Reference governor design for tracking problems with fault detection guarantees


Journal of Process Control 22 (2012) 829–836


Florin Stoican a,∗, Sorin Olaru a, María M. Seron b, José A. De Doná b

a SUPELEC Systems Sciences (E3S) – Automatic Control Department, Gif sur Yvette, France
b CDSC, School of Electrical Engineering and Computer Science, The University of Newcastle, NSW 2308, Australia

Article info

Article history: Received 22 April 2011; received in revised form 7 January 2012; accepted 12 February 2012; available online 3 April 2012.

Keywords: Reference governor; Fault tolerant scheme; Invariant sets

Abstract

The present paper deals with the reference tracking problem for processes with linear dynamics and multisensor information subject to abrupt sensor faults. A key point for fault tolerance will be the separation between healthy and faulty closed-loop behavior upon a set-characterization approach. This is achieved through set theoretic operations involving the healthy/faulty behavior of residual signals related to the system dynamics. As a main contribution, a reference governor scheme is designed using a receding horizon technique. It is shown that fault detection guarantees can be achieved by appropriate adjusting of the governor’s delay/prediction window under mild assumptions on the fault scenario.

© 2012 Elsevier Ltd. All rights reserved.

1. Introduction

Nowadays the use of redundant sensors in applications is becoming increasingly more common. In modern control applications there are strict requirements on the stability and performance criteria. Malfunctions in actuators, sensors or other systems components might lead to unsatisfactory performance or even instability. There are safety-critical systems in which this behavior is not merely inconvenient but can become catastrophic (well known examples of malfunctioning in aircraft incidents are discussed in [6]). As a consequence, a great deal of effort has been put into developing closed-loop systems which can tolerate faults, while maintaining desirable performance and stability properties [18].

Any fault tolerant control (FTC) scheme relies on two fundamental mechanisms: the fault detection and isolation (FDI) block and the control reconfiguration block. The solutions employed usually implement active FTC schemes which react to a detected fault and reconfigure the control actions so that stability and performance can be satisfied.

Set membership techniques for fault detection have been recently proposed in the literature. In [9] parameter variances and bounded disturbances are considered in order to obtain a robust detection of faults. A new approach was proposed in [11], which uses a deterministic description of the sensor behavior in order to obtain fault tolerance guarantees upon invariant set separation. The approach utilizes bounded disturbance and noise descriptions, and derives a switching control which ensures closed-loop fault tolerant stabilization. The main advantage is the use of invariant sets which minimizes the online computations (only set membership testings) and offers global stability guarantees.

Usually [18], the detection and reconfiguration parts of a fault tolerant control (FTC) scheme are treated separately thus neglecting reciprocal influences and substandard behavior (e.g., missed faults). The proposed scheme, based on invariant set separation, integrates all the FTC components, and analyzes their interactions, to create an overall system with guaranteed fault tolerance properties.

A limitation present in the initial versions of this scheme (see [11,7]) is the a priori fixed range of the reference signal. Consequently, an unfortunate choice of reference may render the FDI block infeasible, in which case the scheme fails to function properly. In the present paper, building upon results in [14], a set of feasible reference values is determined. In addition we improve our previous results by introducing the following new features. Firstly, we make use of information from previous instants of time to construct the residuals and associated sets, thus increasing the range of feasible reference values. Secondly, the technique is extended to a reference governor employing a receding horizon optimization procedure to deliver a reference which guarantees fault detection. The required robust positive invariant (RPI) sets for the FTC mechanisms are computed with the help of methods described in [3] due to their ease of use and good precision.

∗ Corresponding author (F. Stoican). doi:10.1016/j.jprocont.2012.02.004

1.1. Notation

Let $\mathbb{R}$, $\mathbb{Z}$ and $\mathbb{Z}_+$ denote the field of real numbers, the set of integers and the set of non-negative integers, respectively. Let

$$x_{[c_1,c_2]} = \begin{bmatrix} x(k+c_1) \\ \vdots \\ x(k+c_2) \end{bmatrix},$$

with $c_1, c_2 \in \mathbb{Z}$ denote a column vector of elements whose index increases monotonically and where $k \in \mathbb{Z}_+$ denotes the current instant of time. Whenever $c_1 = c_2 = c$ the shorthand notation $x_{[c]}$ may be employed. Notation $x^+$ ($x^-$) denotes the successor (predecessor) element to the current value of $x$. If $x = x_{[0]} \in \mathbb{R}^n$, $x^+$ denotes $x^+ = x_{[1]}$, whereas $x^+_{[c_1,c_2]} \in \mathbb{R}^{(|c_1-c_2|+1)\times n}$ denotes the vector $x^+_{[c_1,c_2]} = x_{[c_1+1,c_2+1]}$. A similar definition is employed for $x^-$ and $x^-_{[c_1,c_2]}$.

The Minkowski sum of two sets, A and B is denoted as

A ⊕ B = {x : x = a + b, a ∈ A, b ∈ B}

whereas the Pontryagin difference is given by

A  B = {a ∈ A : a + b ∈ A, for all b ∈ B}.

conv(S) denotes the convex hull of set S. Notation $S^c = \underbrace{S \times S \times \cdots \times S}_{c}$ for any $c \in \mathbb{Z}_{\geq 1}$, where S is a set, denotes the c-times cross product of S. Inequalities and absolute values of vectors and matrices are considered elementwise.

The remainder of the paper is organized as follows. The multisensor plant and the relevant invariant sets are described in Sections 2 and 3, respectively. The fault tolerant tracking scheme is described in Section 4. An illustrative example is given in Section 5 and some conclusions are drawn in Section 6.

2. Multisensor scheme

2.1. Plant dynamics and the tracking control problem

The multisensor control scheme considered in the present paper is depicted in Fig. 1. The plant P has a linear discrete-time state space model:

$$x^+ = Ax + Bu + Ew \tag{1}$$

where $x \in \mathbb{R}^n$ is the system state, $u \in \mathbb{R}^m$ is the control input, and the model is affected by a bounded process disturbance $w \in W \subset \mathbb{R}^r$, with W a bounded polyhedral set.

Fig. 1. Multisensor fault tolerant control scheme.

The control problem is to design a closed-loop control scheme such that the state of the plant (1) tracks a reference signal xref which obeys the nominal dynamics

$$x_{\mathrm{ref}}^+ = A x_{\mathrm{ref}} + B u_{\mathrm{ref}} \tag{2}$$

where uref is a known (stabilizing in case that A is not stable) signal. The pair of state/input reference signals (xref , uref ) is provided by a reference governor such that the given constraints are respected and an ideal reference is followed as closely as possible (see Section 4.4). The plant tracking error is given by the difference between the state (1) and its respective reference signal (2):

$$z^+ = x^+ - x_{\mathrm{ref}}^+ = Az + B(u - u_{\mathrm{ref}}) + Ew. \tag{3}$$

2.2. Sensor description and estimator dynamics

The state of the plant (1) is measured by means of a bank of N (redundant) sensors Si associated with linear combinations of the system state, Ci x ∈ Rpi , i ∈ I with I ≜ {1, . . . , N}. The sensors are assumed to have significantly faster dynamics than those of the plant model; thus, they can pertinently be assumed to be static, with the associated output signal yi affected by a bounded measurement noise i ∈ i ⊂ Rpi , with i a bounded polyhedral set:

yi = Ci x + i . (4)

We make the following assumption.

Assumption 1. Each pair (A, Ci ) associated to the ith sensing channel is observable.

To each sensor output yi we associate a state estimator Ei , i ∈ I (see Fig. 1). The corresponding state estimations xˆi will be constructed to provide an adequate dynamic behavior:

xˆi+ = Axˆi + Bu + Li (yi − Ci xˆi ) = (A − Li Ci )xˆi + Bu + Li i + Li Ci x, (5)

where ALi denotes the matrix A − Li Ci.

The gains Li are chosen such that matrices ALi are strictly stable (always possible by the observability assumption). In virtue of (1) and (5), the estimation error

$$\tilde{x}_i \triangleq x - \hat{x}_i \tag{6}$$

associated to the ith sensor satisfies the relation:

x˜i+ = x+ − xˆi+ = ALi x˜i + Ew − Li i . (7)

For further use we define the estimation tracking error as

$$\hat{z}_i \triangleq \hat{x}_i - x_{\mathrm{ref}}. \tag{8}$$

2.3. Control action

The control mechanism has a switching¹ module (indicated as SW in Fig. 1), which selects at each instant of time one of the estimation tracking errors (8) from the set of available sensors (all of them assumed to be governed by healthy measurement equations as in (4)) such that a given cost function will be minimized:

zˆ∗ = min i∈I zˆi[−] T P zˆi[−] (9)

where P  0 (non-negative definite) can be arbitrarily chosen and the scalar  denotes a delay factor whose necessity will be detailed in Section 4. Further, the control action has the form:

$$u = u_{\mathrm{ref}} + v^* = u_{\mathrm{ref}} + K\hat{z}^*, \tag{10}$$

where K is an appropriately selected feedback gain (see Remark 1 below). Then, using (6), (10) can be reformulated as

u = uref + K(z[−] − x˜l[−] ) (11)

for some l ∈ I selected by the switching mechanism (9). Substituting in (3), leads to

z+ = Az + BKz[−] + Ew − BK x˜l[−] . (12)

¹ Note that, as discussed in [10] the switching has a leveling effect, in the sense that the response is comparable with fusion strategies that use information from all sensors to compute the feedback law.

Remark 1. Eq. (12) describes a linear delay difference equation affected by a switched disturbance. The global stability of the plant tracking errors is guaranteed if there exists a gain matrix K such that an equivalent augmented LTI system is stable (see e.g., [4]). In this case the state trajectory asymptotically converges to the origin in the absence of disturbances or to a bounded invariant set [1] in the case of bounded disturbances.

3. Invariant sets

For further use throughout the paper we need to guarantee the confinement of certain variables inside known regions of their associated space. We prefer to use invariant sets since, as per their definition, once the signal is inside such a domain, and as long as it is governed by the same dynamics, it remains inside at all future instants. There are various methods for computing invariant sets for a linear system affected by bounded disturbances. These constructions can be “arbitrarily precise”, in the sense that they can approximate, with any desired precision, the “smallest possible” invariant set associated with the system (see, e.g., [7]). To the estimation error (7) the following invariant set is associated:

S˜i = { x˜i : VLi−1 x˜i ≤ (I − |Li |)−1 VLi−1 [E −Li ] [w; i ] } (13)

where VLi and Li denote the matrices obtained from the Jordan decomposition ALi = VLi Li VLi−1 and w, i denote the elementwise maxima of sets W and i , respectively (i.e., w = max w∈W |w| and i = max i ∈i |i |, where the max operation is taken elementwise).

Similarly, an invariant set has to be constructed for the tracking error dynamics (12). Since this is a delay difference equation, an extended state model has to be considered in order to apply the invariant set description of [3]:

z+[−,0] = Az, z[−,0] + Bz, [x˜l[−] ; w] (14)

where Az, and Bz, are defined as

Az, = [0 I ... 0; ... ; 0 0 ... I; BK 0 ... A],  Bz, = [0 0; ... ; 0 0; −BK E].

To the extended system (14) the following invariant set can be associated:

Sz[−,0] = { z[−,0] : Vz,−1 z[−,0] ≤ (I − |z, |)−1 Vz,−1 Bz, max l∈I [x˜l ; w] } (15)

where Vz, and z, denote the matrices obtained from the Jordan decomposition Az, = Vz, z, Vz,−1 and x˜l , w denote the elementwise maxima of sets S˜l and W, respectively (i.e., x˜i = max x˜i ∈S˜i |x˜i |). The operator max l (elementwise maximum) is introduced in order to account for all possible sensors that can participate in the control action. It follows then that a bounding set, in which the tracking error, z, is guaranteed to reside as long as z[−,0] ∈ Sz[−,0] , can be defined:

Sz = conv j=−,...,0 projz[j] (Sz[−,0] ) (16)

where the projz[j] operator denotes the projection of its argument along the given subspace z[j] , i.e., projz[j] (Sz[−,0] ) = [0 . . . 0 I 0 . . . 0] Sz[−,0] , with the identity matrix I located in the j +  + 1 position.

Remark 2. Under some structural constraints related to the contractiveness of the difference-delay Eq. (14), invariant sets can be obtained directly in the original state space of z. Such constructions avoid the computational complexity related to the augmented state space in (14) and the projection mechanism in (16). However, their existence is guaranteed only under restrictive conditions (see [5]).

4. Fault tolerant control

In this section we describe the components of the fault tolerant control scheme and detail the interactions which will permit an optimum balance between reference tracking and fault detection guarantee. The components of the fault tolerant control scheme are

• the FDI (fault detection and isolation) block which detects changes to/from faulty functioning;
• the reconfiguration mechanism which changes the structure of the control action in order to mitigate or eliminate the effects of a fault;
• the reference governor which provides a reference guaranteeing fault detection.


The first two components above are standard ([2]), while the reference governor is a new element introduced in this paper. Usually in the literature [18], the fault tolerant problem is not treated as a whole: either the detection block or the reconfiguration block is discussed separately. This “piece-wise” analysis of a block rests on sometimes questionable assumptions for the other blocks of the FTC scheme (e.g., the reconfiguration is made by assuming that the FDI mechanism is exact). Thus, effects induced by the interactions and influences between the component blocks are typically not considered. We provide here an FTC mechanism which interacts as a whole and present the necessary conditions for an exact fault detection. To guarantee this, we build upon previous results described in [11,7] where invariant sets are used for translating the fault detection and isolation task into set membership tests. Compared with other uses of set membership techniques in the literature (e.g., [9]) the invariant-set approach avoids computationally demanding calculations during the on-line implementation since it eliminates the need to update the topology of the state regions at each sample of time.

4.1. Fault description

The faults considered here are abrupt total² sensor output outages. The failure is then represented by the following switch in the structure of the observation equation:

FAULT: yi = Ci x + i → yi = Fi
RECOVERY: yi = Ci x + i  yi = Fi . (17)

The noise affecting the observation channel during the fault, Fi ∈ Fi ⊂ Rpi , with Fi a bounded polyhedral set, may be different from the one during the healthy functioning, i .

² The developments can be readily extended to the case of partial outages but we stay in the framework of total outages for the sake of simplicity.

4.2. Fault detection and isolation

From the classical fault detection and isolation point of view [2], a signal called residual, sensitive to fault occurrences and with a manageable dependence on the disturbances, can be defined for the detection of faults. In principle, one can use the estimation provided by the observers (5) as a residual signal. In favor of this approach is the fact that the residual will have the same dimension as the state of the plant. On the other hand, the observer is also a filter and thus any detection of a fault, even of an abrupt one, may be delayed by the internal dynamics of the observer. Additionally, the estimation is constructed by taking into account the entire “history” of the input signals which may, in turn, lead to unpredictable results if the fault occurrences repeat frequently.

In light of these remarks we consider that it is more convenient to use directly the output of the sensor and the reference signals to construct a residual. However, the sensor output is often of lower dimension than the plant state, which means that any residual signal which uses information from only the output will be a projection from the original state space. To combine the best aspects of both approaches we propose here an “extended residual signal” which uses current and previous data such that the dimension of the information provided by the state is recovered:

ri = yi[−,0] − Ci, xref[−,0] − i, v[−,0] (18)

where  represents the length of the horizon of the stored information and matrices Ci, and i, are defined as follows:

i, = [0 ... 0 0; Ci B ... 0 0; ... ; Ci A−1 B ... Ci B 0],  Ci, = diag(Ci , . . . , Ci ) (+1 blocks). (19)

To simplify the analysis, the following assumption is made:

Assumption 2. The faults persist for at least  consecutive samples of time.

The residual signal under healthy, respectively faulty,³ functioning takes the form:

riH = i, z[−] + i, w[−,0] + i[−,0]
riF = −i, xref[−] − i, (uref[−,0] + v[−,0] ) + Fi[−,0] (20)

with the matrices i, and i, defined as follows:

i, = [Ci ; Ci A; ... ; Ci A],  i, = [0 ... 0 0; Ci E ... 0 0; ... ; Ci A−1 E ... Ci E 0]. (21)

³ By “faulty residual” we denote a residual signal for which all measurements yi over the horizon are under faulty functioning. That is, we are not trying to represent intermediate residual signals, where the fault is not yet propagated along the entire length of the horizon.

From (3), (10) and (11) it follows that

v[−,0] = diag(K, . . . , K) zˆl[−2,−] = diag(K, . . . , K) × (z[−2,−] − x˜l[−2,−] ) (22)

where each diag(K, . . . , K) has +1 blocks and l denotes the varying index minimizing the cost function (9) (with some abuse of notation we have just denoted l, but note that the index l can vary along the time window [− , 0]). Using the above results we are now able to construct the sets containing the values of the residual signal under healthy, respectively faulty functioning:

RiH = i, Sz ⊕ i, W+1 ⊕ i+1
RiF = {−i, xref[−] − i, uref[−,0] − i, v[−,0] } ⊕ (Fi )+1 . (23)

By checking if ri belongs to RiH , we can affirm that the ith sensor has had healthy functioning at  time instants in the past as long as condition

RiH ∩ RiF = ∅ (24)

is verified.

Remark 3. In the above relations we have made use of Assumption 2 to discard the transitory behavior of the residual signal during the first  steps after the occurrence of a fault. While the fault is not yet propagated along the entire length of the horizon, the location of the residual is indeterminate. This does not affect the correct functioning of the scheme since:

• if the residual remains in RiH the sensor is considered healthy, which is safe since the information provided by the sensor can only be used by the controller  steps in the future;
• if the residual jumps outside of RiH (not necessarily in RiF ) then the fault is detected and the sensor is discarded with anticipation.

Remark 4. In the current setting we assume that the gain matrix K is already fixed (see Remark 1) but K can actually be used to satisfy the separation condition (24) in the following way. We could start


by using a given set Sz conveniently chosen such that (24) (cf. (23)) is satisfied, and then we can find a matrix K such that the set is invariant. An analysis was carried out for the LTI case in [12] using results from [17].

To ensure the validity of all computed sets, a sensor’s associated estimation may be used for the control action if the sensor has a healthy functioning (4) and its estimation error (7) belongs to its invariant set (13). Considering these elements we are able to provide a partitioning of the set of sensor indices I which describes the healthy, under recovery and faulty sensors:

• IH , all the sensors acknowledged healthy (i.e., with healthy functioning (4) and estimation error (7) inside its invariant set (13)):

IH = {i ∈ IH− : ri ∈ RiH } ∪ {i ∈ IR− : x˜i[−] ∈ S˜i , ri ∈ RiH }

where IH− , IR− indicate the sets of healthy, respectively, under recovery, sensors at the previous time instant.

• IF , all the sensors acknowledged faulty (i.e., with faulty functioning (17)):

IF = {i ∈ I : ri ∉ RiH }

• IR , all the sensors under recovery (i.e., with healthy functioning and estimation error not yet inside its invariant set):

IR = I \ (IH ∪ IF )

such that I = IH ∪ IR ∪ IF and IH ∩ IF = ∅, IH ∩ IR = ∅ and IR ∩ IF = ∅, with the assumption that IH is not empty along the closed loop functioning (in order to guarantee the existence, at all times, of reliable information for feedback).

Remark 5. Note that the above relations are defined recursively and the transition of an index from a subset to another is decided by set membership testings. Moreover, as long as condition (24) holds for i ∈ I the subset IH contains only healthy sensors at  time instants in the past, thus making the FDI mechanism exact. The analysis of inclusion of unknown values x˜i[−] into set S˜i is required only when a previously faulty sensor regains its healthy functioning (IR → IH ). Extensive details and an algorithm to correctly perform the required transitions between the healthy, under recovery and faulty sets can be found in [13].

4.3. Reconfiguration of the control law

As seen in the previous subsection, if condition (24) holds, the healthy state of a sensor at  time instants in the past can be guaranteed. This permits the reconfiguration of the control action such that the scheme becomes fault tolerant. In the next subsection we provide a constructive procedure which assures the separation (24). As a consequence the selected index will be chosen from the pool of acknowledged healthy sensors and problem (9) becomes:

zˆ∗ = min i∈IH zˆi[−] T P zˆi[−] . (25)

As long as IH ≠ ∅ there will always exist a feasible choice, which, by virtue of computations in Section 3 will keep the tracking error inside its invariant set.

Remark 6. Additionally, this construction offers a justification for the use of delayed estimation to implement the controller. Since the FDI mechanism needs  instants of time for deciding the inclusion of an index into subset IH , the control action cannot safely use more recent information.

4.4. Reference governor

Previous works [11,7] assume that Eq. (2) is already bounded by a given set and use this information to analyze the feasibility of condition (24). Here, by considering that condition (24) needs to hold for each sensor we obtain a time-varying set, describing the admissible reference values:

Dref = {(xref[−] , uref[−,0] ) : (24) holds ∀i ∈ I}. (26)

Since we constrain the state and input references to take values only from their admissible set (26) we may no longer follow the desired trajectory. Consequently, a pair of input/state references will be sought which satisfy dynamics (2) and minimize the trajectory mismatch between an ideal trajectory and the constraints imposed in Dref . To this end we propose the use of a reference governor, implemented through receding horizon techniques which take properly into account the constraints upon the reference signals. Using (23) we rewrite the set (26) as:

Dref = {(xref[−] , uref[−,0] ) : [{−i, xref[−] − i, (uref[−,0] + v[−,0] )} ⊕ (Fi )+1 ] ∩ [i, Sz ⊕ i, W+1 ⊕ i+1 ] = ∅, ∀i ∈ I}. (27)

Remark 7. When  = 0 (i.e., when only current information is used in constructing the residuals) only conditions upon the present value of the state reference are necessary.

From Assumption 1 it follows that for any pair (A, Ci ) there exists a finite scalar oi called index of observability such that matrix i,oi calculated as in (21) is full rank. Further, for a delay factor  that verifies

 ≥ max i∈I oi (28)

we have that any of the matrices i, is full rank and has a number of rows greater than or equal to its number of columns. As a consequence, to each of them can be associated a full rank (pseudo)inverse, denoted as +i, , which allows us to rewrite (27) in a simpler, more direct, form:

Dref = {(xref[−] , uref[−,0] ) : xref[−] + +i, × i, (uref[−,0] + v[−,0] ) ∉ Pi , ∀i ∈ I} (29)

where Pi is a shorthand notation for:

Pi = −+i, (i, Sz ⊕ i, W+1 ⊕ i+1 ) ⊕ +i, (Fi )+1 . (30)

Remark 8. We observe that the proposed method does not require (28) to hold, but having a full rank i, is desirable in order to obtain larger (non-degenerate and connected) feasibility regions for the reference signals (see the illustrative example discussed in Section 5). It is not clear whether increasing the parameter  beyond the equality value in (28) will lead to larger regions, but an analysis to determine the optimal value of the parameter in each application can be carried out. However, this has to be weighed against the fact that an increased delay factor enlarges the tracking error invariant set and ultimately may cause the system to lose stability (for delay dependent stabilizability conditions see [4]).

Note also that in formulation (29) the variables xref[−] , uref[−,0] and v[−,0] are already fixed for the current instant of time k. However, the relation can be shifted to an arbitrary instant of time, i.e., faults that may occur at time instant j −  are detectable at time instant jth in the future if the following condition holds:

(xref[j−] , uref[j−,j] ) ∈ Dref[j] (31)


where Dref,[j] denotes the set Dref given as in (29) shifted j time instants ahead. Note that Dref in (29) corresponds to j = 0. In particular, for j ≥ , the reference signals xref[j−] and uref[j−,j] are no longer fixed and can be obtained as the result of an optimization problem.

Remark 9. As per relation (22) we notice that v[j−,j] is known for j ≤ 2 whereas for j > 2 a prediction has to be used. A more conservative approach is to use the sets (13) and (15) in (22) in order to provide a set bounding v[j−,j] :

v[j−,j] ∈ V, where V ≜ diag(K, . . . , K) (+1 blocks) Sz[−,0] ⊕ i∈I (−(S˜i ) ) (32)

which can be then introduced in the formulation of (26), its time-shifted versions Dref[j] , and in all subsequent relations concerning them.

The feedforward action uref is provided by the reference governor, which has to choose a feasible reference signal (such that (24) will be verified) and, at the same time, follow an ideal reference as close as possible. This problem can be cast as the optimization of a cost function under constraints (as given in (29)), and it will be solved here in a model predictive control (MPC) framework:

u∗ = arg min uref[0, ] j=0 (||r[j] − xref[j] ||Qr + ||uref[j] ||Rr ) (33)

subject to:

x+ref[j] = Axref[j] + Buref[j]
(xref[j−] , uref[j−,j] ) ∈ Dref[j] (34)

where r ∈ Rn is the ideal reference to be followed, ≥  is the prediction horizon, and Qr ∈ Rn×n and Rr ∈ Rm×m are weighting matrices. The current value of the input reference signal, uref (k), is taken as the first element of the sequence u∗ . Note that the optimization problem requires an a priori knowledge of the ideal reference signal r for at least instants in the future. Also, we observe that in this scheme with fixed gain matrix, the signal v is only a parameter which is strictly known for j ≤ 2 or can be predicted based on previous values and the linear dependence (22). However, v can become a free variable in the control design if the restriction to a linear feedback control structure (22) is removed. Also note that any required input and state constraints on the reference trajectory can be readily included as additional constraints in the optimization problem (33).

Fig. 2. State reference domain (shaded region) for two values of the horizon, for sensor 1.

Fig. 3. Representations of set defined by the right hand side of (37) for delay factor values of  = 1, 3, 5.

Fig. 4. Ideal reference (green circle) versus “fault-tolerant” reference (blue ellipse) provided by the reference governor. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

Fig. 5. Snapshot of the first component (the position) of the state reference (black) and sensor estimations (green, red and blue, respectively). (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

Remark 10. One can observe that the set (29) is the union of N nonconvex regions (the complements of the polyhedral sets Pi ). As a consequence, the optimization problem has to be solved over a nonconvex set which imposes the use of mixed-integer techniques [8]. To alleviate the computational burden specific to these techniques one can reduce the number of auxiliary variables as in [15].
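The following added example (not part of the original paper) works through the separation condition (24) and the admissible reference set (26) in the simplest setting, the zero-horizon case of Remark 7, using the sensor rows and noise bounds of (36) in Section 5. The box bound on the tracking error that stands in for the set Sz, the sample reference values and all function names are assumptions made for the illustration.

```python
"""Zero-horizon instance of the set-separation test (24) for scalar sensors.

Added illustration, not the authors' code. Sensor rows and noise bounds are
taken from (36); Z_BOUND is an ASSUMED box bound on the tracking error z that
stands in for the invariant set S_z (the paper computes S_z, this code does not).
"""
from itertools import product

# Output rows C_i with healthy and faulty noise bounds, as listed in (36).
SENSORS = {
    1: {"C": (0.35, 0.25), "noise": 0.1, "fault_noise": 1.0},
    2: {"C": (0.30, 0.80), "noise": 0.1, "fault_noise": 1.0},
    3: {"C": (0.15, 0.75), "noise": 0.1, "fault_noise": 1.0},
}
Z_BOUND = (0.5, 0.5)  # ASSUMPTION: |z_1| <= 0.5 and |z_2| <= 0.5
EPS = 1e-9            # tolerance for rounding exactly on the set boundary


def dot(row, vec):
    return sum(c * v for c, v in zip(row, vec))


def healthy_radius(sensor, z_bound=Z_BOUND):
    """Half-width h of the healthy residual interval: C * (z box) plus noise."""
    return dot([abs(c) for c in sensor["C"]], z_bound) + sensor["noise"]


def is_separated(sensor, x_ref, z_bound=Z_BOUND):
    """Condition (24) for one sensor.

    Healthy residuals lie in [-h, h]. After a total outage the residual is
    -C*x_ref plus fault noise: an interval of half-width f centred at
    -C*x_ref. The two intervals are disjoint iff |C*x_ref| > h + f.
    """
    h = healthy_radius(sensor, z_bound)
    return abs(dot(sensor["C"], x_ref)) > h + sensor["fault_noise"]


def sensors_without_guarantee(x_ref):
    """Sensors for which x_ref violates (24), i.e. an outage can be missed."""
    return [i for i, s in sorted(SENSORS.items()) if not is_separated(s, x_ref)]


def reference_admissible(x_ref):
    """Zero-horizon version of membership in the admissible set (26)."""
    return not sensors_without_guarantee(x_ref)


def classify(y, sensor, x_ref):
    """FDI set-membership test on the residual r = y - C*x_ref."""
    r = y - dot(sensor["C"], x_ref)
    return "healthy" if abs(r) <= healthy_radius(sensor) + EPS else "faulty"


def hardest_fault_output(sensor, x_ref):
    """Outage output, within the fault noise bound, closest to a healthy reading."""
    f = sensor["fault_noise"]
    return max(-f, min(f, dot(sensor["C"], x_ref)))


def healthy_vertex_outputs(sensor, x_ref, z_bound=Z_BOUND):
    """Extreme healthy outputs y = C*(x_ref + z) + noise over all box vertices."""
    outputs = []
    for signs in product((-1, 1), repeat=len(z_bound)):
        x = [xr + s * zb for xr, s, zb in zip(x_ref, signs, z_bound)]
        for noise_sign in (-1, 1):
            outputs.append(dot(sensor["C"], x) + noise_sign * sensor["noise"])
    return outputs


def audit(x_ref):
    """Per sensor: (no false alarm on healthy extremes, worst outage detected)."""
    report = {}
    for i, s in sorted(SENSORS.items()):
        no_false_alarm = all(
            classify(y, s, x_ref) == "healthy"
            for y in healthy_vertex_outputs(s, x_ref)
        )
        detected = classify(hardest_fault_output(s, x_ref), s, x_ref) == "faulty"
        report[i] = (no_false_alarm, detected)
    return report


if __name__ == "__main__":
    # Constructed reference values: admissible, partly admissible, origin.
    for x_ref in [(10.0, 2.0), (5.0, 0.0), (0.0, 0.0)]:
        print(x_ref, reference_admissible(x_ref), audit(x_ref))
```

A reference near the origin makes an outage indistinguishable from healthy operation for every sensor, which is the situation the reference governor is designed to steer away from.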

5. Illustrative example

Consider the linear time invariant system

$$x^+ = \begin{bmatrix} 1 & 0.1 \\ 0 & 1 \end{bmatrix} x + \begin{bmatrix} 0 \\ 0.5 \end{bmatrix} u + \begin{bmatrix} 0 \\ 0.1 \end{bmatrix} w \tag{35}$$

which models the dynamics of a double integrator affected by a bounded noise w ∈ W = {w : −0.1 ≤ w ≤ 0.1} and controlled through the signal u. The state is measured by a collection of sensors, defined by their output matrices and bounds upon their measurement noises under healthy and faulty functioning:

C1 = [0.35 0.25], |1 | ≤ 0.1, |F1 | ≤ 1
C2 = [0.30 0.80], |2 | ≤ 0.1, |F2 | ≤ 1
C3 = [0.15 0.75], |3 | ≤ 0.1, |F3 | ≤ 1. (36)

The gain matrices Li are chosen such that the estimator poles are placed in the interval [0.75, 0.90]. In order to extract the feasible region defining xref from (31) we consider the most favorable uref[0,] ∈ Uref (since this signal represents the degree of freedom in the reference management technique) and all realizations of v[0,] are available in order to account for all feedback control values permitted by its structure:

xref ∉ Pi ⊕ (−+i, i, V)  (−+i, i, Uref ). (37)

where Uref denotes an admissible input reference set and V is as defined in (32), with K = [0.5141 0.6867].

For comparison purposes the admissible set of references will be considered for various constructions of residual signals. In Fig. 2(A) only current information is used for constructing the residual signal ( = 0 in (18)) whereas in Fig. 2(B) a horizon of length  = 1 is used (as per relation (28) this value suffices in recovering the entire information since the pairs (A, Ci ) are observable with observability indices oi = 1, i = 1, 2, 3). Note that by using a window of observation for constructing the residual signal we increase the state reference domain over which detection is possible.

Note that in the set computations which produce the sets depicted in Fig. 2(A) and (B) different values of the sets Sz and Sz[−,0] bounding the tracking error and extended tracking error, respectively, were used. For  = 0 the sets coincide and can be obtained as in (13) by applying the techniques presented in [3] upon the tracking error dynamics (12). In turn for  ≥ 1 the construction detailed in Eqs. (14)–(16) has to be used.

In Fig. 3 the set defined by the right hand side of (37) is shown for values 1, 3 and 5 of the delay factor . Recall that , as seen in (12), also influences the stabilizability of the system. An increase in the value of  increases the bounds of (16) and will eventually lead to instability. The appropriate compromise has to be found between accuracy of fault detection and the performance of the closed loop dynamics. In this particular case, of a double integrator, the algorithm (see Remark 1) which provides a feedback gain matrix reports a feasible gain matrix for any value of the delay factor.

We use an ideal reference r = 50 · [sin t  cos t] in the reference governor cost function (33) with weight matrices Qr = [1 1; 0 1] and Rr = 1. Using a horizon of length  = 1 we observe in Fig. 4 that the ideal reference (green circle) does not respect the constraint given in (29). This means that a scheme that does not modify the reference signal to achieve fault tolerance (such as in [11,7]) is not applicable for this ideal reference since the separation condition (24) does not hold. The proposed reference governor, however, provides a corrected signal (blue ellipse) which will be tracked by the scheme even in the presence of faults.

To test the performance of the scheme, a fault affecting the first sensor is applied between t1 = 4 s, t2 = 6 s and the sensor is recovered at t3 = 6.3 s. The fault is acknowledged at s1 = t1 = 4 s and the recovery at s2 = 9.2 s. A snapshot of the reference and sensor estimations is provided in Fig. 5 for the first of their components (the position). It can be seen that the fault is detected (the state estimation of the fault affected sensor is depicted in green; the estimation of the healthy functioning sensors is depicted in blue and respectively red; the state reference is depicted in black) and the tracking of the reference is achieved.

6. Conclusions

The paper has presented a fault tolerant control scheme based on a reconfigurable control action for LTI systems. The detection of abrupt faults was realized through set membership testing. The reference followed by the system was obtained through a reference governor which employs a receding horizon technique in order to determine a reference which guarantees correct fault detection at all times.

References

[1] F. Blanchini, S. Miani, Set-Theoretic Methods in Control, Birkhauser, 2007.
[2] M. Blanke, M. Kinnaert, J. Lunze, M. Staroswiecki, Diagnosis and Fault-Tolerant Control, Springer, 2006.
[3] E. Kofman, H. Haimovich, M.M. Seron, A systematic method to obtain ultimate bounds for perturbed systems, International Journal of Control 80 (2) (2007) 167–178.
[4] W. Lombardi, A. Luca, S. Olaru, S. Niculescu, State admissible sets for discrete systems under delay constraints, in: Proceedings of the 29th American Control Conference, 30 June–2 July, IEEE, Baltimore, Maryland, USA, 2010, pp. 5185–5190.
[5] W. Lombardi, S. Olaru, M. Lazar, S. Niculescu, On positive invariance for delay difference equations, in: 30th American Control Conference, San Francisco, California, USA, 29 June–1 July, 2011, pp. 3674–3679.
[6] J. Maciejowski, C. Jones, MPC fault-tolerant flight control case study: flight 1862, in: Proceedings of the 4th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes, Washington, DC, USA, June, 2003, pp. 121–126.


[7] S. Olaru, J.A. De Doná, M.M. Seron, F. Stoican, Positive invariant sets for fault tolerant multisensor control schemes, International Journal of Control 83 (12) (2010) 2622–2640.
[8] A. Osiadacz, Integer and combinatorial optimization, George L. Nemhauser and Laurence A. Wolsey, Wiley-Interscience Series in Discrete Mathematics and Optimization, New York, 1988, ISBN 0-471-82819-X, 763 pp, International Journal of Adaptive Control and Signal Processing 4 (4) (1990) 333–334.
[9] P. Planchon, J. Lunze, Diagnosis of linear systems with structured uncertainties based on guaranteed state observation, International Journal of Control Automation and Systems 6 (June (3)) (2008) 306–319.
[10] M.M. Seron, J.A. De Doná, S. Olaru, Fault tolerant control allowing sensor healthy-to-faulty and faulty-to-healthy transitions, IEEE Transactions on Automatic Control (July 2012), doi:10.1109/TAC.2011.2178716.
[11] M.M. Seron, X.W. Zhuo, J.A. De Doná, J. Martinez, Multisensor switching control strategy with fault tolerance guarantees, Automatica 44 (1) (2008) 88–97.
[12] F. Stoican, S. Olaru, G. Bitsoris, A fault detection scheme based on controlled invariant sets for multisensor systems, in: Proceedings of the 2010 Conference on Control and Fault Tolerant Systems (Systol’2010), Nice, France, 6–8 October, 2010, pp. 468–473.
[13] F. Stoican, S. Olaru, J.A. De Doná, M.M. Seron, Improvements in the Sensor Recovery Mechanism for a Multisensor Control Scheme, in: Proceedings of the 29th American Control Conference, Baltimore, Maryland, USA, 30 June–2 July, 2011, pp. 4052–4057.
[14] F. Stoican, S. Olaru, M.M. Seron, J.A. De Doná, Reference governor for tracking with fault detection capabilities, in: Proceedings of the 2010 Conference on Control and Fault Tolerant Systems (Systol’2010), Nice, France, 6–8 October, 2010, pp. 546–551.
[15] F. Stoican, I. Prodan, S. Olaru, On the hyperplanes arrangements in mixed-integer techniques, in: Proceedings of the 30th American Control Conference, San Francisco, California, USA, 29 June–1 July, 2011, pp. 1898–1903.
[17] M. Vassilaki, J. Hennet, G. Bitsoris, Feedback control of linear discrete-time systems under state and control constraints, International Journal of Control 47 (6) (1988) 1727–1735.
[18] Y. Zhang, J. Jiang, Bibliographical review on reconfigurable fault-tolerant control systems, Automation and Remote Control 32 (2) (2008) 229–252.
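The healthy/faulty residual separation that the illustrative example of Section 5 relies on can be checked with interval arithmetic when only current information is used, because each sensor in (36) has a scalar output. The following is an added example, not code from the paper: the fault model (a faulty sensor outputs only its noise), the residual r_i = y_i − C_i x_ref and the tracking-error box `Z_BOUND` are assumptions, while the C_i and the noise bounds are taken from (36).

```python
# Added example: interval version of residual separation for the sensors in (36).
# ASSUMPTIONS (not from the page): a faulty sensor outputs only noise (y_i = eta_F),
# the residual is r_i = y_i - C_i * x_ref, and the tracking error lies in a box Z_BOUND.
C = [(0.35, 0.25), (0.30, 0.80), (0.15, 0.75)]   # output matrices C1..C3 from (36)
ETA_H, ETA_F = 0.1, 1.0                          # healthy / faulty noise bounds from (36)
Z_BOUND = (0.5, 0.5)                             # constructed bound |z_k| <= 0.5 (assumption)

def healthy_radius(i, z_bound=Z_BOUND):
    """Half-width of the healthy residual interval: |C_i z + eta| <= sum|C_ik| z_k + ETA_H."""
    return sum(abs(c) * z for c, z in zip(C[i], z_bound)) + ETA_H

def faulty_center(i, x_ref):
    """Under the assumed fault the residual is -C_i x_ref + eta_F, centred at -C_i x_ref."""
    return -sum(c * x for c, x in zip(C[i], x_ref))

def separable(x_ref, z_bound=Z_BOUND):
    """Per sensor: True when the healthy and faulty residual intervals are disjoint."""
    return [abs(faulty_center(i, x_ref)) > healthy_radius(i, z_bound) + ETA_F
            for i in range(len(C))]

def classify(i, y, x_ref, z_bound=Z_BOUND):
    """Set-membership test on one measurement y of sensor i."""
    r = y - sum(c * x for c, x in zip(C[i], x_ref))
    in_h = abs(r) <= healthy_radius(i, z_bound)
    in_f = abs(r - faulty_center(i, x_ref)) <= ETA_F
    if in_h and in_f:
        return "ambiguous"          # sets overlap: no detection guarantee at this x_ref
    return "healthy" if in_h else "faulty" if in_f else "outside"

if __name__ == "__main__":
    # Constructed references: near the origin the sets overlap, further away they separate.
    for x_ref in [(0.0, 0.0), (10.0, 0.0), (20.0, 0.0)]:
        print(x_ref, separable(x_ref))
```

A reference is usable for guaranteed detection only when every entry of `separable` is true, which is why references close to the origin have to be corrected by the governor.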