An Architecture for Fault Tolerant Controllers Henrik Niemann Ørsted DTU, Automation Technical University of Denmark Building 326, DK2800 Lyngby, Denmark Email: hhn@oersted.dtu.dk www.oersted.dtu.dk/staff/all/hhn/ Jakob Stoustrup Dept. of Control Engineering Aalborg University DK9220 Aalborg, Denmark Email: jakob@control.auc.dk www.control.auc.dk/ jakob/ January 15, 2003
Abstract A general architecture for fault tolerant control is proposed. The architecture is based on the (primary) Youla parameterization of all stabilizing compensators, and uses the dual Youla parameterization to quantify the performance of the fault tolerant system. The approach suggested can be applied for additive faults, multiplicative faults, and for system structural changes, and the modeling for each of these fault classes are described. The method allows to design for passive as well as for active fault handling. Also, the related design method can be fitted either to guarantee stability or to achieve graceful degradation. A number of fault diagnosis problems, fault tolerant control problems, and feedback control with fault rejection problems are formulated/considered, mainly from a fault modeling point of view. The method is illustrated on a simple servo example with a broken tacho.
0.1 Introduction The best choice of fault model will depend on the purpose of the model. A number of faults can naturally be considered both as additive faults or as multiplicative faults. However, a random choice might not be optimal. The fault model needs to be selected with respect to the application, i.e. fault diagnosis, fault tolerant control (FTC) or feedback control with fault rejection. In the past, additive fault models have been the most popular, especially in connection with fault diagnosis. Modeling e.g. an actuator fault as an additive fault will in general be very useful in connection with fault detection and/or fault isolation. In connection with closedloop systems, an actuator fault might result in instability. Using an additive fault model description in this case, the fault will be considered as an external signal entering the system. The fault signal of the model will therefore not affect the stability of the system. This small example indicates clearly that the description of possible faults in a dynamic system needs to be selected in very close relation with the application of the fault description/fault model. In this paper, three types of faults/fault models will be considered. The three types are as follows: additive faults multiplicative faults parameter faults system structural changes The above fault models can be considered in connection with the following applications: fault detection, fault isolation and fault estimation. fault tolerant control, i.e. the control system can handle faults in the system without resulting in an unstable closed loop system. feedback control with fault rejection, i.e. the effect from the fault is minimized in the closed loop by a feedback controller. This is strongly related to robust feedback controller design. In this paper only linear systems will be considered. However, a number of the presented results can be generalized to nonlinear systems without further assumptions. The results of this paper relates to the areas of fault tolerant control and of robust control. These areas are very well described in a large number of papers and books. Without going into details, let us mention the books by Basseville and Nikiforov [2], Gertler [7] and by Chen and Patton [5] for a good introduction to the area of fault diagnosis. The paper by Blanke et al. [3, 4] and by Patton [11, 12] and the references herein are good introductions to the area of fault tolerant control. Most of these papers describe different concepts for FTC. However, in the past years, also a number of theoretic results has been presented in this area, see e.g. [15, 17, 18, 19, 20, 22]. The area of robust control has been investigated in a large number of books and papers. Let us only mention the books by Skogestad and Postlethwaite [14] and by Zhou et al. [21]. The focus in this paper will be on using different fault models in connection with FTC. The paper will give an overview of the various design problems, depending on the type of faults. A general architecture based on the Youla parameterization will be proposed which allows to handle all fault model types, and to implement solutions for all the design problems described. The architecture is based on the results presented in [8, 10]. This paper is organized as follows. In Section 0.2, the system setup is given for three different fault types together with a number of definitions. The Youla parameterization is first introduced in Section 0.3. A new controller architecture for FTC is introduced in Section 0.4 followed by a study of Faulttolerant control for the three types of fault models in Section 0.5. A passive FTC architecture is introduced in Section 0.6, where there is no switches included in the fault tolerant controller. An example is considered in Section 0.7. Finally, we give a conclusion in Section 0.8. 1
