Performance-Based Switching for Fault Tolerant Control1


Copyright © IFAC Fault Detection, Supervision and Safety of Technical Processes, Washington, D.C., USA, 2003


Joseph J. Yamé, Michel Kinnaert

Service d'Automatique et d'Analyse des Systèmes, CP 165, Fac. des sciences appliquées, Université libre de Bruxelles, 50 av. F.D. Roosevelt, Brussels-1050, Belgium. Fax: 32-2-650.26.77, email: [email protected]

Abstract: This paper presents an approach to active fault-tolerant control (FTC) based on online closed-loop performance monitoring and experimental data without an explicit fault detection and isolation algorithm. The proposed approach sets forth the theory of unfalsified control to achieve a real-time control reconfiguration which is consistent with the performance objectives for a class of system faults. The obtained FTC scheme is an alternative or might be a complement to FTC methods based on explicit fault detectors and provides a precise and direct characterization of suitable real-time controllers for reconfiguration. Copyright © 2003 IFAC

Keywords: Fault tolerant control, reconfigurable control, performance monitoring, supervisory switching, behaviors

1. INTRODUCTION

With the growing requirement on a high degree of reliability and safety for automatic controlled systems, fault tolerance must be achieved when unexpected changes, such as malfunctions in sensors or actuators and failures in controllers or in the process components, occur in the real-time operation of these systems. This means that the control system should be able to maintain or gracefully degrade the control objectives despite the occurrence of faults (Patton, 1997). In essence, fault tolerant control (FTC) systems can be viewed as self-adaptive or self-organizing systems that achieve an objective via exception management and changes in the closed-loop system. An important approach to obtain fault tolerance is reconfigurable control which is a strategy able to change the controller at run-time to react to failures or accommodate changes in the control objectives.

A key component in reconfigurable systems for fault tolerant control (FTC) is a fault detection and isolation (FDI) module which explicitly monitors the state of the plant and passes information to a supervision mechanism to make a proper decision. The information output by the fault detector is an estimate of the plant mode based on the processing of all available data. The detectors are mainly based on linear observer techniques, parity space approach, Kalman filtering or parameter estimation algorithms which operate in real time to produce a fault residual vector. Such detectors usually need a sufficiently accurate model of the plant and knowledge of the system disturbances which are seldom available for applications in the process industries. The inevitable discrepancies between the plant and the model used for FDI system design are sources of difficulties such as false or missed alarms which corrupt the FDI system performance and can lead to instability or undesirable behavior of the overall FTC system.

Another important aspect of fault detectors due to their dynamical nature is their transient behavior which can be expressed in terms of the response or speed of convergence of the detection algorithm following a fault occurrence. Such response should be rapid enough for reconfiguration in the time interval before any detrimental effect takes place in the controlled systems. Moreover, after a fault has been detected and the reconfiguration process has been enabled, not only a new control should be triggered but the running FDI algorithm should also be readapted to the new situation. It is clear that even though the above real-time FTC scheme is conceptually appealing and implements in a natural way an FTC development procedure, the combination of the FDI and the supervisory logic gives rise to some complexity and requires intensive on-line computations for the implemented algorithms. Such a computational burden and the complexity of the scheme can decrease the overall FTC system reliability.

In this paper, guided by the main requirement that the system should maintain acceptable level of performance subsequently to a malfunction, we develop a new supervisory scheme for reconfigurable control which is fast and reliable. The reconfiguration mechanism is based on the recently developed unfalsified control theory (Safonov and Tsao, 1997), but includes some modifications that make it more suitable for fault-tolerant control. The supervisory logic decides when to turn off the running controller and to which controller to switch on from a bank of candidate controllers. The latter decision is based on a closed-loop performance measure and on the experimental data. It does not require any on-line model-based detection algorithm.

1 This work is partly supported by the project CELOFA (Wallonia Region) and by the European project IFATIS (Information Society Technology Research programme IST20(1)

2. PROBLEM FORMULATION

An important and almost mandatory prerequisite for achieving fault tolerance is to have good knowledge of the system via an analysis and development procedure which aims to give a complete coverage of possible faults that can occur in the plant as well as the corresponding remedial actions. We assume that such a systematic FTC analysis and development procedure, as described for instance in (Blanke et al., 2000), has already been done and we are concerned with the implementation of the real-time fault tolerant system.

Remedial actions for fault-tolerant control usually consist in accommodating or reconfiguring the controller (i.e., changes in controller parameters or structure) and/or modifications in the input/output pairing between the controller and the plant (i.e., the interconnection structure of the overall automated system). In the latter case, the sets of available inputs and outputs and hardware components can change and the control specifications may also change (Blanke, Staroswiecki and Wu, 2001). Here, we focus on the first case where it is assumed that the interconnection structure remains invariant but the controller needs to be reconfigured in real time for compensating occurring faults in the system. The class of such faults excludes total actuator faults and defects in sensors which need hardware removing from the control loop as well as changes or switching in the interconnection structure of the system but consists possibly in faults in control algorithms, faults manifested as changes or jumps in the plant dynamics, actuator faults such as stick-slip friction in valves, partial loss in control effectiveness, etc.

We assume, from the analysis and development phase, that for the healthy situation as well as for all faults covering the possible abnormal behaviors of the plant, a finite set of controllers

$$\mathcal{C} = \{C_1, \ldots, C_N\} \qquad (1)$$

has been constructed in such a way that in each functioning or faulty mode of the plant, there is at least one controller in that set which has the appropriate corrective action and is able to satisfy the control objectives. The above assumption is justified given the maturity of control design methodologies for large classes of linear and nonlinear systems. With this assumption, the behaviors (normal and abnormal) of the plant can be viewed as the (possibly non-disjoint) union of "control modes" where a control mode is meant to be the operation of the plant under a controller that is guaranteed to meet the given performance objectives. More explicitly the plant including its actuators and sensors, referred to as $\mathcal{P}$, can be described by

$$\mathcal{P} = \bigcup_{i=1}^{N} \mathcal{C}_i^M \qquad (2)$$

where $\mathcal{C}_i^M$, the ith control mode, is defined as

$$\mathcal{C}_i^M = \{\mathcal{P} \mid (\mathcal{P}, C_i) \text{ meets the performance specs}\} \qquad (3)$$

with $(\mathcal{P}, C_i)$ designating the operation of the plant $\mathcal{P}$ under the feedback controller $C_i$. The family of control modes $\{\mathcal{C}_i^M\}$ can be viewed as generating a topology on $\mathcal{P}$ which enforces via relation (2) some compactness property (finite covering) of the operating space (Berge, 1997). The fact that the whole operating space of the plant $\mathcal{P}$ is covered by a finite set of N control modes does not mean that the plant evolves amongst N different models; actually the plant might evolve amongst an infinite number or a continuum of models. For instance, $\mathcal{P}$ could be represented by the infinite set

$$\mathcal{P} = \{M_\theta : \theta \in \Omega\} \qquad (4)$$

where the $M_\theta$'s are the models of the plant and $\Omega$ is a parametrization set which is a subset of some real or complex space such as $\mathbb{R}^m$ for some m or a matrix space. The covering of the plant by control modes $\{\mathcal{C}_i^M\}$ induces in fact some kind of equivalence relation on the parametrization set $\Omega$ or equally on the models set $\{M_\theta\}_{\theta \in \Omega}$.

With the collection of controllers (1) available, the real-time FTC-based control reconfiguration problem is to accomplish the high level task of switching appropriately between the low-level control laws $C_i$ from the measured data of the unknown operating plant $\mathcal{P}$.

3. ARCHITECTURE OF THE FTC SYSTEM

The covering (2) of the operating space of the plant $\mathcal{P}$ by control modes $\mathcal{C}_i^M$ suggests an on-line FTC scheme which attempts to reconfigure directly the control law without trying to estimate explicitly the faulty mode as it is done with a fault detector in FDI-based supervisory controls. Since it is assumed that the hardware components in the loop remain invariant with respect to fault scenarios, the main idea is to make the reconfiguration mechanism aware of a fault in the controlled system through the inconsistency of the measured data with the desired closed-loop behavior.

Consider the generalized plant of figure 1 which involves four (possibly vector) signals of fundamental significance in control problems. These are the exogenous input w, which might represent disturbances or references, the control signal u, the sensed output y which provides the input to the controller and the regulated variable or performance signal z. Note that the objective signal z need not be physically measured, however it should contain every signal about which we would like to express a specification or a constraint. The control architecture as depicted in figure 1 is a layered structure with a basic low-level control for command following and disturbance attenuation realized by the usual feedback path from the sensed output y to the controlled plant input u. The "high-level" supervisory control implements the fault tolerant capability of the system based on the (real-time) performance signal z. The path from the performance signal z to the supervisor shows a stream of information but this path may be nonphysical since signal z is not necessarily measured although it depends on the measured or available signals y, u and possibly on w. The desired closed-loop behavior specifies a requirement on the input/output (i/o) map from the exogenous signal to the objective signal; this map depending on the controller $C_i$ in the loop.

Figure 1. Conceptual structure of a performance-based FTC scheme

Such a requirement is a constraint put on the objective signal z which might be expressed with the aid of a control performance functional

$$J : V \to \mathbb{R}, \quad z \mapsto J(z) \qquad (5)$$

This constraint is usually an inequality to be satisfied by the values $J(z)$ of the functional, e.g. $J(z) \le \gamma$ where $\gamma$ is some threshold below which the performance is satisfactory. Common examples of performance functionals, depending on the end-user control applications, are integrated absolute error (IAE), output variance, average RMS power in z, peak value of z, etc. The performance signal z being a function of the signals y, u and w, the domain $V$ of the functional J is in fact the space of operating data (w, u, y), i.e., $V = \{(w,u,y) : w \in W, u \in U, y \in Y\}$ where W, U, and Y are appropriate spaces for the reference/disturbance, control and sensed process output signals. The constraint on the performance functional is therefore equivalent to the following set of signals

$$\mathcal{B}_J = \{(w,u,y) \in W \times U \times Y : J(w,u,y) \le \gamma\} \qquad (6)$$

The shift from a requirement on the desired (closed-loop) i/o mapping to an equivalent set of operating signals is of paramount importance and allows online control performance assessment of the closed-loop behavior solely based on available signals without knowledge (given by the map) of the plant. The shifting from the classical operator (mapping) viewpoint to a set-theoretic approach to systems will be further developed in the next section and will be the main trick for designing the reconfiguration mechanism. From the above, a practical implementation of the conceptual structure of figure 1 may use the measured data (u, y) to feed the performance monitoring module of the supervisor. The performance monitoring module has two main tasks: to decide when to reconfigure the system and to which controller the switching should take place. This is done through the following steps:

• The monitoring module computes the actual closed-loop performance functional using the observed real-time data to validate or invalidate the on-line controller. If the controller is not invalidated by the experimental data, then it is performing well and therefore it should be maintained in the loop.
• If the actual performance functional is out of the specifications, this serves as an experimental evidence that some kind of deterioration has occurred in the feedback loop. In that case, the correct remedial controller in the bank should be retrieved and placed in the feedback loop to compensate the deterioration and recover the control objectives.

The first task is easily performed from the routine operating data (w, u, y), but the second task is not a trivial problem since the mode in which the unknown plant is evolving is not determined. A natural way to decide to which controller to switch on is to compute the performance functional indexes $\{j_k\}$

4. SUPERVISOR DESIGN

The design of the supervisor will be based on the main assumption that the whole operating space of the unknown plant is covered with control modes defined in (3). Since no plant model is used online to estimate the current plant operation, we will focus on the available data and performance goals to constrain the selection of the corrective controller. The appropriate mathematical framework for dealing with model-free representation of dynamical systems is the behavioral paradigm of J.C. Willems which describes systems directly on the basis of observed data using set-theoretic tools (J.C. Willems, 1991; Polderman and Willems, 1998).

4.1 Mathematical framework

The basic philosophy of the behavioral paradigm is to view a dynamical system as a collection of trajectories rather than as an operator or a signal processor which maps input signals to output signals. A formal definition of a dynamical system is the following (Polderman and Willems, 1998):

Definition 1. A dynamical system $\Sigma$ is a triple $\Sigma = (\mathbb{T}, \mathbb{S}, \mathcal{B})$ where $\mathbb{T}$ is a subset of $\mathbb{R}$, called the time axis, $\mathbb{S}$ a set called the signal space, and $\mathcal{B}$ a subset of $\mathbb{S}^{\mathbb{T}}$ called the behavior. ($\mathbb{S}^{\mathbb{T}}$ is the set of all $\mathbb{S}$-valued time trajectories)

The set $\mathbb{S}$ specifies the space in which the system time-signals take on their values and the behavior $\mathcal{B} \subseteq \mathbb{S}^{\mathbb{T}}$ is simply a family of $\mathbb{S}$-valued time trajectories and constitutes the essential feature of the system. The elements of $\mathcal{B}$ are precisely the signals $s : \mathbb{T} \to \mathbb{S}$ which can occur and which are compatible with the laws governing the dynamical system $\Sigma$ whilst those outside $\mathcal{B}$ cannot occur. With the above definition, a plant $\mathcal{G}$ represented as a dynamical system $\Sigma_{\mathcal{G}} = (\mathbb{T}, \mathbb{S}, \mathcal{B}_{\mathcal{G}})$ is a law which recognizes a certain subset $\mathcal{B}_{\mathcal{G}}$ of the trajectories set $\mathbb{S}^{\mathbb{T}}$.

Now, consider a controller C as a dynamical system $\Sigma_C = (\mathbb{T}, \mathbb{S}, \mathcal{B}_C)$ acting on the same time axis $\mathbb{T}$ and the same signal space $\mathbb{S}$ as $\mathcal{G}$. When these two systems are brought into contact, in which case the obtained dynamical system is called an interconnected system and denoted by $\Sigma_{\mathcal{G}} \wedge \Sigma_C$, the plant signals are constrained to obey the laws of both the plant and the controller. The behavior of the interconnection $\Sigma_{\mathcal{G}} \wedge \Sigma_C$ consists simply of those trajectories $s : \mathbb{T} \to \mathbb{S}$ that are compatible with the laws of $\Sigma_{\mathcal{G}}$ (i.e., $s \in \mathcal{B}_{\mathcal{G}}$) and those of $\Sigma_C$ (i.e., $s \in \mathcal{B}_C$), i.e.,

$$\Sigma_{\mathcal{G}} \wedge \Sigma_C = (\mathbb{T}, \mathbb{S}, \mathcal{B}_{\mathcal{G}} \cap \mathcal{B}_C) \qquad (7)$$

The interconnected system $\Sigma_{\mathcal{G}} \wedge \Sigma_C$ is much related to the intersection of behaviors. The problem of control is to choose a controller $\Sigma_C$ so as to impose that $\Sigma_{\mathcal{G}} \wedge \Sigma_C$ behaves like a desired dynamical system $\Sigma_J = (\mathbb{T}, \mathbb{S}, \mathcal{B}_J)$ where $\mathcal{B}_J \subseteq \mathbb{S}^{\mathbb{T}}$ is the set of signals constrained by the requirement on the performance functional J. It is now evident that in the behavioral framework, the plant and the control laws as well as the performance specifications are put on an equal footing and considered simply as sets of signals (the behaviors). The following proposition is quite obvious.

Proposition 2. A necessary and sufficient condition for the controller $\Sigma_C$ to implement a controlled system $\Sigma_{\mathcal{G}} \wedge \Sigma_C$ which behaves as the desired dynamical system $\Sigma_J$ is simply

$$\mathcal{B}_J \supseteq \mathcal{B}_{\mathcal{G}} \cap \mathcal{B}_C \neq \emptyset \qquad (8)$$

Until now, we have considered all signals which can occur as outcomes of dynamical systems, however only observed data or measurement from the experimental setting are available for actual running systems. These measurements give a partial knowledge about the systems and might be thought as representing a somewhat small set of the behavior of a dynamical system. Measurements form the information about the dynamical system which is accessible from outside and can be formalized (J.C. Willems, 1991) by viewing it as a nonempty subset $\mathcal{D}$ of $\mathbb{S}^{\mathbb{T}}$. The importance of the data set $\mathcal{D}$ produced by dynamical systems relies on the fact that the behavior should in the first place be considered as a descriptive pattern which has not necessarily an interpretative power. A key point is that the behavior should be able to explain the data which in turn confers to the latter the position of making the right selection between possible behaviors of a dynamical system. This leads to the concept of falsification (J.C. Willems, 1986). A behavior $\mathcal{B}$ is said to be unfalsified by the data $\mathcal{D} \subseteq \mathbb{S}^{\mathbb{T}}$ if $\mathcal{D} \subseteq \mathcal{B}$.

The subset $\mathcal{D}$ is actually obtained as a result of an observation process of signals produced by the dynamical system. The evolving feature of dynamical systems makes the observation process explicitly dependent on time, e.g. signals can be measured only till the present time (the future being unknown). Moreover, not all the components of the signals involved in the dynamical systems are measured. In order to account for this, the observation process will be described as an operator acting on the trajectories set $\mathbb{S}^{\mathbb{T}}$ to produce time-dependent subsets $\mathcal{D}_\tau$ of $\mathcal{D}$ with $\tau \in \mathbb{R}$, i.e., $O_\tau : \mathbb{S}^{\mathbb{T}} \to \mathbb{S}^{\mathbb{T}}$ where $O_\tau$ is a "time and spatial" projector on $\mathbb{S}^{\mathbb{T}}$ such that $(O_\tau s) \in \mathcal{D}_\tau$ for s in $\mathbb{S}^{\mathbb{T}}$. The set $\mathcal{D}_\tau$ is the data set up to time $\tau$ and its pre-image under $O_\tau$, denoted by $O_\tau^{-1}(\mathcal{D}_\tau)$, is the set

$$O_\tau^{-1}(\mathcal{D}_\tau) = \{ s \mid s \in \mathcal{B};\ (O_\tau s) \in \mathcal{D}_\tau \} \qquad (9)$$

that is the set of all trajectories in $\mathcal{B}$ such that $O_\tau \mathcal{B} \subseteq \mathcal{D}_\tau$.

Based on the available data up to time $\tau$ and without further modeling assumptions on the plant $\Sigma_{\mathcal{G}}$, it is logically impossible to conclusively verify that a controller $\Sigma_C$ will implement an interconnected system $\Sigma_{\mathcal{G}} \wedge \Sigma_C$ which behaves as the desired dynamical system $\Sigma_J$. However, this conclusion might be considered as a tentative hypothesis which can be given a high measure of corroboration by the experimental data up to time $\tau$ and may be provisionally retained as the best available controller until it is falsified (or refuted) or possibly superseded by a better controller. This idea has its roots in what is known as the problem of demarcation of scientific theories formulated by Popper (1991) and the resulting methodology has been introduced for controller tuning in reference (Safonov and Tsao, 1997). Whenever the controller is not refuted by the experimental data, it is said to be unfalsified. In the light of proposition 2, the following proposition is trivial:

Proposition 3. A necessary and sufficient condition for a controller $\Sigma_C$, implementing a controlled system $\Sigma_{\mathcal{G}} \wedge \Sigma_C$, to be unfalsified by the experimental data $\mathcal{D}_\tau$ produced by $\Sigma_{\mathcal{G}}$ and with respect to the desired behavior $\Sigma_J$ is

$$\mathcal{B}_J \supseteq O_\tau^{-1}(\mathcal{D}_\tau) \cap \mathcal{B}_C \neq \emptyset \qquad (10)$$

Notice that the observed data $\mathcal{D}_\tau$ is not related to any particular experimental setting, hence a deep consequence of proposition 3 is that a controller $\Sigma_C$ can be tested even if it is not actually interconnected to the plant. This fact is a powerful tool for evaluating the ability of an off-the-shelf controller to perform corrective actions and satisfy performance objectives following an unexpected change in a feedback loop.

4.2 Generator of performance indexes

Let us fix the low-level standard structure as in figure 2 corresponding to the basic classical control problem involving reference and disturbance signals r and d collected in the vector signal w with components $w_1 = r$ and $w_2 = d$. The signal space W might be considered as a cartesian product $\mathcal{R} \times D$ where $\mathcal{R}$ and $D$ are appropriate signal spaces respectively for r and d. The component d is a free unknown signal, meaning that any function $d : \mathbb{T} \to D$ can occur as the second component of the variable w of the generalized plant $\mathcal{G}$; moreover the entry point of signal d into the generalized plant is unknown. The controller input y is the vector composed of the measured output $y_p$ of the unknown plant P and the reference signal r. Similarly, the signal space Y might be viewed as the cartesian product $\mathcal{R} \times Y_p$ for some appropriate space $Y_p$. The set of all trajectories of the dynamical system $\Sigma_{\mathcal{G}} = (\mathbb{T}, \mathbb{S}, \mathcal{B}_{\mathcal{G}})$ we are interested in is given by $\mathbb{S}^{\mathbb{T}} = W \times U \times Y$.

Figure 2. Low-level feedback loop (generalized plant $\mathcal{G}$, controller C, control signal u)

In this setting, controller C is the dynamical system $\Sigma_C = (\mathbb{T}, \mathbb{S}, \mathcal{B}_C)$ with behavior given by

$$\mathcal{B}_C = \{ s = (w,u,y) \in \mathbb{S}^{\mathbb{T}} \mid u = [C^r \;\; {-C^l}]\, y \} \qquad (11)$$

Note that the constraint imposed by the controller equation $u = Cy$ recognizes a subset of the trajectories set $\mathbb{S}^{\mathbb{T}}$ that might occur and it forbids those signals $s \in \mathbb{S}^{\mathbb{T}}$ that do not satisfy this equation. For the generalized dynamical system $\Sigma_{\mathcal{G}} = (\mathbb{T}, \mathbb{S}, \mathcal{B}_{\mathcal{G}})$, one has a set of measurement data $\mathcal{D}_\tau$ up to time $\tau$ composed of the signals u and $y_p$ produced by the unknown plant P so that the behavior $\mathcal{B}_{\mathcal{G}}$ contains the set

$$O_\tau^{-1}(\mathcal{D}_\tau) = \{ s = (w,u,y) \in \mathbb{S}^{\mathbb{T}} \mid (O_\tau s) \in \mathcal{D}_\tau \} \qquad (12)$$

where

$$\mathcal{D}_\tau = \{ (u, y_p) \in U \times Y_p : y_p = Pu \text{ on } [0,\tau] \} \qquad (13)$$

The only thing known about the plant is that it generated the experimental data $\mathcal{D}_\tau$ containing the measured signals $(u, y_p) = (u^{(m)}, y_p^{(m)})$ on some time interval $[0, \tau]$. If a controller C were in the loop when the plant produced this data, then the constraint imposed by the controller behavior would have read

$$u^{(m)}(t) = C^r w_1(t) - C^l y_p^{(m)}(t), \quad 0 \le t \le \tau \qquad (14)$$

for some $w_1$ in $\mathcal{R}$, or equivalently

$$C^r w_1(t) = u^{(m)}(t) + C^l y_p^{(m)}(t), \quad 0 \le t \le \tau \qquad (15)$$

Assuming that the map $C^r$ is one-to-one and its range contains all combinations of the form $(u + C^l y_p)$ for $(u, y_p) \in U \times Y_p$ then there exists a transformation $(C^r)^\dagger$ such that $(C^r)^\dagger C^r = I$ (identity map) on $\mathcal{R}$ and equation (15) has a solution

$$\tilde{w}_1(t) = (C^r)^\dagger \left( u^{(m)}(t) + C^l y_p^{(m)}(t) \right), \quad 0 \le t \le \tau \qquad (16)$$

The signal $s = (w, u^{(m)}, y)$ on the time interval $[0, \tau]$, with $w = (\tilde{w}_1, w_2)$ for some unknown $w_2 \in D$ and $y = (\tilde{w}_1, y_p^{(m)})$, clearly belongs to the controller behavior $\mathcal{B}_C$ as well as to $O_\tau^{-1}(\mathcal{D}_\tau)$, i.e.,

$$s \in \mathcal{B}_C \cap O_\tau^{-1}(\mathcal{D}_\tau) \qquad (17)$$

For a pure disturbance attenuation problem, i.e. when the reference signal $w_1 = r$ is zero, the constraint (16) imposed by the controller reduces to

$$u^{(m)}(t) = -C^l y_p^{(m)}(t), \quad 0 \le t \le \tau \qquad (18)$$

From (16) and (18), the controller behavior $\mathcal{B}_C$ cannot constrain (or forbid) the disturbance $w_2$ to (or from) a certain subset. However, the measured process output $y_p^{(m)}$ actually embeds the effect of the disturbance, that is $w_2$ can be viewed as internal to the process with effects manifested in the output signal $y_p^{(m)}$. From these considerations and from proposition 3, the controller C is unfalsified by the experimental data $\mathcal{D}_\tau$ produced by the unknown plant whenever $s \in \mathcal{B}_J$, that is when the value of the performance functional J at $s \in \mathbb{S}^{\mathbb{T}}$ satisfies $J(s) = J(w, u^{(m)}, y) \le \gamma$ where signal $s = (w, u^{(m)}, y)$ with $w = (\tilde{w}_1, 0)$. Equation (16) defines a filter F which reconstructs the reference signal $\tilde{w}_1$ from the measurement of $(u, y_p)$. The above procedure can be applied to any off-the-shelf controller $C_k = [C_k^r \;\; C_k^l]$ from a bank of N candidate controllers, thus yielding N performance indexes given by

$$\begin{cases} J(s_1) = j_1 \\ J(s_2) = j_2 \\ \quad \vdots \\ J(s_N) = j_N \end{cases} \qquad (19)$$

with $s_k = (w_{(k)}, u^{(m)}, y_{(k)})$, where $w_{(k)} \in \mathcal{R}$ is the output of the filter $F_k$ given by equation (16) and corresponding to the kth controller $C_k$ and $y_{(k)} = (w_{(k)}, y_p^{(m)})$. The performance monitor has the following structure depicted in figure 3.

Figure 3. Performance monitor

The filters block is the bank of filters $\{F_k\}$ running concurrently and producing the vector of estimated reference signals $\tilde{w}_1 = (\tilde{w}_{1(k)})$. The triples $(\tilde{w}_{1(k)}, u, y)$ are the signals in $\mathbb{S}^{\mathbb{T}}$ which are compatible with the behavior obtained by interconnecting the controller $C_k$ to the unknown plant and the outputs of the generator are the values $j_k$ of the performance functional corresponding to each $C_k$.

4.3 Selector and switching logic

The reconfiguration procedure is enabled whenever the actual running controller is invalidated by the real-time measurements. The controller invalidation is performed without any estimation of signals involved in the dynamical system since all needed signals are readily available for computing the performance functional value. Such control invalidation is a testimony of the occurrence of unexpected changes in the feedback loop which requires a remedial action. The selector is a system whose input and output are respectively the set $\{j_k\}$ of the performance functional values and a piecewise constant signal (the switching signal) $\sigma(t)$ and whose job is to select the corrective controller and connect it in the feedback loop.

In order to avoid arbitrary (small) switching times which can leave open the possibility of chattering and impact on the stability of the overall system, it is necessary to impose a lower bound on the length of intervals between successive switches. This is intuitively reasonable since it is known that each off-the-shelf controller $C_k$ results in a "control mode" which is stable when used alone (i.e. not in a sequence). This minimum length of time in which a controller is active in the loop, the dwell time, can be fixed by collecting the measured data on time intervals $[t_i, t_i + T_D)$ of length $T_D = ih$ for an integer i, with $t_i$ the instants of possible switchings and h the sampling period of the low-level feedback loop. The switching signal is a map from the time axis $\mathbb{T}$ to the controllers index set $\{1, 2, \ldots, N\}$, i.e. $\sigma : \mathbb{T} \to \{1, 2, \ldots, N\}$ and the dwell time-based switching logic enforces

$$\sigma(t) = \sigma(t_i) \quad \text{for } t_i \le t < t_{i+1} \qquad (20)$$

with the updating rule

$$\sigma(t_{i+1}) = \begin{cases} \sigma(t_i) & \text{if } C_{\sigma(t_i)} \text{ is not invalidated} \\ k = \arg\min \{ j_k \mid j_k \le \gamma,\ k \ne \sigma(t_i) \} \end{cases} \qquad (21)$$

Note that this is a run-to-run approach in which data collected in the previous run (i.e., on time interval $[t_{i-1}, t_{i-1} + T_D]$) are discarded in the data set of the current run. The above switching logic confers to the dwell time two properties: it lets the stable dynamics of the closed-loop switched system have enough time to decay before a next possible switching occurs and it bounds the detection delay, i.e. the time elapsed from the occurrence of a fault to the controller invalidation. A short detection delay requirement will need a short dwell time $T_D$ for the selector logic which clearly conflicts with the stability of the closed-loop switched system. The dwell time should result from a trade-off between the requirements on stability and the detection delay depending on the faults scenarios and their severity. The time for reconfiguration, i.e. the time needed after a controller invalidation to the selection of the next controller is however quasi-instantaneous needing only the computation time.

5. CONCLUDING REMARKS

In this paper, we have presented a control reconfiguration scheme which is solely based on the observed data of an unknown plant with no on-line plant model for fault detection. An important concept introduced is that of "control modes" in which the unknown plant has been mapped onto, so that without an on-line FDI unit the real-time operating controller is implicitly indicative of the actual fault scenario. A performance functional plays the role of a detector of abnormal conditions or faults in the closed-loop system, however it has not the ability to diagnose or isolate a fault in real time. Therefore the proposed reconfiguration scheme is limited to cases where the hardware components in the loop remain invariant with respect to fault scenarios otherwise a FDI unit might be necessary to identify the failed hardware to be changed. Actually, the sole conclusion which may be drawn from the performance functional is whether or not the closed-loop is functioning well.

An interesting property with the supervisory scheme is that any controller in the bank which violates the performance objective is eliminated from being considered to be switched on. This clearly rules out the use of unsatisfactory controllers in the feedback loop as might be the case with false or missed alarms with standard FDI units thus increasing the reliability of the FTC system. Another interesting fact is that one has some control on the detection delay via the choice of the dwell time in the switching logic. Finally, the method is fast because no convergence process takes place in the supervisor algorithm as in FDI-based scheme using observers or parameter estimation techniques. Case studies applying the proposed FTC method are currently under consideration and simulation results will be reported elsewhere.

REFERENCES

Berge C. (1997), Topological Spaces. Dover Publications Inc., New York.
Chen J. and R.J. Patton (1999), Robust Model-based Fault Diagnosis for Dynamic Systems. Kluwer Academic Publishers, Boston.
Blanke M., Staroswiecki M. and E. Wu (2001), Concepts and Methods in Fault-tolerant Control. Proceedings of the American Control Conference.
Blanke M. et al. (2000), What is Fault-Tolerant Control? Proceedings of the IFAC SAFEPROCESS'00.
Patton, R.J. (1997), Fault-tolerant Control Systems: The 1997 Situation. Proceedings of the IFAC SAFEPROCESS'97.
Popper, K. (1991), La Connaissance Objective. Flammarion, Paris.
Safonov M.G., Tsao T-C. (1997), The Unfalsified Control Concept and Learning. IEEE Transactions on Automatic Control, Vol. 42, N°6, pp. 843-847.
Willems, J.C. (1986), From Time Series to Linear Systems. Part II. Exact Modelling. Automatica, Vol. 22, N°6, pp. 675-694.
Willems, J.C. (1991), Paradigms and Puzzles in the Theory of Dynamical Systems. IEEE Transactions on Automatic Control, Vol. 36, N°3, pp. 259-294.
Polderman, J.W., Willems J.C. (1998), Introduction to Mathematical Systems Theory: A Behavioral Approach. Springer-Verlag New York, Inc.
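The supervisor of sections 4.2 and 4.3 (reference-reconstruction filter (16), performance indexes (19), dwell-time switching rule (20)-(21)), sketched as an added example that is not code from the paper or its authors. Assumptions made here: scalar static controllers, a first-order discrete plant whose fault is a partial loss in control effectiveness, J taken as the mean absolute tracking error over one dwell window, constructed values for the threshold and dwell time, and keeping the active controller when no candidate is unfalsified.

```python
GAMMA = 0.2   # performance threshold gamma (constructed value)
DWELL = 20    # dwell time T_D in samples, sampling period h = 1 (constructed value)

# Bank of candidate static controllers C_k = (c_r, c_l): u = c_r*w1 - c_l*y_p
# (hypothetical gains chosen for this illustration)
BANK = [(1.0, 1.0), (5.0, 5.0), (0.5, 0.5)]


def fictitious_reference(ctrl, u, yp):
    """Eq. (16): w1(t) = (C^r)^+ (u(t) + C^l y_p(t)); for a scalar gain (C^r)^+ = 1/c_r."""
    c_r, c_l = ctrl
    return [(ut + c_l * yt) / c_r for ut, yt in zip(u, yp)]


def performance_index(w1, yp):
    """J(s): mean absolute tracking error z = w1 - y_p over the window (assumed choice of J)."""
    return sum(abs(w - y) for w, y in zip(w1, yp)) / len(yp)


def performance_indexes(u, yp):
    """Eq. (19): one index j_k per candidate, all computed from the same recorded (u, y_p)."""
    return [performance_index(fictitious_reference(c, u, yp), yp) for c in BANK]


def update_switch(sigma, j):
    """Eq. (21): keep the active controller unless invalidated, else argmin over unfalsified k."""
    if j[sigma] <= GAMMA:
        return sigma
    unfalsified = [k for k in range(len(j)) if k != sigma and j[k] <= GAMMA]
    # Assumption: if every candidate is falsified, the active controller stays in the loop.
    return min(unfalsified, key=lambda k: j[k]) if unfalsified else sigma


def simulate(steps=120, fault_at=60):
    """Closed loop around y[t+1] = a*y[t] + b*u[t]; b drops at fault_at (constructed scenario)."""
    a, b, r = 0.9, 1.0, 1.0
    y, sigma = 0.0, 0
    u_win, y_win, switches, sigma_hist = [], [], [], []
    for t in range(steps):
        if t == fault_at:
            b = 0.2                      # partial loss in control effectiveness
        c_r, c_l = BANK[sigma]
        u = c_r * r - c_l * y            # low-level control law, eq. (14)
        u_win.append(u)
        y_win.append(y)
        sigma_hist.append(sigma)
        y = a * y + b * u                # plant, unknown to the supervisor
        if len(u_win) == DWELL:          # end of a dwell interval: decision instant t_{i+1}
            new_sigma = update_switch(sigma, performance_indexes(u_win, y_win))
            if new_sigma != sigma:
                switches.append((t + 1, sigma, new_sigma))
                sigma = new_sigma
            u_win, y_win = [], []        # run-to-run: previous window is discarded
    return switches, sigma_hist


if __name__ == "__main__":
    log, _ = simulate()
    print("switches (time, from, to):", log)
```

Candidates 1 and 2 are scored from the recorded (u, y_p) alone, without ever being placed in the loop, which is the consequence of proposition 3 noted in section 4.1.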