fault-tolerant control of a polyethylene...
TRANSCRIPT
www.elsevier.com/locate/jprocont
Journal of Process Control 17 (2007) 439–451
Fault-tolerant control of a polyethylene reactor
Adiwinata Gani a, Prashant Mhaskar b, Panagiotis D. Christofides a,*
a Department of Chemical and Biomolecular Engineering, University of California, Los Angeles, CA 90095, United Statesb Department of Chemical Engineering, McMaster University, Hamilton, ON, Canada L8S4L7
Received 15 November 2005; accepted 14 April 2006
Abstract
This work focuses on fault-tolerant control of a gas phase polyethylene reactor. Initially, a family of candidate control configurations,characterized by different manipulated inputs, is identified. For each control configuration, a bounded nonlinear feedback controller,that enforces asymptotic closed-loop stability in the presence of constraints, is designed, and the constrained stability region associatedwith it is explicitly characterized using Lyapunov-based tools. Next, a fault-detection filter is designed to detect the occurrence of a faultin the control actuator by observing the deviation of the process states from the expected closed-loop behavior. A switching policy is thenderived, on the basis of the stability regions, to orchestrate the activation/deactivation of the constituent control configurations in a waythat guarantees closed-loop stability in the event of control system faults. Closed-loop system simulations demonstrate the effectivenessof the fault-tolerant control strategy.� 2006 Elsevier Ltd. All rights reserved.
Keywords: Fault-tolerant control; Fault-detection; Input constraints; Stability region; Lyapunov-based control; Polyethylene reactor
1. Introduction
Increasingly faced with the requirements of safety, reli-ability, and profitability, chemical process operation is rely-ing extensively on highly automated process controlsystems. Automation, however, tends to increase vulnera-bility of the process to faults (for example, defects/malfunc-tions in process equipment, sensors and actuators, faults inthe controllers or in the control loops) potentially causing ahost of economic, environmental, and safety problems thatcan seriously degrade the operating efficiency of the process.Problems due to faults may include physical damage tothe process equipment, increase in the wasteful use ofraw material and energy resources, increase in the down-time for process operation resulting in significant produc-tion losses, and jeopardizing personnel and environmentalsafety. These considerations provide a strong motivationfor the development of methods for the design of advanced
0959-1524/$ - see front matter � 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jprocont.2006.04.002
* Corresponding author. Tel.: +1 310 794 1015; fax: +1 310 206 4107.E-mail address: [email protected] (P.D. Christofides).
fault-tolerant control systems that ensure an efficient andtimely response to enhance fault recovery and prevent faultsfrom propagating or developing into total faults.
Fault-tolerant control has been an active area ofresearch for the past 10 years, and has motivated manyresearch studies in this area within the context of aerospaceengineering (see, for example, [37,3,47]). The whole notionof fault-tolerant control is based on the underlying assump-tion of the availability of more control configurations thanrequired. Under this assumption, the reliable controlapproach (see, for example, [45,41]) dictates use of all thecontrol loops at the same time so that fault in one controlloop does not lead to the failure of the entire control struc-ture. The use of only as many control loops as are requiredat a time, is often motivated by economic considerations(to save on unnecessary control action), and in this case,fault-tolerant control can be achieved through control-loopreconfiguration. Recently, fault-tolerant control has gainedincreased attention within process control; however, theavailable results have been based on the assumption of alinear process description [23,43,2,38].
CoolingWater
Bleed
Catalyst
Product
Fresh FeedEthyleneComonomerInertsHydrogen
Fig. 1. Industrial gas phase polyethylene reactor system.
440 A. Gani et al. / Journal of Process Control 17 (2007) 439–451
One of the prerequisites in implementing fault-tolerantcontrol is the ability to detect and isolate the occurrenceof faults. Existing results on the design of fault-detectionfilters include those that use past plant-data and those thatuse fundamental process models for the purpose of fault-detection filter design. Statistical and pattern recognitiontechniques for data analysis and interpretation (for exam-ple, [25,39,36,12,35,11,7,42,1,46]) use past plant-data toconstruct indicators that identify deviations from normaloperation to detect faults. The problem of using fundamen-tal process models for the purpose of detecting faults hasbeen studied extensively in the context of linear systems[27,19,20,9,29] and more recently some existential resultsin the context of nonlinear systems have been derived[40,10].
A switch to fall-back control configuration (upon detec-tion of a fault in a control configuration) results in an over-all process that exhibits intervals of piecewise continuousbehavior interspersed by discrete transitions. A hybrid sys-tems framework therefore provides a natural setting forthe analysis and design of fault-tolerant control structures.However, at this stage, despite the large and growing bodyof research work on a diverse array of hybrid system prob-lems (for example, [22,21,8,15,31,5]), the use of a hybridsystem framework for the study of fault-tolerant controlproblems has received limited attention. In [16], a hybridsystems approach to fault-tolerant control was employedwhere upon occurrence of a fault, stability region-basedreconfiguration is done to achieve fault-tolerant control.In [34], the problem of implementing integrated fault-detec-tion and fault-tolerant control (FDFTC) was addressedunder state and output feedback control and in [33], perfor-mance and robustness considerations were incorporated inthe fault-tolerant control structure.
Industrial processes stand to gain from an application offault-tolerant control structures that prevent loss of product(due, for example, to limit cycles) and possible loss of equip-ment (due, for example, to unacceptably high temperatures)in the event of a fault in the control configuration, whileaccounting explicitly for the complex process characteristicsmanifested in the form of nonlinearities, constraints anduncertainty. Motivated by these considerations, this workfocuses on fault-tolerant control of a gas phase polyethylenereactor modeled by seven nonlinear ordinary differentialequations (ODEs). Polyethylene is the most popular of allsynthetic commodity polymers, with current worldwideproduction of more than 40 billion tonnes per year. Largeproportion of this polyethylene is produced in gas phasereactors using Ziegler-Natta catalysts. In a gas phase poly-ethylene reactor, the temperature in the reaction zone iskept above the dew point of the reactant and below themelting point of the polymer to prevent melting and conse-quent agglomeration of the product particles. Most com-mercial gas phase fluidized bed polyethylene reactors areoperated in a relatively narrow temperature range between75 �C and 110 �C [44]. It has been demonstrated [4,28,24]that without feedback temperature control (or in the event
of failure in the control configuration), industrial gas phasepolyethylene reactors are prone to unstable steady-states,limit cycles, and excursions toward unacceptable high tem-perature steady-states which can lead to loss of product aswell as damage the equipment.
