Sie sind auf Seite 1von 17

By Hassan Noura,

Dominique Sauter,
Fr6dBric Hamelin,
and Didier Theilliol
au It - ~ ~ ~ e ~ a n t
JApplication to a Winding Machine
ver the past two decades. the grow-
ing demand for reliability in indus-
tri al processes has drawn
increasing attention to the prob-
lem of fault detection and isolation
(FDI), but only a lew studies have
been dedi cated to the rel ated
fault-tolerant control (FTC) problem. A fault (abrupt or
incipient) is any kind of malfunction or degradation in
the plant that can lead to a reduction in performance or
loss of Important functions, impairing safety. Therefore,
actions, isverylarge. Second, theoccurrence of afault can
make the system evolve far from its normal operating con-
ditions and can lead to a drastic change in system behav-
ior. It is often a rapi d change, and the ti me for
accommodation isveryshort. Furthermore, correct isola-
tion of the faulty component is required to react success-
fully, a rather difficult problem in the case of closed-loop
systems. Finally, FTC is a multivariable problem, with
strong coupling between the different variables.
Various approaches lor fault-tolerant control have
been suggested in the literature [40]. From the applica-
FTC can be motivated by different goals de-
,/
pending on the application under consid-
eration; for instance, safety in flight
-.
,,//
control or reliability, or quality improve-
ments in industrial processes.
Although FK Isa recent research topic in
control theory, the idea of controlling a system that devi-
ates from its nominal operatingconditions has been inves-
tlgated by many researchers, The methods for dealing
with this problem usually stem from linear-quadratic,
adaptive, or robust control. The problems to consider in
the design of a fault-tolerant controller are quite particu-
iar. First, the number of possible faults, and consequently
tion viewpoint, flight-control systems have represented
the main area of research, and only a few studies have
been devoted to industrial processes. One of the main
goals of this article is to show that these approaches are
appropriate to such systems.
Fault-tolerant control systems are characterized here
by their capabilities, alter fault occurrence, to recover
znnn 33
Normal Operating
Conditions
/
Performance
It
/ I / I
I i
Figure 1. The jculr-tolerant control probl em.
performance close to the nominal desired performance. In
addition, their ability to react successfully (stably) during a
transient period between the fault occurrence and the per-
formance recovery is an important feature. Accommoda-
tion capability of acontrol system depends on many factors
such as the severity of the failure, the robustness of the
nominal system, and the actuators' redundancy.
Actually, fault-tolerant control concepts can be sepa-
rated into "passive" and "active" approaches. The passive
approach uses robust control techniques to ensure that a
closed-loop system remains insensitive to certain faults.
When redundant actuators are available, methods dealing
with this approach are also called reliable control methods
[ X I , [48], [56]. Inthe active approach, a new set of control
parameters is determined such that the faulty system
reaches the nominal system performance. The principle of
active approaches, illustrated by Fig. 1, is very simple. After
the fault Occurrence, the system deviates from its nominal
operating point defined by its inputjoutput variables (u0 ,yo)
to a faulty one (U, , y, ). The goal ol fault-tolerant control is to
determine a new control law that takes the degraded system
parameters into account and drives the system to a new op-
eratingpoint(u,,y,)such that themain performance param-
eters (stability, accuracy, etc.) are preserved (i,e,, are as
close as possible to the initial parameters). It is, therefore.
important to define precisely the degraded modes that are
acceptable with regard to the required performance param-
eters, since alter the occurrence of faults, conventional
feedbackcontrol design may result in unsatislactory perfor-
mance such as tracking error, instability, and so on.
When the exact model of the failed system is known, the
control system can be accommodated so that system per-
formance parameters are recovered and the new system be-
haves as initially specified. Gao and Antsaklis [ 171, [18] and
Morse and Ossman [31] suggest a basic approach based on
what theycall the pseudo-inverse method. In practice, how-
ever, the faults are unanticipated and the model of the im-
paired system is not available.
To overcome the limitations of conventional feedback
control, new controllers have been developed with accom-
modati on capabi l i ti es or tol erance to faul ts. These
fault-tolerant controllers belong to different categories:
Adaptive control seems to be the most natural ap-
proach to accommodate faults; the faults' effects ap-
pear as model parameter changes and are identified
online, and the control law isreconfigiired automati-
cally based on new parameters [8], [%I , [42], [55].
Wu et al. [54] consider a loss of effectiveness in actu-
ators ancl suggest using an augmented state Kalman
filter to estimate both the fault-free state and the
faulty parameters. The estimated fault-tree state is
used to feed the controller. All these approaches
have theadvantage of not requiringthat thel aul ts be
categorized a priori, although the design of robust
identification and control algorithms presents signif-
icant challenges.
Integrated approaches represent another tread [33].
They integrate fault monitoring and control proce-
dures. In this case, the possible actuator or sensor
faults are represented by signals and are estimated by
the same algorithm that computes the control law
[32], [44], [47]. The faults are modeled first, then the
controller isbuilt to be insensitive to these faults, but
the operator should be aware of possible faults
through the alarm-monitoring function.
* The fault-tolerant control problem can also be formu-
lated as a multiobjective problem based on the as-
sumption that, like the uncertainties, the faults' effects
can be expressed by means of linear fractional trans-
formation (LFT). Following this methodology, a linear
matrix inequality formulation for fault-tolerant control-
ler synthesis has been recently introduced by Chen et
al. [IO]. Another approach based on convex optimiza-
tion has been also considered where an LQ controller
is used and the reconfiguration is achieved by choos-
ing new values of the weighting matrices in the perfor-
mance index to olfset the effect of faults (291, [43].
Finally, another way to achieve fault-tolerant control
relies on supervised control where an FDI unit pro-
vides information about the location and time occur-
rence of any fault. Faults are compensated via an
appropriate control iaw triggered according to the di-
agnosis of the system. This can he achieved by using
gain scheduling [24] or compensation via additive in-
put design [34], [46].
Methods combining model-based and knowledge-based
or heuristic techniques were also successfully used to tune
thecontroller [l], [Z], (271, [40].
