext(Qext)1

=(

K1(0) 00 0

)

+ V 1ext Qext (Vext + NextQext)1 ,

(64)

where the YJBK transfer matrix Qext is given by

Qext =(

Q QyaQua Quaya

)

, (65)

where Q = Q is the YJBK transfer matrix for the orig-inal controller given by (75), Qya is the YJBK transfermatrix related with the additional sensors, Qua is theYJBK transfer matrix related with the additional actua-tors, and Quaya is the YJBK transfer matrix related withthe additional actuators and sensors.

The transfer matrix from to is zero in the nominalcase, (Niemann and Poulsen, 2009b). As a consequence,the closed-loop transfer matrix will be an affine functionof the Q transfer matrix. Using the feedback controllergiven by (64) on the partitioned nominal system G givesthe following closed loop:

e = Gedd + GeuKuy(Qext)(I GyuKuy(Qext))1Gydd= Ted(Qext)d.

(66)

Furthermore, rewriting (66) gives the following equationfor the closed-loop transfer matrix

Ted(Q) = (T1 + T2QT3) + GeuM(Qext)Gyd, (67)

where

T1 = Ged+GeuUMGyd, T2 = GeuM, T3 = MGyd

and

M(Qext)

=(

M11(Qext) MQya + M12QuayaQuaM + QuayaM12 Quaya

)

,

M11(Qext)

= M12QuaM + MQyaM12 + M12QuayaM12

Here we have used the fact that the transfer matrixfrom to is zero. This shows that the above closed-looptransfer matrix is an affine function in the YJBK transfermatrix Qext when additional sensors and actuators are in-cluded.

Note that T1 + T2QT3 represents the closed-loopsystem when only the original measurement y and controlinput u are applied.

It is clear from (64) that the controller architecturewill allow the use of other sensors and/or actuators thanthe sensors and/or actuators used in connection with thenominal controller Kuy.

7.3. Controller switching for extended systems. It ispossible to extend (61) or (62) to handle the case where thetwo controllers do not apply the same set of sensors andactuators. This is relevant in connection with optimizingthe closed-loop performance.

Consider the general case where the feedback con-troller Kuy,i is based on a subset of measurements y aswell as inputs u given by yi and ui. For simplicity, let yiand ui be assumed as the last signals in y and u, respec-tively, i.e., the feedback controller Kuy,i is given by

u =(

0 00 Kuy,i

)

y. (68)

Let the associated co-prime factorization of Gyu,i(the transfer matrix from input ui to output yi) and Kuy,ibe given by

Gyu,i = NiM1i = M1i Ni, Ni,Mi, Ni, Mi RH,

Kuy,i = UiV 1i = V1i Ui, Ui, Vi, Ui, Vi RH.

(69)Based on this feedback controller, the associated coprimematrices in (69) are given by

Mext,i =(

I 0Mi,21 Mi

)

, Uext,i =(

0 00 Ui

)

,

Next,i =(

Ni Ni,12Ni,12 Ni,22

)

, Vext,i =(

I Vi,120 Vi

)

,

Vext,i =(

I 0Vi,21 Vi

)

, Uext,i =(

0 00 Ui

)

,

Next,i =(

Ni Ni,12Ni,21 Ni,22

)

, Mext,i =(

I Mi,120 Mi

)

.

(70)

Using these matrices in Qext,i given by (61) results in



the following:

Qext,i = Zext,i(Uext,iVext Vext,iUext)

= Zext,i

((0 00 Ui

)(V 0V21 I

)

(

I 0Vi,21 Vi

)(U 00 0

))

,

Zext,i =(

M M120 I

)1 (I 0

Mi,21 Mi

)

RH.(71)

Note that the structure in Uext, Vext and in Uext,i, Vext,iis not the same. Therefore, it is not possible to multiplythe matrices by using the structure.

A special case is when the feedback controller Kuy,iis only based on ya and ua. Using the co-prime matricesin (70) and Qext,i given by (61) results in the following:

Qext,i = Zext,i(Uext,iVext Vext,iUext)

= Zext,i

((0 0

UiV21 Ui

)

(

U 0Vi,12U 0

))

= Zext,i

( U 0UiV21 Vi,12U Ui

)

,

Zext,i =(

M M120 I

)1 (I 0

Mi,21 Mi

)

=(

M1(I M12Mi,21) M1M12MiMi,21 Mi

)

RH.(72)

Using the above equation for Qext,i, it is possible toswitch from a nominal feedback controller based on y, uto a controller based on other sensors and actuators, with-out decoupling the first controller Kuy. Kuy will still beincluded as part of the new feedback controller.