To develop a fault-tolerant control system for the gasphase polyethylene reactor, we initially describe the processevolution on the basis of a detailed model and identify afamily of candidate control configurations. For each con-trol configuration, a bounded nonlinear feedback control-ler, that enforces asymptotic closed-loop stability in thepresence of constraints, is designed, and the constrainedstability region associated with it is explicitly characterizedusing Lyapunov-based tools. Next, a fault-detection filter isdesigned to detect the occurrence of a fault in the controlactuator by observing the deviation of the process statesfrom the expected closed-loop behavior. A switching policyis then derived, on the basis of the stability regions, toorchestrate the activation/deactivation of the constituentcontrol configurations in a way that guarantees closed-loopstability in the event of control system faults. Closed-loopsystem simulations demonstrate the effectiveness of thefault-tolerant control strategy as well as investigate anapplication in the presence of measurement noise.
2. Process description and modeling
Fig. 1 shows a schematic of an industrial gas phase poly-ethylene reactor system. The feed to the reactor consists ofethylene, comonomer, hydrogen, inerts, and catalyst. Astream of unreacted gases flows from the top of the reactorand is cooled by passing through a heat exchanger in coun-ter-current flow with cooling water. Cooling rates in theheat exchanger are adjusted by instantaneously blendingcold and warm water streams while maintaining a constanttotal cooling water flowrate through the heat exchanger.
A. Gani et al. / Journal of Process Control 17 (2007) 439–451 441
Mass balance on hydrogen and comonomer have not beenconsidered in this study because hydrogen and comonomerhave only mild effects on the reactor dynamics [28]. Amathematical model for this reactor has the form [6]:
d½In�dt¼
F In � ½In�½M1�þ½In�
bt
V g
d½M1�dt¼
F M1� ½M1�½M1�þ½In�
bt � RM1
V g
dY 1
dt¼ F cac � kd1
Y 1 �RM1MW 1
Y 1
Bw
dY 2
dt¼ F cac � kd2
Y 2 �RM1MW 1
Y 2
Bw
dTdt¼ H f þ H g1 � H g0 � Hr � H pol
MrCpr þ BwCppol
dT w1
dt¼ F w
MwðT wi � T w1
Þ � UAMwCpw
ðT w1� T g1
Þ
dT g1
dt¼ F g
MgðT � T g1
Þ þ UAMgCpg
ðT w1� T g1
Þ
ð2:1Þ
where
Table 1Process variables
ac Active site concentration of catalystbt Overhead gas bleedBw Mass of polymer in the fluidized bedCpm1 Specific heat capacity of ethyleneCv Vent flow coefficientCpw, CpIn, Cppol Specific heat capacity of water, inert gas and polymerEa Activation energyFc, Fg Flow rate of catalyst and recycle gasFIn, F M1
, Fw Flow rate of inert, ethylene and cooling waterHf, Hg0 Enthalpy of fresh feed stream, total gas outflow
stream from reactorHg1 Enthalpy of cooled recycle gas stream to reactorHpol Enthalpy of polymerHr Heat liberated by polymerization reactionHreac Heat of reaction[In] Molar concentration of inerts in the gas phasekd1
, kd2Deactivation rate constant for catalyst site 1, 2
kp0 Pre-exponential factor for polymer propagation rate[M1] Molar concentration of ethylene in the gas phaseMg Mass holdup of gas stream in heat exchangerMrCpr Product of mass and heat capacity of reactor wallsMw Mass holdup of cooling water in heat exchangerMW 1
Molecular weight of monomerPv Pressure downstream of bleed ventR, RR Ideal gas constant, unit of J
mol K, m3 atmmol K
T, Tf, Tfeed Reactor, reference, feed temperatureT g1
, T w1Temperature of recycle gas, cooling water streamfrom exchanger
Twi Inlet cooling water temperature to heat exchangerUA Product of heat exchanger coefficient with areaVg Volume of gas phase in the reactorVp Bleed stream valve positionY1, Y2 Moles of active site type 1, 2
bt ¼ V pCv
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffið½M1� þ ½In�Þ � RR � T � P v
pRM1 ¼ ½M1� � kp0 � exp
�Ea
R1
T� 1
T f
� �� �� ðY 1 þ Y 2Þ
Cpg ¼½M1�
½M1� þ ½In�Cpm1 þ
½In�½M1� þ ½In�
CpIn
H f ¼ F M1Cpm1ðT feed � T f Þ þ F InCpInðT feed � T f Þ
H g1 ¼ F gðT g1� T f ÞCpg
H g0 ¼ ðF g þ btÞðT � T f ÞCpg
H r ¼ H reacMW 1RM1
H pol ¼ CppolðT � T f ÞRM1MW 1
ð2:2Þ
Table 1 includes the definition of all the variables used inEqs. (2.1) and (2.2). The values of the process parametersare listed in Table 2. Under these operating conditions,the open-loop system behaves in an oscillatory fashion(i.e., the system possesses an open-loop unstable steady-state surrounded by a limit cycle).
The control objective is to stabilize the reactor. Toaccomplish this objective we consider the following manip-ulated input candidates:
(1) Feed temperature, u1 ¼F M1
Cpm1þF InCpIn
MrCprþBwCppolðT feed � T s
feedÞ,subject to the constraint ju1j 6 u1
max ¼F M1
Cpm1þF InCpIn
MrCprþBwCppolð20Þ K
s .
Table 2Parameter values and units
Vg 500 m3
Vp 0.5Pv 17 atmBw 7 · 104 kgkp0 85 · 10�3 m3
mol s
Ea (9000)(4.1868) Jmol
Cpm1 (11)(4.1868) Jmol K
Cv 7.5 atm�0:5 mols
Cpw, CpIn (103)(4.1868), (6.9)(4.1868) Jkg K
Cppol (0.85 · 103)(4.1868) Jkg K
kd10.0001 s�1
kd20.0001 s�1
MW 128.05 · 10�3 kg
mol
Mw 3.314 · 104 kgMg 6060.5 molMrCpr (1.4 · 107)(4.1868) J
K
Hreac (�894 · 103)(4.1868) Jkg
UA (1.14 · 106)(4.1868) JK s
FIn, F M1, Fg 5, 190, 8500 mol
s
Fw (3.11 · 105)(18 · 10�3) kgs
F sc
5:83600
kgs
Tf, T sfeed, Twi 360, 293, 289.56 K
RR 8.20575 · 10�5 m3 atmmol K
R 8.314 Jmol K
ac 0.548 molkg
umax1 , umax
2 5.78 · 10�4, 3.04 · 10�4 Ks , mol
s
[In]s 439.68 molm3
[M1]s 326.72 molm3
Y 1s , Y 2s 3.835, 3.835 molTs, T w1s
, T g1s356.21, 290.37, 294.36 K
442 A. Gani et al. / Journal of Process Control 17 (2007) 439–451
(2) Catalyst flowrate, u2 ¼ ðF c � F scÞac, subject to the
constraint ju2j 6 u2max ¼ 2
3600
� �ac
mols
.