The fault-tolerant control method described in this arti-
cle aims to compensate lor both actuator and sensor faults.
An actuator fault, for instance, a loss in effectiveness, acts
on the system as a disturbance. In the nominal control law,
the presence of an integrator in the controller may compen-
sate only for the static error but not for the loss i n dynamic
performance.
34 IEEE Control Systems Magazine February 2OOU
In the fault-free case, the measurements issued from the
sensors are equal to the real outputs. When a sensor fault
occurs, the integral control law makes the tracking error
(the error between the measurements and thereferenceval-
ues) go tozero. Hence,therealoutput is far fromthedesired
value. The usual recommendation is to replace this mea-
surement either by another one, if a redundant sensor is
available, or by its estimation obtainedviaastateestimator.
This is not always the best solution, however, since the
state estimator is driven by measurements.
A natural way to cope with the FTC problem is to modify
the controller parameters according to an online identifica-
tion of the system parameters when a fault occurs. How-
ever, due to difficulties inherent to the online multivariable
identification in closed-loop systems, such as noise or the
lack of excitation signals, we propose an alternative based
on the computation of a new control law to be added to the
nominal one. But since this new control law isnot the same
for both cases, an FDI module is necessary to isolate the
faulty element accurately.
for fault-tolerant control, the aim is to compensate for all
faults, whatever their types.
A classical way of representing component faults is to
consider variations in the parameters of the system.
Therefore, the component faults (i.e., internal faults) that
are due to changes in the process coefficients are as-
sumed to produce deviations in the parameters of the sys-
tem. After the fault occurrence, the model of the system
becomes
x,(k +1) =A,x,(k) +B,u ( k )
y,(k) =Ctxr(fz), (2)
where f denotes the faulty index. The various matrices in-
volved in the system description are modified according to:
(3)
A, = A + U , B, =B+6B, C, =C+SC,
where U, 6B, and SC are the parameter deviations from the
nominal oDeratine values.
-
In the sequel, onlyactuator and sen-
sor faults are considered. Additive
faults are usually described using an
unknown input vector f E I Wk acting di-
rectly on the dynamics or on the mea-
S
U
surements of the system For instance,
an actuator fault should be repre- t s a
This article is organized as follows. First, we describe the
fault effects on the system, and then we review the tracking
nominal control design. Next, we describe the principle of
the fault-tolerant control method in the presence of actua-
tor and sensor faults, and then we present the fault diagno-
sis architecture used to isolate the faulty element. After
summarizing thegeneral FTC scheme, we present the exper-
imental results of applying this method to a winding ma-
chine. Finally, concluding remarks are given.
Fault Description
Consider the discrete linear system given by the following
state-space representation:
x ( k +1) =Ax ( k ) +Bu( k )
Y ( k ) =Cx(k), (1)
sented by
(4)
E, =B(I +diag(a(k))),
wi tha=[a, ... a, ... a,J T,andinthecaseofcompI eteloss
of the ith actuator,a, =-1. As B, isan unknown matrix, the
state-space representation of the faulty system requires the
definition of an unknown input f a, which is equal to zero in
the fault-free case
x ( k +1) =Ax ( k ) + Bu( k) +F, f , ( k )
(5)
y ( k ) =Cx(k).
Likewise, in the presence of a sensor fault characterized
by changes of matrix C,
(6)
C, =(I +diag(P(k)))C ,
wherex E R is the state vector,^E R the output observa-
tion vector, U E W the input vector, and A, B, and Care
withp =[p, ... p, ... p,],thestate-spacerepresentationis
known matrices of appropriate dimensions. Different addi-
tive and/or multiplicative faults may affect the system due
to abnormal operation or to material aging. Additive faults
characterize sensor or actuator faults, while the muitipiica-
tive ones designate component faults.
In the fault-diagnosis literature, a distinction should be
made between additive and multiplicative faults; however,
x ( k + l ) =A x ( k ) +B u ( k )
y( k) =Cx(k)+F,S(k).
(7)
Before handling faults that can occur on the system, the
objective is to design a nominal tracking control where out-
puts are required to track reference inputs.
Februvry 2000 IEEE Control Systems Magarl ne 35
Nominal Tracking Control Design
In tracking control, the number of outputs that have to foi-
low a reference input vector, y, , must be less than or equal
to the number of control inputs [ 121. Thus, the output equa-
tion in ( 1 ) can be rewritten as:
puted using the estimated state variables obtained, for
instance, by a Kaiman filter.
Fault-Tolerant Control
Once the FDi module indicates which sensor or actuator is
faulty, the fault magnitude isestimated and a new control
law is added to the nominal one to thwart the fault effect on
the system. As sensor and actuator faults do not act in the
same way on the system, the additive control law is not the
same for both cases. Thus, in the se-
(8)
quel, the first part deals with actuator
faults and then sensor faults are cnn-
sidered. Moreover, only one fault is as-
sumed to occur at the same time.
is i fi
ave a zero s~at i c
Actuator Fault Estimation
Inthe presence of an actuator fault and
according to (5) and ( 1 l ) , the augmented state-space repre-
sentation of the system is written as
where y , E Rp ( p <m) represents the vector of p outputs
that arerequired to foliowthereferenceinputvectory,.The
feedback controller is required to cause the output vector
y , to track the reference input vector in the sense that in
steady state,
(9)
To achieve this task, a comparator and integrator vector
z is added to satisfy the following relation:
To estimate the fault magnitude t,, the system given by
where is the sampling interval. Therefore. the open-loop (13) is considered i n the following form:
svstem is governed bv the auemented state and outnut
I I
equations, where I,, is an identity matrix of dimension p:
Fc,.?,(k+ 1) =2, y,,(k)+ 8, U( k) + C,y,(k),
(14)
The nominal feedback control law of this system can be
computed by:
where:
rI., o -~.i r~ 0 0 1
.=[% / ! , I
(15)
with 2 =[ x ~ =TIT and K =[K, K,J being the feedback gain
matrix for instance, by ,,ole assignment, linear mation of the
quadratic optimization, and so on. To achieve this control
singular-value
law, the statevariables are assumed to be available for mea-
surement. Moreover, the state space considered here isthe
one where the outputs are the state variables (Cis the iden-
tity matrix I,,). In the opposite case, the control law iscom-
In (14), 2" is a matrix of full column rank. Thus, the esti-
fault magnitude fa makes use of the following
CSvD) 15], [201.