8. Time aspects of the FTC architectureSome time aspects of the suggested FTC architecture arediscussed in the following. The described FTC architec-ture includes the following time steps:

1. t [0, t0[, start-up mode or safe mode. The safe-mode controller Kuy is applied.

2. t [t0, tfault[, normal mode. The nominal controllerKuy(Q) is applied, where Q is the performance partof the controller shown in Fig. 3. The controller isrunning in this mode until faults occur in the system.

3. t [tfault, tdetection[, the controller Kuy(Q) continuesto run in the normal mode until faults have been de-tected in the system.

4. t [tdetection, tisolation[, the controller is running in thesafe mode until the faults have been isolated.

5. t [tisolation, . . . [, depending on the faults in the sys-tem, the system will either be closed down or con-tinue to operate with full or reduced performance.This is obtained by re-including the performancecontroller Q in the feedback controller. A reducedperformance requires a redesign of Q.

The third step is the most critical one in the FTC ar-chitecture. Here the normal-mode controller is applied ona faulty system. The time period from the faults first oc-curring to when the faults are detected, t = tdetection tfault, is critical. This time period t will depend on boththe faults, the systems, and the residual generator and de-tector applied. An analysis of the transient system re-sponse in the case of faults when the nominal feedbackcontroller is applied gives an upper bound on how larget can be accepted. It is not directly a matter of theclosed-loop system being unstable or not, but it is morea matter of how much the system has moved away fromthe nominal operation point. If the faulty system is closed-loop stable, the system might run into different limitationsthat will make it difficult to get the system back to thenormal operation point. Using AFD, it will in some casesbe possible to detect faults before they have affected theclosed-loop system. This could be faults that are slowlyincreasing. Here quite a large t can be accepted.

The residual generator and change detector need tobe designed with respect to the upper bound on t. Whenexact fault detection is possible (Saberi et al., 2000), anupper bound on the time to detection can be derived.This was done by Stoorvogel et al. (2001), who consid-ered both the continuous-time as well as the discrete-timecase. In the former, the time to detection can be arbitrar-ily small. In the latter, the maximal number of samplesrequired for detection depends on the order of the infinitezeros in the system.

Normally, a statistical test needs to be applied on topof a residual generator. Applying the CUSUM method(Basseville and Nikiforov, 1993), the mean time to de-tect can be calculated based on the ARL function. Thelatter can be applied in connection with both the passiveas well as the active FD approach (Basseville and Niki-forov, 1993; Poulsen and Niemann, 2008). As a conse-quence, the mean time between false alarms cannot beoptimized; it will be a result of the selected mean timeto detection.

When faults have been detected, the performancepart of the controller is decoupled by removing Q from thecontroller (in Step 4). The faults need to be isolated before


84 H.H. Niemann

it is possible to decide whether the system should con-tinue in operation with reduced performance or whether itshould be closed down. In general, there will not be stronglimitations on the time used for isolation.

9. Closing remarksA concept for FTC has been suggested in this paper. Theimplementation of the FTC architecture has been based onthe YJBK parameterization. Both fault diagnosis as wellas controller reconfiguration can be based on the same setof signal vectors in the architecture. The architecture al-lows application of both passive and active fault diagnosismethods. In connection with the controller reconfigura-tion, it is shown how it is possible to switch to feedbackcontrollers using another set of sensors and actuators.

ReferencesBasseville, M. and Nikiforov, I. (1993). Detection of Abrupt

ChangesTheory and Application, Prentice Hall, UpperSaddle River, NJ.

Blanke, M., Frei, C., Kraus, F., Patton, R. and Staroswiecki, M.(2000). What is fault-tolerant control?, Preprints of the4th IFAC Symposium on Fault Detection, Supervision andSafety for Technical Processes, SAFEPROCESS2000, Bu-dapest, Hungary, pp. 4051.

Blanke, M., Izadi-Zamanabadi, R., Bgh, S. and Lunau, C.(1997). Fault tolerant control systemsA holistic view,Control Engineering Practice 5(5): 693702.

Blanke, M., Kinnart, M., Lunze, J. and Staroswiecki, M.(2003). Diagnosis and Fault-Tolerant Control, Springer,Berlin/Heidelberg.

Boyd, S. and Barratt, C. (1991). Linear Controller DesignLimits of Performance, Prentice Hall, Upper Saddle River,NJ.

Campbell, S., Horton, K. and Nikoukhah, R. (2002). Auxiliarysignal design for rapid multi-model identification using op-timization, Automatica 38(8): 13131325.