0.1.1 Notation Capital letters will denote matrices or matrix valued functions. is the transposed of. A nominal system is described by and a stabilizing feedback controller for is given by. Further, let an uncertain system or faulty system be given by, where represents the model uncertainty, finite sets of the fault parameters or the input fault signals. A more detailed description of is given below. The interconnection of the nominal system and the feedback controller is given by.! "$#%&(' )&*##+,. *#/ is the lower Linear Fractional Transformation (LFT) of 0,. The upper LFT of 01 is given by 32!4,56 #4#7 #/ 80'9): $#. 0.2 Definitions and System Setup 0.2.1 Definitions Let us first give a number of definitions in connection with feedback control and fault tolerant control. The definition of stable feedback control and robust feedback control are given in [21]. The definitions of fault tolerant control are equivalent with the definitions given in e.g. [3]. Definition 0.2.1 Given a nominal dynamic system and a feedback controller ;. The feedback controller is said to be a stabilizing feedback controller if and only if the closed loop transfer functions of the interconnection <>= is internally stable. Definition 0.2.2 Given a nominal dynamic system and a feedback controller. The feedback controller is said to satisfy nominal performance if and only if the closed loop transfer functions of the interconnection?: = is internally stable and the closed loop transfer function satisfy a predescribed performance condition. Definition 0.2.3 Given a dynamic system and a feedback controller. It is assumed that @ A represents the model uncertainty. The feedback controller is said to be a robustly stabilizing feedback controller if and only if the closed loop transfer functions of the interconnection = is internally stable for all. Definition 0.2.4 Given a dynamic system and a feedback controller. It is assumed that @ A represents the model uncertainty. The feedback controller is said to be a robust performance if and only if the closed loop transfer functions of the interconnection * = is internally stable and the closed loop transfer function satisfy a predescribed performance condition for all B. Definition 0.2.5 Given a set of dynamic systems and a feedback controller. It is assumed that represents a finite number of faulty parameter sets. The feedback controller is said to be a fault tolerant feedback controller if and only if the closed loop transfer functions of the interconnection 3 6 = is internally stable for all sets of faulty parameters. Definition 0.2.6 Given a set of dynamic systems and a feedback controller. It is assumed that represents a finite number of faulty parameter sets or the fault input signals. The feedback controller 3 is said to be a fault tolerant feedback controller with performance recovery if and only if the closed loop transfer functions of the interconnection 8 = is internally stable and the closed loop transfer function satisfy a predescribed (reduced) performance condition, for all sets of faulty parameters or all input fault signals. In connection with Definition 0.2.5 and 0.2.6, it should be pointed out that the first objective in connection with FTC is to stabilize the feedback system, i.e. Definition 0.2.5. However, in some cases, it might also be possible to design the FTC part of the controller such that the closed loop performance reduction due to fault in the system is minimized. Further note in connection with Definition 0.2.5, fault tolerant control is only defined in connection with parametric faults, due to the fact that additive faults cannot destabilize the system. 2
C W 1 200000 1 00. 200 K K K K K C 5 0.2.2 System Setup The general systems applied in connection with the above definitions will now be described in more details by using state space descriptions as well as using transfer functions for the descriptions. ;! system, Consider the following generalized nominal ; & 2 2 (1) where is a disturbance signal vector,! the control input signal vector, #" is the external output signal vector to be controlled, and $&% is the measurement vector. Further, let the system be controlled by a stabilizing feedback controller given by: "'A)( (2) Let the generalized system in (1) including faults. Three different types of faults will now be introduced. First, let us consider systems with additive faults, is then given by +* &435 687 9;: 6=<>6? 2 & 9 <? 2,* /.00000 @ 1A3 6B7 5 9;: 6)<>6 2 (3) @ ;1 9 < 2 where < 6?D FE HG;GHG JI signifies the C th fault for each C. The fault signal vector <?D JE HG;GHG JI $ is a collection of fault signals < 6,, into a vector. Also, it is common in the fault detection and isolation setting for model uncertainties to be described as external input signals in the same manner as disturbance signals K. In other words, K here can be thought of representing both external disturbance signals and signals that might arise due to model uncertainties, see e.g. [6]. However, in the cases where we want to detect, isolate and/or estimate parameter changes or uncertainty variations in the system, the fault model described by (3) can not in general be applied. In the case where the system includes multiplicative faults, can be described by ML : 5JT 5QU L N @OJP A SP P OQ*O.2R A &A 2 2R where KB $ and N $ are the external input and output vectors. The connection between the external output and the external input is given by V N V where represent the multiplicative (parameter) faults in the system. Note that the above description is also applied in connection with description of systems including model uncertainties, see e.g. [21]. In this case, the connection between the external output and the external input is given by where W @W N represent the model uncertainties. Closing the loop from K to N in L : X;6;2 YV +L +L by using V, we get Faults might change the structure of the system. One example is a sensor falling out, which will reduce the number of measurement signals. This will result in multi model systems or hybrid models. Based on a structural change of the nominal system in (1) due to faults, the general system then takes the following form: +Z>[ ] ;: 6 &^ 2R: 6 ;: 6 1 2R: 6 H`;`H` FI ` where indicates a change of system matrices or a change in transfer functions. Note that C. model, Z>a (4) (5) is defined as the nominal 3
