Hierarchical Control with Guaranteed Fault Diagnosability


10th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, Warsaw, Poland, August 29-31, 2018



IFAC PapersOnLine 51-24 (2018) 1105–1110

Florin Stoican ∗, Felix Petzke ∗∗, Ionela Prodan ∗∗∗, Stefan Streif ∗∗

∗ University POLITEHNICA of Bucharest, Automatic Control and Systems Engineering Department, 313 Splaiul Independentei, Bucharest, Romania (e-mail: [email protected]).
∗∗ Technische Universität Chemnitz, Automatic Control and System Dynamics Lab, 09107 Chemnitz, Germany (e-mail: {stefan.streif,felix.petzke}@.etit.tu-chemnitz.de)
∗∗∗ Laboratory of Conception and Integration of Systems (LCIS EA 3747), Grenoble INP, France ([email protected])

Abstract: A multiple time-scale hierarchical control approach with guarantees for active fault diagnosability (detection and isolation) is presented. Robust positive invariance notions are used to provide a set-membership test for FDI validation at the low level and sufficient constraints for guaranteeing FDI at the high level. Due to the computational burden of the involved bilinear optimization problem, the high-level reference governor operates at a slower sampling time than the controller of the low-level system. Therefore, corner cutting avoidance constraints are imposed such that the faster-sampled lower level is still guaranteed to function properly. A case study illustrates the presented theoretical notions.

© 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

Keywords: hierarchical control, fault detection and isolation, corner cutting

1. INTRODUCTION

With an increasing degree of automation in production plants of all types, the automated detection and identification of faults (FDI) is crucial for the safe operation of such systems. An important prerequisite for FDI is fault diagnosability. To guarantee fault diagnosability during the operation of the plant, model-based FDI methods may require the states of the system to avoid certain regions in the state space. Note that these sets can be non-convex even for linear systems (see, e. g., Stoican et al. (2015)). Note also that in the context of FDI, hierarchical approaches usually refer to different supervisor levels, as e.g. in Zhou et al. (2008). Adetola et al. (2014), e. g., propose a hierarchical fault tolerant model predictive control approach in the sense that a supervisory FDI unit updates the model based on sensor data. Set points obtained in this manner are then used as references in the system's local controllers.

The task of avoiding certain sets in the state space is in its core similar to the obstacle avoidance problem for autonomous vehicles, where hierarchical approaches are often used for the generation of collision-free trajectories. In general, the top layer calculates an (optimal) trajectory based on e.g. shortest path methods like A* (Khorrami and Krishnamurthy (2009); Nieuwenhuisen and Behnke (2014)), dynamic programming (Peterson (1991)), or model predictive control (MPC) based approaches (Bemporad and Rocchi (2011); Cowlagi and Tsiotras (2012); Gao et al. (2010); Liu and Chen (2013)). The major differences are where and how the actual obstacle avoidance is performed: Cowlagi and Tsiotras (2012) introduces time-varying constraints that represent obstacles, while Bemporad and Rocchi (2011) and Gao et al. (2010), e. g., add additional terms (potential-field approaches) that penalize small distances to obstacles to the cost function of the top-layer MPC. Nieuwenhuisen and Behnke (2014) also uses potential fields around obstacles but employs them on the lower level. And Khorrami and Krishnamurthy (2009) perform low-level collision avoidance using a game-theoretic optimization.

A common assumption in obstacle avoidance is that the top layer works on a larger sampling time than the lower one(s). Regarding this assumption, Bemporad and Rocchi (2011) note that too large differences in the sampling times of the individual layers may lead to trajectories that actually intersect with the obstacles. Stoican et al. (2015) approaches this problem by using a hyperplane arrangement scaffolding for obstacles, which leads to a mixed integer program (MIP) in the MPC.

In this paper, a multiple time-scales hierarchical control approach that guarantees fault diagnosability by avoiding non-convex sets in the state space is proposed for linear systems with bounded disturbances. The resulting problem setup has similarities to the one in Scott et al. (2014) for active FDI. However, instead of reducing the computational burden by approximating the zonotopes, this work proposes a hierarchical approach with a high-level reference governor that operates on a sampling time large enough to perform the optimal trajectory planning. On the lower level, a local controller with a higher sampling rate is then used for reference tracking. The low-level trajectories may, however, deviate from the ones on the high level.

2405-8963 © 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2018.09.729

IFAC SAFEPROCESS 2018 1106 Warsaw, Poland, August 29-31, 2018

Florin Stoican et al. / IFAC PapersOnLine 51-24 (2018) 1105–1110

Therefore, the predicted low-level system trajectories are explicitly taken into account in the high-level optimization. This results in a bilevel optimization approach with an explicit formulation of the inner problem using KKT conditions in order to guarantee fault diagnosability.

Notation. For a vector $x_k$, the concatenated sequence of consecutive elements $x_{k-N_1}, \ldots, x_{k-N_2}$ is denoted as
$$x_{[k-N_1,k-N_2]} = \begin{bmatrix} x_{k-N_1}^\top & \ldots & x_{k-N_2}^\top \end{bmatrix}^\top.$$
For matrices $X, Y, Z$ of appropriate dimensions, we denote
$$\Theta^N_{X,Y} = \begin{bmatrix} XY \\ XY^2 \\ \vdots \\ XY^N \end{bmatrix}, \qquad \Phi^N_{X,Y,Z} = \begin{bmatrix} XZ & 0 & \ldots & 0 \\ XYZ & XZ & \ldots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ XY^{N-1}Z & XY^{N-2}Z & \ldots & XZ \end{bmatrix},$$
and $\mathrm{diag}(X)_N = \mathrm{diag}(\underbrace{X, \ldots, X}_{N \text{ elements}})$.

For a set $P \subset \mathbb{R}^n$ and $N \in \mathbb{N}_+$, $P^{[N]} = \underbrace{P \times \cdots \times P}_{N \text{ times}}$. The Minkowski sum of two sets $X, Y$ is $X \oplus Y = \{x + y : x \in X, y \in Y\}$.

2. PRELIMINARIES

We briefly recapitulate here a standard multi-sensor plant used in a series of papers dealing with set-based fault tolerant control strategies, see, e.g., Stoican and Olaru (2013); Stoican et al. (2012). The overall fault tolerant control (FTC) scheme is depicted in Figure 1 with the various components described hereinafter.

2.1 Multi-sensor plant dynamics

Let us consider the discrete-time (with the associated sampling time Δ) multi-sensor plant dynamics:
$$x_{k+1} = Ax_k + Bu_k + Ew_k, \qquad (1a)$$
$$y^i_k = C^i x_k + \eta^i_k, \qquad (1b)$$
where $x_k, x_{k+1} \in \mathbb{R}^n$ are the current and successor states, $u_k \in \mathbb{R}^m$ is the input, $y^i_k \in \mathbb{R}^p$ are the outputs [1] and $w_k \in W \subset \mathbb{R}^r$, $\eta^i_k \in V^i \subset \mathbb{R}^p$ are bounded process disturbance and measurement noises respectively. Matrices $A, B, C^i$ are of appropriate dimensions. Index i enumerates through a finite collection of pairs $(C^i, V^i)$.

The goal is for the plant's state (1) to track a reference signal $\bar x$ which verifies the nominal plant dynamics
$$\bar x_{k+1} = A\bar x_k + B\bar u_k, \qquad (2)$$
such that the tracking error $z_k \triangleq x_k - \bar x_k$ dynamics
$$z_{k+1} = Az_k + B(u_k - \bar u_k) + Ew_k, \qquad (3)$$
rest in a neighborhood of the origin (bounded by a set to be characterized later). To each sensor we attach an observer which provides a state estimation $\hat x^i_k$ with dynamics
$$\hat x^i_{k+1} = A\hat x^i_k + Bu_k + L^i\big(y^i_k - \hat y^i_k\big), \qquad (4a)$$
$$\hat y^i_k = C^i\hat x^i_k, \qquad (4b)$$
with estimation error $\tilde x^i_k \triangleq x_k - \hat x^i_k$ dynamics given by [2]:
$$\tilde x^i_{k+1} = \big(A - L^iC^i\big)\tilde x^i_k - L^i\eta^i_k + Ew_k. \qquad (5)$$
To close the loop, we define the control law
$$u_k = \bar u_k + K\big(\bar x_{k-\tau+1} - \hat x^{i_k}_{k-\tau+1}\big) \qquad (6)$$
composed from the feedforward term $\bar u_k$ and the delayed feedback corrective term $K\big(\bar x_{k-\tau+1} - \hat x^{i_k}_{k-\tau+1}\big)$. Note that the latter uses delayed information (from time instant k − τ + 1) based on a decision taken at the current time instant (index $i_k$). Both of these design choices will be justified by the latter implementation of the fault detection and isolation mechanism [3]. Introducing (6) in (3) and noting that $\bar x_k - \hat x^i_k = \tilde x^i_k - z_k$ leads to
$$z_{k+1} = Az_k + BK\big(\tilde x^{i_k}_{k-\tau+1} - z_{k-\tau+1}\big) + Ew_k. \qquad (7)$$
Remark 1. Note that (7) has become a dynamic with fixed delay and that the existence of a stabilizing static feedback K, even if the pair (A, B) is controllable, is no longer guaranteed (Bara and Boutayeb, 2005). □

2.2 Fault scenario and residual design

Hereinafter we assume total output sensor failures as fault events:
$$y^i_k = C^i x_k + \eta^i_k \;\xrightarrow{\;FAULT\;}\; y^i_k = 0 \cdot x_k + \eta^{i,F}_k, \qquad (8)$$
with $\eta^{i,F}_k \in V^{i,F} \subset \mathbb{R}^p$ denoting the under-fault measurement noise. For the subsequent fault detection and isolation (FDI) we require the construction of a residual signal (Blanke et al., 2006) which is sensitive to fault occurrences and robust to disturbances and noise. While the output estimation error $\hat y^i_k - y_k$ is a usual choice, we prefer here to construct a residual which considers a finite number of consecutive outputs (thus simultaneously avoiding the filter behavior of a Luenberger observer and the loss of information characteristic to parity equations):
$$r^i_k = y^i_{[k-\tau+1,k]} - \big(\Theta^\tau_{C^i,A}\,\bar x_{k-\tau} + \Phi^\tau_{C^i,A,B}\,\bar u_{[k-\tau,k-1]}\big), \qquad (9)$$
with $r^i_k \in \mathbb{R}^{p\cdot\tau}$. The next lemma (based on a result from (Stoican et al., 2012) and on similar work from the state of the art) shows that the i-th residual (9) characterizes a fault occurrence in terms of known quantities.

Lemma 2. Assuming a persistent fault (i.e., (8) remains unchanged for at least τ instants of time), it follows that the i-th residual (9) lies in one of two possible values:

i) healthy "steady state":
$$r^{i,H}_k = \Theta^\tau_{C^i,A}\,z_{k-\tau} + \Phi^\tau_{C^i,A,BK}\big(\tilde x^{\,i_{[k-\tau,k-1]}}_{[k-2\tau+1,k-\tau]} - z_{[k-2\tau+1,k-\tau]}\big) + \Phi^\tau_{C^i,A,E}\,w_{[k-\tau,k-1]} + \eta^i_{[k-\tau+1,k]}; \qquad (10)$$

ii) faulty "steady state":
$$r^{i,F}_k = \eta^{i,F}_{[k-\tau+1,k]} - \big(\Theta^\tau_{C^i,A}\,\bar x_{k-\tau} + \Phi^\tau_{C^i,A,B}\,\bar u_{[k-\tau,k-1]}\big). \qquad (11)$$

[1] Without any loss of generality we assume that the output dimension is the same for all sensors.
[2] We assume that each pair $(A, C^i)$ is observable and hence there exists a static feedback $L^i$ which stabilizes the observer dynamics.
[3] Assuming an exact FDI mechanism, the control reconfiguration reduces to selecting a state estimation (4a) from a pool of indices guaranteed to be healthy, as shown, e.g., in Stoican and Olaru (2013).


[Figure 1 (block diagram, image not recoverable): plant P with sensors S1, S2, ..., SN producing outputs y1, ..., yN corrupted by noises η1, ..., ηN; one observer per sensor producing state estimations x̂1, ..., x̂N and tracking error estimates ẑ1, ..., ẑN; a low-level FDI block; a switch SW selecting ẑ∗ from the healthy index set IH for the feedback gain K; a high-level reference governor providing x̄ and ū at the slow sampling time Δ̆, while the low level runs at the fast sampling time Δ.]

Fig. 1. Hierarchical fault tolerant plant control scheme with high-level optimal reference governor (cf. Sec. 3). Lined boxes represent observers of the individual sensors. SW is a switch choosing one of the healthy state estimations from the index set $I_H$ for the state feedback.

Proof. Residual (9) is in fact a difference between τ consecutive sensor outputs ($y^i_{[k-\tau+1,k]}$) and τ consecutive reference outputs ($\bar y_{[k-\tau+1,k]} \triangleq \Theta^\tau_{C^i,A}\,\bar x_{k-\tau} + \Phi^\tau_{C^i,A,B}\,\bar u_{[k-\tau,k-1]}$). Expressing the former in the form of the latter we have in the healthy case that
$$y^i_{[k-\tau+1,k]} = \Theta^\tau_{C^i,A}\,x_{k-\tau} + \Phi^\tau_{C^i,A,B}\,u_{[k-\tau,k-1]} + \Phi^\tau_{C^i,A,E}\,w_{[k-\tau,k-1]} + \eta^i_{[k-\tau+1,k]}.$$
Conversely, if the i-th sensor was under fault for the last τ instants, the right hand side of (8) applies and we have that $y^i_{[k-\tau+1,k]} = \eta^{i,F}_{[k-\tau+1,k]}$. Further using (6) we have that
$$u_{[k-\tau,k-1]} = \bar u_{[k-\tau,k-1]} + \mathrm{diag}(K)_\tau\big(\tilde x^{\,i_{[k-\tau,k-1]}}_{[k-2\tau+1,k-\tau]} - z_{[k-2\tau+1,k-\tau]}\big).$$
Combining all these elements we reach (10) and (11) respectively, thus concluding the proof. □

A couple of remarks are in order.

Remark 3. While at first glance, at time instant k, $y^i_{k+1}$ is available for measurement and subsequent analysis, in fact this assumes that $u_k$ has already been 'decided' and applied to the plant dynamics. This negates the scope of the analysis, which is to decide on whether a certain state estimation is of use for the current control action design. □

Remark 4. Whenever τ, the length of the observation window, is large enough such that $\Theta^\tau_{C^i,A}$ is full-rank there is no loss of information by multiplying with its inverse (an issue when using parity equations as residuals). □

   BK E A 0 . . . 0 −BK  0 0 I 0 . . . 0 0   , Ψ →  . .  , (12) Γ →  . . . . .  .. ..   .. .. . . .. ..  0 0 ... I 0 0 0 lead to the invariant set Szτ (i.e, z[k−τ +1,k] ∈ Szτ implies that z[k−τ ++1,k+] ∈ Szτ , ∀ ≥ 0). Since zk−τ appears in (10) we also consider the auxiliary bounding set Szτ,∗ :    τ,∗ τ Sz = ConvexHull (13) Proj Sz |z . 

=0...τ −1

Construction (13) is based on the fact that whenever z[k−τ +1,k] ∈ Szτ holds we have that zk− ∈ Szτ,∗ , ∀ = 0 . . . τ − 1 also holds. Corollary 5. Assuming that the state estimations and the tracking error lie inside their bounding sets (˜ xik ∈ S˜i , z[k−τ +1,k] ∈ Szτ ) allows to characterize the healthy and faulty residual sets: i) healthy “steady state”:   [τ ] Rki,H =V i,[τ ] ⊕ ΘτC i ,A Szτ,∗ ⊕ ΦτC i ,A,BK S˜i ⊕ ΦτC i ,A,BK {−Szτ } ⊕ ΦτC i ,A,E W [τ ] ;

(14)

ii) faulty “steady state”:

Rki,F =V i,F,[τ ]   ⊕ −ΘτC i ,A x ¯k−τ − ΦτC i ,A,B u ¯[k−τ,k−1] ;

(15)

2.3 Set characterizations Assuming bounded disturbances and noises leads to bounded estimation error, tracking error and residuals. To alleviate the computational burden we consider the notion of invariant sets associated to a dynamic (Blanchini, 1999). Definition 1. A set Ω ⊂ Rn is called a robust positively invariant set for dynamics x+ = Γx + Ψδ with Γ ⊂ Rn×n , Ψ ⊂ Rn×m and δ ∈ ∆ ⊂ Rm iff ΓΩ ⊕ Ψ∆ ⊆ Ω holds.   Applying Definition 1 to (5) for Γ → A − Li C i , Ψ∆ → i i i ˜ ˜k ∈ S˜i L V ⊕ EW leads to the invariant set Si (i.e, x i ˜ implies that x ˜k+ ∈ Si , ∀ ≥ 0). Next, the lifted tracking error dynamics of (7) with state variable z[k−τ +1,k] where

Proof. The proof is straightforward: (14)–(15) mirror (10)–(11) and all variables are either known (the references $\bar x_{k-\tau}$, $\bar u_{[k-\tau,k-1]}$) or are bounded (measurement and process noises; estimation and tracking errors). □

3. HIERARCHICAL REFERENCE GOVERNOR WITH ACTIVE FDI

With the previous section’s notation it follows that the separation condition
$$R_k^{i,H} \cap R_k^{i,F} = \emptyset, \quad \forall i \qquad (16)$$
is a sufficient condition for exact FDI: since the residual $r^i_k$ has to lie in either $R_k^{i,H}$ or $R_k^{i,F}$ (after at least $\tau$ time instants have passed since the latest switch in (8)), (16)

means that the set membership exclusion $r^i_k \notin R_k^{i,H}$ is an unambiguous FDI signal.

Further noticing that (15) is parametrized after state and input references and that $R_k^{i,H}$ is time invariant allows to reformulate (16) as⁴
$$\Theta^\tau_{C^i,A}\, \bar x_{k-\tau} + \Phi^\tau_{C^i,A,B}\, \bar u_{[k-\tau,k-1]} \notin -V^{i,F,[\tau]} \oplus R^{i,H}. \qquad (17)$$
(17) serves as constraint enforcing FDI in a constrained optimization problem (thus, an active FDI scheme).

3.1 Hierarchical active FDI validation

While (17) is a popular formulation, it is often inefficiently implemented. In here, we propose a hierarchical approach where we separate between the computation of the reference values (higher level) and the FDI validation (lower level). This is justified both by the difficulties of solving (17), a problem with non-convex constraints, and by the fact that a reference should not be updated more often than it is necessary. Hence, we propose to consider at the higher level a larger sampling time (to which corresponds a slower update of the reference values) $\breve\Delta = N\Delta$. To this sampling time correspond reference dynamics:
$$\breve{\bar x}_{k+1} = \breve A\, \breve{\bar x}_k + \breve B\, \breve{\bar u}_k, \qquad (18)$$
where the “breve” modifier signifies that the variables and associated matrices correspond to the higher-level sampling time $\breve\Delta$. That is, $\breve{\bar x}_k$ corresponds to $\bar x_{kN}$, $\breve A = A^N$ and $\breve B = \sum_{s=0}^{N-1} A^s B$.

Note that updating the input at $\breve\Delta = N\Delta$ time instants constrains the $\Delta$-sampled references (2) as follows:
$$\bar x_{\breve k+\ell} = A^\ell\, \bar x_{\breve k} + \sum_{s=0}^{\ell-1} A^s B\, \bar u_{\breve k}, \qquad (19a)$$
$$\bar u_{\breve k+\ell} = \bar u_{\breve k}, \qquad (19b)$$
for $\ell = 0, \dots, N-1$ and $\breve k = \lfloor k/N \rfloor$.

While (18) and (19) allow to express (17) in the $\breve\Delta$-sampling representation regardless of the relation between the FDI-induced delay $\tau$ and the sampling multiplier $N$, it is less cumbersome if we take the latter as greater than the former⁵: $N > \tau$. Under this assumption the sequence $\bar u_{[k-\tau,k-1]}$ remains constant (see (19b)) and (17) becomes⁶
$$\breve\Theta^\tau_{C^i,A}\, \breve{\bar x}_{\breve k} + \breve\Phi^\tau_{C^i,A,B}\, \breve{\bar u}_{\breve k} \notin -V^{i,F,[\tau]} \oplus R^{i,H}, \qquad (20)$$
where
$$\breve\Theta^\tau_{C^i,A} = \Theta^\tau_{C^i,A}, \qquad (21a)$$
$$\breve\Phi^\tau_{C^i,A,B} = \Phi^\tau_{C^i,A,B} \cdot [I \;\dots\; I]. \qquad (21b)$$

We can now write the top-level reference governor:
$$\breve{\bar u}_{[k,k+N_p-1]} = \arg\min_{\breve{\bar u}_{[k,k+N_p-1]}} \sum_{\ell=1}^{N_p} C\left( \breve{\bar x}_{k+\ell+1}, \breve{\bar u}_{k+\ell} \right) \qquad (22a)$$
$$\text{s.t. } \breve{\bar x}_{k+\ell+1} \in \bar X, \quad \breve{\bar u}_{k+\ell} \in \bar U, \qquad (22b)$$
$$(18), (20) \text{ hold for } \breve k \leftarrow k+\ell, \quad \ell = 0 \dots N_p-1, \qquad (22c)$$
where $N_p$ is the length of the prediction horizon; $C(\cdot,\cdot) : \mathbb{R}^{n \times p} \to \mathbb{R}$ is a, usually quadratic, scalar cost involving the reference states and inputs; $\bar X \subset \mathbb{R}^n$, $\bar U \subset \mathbb{R}^p$ are bounding sets for the reference state and input.

⁴ To emphasize that the right-hand of (16) is time-invariant we used $R^{i,H}$ instead of $R_k^{i,H}$.
⁵ This is a reasonable simplification since both $\tau$ and $N$ are parameters selected by the supervisor.
⁶ Note that we switched to index $\breve k$ since the delay $\tau$ is no longer relevant and index $k$ corresponds to the $\Delta$-sampled dynamics.

3.2 Guaranteed fault diagnosability for intra-sample behavior

Enforcing (20) in (22) reduces to (17) whenever $k - \tau$ is a multiple of $\breve k$. In the rest of the cases, the validation of (17) is no longer guaranteed (from the point of view of (18)–(20) this is an intra-sample behavior and thus completely ignored). In the motion planning parlance, this is called cutting the corner: a collision avoidance constraint may be verified at the sampling times and still be invalid at other times (i.e., “cuts the corner of the obstacle”). Within the paper’s framework the corner cutting translates to the FDI no longer being guaranteed to be exact (a major drawback as FDI decisions are required at each $\Delta$ sampling time to update the control action (6)).

Therefore, we propose here a reformulation of constraint (20) such that (17) is guaranteed to hold under restrictions (19) at each sampling time $\Delta$. Using the same reasoning as in Stoican et al. (2015); Richards and Turnbull (2015) we modify the separation condition (22c) into:
$$\alpha_{\breve k+\ell} \left( \breve\Theta^\tau_{C^i,A}\, \breve{\bar x}_{\breve k+\ell} + \breve\Phi^\tau_{C^i,A,B}\, \breve{\bar u}_{\breve k+\ell} \right) + (1 - \alpha_{\breve k+\ell}) \left( \breve\Theta^\tau_{C^i,A}\, \breve{\bar x}_{\breve k+\ell+1} + \breve\Phi^\tau_{C^i,A,B}\, \breve{\bar u}_{\breve k+\ell+1} \right) \notin -V^{i,F,[\tau]} \oplus R^{i,H}, \qquad (23)$$
for $0 \le \alpha_{\breve k+\ell} \le 1$ and $\ell = 1, \dots, N_p$.

(23) simply states that no point on the segment defined by the state/input combination at times $\breve k+\ell$, $\breve k+\ell+1$ should intersect the region where FDI is undecidable. In other words, no such point should sit in the “shadow” made by the current point with the obstacle. Assuming that the intermediary points (19) do not deviate from this segment, this means that (17) holds at each sampling time $\Delta$. To proceed further we consider the half-space representation of $-V^{i,F,[\tau]} \oplus R^{i,H} = \left\{ \zeta \in \mathbb{R}^n : H^i \zeta \le h^i \right\}$, with $H^i \in \mathbb{R}^{N_i \times n}$, $h^i \in \mathbb{R}^{N_i \times 1}$ and denote for compactness with $\xi_{\breve k+\ell}$, $\xi_{\breve k+\ell+1}$ the segment’s end-points from (23) which becomes, with these notations:
$$H^i \left( \alpha_{\breve k+\ell}\, \xi_{\breve k+\ell} + (1 - \alpha_{\breve k+\ell})\, \xi_{\breve k+\ell+1} \right) \le h^i. \qquad (24)$$
It is known (see, e.g., Scott et al. (2014)) that the exclusion constraint (24) is equivalent with the feasibility test of:
$$\lambda^i_{\breve k+\ell} = \min_{\alpha_{\breve k+\ell},\, \lambda^i_{\breve k+\ell}} \lambda^i_{\breve k+\ell} \qquad (25a)$$
$$\text{s.t. } 1 \le \lambda^i_{\breve k+\ell}, \qquad (25b)$$
$$0 \le \alpha_{\breve k+\ell} \le 1, \qquad (25c)$$
$$H^i \left( \alpha_{\breve k+\ell}\, \xi_{\breve k+\ell} + (1 - \alpha_{\breve k+\ell})\, \xi_{\breve k+\ell+1} \right) \le \lambda^i_{\breve k+\ell}\, h^i. \qquad (25d)$$

If (25) is feasible it means that the line segment has intersected the obstacle for a supraunitary scaling factor $\lambda^i_{\breve k+\ell}$, i.e., the obstacle does not actually intersect the segment. Replacing (22c) with (25) in (22) leads to a bilevel optimization problem: at each step in the optimization procedure the outer problem solves $N_p$ inner problems, that is, (22c) is replaced by
$$\lambda^i_{\breve k+\ell} \ge 1, \qquad (26a)$$
$$\text{where } \lambda^i_{\breve k+\ell} \text{ are solutions to (25).} \qquad (26b)$$
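As an added example (not code from the paper), the inner problem (25) and the test (26a) for one segment can be solved exactly without an LP solver when the obstacle is a polytope $\{\zeta : H\zeta \le h\}$ with $h > 0$ (origin in its interior, as for the regions of Fig. 3): for fixed $\alpha$ the smallest admissible $\lambda$ is $\max_j H_j \xi(\alpha)/h_j$, a convex piecewise-linear function of $\alpha$ whose minimum over $[0,1]$ lies at an endpoint or where two pieces cross. The box obstacle and the three segments are constructed sample data; the endpoint-only check stands in for what enforcing (20) at the slow instants alone sees, which is where the corner cutting goes unnoticed.

```python
from itertools import combinations

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def point_scaling(H, h, xi):
    """Smallest lambda with H xi <= lambda h for a single point.
    Requires h_j > 0, i.e. the obstacle contains the origin (assumption)."""
    return max(dot(Hj, xi) / hj for Hj, hj in zip(H, h))

def segment_min_scaling(H, h, xi1, xi2):
    """Inner problem (25) without the bound (25b): returns (lambda*, alpha*),
    lambda* = min over alpha in [0,1] of max_j H_j xi(alpha) / h_j,
    with xi(alpha) = alpha*xi1 + (1-alpha)*xi2 as in (25d)."""
    # every half-space j contributes an affine piece c_j + s_j * alpha
    pieces = [(dot(Hj, xi2) / hj, (dot(Hj, xi1) - dot(Hj, xi2)) / hj)
              for Hj, hj in zip(H, h)]
    # the max of affine pieces is convex: its minimum on [0,1] is at an
    # interval end or at a crossing of two pieces, so enumerate those
    candidates = [0.0, 1.0]
    for (c1, s1), (c2, s2) in combinations(pieces, 2):
        if s1 != s2:
            a = (c2 - c1) / (s1 - s2)
            if 0.0 <= a <= 1.0:
                candidates.append(a)
    return min((max(c + s * a for c, s in pieces), a) for a in candidates)

def segment_clear(H, h, xi1, xi2):
    """Test (26a): the whole segment avoids the obstacle iff lambda* >= 1."""
    return segment_min_scaling(H, h, xi1, xi2)[0] >= 1.0

def endpoints_clear(H, h, xi1, xi2):
    """Checking the exclusion only at the two slow sampling instants."""
    return all(point_scaling(H, h, xi) >= 1.0 for xi in (xi1, xi2))

# constructed obstacle: the box |zeta|_inf <= 1 written as H zeta <= h
BOX_H = [(1.0, 0.0), (0.0, 1.0), (-1.0, 0.0), (0.0, -1.0)]
BOX_h = [1.0, 1.0, 1.0, 1.0]

# constructed segments; in all three both endpoints lie outside the box
CUTS_CORNER = ((-1.5, 0.2), (0.2, 1.5))   # crosses the box interior
TOUCHES = ((2.0, 0.0), (0.0, 2.0))        # grazes the corner (1, 1)
CLEAR = ((1.5, -1.5), (1.5, 1.5))         # stays outside entirely

if __name__ == "__main__":
    cases = {"cuts corner": CUTS_CORNER, "touches": TOUCHES, "clear": CLEAR}
    for name, (p, q) in cases.items():
        lam, alpha = segment_min_scaling(BOX_H, BOX_h, p, q)
        print(f"{name:12s} endpoints ok={endpoints_clear(BOX_H, BOX_h, p, q)} "
              f"segment ok={segment_clear(BOX_H, BOX_h, p, q)} "
              f"lambda*={lam:.4f} at alpha={alpha:.4f}")
```

For the first segment the endpoint check passes while $\lambda^* \approx 0.763 < 1$, which is exactly the corner-cutting case (23) is built to reject.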

The bi-level formulation can be reformulated by writing the inner problem in its Karush-Kuhn-Tucker (KKT) form:
$$\begin{bmatrix} 0 \\ 1 \end{bmatrix} + \begin{bmatrix} 0 & -1 & 1 & \left( H^i (\xi_{\breve k+\ell+1} - \xi_{\breve k+\ell}) \right) \\ -1 & 0 & 0 & (-h^i) \end{bmatrix} \mu^i_{\breve k+\ell} = 0, \qquad (27a)$$
$$\mu^i_{\breve k+\ell} \ge 0, \quad g(\xi, \lambda, \alpha) \le 0, \qquad (27b)$$
$$\mu^i_{\breve k+\ell} \times g(\xi, \lambda, \alpha) = 0, \qquad (27c)$$
with $g(\xi, \lambda, \alpha)$ the shorthand notation for inequalities (25b)–(25d), $\mu^i_{\breve k+\ell}$ the associated vector of Lagrangian multipliers and “$\times$” the elementwise complementarity operator. The vector in (27a) is the gradient of the cost (25b), i.e., $\nabla(\lambda^i_{\breve k+\ell})$ and the matrix is the gradient of the inequalities (25b)–(25d), i.e., $\nabla g(\xi, \lambda, \alpha)$.

Replacing (22c) with (27) leads to a single-level problem but at the price of introducing nonlinearities (foremost, the complementarity constraint (27c) but also the bilinear terms $\alpha_{\breve k+\ell}\, \xi_{\breve k+\ell}$, $\alpha_{\breve k+\ell}\, \xi_{\breve k+\ell+1}$ appearing in (27b)). While further processing is possible (e.g., relaxing the complementarity constraint into a mixed-integer formulation), we prefer here to leave it as a nonlinear optimization problem which will be further handled by specialized solvers.

Remark 6. An aspect usually neglected in the literature is the trajectory’s curvature: the intra-sample points (computed at each $\Delta$ time instant) do not actually lie on the segment defined by the consecutive points taken at $\breve\Delta$ time instants. In the following (since $N$ is taken comparable with $\tau$ and thus, of small value), we simplify and only consider the line-segments. A more complete approach would be to compute the maximum curvature and enlarge with it the sets appearing in (17) thus coming back to a “straight lines” formulation but with larger sets. □

4. ILLUSTRATIVE EXAMPLE

For illustration purposes consider the system
$$x_{k+1} = \underbrace{\begin{bmatrix} 1 & 0.1 \\ 0 & 1 \end{bmatrix}}_{A} x_k + \underbrace{\begin{bmatrix} 0 & 0.5 \\ 1 & 1 \end{bmatrix}}_{B} u_k + \underbrace{\begin{bmatrix} 0 \\ 0.1 \end{bmatrix}}_{E} w_k, \qquad (28)$$
with output matrices $C^{\{1,2,3\}}$:
$$C^1 = [1.5 \;\; 0], \quad C^2 = [1 \;\; -1], \quad C^3 = [1.5 \;\; 1]. \qquad (29)$$
The process and measurement bounding sets are
$$W = \{ w : |w| \le 0.1 \}, \qquad (30a)$$
$$V^i = \{ \eta^i : |\eta^i| \le 0.1 \}, \quad V^{i,F} = \{ \eta^{i,F} : |\eta^{i,F}| \le 0.1 \}, \qquad (30b)$$
for $i \in \{1, 2, 3\}$.

For each sensor we construct an observer as in (4) with the gain matrices $L^i$ being the result of a pole placement procedure (with poles assigned between 0.9 and 0.95):
$$L^1 = \begin{bmatrix} 0.148 \\ 0.033 \end{bmatrix}, \quad L^2 = \begin{bmatrix} 0.078 \\ 0.033 \end{bmatrix}, \quad L^3 = \begin{bmatrix} 0.100 \\ 0.033 \end{bmatrix}. \qquad (31)$$

Further, we take the feedback delay appearing in (6) as $\tau = 2$ (which is enough to guarantee the invertibility of matrices $\Theta^\tau_{C^i,A}$ appearing in (10)–(11)). The static feedback is computed as in Bara and Boutayeb (2005) by representing (7) in extended form (in which case the static feedback with delayed information of (7) becomes an output static feedback):
$$K = \begin{bmatrix} -0.15 & -0.15 \\ 0.15 & 0.20 \end{bmatrix}. \qquad (32)$$
We apply Raković and Fiacchini (2008) to compute the RPI sets for the state estimation errors ($\tilde S^i$) and for the extended tracking error ($S_z^\tau$). These are further used to construct the bounding set $S_z^{\tau,*}$ as in (13), the healthy and faulty residual sets (14)–(15) and, lastly, the right-hand region appearing in the FDI condition (17). For illustration purposes we depict in Figure 2a the sets $\tilde S^i$ (solid blue) together with the smallest box enclosing their union (dashed red), used later in the construction of $S_z^\tau$. Figure 2b illustrates the projections of $S_z^\tau$ (along each of the $z$ components of the extended state $z_{[k-\tau+1,k]}$, solid blue) together with their bounding set, $S_z^\tau$ (dashed red).

Fig. 2. RPI sets associated with the plant and observer dynamics. [Figure: (a) state estimation error sets $\tilde S^1$, $\tilde S^2$, $\tilde S^3$, both axes spanning $[-0.5, 0.5]$; (b) tracking error sets $\mathrm{Proj}(S_z^\tau | z_1)$ and $\mathrm{Proj}(S_z^\tau | z_2)$, axes spanning $[-3, 3]$ and $[-2.5, 2.5]$.]

To highlight the analysis carried in Section 3 we consider a sample multiplier $N = 2$ and the reference governor (22) with prediction horizon $N_p = 3$, input and state bounds ($\bar U = \{ \bar u : |\bar u| \le 10 \}$, $\bar X = \{ \bar x : |\bar x| \le 50 \}$) and weight matrices $Q = R = I$. To illustrate the result we provide an ideal reference to be tracked (points sampled along the circumference of a circle of radius $r = 25$). In Figure 3 we depict both the reference (green line with square markers) and the left-hand side of (17), the sequence $\breve{\bar x}_{\breve k} + (\breve\Theta^\tau_{C^i,A})^{-1} \breve\Phi^\tau_{C^i,A,B}\, \breve{\bar u}_{\breve k}$ (blue line with bullet markers). As expected, the constraints (27) ensure the corner cutting avoidance constraint: no segment formed by a pair of consecutive points cuts the obstacles. Using (19a) we observe in Figure 4 that the inter-sample reference states lie close to the straight lines defined by the $\breve\Delta$-sampled reference states (for the chosen $N = 2$, close enough to validate the assumption that the inter-samples are stringed along the segments).

Fig. 3. Illustration of reference governor implementation with active FDI validation. The blue areas depict regions in the state space where FDI is not decidable. [Figure: the regions $R^{i,H} \oplus (-V^{i,F,[\tau]})$ for $i = 1, 2, 3$ and the “real” and “ideal” references, both axes spanning $[-35, 35]$.]

Fig. 4. Illustration of $\breve\Delta$ and $\Delta$-sampled state reference. [Figure: the $\breve\Delta$-sampled and the $\Delta$-inter-sampled state reference.]

5. CONCLUSIONS

A hierarchical control approach with guarantees for active fault diagnosability (detection and isolation) was presented. Robust positive invariance notions were used to provide a set-membership test for FDI validation at the low level and sufficient constraints for guaranteeing FDI at the high level. The computational burden of the according bilevel optimization problem motivated the use of a larger sampling time for the high-level reference governor. Resulting corner cutting issues have been considered by explicitly taking into account predictions of the low-level system trajectories in the high-level optimization. A preliminary case study demonstrated the viability of the approach. Future advances will consider explicitly the curvature induced by the fast-sample behavior and different dynamics for the hierarchical control scheme.

ACKNOWLEDGMENT

This work has been partially funded by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS UEFISCDI, project number PN-II-RUTE-2014-4-2713 and by the European Union, European Social Fund ESF, Saxony.

REFERENCES

Adetola, V., Bengea, S., Kang, K., Kelman, A., and Leonardi, F. (2014). Model predictive control and fault detection and diagnostics of a building heating, ventilation, and air conditioning system. In International High Performance Buildings Conference.

Bara, G.I. and Boutayeb, M. (2005). Static output feedback stabilization with H∞ performance for linear discrete-time systems. IEEE Transactions on Automatic Control, 50(2), 250–254.
Bemporad, A. and Rocchi, C. (2011). Decentralized hybrid model predictive control of a formation of unmanned aerial vehicles. In 18th IFAC World Congress.
Blanchini, F. (1999). Set invariance in control. Automatica, 35(11), 1747–1767.
Blanke, M., Kinnaert, M., Lunze, J., Staroswiecki, M., and Schröder, J. (2006). Diagnosis and fault-tolerant control, volume 691. Springer.
Cowlagi, R.V. and Tsiotras, P. (2012). Hierarchical motion planning with kinodynamic feasibility guarantees: Local trajectory planning via model predictive control. In 2012 IEEE International Conference on Robotics and Automation, 4003–4008.
Gao, Y., Lin, T., Borrelli, F., Tseng, E.H.Y., and Hrovat, D. (2010). Predictive control of autonomous ground vehicles with obstacle avoidance on slippery roads. In 3rd Dynamic Systems and Control Conference.
Khorrami, F. and Krishnamurthy, P. (2009). A hierarchical path planning and obstacle avoidance system for an autonomous underwater vehicle. In American Control Conference, 3579–3584.
Liu, C. and Chen, W.H. (2013). Hierarchical path planning and flight control of small autonomous helicopters using MPC techniques. In IEEE Intelligent Vehicles Symposium (IV), 417–422.
Nieuwenhuisen, M. and Behnke, S. (2014). Hierarchical planning with 3D local multiresolution obstacle avoidance for micro aerial vehicles. In 41st International Symposium on Robotics, 1–7.
Peterson, J.K. (1991). Obstacle avoidance using hierarchical dynamic programming. In 23rd Southeastern Symposium on System Theory, 192–196.
Raković, S.V. and Fiacchini, M. (2008). Approximate reachability analysis for linear discrete time systems using homothety and invariance. IFAC Proceedings Volumes, 41(2), 15327–15332.
Richards, A. and Turnbull, O. (2015). Inter-sample avoidance in trajectory optimizers using mixed-integer linear programming. International Journal of Robust and Nonlinear Control, 25(4), 521–526.
Scott, J.K., Findeisen, R., Braatz, R.D., and Raimondo, D.M. (2014). Input design for guaranteed fault diagnosis using zonotopes. Automatica, 50(6), 1580–1589.
Stoican, F., Grøtli, E.I., Prodan, I., and Oară, C. (2015). On corner cutting in multi-obstacle avoidance problems. In 5th IFAC Conference on Nonlinear Model Predictive Control, 185–190.
Stoican, F. and Olaru, S. (2013). Set-Theoretic Fault Tolerant Control in Multisensor Systems. Wiley - ISTE, London, Engineering & Materials Science edition.
Stoican, F., Olaru, S., Seron, M., and DeDona, J. (2012). Reference governor design for tracking problems with fault detection guarantees. Journal of Process Control, 22(5), 829–836.
Zhou, C., Kumar, R., and Jiang, S. (2008). Hierarchical fault detection in embedded control software. In 32nd IEEE International Computer Software and Applications Conference, 816–823.