Let
36 I EEE Control Systems Magazine February 2000
betheSVD of z" and partitionT =[T, 7J . Thus, Sis adiago-
nal and nonsingular matrix, and T and Mare orthogonal
matrices.
be obtained by the following relation i f matrix B is of full
row rank
(22)
Usirlg this SVD and replacing it in (14) leads to
~ " , ~ ( k ) =-B'F,f,(k),
with
X" (k+l )= A"Xce(k)+ Bc, U(k)+"y'(k)' (16) whereB' is Theexistence of
a solution uOd is discussed in the Appendix.
where E,: is the pseudo-inverse of matrix E,,.
Hence, solving (16) gives an estimation (, of the fault
magnitude f a, which is the last component of the ang-
mented state vector 2,. This estimation is then used to de-
termine the aclditive control law able to reduce the fault
effect on thesystem outputs. Noticefromrelatlon (15) that
the estimation of the fault magnitude f , at instant ( k ) dc-
pends on the system outputs y at instant ( k +l). To avoid
this problem, computation of the fault estimation is de-
layed by one sample.
Actuator Fault Compensation
Replacing the nominal control law (12) in the equations of
the system affected by an actuator fault ( 5) leads to the
closed-loop state-space representation
Sensor Fault Estimation
If a sensor fault occurs on the system, the nominal control
l awui s modified to haveazerostati c error. But in this case,
the real output is far from its nominal value. Hence. in the
presence of a sensor fault, this control law must be pre-
vented from reacting, unlike thc case of an actuator fault.
This can be achieved by canceling the fault effect nn the con-
trol input.
For sensor faults, the output equation given in (7) is de-
composed according to (8):
In this case, the integral error vector z is described by
~ ( k + 1) = ~ ( k ) + T. (Yr(k) -Y,(k))
=2 (It) +K. ( Yr ( k ) -Eix(Jz)FFq> f,(k)).
(24)
The sensor fault magnitude can be estimated in a way simi-
lar to actuator fault estimation, by describing the aug-
mented system as follows:
We propose computing anew control lawcr,, to be added
to the nominal one to compensate for the fault effect on the
system. Therefore, the total control law applied to the sys-
tem isgiven by
z s X, ( h +1) =z $ X, ( k ) +B, U(k) +C*y, ( k ) ,
(25)
where:
u( k ) =- [ K, KJ i ( k ) +UJ k ) . 1, o n A 0 0
E, = n I,> o A, = -T, E I, , -TvF,,
c,
[ I,, 0 F, ] [ 0 0 0 1 :]
Hence, the closed-loop state equation becomes
x( k t-1) =( A- BK, ) x ( k ) -BK,z(k)+ F, ( , ( k) +Bn,,(k).
c ( k ) =1 ''" 1,
?,(kl =[:E]
Y (k +11
(20)
(26)
The additional control law und must be computed such
that the faulty system isas close as possible to the nominal
one. In other terms, uad must satisfy
Hence, using the SVD ofga, as described under "Actuator
Fault Estimation," allows an estimation of the sensor fault
magnitude t ,
(21)
Bu,,,$(k) +F, f , ( k ) =0.
Sensor Fault Compensation
Using the esti mati on of the fault magni tude de-
scri bed in the previous secti on, the solution of (21) can
in the same way, when a sensor fault occurs, an additive
control law is added to the nominal one
~ e b ~ ~ ~ ~ y zooo IEEE Control Systems Magazine 37
gure 2. Fault diagnosis architecture
(27)
U ( k ) =-K, x( L) - K, z ( k ) +u,,(k).
In the presence of a sensor fault, both the output y and
the integral error z are affected such that
~ ( k ) =x ( k ) =~n(k)+ F, f s ( k )
z ( k ) =z, ( k) +f (k)
j ( k ) =f ( k -1) - T,F, l t ( k -I),
(28)
wherex, and zo are the fault-free values of xand z, and 7
is the integral of -F,,f,. This leads the control law to be
given by
Clearly, since the sensor fault magnitude [ is estimated,
the fault effect can becanceled by computingu,, such that
It has been shown that the new control law added to the
nominaloneisnot thesamein thecaseofanactuatororsen-
sorfault.Thus, theabilityofthis FTCmethodtocompensate
for faults is closely related to the results given by the FDI
I .
igure 3. Fault-tolerant control scheme
module concerning the decision of whether a sensor or an
actuator fault has occurred.
Fault Diagnosis
Diagnosis is the primary stage of fault-tolerant control sys-
tems. Its goal is to perform two main decision tasks: fault de-
tection, consisting of deciding whether or not a fault has
occurred, and fault isolation, consisting of deciding which
element of the system has failed. The general procedure
comprises the following three steps:
Residual generation-the process of associating, with
the pair model-observation, features that allow us to
evaluate the difference with respect to normal operat-
ing conditions.
Residual eualuation-the process of comparing resid-
uals to some predefined thresholds according to a
test and at a stage where symptoms are produced.
Decision maki wthe process of deciding, based on the
symptoms, which elements are faulty (i.e., isolation).
This implies designing residuals that are (a) close to zero
in fault-free situations while clearly deviating from zero in
the presence of faults, and (b) able to discriminate between
all possible modes of faults (which explains the use of the
term isolation). Fig. 2 shows the fault diagnosis architecture.
Residual Generation
Consider a discrete linear system described by the general
state-space representation, including the presence of dis-
turbances and sensor and actuator faults
x(k +1) =A x ( k ) +Bu ( k ) +F," P( k) +F; f ' ( k )
(31)
y( k) =C x( k) + F,"f"(k)+ F;f' (k),
I
Table Ub). Inference metrlx when the mslduals are
I
I- robust to unrellafntles, -
38 IEEE Control Systems Magazine F ~I X W ~ znnn
where the unknown input f' t R" represents all disturbances or
faults that do not correspond to those E" E R" to be detected.