0.3 The Youla Parameterization Before considering the three different FTC design cases, the (primary) Youla parameterization and the dual Youla parameterization is shortly introduced. The controller architecture applied for the FTC in the following will be based on the Youla parameterization. The Youla parameterization has also been applied in connection with FTC in [15, 22]. 0.3.1 The Primary Youla Parameterization Let a coprime factorization of the system 2 )( ' from (1) and a stabilizing controller ( from (2) be given by: 2 2 2 2 2 ' 1 5 (6) where the eight matrices in (6) must satisfy the double Bezout equation given by, see [21]: ' ' ) )A 2,2,2 ) )@ 2 (7) Introducing the transfer function from the disturbance signal to the output given by from (1) in connection with the coprime factorization of 2 in (6), we obtain the following relationship: 2,2 Based on the above coprime factorization of the system 2! ( ' and the controller (, we can give a parameterization ( of all controllers that stabilize the system in terms of a stable parameter by [16]: ' * & where or by using a left factored form: * where * 6 6 ' & & 2 2, i.e. all stabilizing controllers are given!! Using the Bezout equation, the controller given either by (8) or by (9) can be realized as an LFT in the parameter, ' "!1 (10) where! is given by! )# 2 (8) (9) )#,2 (11) Reorganizing the controller ' given by (10) results in the closed loop system depicted in Figure 1, [16]. The main observation which shall be exploited in the solution to the fault tolerant control problem, is the following relatively simple expression for the transfer function from the external input to the external output terms of the parameter : 2 ' 0' ) 2 'A 2 2$ where (7) has been exploited. Note, that the transfer function relating and is affine in. 4
+ 2 Figure 1: Controller structure with parameterization + 0.3.2 The Dual Youla Parameterization The dual Youla parameterization, gives a parameterization in term of a stable parameter given controller. The parameterization is given by [16]: * 7 of all systems stabilized by a (12) where 5 or by using a left factored form: * 7 where 7 $! (13) An LFT representation of (12) or (13) is given by: * 6 ; where is given by The interpretation of the dual Youla parameter (14) ) (15) can be investigated from the primal Youla parameterization shown in Figure 1. It turns out that the dual Youla parameter is the open loop transfer function from to in Figure 1, [16], i.e. 2! 2 $ This fact can be used in connection with estimation of the system parameters. In Table 1, has been calculated for a number of different types of model uncertainties, These equations for will be applied in the following in connection with multiplicative faults. The calculation of as function of W is given in Appendix.1 for the general case. 0.4 Fault Tolerant Controller Architecture In the sequel, an architecture for fault tolerant controllers will be proposed, based on the Youla parameterization shown in the block diagram in Figure 1. There is a number of reasons for using the architecture from the Youla parameterization 5
L L L 2!V System description, The dual Youla parameter, )W 2!)W 5 0' W 2 )W W"(' ) / W 2!)W 5 2 ('> W )W W8(' ) W 2 W 5 2 W )W W8(' ) W 2 )W 5 2 (' ) W 2 )W 5 0' ) W 2 W1 2!0',) W 2 2 )W @ W W 2 )W W L W1 W"0',) W1 2 W1 W"0',) W )W W"0',) W1 W ) W W ' < ) W )W '> W L W ) W L W W W ) W Table 1: The connection between different system uncertainty descriptions in terms of. and the dual Youla parameter in connection with FTC. Using this architecture, the parameter will be the FTC part of the controller. This means that the FTC part of the feedback controller is a modification of the existing controller. Thus, a controller change when a fault appears in the system is not a complete shift to another controller, but only a modification of the existing controller by adding a correction signal in the nominal controller, the signal in Figure 1. However, it should be pointed out that it is possible to modify the controller arbitrarily by designing the Youla parameter, see e.g. [9, 16]. Another important thing is that the architecture includes also a parameterization of all residual generators. All residual signals can be described by, [6, 7]9 ),2R (16) This means that it is possible to combine both fault diagnosis and fault tolerant control in the same architecture without any problems. A block diagram for this combined FDI and FTC architecture based on the Youla parameterization is shown in Figure 2 for three potential multiplicative faults the generalization to any number of faults should be obvious. The above controller architecture applied for FTC shown in Figures 1 and 2 has a fixed structure with respect to the number of measurement signals and control signals. This will not in general be the case in real applications. Here, faults in e.g. sensors can be handled by applying other sensors in the system, i.e. the measurement output from the system is changed. Equivalent with faults in connection with the actuators in the system. This type of system change has not directly been included in the system description given by (4) or (5). However, it is possible to include change of sensors and/or actuators in the FTC architecture given above. Let us consider the system 2 given ' by )( (1). Assume that only a subset of the sensors and the actuators has been applied for the nominal feedback controller given by (2). Let the system 2 be partitioned as follows 2R: 2R: 21 2R: 2R: (17) Further, let us use controller given by ' ( ' (18) 6
: : L + Control Selector (switch) : : # 2 + : : # Isolation Logic (filtered NOT) Figure 2: Fault tolerant scheme with three potential multiplicative faults. The residual signal is used both for isolation and for feedforward in the fault handling. Based on this controller, the Youla matrices take then the following form:,2 ) ) 2 ',2 ' ),2 ' ) ' The Youla parameterized controller 'A ' ' given by (8) take then the following form: ) ' '> )# ',2 )# ' (19) A block diagram of the ' given by (19) is shown in Figure 3. From Figure 3, it is possible to calculate the transfer function from to. The open loop transfer function is the zero transfer function in the fault free case. As a direct consequence of this, the closed loop transfer function will be an affine 7