Each of the above manipulated inputs represents aunique control configuration (or control loop) that, byitself, can stabilize the reactor. The first control configura-tion, with feed temperature (Tfeed) as the manipulatedinput, will be considered as the primary configuration. Inthe event of some faults in this configuration, however,the plant supervisor, will have to activate the fall-back con-figuration in order to maintain closed-loop stability. Thequestion which we address in the next section, is how thesupervisor determines, from observing the evolution ofthe process, that a fault has occurred in the control config-uration and whether or not the fall-back control configura-tion will be able to stabilize the reactor if the primarycontrol configuration fails.
3. Fault-tolerant control
Having identified the candidate control configurationsthat can be used, we outline in this section the main stepsinvolved in the fault-tolerant control system design proce-dure. These include: (a) the synthesis of a stabilizing feed-back controller for each control configuration, (b) theexplicit characterization of the constrained stability regionassociated with each configuration, (c) the design of a fault-detection filter, and (d) the design of a switching law thatorchestrates the re-configuration of control system in away that guarantees closed-loop stability in the event offaults in the active control configuration.
To present our results in a compact form, we write themodel of Eq. (2.1) in a deviation (from the operatingunstable steady-state) variable form, by defining x ¼½x1 x2 x3 x4 x5 x6 x7�T where x1 = In � Ins, x2 ¼ M1 �M1s ,x3 ¼ Y 1 � Y 1s , x4 ¼ Y 2 � Y 2s , x5 = T � Ts, x6 ¼ T w1
� T w1s,
x7 ¼ T g1� T g1s
, and obtain a continuous-time nonlinearsystem with the following state-space description:
_xðtÞ ¼ fkðtÞðxðtÞÞ þ gkðtÞðxðtÞÞukðtÞ
jukðtÞj 6 umaxk
kðtÞ 2 K ¼ f1; 2gð3:3Þ
where xðtÞ 2 R7 denotes the vector of process state vari-ables and ukðtÞ 2 ½�umax
k ; umaxk � � R denotes the constrained
manipulated input associated with the kth control configu-ration. k(t), which takes values in the finite index set K, rep-resents a discrete state that indexes the vector fields fk(Æ),gk(Æ) as well as the manipulated input uk(Æ). The explicitform of the vector fields fk(t)(x(t)) and gk(t)(x(t)) can be ob-tained by comparing Eqs. (2.1) and (3.3) and is omitted forbrevity. For each value that k assumes in K, the process iscontrolled via a different manipulated input which defines agiven control configuration. Switching between the twoavailable control configurations is controlled by a higher-level supervisor that monitors the process and orchestrates,accordingly, the transition between the different control
configurations in the event of control system fault. Thisin turn determines the temporal evolution of the discretestate, k(t). The supervisor ensures that only one controlconfiguration is active at any given time, and allows onlya finite number of switches over any finite interval of time.The control objective is to stabilize the process of Eq. (3.3)in the presence of actuator constraints and faults in thecontrol system. The basic problem is how to detect theoccurrence of a fault and coordinate switching betweenthe different control configurations (or manipulated inputs)in a way that respects actuator constraints and guaranteesclosed-loop stability in the event of faults. To simplify thepresentation of our results, we will focus only on the statefeedback problem where measurements of all process statesare available for all times.
3.1. Constrained feedback controller synthesis
In this step, we synthesize, for each control config-uration, a feedback controller that enforces asymptoticclosed-loop stability in the presence of actuator constraints.This task is carried out on the basis of the process input/output dynamics. While our control objective is to achievefull state stabilization, process outputs are introduced onlyto facilitate transforming the system of Eq. (2.1) into a formmore suitable for explicit controller synthesis.
1. For the primary control configuration with u1 ¼F M1
Cpm1þF InCpIn
MrCprþBwCppolðT feed � T s
feedÞ, we consider the output
y1 = T � Ts. This choice yields a relative degree ofr1 = 1 with respect to u1. The input/output dynamicscan be then expressed in terms of the time-derivativeof the variable: e1 = T � Ts.
2. For the fall-back control configuration with u2 ¼ðF c � F s
cÞac, we choose the output y2 = T � Ts whichyields a relative degree of r2 = 2 and the correspondingvariables for describing the input/output dynamics take
the form: e12 ¼ T � T s, e2
2 ¼HfþHg1�Hg0�Hr�Hpol
MrCprþBwCppol. In particu-
lar, for the fall-back control configuration, the systemdescribing the input/output dynamics has the followingform:
_e2 ¼ A2e2 þ l2ðe2Þ þ b2a2u2 :¼ �f 2ðe2Þ þ �g2ðe2Þu2 ð3:4Þwhere
A2 ¼0 1
0 0
" #; b2 ¼
0
1
" #; e2 ¼
e12
e22
" #;
l2ð�Þ ¼ L2f2
h2ðxÞ; a2ð�Þ ¼ Lg2Lf2
h2ðxÞ
h2(x) = y2 is the output associated with the fall-backcontrol configuration (the explicit form of the functionsf2(Æ) and g2(Æ) is omitted for brevity).
The inverse dynamics, for both the first and second con-trol configurations, have the following form:
A. Gani et al. / Journal of Process Control 17 (2007) 439–451 443
_g1 ¼ W1;kðe; gÞ
..
.
_g7�rk ¼ W7�rk ;kðe; gÞ
ð3:5Þ
where k = 1,2 and W1;k � � �W7�rk ;k are nonlinear functions oftheir arguments describing the evolution of the inversedynamics of the kth mode.
Using a quadratic Lyapunov function of the formV k ¼ eT
k P kek, where Pk is a positive-definite symmetricmatrix that satisfies the Riccati inequality AT
k P k þ P kAk �P kbkbT
k P k < 0, we synthesize, for each control-loop, abounded nonlinear feedback control law (see [26,13,14])of the form:
uk ¼ �rðx; umaxk ÞL�gk V k ð3:6Þ
where
rðx; umaxk Þ ¼
L��f kV k þ
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiðL��f k
V kÞ2 þ ðumaxk jL�gk V kjÞ4
qðjL�gk V kjÞ2 1þ
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1þ ðumax
k jL�gk V kjÞ2q� � ð3:7Þ
and L��f kV k ¼ L�f k
V k þ qjekj2, q > 0. The scalar function r(Æ)in Eqs. (3.6) and (3.7) can be considered as a nonlinear con-troller gain. It can be shown that each control configura-tion asymptotically stabilizes the e states in each mode.This result, together with the property of the g states tobe input-to-state stable, can be used to show, via a smallgain argument, asymptotic stability for each control config-uration (verified through simulation and analysis of thesystem of Eq. (3.7) with ek = 0 for both k = 1 and k = 2).This controller gain, which depends on both the size ofactuator constraints, umax
k , and the particular configurationused is shaped in a way that guarantees constraint satisfac-tion and asymptotic closed-loop stability within awell-characterized region in the state-space. The character-ization of this region is discussed in the next step.