Campbell, S., Horton, K., Nikoukhah, R. and Delebecque, F.(2000). Rapid model selection and the separability in-dex, Proceedings of Safeprocess 2000, Budapest, Hungary,pp. 11871192.

Campbell, S. and Nikoukhah, R. (2004a). Auxiliary SignalDesign for Failure Detection, Princeton University Press,Princeton, NJ.

Campbell, S. and Nikoukhah, R. (2004b). Software for auxiliarysignal design, Proceedings of the American Control Con-ference, Boston, MA, USA, pp. 44144419.

Frank, P. and Ding, X. (1994). Frequency domain approachto optimally robust residual generation and evaluation formodel-based fault diagnosis, Automatica 30(5): 789804.

Gustafsson, F. (2000). Adaptive Filtering and Change Detection,Wiley & Sons, Chichester.

Kerestecioglu, F. (1993). Change Detection and Input Design inDynamic Systems, Research Studies Press, Baldock, Hert-fordshire.

Kerestecioglu, F. and Zarrop, M. (1994). Input design for detec-tion of abrupt changes in dynamical systems, InternationalJournal of Control 59(4): 10631084.

Maciejowski, J. (1989). Multivariable Feedback Control, Addi-son Wesley, Boston, MA.

Massoumnia, M. (1986). A geometric approach to the synthesisof failure detection filters, IEEE Transactions on AutomaticControl 31(9): 839846.

Niemann, H. (2003). Dual Youla parameterization,IEE ProceedingsControl Theory and Applications150(5): 493497.

Niemann, H. (2005). Fault tolerant control based on active faultdiagnosis, Proceedings of the American Control Confer-ence, Portland, OR, USA, pp. 22242229.

Niemann, H. (2006a). Parameterization of extended sys-tems, IEE ProceedingsControl Theory and Applications153(2): 221227.

Niemann, H. (2006b). A setup for active fault diagnosis, IEEETransactions on Automatic Control 51(9): 15721578.

Niemann, H. and Poulsen, N. (2006). Fault tolerant controlfor uncertain systems with parametric faults, Preprints ofthe 6th IFAC Symposium on Fault Detection, Supervisionans Safety for Technical Processes, SAFEPROCESS2006,Beijing, China, pp. 517522.

Niemann, H. and Poulsen, N. (2009a). Controller architecturesfor switching, Proceedings of the American Control Con-ference, St. Louis, MO, USA, pp. 10981103.

Niemann, H. and Poulsen, N. (2009b). A concept for fault tol-erant controllers, in Z. Kowalczuk (Ed.) Diagnosis of Pro-cesses and Systems, Pomeranian Science and TechnologyPublishers PWNT, Gdansk, pp. 107114.

Niemann, H. and Stoustrup, J. (2002). Reliable control usingthe primary and dual Youla parameterization, Proceedingsof the 41st IEEE Conference on Decision and Control, LasVegas, NV, USA, pp. 43534358.

Niemann, H. and Stoustrup, J. (2005). An architecture forfault tolerant controllers, International Journal of Control78(14): 10911110.

Niemann, H., Stoustrup, J. and Abrahamsen, R. (2004). Switch-ing between multivariable controllers, Optimal ControlApplication and Methods 25(2): 5166.

Nikoukhah, R. (1994). Innovations generation in the presenceof unknown inputs: Application to robust failure detection,Automatica 30(12): 18511867.

Nikoukhah, R. (1998). Guaranteed active failure detectionand isolation for linear dynamical systems, Automatica34(11): 13451358.

Nikoukhah, R., Campbell, S. and Delebecque, F. (2000). Detec-tion signal design for failure detection: A robust approach,International Journal of Adaptive Control and Signal Pro-cessing 14(7): 701724.



Poulsen, N. and Niemann, H. (2008). Active fault diagnosisbased on stochastic tests, International Journal of AppliedMathematics and Computer Science 18(4): 487496, DOI:10.2478/v10006-008-0043-6.

Saberi, A., Stoorvogel, A., Sannuti, P. and Niemann, H. (2000).Fundamental problems in fault detection and identifica-tion, International Journal of Robust and Nonlinear Con-trol 10(14): 12091236.

Skogestad, S. and Postlethwaite, I. (2005). Multivariable Feed-back Control: Analysis and Design, Wiley, Hoboken, NJ.

Stoorvogel, A., Niemann, H. and Saberi, A. (2001). Delays infault detection and isolation, Proceedings of the AmericanControl Conference, Washington, DC, USA, pp. 459463.

Stoustrup, J. and Niemann, H. (2001). Fault tolerant feedbackcontrol using the Youla parameterization, Proceedings ofthe 6th European Control Conference, Porto, Portugal,pp. 19701974.