)! ' + #. $# #4# 2 + ' Figure 3: Block diagram for controller with a measurements employed after reconfiguration. parameterization. Note that the nominal controller does not use the function of the fault isolation. parameter. Note that the (or ) vector still can be applied in connection with fault diagnosis and/or It is clear from both Figure 3 and (19) that the controller architecture will allow to use other sensors and/or actuators that is used in connection with the nominal controller '. The result of this generalization of applying the Youla parameterization in connection with fault tolerant control is that it is not a limitation of the controller structure. The structure can without any problems handle the problem of changing sensors and/or actuators, which is normal in connection with fault tolerant control. The above general controller architecture can directly be applied in connection with the results given in Section 0.5. A simplified FTC architecture is applied in Section 0.6 in connection with passive fault tolerant control. The idea in the passive FTC is to remove the FDI part in the architecture. The single FTC controller is designed to handle all faults in the system. Further, the FTC controller will be included all the time. This mean that will be included as an open loop transfer function in the nominal system and in a feedback loop in the faulty system. The advantage by this passive FTC architecture is that delays due to fault isolation is removed from the FTC loop. In Section 0.7, this passive FTC architecture is applied on a servo system. 0.5 Fault Tolerant Control Just as in connection with fault diagnosis, the fault tolerant control problem will depend strongly on the type of faults that can appear in the system. In this paper, the various fault tolerant control design problems will be described for the three different model structures given in Section 0.2. Especially in connection with FTC for systems with structural changes, the solution (the selected controller structure, type etc.) will depend strongly on the specific case. There does not exist any general method with explicit design formulae that can handle the general case. Much better design results can be obtained by using dedicated design methods. 8
E 0.5.1 FTC for Systems with Additive Faults In a large number of systems, faults are described as additive faults. In connection with FTC, this might not be very useful. The reason is that the additive faults can be considered as external input signals to the system. External input signals will not cause any changes in the system dynamics. Specifically, they are not able to change the stability of the closedloop system, see e.g.[21]. Consider for example faults on an actuator. Such faults will in general affect the stability margins of the closedloop system. FTC for systems with additive faults E is therefore only relevant if the faults that can appear enter the system outside the closed loop. Consider the general system setup with additive faults ' given by (3). Closing the system by a stabilizing controller ( given by (2) gives the following closed loop transfer function: B Y 2 ' ('9) 2 ' ) 9 2 'A0'9) 2 ' 9 < (20) From (20), it is clear that additive faults can not affect the closedloop stability only the performance of the system will be affected. The main FTC problem as defined in Definition 0.2.5 does not exist in this case. Instead the design of a feedback controller needs to be done with respect to minimizing the effect from additive faults on the closed loop transfer function, i.e. a fault tolerant control problem with mild performance reduction defined in Definition 0.2.6. This problem is equivalent with a disturbance rejection problem. ' The design of the controller can be done in two steps. First a nominal controller ( is designed such that the nominal performance is satisfied. In the second ' ' step, the Youla parameterized controller given by (9) or (10) is applied, based on the nominal controller (. Using 'A as the feedback controller for the system given by (3) result in the following closedloop system: ) 2 2$ > < Y9 2 9 2$ 9 < # > < 9 # (21) J F9 < From the above closed loop transfer function, it is clear that the FTC problem, i.e. the design of, is equivalent with a disturbance rejection problem. Standard optimization methods can be applied directly for the design of a stable Youla parameter. Using a standard method for the design of, the closed loop transfer function in (21) can be written as an LFT given by: Q < (22) where Q 9 # J J9 The standard setup design problem is shown in Figure 4. < Q )( ( Figure 4: The standard setup for design of for systems with additive faults Based on the standard setup for the design of, we have the following design problem for. E Problem 1 For a given number,, the suboptimal fault tolerant control problem with performance recovery for system with additive faults is defined as the problem of designing, if J: existent, a feedback controller Q is less than or equal to,, such F: J: that the closed loop transfer function Q is stable and the norm of where Q is given by J: Q3 Q 9
and Q is given by Q 2 Y9 2 9 2$ 9 It should also be pointed out that the exact, the almost exact and the optimal design problems for have been considered in details in [13]. Combining FTC with a fault isolation method gives a possibility to design a number of controllers, every single one dedicated to a single fault case. When faults appear in the system, the specified controller to the given fault case can then be selected. It is also important to note that the controller needs to be decoupled when there is no faults in the system, else the closed loop transfer function will be modified, see (21). It is clear that the FTC problem in this case is a performance problem and the closed loop stability will not be affected by the additive faults. 