3.2. Characterization of constrained stability regions
Given that actuator constraints place fundamental limi-tations on the initial conditions that can be stabilized, it isimportant for the control system designer to explicitlycharacterize these limitations by identifying, for each con-trol configuration, the set of admissible initial conditionsstarting from where the constrained closed-loop system isasymptotically stable. As discussed in step (d) below, thischaracterization is necessary for the design of an appropri-ate switching policy that ensures the fault-tolerance of thecontrol system. The control law designed in step (a) pro-vides such a characterization. Specifically, using a Lyapu-nov argument, one can show that the set
Hðumaxk Þ ¼ fx 2 R7 : L��f k
V k 6 umaxk jL�gk V kjg ð3:8Þ
describes a region in the state space where the control ac-tion satisfies the constraints and the time-derivative of thecorresponding Lyapunov function is negative-definitealong the trajectories of the closed-loop system. Note that
the size of this set depends, as expected, on the magnitudeof the constraints. In particular, the set becomes smaller asthe constraints become tighter (smaller umax
k ). For a givencontrol configuration, one can use the above inequality toestimate the stability region associated with this configura-tion. This can be done by constructing the largest invariantsubset of H, which we denote by Xðumax
k Þ. Confining the ini-tial conditions within the set Xðumax
k Þ ensures that theclosed-loop trajectory stays within the region defined byHðumax
k Þ, and thereby Vk continues to decay monotonically,for all times that the kth control configuration is active (see[13] for further discussion on this issue).
An estimate of the region of constrained closed-loop sta-bility for the full system is obtained by defining a compositeLyapunov function of the form V ck ¼ V k þ V gk
, whereV gk¼ gTP gk
g and P gkis a positive definite matrix and
choosing a level set of V ck , Xck , for which _V ck < 0 for allx in Xck .
Remark 1. Note that the composite Lyapunov functions,V ck , used in implementing the switching rules, are ingeneral different from the Lyapunov functions Vk used indesigning the controllers. Owing to the ISS property of thegk-subsystem of each mode, only a Lyapunov function forthe ek subsystem, namely Vk, is needed and used to design acontroller that stabilizes the full ek � gk interconnection foreach mode. However, when implementing the switchingrules (constructing the Xck ), we need to track the evolutionof x (and hence the evolution of both ek and gk). Therefore,the Lyapunov functions used in verifying the switchingconditions at any given time, V ck , are based on x. From theasymptotic stability of each mode, the existence of theseLyapunov functions is guaranteed by converse Lyapunovtheorems. Note also that the above controller design is onlyone example of a controller design that allows for anexplicit characterization of the stability region and is usedfor the purpose of illustration. Other controller designssuch as the hybrid predictive controller [18,30,17,32] thatenable implementation of predictive controllers with a wellcharacterized stability region can also be used to achievefault-tolerant control within the proposed framework.
Remark 2. Note that in practical implementation when thestate trajectory gets close to the desired equilibrium point,the first ðjL�gk V kjÞ2 term in the denominator of the controllaw of Eq. (3.7) could cause chattering in the control action.To alleviate this chattering, a small positive number mk maybe added to the first ðjL�gk V kjÞ2 term in the denominator. Theaddition of mk allows for achieving practical stability, withdecrease in magnitude of mk (while keeping it large enoughto avoid chattering) resulting in the state trajectory goingfurther closer to the desired equilibrium point.
3.3. Fault-detection filter design
The next step in implementing fault-tolerant control isthat of designing appropriate fault-detection filters that
444 A. Gani et al. / Journal of Process Control 17 (2007) 439–451
can detect the occurrence of a fault in the control actuatorby observing the behavior of the closed-loop process. Tothis end, we design for a given control configuration, afault detection filter of the form:
_wðtÞ ¼ fkðwðtÞÞ þ gkðwðtÞÞukðwÞ
jukj 6 umaxk
rkðtÞ ¼ kxðtÞ � wðtÞk
ð3:9Þ
where xðtÞ 2 R7 denotes the vector of process state vari-ables and ukðtÞ 2 ½�umax
k ; umaxk � � R denotes the constrained
manipulated input associated with the kth control configu-ration, wðtÞ 2 R7 is the vector of filter states and rkðtÞ 2 R isthe residual that detects the occurrence of a fault. The filterstates are initialized at the same value as the process states(w(0) = x(0)) and essentially predict the evolution of theprocess in the absence of actuator faults. The residuals cap-tures the difference between the predicted evolution of thestates in the absence of faults and that of the process state,thereby detecting faults in the control actuators. Specifi-cally, the value of rk(t) becomes non-zero at the earliesttime that a fault occurs (for a detailed analysis of the detec-tion properties of the filter, see [34]).
Remark 3. Note that in the presence of measurementnoise, the value of r(t) will be nonzero even in the absenceof faults. To handle this problem, the filter should declare afault only if the value of r(t) increases beyond some
0 10 20 30 40 50440
445
450
455
Time (hr)
[In] (
mol
/m3 )
0 10 20 30 40 503.5
4
4.5
5
Time (hr)
Y1, Y
2 (m
ol)
0 10 20 30 40 50290
295
300
Time (hr)
Tw
1 (K
)
Fig. 2. Evolution of the op
threshold, d, where d accounts for the deviation of theplant measurements from the nominal measurements in theabsence of faults (see the simulation section for a demon-stration). Note also, that plant model mismatch orunknown disturbances can also cause the value of r(t) tobe nonzero even in the absence of faults. The FDFTCproblem in the presence of time varying disturbances withknown bounds on the disturbances can be handled byredesigning the filter as well as the controllers for theindividual control configuration. Specifically, as in the caseof measurement noise, the filter should declare a fault onlyif the value of r(t) increases beyond some threshold, d,where d accounts for the deviation of the plant dynamicsfrom the nominal dynamics in the absence of faults. Thecontrollers for the individual control configurations need tobe redesigned to mitigate the effect of disturbances on theprocess, in a way that allows the characterization of therobust stability regions. The robust stability region cansubsequently be used in deciding which backup controlconfiguration should be implemented in the closed-loop.With regard to the fault-detection filter, the detectionthreshold provides a suitable handle that can be used toachieve early fault detection. In the presence of noise,however, having a small fault-detection threshold can leadto the triggering of false alarms (as demonstrated in thesimulation example) and should be picked to achieve thedesired tradeoff between avoiding false alarms and detect-ing faults.