The matrices Fy", Fi , Fe, and Fi, assumed to be known, charac-
terize the distribution of the unhown inputs f' and f " acting di-
rectly on the clyuamics and the measurements, respectively.
According to this representation, the objective isto gen-
erate residuals sensitive to certain faults f " and insensitive
to an unknown input vector F' in order to isolate faults. A
wide variety of model-based approaches have been devei-
oped [3], [13], [53]. It is recognized that FDI model-based
methods can be separated into two categories. The first is
based on state estimation and includes detection filters [7].
[ 2 5 ] , [44], [52];parityspaceapproaches [l l ], [19], [37];and
diagnostic, observer-based methods 1151, [%I , [NI, [511.
Parameter estimation techniques [23] belong to the second
category. I n practice, the two kinds of methods do not apply
to the same FVI proble~ns: parameter estimation is espe-
cially suitable for multiplicative faults, whereas state esti-
mations are preferred for additive faults.
In this article, the problem is how to design a diagnosis
procedure that makes it possible to detect and isolate a par-
ticular fault among several others. Numerous model-based
approaches have been proposed to solve this problem.
For structured types of faults, tile current literature pro-
poses a variety of solutiolis to achieve isolation. The geo-
metrical approaches [30], (521 and the techniques of
fault-effect decoupling based on observers with unknown
inputs [16], [38], [39], [49] or robust parityrelations devel-
oped in Ill], [ZI ], [30] constitute the most relevant ap-
proaches for achieving enhanced robustness. When it is not
possible to totally decouple the effects of faults, we often re-
sort to optimization.
The robustness of the residual generator resides in its
sensitivity tu faults and its ability to distinguish between dif-
ferent faults i n the presence of uncertain parameters. The
parity space approach isused here.
Thus, starting with the model given in (31), the idea is to
generate a residual of the form
y ( h - s ) u ( k - s )
r ( h) =uT[ [ i I-/,\[ I],
where the parityvectoruis acomponent vector of the parity
space F defined as follows:
Y ( k ) u ( k ) (32)
(33)
P = { U I ~ H , =q,
s is the parity space order, and
Figure 4. Winding rnnchine
p;It:, WindingMachine
Figure 5. /npuir/oufprrta ofthc wnrl mg machine
I I
J
- 0 1
-02
4
I I
0 40 60 80 20
0 7
0.6
0 5
I I
i
02
01
U3
I I
0 20 40 60 80
Time (s)
(a)
0 5
o h - 20 40 60 80
1, I
0.5
n2
20 40 60 80
. . . . - - . . 1
. . . .. . . . . ... . .. . .~ ..
.- - -. -.,.. .
Table 2. TheoreUeal inference matrix.
L
1 l o I 1 1
0.6
0.55 } 4
0.5 L
0.45 0.4 buyq Angular Velocity
0.35
0 20 40 60 8C
Time( s)
(a)
05
Control Input U,
Time (s)
(b)
- 01
20 40 60 80
Indeed, with the model given by (31), the residual (32)
can be expressed in terms of the state vector and the un-
known inputs f'(k) and f "( k) :
where
and
0
F; 0 1' (36)
Due to the parity space definition, the residual r(k) is in-
dependent ofthestatevector but depends iinearlyonf'and
the faults f" via the matrices HZ and H3, respectively. Since
thepurposeoftheresiduaigeneratoristodetectafauit, the
following equations must be satisfied:
uT H,=OanduT H,+-0. (3 7)
However, the constraints (33) and (37) are generally very
restrictive, and it is possible to compute a solution U only in
an ideal case. Hence, the residual is practically nonzero
even in the fault-free case. This problem could be overcome
Figure 7. (ai: Nominulaackedout/~ii~,~; ( b j n ~ ~ ~ ~ n a l ~ ~ n r ~ o l i ~ ~ ~ ~ ~ f , ~ . by replacing the vector U by Pu in the relation (37). In this
case, r(k)must he as smaii as possible if no fault occurs and
40 I EEE Control Systems Magazine February 2000
as large as possible otherwise. A natural criterion for
achieving this goal isthat U has to minimize the followiiig
performance index:
4.02
-0.04
4.06-
A procedure for solving this optimization problem is pro-
posed using generalized singular-value decomposition
(GSVD) [13], [ZO].Themainadvantageoftliis toolisthat it is
numerically reliable and can easily handle the near-singular-
ity case where the product P'H,, is almost rank deficient.
Residual Evaluation and Decision Maki ng
Fault isolation requires the generation of arcsidual set scii-
sitive to some faults and insensitive to others with respect
to isolable structural conditions. Thus, several parity rela-
tions are then synthesized accnrding to the dynamic
-
,
model of the plant (31). Subsequently, residual evaluation
is based on tlie assuniption that i f afaui t iiccurs, the statis-
tical characteristic of a sensitive residual is modified. Con-
sequently, it involves the use of statistical tests such as the
Page Hinkley-test, the limit-checking test, the generalized
likelihood ratio test, and the trend analysis test [4]. Here,
each residual q produced by tlie ith parity relation may be
usedtodetect afauitaccordingtoastatisticaitest. Asymp-
tomS(r,(k))associated with this residualisequal tozeroi n
thc fault-free case and is set to one when a fault is detected.
An output vector of the statistical test, called the coiier-
eiiccvectorS(r(k)), can thenbebui l t from thehankof m re-
sidual generators
(39)
S( r(k)) =[S( r, ( k ) ) . . . S( q,8 ( h ) ) 1'.
Two different approaches must be developed according
to the accuracy of the inndel and the amplitude of the per-
2
0
-7
-
30 35 40 45 50 55
Time (s)
-0.02
.0.04
.0.06
-0.08
-0.02 1 1
0.04
~10- 3
30 35 40 45 50 55
Time (s)
4 2 O _ - i
- 04
x i n-3
0
-5
30 35 40 45 50 55
Time (s)
0
- 0 2
-04 ' Y2 i
-0 6 [ L A
-0 8
XIO-3
10
5
0
-5
30 35 40 45 50 55
Time (s)
....... ................... _. . - - .. -- - - ...