0.5.2 FTC for Systems with Multiplicative Faults In this case, the closedloop stability can be affected by the ' multiplicative faults, if 2 depend on the multiplicative faults. As in Section 0.5.1, a Youla parameterized controller ' ) ' is applied, where the nominal controller is designed for the nominal system. The Youla parameter is then applied for obtaining FTC, i.e. needs to stabilize the closedloop system when a fault has appeared in the system. The stability of the closed loop system require stability of the nominal closedloop system and closedloop stability of a loop where both V and the multiplicative faults is included, [16]. The stability of the closedloop system is satisfied by the design of the nominal feedback controller '. The other closedloop system that needs to be stable is given by 0',) V where V is the dual Youla parameter, depending on the multiplicative faults V. It is required that is stable to guarantee closedloop stability. Combining the Youla parameterization with the dual Youla parameterization, it is not a condition that and need to be stable to guarantee closedloop stability. and V just need to satisfy that the closedloop system given by (23) is stable, [16]. Using the equation from Appendix.1, then take the following form in the general case: V P V 0',) OJP O.2 P BV In connection with (24), it is important to note that the stability condition of and/or of in (23) for satisfying that the faulty closed loop system is stable, is only valid if the faulty system is still detectable and stabilizable from the specified input signals and output signals. This is a standard condition in connection with FTC systems. If the faulty system is not detectable and/or stabilizable, additional actuators and/or sensors need to be included in the system to satisfy these two conditions. It is important to note that if is stable, we do not need a parameter to stabilize the system. In this way, can be used for analyzing which faults are admissible and how large they can be before the closedloop system will become unstable. Based on the general equation for O.2 V given by (24), we have the following FTC design problem. Problem 2 The fault tolerant control problem for system with multiplicative faults is defined as the problem of designing, if existent, a feedback controller, such that given by 0',) V is stable, where is given by V P V 0',) OJP O.2 P BV O.2 (23) (24) In the general case, the equation for V given above is quite complicated. V needs to be derived explicitly in every single case in order to reduce the complexity of V. Consider two simple cases, where the multiplicative faults are 10
placed at either the input to the system (actuator faults) or at the output to the system (sensor faults), i.e. the system given by (4) takes the following form Y V 2 V V 2 V Y 2 2 V 2 2 V (25) for multiplicative faults at the input. The system given by (4) takes the following form for multiplicative faults at the output V 2 V V 2 V Y 2 V 2 V 2 (26) The dual Youla parameter is then given by: V 5 2 V 0' ) 2 V (27) for multiplicative faults at the input and V 2 V 0',) 2 V 2 (28) for multiplicative faults at the output. The two FTC design problems for multiplicative faults at the input and the output are given as follows. Problem 3 The fault tolerant control problem for system with multiplicative input faults is defined as the problem of designing, if existent, a feedback controller, such that given by 0',) V is stable, where is given by V 5 2 V 0' ) 2 V Problem 4 The fault tolerant control problem for system with multiplicative output faults is defined as the problem of designing, if existent, a feedback controller, such that given by 0',) V is stable, where is given by V 2 V 0',) 2 V 2 So far, the stability part with respect to multiplicative faults has been treated. This is the most important part of the FTC. However, it will also in some cases be possible to design the FTC controller (the controller) with respect to both closedloop stability as well as closedloop performance. Closing the loop of the system in (4) with the feedback controller 'A, we get the following closed loop transfer function, see Appendix.2: )( Y where )( Y V 2 V and V 2 V V 2 V %$ B) 2!V 9,29) 2!V V Y SP V 0',) OJP V OJ 2> SP V (' ) OFP V O.2 P V 0',) OJP V OQ 2 P V 0',) OJP V O42 Again, using a standard setup, shown in Figure 5, for the design of the feedback controller, we have the following design problems for FTC with mild performance reduction. E Problem 5 For a given number,, the suboptimal fault tolerant control problem with performance recovery for system with multiplicative faults is defined as the problem of designing, if existent, a feedback controller ;: ;:, such that the closed loop transfer function is stable and the norm of is less than or equal ;: to, where is given by ;: 6 and is given by V 2 V * ) 2 V 9 V 2 )?) 2 V 9 2 ) 2 V?) 2 V V )?) 2 V 9 2 ) 2 V (29) 11
V F( ( Figure 5: The standard setup for design of for systems with multiplicative faults At last, let us again consider the two cases with multiplicative input faults and output faults. The general system in (4) is then given by (25) and (26), respectively. The general closed loop transfer function in (29) is then given by Y V 2 0' V %$ B) 2 0' V 9 < 2 ) 2 0'> V 2 0' V %0'9),2V (30) for multiplicative faults at the input and Y V 2 2$ 6 for multiplicative faults at the output, respectively. %$?)60' V 2 9 < 29)60'> V Y 2 ('> V ('9) V 2 6 $ 0'> V Y (31) Using a standard setup formulation, we get the following open loop transfer functions for the design of the in the two cases (see Figure 5 for the standard setup). For the input fault case, we have : 6 V V 2 V V 2 V 2 ('> V (' ) 2 V 9 2 0' V 0',) 2 V ('9) 2V 9 0' ) 2 V,2RV controller (32) and for the output fault case, we have respectively. : V V 2 V V 2 V 2$ (' ) V 2 9 ('> V 2$ 0' ) V" 2 0',) V 2 0'> V Y V,2!0',) V,2 (33) As in the additive fault case, it is possible to combine fault tolerant control with fault isolation. It is then possible to design a number of controllers, one for every single fault case and then select a specific controller when a fault appear in the system. A system setup including a FTC controller for potential multiplicative faults is shown in Figure 2, where : are the FTC part and 6 are the residual generators for the fault isolation part. 0.5.3 FTC for Systems with Structural Changes This is the most relevant problem in connection with FTC. From a feedback point of view, a fault in a closedloop system will in most cases change the structure of the system. However, in many cases, these structural changes can be described by using LFTs as considered in the multiplicative fault case. In the following, let us just consider the system given by transfer functions described by (5). It is further assumed that the system can only be in the normal (nominal) mode and in one abnormal mode. The abnormal mode is given by: Z 2 2 (34) 12