0 10 20 30 40 50100
200
300
400
500
Time (hr)
[M1] (
mol
/m3 )
0 10 20 30 40 50340
350
360
370
380
Time (hr)
T (
K)
0 10 20 30 40 50290
295
300
305
Time (hr)
Tg 1 (
K)
en-loop process states.
A. Gani et al. / Journal of Process Control 17 (2007) 439–451 445
3.4. Fault-tolerant switching logic
Having designed the feedback control laws, character-ized the stability region associated with each control con-figuration, and designed the fault-detection filter, thefourth step is to derive the switching policy that the super-visor needs to employ to activate/deactivate the appropri-ate control configurations in the event of faults. The keyidea here is that, because of the limitations imposed by con-straints on the stability region of each configuration, thesupervisor can only activate the control configuration forwhich the closed-loop state is within the stability regionat the time of control system fault. Without loss of gener-ality, let the initial actuator configuration be k(0) = 1, Tfault
be the time when this configuration fails and let Tdetect bethe earliest time at which the value of r1ðtÞ > dr1
> 0 (wheredr1
is the detection threshold chosen based on the accept-able level of deviation of the actual closed-loop perfor-mance from the desired one), then the switching rulegiven by
kðt P T detectÞ ¼ 2 if xðT detectÞ 2 Xc2ðumax
2 Þ ð3:10Þ
0 10 20 303.8
4
4.2
4.4
4.6
4.8
Time (hr)
Y1, Y
2 (m
ol)
0 10 20 30290
292
294
296
298
300
Time (hr)
Tw
1 (K
)
0 10 20 30440
445
450
455
Time (hr)
[In] (
mol
/m3 )
Fig. 3. Closed-loop state profiles under
guarantees asymptotic closed-loop stability. The imple-mentation of the above switching law requires monitoringthe closed-loop state trajectory with respect to the stabilityregions associated with the various actuator configura-tions. This idea of tying the switching logic to the stabilityregions was first proposed in [15] for the control ofswitched nonlinear systems.
4. Simulation results
Several simulation runs were carried out to evaluatethe effectiveness of the proposed fault-detection andfault-tolerant control strategy. Fig. 2 shows the evolutionof the open-loop state profiles. Under the operating condi-tions listed in Table 2, the open-loop system behaves inan oscillatory fashion (i.e., the system possesses an open-loop unstable steady-state surrounded by a stable limitcycle).
First, process operation under primary control configu-ration was considered (i.e., the feed temperature, Tfeed, wasthe manipulated input) and a bounded nonlinear controllerwas designed using the formula of Eqs. (3.6) and (3.7).
0 10 20 30150
200
250
300
350
400
Time (hr)
[M1] (
mol
/m3 )
0 10 20 30340
350
360
370
380
Time (hr)
T (
K)
0 10 20 30290
295
300
305
Time (hr)
Tg 1 (
K)
the primary control configuration.
446 A. Gani et al. / Journal of Process Control 17 (2007) 439–451
Specifically, a quadratic function of the form V 1 ¼12ðT � T sÞ2 and q1 = 0.01 were used to design the controller
and a composite Lyapunov function of the form V c1¼ 5�
10�3ðIn � InsÞ4 þ 5 � 10�4ðM1 � M1sÞ2 þ 5 � 10�11ðY 1 �
0 5 10 15 20 25 30
−20
−15
−10
−5
0
5
10
15
20
Time (hr)
Tfe
ed –
Tfe
eds (
K)
Fig. 4. Manipulated input profile under primary control configuration.
0 10 20 30 40 50435
440
445
450
455
Time (hr)
[In] (
mol
/m3 )
0 10 20 30 40 503.6
3.8
4
4.2
4.4
4.6
Time (hr)
Y1, Y
2 (m
ol)
0 10 20 30 40 50290
292
294
296
298
300
Time (hr)
Tw
1 (K
)
Fig. 5. Evolution of the closed-loop state profiles under primary control confiswitch to (or fall-back control configuration is not activated) resulting in openfails at Tfault = 5 h 34 min.
Y 1sÞ2 þ 5 � 10�11ðY 2 � Y 2sÞ2 þ 5 � 10�4ðT � T sÞ2 þ 5 �10�2ðT w1
� T w1sÞ2 þ 5 � 10�11ðT g1
� T g1sÞ2 was used to
estimate the stability region of the primary control config-uration yielding a cmax
1 ¼ 62.The first ðjL�gk V kjÞ2 term in the denominator of the con-
trol law of Eq. (3.7) was replaced by ðjL�gk V kjÞ2 þ mk (as dis-cussed in Remark 2), with m1 = 1 and m2 = 5 · 10�9, toalleviate chattering of the control action close to thedesired equilibrium point under configurations 1 and 2,respectively. Fig. 3 shows the evolution of the closed-loopstate profiles and Fig. 4 shows the evolution of the manip-ulated inputs starting from the initial conditionInð0Þ ¼ 450 mol
m3 , M1ð0Þ ¼ 340 molm3 , Y1(0) = 4.6 mol, Y2(0) =
4.6 mol, T(0) = 360 K, T w1ð0Þ ¼ 300 K, and T g1
ð0Þ ¼300 K for which V c1
¼ 61:4. Since this initial state iswithin the stability region of the primary control configura-tion (i.e., V c1
ðxð0ÞÞ 6 cmax1 ), the primary control configura-
tion is able to stabilize the system at the steady-state ofinterest.
Next, we considered the case of having a fault in the pri-mary control configuration. In this case, the supervisor hadavailable a fall-back control configuration with the catalystflowrate, Fc, as the manipulated input. A quadratic Lyapu-nov function of the form V 2 ¼ eT
2 P 2e2 and q2 = 0.01 wasused to design the controller that used the fall-back controlconfiguration and a composite Lyapunov function of the
0 10 20 30 40 50150
200
250
300
350
400
Time (hr)
[M1] (
mol
/m3 )
0 10 20 30 40 50345
350
355
360
365
370
375
Time (hr)
T (
K)
0 10 20 30 40 50292
294
296
298
300
302
304
Time (hr)
Tg 1 (
K)
guration (dashed lines) and no fall-back control configuration available to-loop oscillatory behavior (solid lines) after primary control configuration
0 1 2 3 4 5 6 7
0
0.1
0.2
0.3
0.4
0.5
Time (hr)
r 1
Detection threshold: δr1
= 0.5
Fig. 7. Evolution of the detection filter residual value under primarycontrol configuration (dashed line). At Tdetect = 5 h 54 min, the detectionfilter residual value reaches the detection threshold of 0.5 which verifiesthat a fault on the primary control configuration occurs. A switch to thefall-back control configuration (solid line) resets the detection filterresidual back to zero.