1 Table S..PracU$al lnfepnce malrix. ...
..
7-.--
- -.
.Kr,l 1
General Scheme
The general concept of this approach is summarized by Fig,
3. The PDI module consists of residual generation. residual
evaluation, and finally the decision as to which sensor or ac-
tuator is faulty. The fault estimation and compensation
module starts the computation of the additive control law
and is only able to reduce the fault effect on the system once
the fault is detected and isolated. Obviously, the fault detec-
tion and isolation must be achieved as soon as possible to
avoid huge losses in system performance or catastrophic
consequences
0 1 0 1
p r " , ) 10 1 1 0 Application
. . . . . . . . . . . . . . . . . . . . . . .
1 Table 4. Theomtical Inference matrix.
I ' (no fault)
I 1 I
I I I I
/,(nofault)
turbations. If the effects of the unstructured uncertainties
are very weak, and i f the model outputs are close to the real
measurements, each residual is synthesized to be sensitive
to only one fault, and the coherence vector is then com-
pared to the fault signatures S,,,,,, associated with the fault
defining the inference matrix (Table la). In contrast to this
ideal case, the residual generators are built to produce a sig
nal sensitive to all faults except one, as represented on the
inference matrix (Table lb). In this case, they are more ro-
bust to uncertainties, which corrupt the residual value.
Decision making is then realized according to an elemen-
tarylogic [ZX] that can be described as follows: an indicator
I (~.)isequaitooneifS(r(k))isequaltotheithcolumnofthe
incidence matrix (Sr e,,,,) and is equal to zero otherwise. The
element associated with the indicator equal to one is then
declared to be faulty.
Process Descri pti on
The method proposed i n this article has been applied to a
winding machine representing a subsystem of many indus-
trial systems such as sheet and film processes [9], steel in-
dustries [ZZ], and so on. The system iscomposed of three
reels driven by dc motors (M,, M,, and MJ , gear reduction
coupled with the reels, and a plastic strip (Fig. 4). Motor M,
corresponds to the unwinding reel, M, is the rewinding reel,
and M, is the traction reel. The angular velocity of motor M,
(Q,) and the strip tensions between the reels (q, T,) are
measured using a tachometer and tension-meters, respec-
tively. Each motor is driven by a local controller. Torque
control is achieved for motors M, and M,, while speed con-
trol is realized for motor M, [ 6 ] . For a multivariable control
appl i cati on, a dSPACE board associ ated wi th
MATLABISimulink software isused.
The control inputs of the three motors are U,, U*, and U3,
U, and U, correspond to the current set points I, and I , of
the local controller. U> is the input voltage of motor M,. In
winding processes, the main goal usually consists of con-
trolling tensions TI and and the linear velocity of the strip.
Here, the linear velocity is not available for measurement,
but since the traction reel radius isconstant, the linear ve-
locity can be controlled by the angular velocity a,. Figure 5
illustrates a simplified multivariable block diagram of the
winding machine.
- - . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . __ _- .__ . . . . . . . . . . . . . . - . -.
- - . . . . . . . .
Table 5, Global - declrlon table.
................. -
I FirstBank I
Second Bank
42
System Identification
The system is considered to be linear aroiind a given operat-
ing point. arid the correspnrrding analytical model is obtained
using an ARX structure. This model describes the dynamic be-
havior of the system in terms of input/output variations ALI
aodAyarourid the operating point (uo,y0). For simplicityof no-
tation, (U , y) are used instead of (An, Ay). The data set used for
the parameter-identification step is cumposed oi pseudo-raii-
doin binary sequence signals applied to the system and thcir
corresponding outputs. This ddta set isdisplayed in Fig. 6. The
sampling interval is T, =0.1 s. The signals collected via the
dSPACE board arc given in the intcrval [-1,1], corresponding
to [-10V, 10V].Therefore, theliriearizedmodelofthewinding
machine around the operating point ( U", yo) is given by the fol-
lowing discrete state-space representation:
U , =[-0.15 0.6 0,151' yo =[0.G 0.55 0.4Ir
(40)
x(k +I ) =Ax ( k ) + Bu ( k )
Y ( k ) =CxOz), (41)
with
1
0.4126 0 -0.0196
= n, , = U, , A = 0.0333 0.5207 -0.0413 ,
Ll 13 I -n.oioi o 0.2571
1
-1.7734 0.0696 0.0734
onws 0.4658 0.1051 .
-0.0424 -0.093 2.0752
Ci s the identity matrix I,,. Thc system described by these
matrices is completely observable and controllable.
Nominal Control Results
A nominal control law isfirst set up according to the track-
ing control design described earlier. The feedback control
gain matrixKis computed using the 14Ql techniquesuch that
the iollowing cost iunction is minimized:
The weighting matrices Q anti R are nonnegative symmet-
ric and positive definite symmetric matrices, Q =0.05/,, and R
=0,11,, respectively. Pig. 7(a) and 7(b) show thc dynamic re-
sponses of the tracked outputs and their cnrrespnnding con-
trol inputs for step changes in the reference inputs.
FDI Results
Actuator and Sensor Faults. Actuator and scnsor faults
have been created on the system to ilhistrate the theory de-
0
-0.05
- 01
4 04
-0 06
4:E -0 08 104
15 p I '
30 35 40 45 50 55
Time (s)
(a)
veloped above. First, wc consider an actuator fault, which
curresponds to a Iuss in the it11actuator efiectiveness. To
do so without breaking the system, the ith control input U,
applied tothesystemi sequal to thecontrolinput computed
by the controller. multiplied by a constant coefficient
k j ( O <k, <1). In this application, the effectivencss oi the
third actuator M,,isreduced by70%(1z:, =03)andappears at
an instant 32 s. According to the actuator fault description
givenearlier, this fault corresponds toacoefficientn,, =-0.7
and appcars abruptly on tile system.
l'herr, in a similar way, a fault on thc sensor measuring
the strip terrsion 7; has been created with the same experi-
mental conditions
F ~ I x ~ ~ ~ ~ ~ ~ moo I EEE Control Systems Magazine 43
Second Bank
I Table 4 1
FDI Module
0.3451
' lleTs 112
Figure 10. FDl r ~r ~~hi t ecnr r ~~
0.3453 0.3506
where T, is the real value of the strip tension and 6T, is the
fault magnitude that affects the sensor. Here, a constant
bias 6T, (k) =-01 appears at an instant 32 8.