Z The closed loop transfer function for the nominal system and Z when the feedback controller in (2) is applied are given by ;: ( 2 ' 0' ) 2' ;: ( Z 2 ' 0' ) 2 ' (35) Following the line from the above section, we can again calculate obtaining FTC. The structural changes of 2 can be described in the following way: 2 2 2 ) 2 2 V as a function of the system changes and use this for From Table 1, we have that V 0',) V V Using 2,) 2 in, we get directly B 2 ),2 ) 2 (36) If given by (36) is unstable, the controller needs to be modified by using the feedback controller for stabilizing the system in the abnormal mode. Based on this fact, we have the following FTC design problem for systems with structural changes. Problem 6 The fault tolerant control problem for system with structural changes is defined as the problem of designing, if existent, a feedback controller, such that given by 0' ) is stable, where V with 2,) 2. is given by V 0',) V Now, let us consider the closed loop transfer function from to given by (35). Let the system given in the abnormal mode be described as additive changes of the nominal transfer functions, i.e. 2 2 2 2 V V In the general case, the parameters defined in (37) will be function of a single parameter, i.e. V>Y V V V V V V 2 V 2 V 2 V V 2 V V>Y V V 2 V 2 (37) due to the fact that every system change is caused by a single fault. The closed loop transfer function by is the given by ;: Z )( Y 2 ' ('9) 2 ': ) V < 29 V>2 Y' ('9) ) 29 V 2 ': In the special case where 2 ;: )( does not change in the abnormal mode, i.e. ;: )( V Y ) 2 V 2 'A0' ) 2 ' ) V> Z ;: Z )( is given V (38) in (38) is given by In this case, the stability of the closed loop system will not be affected by the system change. The system change will only affect the performance of the closed loop system. This is equivalent with the additive fault case, where the design of turns out to be an open loop design problem. Note that a change in and/or 2 might not be detectable from the measurement signal, which can make it impossible to do any compensation for the fault in the system. This case will not be discussed further. E As a closing of this section, we will give the, fault tolerant control design problem with mild performance reduction for system with structural changes. For doing this, 'A is applied. It is further assumed that V> 2 V 5V. This assumption is without loss of generality. We then have the following design problem. 13
E Problem 7 For a given number,, the suboptimal fault tolerant control problem with performance recovery for system with structural changes is defined as the problem of designing, if existent, a feedback controller ;: ;:, such that the closed loop transfer function is stable and the norm of is less than or equal ;: to, where is given by ;: 6 and is given by V ) 2 V 2 (' ) V ) V> 2 V 2 %0',) V V 0' ) V V V 0',) 0.6 A Passive Fault Tolerant Controller Architecture In the above section, the applied architecture for the fault tolerant controllers is based on a fault detection/isolation followed by a connection of a dedicated FTC controller, see e.g. Figure 2. The fault detection/isolation will introduce a time delay from a fault appear in the system until a fault tolerant controller can be connected to the system. However, it can not in all cases be accepted that a time delay is included between a fault appear in the system until a fault tolerant controller is active. One way to remove this time delay in the FTC architecture is the let the fault tolerant controller be active all the time. As a consequence of this, the fault tolerant controller needs to be designed with respect to both the performance of the nominal system as well as with respect to closed loop stability of the faulty system. Using the Youla architecture shown in Figure 1 as the architecture for a passive fault tolerant controller, we get the following transfer function for the performance of the nominal closed loop system: 2$ 2 Further, let the dual Youla parameter for the faulty system be given by. Then the FTC design problem is to design such that (' ) (39)! (40) Design of a controller that will minimize a suitable norm of the closed loop transfer function given in (39) and also satisfy the stability condition in (40) is a multi objective design problem. Further and more important, it is required that is open loop stable, because appears in an open loop in in (39). This means that the faulty system must be stabilizable by a stable controller, i.e. it must be strongly stabilizable. It should also be pointed out that this passive FTC approach has the disadvantage that it can only handle a single fault or a few faults in the system. Further, another problem is a possible reduction of the performance of the nominal system by including in the closed loop system. Lets close this section with the design problem for passive fault tolerant controllers. E Problem 8 For a given number,, the passive fault tolerant control problem is defined as the problem of designing, Y if existent, a feedback controller!, such that the norm of the nominal closed loop transfer function is less than or equal to, and stabilize the faulty system, i.e. (' ) where is given by 2 2 0.7 Example The following servo system is quite simple, so it is easy to follow all the calculations. The example deals with a broken tacho loop. It is quite clear that a direct FTC solution to this problem is by replacing the broken loop by a loop based on a differentiation of the output signal. Let us consider a simple servo system given by the following state space realization: 2, 9 ) 2 14