A. Gani et al. / Journal of Process Control 17 (2007) 439–451 447
form V c2¼ 5� 10�3ðIn� InsÞ4 þ 5� 10�4ðM1 �M1sÞ2þ
5� 10�11ðY 1 � Y 1sÞ2 þ 5� 10�11ðY 2 � Y 2sÞ2 þ 5� 10�4ðT �T sÞ2 þ 5� 10�11ðT w1
� T w1sÞ2 þ 5� 10�11ðT g1
� T g1sÞ2 was
used to estimate the stability region of the fall-back controlconfiguration yielding a cmax
2 ¼ 56:8.To demonstrate that control loop reconfiguration results
in fault-tolerant reactor control in the presence of inputconstraints, we carried out the following simulations: Wefirst initialized the reactor at Inð0Þ ¼ 450 mol
m3 , M1ð0Þ ¼340 mol
m3 , Y1(0) = 4.6 mol, Y2(0) = 4.6 mol, T(0) = 360 K,T w1ð0Þ ¼ 300 K, and T g1
ð0Þ ¼ 300 K resulting in V c1¼
61:4 which implied that this initial state was within the sta-bility region of the primary control configuration. Considernow, a fault in the primary control configuration at timeTfault = 5 h 34 min (see dashed lines in Figs. 5 and 6). Inthe case of no switching to fall-back control configurationor no backup control configurations available, closed-loopstability is not achieved and the process behaves in an oscil-latory fashion (solid line in Fig. 5).
However, applying our fault-detection and fault-toler-ant control strategy, the supervisor kept track of the resid-ual value r1 (see dashed line in Fig. 7) and observedthe residual value r1 becoming non-zero at Tfault = 5 h34 min. At Tdetect = 5 h 54 min, the residual value r1
reached the detection threshold ðdr1¼ 0:5Þ and a fault on
primary control configuration was declared. The supervi-
0 5 10 15 20440
445
450
455
Time (hr)
[In] (
mol
/m3 )
0 5 10 15 203.6
3.8
4
4.2
4.4
4.6
Time (hr)
Y1, Y
2 (m
ol)
0 5 10 15 20290
292
294
296
298
300
Time (hr)
Tw
1 (K
)
5.4 5.6 5.8 6
449.5
450
5.4 5.6 5.8 63.85
3.9
3.95
4
5.4 5.6 5.8 6290.35
290.36
290.37
290.38
Fig. 6. Evolution of the closed-loop state profiles under primary control configprocess starts operating open-loop (dotted lines). At Tdetect = 5 h 54 min, tconfiguration and the control system switches to the fall-back control configu
sor, then, checked if switching to fall-back control con-figuration would preserve stability. This was done byevaluating the value of the composite Lyapunov function
0 5 10 15 20150
200
250
300
350
400
Time (hr)
[M1] (
mol
/m3 )
0 5 10 15 20345
350
355
360
365
370
375
Time (hr)
T (
K)
0 5 10 15 20292
294
296
298
300
302
304
Time (hr)
Tg 1 (
K)
5.4 5.6 5.8 6310
320
330
5.4 5.6 5.8 6355356357358
5.4 5.6 5.8 6294.25
294.3
294.35
294.4
uration (dashed lines) which fails at Tfault = 5 h 34 min. At this point, thehe detection filter verifies that there is a fault on the primary controlration (solid lines).
0 5 10 15 20440
445
450
455
Time (hr)
[In] (
mol
/m3 )
0 5 10 15 20
200
250
300
350
Time (hr)
0 5 10 15 203.63.8
44.24.44.64.8
5
Time (hr)
Y1, Y
2 (m
ol)
0 5 10 15 20345350355360365370375380
T (
K)
0 5 10 15 20290
292
294
296
298
300
302
Time (hr)
Tw
1 (K
)
0 5 10 15 20292
294
296
298
300
302
304
Time (hr)
Tg 1 (
K)
[M1] (
mol
/m3 )
Time (hr)
Fig. 8. Evolution of the closed-loop state profiles in the case of measurement noise under primary control configuration (dashed lines) which fails atTfault = 5 h 34 min. At this point, the process starts operating open-loop (dotted lines). At Tdetect = 5 h 54 min, the detection filter verifies that there is afault on the primary control configuration and the control system switches to the fall-back control configuration (solid lines).
0 1 2 3 4 5 6 70
0.1
0.2
0.3
0.4
0.5
0.6
0.7
Time (hr)
r 1
Detection threshold: δr1
= 0.7
Fig. 9. Evolution of the detection filter residual value in the case ofmeasurement noise. A detection threshold of 0.5 triggers false alarm evenbefore real fault on primary control configuration at Tfault = 5 h 34 min. Anew detection threshold of 0.7 is picked and implemented. At Tdetect = 5 h54 min, the detection filter residual value reaches the detection thresholdof 0.7 which verifies that a fault on the primary control configurationoccurs. A switch to the fall-back control configuration resets the detectionfilter residual back to normal.
448 A. Gani et al. / Journal of Process Control 17 (2007) 439–451
of the fall-back control configuration at Tdetect = 5 h54 min where the states were of the following values:InðT detectÞ ¼ 449:7 mol
m3 , M1ðT detectÞ ¼ 316:9 molm3 , Y1(Tdetect) =
3.86 mol, Y2(Tdetect) = 3.86 mol, T(Tdetect) = 356.3 K,T w1ðT detectÞ ¼ 290:4 K, and T g1
ðT detectÞ ¼ 294:3 K. SinceV c2ðxðT detectÞÞ ¼ 49:6 6 cmax
2 , the state, at the time the filterdetected the fault in the primary control configuration, waswithin the stability region of the fall-back control configu-ration. Therefore, switching to fall-back control configura-tion would preserve closed-loop stability (see solid lines inFig. 6).