Fault Detection and Isolation. In this article, we assume
that only a single fault (actuator or sensur fault) may occur
at a given time. Hence, the unknown input f " considered i n
(31) is a scalar.
In the case of an ith actuator fault, the system can be rep-
resented according to (31) by
x(k +1) =Ax ( k ) + Ru( k) + D,f"(k)+ [q
O] f ' ( k )
y( k) =cx( k) +[ n i ] f " ( k) , (44)
11% 112 1
ller, 112
whercn, is theithcoluinnofmatrixRandB, ismatrixBwith-
out the ith column.
In the same spirit, for aj th sensor fault, the system is de-
scribed as
0.1187 o.ii9n 0.1196
0.4127 0.7913 1.4692
x( h+ 1) =Ax ( k ) +Ru( k) t [B O] f ' ( k)
y ( k ) =Cx ( k ) +E, f " ( k ) + [0 E, ] f * ( k ) , (45)
where E, =[O . . . l . . .Of' represents thc j th sensor fault effect
on the output vector and I?, is tlie identity matrix without
the j th column.
In this application, using the parity space approach, a
bank of six residuals ((I +in) can be set up; three of them
(noted r. are reneratecl usiiir (441 and the others (noted
Fault on 32.4 s
sensor 3
Fault on 32.6 s
actuator 3
-. . - . . ,
[Table . 7. Tracking error '' nom. I
.
I
bank of residuals.
S(r", )represents the symptom obtained from evaluation
of the residual r-, , and S,,,,,", represents the fault signature
associated wit11the ith actuator lor (T =11 and the ith sensor
i ura =y.l'heset ofrcsidualsobtained in thepresenccofthe
third sensor and actuator faults is illustrated by Fig. 8.
For tlie fault on sensor three, residuals ',,, and rv, are
close to zero, but normally, tlie residual c,, must not be of
zero mean because, i n the residual synthesis, dI f> 0 (37).
Also note that these residuals are different from zero at the
time the actuator fault occurs. l hese features do not corre-
spond to thc expected results. Thus, rather than implement-
ing a complex isolation method able to avoid false alarms
and missed detection, the residual evaluation is adapted to
be insensitive to this behavior by using a Page-Hinkley test.
Moreover, another residual bank is established to perform
the complete isolation task as described later.
44 IEEE Control Systems Magazine F CI XW~ mo o
StripTension TI With (black) and Without (purple) FTC
072 1
I
0.7
0.68
0.66
0.64
0.62
0.6
0.58
0 20 40 60 80
Time(s)
StripTension T3With (black) and Without (purple) FTC
0.7 j I
n s I
_.._
0 PO 40 60 80
Time (s)
Angular Velocity Cl, With (black) and Without (purple) FTC
0.5
0 49
0 48
0 47
0 46
0 45
0 44
0.43
0 PO 40 60 80
Time(s)
0.6
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Control Input U, - With (black) and Without (purple) FTC
h I
0 20 40 60 80
Time(s)
-
The same experiments have bcen conducted on the I O ' I i ' 1
other sensors and actuators and tlie same remarks can he
noted; the fault signature for an ith sensor fault or ith actua-
tor fault are identical. Therefore, based on an experimental
data set, a practical inference matrix is built (see Table 3),
where S,e,,, ,,,,, ,", represents the fault signature associated
with the ith actuator or with the ith sensor.
An ciementary logic is used to localize and generate
fault indicators associated with each fault signature.
Then, to distinguish the ith faulty actuator from the ith
faulty sensnr, another bank of residuals is considered. It
-0 2
-0 3
-0 4
4 5
-0 6
0 20 40 60 8C
Time(s)
is based on the principle that an it11residual is driven by
all inputs and outputs except thc ith output. With this
'
Figure 12. Acmat or,roul r mo,q,ritudc est i mat i on.
bank. it is possible to localize tlie faulty sensor or detect a
possible faulty actuator (but withnut actuator isolation).
Tablc 4 shows the associated infercnce matrix, where
S(rd,) represents the symptom obtained from tire evalua-
tion of the residual 5,', generated wi ng all inputs and out-
puts y , ( j t i ) , S',c.i,a, represents the faul t si gri aturc
associated with tire three actuators.
The set of residuals obtai ned in the prescnce of the
thi rd sensnr and actuator faults is illustrated by Fig. 9.
These resi dual s are evaluated using the Page-Hinkley
test. The same experi ments have been conducted on
the other sensors and actuators, and tlie same conclu-
si ons can be estabi i shed: these resul ts correspond to
those expected in the theoreti cal i nference matrix
(Tablc 4). An ei ementaryl ogi c is again used for the deci-
sion-making task.
These two banks are used in parallel. and a global dcci-
sion based on i he fault indicators of cach bank is set up to io-
calize the fault such that
- If the fault indicator / ( f i r , orry,) issued from the first
bank is active (equal to one) and the fault indicator
issued from the second bank isactive, then a
global fault indicator I s(&, ) is activated that corre-
sponds to a fault on tile rth sensor.
Pel " 2000 I EEE Control Systems Magazine 45
If/'(fu)is active,thenaglobaifault indicator/,(fu,jis
activated corresporlding to a fault on the ith actuator
(Table 5).
The PDI inotluie repreeented by Fig. 10 has been imple-
mented and has given good results in terms of detection and
isolation delays as shown in Table 6.
Actuator Fault Compensation
Once the fault is isolated, thc corresponding fault estima-
tion and compensation module isswitched on to reduce the
fault's effect on the system.
Fig. 11 illustrates dynamic responses of the plant to step
changes in the reference inputs around the operating point
considered above. The figures clearly show the FTC
method's ability to compensate for such faults. Indeed,
since an actuator fault acts on the system as a perturbation,
and clue to the presence of the integral errnr in the control-
ler, the system outputs again reach their riominal values
even without fault compensation.
