Tolerance of intermittent controller faults via hybrid system approach ¹

8th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (SAFEPROCESS) August 29-31, 2012. Mexico City, Mexico

Hao Yang ∗, Bin Jiang ∗, Vincent Cocquempot ∗∗, Youmin Zhang ∗∗∗, Huajun Gong ∗

∗ College of Automation Engineering, Nanjing University of Aeronautics and Astronautics, China
∗∗ LAGIS, UMR CNRS 8219, Université Lille 1 : Sciences et Technologies, France
∗∗∗ Department of Mechanical and Industrial Engineering, Concordia University, Canada.

¹ This work is supported by National Natural Science Foundation of China (61104116), Doctoral Fund of Ministry of Education of China (20113218110011) and NUAA Research Funding (NS2011016).

978-3-902823-09-0/12/$20.00 © 2012 IFAC. 10.3182/20120829-3-MX-2028.00057

Abstract: This paper addresses the tolerance issue of intermittent controller faults at the system level. A control system with intermittent faults is modeled by a stochastic hybrid system, whose stability is shown to be equivalent to the fault tolerability of the original system. A “global dissipativity” concept is introduced for the hybrid system to derive its stability condition, which can be checked easily via the proposed “gain technique”. Our results show that it may not be necessary to apply the fault tolerant scheme in spite of intermittent faults. A spacecraft attitude control example is taken to illustrate the efficiency of the proposed method.

1. INTRODUCTION

1.1 Background

Intermittent faults occur frequently and irregularly, commonly due to manufacturing residuals, oxide degradation, process variations, in-progress wear-out, etc. They appear in many real applications such as automotive, avionics, telecommunications and computers; see Braun and Koeppl (2010); Hamel et al. (2004); Bennett et al. (1999), to name a few. Unlike permanent faults, which have been extensively researched in the control field, an intermittent fault may be active for a period of time, causing a malfunction of the system, or may be inactive in another period, allowing the system to work correctly.

Most of the faults occurring in electronic and digital systems are intermittent faults, as described in Gracia et al. (2008). With the continuous decrease of semiconductors' cost, feature size and threshold voltage, microprocessors have been widely used in control systems. This, however, increases the system's failure rates due to intermittent faults that may appear in controllers, actuators, sensors or the plant. Solder joints electrically connecting these components to the board can become cracked and intermittently connected due to physical wear over time.

Fruitful results have been reported on modeling, detection and diagnosis of intermittent faults, see Su et al. (1978); Ismaeel and Bhatnagar (1997); Contant et al. (2004); Bondavalli et al. (2000). Some recovery techniques have also been presented for intermittent faults in the computer science area, e.g., in Yang et al. (2005); Kandasamy and Hayes (2003). Most of these techniques run at the equipment level. In Mhaskar et al. (2006) and Bennett et al. (1999), fault tolerant control schemes are developed to accommodate the intermittent sensor faults at the system level.

In this paper, we focus on the tolerance problem of the intermittent controller fault at the system level. The fault occurs in the control processor and directly results in a deviation of the controller output. Existing fault tolerant control (FTC) techniques designed for permanent faults are difficult to use for such a fault for three reasons:

1. FTC largely relies on control reconfiguration, for which a healthy controller is a basic requirement. It is hard to adjust the controller to accommodate a fault in itself.
2. FTC often takes control cost. Since an intermittent fault may occur frequently, if we apply the FTC scheme every time there is an intermittent fault, much control effort has to be made. This is often not admissible in practical applications.
3. Frequent FTC actions may bring large overshoots and oscillations of the system signals. This degrades the system performance and may even destroy the stability of the system.

1.2 The main idea

A natural question arises: Is it possible to find an effective, economical and gentle solution to accommodate intermittent controller faults? The answer is positive, as will be shown in this work.

We model the control system with the considered faults and noises by a stochastic hybrid system where each mode is described by a stochastic differential equation that represents the healthy or faulty situation; the mode switching is governed by a Markov process, since the activating/inactivating rates of intermittent faults often follow a Markovian jumping rule as in Su et al. (1978). The main benefits of using such a model are twofold:

1. We analyze the performance of the control system throughout the entire process whenever the fault occurs, rather than investigating pre-fault and post-fault situations separately. The transient behavior due to faults can be taken into account by using hybrid system theories.
2. The fault tolerance problem of the original system can be transferred into the stability problem of the hybrid system with unstable modes. Some useful analysis tools for switched and hybrid systems can be used.

It is well known that the whole hybrid system may be stable even with some unstable modes, see, e.g., Yang et al. (2010). Correspondingly, even if the intermittent fault destabilizes the system temporarily, the overall control performance may still be maintained without taking any FTC action. This property can help to check whether the FTC law should be applied in the current faulty conditions.

For the considered stochastic hybrid system, we propose a “global dissipativity” concept, which means that the total energy stored by the system is less than the total energy supplied from the outside. The novelty of global dissipativity is that it emphasizes the energy balance throughout the overall system process rather than in each mode of the hybrid system (i.e., when the control system is healthy or faulty). The stability of the system can be achieved via global energy dissipativity. We further provide a “gain technique” to check the global dissipativity easily; consequently, the fault tolerability can be checked.

The rest of the paper is organized as follows: Section 2 presents some preliminaries. Section 3 analyzes the global dissipativity and proposes a “gain technique”. Section 4 applies the result to spacecraft attitude control, followed by conclusions in Section 5.

2. PRELIMINARIES

2.1 Notations

Let $\mathbb{R}$ denote the field of real numbers and $\mathbb{R}^r$ the $r$-dimensional real vector space. $|\cdot|$ is the Euclidean norm. $P(\cdot)$ is the probability, whereas $E[\cdot]$ represents the expectation. $C^2(\mathbb{R}^n; \mathbb{R}_+)$ denotes the set of all nonnegative functions with continuous 2nd derivatives. Class $\mathcal{K}$ is a class of strictly increasing and continuous functions $[0, \infty) \to [0, \infty)$ which are zero at zero. Class $\mathcal{K}_\infty$ is the subset of $\mathcal{K}$ consisting of all those functions that are unbounded. $\beta : [0, \infty) \times [0, \infty) \to [0, \infty)$ belongs to class $\mathcal{KL}$ if $\beta(\cdot, t)$ is of class $\mathcal{K}$ for each fixed $t \ge 0$ and $\beta(s, t)$ decreases to 0 as $t \to \infty$ for each fixed $s \ge 0$. $t^-$ denotes the left limit time instant of $t$. $(\cdot)^\top$ is the transposition. $\mathrm{Tr}[\cdot]$ denotes the trace.

2.2 Problem formulation

Consider a stochastic hybrid system:

$$dx = f(x, u_\sigma(x))\,dt + g(x, u_\sigma(x))\,dW \tag{1}$$

where the state $x \in \mathbb{R}^n$ and $W$ is an $r$-dimensional standard Brownian motion. The input is denoted by $u_{\sigma(t)}$, where $\sigma(t)$ is a switching function representing the healthy and faulty controller cases. Such a switching function is described by a right-continuous Markov chain that takes values in a finite state space $\mathcal{M} = \{0, 1, 2, ..., m\}$. $\sigma = 0$ denotes the healthy controller case, while $\sigma = i$ ($i = 1, ..., m$) denotes the $i$th intermittent faulty case of the controller. We further have

$$P\{\sigma(t + \Delta) = j \mid \sigma(t) = i\} = \begin{cases} \rho_{ij}\Delta + o(\Delta) & i \ne j \\ 1 + \rho_{ii}\Delta + o(\Delta) & i = j \end{cases} \tag{2}$$

where $0 \le \rho_{ij} < 1$ represents the fault occurrence rate from mode $i$ to mode $j$ if $i \ne j$, and $\rho_{ii} = -\sum_{j \ne i} \rho_{ij}$. $\Delta > 0$ is the infinitesimal transition time interval and $o(\Delta)$ is composed of infinitesimal terms of order higher than that of $\Delta$.

The model of $u_\sigma(x)$ is quite general and can represent any state feedback control law, and also covers the intermittent controller faults. We do not restrict $u_\sigma$ into any form in the presence of faults. For each fixed $\sigma$, both $f$ and $g$ satisfy the Lipschitz and the linear growth conditions, which guarantee that each mode has a unique solution. We assume that $\sigma$ is independent of the Brownian motion $W$.

Assumption 1: There exist $\alpha_1^p, \alpha_2^p \in \mathcal{K}_\infty$ and $m + 1$ functions $V_p \in C^2(\mathbb{R}^n; \mathbb{R}_+)$ associated with the mode $p$ of the system (1) such that

$$\alpha_1^p(|x|) \le V_p(x) \le \alpha_2^p(|x|), \quad \forall p \in \mathcal{M} \tag{3}$$

$$\text{under } u_0 \implies \mathcal{L}V_0(x) \le -\eta_0 V_0(x) \tag{4}$$

$$\text{under } u_i,\ i \in \mathcal{M} - \{0\} \implies \mathcal{L}V_i(x) \le \eta_1 V_i(x) \tag{5}$$

where $\eta_0, \eta_1 > 0$, and

$$\mathcal{L}V_p(x) \triangleq \frac{\partial V_p(x)}{\partial x} f_p(x) + \frac{1}{2}\mathrm{Tr}\Big[g_p^\top(x)\,\frac{\partial^2 V_p(x)}{\partial x^2}\,g_p(x)\Big] \tag{6}$$

Assumption 1 implies that in the healthy condition, the controller $u_0(x)$ stabilizes the control system as in (4). This can be achieved by many existing control methods. However, during the period when the $i$th intermittent fault is active, the faulty input $u_i$ may not stabilize the system; $V_i$ may increase and $x$ may escape to a large region or infinity as in (5). The system may even become uncontrollable.

According to the generalized Itô formula in Skorohod (1989), one has

$$E[V_{\sigma(t_2)}(x(t_2))] = E[V_{\sigma(t_1)}(x(t_1))] + E\Big[\int_{t_1}^{t_2} \mathcal{L}V_{\sigma(t)}(x(t))\,dt\Big]$$

for any stopping times $t_1, t_2$ as long as the involved integrals exist and are finite. In the following, we assume that the integrals in the above equation always exist and are finite for any $0 \le t_1 \le t_2 < \infty$.

Definition 1: The equilibrium $x = 0$ of the system (1) is stable at $t \ge 0$ in probability if $\forall \epsilon > 0$, there exists a function $\gamma \in \mathcal{K}_\infty$ such that $\forall x(0) \in \mathbb{R}^n \setminus \{0\}$

$$P\big(|x(t)| < \gamma(|x(0)|)\big) \ge 1 - \epsilon \tag{7}$$

Our objective is to provide the fault tolerance conditions of the system (1), such that the origin of the overall control system process is always stable in the sense of (7) even without any FTC scheme.

3. GLOBAL DISSIPATIVITY

In this section, we introduce the dissipativity concept to the stochastic hybrid system and derive a new stability condition with its checking method.

3.1 Dissipativity and stability

Definition 2 (Thygesen (1999)): A system $\Sigma : dx = f(x)\,dt + g(x)\,dW$, $x \in \mathbb{R}^n$ is dissipative if there exists a nonnegative function $V : \mathbb{R}^n \to \mathbb{R}$, which satisfies $V(0) = 0$, called the storage function, and a supply rate $r(x)$, such that for all initial states $x(0) \in \mathbb{R}^n$ and stopping time $t \ge 0$

$$\underbrace{E[V(x(t))] - V(x(0))}_{\text{stored energy}} \le \underbrace{E\Big[\int_0^t r(x(s))\,ds\Big]}_{\text{supplied energy}} \tag{8}$$

where $x(t)$ are the states at time $t$.

$r(x)$ in Definition 2 represents some quantity sent to the system from its environment. The inequality (8) formalizes the property that the increase in stored energy is never greater than the amount of energy supplied by the environment. It has been proved in Thygesen (1999) that if $r(x) \le 0\ \forall x$, then the dissipativity implies the stability of the system $\Sigma$. Now we extend the above definition to the switching case.

Definition 3: A hybrid system (1) is globally dissipative at the stopping time $T \ge 0$ if there exist $m + 1$ storage functions $V_q$ for $q \in \mathcal{M}$ satisfying Assumption 1 such that $\forall x(0) \in \mathbb{R}^n$

$$E[V_{\sigma(T)}(x(T))] - V_{\sigma(0)}(x(0)) - \psi_{tr}(x(0)) \le E\Big[\int_0^T r(s)\,ds\Big] \tag{9}$$

where $r(s) \le 0$. $\psi_{tr}$ is bounded by a constant and tends to zero as $x(0)$ goes to origin.

The right side of (9) denotes the total supplied energy of all modes. The left side of (9) represents the sum of stored energies, which could also be written as

$$\sum_{k=0}^{N_{\sigma(T)}} E\Big[V_{\sigma(t_{k+1}^-)}(x(t_{k+1}^-)) - V_{\sigma(t_k)}(x(t_k))\Big]$$

with $N_{\sigma(t)}$ representing the number of switchings in $[0, t)$, $t_0 = 0$, $t_{N_{\sigma(T)}+1} = T$. The total transient energy is

$$\psi_{tr} = \sum_{k=1}^{N_{\sigma(T)}} E\Big[V_{\sigma(t_k)}(x(t_k)) - V_{\sigma(t_k^-)}(x(t_k^-))\Big]$$

Since $r(s) \le 0$, inequality (9) means that the total stored energy is still dissipative in spite of some faulty modes. The decreasing of the supplied energy during $[0, T)$ can compensate for the increasing energy due to faults as shown in Fig. 1. Global dissipativity balances the total energy, while no individual dissipativity of each mode is required.

[Fig. 1. Energy variation of different modes. Figure labels: energy increase, energy decrease; dissipative and non dissipative modes.]

Theorem 1: If the hybrid system (1) is globally dissipative at $t$, then the origin of (1) is stable at $t$.

Proof (sketch): Since $r(s) \le 0$, $E\big[\int_0^T r(s)\,ds\big] \le 0$. Thus

$$E[V_{\sigma(T)}(x(T))] \le V_{\sigma(0)}(x(0)) + \psi_{tr}(x(0))$$

According to Chebyshev's inequality (Skorohod (1989)), we have for any $\gamma(|x(0)|) \in \mathcal{K}_\infty$,

$$P\Big(V_{\sigma(T)}^{1/2}(x(T)) \ge \gamma(|x(0)|)\Big) \le \frac{V_{\sigma(0)}(x(0)) + \psi_{tr}(x(0))}{\gamma(|x(0)|)^2}$$

It follows from (3) that

$$P\Big(V_{\sigma(T)}^{1/2}(x(T)) < \gamma(|x(0)|)\Big) \le P\Big(|x(T)| < \underbrace{(\alpha_1^{\sigma(T)})^{-1} \circ \big(\gamma(|x(0)|)^2\big)}_{\bar\gamma(|x(0)|)}\Big) \tag{10}$$

This further results in

$$P\big(|x(T)| < \bar\gamma(|x(0)|)\big) \ge 1 - \frac{V_{\sigma(0)}(x(0)) + \psi_{tr}(x(0))}{\gamma(|x(0)|)^2} \tag{11}$$

Note that $\psi_{tr}$ is bounded by a constant and tends to zero as $x(0)$ goes to origin. For any given $\gamma(|x(0)|)$, we can always find a $\bar\gamma \in \mathcal{K}_\infty$ to satisfy (7).

3.2 Gain technique

One obstacle appears when we use (9) since we are not sure whether there is a bound of the total transient energy $\psi_{tr}$ at any time $t$. In the following, we propose a “gain technique” to check the condition (9) more easily. This technique relies on the trade-off among the fault occurrence transition rate, the frequency of switching, and the gain of Lyapunov functions along the solution of the system.

For the sake of convenience, we put (4) and (5) in Assumption 1 together as:

$$\mathcal{L}V_p(x) \le \eta V_p(x), \quad \forall p \in \mathcal{M} \tag{12}$$

where $\eta = -\eta_0$ or $\eta_1$ depending on different modes. It follows that $\forall p \in \mathcal{M}$

$$E[V_p(x(t_2))] - E[V_p(x(t_1))] \le E\Big[\int_{t_1}^{t_2} \eta V_p(x)\,dt\Big] \tag{13}$$

Remark 1: Condition (12) is more general than that in Chatterjee and Liberzon (2007) where $\eta < 0$ for all modes. Moreover, unlike Chatterjee and Liberzon (2007), we do not impose µ-constraint on the ratio relations between $V_p$ and $V_q$, i.e. $V_p \le \mu V_q$ for $p, q \in \mathcal{M}$, $\mu \ge 1$.

We denote the $j$th switching instant by $t_j$, $j = 1, 2, ...$, $t_0 = 0$. $N_{\sigma(t)}$ represents the finite number of switchings in the time interval $[0, t)$. Also denote

$$\eta \otimes (t_1 - t_2) \triangleq \eta_0 \Delta t_1 + \eta_1 \Delta t_2 \tag{14}$$

for any two time instants $t_1, t_2$. $\Delta t_1$ denotes the total time period in $[t_1, t_2]$ when mode 0 is active, while $\Delta t_2$ is the total time period when other modes are active.

To present our result, we need the following lemma:

Lemma 1 (Chatterjee and Liberzon (2007)): Suppose that $\sigma$ is a Markov chain satisfying (2). It holds that $\forall t \ge 0$, $\forall k \in \mathbb{N}$

$$P(N_\sigma(t) = k) \le e^{-\tilde\lambda t}\,\frac{(\bar\lambda t)^k}{k!}$$

where $\bar\lambda \triangleq \max\{|\rho_{ii}| \mid i \in \mathcal{M}\}$, $\tilde\lambda \triangleq \max\{\rho_{ij} \mid i, j \in \mathcal{M}\}$.

Theorem 2: Under Assumption 1, the origin of the system (1) is stable at $t$ under $\sigma(t)$ if there exists a constant $\beta > 0$ such that

$$\sum_{k=0}^{N_{\sigma(t)}} \Big(e^{\eta \otimes (t_{N_{\sigma(t)}+1} - t_k)}\Big) \le \beta e^{(\tilde\lambda - \bar\lambda)t}, \quad \forall t \ge 0 \tag{15}$$

Remark 2: $e^{\eta \otimes (t_{i+1} - t_i)}$ is the bound of the gain of function $V_{\sigma(t_i)}$ when mode $\sigma(t_i)$ is activated. Condition (15) gives a relation among the gains of all activated modes. The origin of the hybrid system is stable if the product of gains from all activated modes to the terminated mode is bounded, and the sum of these products is also bounded. Roughly speaking, condition (15) implies that the activating period of mode 0 (healthy mode) is long enough compared with that of other modes.

Proof of Theorem 2 (sketch): We first prove that the system is globally dissipative, then the stability follows from Theorem 1.

Consider $t \in [0, t_1)$. Since $\frac{d}{dt}E[V(x)] = E[\mathcal{L}V(x)]$, inequality (12) yields

$$E[V_{\sigma(0)}(x(t_1))] \le e^{\eta t_1} V_{\sigma(0)}(x(0)) \tag{16}$$

From (3) we also have (writing $V_p^{t}$ for $V_p(x(t))$)

$$E[V_{\sigma(t_1)}^{t_1}] \le E[V_{\sigma(0)}^{t_1}] + E\big[\underbrace{\alpha_2^{\sigma(t_1)}(|x(t_1)|) - \alpha_1^{\sigma(t_1^-)}(|x(t_1)|)}_{\vartheta_{t_1}(|x(t_1)|)}\big]$$

where $\vartheta_{t_1} \in \mathcal{K}_\infty$. Note that $\bar\lambda \ge \tilde\lambda$, so condition (15) ensures that $e^{\eta t_1} \le \beta$. It follows from (16) and the proof of Theorem 1 that we can find a $\delta_{t_1} \in \mathcal{K}_\infty$ such that for any given $\kappa > 0$

$$P\big(\vartheta_{t_1}(|x(t_1)|) < \delta_{t_1}(|x(0)|)\big) \ge 1 - \kappa \tag{17}$$

It follows that

$$E[\vartheta_{t_1}(|x(t_1)|)] \le \alpha_{t_1}(|x(0)|) \tag{18}$$

where $\alpha_{t_1} \in \mathcal{K}_\infty$. For $t \in [t_1, t_2)$, we have

$$E[V_{\sigma(t)}^{t}] \le e^{\eta t} V_{\sigma(0)}(x(0)) + e^{\eta(t - t_1)}\alpha_{t_1}(|x(0)|)$$

Since $V_{\sigma(0)}^{0}$ and $\alpha_{t_1}(|x(0)|)$ are bounded, this together with (15) leads to

$$E[V_{\sigma(t_2)}^{t_2}] \le E[V_{\sigma(t_2^-)}^{t_2}] + \alpha_{t_2}(|x(0)|)$$

for $\alpha_{t_2} \in \mathcal{K}_\infty$. By induction, we find that under condition (15) there exists a function $\alpha \in \mathcal{K}_\infty$ such that at each switching instant $t_i > 0$, $i = 1, 2, ...$

$$E[V_{\sigma(t_i)}(x(t_i))] \le E[V_{\sigma(t_i^-)}(x(t_i))] + \alpha(|x(0)|) \tag{19}$$

where $\alpha(|x(0)|) = \max_{i=1,2,...}[\alpha_{t_i}(|x(0)|)]$.

Denote $j = N_{\sigma(t)}$ for $t \ge 0$, $j \ge 0$; it follows from (12) that

$$E[V_{\sigma(t)}(x(t))] \le E\big[e^{\eta \otimes t} V_{\sigma(0)}(x(0))\big] + E\Big[\sum_{k=1}^{N_{\sigma(t)}} \Big(e^{\eta \otimes (t_{N_{\sigma(t)}+1} - t_k)}\alpha(|x(0)|)\Big)\Big] \tag{20}$$

Based on (3) and (19), there exists a $\mathcal{K}_\infty$ function $\bar\alpha$ such that

$$\bar\alpha(|x(0)|) = \max\big[\alpha_2^{\sigma(0)}(|x(0)|),\ \alpha(|x(0)|)\big] \tag{21}$$

Substituting (21) into (20), together with condition (15) and Lemma 1, yields

$$\begin{aligned} E[V_{\sigma(t)}(x(t))] &\le E\Big[\sum_{k=0}^{N_{\sigma(t)}} \Big(e^{\eta \otimes (t_{N_{\sigma(t)}+1} - t_k)}\bar\alpha(|x(0)|)\Big)\Big] \\ &\le \sum_{s=0}^{\infty} P(N_{\sigma(t)} = s) \sum_{k=0}^{s} \Big(e^{\eta \otimes (t_{s+1} - t_k)}\bar\alpha(|x(0)|)\Big) \\ &\le \beta\bar\alpha(|x(0)|) \end{aligned} \tag{22}$$

We can obtain directly from (22) that

$$E[V_{\sigma(t)}(x(t))] - V_{\sigma(0)}(x(0)) - \varpi(x(0)) \le 0 \tag{23}$$

where $\varpi(x(0)) \triangleq \beta\bar\alpha(|x(0)|) - V_{\sigma(0)}(x(0))$. Since $\beta$ is a constant and $\bar\alpha \in \mathcal{K}_\infty$, it follows that $\varpi(x(0))$ is bounded by a constant and tends to zero as $x(0)$ goes to origin. Thus the hybrid system is globally dissipative. The stability result can be obtained from Theorem 1.

Remark 3: Generally, the condition (15) cannot be used to verify a priori whether the system is fault tolerable. This is due to the randomness of the fault occurrence rate: $N_\sigma(T, t)$ is not determined at each time $T$. However, inequality (15) is very useful and convenient to check online the fault tolerance of the system (with an effective fault diagnosis scheme) in the current situation.

Remark 4: $\beta$ in (15) could be an arbitrary positive constant. It can be seen from Definition 1 and (23) that the larger $\beta$ is, the larger $\gamma(|x(0)|)$ is. $\beta$ could be chosen according to the practical bound of $x$ that is acceptable for the control system.

If inequalities (3), (4) and (5) in Assumption 1 are satisfied with a common function $V_0$, then the stability condition becomes simpler, as given below:

Corollary 1: If Assumption 1 is satisfied with a common $V_0$, the origin of the system (1) is stable at $t$ under $\sigma(t)$ if there exists a constant $\beta > 0$ such that

$$e^{\eta \otimes t_{N_{\sigma(t)}+1}} \le \beta e^{(\tilde\lambda - \bar\lambda)t}, \quad \forall t \ge 0 \tag{24}$$

Proof: Since a common $V_0$ is used, it is not necessary to introduce the difference $\alpha(|x(0)|)$. Following the similar way as in the proof of Theorem 1, one has that

$$E[V_0(x(t))] \le \beta\alpha_2^0(|x(0)|) \tag{25}$$

The result follows.
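An added example (not code from the paper) of the online check that Remark 3 and Corollary 1 describe, for the two-mode case with a common V0: it evaluates condition (24) in logarithmic form over a log of switching instants such as a fault diagnosis scheme would supply. The rates ρ01 = 0.5, ρ10 = 0.8 and β = 2 are the Section 4 values; η0 = 1, η1 = 2, all function names and the two fault logs are assumptions constructed for illustration, and η ⊗ t is taken as the time integral of the signed rate η of (12).

```python
import math
import random


def simulate_switching(rho01, rho10, horizon, rng):
    """Sample the two-mode Markov chain sigma(t) on [0, horizon).

    Mode 0 = healthy controller, mode 1 = faulty controller.  Holding times
    are exponential with rates rho01 (leaving 0) and rho10 (leaving 1).
    Returns [(switch_time, new_mode), ...] starting with (0.0, 0).
    """
    t, mode, events = 0.0, 0, [(0.0, 0)]
    while True:
        t += rng.expovariate(rho01 if mode == 0 else rho10)
        if t >= horizon:
            return events
        mode = 1 - mode
        events.append((t, mode))


def log_gain(events, t, eta0, eta1):
    """Exponent of the accumulated gain over [0, t]: the signed rate of (12),
    -eta0 while mode 0 is active and +eta1 otherwise, integrated over time."""
    total = 0.0
    for k, (start, mode) in enumerate(events):
        if start >= t:
            break
        end = events[k + 1][0] if k + 1 < len(events) else t
        total += (-eta0 if mode == 0 else eta1) * (min(end, t) - start)
    return total


def check_condition_24(events, horizon, eta0, eta1, beta, lam_bar, lam_tilde):
    """Check log_gain(t) <= ln(beta) + (lam_tilde - lam_bar) * t on [0, horizon].

    Both sides are piecewise linear in t with kinks only at switching
    instants, so testing t = 0, each switching instant and t = horizon is exact.
    Returns (tolerable, worst_time, worst_margin); margin > 0 is a violation.
    """
    times = sorted({0.0, horizon} | {tk for tk, _ in events if tk < horizon})
    worst_time, worst_margin = 0.0, -math.inf
    for t in times:
        bound = math.log(beta) + (lam_tilde - lam_bar) * t
        margin = log_gain(events, t, eta0, eta1) - bound
        if margin > worst_margin:
            worst_time, worst_margin = t, margin
    return worst_margin <= 0.0, worst_time, worst_margin


# Rates and beta from Section 4 of the paper; ETA0 and ETA1 are assumed values.
RHO01, RHO10, BETA = 0.5, 0.8, 2.0
LAM_BAR = max(RHO01, RHO10)    # max |rho_ii|
LAM_TILDE = max(RHO01, RHO10)  # max rho_ij; equals LAM_BAR, as the paper notes
ETA0, ETA1 = 1.0, 2.0

# Constructed fault logs (switch time in seconds, new mode), not measured data.
SHORT_FAULTS = [(0.0, 0), (2.0, 1), (2.5, 0), (6.0, 1), (7.0, 0)]
EARLY_LONG_FAULT = [(0.0, 0), (0.2, 1), (1.2, 0)]

if __name__ == "__main__":
    for name, log, horizon in [("short faults", SHORT_FAULTS, 10.0),
                               ("early long fault", EARLY_LONG_FAULT, 2.0)]:
        ok, when, margin = check_condition_24(
            log, horizon, ETA0, ETA1, BETA, LAM_BAR, LAM_TILDE)
        print(f"{name}: tolerable={ok}, worst margin {margin:+.3f} at t={when:.2f}s")
    sampled = simulate_switching(RHO01, RHO10, 20.0, random.Random(1))
    print("sampled run:", check_condition_24(
        sampled, 20.0, ETA0, ETA1, BETA, LAM_BAR, LAM_TILDE))
```

A positive worst margin marks the instant at which the accumulated faulty-mode gain first outweighs the healthy-mode decay the most, which is where an FTC action would be warranted under these assumed rates.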

4. SPACECRAFT ATTITUDE CONTROL

A spacecraft attitude control system (ACS) is a typical safety critical system, whose fault tolerant control problem has attracted a lot of attention, e.g., Jiang et al. (2008); Cai et al. (2008); Hu et al. (2011); Xiao et al. (2011), to name a few. Among these schemes, various control reconfiguration schemes are developed and applied once a fault occurs.

Consider a spacecraft ACS with reaction wheels being the actuators. The controller generates the torque command voltage and sends it to the motor, which consequently drives the reaction wheel to control the attitude of the spacecraft. We pay attention to the intermittent faults occurring in the controller unit. The fault directly results in a deviation of the torque command voltage from normal, and subsequently affects the motor torque and reaction torque. This makes the attitude control performance significantly degraded or even unacceptable.

A spacecraft's attitude model originated from Wie (2008) with state feedback controller and intermittent faults is given as

$$J\dot\omega = -\omega^\times J\omega + u_\sigma(\omega, q, q_4) \tag{26}$$

$$\dot q = \frac{1}{2}(\tilde q_4 + 1)\omega + \frac{1}{2}\omega^\times q \tag{27}$$

$$\dot{\tilde q}_4 = -\frac{1}{2}\omega^\top q \tag{28}$$

where $\omega \in \mathbb{R}^3 \triangleq [\omega_1\ \omega_2\ \omega_3]^\top$ represents the inertial angular velocity vector. $q \in \mathbb{R}^3 \triangleq [q_1\ q_2\ q_3]^\top$, $q_4$ is a scalar, and $q_1$, $q_2$, $q_3$ and $q_4$ denote the quaternions. $\tilde q_4 \triangleq q_4 - 1$. $J = J^\top$ is the positive definite inertia matrix. The cross product is defined as:

$$\omega^\times \triangleq \begin{bmatrix} 0 & -\omega_3 & \omega_2 \\ \omega_3 & 0 & -\omega_1 \\ -\omega_2 & \omega_1 & 0 \end{bmatrix} \tag{29}$$

The actual control torques generated by the reaction wheel are denoted by $u_{\sigma(t)}$. It is clear that the origin of the ACS (26)-(27), (28) is $\omega = q = 0$, $q_4 = 1$. In the simulation, let $g(x) = [\omega^\top\ 0]^\top$.

A simple nominal controller originated from Wie (2008) is given as follows:

$$u_0 = \omega^\times J\omega - k_1 J\omega - \frac{1}{2}Jq + \frac{J\omega}{2(\omega^\top\omega + \epsilon)}\big(-k_2 q^\top q - k_3 \tilde q_4^\top \tilde q_4\big) \tag{30}$$

where $k_1, k_2, k_3 > 0$, and $\epsilon > 0$ is an arbitrarily small constant.

Define a Lyapunov candidate function $V_0 = \omega^\top\omega + q^\top q + \tilde q_4^\top \tilde q_4$; one has that

$$\mathcal{L}V_0 = (-2k_1 + 1)\omega^\top\omega + \frac{\omega^\top\omega}{\omega^\top\omega + \epsilon}\big(-k_2 q^\top q - k_3 \tilde q_4^\top \tilde q_4\big) \le -\eta_0 V_0 \tag{31}$$

where $\eta_0 > 0$. The last inequality can be obtained by appropriate selections of $k_1$, $k_2$ and $k_3$.

Now we consider an intermittent fault occurring in one operational amplifier of the controller, which leads to

$$u_1 = \omega^\times J\omega \;\; k_{1f} J\omega - \frac{1}{2}Jq + \frac{J\omega}{2(\omega^\top\omega + \epsilon)}\big(-k_{2f} q^\top q - k_{3f} \tilde q_4^\top \tilde q_4\big) \tag{32}$$

where $k_{1f}, k_{2f}, k_{3f} > 0$. The feedback gain changes due to such an intermittent fault. Consequently we have

$$\mathcal{L}V_0 \le \eta_1 V_0 \tag{33}$$

where $\eta_1 > 0$.

To this end, the operation of the ACS can be regarded as a stochastic hybrid system with two modes, $\sigma(t) = 0$ or $1$, depending on whether the ACS is in the normal operating condition or the controller faulty condition. Assumption 1 is satisfied with a common $V_0$. $\sigma(t)$ is modeled as a Markov chain with generator $-\rho_{00} = \rho_{01} > 0$ and $-\rho_{11} = \rho_{10} > 0$. This means that $\bar\lambda = \tilde\lambda$.

In the simulation, the inertia matrix is chosen as in Wie (2008):

$$J = \begin{bmatrix} 1200 & 100 & -200 \\ 100 & 2200 & 300 \\ -200 & 300 & 3100 \end{bmatrix} \text{kg} \cdot \text{m}^2 \tag{34}$$

The initial parameters are $(\omega_1, \omega_2, \omega_3) = (0.2, -0.1, 0.1)$ (rad/s), $(q_1, q_2, q_3, q_4) = (0.5, 0.5, 0.5, -0.5)$. Suppose that $-\rho_{00} = \rho_{01} = 0.5$ and $-\rho_{11} = \rho_{10} = 0.8$. $\beta = 2$, $\epsilon = 0.001$. $k_1 = k_2 = k_3 = 10$, $k_{1f} = 5$, $k_{2f} = k_{3f} = 3$.

Fig. 2 shows the trajectories of the spacecraft under the healthy condition; it can be found that the system is stable. Fig. 3 represents the switching function $\sigma(t)$, under which the condition (15) is satisfied. The trajectories are illustrated in Fig. 4, from which we can see that the states are always bounded in spite of the fault.

5. CONCLUSION

For a control system in practical application, hardware and software redundancy should be implemented for the FTC purpose. This paper provides a fault tolerance analysis method from the hybrid system point of view. This can help us to check whether it is necessary to apply the FTC law in the current faulty situation. Such a method could potentially be combined with existing FTC techniques to provide a comprehensive FTC framework.

[Fig. 2. State trajectories in the healthy situation. Panels: angular velocities (rad/s) and quaternions (q1, q2, q3, q4) versus t/s.]

[Fig. 3. State trajectories. Plot: switching function versus t/s.]

[Fig. 4. State trajectories. Panels: angular velocities (rad/s) (ω1, ω2, ω3) and quaternions (q1, q2, q3, q4) versus t/s.]

REFERENCES

S. M. Bennett, R. J. Patton, and S. Daley. Sensor fault-tolerant control of a rail traction drive. Control Engineering Practice, 7(2):217–225, 1999.

A. Bondavalli, S. Chiaradonna, F. D. Giandomenico, and F. Grandoni. Threshold-based mechanisms to discriminate transient from intermittent faults. IEEE Transactions on Computers, 49(3):230–244, 2000.

D. Braun and G. S. Koeppl. Intermittent line-to-ground faults in generator stator windings and consequences on neutral grounding. IEEE Transactions on Reliability, 25(2):876–881, 2010.

W. Cai, X. Liao, and Y. D. Song. Indirect robust adaptive fault-tolerant control for attitude tracking of spacecraft. Journal of Guidance, Control and Dynamics, 31(5):1456–1463, 2008.

D. Chatterjee and D. Liberzon. On stability of randomly switched nonlinear systems. IEEE Transactions on Automatic Control, 52(12):2390–2394, 2007.

O. Contant, S. Lafortune, and D. Teneketzis. Diagnosis of intermittent faults. Discrete Event Dynamic Systems: Theory and Applications, 14:171–202, 2004.

J. Gracia, L. Siaz, J. Baraza, D. Gil, and P. Gil. Analysis of the influence of intermittent faults in a microcontroller. pages 1–6. Workshop on Design and Diagnostics of Electronic Circuits and Systems, Bratislava, Slovakia, 2008.

A. Hamel, A. Gaudreau, and M. Côté. Intermittent arcing fault on underground low-voltage cables. IEEE Transactions on Power Delivery, 19(4):1862–1868, 2004.

Q. Hu, B. Xiao, and Y. M. Zhang. Fault-tolerant attitude control for spacecraft under loss of actuator effectiveness. Journal of Guidance, Control, and Dynamics, 34(3):927–932, 2011.

A. A. Ismaeel and R. Bhatnagar. Test for detection & location of intermittent faults in combinational circuits. IEEE Transactions on Reliability, 46(2):269–274, 1997.

T. Jiang, S. Tafazoli, and K. Khorasani. Parameter estimation-based fault detection, isolation and recovery for nonlinear satellite models. IEEE Transactions on Control Systems Technology, 16(4):799–808, 2008.

N. Kandasamy and J. P. Hayes. Transparent recovery from intermittent faults in time-triggered distributed systems. IEEE Transactions on Computers, 52(2):113–125, 2003.

P. Mhaskar, A. Gani, C. McFall, P. D. Christofides, and J. F. Davis. Fault-tolerant control of nonlinear systems subject to sensor data losses. pages 3498–3505. 45th IEEE Conference on Decision and Control, New Orleans, USA, 2006.

A. V. Skorohod. Asymptotic Methods in the Theory of Stochastic Differential Equations. American Mathematical Society, Providence, 1989.

S. Su, I. Koren, and Y. K. Malaiya. A continuous-parameter Markov model and detection procedures for intermittent faults. IEEE Transactions on Computers, C-27(6):567–570, 1978.

U. H. Thygesen. On dissipation in stochastic systems. pages 1430–1434. 1999 American Control Conference, California, USA, 1999.

B. Wie. Space Vehicle Dynamics and Control (2nd Edition). AIAA, 2008.

B. Xiao, Q. Hu, and Y. M. Zhang. Fault-tolerant attitude control for flexible spacecraft without angular velocity magnitude measurement. Journal of Guidance, Control, and Dynamics, 34(5):1556–1561, 2011.

H. Yang, B. Jiang, and V. Cocquempot. Fault Tolerant Control Design For Hybrid Systems. Springer-Verlag, Berlin Heidelberg, 2010.

J. Yang, Q. Jiang, and D. Manivannan. A fault-tolerant distributed channel allocation scheme for cellular networks. IEEE Transactions on Computers, 54(5):616–629, 2005.