Next, we also investigated the implementation of thefault-detection and fault-tolerant control strategy in thepresence of measurement noise. Specifically, we consideredGaussian measurement noise of the following magnitude:In ¼ 0:5 mol
m3 , M1 ¼ 0:3 molm3 , Y1 = 0.04 mol, Y2 = 0.04 mol,
T = 0.8 K, T w1¼ 0:3 K, and T g1
¼ 0:3 K. Note that inthe presence of measurement noise, the value of the resid-ual stayed non-zero even in the absence of actuator faults(for the measurement noise considered in this study, adetection threshold of dr1
¼ 0:5 was no longer appropriateand triggered false alarms). A new threshold that capturedthe effect of the measurement noise on the value of theresidual was needed. A detection threshold of ðdr1
¼ 0:7Þwas then picked. Consider once again a fault in theprimary control configuration at time Tfault = 5 h 34 min.This fault was detected by the fault-detection filter via
the residual reaching the threshold at Tdetect = 5 h 54 min(see dashed line in Fig. 9). The supervisor, then, checked
0 10 20 30 40440
445
450
455
Time (hr)
[In] (
mol
/m3 )
0 10 20 30 40
200
400
600
Time (hr)
[M1] (
mol
/m3 )
0 10 20 30 403.5
4
4.5
Time (hr)
Y1, Y
2 (m
ol)
0 10 20 30 40
340
360
380
400
Time (hr)
T (
K)
0 10 20 30 40
290
295
300
Time (hr)
Tw
1 (K
)
0 10 20 30 40290
295
300
305
Time (hr)
Tg 1 (
K)
Fig. 10. Evolution of the open-loop (dotted lines) and closed-loop (solid lines) state profiles under the primary control configuration in the presence ofparametric model uncertainty and disturbances.
A. Gani et al. / Journal of Process Control 17 (2007) 439–451 449
if switching to fall-back control configuration would pre-serve stability. As before, this was done by evaluating thevalue of the composite Lyapunov function of the fall-backcontrol configuration at Tdetect = 5 h 54 min where thestates were of the following values: InðT detectÞ ¼ 449:3 mol
m3 ,M1ðT detectÞ ¼ 327:5 mol
m3 , Y1(Tdetect) = 3.83 mol, Y2(Tdetect) =3.83 mol, T(Tdetect) = 355.6 K, T w1
ðT detectÞ ¼ 290:4 K,and T g1
ðT detectÞ ¼ 294:4 K. Since V c2ðxðT detectÞÞ ¼ 42:7 6
cmax2 , the state, at the time the filter detected the fault
in the primary control configuration, was within the stabil-ity region of the fall-back control configuration. Subse-quent switching to the fall-back control configurationonce again resulted in closed-loop stability (see solid linesin Fig. 8).
Finally, we also evaluated the robustness of the control-ler that is a vital component of the fault-tolerant controlstructure. We considered values of some of the processparameters being different from the ones used in thecontroller design, specifically, Ea = 38.058 kJ/mol andHreac = 3780.429 kJ/kg and also in the presence of distur-bance in the inlet coolant temperature, with Twi = 288.56K. The dotted lines in Fig. 10 shows the open-loop profilesillustrating the effect of the presence of disturbances anduncertainty in the parameters on the process states. In con-trast, when the primary control configuration is imple-mented, the controller is able to reject the disturbancesand stabilize the process at the desired equilibrium point(see solid lines in Fig. 10).
5. Conclusions
In this work we focused on fault-tolerant control of agas phase polyethylene reactor. Initially, a family of candi-date control configurations, characterized by differentmanipulated inputs, were identified. For each control con-figuration, a bounded nonlinear feedback controller, thatenforced asymptotic closed-loop stability in the presenceof constraints, was designed, and the constrained stabil-ity region associated with it was explicitly characterizedusing Lyapunov-based tools. A fault-detection filter wasdesigned to detect the occurrence of a fault in the controlactuator by observing the deviation of the process statesfrom the expected closed-loop behavior. A switching pol-icy was then derived, on the basis of the stability regions,to orchestrate the activation/deactivation of the constitu-ent control configurations in a way that guaranteedclosed-loop stability in the event of control system faults.Closed-loop simulations were carried out to implement thefault-tolerant control strategy on the gas phase polyethyl-ene reactor and to demonstrate the implementation of thefault-tolerant control method in the presence of measure-ment noise.
Acknowledgement
Financial support from NSF, CTS-0529295, is gratefullyacknowledged.
450 A. Gani et al. / Journal of Process Control 17 (2007) 439–451
References
[1] H.B. Aradhye, B.R. Bakshi, J.F. Davis, S.C. Ahalt, Clustering inwavelet domain: a multiresolution art network for anomaly detection,AIChE Journal 50 (2004) 2455–2466.
[2] J. Bao, W.Z. Zhang, P.L. Lee, Passivity-based decentralized failure-tolerant control, Industrial & Engineering Chemistry Research 41(2002) 5702–5715.
[3] M. Blanke, R. Izadi-Zamanabadi, S.A. Bogh, C.P. Lunau, Fault-tolerant control systems – a holistic view, Control EngineeringPractice 5 (1997) 693–702.
[4] K.-Y. Choi, W.H. Ray, The dynamic behavior of fluidized-bedreactors for solid catalyzed gas-phase olefin polymerization, ChemicalEngineering Science 40 (1985) 2261–2279.
[5] P.D. Christofides, N.H. El-Farra, Control of Nonlinear and HybridProcess Systems: Designs for Uncertainty, Constraints and Time-Delays, Springer, New York, 2005.
[6] S.A. Dadebo, M.L. Bell, P.J. McLellan, K.B. McAuley, Temperaturecontrol of industrial gas phase polyethylene reactors, Journal ofProcess Control 7 (1997) 83–95.
[7] J.F. Davis, M.L. Piovoso, K. Kosanovich, B. Bakshi, Process dataanalysis and interpretation, Advances in Chemical Engineering 25(1999) 1–103.
[8] R.A. Decarlo, M.S. Branicky, S. Petterson, B. Lennartson, Perspec-tives and results on the stability and stabilizability of hybrid systems,Proceedings of the IEEE 88 (2000) 1069–1082.
[9] M.A. Demetriou, A model-based fault detection and diagnosisscheme for distributed parameter systems: a learning systemsapproach, ESAIM-Control Optimisation and Calculus of Variations7 (2002) 43–67.
[10] C. DePersis, A. Isidori, A geometric approach to nonlinear faultdetection and isolation, IEEE Transactions on Automatic Control 46(2001) 853–865.
[11] R. Dunia, S.J. Qin, Subspace approach to multidimensional faultidentification and reconstruction, AIChE Journal 44 (1998) 1813–1831.
[12] R. Dunia, S.J. Qin, T.F. Edgar, T.J. McAvoy, Identification of faultysensors using principal component analysis, AIChE Journal 42 (1996)2797–2812.
[13] N.H. El-Farra, P.D. Christofides, Integrating robustness, optimality,and constraints in control of nonlinear processes, Chemical Engi-neering Science 56 (2001) 1841–1868.