Fig. 11 shows that, without FTC, the strip tension r, (the
output mnre affected by thc fault) reaches its corrcspond-
ing reference input about 18 s after the fault occurrence,
whereas it takesonlyabout 4susingtheFTC method. These
0.55
0.5
0.45
0.4
0.35
Strip Tension T3 With (black) and Without (purple) FTC
U
20 40 60 80
Time(s)
Control Input U, With (bia&) and Without (purple) FTC
0.7
I
Time(s)
Real (purple) and Measured (black) T3 Without FTC
0 55
0 5
0 45
04
I
0 20 40 60 80
Time(s)
Control Input U,
0.22 8 I
0.12 1
I I
0 20 40 60 80
Time(s)
Real (purple) and Measured (black) T3 With FTC
0.55 I R
0 5
0 45
04
Fault Magnitude(purple) and ItsEstimation (black)
0.02 I I
0
-0 02
-0.04
-0 06
-0 08
-0 1
-0 121
0 20 40 60 80
Time(s)
I'chruury 2000 46 IEEE Control Systems Magazine
results can be confirmed by examining the control input U3.
Without the FTC method, it increases slowly due tu the inte-
gral error trying to compensate for the fault effect. On the
other hand, the FTC method makes this control input in-
crease quickly and enables the rapid fault compensation.
The fault estimation given by the singular-value decom-
position technique presented under "Actuator Fault Estima-
tion" isshown by Fig. 12. It isequal to zero i n the fault-free
case and to(k:, -l)U3 when the fault is isolated.
Moreover, looking at the dynamic behavior in Pig. 11,
with a step change of the reference input at 56 s. where the
fault isstill present, we cansee that without fault compensa-
tion, the time response i s much greater than with the FTC
method. The analysis of the tracking error norm also em-
phasizes the performances of the fault-tolerant control
method compared to the nominal cnntroi in the presence of
an actuator fault (Table 7) . It is easy to see that the tracking
error norm using the FTC method is smaller than that with-
out fault compensation.
This method can also compensate for actuator ramp
faults, which areusuallydue to material agingand often met
in practice. The nominal control law cannot compensate for
such faults, although they appear gradually on the system.
In the beginning, their effect is not noticeable on the out-
puts, but as this slope increases, a nonzero static error ap-
pears. To illustrate this effect, an additive ramp fault on the
third actuator has been created:
The effect of this fault on the strip tension T, appears im-
mediately; thestaticerror is35% of the referenceinputstep.
Figure 13shows that once the fault isisolated (almost 2 s af-
ter its occurrence), the FTC method is able to maintain
these outputs at their reference input values as long as the
control inputs remain within their physical limits (here
these limits are -1 and 1). It is a way to avoid stopping the
system immediately after the fault detection.
Sensor Fault Compensation
For the sensor fault considered in the section on actuator
and sensor faults, the faulty measurement q, isan input of
the controller. Although the goal is to maintain the real out-
put T, at its reference input value, without fault compensa-
tion, the controller brings the faulty measurement T,, back
to this corresponding reference value due to the integral er-
ror. Hence, the real output is far from the desired value (see
Fig. 14). But once the fault is identified by the FDI module,
the sensor fault estimation is selected and the compensa-
tion control law U",, is computed and added to the nominal
one to cancel the sensor fault effect on the system. Thc sen-
sor fault magnitude 6T, and its estimation are also iiius-
trated. The smaii di fference between the real faul t
magnitude and its estimation is duc to modeling errors.
Conclusions
The general fault-tolerant control method described i n this
article addresses actuator and sensor faults, which oltcn af-
fect highly automated systems. These faults correspond to a
loss of actuator effectiveness or fault sensor measurements.
After describing tiicse faults, a fault estimation and compen-
sation method was proposed. Inaddition to providing infor-
mation to operators concerning the system operating
conditions, thc fault diagnosis module is especially impor-
tant in fault-tolerant control systems where one needs to
know exactly which element isfaulty to react safely.
The method's abilities to compensate for such faults
were illustrated by applying it to a winding machine, which
represents a subsystem of many industrial systems. The re-
sults show that once the fault is detected and isolated, it is
easy to reduce its effect on the system, and process control
isresumeti with degraded performances close to nominal
ones. Thus, stopping the system immediately can be
avoided. However, the limits of this method are reached
when there is the complete loss of an actuator. In this case,
only a hardware redundancy is effective and could ensurc
performance reliability.
The method proposed here assumes the availability of
thc state variables for measurement. Future studies will fo-
cus on development of this niethod to overcome this as-
sumption, which could be restrictive in practice.
References
[ i] C. Aubrun. U. Saute?. H. Noura. and M. Ilubert, "Fault rli~rgnosls aiid rec011-
figurvtiun of systcnis using fumy logic: Ap1,licution tu a thermal piaot,.l bit. J
.Yystem Science.?. mi. 24, no. 10, pp. 1945-1954. 1993.
12) F. BaII.5 M. Fisher, I). Fussel. 0. Neiles. and R. iseimanir. "lntcgrated c w
trol diagnosis antl reconfiguration nf B heat exchungcr,"l ~E~ConI r Sys. Ma&,
vo~. in, no. :I. I'p. 5 x 4 . mn.
[3] M. Rnsseville. "Detecting changes in signals antl systcms-a swvey. ' '
Aiilornolico. "01. 24, pp. 309.326, 1988.
[4j M. Rvssrviile and i. Nikiforov. Drieoliun ofAbnrpt C l m n ~ a , TI, eu~yundAp
plicrrlion. Englewoud Ciilfa, N.I: Prenticc Hail. IDL13.
[5] A. Russusg~Onuna. M. Uarouurh. and G. Kraakelu. "Optiinal estimation uf
state and inputs for stochastic dynamical systems with unknown inputs,"
ToofdrogS?, I n t Coni 011 I~hul IDi qnmi s, Touiousc. liriince. pi>. 267275. 1993.
