Dominique Sauter,
Frédéric Hamelin,
and Didier Theilliol
Fault-Tolerant Control
Application to a Winding Machine
Over the past two decades, the growing demand for reliability in industrial processes has drawn increasing attention to the problem of fault detection and isolation (FDI), but only a few studies have been dedicated to the related fault-tolerant control (FTC) problem. A fault (abrupt or incipient) is any kind of malfunction or degradation in the plant that can lead to a reduction in performance or loss of important functions, impairing safety. Therefore, FTC can be motivated by different goals depending on the application under consideration; for instance, safety in flight control or reliability, or quality improvements in industrial processes.

Although FTC is a recent research topic in control theory, the idea of controlling a system that deviates from its nominal operating conditions has been investigated by many researchers. The methods for dealing with this problem usually stem from linear-quadratic, adaptive, or robust control. The problems to consider in the design of a fault-tolerant controller are quite particular. First, the number of possible faults, and consequently actions, is very large. Second, the occurrence of a fault can make the system evolve far from its normal operating conditions and can lead to a drastic change in system behavior. It is often a rapid change, and the time for accommodation is very short. Furthermore, correct isolation of the faulty component is required to react successfully, a rather difficult problem in the case of closed-loop systems. Finally, FTC is a multivariable problem, with strong coupling between the different variables.

Various approaches for fault-tolerant control have been suggested in the literature [40]. From the application viewpoint, flight-control systems have represented the main area of research, and only a few studies have been devoted to industrial processes. One of the main goals of this article is to show that these approaches are appropriate to such systems.
Fault-tolerant control systems are characterized here by their capabilities, after fault occurrence, to recover performance close to the nominal desired performance. In addition, their ability to react successfully (stably) during a transient period between the fault occurrence and the performance recovery is an important feature. Accommodation capability of a control system depends on many factors such as the severity of the failure, the robustness of the nominal system, and the actuators' redundancy.

Figure 1. The fault-tolerant control problem. (Figure labels: Normal Operating Conditions, Performance.)
Actually, fault-tolerant control concepts can be separated into "passive" and "active" approaches. The passive approach uses robust control techniques to ensure that a closed-loop system remains insensitive to certain faults. When redundant actuators are available, methods dealing with this approach are also called reliable control methods [ X I , [48], [56]. In the active approach, a new set of control parameters is determined such that the faulty system reaches the nominal system performance. The principle of active approaches, illustrated by Fig. 1, is very simple. After the fault occurrence, the system deviates from its nominal operating point defined by its input/output variables $(u_0, y_0)$ to a faulty one (U, , y, ). The goal of fault-tolerant control is to determine a new control law that takes the degraded system parameters into account and drives the system to a new operating point (u,,y,) such that the main performance parameters (stability, accuracy, etc.) are preserved (i.e., are as close as possible to the initial parameters). It is, therefore, important to define precisely the degraded modes that are acceptable with regard to the required performance parameters, since after the occurrence of faults, conventional feedback-control design may result in unsatisfactory performance such as tracking error, instability, and so on.
When the exact model of the failed system is known, the control system can be accommodated so that system performance parameters are recovered and the new system behaves as initially specified. Gao and Antsaklis [17], [18] and Morse and Ossman [31] suggest a basic approach based on what they call the pseudoinverse method. In practice, however, the faults are unanticipated and the model of the impaired system is not available.
To overcome the limitations of conventional feedback control, new controllers have been developed with accommodation capabilities or tolerance to faults. These fault-tolerant controllers belong to different categories:

* Adaptive control seems to be the most natural approach to accommodate faults; the faults' effects appear as model parameter changes and are identified online, and the control law is reconfigured automatically based on new parameters [8], [%I , [42], [55]. Wu et al. [54] consider a loss of effectiveness in actuators and suggest using an augmented state Kalman filter to estimate both the fault-free state and the faulty parameters. The estimated fault-free state is used to feed the controller. All these approaches have the advantage of not requiring that the faults be categorized a priori, although the design of robust identification and control algorithms presents significant challenges.
* Integrated approaches represent another trend [33]. They integrate fault monitoring and control procedures. In this case, the possible actuator or sensor faults are represented by signals and are estimated by the same algorithm that computes the control law [32], [44], [47]. The faults are modeled first, then the controller is built to be insensitive to these faults, but the operator should be aware of possible faults through the alarm-monitoring function.
* The fault-tolerant control problem can also be formulated as a multiobjective problem based on the assumption that, like the uncertainties, the faults' effects can be expressed by means of linear fractional transformation (LFT). Following this methodology, a linear matrix inequality formulation for fault-tolerant controller synthesis has been recently introduced by Chen et al. [10]. Another approach based on convex optimization has been also considered where an LQ controller is used and the reconfiguration is achieved by choosing new values of the weighting matrices in the performance index to offset the effect of faults [29], [43].
* Finally, another way to achieve fault-tolerant control relies on supervised control where an FDI unit provides information about the location and time occurrence of any fault. Faults are compensated via an appropriate control law triggered according to the diagnosis of the system. This can be achieved by using gain scheduling [24] or compensation via additive input design [34], [46].

Methods combining model-based and knowledge-based or heuristic techniques were also successfully used to tune the controller [1], [2], [27], [40].
The fault-tolerant control method described in this article aims to compensate for both actuator and sensor faults. An actuator fault, for instance, a loss in effectiveness, acts on the system as a disturbance. In the nominal control law, the presence of an integrator in the controller may compensate only for the static error but not for the loss in dynamic performance.
IEEE Control Systems Magazine, February 2000
In the fault-free case, the measurements issued from the sensors are equal to the real outputs. When a sensor fault occurs, the integral control law makes the tracking error (the error between the measurements and the reference values) go to zero. Hence, the real output is far from the desired value. The usual recommendation is to replace this measurement either by another one, if a redundant sensor is available, or by its estimation obtained via a state estimator. This is not always the best solution, however, since the state estimator is driven by measurements.

A natural way to cope with the FTC problem is to modify the controller parameters according to an online identification of the system parameters when a fault occurs. However, due to difficulties inherent to the online multivariable identification in closed-loop systems, such as noise or the lack of excitation signals, we propose an alternative based on the computation of a new control law to be added to the nominal one. But since this new control law is not the same for both cases, an FDI module is necessary to isolate the faulty element accurately.

This article is organized as follows. First, we describe the fault effects on the system, and then we review the tracking nominal control design. Next, we describe the principle of the fault-tolerant control method in the presence of actuator and sensor faults, and then we present the fault diagnosis architecture used to isolate the faulty element. After summarizing the general FTC scheme, we present the experimental results of applying this method to a winding machine. Finally, concluding remarks are given.

Fault Description
Consider the discrete linear system given by the following state-space representation:

$$x(k+1) = A x(k) + B u(k), \qquad y(k) = C x(k), \tag{1}$$

where $x \in \mathbb{R}^n$ is the state vector, $y \in \mathbb{R}^q$ the output observation vector, $u \in \mathbb{R}^m$ the input vector, and $A$, $B$, and $C$ are known matrices of appropriate dimensions. Different additive and/or multiplicative faults may affect the system due to abnormal operation or to material aging. Additive faults characterize sensor or actuator faults, while the multiplicative ones designate component faults.

In the fault-diagnosis literature, a distinction should be made between additive and multiplicative faults; however, for fault-tolerant control, the aim is to compensate for all faults, whatever their types.

A classical way of representing component faults is to consider variations in the parameters of the system. Therefore, the component faults (i.e., internal faults) that are due to changes in the process coefficients are assumed to produce deviations in the parameters of the system. After the fault occurrence, the model of the system becomes

$$x_f(k+1) = A_f x_f(k) + B_f u(k), \qquad y_f(k) = C_f x_f(k), \tag{2}$$

where $f$ denotes the faulty index. The various matrices involved in the system description are modified according to:

$$A_f = A + \delta A, \qquad B_f = B + \delta B, \qquad C_f = C + \delta C, \tag{3}$$

where $\delta A$, $\delta B$, and $\delta C$ are the parameter deviations from the nominal operating values.

In the sequel, only actuator and sensor faults are considered. Additive faults are usually described using an unknown input vector $f \in \mathbb{R}^k$ acting directly on the dynamics or on the measurements of the system. For instance, an actuator fault should be represented by

$$B_f = B\,(I + \mathrm{diag}(\alpha(k))), \tag{4}$$

with $\alpha = [\alpha_1 \ \ldots \ \alpha_i \ \ldots \ \alpha_m]^T$, and in the case of complete loss of the ith actuator, $\alpha_i = -1$. As $B_f$ is an unknown matrix, the state-space representation of the faulty system requires the definition of an unknown input $f_a$, which is equal to zero in the fault-free case

$$x(k+1) = A x(k) + B u(k) + F_a f_a(k), \qquad y(k) = C x(k). \tag{5}$$

Likewise, in the presence of a sensor fault characterized by changes of matrix $C$,

$$C_f = (I + \mathrm{diag}(\beta(k)))\,C, \tag{6}$$

with $\beta = [\beta_1 \ \ldots \ \beta_i \ \ldots \ \beta_q]$, the state-space representation is

$$x(k+1) = A x(k) + B u(k), \qquad y(k) = C x(k) + F_s f_s(k). \tag{7}$$

Before handling faults that can occur on the system, the objective is to design a nominal tracking control where outputs are required to track reference inputs.
Nominal Tracking Control Design
In tracking control, the number of outputs that have to follow a reference input vector, $y_r$, must be less than or equal to the number of control inputs [12]. Thus, the output equation in (1) can be rewritten as:

(8)

where $y_1 \in \mathbb{R}^p$ ($p \le m$) represents the vector of p outputs that are required to follow the reference input vector $y_r$. The feedback controller is required to cause the output vector $y_1$ to track the reference input vector in the sense that in steady state,

(9)

To achieve this task, a comparator and integrator vector $z$ is added to satisfy the following relation:

where $T_s$ is the sampling interval. Therefore, the open-loop system is governed by the augmented state and output equations, where $I_p$ is an identity matrix of dimension p:

The nominal feedback control law of this system can be computed by:

with $X = [x^T \ z^T]^T$ and $K = [K_1 \ K_2]$ being the feedback gain matrix obtained, for instance, by pole assignment, linear quadratic optimization, and so on. To achieve this control law, the state variables are assumed to be available for measurement. Moreover, the state space considered here is the one where the outputs are the state variables ($C$ is the identity matrix $I_n$). In the opposite case, the control law is computed using the estimated state variables obtained, for instance, by a Kalman filter.

Fault-Tolerant Control
Once the FDI module indicates which sensor or actuator is faulty, the fault magnitude is estimated and a new control law is added to the nominal one to thwart the fault effect on the system. As sensor and actuator faults do not act in the same way on the system, the additive control law is not the same for both cases. Thus, in the sequel, the first part deals with actuator faults and then sensor faults are considered. Moreover, only one fault is assumed to occur at the same time.

Actuator Fault Estimation
In the presence of an actuator fault and according to (5) and (11), the augmented state-space representation of the system is written as

To estimate the fault magnitude $f_a$, the system given by (13) is considered in the following form:

$$\bar{E}_a \bar{X}_a(k+1) = \bar{A}_a \bar{X}_a(k) + \bar{B}_a u(k) + \bar{C}_a y_r(k), \tag{14}$$

where:

(15)

In (14), $\bar{E}_a$ is a matrix of full column rank. Thus, the estimation of the fault magnitude $f_a$ makes use of the following singular-value decomposition (SVD) 15], [20].

Let

be the SVD of $\bar{E}_a$ and partition $T = [T_1 \ T_2]$. Thus, $S$ is a diagonal and nonsingular matrix, and $T$ and $M$ are orthogonal matrices.

Using this SVD and replacing it in (14) leads to

X" (k+l )= A"Xce(k)+ Bc, U(k)+"y'(k)' (16)

with

where $\bar{E}_a^{+}$ is the pseudoinverse of matrix $\bar{E}_a$.

Hence, solving (16) gives an estimation $\hat{f}_a$ of the fault magnitude $f_a$, which is the last component of the augmented state vector $\bar{X}_a$. This estimation is then used to determine the additive control law able to reduce the fault effect on the system outputs. Notice from relation (15) that the estimation of the fault magnitude $f_a$ at instant $(k)$ depends on the system outputs $y$ at instant $(k+1)$. To avoid this problem, computation of the fault estimation is delayed by one sample.

Actuator Fault Compensation
Replacing the nominal control law (12) in the equations of the system affected by an actuator fault (5) leads to the closed-loop state-space representation

We propose computing a new control law $u_{ad}$ to be added to the nominal one to compensate for the fault effect on the system. Therefore, the total control law applied to the system is given by

$$u(k) = -[K_1 \ K_2]\,X(k) + u_{ad}(k).$$

Hence, the closed-loop state equation becomes

$$x(k+1) = (A - BK_1)\,x(k) - BK_2\,z(k) + F_a f_a(k) + B u_{ad}(k). \tag{20}$$

The additional control law $u_{ad}$ must be computed such that the faulty system is as close as possible to the nominal one. In other terms, $u_{ad}$ must satisfy

$$B u_{ad}(k) + F_a f_a(k) = 0. \tag{21}$$

Using the estimation of the fault magnitude described in the previous section, the solution of (21) can be obtained by the following relation if matrix $B$ is of full row rank

$$u_{ad}(k) = -B^{+} F_a f_a(k), \tag{22}$$

where $B^{+}$ is the pseudoinverse of matrix $B$. The existence of a solution $u_{ad}$ is discussed in the Appendix.

Sensor Fault Estimation
If a sensor fault occurs on the system, the nominal control law is modified to have a zero static error. But in this case, the real output is far from its nominal value. Hence, in the presence of a sensor fault, this control law must be prevented from reacting, unlike the case of an actuator fault. This can be achieved by canceling the fault effect on the control input.

For sensor faults, the output equation given in (7) is decomposed according to (8):

In this case, the integral error vector $z$ is described by

$$z(k+1) = z(k) + T_s\,(y_r(k) - y_1(k)) = z(k) + T_s\,(y_r(k) - C_1 x(k) - F_{s1} f_s(k)). \tag{24}$$

The sensor fault magnitude can be estimated in a way similar to actuator fault estimation, by describing the augmented system as follows:

$$\bar{E}_s \bar{X}_s(k+1) = \bar{A}_s \bar{X}_s(k) + \bar{B}_s u(k) + \bar{C}_s y_r(k), \tag{25}$$

where:

(26)

Hence, using the SVD of $\bar{E}_s$, as described under "Actuator Fault Estimation," allows an estimation of the sensor fault magnitude $\hat{f}_s$.

Sensor Fault Compensation
In the same way, when a sensor fault occurs, an additive control law is added to the nominal one

$$u(k) = -K_1 x(k) - K_2 z(k) + u_{ad}(k). \tag{27}$$

In the presence of a sensor fault, both the output $y$ and the integral error $z$ are affected such that

$$y(k) = x(k) = x_0(k) + F_s f_s(k), \qquad z(k) = z_0(k) + \tilde{f}(k), \qquad \tilde{f}(k) = \tilde{f}(k-1) - T_s F_{s1} f_s(k-1), \tag{28}$$

where $x_0$ and $z_0$ are the fault-free values of $x$ and $z$, and $\tilde{f}$ is the integral of $F_{s1} f_s$. This leads the control law to be given by

Clearly, since the sensor fault magnitude $\hat{f}_s$ is estimated, the fault effect can be canceled by computing $u_{ad}$ such that

Figure 2. Fault diagnosis architecture.
Figure 3. Fault-tolerant control scheme.

It has been shown that the new control law added to the nominal one is not the same in the case of an actuator or sensor fault. Thus, the ability of this FTC method to compensate for faults is closely related to the results given by the FDI module concerning the decision of whether a sensor or an actuator fault has occurred.
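The actuator case described above, as an added example that is not code from the article: a constructed, decoupled three-channel plant under the integral tracking law u = -K1 x - K2 z, a 70% loss of effectiveness on the third actuator, and the additive law u_ad = -B^+ F_a f_a with the estimate delayed by one sample. The plant values, the pole locations and the direct least-squares estimate of f_a (used here in place of the article's SVD-based estimator) are assumptions, and the FDI decision (third actuator) is taken as given.

```python
# Added example: constructed plant, not the identified winding-machine model.
TS = 0.1                      # sampling interval [s]
A = [[0.4, 0.0, 0.0], [0.0, 0.6, 0.0], [0.0, 0.0, 0.5]]   # constructed
B = [[1.5, 0.0, 0.0], [0.0, 0.5, 0.0], [0.0, 0.0, 2.0]]   # constructed
Y_REF = [0.1, 0.1, 0.1]       # constant reference inputs (constructed)
POLES = (0.5, 0.9)            # nominal closed-loop poles per channel (assumed)
FAULT_AT = 320                # fault appears at sample 320, i.e. 32 s
ALPHA = -0.7                  # B_f = B (I + diag(alpha)): 70 % loss of effectiveness
FAULTY = 2                    # index of the faulty actuator, as isolated by FDI


def matvec(m, v):
    return [sum(mij * vj for mij, vj in zip(row, v)) for row in m]


def gains():
    """Pole placement per channel for x+ = a x + b u, z+ = z + Ts (yr - x),
    u = -k1 x - k2 z; characteristic polynomial l^2 - (p+1) l + p - b k2 Ts."""
    p1, p2 = POLES
    p = p1 + p2 - 1.0                         # required value of a - b*k1
    k1 = [(A[i][i] - p) / B[i][i] for i in range(3)]
    k2 = [(p - p1 * p2) / (B[i][i] * TS) for i in range(3)]
    return k1, k2


def estimate_fault(x_next, x, u, i):
    """Least-squares solution of x(k+1) - A x(k) - B u(k) = F_a f_a(k),
    with F_a taken as the i-th column of B (loss of effectiveness)."""
    resid = [xn - p - q for xn, p, q in zip(x_next, matvec(A, x), matvec(B, u))]
    f_col = [row[i] for row in B]
    return sum(f * r for f, r in zip(f_col, resid)) / sum(f * f for f in f_col)


def simulate(ftc, steps=800):
    """Run the closed loop; returns the post-fault integral of |tracking error|
    on the faulty channel, the final error, and the last estimate and input."""
    k1, k2 = gains()
    x, z, u_ad, u = [0.0] * 3, [0.0] * 3, [0.0] * 3, [0.0] * 3
    iae, f_hat = 0.0, 0.0
    for k in range(steps):
        u = [-k1[i] * x[i] - k2[i] * z[i] + u_ad[i] for i in range(3)]
        u_eff = list(u)
        if k >= FAULT_AT:
            u_eff[FAULTY] *= 1.0 + ALPHA      # what the plant actually receives
        x_next = [p + q for p, q in zip(matvec(A, x), matvec(B, u_eff))]
        z = [zi + TS * (r - xi) for zi, r, xi in zip(z, Y_REF, x)]
        if ftc:
            # f_a(k) needs x(k+1), so it only acts on the next control sample.
            f_hat = estimate_fault(x_next, x, u, FAULTY)
            # With F_a the i-th column of an invertible B, B^+ F_a is the
            # i-th unit vector, so u_ad = -B^+ F_a f_hat touches one input.
            u_ad = [0.0] * 3
            u_ad[FAULTY] = -f_hat
        x = x_next
        if k >= FAULT_AT:
            iae += abs(Y_REF[FAULTY] - x[FAULTY]) * TS
    return {"iae": iae, "final_error": Y_REF[FAULTY] - x[FAULTY],
            "f_hat": f_hat, "u": u[FAULTY]}


if __name__ == "__main__":
    for label, flag in (("nominal law only", False), ("with u_ad", True)):
        print(label, simulate(flag))
```

In both runs the integrator eventually removes the static error; the difference is in the transient, which is what the integral of the absolute error measures.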
Fault Diagnosis
Diagnosis is the primary stage of fault-tolerant control systems. Its goal is to perform two main decision tasks: fault detection, consisting of deciding whether or not a fault has occurred, and fault isolation, consisting of deciding which element of the system has failed. The general procedure comprises the following three steps:

* Residual generation: the process of associating, with the pair model-observation, features that allow us to evaluate the difference with respect to normal operating conditions.
* Residual evaluation: the process of comparing residuals to some predefined thresholds according to a test and at a stage where symptoms are produced.
* Decision making: the process of deciding, based on the symptoms, which elements are faulty (i.e., isolation).

This implies designing residuals that are (a) close to zero in fault-free situations while clearly deviating from zero in the presence of faults, and (b) able to discriminate between all possible modes of faults (which explains the use of the term isolation). Fig. 2 shows the fault diagnosis architecture.
Residual Generation
Consider a discrete linear system described by the general state-space representation, including the presence of disturbances and sensor and actuator faults

$$x(k+1) = A x(k) + B u(k) + F_x'' f''(k) + F_x' f'(k), \qquad y(k) = C x(k) + F_y'' f''(k) + F_y' f'(k), \tag{31}$$

Table 1(b). Inference matrix when the residuals are robust to uncertainties.
where the unknown input $f'$ represents all disturbances or faults that do not correspond to those $f''$ to be detected. The matrices $F_x''$, $F_x'$, $F_y''$, and $F_y'$, assumed to be known, characterize the distribution of the unknown inputs $f'$ and $f''$ acting directly on the dynamics and the measurements, respectively.

According to this representation, the objective is to generate residuals sensitive to certain faults $f''$ and insensitive to an unknown input vector $f'$ in order to isolate faults. A wide variety of model-based approaches have been developed [3], [13], [53]. It is recognized that FDI model-based methods can be separated into two categories. The first is based on state estimation and includes detection filters [7], [25], [44], [52]; parity-space approaches [11], [19], [37]; and diagnostic, observer-based methods [15], [%I , [NI, [51]. Parameter estimation techniques [23] belong to the second category. In practice, the two kinds of methods do not apply to the same FDI problems: parameter estimation is especially suitable for multiplicative faults, whereas state estimations are preferred for additive faults.

In this article, the problem is how to design a diagnosis procedure that makes it possible to detect and isolate a particular fault among several others. Numerous model-based approaches have been proposed to solve this problem.

For structured types of faults, the current literature proposes a variety of solutions to achieve isolation. The geometrical approaches [30], [52] and the techniques of fault-effect decoupling based on observers with unknown inputs [16], [38], [39], [49] or robust parity relations developed in [11], [21], [30] constitute the most relevant approaches for achieving enhanced robustness. When it is not possible to totally decouple the effects of faults, we often resort to optimization.

The robustness of the residual generator resides in its sensitivity to faults and its ability to distinguish between different faults in the presence of uncertain parameters. The parity space approach is used here.

Thus, starting with the model given in (31), the idea is to generate a residual of the form

y ( h  s ) u ( k  s )
r ( h) =uT[ [ i I/,\[ I],
Y ( k ) u ( k ) (32)

where the parity vector $v$ is a component vector of the parity space $P$ defined as follows:

$$P = \{\, v \mid v^T H_1 = 0 \,\}, \tag{33}$$

$s$ is the parity space order, and
Figure 4. Winding machine.
Figure 5. Inputs/outputs of the winding machine.
Table 2. Theoretical inference matrix.
Indeed, with the model given by (31), the residual (32) can be expressed in terms of the state vector and the unknown inputs $f'(k)$ and $f''(k)$:

where

and

(36)

Due to the parity space definition, the residual $r(k)$ is independent of the state vector but depends linearly on $f'$ and the faults $f''$ via the matrices $H_2$ and $H_3$, respectively. Since the purpose of the residual generator is to detect a fault, the following equations must be satisfied:

$$v^T H_2 = 0 \quad \text{and} \quad v^T H_3 \neq 0. \tag{37}$$

However, the constraints (33) and (37) are generally very restrictive, and it is possible to compute a solution $v$ only in an ideal case. Hence, the residual is practically nonzero even in the fault-free case. This problem could be overcome by replacing the vector $v$ by $Pv$ in the relation (37). In this case, $r(k)$ must be as small as possible if no fault occurs and as large as possible otherwise. A natural criterion for achieving this goal is that $v$ has to minimize the following performance index:

A procedure for solving this optimization problem is proposed using generalized singular-value decomposition (GSVD) [13], [20]. The main advantage of this tool is that it is numerically reliable and can easily handle the near-singularity case where the product P'H,, is almost rank deficient.

Figure 7. (a) Nominal tracked outputs; (b) nominal control inputs.
Residual Evaluation and Decision Making
Fault isolation requires the generation of a residual set sensitive to some faults and insensitive to others with respect to isolable structural conditions. Thus, several parity relations are then synthesized according to the dynamic model of the plant (31). Subsequently, residual evaluation is based on the assumption that if a fault occurs, the statistical characteristic of a sensitive residual is modified. Consequently, it involves the use of statistical tests such as the Page-Hinkley test, the limit-checking test, the generalized likelihood ratio test, and the trend analysis test [4]. Here, each residual $r_i$ produced by the ith parity relation may be used to detect a fault according to a statistical test. A symptom $S(r_i(k))$ associated with this residual is equal to zero in the fault-free case and is set to one when a fault is detected. An output vector of the statistical test, called the coherence vector $S(r(k))$, can then be built from the bank of $m$ residual generators

$$S(r(k)) = [\,S(r_1(k)) \ \ldots \ S(r_m(k))\,]^T. \tag{39}$$

Two different approaches must be developed according to the accuracy of the model and the amplitude of the perturbations. If the effects of the unstructured uncertainties are very weak, and if the model outputs are close to the real measurements, each residual is synthesized to be sensitive to only one fault, and the coherence vector is then compared to the fault signatures $S_{ref}$ associated with the fault defining the inference matrix (Table 1a). In contrast to this ideal case, the residual generators are built to produce a signal sensitive to all faults except one, as represented on the inference matrix (Table 1b). In this case, they are more robust to uncertainties, which corrupt the residual value.

Decision making is then realized according to an elementary logic [ZX] that can be described as follows: an indicator $I(f_i)$ is equal to one if $S(r(k))$ is equal to the ith column of the incidence matrix ($S_{ref}$) and is equal to zero otherwise. The element associated with the indicator equal to one is then declared to be faulty.

Table 3. Practical inference matrix.
Table 4. Theoretical inference matrix.

General Scheme
The general concept of this approach is summarized by Fig. 3. The FDI module consists of residual generation, residual evaluation, and finally the decision as to which sensor or actuator is faulty. The fault estimation and compensation module starts the computation of the additive control law and is only able to reduce the fault effect on the system once the fault is detected and isolated. Obviously, the fault detection and isolation must be achieved as soon as possible to avoid huge losses in system performance or catastrophic consequences.

Application
Process Description
The method proposed in this article has been applied to a winding machine representing a subsystem of many industrial systems such as sheet and film processes [9], steel industries [22], and so on. The system is composed of three reels driven by dc motors ($M_1$, $M_2$, and $M_3$), gear reduction coupled with the reels, and a plastic strip (Fig. 4). Motor $M_1$ corresponds to the unwinding reel, $M_3$ is the rewinding reel, and $M_2$ is the traction reel. The angular velocity of motor $M_2$ ($\Omega_2$) and the strip tensions between the reels ($T_1$, $T_3$) are measured using a tachometer and tension-meters, respectively. Each motor is driven by a local controller. Torque control is achieved for motors $M_1$ and $M_3$, while speed control is realized for motor $M_2$ [6]. For a multivariable control application, a dSPACE board associated with MATLAB/Simulink software is used.

The control inputs of the three motors are $U_1$, $U_2$, and $U_3$. $U_1$ and $U_3$ correspond to the current set points $I_1$ and $I_3$ of the local controller. $U_2$ is the input voltage of motor $M_2$. In winding processes, the main goal usually consists of controlling tensions $T_1$ and $T_3$ and the linear velocity of the strip. Here, the linear velocity is not available for measurement, but since the traction reel radius is constant, the linear velocity can be controlled by the angular velocity $\Omega_2$. Figure 5 illustrates a simplified multivariable block diagram of the winding machine.
Table 5. Global decision table. (Column labels: First Bank, Second Bank.)
System Identification
The system is considered to be linear around a given operating point, and the corresponding analytical model is obtained using an ARX structure. This model describes the dynamic behavior of the system in terms of input/output variations $\Delta u$ and $\Delta y$ around the operating point $(u_0, y_0)$. For simplicity of notation, $(u, y)$ are used instead of $(\Delta u, \Delta y)$. The data set used for the parameter-identification step is composed of pseudorandom binary sequence signals applied to the system and their corresponding outputs. This data set is displayed in Fig. 6. The sampling interval is $T_s = 0.1$ s. The signals collected via the dSPACE board are given in the interval $[-1, 1]$, corresponding to $[-10\ \mathrm{V}, 10\ \mathrm{V}]$. Therefore, the linearized model of the winding machine around the operating point $(u_0, y_0)$ is given by the following discrete state-space representation:

$$u_0 = [0.15 \ \ 0.6 \ \ 0.15]^T, \qquad y_0 = [0.6 \ \ 0.55 \ \ 0.4]^T, \tag{40}$$

$$x(k+1) = A x(k) + B u(k), \qquad y(k) = C x(k), \tag{41}$$

with
1
0.4126 0 0.0196
= n, , = U, , A = 0.0333 0.5207 0.0413 ,
Ll 13 I n.oioi o 0.2571
1
1.7734 0.0696 0.0734
onws 0.4658 0.1051 .
0.0424 0.093 2.0752
$C$ is the identity matrix $I_n$. The system described by these matrices is completely observable and controllable.
Nominal Control Results
A nominal control law is first set up according to the tracking control design described earlier. The feedback control gain matrix $K$ is computed using the LQ technique such that the following cost function is minimized:

The weighting matrices $Q$ and $R$ are nonnegative symmetric and positive definite symmetric matrices, $Q = 0.05\,I$ and $R = 0.1\,I$, respectively. Fig. 7(a) and 7(b) show the dynamic responses of the tracked outputs and their corresponding control inputs for step changes in the reference inputs.
FDI Results
Actuator and Sensor Faults. Actuator and sensor faults have been created on the system to illustrate the theory developed above. First, we consider an actuator fault, which corresponds to a loss in the ith actuator effectiveness. To do so without breaking the system, the ith control input $U_i$ applied to the system is equal to the control input computed by the controller, multiplied by a constant coefficient $k_i$ ($0 < k_i < 1$). In this application, the effectiveness of the third actuator $M_3$ is reduced by 70% ($k_3 = 0.3$) and appears at an instant 32 s. According to the actuator fault description given earlier, this fault corresponds to a coefficient $\alpha_3 = -0.7$ and appears abruptly on the system.

Then, in a similar way, a fault on the sensor measuring the strip tension $T_3$ has been created with the same experimental conditions

where $T_3$ is the real value of the strip tension and $\delta T_3$ is the fault magnitude that affects the sensor. Here, a constant bias $\delta T_3(k) = 0.1$ appears at an instant 32 s.

Figure 10. FDI architecture.
Fault Detection and Isolation. In this article, we assume
that only a single fault (actuator or sensur fault) may occur
at a given time. Hence, the unknown input f " considered i n
(31) is a scalar.
In the case of an ith actuator fault, the system can be rep
resented according to (31) by
x(k +1) =Ax ( k ) + Ru( k) + D,f"(k)+ [q
O] f ' ( k )
y( k) =cx( k) +[ n i ] f " ( k) , (44)
11% 112 1
ller, 112
whercn, is theithcoluinnofmatrixRandB, ismatrixBwith
out the ith column.
In the same spirit, for aj th sensor fault, the system is de
scribed as
0.1187 o.ii9n 0.1196
0.4127 0.7913 1.4692
x( h+ 1) =Ax ( k ) +Ru( k) t [B O] f ' ( k)
y ( k ) =Cx ( k ) +E, f " ( k ) + [0 E, ] f * ( k ) , (45)
where E, =[O . . . l . . .Of' represents thc j th sensor fault effect
on the output vector and I?, is tlie identity matrix without
the j th column.
In this application, using the parity space approach, a
bank of six residuals ((I +in) can be set up; three of them
(noted r. are reneratecl usiiir (441 and the others (noted
Fault on 32.4 s
sensor 3
Fault on 32.6 s
actuator 3
. .  . . ,
[Table . 7. Tracking error '' nom. I
.
I
bank of residuals.
$S(r_{\sigma_i})$ represents the symptom obtained from evaluation of the residual $r_{\sigma_i}$, and the fault signature is associated with the ith actuator for $\sigma = u$ and the ith sensor for $\sigma = y$. The set of residuals obtained in the presence of the third sensor and actuator faults is illustrated by Fig. 8.

For the fault on sensor three, residuals $r_{u_3}$ and $r_{y_3}$ are close to zero, but normally, the residual $r_{y_3}$ must not be of zero mean because of the strict inequality imposed in the residual synthesis (37). Also note that these residuals are different from zero at the time the actuator fault occurs. These features do not correspond to the expected results. Thus, rather than implementing a complex isolation method able to avoid false alarms and missed detection, the residual evaluation is adapted to be insensitive to this behavior by using a Page-Hinkley test. Moreover, another residual bank is established to perform the complete isolation task as described later.
[Figure panels: Strip Tension T1, Strip Tension T3, Angular Velocity, and Control Input, each With (black) and Without (purple) FTC, plotted against Time (s).]
The same experiments have been conducted on the other sensors and actuators and the same remarks can be noted; the fault signature for an ith sensor fault or ith actuator fault are identical. Therefore, based on an experimental data set, a practical inference matrix is built (see Table 3), in which each fault signature is associated with the ith actuator or with the ith sensor.

An elementary logic is used to localize and generate fault indicators associated with each fault signature. Then, to distinguish the ith faulty actuator from the ith faulty sensor, another bank of residuals is considered. It is based on the principle that an ith residual is driven by all inputs and outputs except the ith output. With this bank, it is possible to localize the faulty sensor or detect a possible faulty actuator (but without actuator isolation). Table 4 shows the associated inference matrix; it lists the symptom obtained from the evaluation of each residual of this bank, the ith residual being generated using all inputs and outputs $y_j$ ($j \neq i$), together with the fault signature associated with the three actuators.

The set of residuals obtained in the presence of the third sensor and actuator faults is illustrated by Fig. 9. These residuals are evaluated using the Page-Hinkley test. The same experiments have been conducted on the other sensors and actuators, and the same conclusions can be established: these results correspond to those expected in the theoretical inference matrix (Table 4). An elementary logic is again used for the decision-making task.

Figure 12. Actuator fault magnitude estimation.
These two banks are used in parallel, and a global decision based on the fault indicators of each bank is set up to localize the fault such that
• If the fault indicator $I(f_{u_i}\ \text{or}\ f_{y_i})$ issued from the first bank is active (equal to one) and the fault indicator issued from the second bank is active, then a global fault indicator $I_g(f_{y_i})$ is activated that corresponds to a fault on the ith sensor.
• If $I'(f_u)$ is active, then a global fault indicator $I_g(f_{u_i})$ is activated corresponding to a fault on the ith actuator (Table 5).

The FDI module represented by Fig. 10 has been implemented and has given good results in terms of detection and isolation delays as shown in Table 6.
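The two-bank decision described above, as an added example that is not code from the article: a two-sided Page-Hinkley test turns each second-bank residual into a symptom, and the symptom pattern is combined with the first-bank indicator to name the faulty component. The sampling period, the test parameters `delta` and `lam`, the residual shift, and all function names are assumptions, and the residual samples are constructed.

```python
import math

TS = 0.1  # assumed sampling period in seconds (not given in this section)

def page_hinkley(residual, delta=0.02, lam=0.5):
    """Two-sided Page-Hinkley test for a residual whose fault-free mean is 0.
    Returns the index of the first alarm, or None. delta and lam are assumed."""
    up = dn = up_min = dn_max = 0.0
    for k, r in enumerate(residual):
        up += r - delta              # grows only if the mean rises above delta
        dn += r + delta              # falls only if the mean drops below -delta
        up_min, dn_max = min(up_min, up), max(dn_max, dn)
        if up - up_min > lam or dn_max - dn > lam:
            return k
    return None

def second_bank(symptoms):
    """Residual i uses every output except output i, so a fault on sensor i
    leaves symptom i at 0, while an actuator fault sets all symptoms."""
    if all(symptoms):
        return ("actuator", None)    # detected, but not isolated by this bank
    if sum(symptoms) == len(symptoms) - 1:
        return ("sensor", symptoms.index(0))
    return (None, None)

def global_decision(first_bank_index, symptoms):
    """first_bank_index: component index i flagged by the first bank
    (actuator i or sensor i, not yet distinguished), or None."""
    kind, idx = second_bank(symptoms)
    if first_bank_index is None or kind is None:
        return None
    if kind == "sensor":
        return ("sensor", idx) if idx == first_bank_index else None
    return ("actuator", first_bank_index)

def constructed_residual(shift, t_fault=32.0, t_end=60.0):
    """Constructed data: bounded ripple plus a mean shift from t_fault on."""
    n, kf = round(t_end / TS), round(t_fault / TS)
    return [0.01 * math.sin(1.7 * k) + (shift if k >= kf else 0.0)
            for k in range(n)]

def diagnose(shifts, first_bank_index):
    """Evaluate the three second-bank residuals, then apply the global logic."""
    alarms = [page_hinkley(constructed_residual(s)) for s in shifts]
    symptoms = [int(a is not None) for a in alarms]
    return global_decision(first_bank_index, symptoms), alarms

if __name__ == "__main__":
    print(diagnose([0.1, 0.1, 0.0], 2))  # sensor 3 biased (zero-based index 2)
    print(diagnose([0.1, 0.1, 0.1], 2))  # actuator 3 degraded
```

Indices are zero-based, so index 2 stands for the third sensor or actuator; raising `lam` trades a longer detection delay for fewer false alarms.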
Actuator Fault Compensation
Once the fault is isolated, the corresponding fault estimation and compensation module is switched on to reduce the fault's effect on the system.

Fig. 11 illustrates dynamic responses of the plant to step changes in the reference inputs around the operating point considered above. The figures clearly show the FTC method's ability to compensate for such faults. Indeed, since an actuator fault acts on the system as a perturbation, and due to the presence of the integral error in the controller, the system outputs again reach their nominal values even without fault compensation.
Fig. 11 shows that, without FTC, the strip tension $T_3$ (the output more affected by the fault) reaches its corresponding reference input about 18 s after the fault occurrence, whereas it takes only about 4 s using the FTC method. These results can be confirmed by examining the control input $U_3$. Without the FTC method, it increases slowly due to the integral error trying to compensate for the fault effect. On the other hand, the FTC method makes this control input increase quickly and enables the rapid fault compensation.

[Figure panels: Strip Tension T3 With (black) and Without (purple) FTC; Control Input With (black) and Without (purple) FTC; Real (purple) and Measured (black) T3 Without FTC; Control Input; Real (purple) and Measured (black) T3 With FTC; Fault Magnitude (purple) and Its Estimation (black); all plotted against Time (s).]
The fault estimation given by the singular-value decomposition technique presented under "Actuator Fault Estimation" is shown by Fig. 12. It is equal to zero in the fault-free case and to $(k_3 - 1)U_3$ when the fault is isolated.

Moreover, looking at the dynamic behavior in Fig. 11, with a step change of the reference input at 56 s, where the fault is still present, we can see that without fault compensation, the time response is much greater than with the FTC method. The analysis of the tracking error norm also emphasizes the performances of the fault-tolerant control method compared to the nominal control in the presence of an actuator fault (Table 7). It is easy to see that the tracking error norm using the FTC method is smaller than that without fault compensation.

This method can also compensate for actuator ramp faults, which are usually due to material aging and often met in practice. The nominal control law cannot compensate for such faults, although they appear gradually on the system. In the beginning, their effect is not noticeable on the outputs, but as this slope increases, a nonzero static error appears. To illustrate this effect, an additive ramp fault on the third actuator has been created:

The effect of this fault on the strip tension $T_3$ appears immediately; the static error is 35% of the reference input step. Figure 13 shows that once the fault is isolated (almost 2 s after its occurrence), the FTC method is able to maintain these outputs at their reference input values as long as the control inputs remain within their physical limits (here these limits are -1 and 1). It is a way to avoid stopping the system immediately after the fault detection.
Sensor Fault Compensation
For the sensor fault considered in the section on actuator and sensor faults, the faulty measurement is an input of the controller. Although the goal is to maintain the real output $T_3$ at its reference input value, without fault compensation, the controller brings the faulty measurement back to this corresponding reference value due to the integral error. Hence, the real output is far from the desired value (see Fig. 14). But once the fault is identified by the FDI module, the sensor fault estimation is selected and the compensation control law $u_{ad}$ is computed and added to the nominal one to cancel the sensor fault effect on the system. The sensor fault magnitude $\delta T_3$ and its estimation are also illustrated. The small difference between the real fault magnitude and its estimation is due to modeling errors.
Conclusions
The general fault-tolerant control method described in this article addresses actuator and sensor faults, which often affect highly automated systems. These faults correspond to a loss of actuator effectiveness or faulty sensor measurements. After describing these faults, a fault estimation and compensation method was proposed. In addition to providing information to operators concerning the system operating conditions, the fault diagnosis module is especially important in fault-tolerant control systems where one needs to know exactly which element is faulty to react safely.

The method's abilities to compensate for such faults were illustrated by applying it to a winding machine, which represents a subsystem of many industrial systems. The results show that once the fault is detected and isolated, it is easy to reduce its effect on the system, and process control is resumed with degraded performances close to nominal ones. Thus, stopping the system immediately can be avoided. However, the limits of this method are reached when there is the complete loss of an actuator. In this case, only a hardware redundancy is effective and could ensure performance reliability.

The method proposed here assumes the availability of the state variables for measurement. Future studies will focus on development of this method to overcome this assumption, which could be restrictive in practice.
References
[ i] C. Aubrun. U. Saute?. H. Noura. and M. Ilubert, "Fault rli~rgnosls aiid rec011
figurvtiun of systcnis using fumy logic: Ap1,licution tu a thermal piaot,.l bit. J
.Yystem Science.?. mi. 24, no. 10, pp. 19451954. 1993.
12) F. BaII.5 M. Fisher, I). Fussel. 0. Neiles. and R. iseimanir. "lntcgrated c w
trol diagnosis antl reconfiguration nf B heat exchungcr,"l ~E~ConI r Sys. Ma&,
vo~. in, no. :I. I'p. 5 x 4 . mn.
[3] M. Rnsseville. "Detecting changes in signals antl systcmsa swvey. ' '
Aiilornolico. "01. 24, pp. 309.326, 1988.
[4j M. Rvssrviile and i. Nikiforov. Drieoliun ofAbnrpt C l m n ~ a , TI, eu~yundAp
plicrrlion. Englewoud Ciilfa, N.I: Prenticc Hail. IDL13.
[5] A. Russusg~Onuna. M. Uarouurh. and G. Kraakelu. "Optiinal estimation uf
state and inputs for stochastic dynamical systems with unknown inputs,"
ToofdrogS?, I n t Coni 011 I~hul IDi qnmi s, Touiousc. liriince. pi>. 267275. 1993.
[GI T. Bastognc. ti. Noura, P. Sibiile. and A. Ilichard. "Multivarial,lc iclentificit~
tlon 01 a winding proress by subspace mcthoris far a tcnsioii control." Cont.
[7] K.V. Beard. "liiilore accommiidalioii in linear systems tlirriugii selfreorga
niautian." P1i.D. dlssertation, Dcpt. Aero. Astro, M.I.T.. Cambridge, MA 1971
18) M. Bodson ant1 .I. Groszkiewiez. "Muitiviirinble adaptive algorlthrns lor IC
configurable ilight (.ontrol," IEEI: P ms . Cont. Sys. Tecii.. voi. 5. no. 2, pp
217229, 1997.
(91 K.11. Braatz. H.A. Ogumaike, and A.P. leatherstoiic, "Ideiitilicatioii, m t i ~
mstion and control of shcet and film pmcr sses; iii Plrru, 131117'rierenitnill~jlC
World Congress, San Riliicis'co, CA. 1996, pli. 3i9~324.
[i n] .I. CIWI. R.J . ~aito,~.antiz. CIE~, ,,~n~~~appro.lc.i,toiauit IOIW~CII C L N ~
trol of uncertai n s ys t e ms . " lj:W I.SlC/CiKA/I.SAS Joml Co,z/<~rrnce,
Gaithersburg, MD. pi). 375inn. i %n.
[ I I ] E.Y. ChnwandA. S. Willsky."Analytical redunciancyand t hrdesi gnoi 10
1bwt failure det crt i m systcmr, " IEEE Truns. Aetornnt. Cnri l ., vol. ACZY, pi'.
[i 2] .I. U'Azzo ant1 C.II. Houpi r.Li neorCo,rf ml Sysl e,nA,~rri ~si sa,i dUeri S,~, Con
uenriunal andModem (McGruwllill Serics in Electrical ;arid Cornlmter Rngi
neering). New York McGrawHill, 1995.
[ i 3] H.De Moor, J . Staar. atid J . Vai~lewallc. "Orientcrl energy arid Oriciited
signaltosignal ratio concepts iii the analysis oi vector sequences and time
E ~ S . proct., vo~. 6. no. 9. 10771088. m n .
603.~14, i m4.
February 200U I EEE Control Systems Magazine 47
Substituting (48) in (47) yields:

$$
x_p(k+1) = (A_{pp} - B_p K_p)\,x_p(k) - B_p K_z z(k) + (A_{ps} - B_p K_s)\,x_s(k) + F_p f(k) + B_p u_{ad}(k) \tag{49a}
$$

$$
x_s(k+1) = (A_{ss} - B_s K_s)\,x_s(k) - B_s K_z z(k) + (A_{sp} - B_s K_p)\,x_p(k) + F_s f(k) + B_s u_{ad}(k). \tag{49b}
$$

Here, the fault effect must be eliminated in the priority state variables $x_p$. Thus, from relation (49a), this can be achieved by solving the following relation:

$$
(A_{ps} - B_p K_s)\,x_s(k) + F_p f(k) + B_p u_{ad}(k) = 0. \tag{50}
$$

In this decomposition, if $x_s$ is not available for measurement, it can be computed from the output equation in (47), because here $C_s$ is a full column rank matrix. Then, using the fault estimation $\hat{f}$, the additive control law solution of (50) is

$$
u_{ad}(k) = -B_p^{-1}\left[(A_{ps} - B_p K_s)\,x_s(k) + F_p \hat{f}(k)\right]. \tag{51}
$$

The main goal is to annihilate the fault on the priority outputs. This is realized by choosing the transformation matrix $T$ such that

Although the secondary outputs are not compensated for, they must remain stable in the faulty case. Let us examine these secondary variables. Replacing (51) in (49b) leads to:

$$
x_s(k+1) = (A_{ss} - B_s B_p^{-1} A_{ps})\,x_s(k) - B_s K_z z(k) + (A_{sp} - B_s K_p)\,x_p(k) + (F_s - B_s B_p^{-1} F_p)\,f(k). \tag{52}
$$

It is easy to see that the secondary variables are stable if and only if the eigenvalues of the matrix $(A_{ss} - B_s B_p^{-1} A_{ps})$ belong to the unit circle.
Hassan Noura was born in Alilalr, Lebanon, in 1965. He received his Ph.D. in automatic control engineering from the Henri Poincaré University, Nancy, France, in 1993. He has been with the Research Center for Automatic Control of Nancy and has been an associate professor since 1994. His research interests include fault diagnosis and fault-tolerant control.

Dominique Sauter received his Ph.D. in 1991 from the University Henri Poincaré, Nancy, France. Since 1993, he has been a full professor at this university, where he teaches automatic control. He has been the director of the Institut Universitaire Professionnalisé in electrical engineering for two years. He is a member of the Research Center in Automatic Control of Nancy (CRAN), associated with the French National Center for Scientific Research (CNRS). He is also a member of the French German Institute on Automatics and Robotics (IAR), where he chairs a working group on intelligent control and fault diagnosis. His current research interests are focused on model-based fault diagnosis and fault tolerance with emphasis on industrial applications.

Frédéric Hamelin obtained his Ph.D. in automatic control from the Henri Poincaré University, Nancy, France, in 1995. He has been an associate professor at this university. His current research interests are robust fault diagnosis and fault-tolerant control.

Didier Theilliol earned his Ph.D. in control engineering from the Henri Poincaré University, Nancy, France, in 1993. He has been an associate professor at the Research Centre for Automatic Control of Nancy since 1994. Theilliol's research experience includes identification of nonlinear SISO systems with multilayer neural networks and decision support systems within the framework of its participation in a European project (Eureka Project KU 99fi Maine Dialogs) for three years. Current research interests include robust fault diagnosis and fault-tolerant control.