[14] N.H. El-Farra, P.D. Christofides, Bounded robust control ofconstrained multivariabe nonlinear processes, Chemical EngineeringScience 58 (2003) 3025–3047.
[15] N.H. El-Farra, P.D. Christofides, Coordinated feedback and switch-ing for control of hybrid nonlinear processes, AIChE Journal 49(2003) 2079–2098.
[16] N.H. El-Farra, A. Gani, P.D. Christofides, Fault-tolerant control ofprocess systems using communication networks, AIChE Journal 51(2005) 1665–1682.
[17] N.H. El-Farra, P. Mhaskar, P.D. Christofides, Hybrid predictivecontrol of nonlinear systems: method and applications to chemicalprocesses, International Journal of Robust and Nonlinear Control 4(2004) 199–225.
[18] N.H. El-Farra, P. Mhaskar, P.D. Christofides, Uniting boundedcontrol and MPC for stabilization of constrained linear systems,Automatica 40 (2004) 101–110.
[19] P.M. Frank, Fault diagnosis in dynamic systems using analytical andknowledge-based redundancy – a survey and some new results,Automatica 26 (1990) 459–474.
[20] P.M. Frank, X. Ding, Survey of robust residual generation andevaluation methods in observer-based fault detection systems, Journalof Process Control 7 (1997) 403–424.
[21] V. Garcia-Onorio, B.E. Ydstie, Distributed, asynchronous andhybrid simulation of process networks using recording controllers,International Journal of Robust and Nonlinear Control 14 (2004) 227–248.
[22] I.E. Grossmann, S.A. van den Heever, I. Harjukoski, Discreteoptimization methods and their role in the integration of planningand scheduling, in: Proceedings of 6th International Conference onChemical Process Control, Tucson, AZ, 2001, pp. 124–152.
[23] K.M. Hangos, J.B. Varga, F. Friedler, L.T. Fan, Integrated synthesisof a process and its fault-tolerant control-system, Computers andChemical Engineering 19 (1995) S465–S470.
[24] I. Hyanek, J. Zacca, F. Teymour, W.H. Ray, Dynamics and stabilityof polymerization process flow sheets, Industrial & EngineeringChemistry Research 34 (1995) 3872–3877.
[25] J.V. Kresta, J.F. Macgregor, T.E. Marlin, Multivariate statisticalmonitoring of process operating performance, Canadian Journal ofChemical Engineering 69 (1991) 35–47.
[26] Y. Lin, E.D. Sontag, A universal formula for stabilizationwith bounded controls, Systems & Control Letters 16 (1991) 393–397.
[27] M. Massoumnia, G.C. Verghese, A.S. Wilsky, Failure detection andidentification, IEEE Transactions on Automatic Control 34 (1989)316–321.
[28] K.B. McAuley, D.A. Macdonald, P.J. McLellan, Effects of operatingconditions on stability of gas-phase polyethylene reactors, AIChEJournal 41 (1995) 868–879.
[29] N. Mehranbod, M. Soroush, C. Panjapornpon, A method of sensorfault detection and identification, Journal of Process Control 15(2005) 321–339.
[30] P. Mhaskar, N.H. El-Farra, P.D. Christofides, Hybrid predic-tive control of process systems, AIChE Journal 50 (2004) 1242–1259.
[31] P. Mhaskar, N.H. El-Farra, P.D. Christofides, Predictive control ofswitched nonlinear systems with scheduled mode transitions, IEEETransactions on Automatic Control 50 (2005) 1670–1680.
[32] P. Mhaskar, N.H. El-Farra, P.D. Christofides, Robust hybridpredictive control of nonlinear systems, Automatica 41 (2005) 209–217.
[33] P. Mhaskar, A. Gani, P.D. Christofides, Fault-tolerant control ofnonlinear processes: performance-based reconfiguration and robust-ness, International Journal of Robust and Nonlinear Control 16(2006) 91–111.
[34] P. Mhaskar, A. Gani, C. McFall, N.H. El-Farra, P.D. Christofides,J.F. Davis, Integrated fault-detection and fault-tolerant control forprocess systems, AIChE Journal 52 (2006) 2129–2148.
[35] A. Negiz, A. Cinar, Statistical monitoring of multivariable dynamicprocesses with state-space models, AIChE Journal 43 (1997) 2002–2020.
[36] P. Nomikos, J.F. Macgregor, Monitoring batch processes usingmultiway principal component analysis, AIChE Journal 40 (1994)1361–1375.
[37] R.J. Patton, Fault-tolerant control systems: the 1997 situation, in:Proceedings of the IFAC Symposium, SAFEPROCESS 1997, HullUnited Kingdom, 1997, pp. 1033–1054.
[38] J. Prakash, S.C. Patwardhan, S. Narasimhan, A supervisoryapproach to fault-tolerant control of linear multivariable systems,Industrial & Engineering Chemistry Research 41 (2002) 2270–2281.
[39] D.K. Rollins, J.F. Davis, Unbiased estimation technique when grosserrors exist in process measurements, AIChE Journal 38 (1992) 563–572.
[40] A. Saberi, A.A. Stoorvogel, P. Sannuti, H. Niemann, Funda-mental problems in fault detection and identification, Interna-tional Journal of Robust and Nonlinear Control 10 (2000) 1209–1236.
[41] D.D. Siljak, Reliable control using multiple control systems, Inter-national Journal of Control 31 (1980) 303–329.
[42] E. Tatara, A. Cinar, An intelligent system for multivariate statisticalprocess monitoring and diagnosis, ISA Transactions 41 (2002) 255–270.
[43] N.E. Wu, K.M. Zhou, G. Salomon, Control reconfigurability oflinear time-invariant systems, Automatica 36 (2000) 1767–1771.
A. Gani et al. / Journal of Process Control 17 (2007) 439–451 451
[44] T.Y. Xie, K.B. McAuley, J.C.C. Hsu, D.W. Bacon, Gas-phaseethylene polymerization – production processes, polymer properties,and reactor modeling, Industrial & Engineering Chemistry Research33 (1994) 449–479.
[45] G.H. Yang, S.Y. Zhang, J. Lam, J. Wang, Reliable control usingredundant controllers, IEEE Transactions on Automatic Control 43(1998) 1588–1593.
[46] X.D. Zhang, T. Parisini, M.M. Polycarpou, Adaptive fault-tolerantcontrol of nonlinear uncertain systems: an information-based diag-nostic approach, IEEE Transactions on Automatic Control 49 (2004)1259–1274.
[47] D.H. Zhou, P.M. Frank, Fault diagnostics and fault tolerant control,IEEE Transactions on Aerospace and Electronic Systems 34 (1998)420–427.