K K C C 9 where is the reference input, is a disturbance load and ), D D 5 ai I # 2 I 4DE G I ;E I # & G I I # G I is the tacho feedback gain. It is assumed that the tacho loop can be broken, which will result in a multiplicative fault. Let us describe the servo system with a potential tacho fault in the general setup given by (4). The multiplicative fault model is given by P ) 2 where and N,O P I HI #,O D N D with fault free system for. Based on this setup, we get directly: OFP O.2 P 2,O )( ' ) )( ',) 2 2 2 Let us use an observer based controller with state feedback gain such that such that is stable. The two gains are given by: The design of the controller is based on an space form. is then given by )( ' ) ) >2 0',) O )( ' ) ) 2 2 0'9),2 (' ) O O OJP O ) G G D )D; G D ) D,O )( ' ) )( ',) 2 2 >2 is stable and an observer gain design followed by a transformation into an observer structure, see e.g. [1]. Calculating the dual Youla parameter given by (24) can now be done by using the coprime factorization in state by using that )( ' ) ), 2 O (+',) ) 2 Based on the above observer based feedback 94D controller, the poles for can now be calculated. It turns out that is unstable when the tacho loop is broken, i.e.. In this case, the poles of is given by: In this case, is not stable for all ( D )D DRG E G E G D E G, a controller needs to be designed such that (' ) $ is stable. In this case, a constant controller can be applied to stabilize )( ) E D ) G D, given by 2 The implementation of the (11). controller must be done based on the Youla parameterized controller given by (10) and 15
1 0. 20 C 0 0 The servo system with the observer based controller givene above ( G has been simulated with a fault on the tacho loop. The system has been simulated with a reference step at and a fault at the tacho loop at. Further, a disturbance is given as normally Gaussian distributed random signal with mean value and a variance at. ( G G D The results of the simulations is shown in Figure 6 9. A step response of the system with disturbance is shown in Figure 6. The tacho loop is partly broken at ( ). It can be seen directly from this figure that the faulty closed loop system is unstable. ( G 12 Output for servo system for q = 0 and δ = 0.71 after 5 sec. 10 8 6 y 4 2 0 2 0 1 2 3 4 5 6 7 8 9 10 Time [sec] Figure 6: Step response of the servo system with a fault at the tacho loop given by G D without any fault handling. The system has become unstable. For stabilizing the faulty servo system, a controller needs to be included. As calculated above, a constant can be ) E D ) G applied for stabilizing the faulty closed loop system, if is selected in the interval. In this example, the controller will be implemented without any switch, i.e. as a passive FTC setup. The reason is that the system includes only a single fault, so we need only a single controller. The parameter can be found by solving the following design problem: ) E D ) G where is a Gaussian distributed random signal. 2 2 and 2! Y' ) 0') 2 'A $ (41) Optimizing (41) gives the following optimal : Using % 6. )DE, we get the following poles for : ( 5 % 6. B)D E ) G E E D G ) E G E ) ERE G RE Based on this design of, the step response for the servo system output is shown in Figure 7 in the case when the R( tacho loop is G 1D complete broken at ( ). As expected the closed loop is stable. Further, the effect from the disturbance on the output is still minimized both for the nominal system as well as for the faulty system. However, from Figure 8, it can be seems that the performance is reduced in the faulty case, i.e. the reduction of the disturbance on the output is not as good as in the nominal case. 16
12 Output for servo system for δ = 1.0 and q = 125 10 8 6 y 4 2 0 2 0 1 2 3 4 5 6 7 8 9 10 Time [sec] Figure 7: Step response of the servo system with a complete broken tacho loop, i.e. 9?D and by using a FTC feedback given by B)DE. Stability is preserved. Finally, the tacho loop signal is shown in Figure 9 with a broken loop at ( G. At last, let us consider the closed loop transfer function from input to output, i.e. the transfer function given by (29). Using and Y9 Y, we get directly that is given by * * $?) * 9 2 ) * * 2 ) O )6 <,2 6,2 2 ) O ) ' 2 by using 2 2 2 ('9) OJP 2!('9) OFP 2 ('9) OJP 2!('9) OFP 2 ) O 2 ) O 2 ) O 2 ) O )( ',) ) >2,O 2 (+',) ) >2,O, )( ',) ) 2 O 2, (+',) ) 2 O * * * * 2 2 2 The design of the parameter needs to be done such that the closed loop transfer function Y Y ) F is given by ; F, i.e. the closed loop transfer function will be the same as the closedloop transfer function for the nominal system, where the nominal closedloop transfer function A controller that satisfy Y 2 B) is given by the following implicit form: O ('> O A direct consequence of this is that it is not possible to design a proper such that strictly proper. This is in line with the direct FTC approach described in the beginning of this example, where the tacho, because 2 is 17