[GI T. Bastognc. ti. Noura, P. Sibiile. and A. Ilichard. "Multivarial,lc iclentificit~
tlon 01 a winding proress by subspace mcthoris far a tcnsioii control." Cont.
[7] K.V. Beard. "liiilore accommiidalioii in linear systems tlirriugii self-reorga-
niautian." P1i.D. dlssertation, Dcpt. Aero. Astro, M.I.T.. Cambridge, MA 1971
18) M. Bodson ant1 .I. Groszkiewiez. "Muitiviirinble adaptive algorlthrns lor IC
configurable ilight (.ontrol," IEEI: P ms . Cont. Sys. Tecii.. voi. 5. no. 2, pp
217-229, 1997.
(91 K.11. Braatz. H.A. Ogumaike, and A.P. leatherstoiic, "Ideiitilicatioii, m t i ~
mstion and control of shcet and film pmcr sses; iii Plrru, 131117'rierenitnill~jlC
World Congress, San Riliicis'co, CA. 1996, pli. 3i9~324.
[i n] .I. CIWI. R.J . ~aito,~.antiz. CIE~, ,,~n~~~appro.lc.i,toiauit IOIW~CII C L N ~
trol of uncertai n s ys t e ms . " lj:W I.SlC/CiKA/I.SAS Joml Co,z/<~rrnce,
Gaithersburg, MD. pi). 375-inn. i %n.
[ I I ] E.Y. ChnwandA. S. Willsky."Analytical redunciancyand t hrdesi gnoi 10-
1bwt failure det crt i m systcmr, " IEEE Truns. Aetornnt. Cnri l ., vol. AC-ZY, pi'.
[i 2] .I. U'Azzo ant1 C.II. Houpi r.Li neorCo,rf ml Sysl e,nA,~rri ~si sa,i dUeri S,~, Con-
uenriunal andModem (McGruw-llill Serics in Electrical ;arid Cornlmter Rngi-
neering). New York McGraw-Hill, 1995.
[ i 3] H.De Moor, J . Staar. atid J . Vai~lewallc. "Orientcrl energy arid Oriciited
signal-to-signal ratio concepts iii the analysis oi vector sequences and time
E ~ S . proct., vo~. 6. no. 9. 1077-1088. m n .
603.~14, i m4.
February 200U I EEE Control Systems Magazine 47
Substituting (48) in (47) yields:
x , ( k+l ) =CA,,p -~, , K, , )x, , (k)-B~, K, z(k)+(q, , -Br,KT)xs(/z)
(494
x , ( k +1) =( A, , -@K, )x, (k) -BsKIz(R) +(A,, - 4K, , ) x, , ( / z )
+<,,,t,(Q+ B,,u,,,(k)
+r<,,f"(k)+ B*l f ~<, ( / z) . (49b)
Here, the fault effect must he eliminated in the prioritystate
variables x,,. 7'lins, from rclatiorr (49a), this can be achievcd
by solving the following relation:
( A, -B,,K)x,(k)+I.,,f,(k)+B,u,,,(k) =o. (50)
In this decomposition, if x , isnot available for measurement,
it can he computed from tlie output cquatlon in (47), because
IiereC, isafull-column rankmatrix.Then, usingtliefault esti-
mation f,, tlie additive control law solution of (50) Is
u,,,j(/z) =-Ri ' [ (AJpq -R,,K,)x,(k)cr,,~~~,(k)l . (51)
The main goal is to annihilate tlie fault on the priority out-
puts. This is realized by choosing tlie transformation matrix
7'siich that
Although thc secondary outpnts are not compensated for,
they must remain stable in the faulty case. Let us examine
these secondaryvariahles. Replacing (51) i n (49b) leads to:
x , ( k + l ) =(A,, -B\Bi'A, , \)x*(/z)- H\K,z(/z)
+(As,, - B*K,J x,,(/z)+(t,* - Kt$'~:,,JC,(/O. (52)
It Iseasyto see that tlie secondaryvariables are stablc i f and
only i f the elgcnvalurs of thc matrix (A,, -B,B,,'A,,,) belong
to the unit circlc.
Hassun Nourn was liorii in Alilalr, Lebanon, in 1965. Here-
celved his P1i.D. i n automatic coiitrol engineering from tlic
Henri I'oincarc! University, Nancy, France, in 1993. Hehas
been wllli the Research Center for Automatic Contrul of
Nancy antl has been an associatc professor since 1994. His
rescarch interests iiiclude fault diagnosis and fault-toler-
ant control.
DorniniqueSuuteerreceived his P1i.L). in 1991 from the Uni-
versity Henri Poincark, Nancy, France. Sincc 1993, he has
been afull professor at this univcrsity, where hc teaches au-
tomatic control. He has been the dircctor of thc lnstitut
Univcrsitaire Profcssionnalisi: in electrical cngineering for
two years. Heis a member of the llcsearch Centcr in Auto-
matic Control of Nancy (CIIAN), associated with tlie 1:rencli
National Center for Scientific Rescarch (CNRS). He is also a
member of tlie French Gcrman Institute on Automatics and
Robotics (IAR), wliere he chairs a working grnup on intelli-
gent control and fault diagnosis. His currcrit research lnter-
ests are focused on model-based fault diagnosis and fault
tolerance with emphasis on industrial applications.
Fridkric Hai nel i n ohlaiiicd his Ph.U. i n automatic control
from the Henri Poincare Ilniversity, Nancy, I:rance, in 1995.
Hehas been an associate professor at this university. His
current research interests are robust fault diagnosis antl
fault-tolerant control.
Didier Theilliol earned his P1i.D. in control engineering
from the Hcnri Poincar6 Universily, Nancy, France, in 1993.
Hehas been an associate professor at tlie Research Cciitre
for Automatic Control of Nancy since 1994. Theilliol's rc-
search cxperience includes identification of nonlinear SlSO
systems wilh multilayer neural networks and decision sup-
port systems witliin the framework of its participation in a
I;uropean projcct (Eureka Project KU 99fi Maine Dialogs) for
three years. Current research interests include robust fault
diagnosis ant1 fault-tolerant control.
IEEE Control Systems Magazine 4Y