Tay, T., Mareels, I. and Moore, J. (1997). High PerformanceControl, Birkhuser, Boston, MA.

Zhang, X. (1989). Auxiliary Signal Design in Fault Detectionand Diagnosis, Springer-Verlag, Heidelberg.

Zhou, K., Doyle, J. and Glover, K. (1995). Robust and optimalcontrol, Prentice Hall, Upper Saddle Rider, NJ.

Zhou, K. and Ren, Z. (2001). A new controller architecture forhigh performance robust, and fault-tolerant control, IEEETransactions on Automatic Control 46(10): 16131618.

Hans Henrik Niemann was born in Denmark in1961. He received the M.Sc. degree in mechan-ical engineering in 1986 and the Ph.D. degree in1988 from the Technical University of Denmark.From 1988 to 1994 he held a research positionand since 1994 he has been an assistant professorof control engineering at the Technical Universityof Denmark. His research interests include opti-mal and robust control, fault detection and isola-tion, active fault diagnosis, fault tolerant control,

controller architecture for controller switching and fault tolerant control,system and performance monitoring, controller anti-windup.

AppendixCo-prime factorization

A number of preliminary results for co-prime factorizationand parameterization are given in this appendix.

Co-prime factorization. Let a co-prime factorization ofthe system Gyu from (1) and the stabilizing controllerKuy from (4) be given by

Gyu = NM1 = M1N , N,M, N, M RH,

Kuy = UV 1 = V 1U , U, V, U , V RH,(73)

where the eight matrices in (73) must satisfy the doubleBezout equation given by (see Tay et al., 1997):

(I 00 I

)

=(

V UN M

)(M UN V

)

=(

M UN V

)(V UN M

)

.

(74)

State space descriptions of the above eight co-primematrices can be derived. The standard description is basedon using an observer-based feedback controller (Tay et al.,1997), but state space descriptions can also be derived forother types of feedback controllers.

YJBK parameterization. Based on the above co-primefactorization of the system Gyu and the controller Kuy ,we can give a parameterization of all controllers that sta-bilizes the system in terms of a stable transfer matrix Q,i.e., all stabilizing controllers are given by using a right-factored form (Tay et al., 1997):

Kuy(Q) = (U+MQ)(V +NQ)1, Q RH, (75)

or by using a left-factored form:

Kuy(Q) = (V +QN)1(U+QM), Q RH. (76)

Using the Bezout equation, the controller given ei-ther by (75) or by (76) can be realized as an LFT in theparameter Q:

Kuy(Q) = Fl((

UV 1 V 1

V 1 V 1N)

, Q

)

= Fl(JK , Q).(77)

Dual YJBK parameterization. The dual YJBK param-eterization gives a parameterization in terms of a stabletransfer matrix S of all systems stabilized by a givencontroller. The dual YJBK parameterization was consid-ered in detail by Niemann (2003), who also described theconnection between the dual YJBK transfer matrix andchanges in the system. The parameterization is givenby Niemann (2003) and Tay et al. (1997):

Gyu(S) = (N +V S)(M +US)1, S RH, (78)

or by using a left-factored form:

Gyu(S) = (M +SU)1(N +SV ), S RH. (79)

An LFT representation of (78) or (79) is given by

Gyu(S) = Fl((

NM1 M1

M1 M1U)

, S

)

= Fl(JG, S).(80)


86 H.H. Niemann

The interpretation of the dual YJBK transfer matrixS can be investigated from the primal YJBK parameteri-zation. It turns out that the dual YJBK transfer matrix Sis the open-loop transfer matrix from to , i.e., closingthe loop around Q

S = Fu(JK , Gyu(S)) (81)

equivalent to (22).Received: 12 January 2011Revised: 16 July 2011


IntroductionSystem set-upParametric fault sets

Parameterization of controllersClosed-loop stability

Fault diagnosisActive fault diagnosis set-upActive fault diagnosisTime to detect

Active fault detectionStochastic active fault detection

Active fault isolationDirect fault isolationIndirect fault isolation

Controller reconfigurationController switchingSensor and actuator extensionController switching for extended systems

Time aspects of the FTC architectureClosing remarks

/ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 150 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 150 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 2.00000 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages true /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 1200 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName (http://www.color.org?) /PDFXTrapped /False

/CreateJDFFile false /SyntheticBoldness 1.000000 /Description >>> setdistillerparams> setpagedevice

a model–based approach to fault–tolerant control

Documents

controller reconfiguration

controller parameters

nominal controller

controller reconfiguration

safemode controller

controller architecture

faulttolerant controllers

ftc architecture