0.03 Output for servo system for δ = 1 and q = 125 0.02 0.01 0 y 0.01 0.02 0.03 0.04 0 1 2 3 4 5 6 7 8 9 10 Time [sec] Figure 8: Response for disturbance rejection of the servo system with a complete broken tacho loop at, i.e. 9?D 9B)D E and by using a FTC feedback given by. The performance is slightly degraded, but stability is preserved. ( G loop is replaced by a differentiation of the output signal. This will also be an approximation up to a certain frequency. The bandwidth of the controller depend on the dynamics of 2 and can therefore not be selected completely free. Calculating by using the above, we get the following equation for which show that is stable. 0' ) O 0'> O 0.8 Conclusion An architecture for fault tolerant control has been proposed. This architecture relies on a common framework for fault modeling based on linear fractional transformations has been introduced, which facilitates modeling of additive faults, multiplicative faults, as well as faults that change the model structure. By applying the (primary) Youla parameterization, an additional controller parameter has been introduced as the main tool to achieve fault tolerance. A feature of the Youla parameterization is that it automatically includes a diagnostic signal. Systematic design procedures to obtain numerical values for the correction parameter have been indicated, which rely on optimization based control design techniques. In order to quantify the fault tolerance of a given configuration, the dual Youla parameterization has been introduced. The magnitude of the corresponding parameter reflects the magnitude of faults that can be handled by the FTC system without losing e.g. stability or performance. Although faults leading to structural changes of a system in principle calls for ad hoc solutions, it has still been possible to give general formulae for fairly rich and important classes of structural changes. The example demonstrated how the method can be used to maintain stability for a simple servo loop, even if the tacho loop is broken at some time. In this case, introducing a constant (nondynamical) correction of the compensators suffices to maintain stability after occurrence of the fault. 18
= = 1.5 The tacho signal in the servo system for δ = 1 and q = 125 1 Tacho signal 0.5 0 0.5 1 0 1 2 3 4 5 6 7 8 9 10 Time [sec] Figure 9: The time response of the tacho signal for the case when the loop is broken at is available. (. No tacho information.1 Calculation of Let us consider the transfer function from to in (4) when multiplicative faults appear in the system. The transfer function is given by: 2 V 56 2 2 V where 2 OJP O.2 P 2 (42) needs to satisfy: 2 2 V where 2! is given by (12) or (13). (43) given now directly that: ('> P V 0',) OJP V O42 (43) Rewriting this equation gives us 0' ) P V (' ) OJP V O.2 P V 0',) OJP V P V 0',) (' ) OJP V O.2 P V 0',) OJP V P V 0',) OJP V9) O42 P V O.2 P V 0',) )OJP O.2$ P V O.2 O42 O42$.2 Calculation of Closing the upper loop in (4) with W W 2 )W )W 2 )W gives SP W"0',) OJP W P W"0',) OJP W OQ 2 P W8(' ) OJP W OQ 2 P W"(' ) OFP W O42 O.2 Let the controller ' be given by 'A ' 0' 0'> 2 2 19
The closedloop transfer function from to, is then given by )W8 W 2 W ' (' ) 2 )W 'A )W W 2 W (',2 0',) 2!)W % 0',2 )W W 2! W *0'> 2 &0' 2 ) 2 W1 0'9 2 ) 2 )W )W W 2 W 2 2 ) 2 )W ) 2!)W,2 ) 2 )W W1 W 2 W %?) 2 )W < 2 ) 2 W )W 20
Bibliography [1] D. Alazard and P. Apkarian. Exact observerbased structures for arbitrary compensators. International Journal of Robust and Nonlinear Control, 9:101 118, 1999. [2] M. Basseville and I.V. Nikiforov. Detection of abrupt changes theory and application. Prentice Hall, 1993. [3] M. Blanke, C.W. Frei, F. Kraus, R.J. Patton, and M. Staroswiecki. What is faulttolerant control? In Preprints of 4th IFAC Symposium on Fault Detection Supervision ans Safety for Technical Processes, SAFEPROCESS 2000, pages 40 51, Budapest, Hungary, 2000. [4] M. Blanke, M. Staroswiecki, and E. Wu. Concepts and methods in faulttolerant control. In Proceedings of American Control Conference, ACC2001, pages 2606 2620, Washington DC, USA, 2001. [5] J. Chen and R. Patton. Robust modelbased fault diagnosis for dynamic systems. Kluwer Academic Publishers, 1998. [6] P.M. Frank and X. Ding. Frequency domain approach to optimally robust residual generation and evaluation for modelbased fault diagnosis. Automatica, 30:789 804, 1994. [7] J. Gertler. Fault detection and diagnosis in engineering systems. Marcel Dekker, 1998. [8] H. Niemann and J. Stoustrup. Passitive fault tolerant control of an inverted double pendulum A case study example. Submitted for publication, November 2002. [9] H. Niemann, J. Stoustrup, and R.B. Abrahamsen. A note on implementation of multivariable controllers. Submitted for publication, journal paper, November 2002. [10] H.H. Niemann and J. Stoustrup. Reliable control using the primary and dual Youla parameterization. In Proceedings of the 41st IEEE Conference on Decision and Control, pages 4353 4358, Las Vegas, NV, USA, 2002. [11] R. Patton. Fault tolerant control: The 1997 situation. In Proceedings of the IFAC Symposium SAFEPROCESS 97, pages 1033 1055, Hull, England, 1997. [12] R. Patton. Where are we in fault tolerant control. Seminar notes, June 1997. Centre for Systems and Control, Faculty of Engineering, Glasgow University, Glasgow, G12 8QQ, UK. [13] A. Saberi, A. A. Stoorvogel, and P. Sannuti. Exact, almost, and optimal input decoupled (delayed) observers. International Journal of Control, 73(7):552 582, 2000. [14] S. Skogestad and I. Postlethwaite. Multivariable feedback control Analysis and design. John Wiley & Sons, 1996. [15] J. Stoustrup and H.H. Niemann. Fault tolerant feedback control using the youla parameterization. In Proceedings of the 6th European Control Conference, Porto, Portugal, September 2001. [16] T.T. Tay, I.M.Y. Mareels, and J.B. Moore. High performance control. Birkhäuser, 1997. [17] Y.Y. Wang and N.E. Wu. An approach to configuration of robust control systems for robust failure detection. In Proceedings of the 32nd Conference on Decision and Control, pages 1704 1709, San Antonio, Texas, USA, 1993. [18] N.E. Wu. Reconfigurable control design: Achieving stability robustness and failure tracking. In Proceedings of the 32nd Conference on Decision and Control, pages 2278 2283, San Antonio, Texas, USA, 1993. [19] N.E. Wu and T.J. Chen. Feedback design in control reconfigurable systems. International Journal of Robust and Nonlinear Control, 6(6):561 570, 1996. 21
[20] N.E. Wu, K. Zhou, and G. Salomon. Control reconfigurability of linear timeinvariant systems. Automatica, 36:1767 1771, 2000. [21] K. Zhou, J.C. Doyle, and K. Glover. Robust and optimal control. Prentice Hall, 1995. [22] K. Zhou and Z. Ren. A new controller architecture for high performance robust, and faulttolerant control. IEEE Transactions on Automatic Control, 46(10):1613 1618, 2001. 22