Toward Fault-Tolerant Vehicle Motion Control for Over-Actuated Automated Vehicles: A Non-Linear Model Predictive Approach

Automated driving systems operated at SAE levels 4 and 5 require a far-reaching fault-tolerant design. To meet this need at the actuator level, we present an integrated vehicle motion control approach that is able to tolerate a wide range of different actuator degradations and failures as well as tire blowouts in vehicles featuring four wheel-individual steering, drive, and brake actuators. The approach, which is based on non-linear model predictive control (MPC), tracks a temporal sequence of reference poses. Fault tolerance is achieved by reconfiguration of the MPC’s constraints, weights, and prediction model, which consists of a double-track vehicle and a brush tire model. The evaluation of the approach is based on two reference trajectories. The example of a simple single lane change trajectory in IPG CarMaker demonstrates the basic functionality of the approach. The example of a demanding decelerated single lane change trajectory shows that the approach is subject to limitations when tolerating different degradations and failures. Still, the observed limitations can be explained by the interplay of the specific degradation or failure and the demanding nature of the trajectory. Therefore, the results indicate that the suitability of fault-tolerant vehicle motion control as part of a system-wide safety concept is strongly connected to the range of possible driving scenarios that an automated driving system can encounter.


I. INTRODUCTION
Automated driving systems according to SAE levels 4 and 5 [1] demand a high degree of fault tolerance throughout the processing chain, since their safety argumentation cannot rely on human intervention. At the actuator level, fault tolerance strategies are typically based on redundant actuator implementations, which come with drawbacks such as an increased installation space, weight, system complexity, and cost. Another means to achieve fault tolerance against degraded or failed actuators is fault-tolerant vehicle motion control. Exploiting the over-actuation that is common in modern vehicles, fault-tolerant vehicle motion control compensates for the effects of degraded and failed actuators by using the remaining healthy actuators. Thus, fault-tolerant vehicle motion control can either serve as an additional safety layer or allow fail-operational strategies at the actuator level to be replaced by fail-safe or fail-degraded strategies [2].
The associate editor coordinating the review of this manuscript and approving it for publication was Wonhee Kim.
VOLUME 11, 2023. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In this paper, we present a fault-tolerant vehicle motion control approach for vehicles featuring four wheel-individual steering, drive, and brake actuators. The approach is a further development of our earlier work [3] and presents four contributions to the field of fault-tolerant vehicle motion control. Based on non-linear model predictive control (MPC), the control approach is explicitly designed for handling the full range of degradation and failure types of steering, drive, and brake actuators encountered in the literature, whereas other publications take only a selected subset of the full range into account. Hence, the tolerated range of degradations and failures is the most far-reaching compared to the literature, which is the first contribution. Additionally, the approach is able to tolerate tire blowouts, which leads to the second contribution. The approach is one of the first to integrate fault tolerance against tire blowouts as well as degradations and failures of actuators into one control scheme. The third and the fourth contribution are architectural in nature. The third contribution is the approach's control target of tracking a temporal sequence of reference poses, where pose means a position plus heading in a horizontal plane. This control target corresponds to the interface to the upstream trajectory generation. It allows for a direct realization of the reference trajectories generated with frequently presented spatio-temporal trajectory generation approaches, e.g., [4] and [5]. However, this control target is rarely found in the literature presenting fault-tolerant vehicle motion control approaches to date.
Finally, the work is the only fault-tolerant vehicle motion control approach for a highly over-actuated vehicle known to us that is purely based on model predictive control and does not need an underlying control allocation layer to create the manipulated variables forwarded to the downstream control loops of four steering and four drive/brake actuators.
In the remainder of this paper, Section II summarizes the published literature related to the present work while highlighting our contribution. Section III describes the non-linear MPC scheme and contains a description of basic requirements, the selected prediction model, the employed cost function, as well as the reconfiguration strategy that allows adaptation to different degradation and failure types. Finally, the evaluation is conducted in Section IV using the example of tracking two different reference trajectories in the presence of various degradation and failure types.

II. RELATED WORK
Fault-tolerant vehicle motion control is a widely investigated field. However, the published approaches differ quite significantly with respect to the considered actuator topology, the employed control techniques, the regarded degradation and failure types, and the control targets [6].
In this section, we concentrate on publications in the field of fault-tolerant vehicle motion control that are related to the present work, either by using the same actuator topology or by using model predictive control (MPC) as control scheme. Still, the general statements made in this section hold true for a wider body of literature as the comprehensive overview in [6] reveals. We briefly highlight the employed control techniques and structures, the ranges of tolerated degradation and failure types, as well as the corresponding control targets.
In the context of the present work, the recent contribution of Liu et al. [7] is particularly interesting as both contributions share properties that are unique in the field of fault-tolerant vehicle motion control. First, to the best of our knowledge, the work of Liu et al. is the sole contribution that investigates the handling of tire blowouts using the over-actuated actuator topology that is in the focus of the present work. At the same time, it is the only other work known to us that features fault tolerance against failed actuators and tire blowouts in a single control approach [6]. Finally, the approach of Liu et al. [7] aims at tracking a temporal sequence of reference poses, which has only been investigated in the field of fault-tolerant vehicle motion control in our previous work in [3]. However, Liu et al. do not demonstrate the ability of their approach to track a temporal sequence of reference poses during their evaluation.
A smaller number of publications outline approaches with a single control layer, where the researchers use techniques based on sliding mode control [31], [32], optimal control allocation [33], model-free adaptive control [34], and Lyapunov's theory [35].
Again, MPC is mostly used as the upper control layer in hierarchical two-layer control structures, where the lower control layer features optimal control allocation [36], [37], [40], or sliding mode control [39]. MPC as the sole control technique is only found in fault-tolerant control approaches targeting tire blowouts, which purely rely on front-axle steering [41], [42], [43], [44], [45]. Table 1 illustrates that the control approaches considered in the previous paragraphs achieve fault tolerance against a varying range of degradation and failure types. However, there is no publication available that covers the entire range of the categories listed above. This fact also applies to the body of literature in the field of fault-tolerant vehicle motion control that has been reviewed in [6].

C. TOLERATED DEGRADATIONS AND FAILURES
Following the terminology of ISO 26262 [46, Part 1], degradations and failures are observable consequences of one or multiple faults. They can be distinguished based on a system's ability to provide its specified functionality and the available performance when providing its functionality. A degradation reflects that a system is still able to provide its functionality, yet with reduced performance. In contrast, a failure refers to a system that is not able to provide its functionality at all. A similar distinction can be made for fault tolerance regimes such as fail-degraded and fail-safe [2].
Different failure and degradation categories can be formed in order to determine the range of fault tolerance provided by different control approaches. The categories that describe non-nominal behavior according to [6] yield, on the one hand, five failure categories, which are F1: zero wheel torque, F2: unintended wheel torque, F3: locked or spinning wheel, F4: unintended steering angle, and F5: zero steering torque. Failure F5 is referred to as "complete steering failure" by some scholars [39]. On the other hand, the corresponding degradation categories are D1: reduced wheel torque range, D2: reduced steering angle range, D3: reduced steering dynamics, and D4: tire blowouts. Please note that we consider tire blowouts as a degradation since blown tires can still provide their force transfer functionality, albeit with significantly reduced performance.

III. NON-LINEAR FAULT-TOLERANT MODEL PREDICTIVE VEHICLE MOTION CONTROL
In this section, we outline the fault-tolerant vehicle motion control approach based on non-linear model predictive control (MPC). The approach is meant to be embedded in an overall automated driving system as illustrated in Fig. 1, which depicts a simplified generic functional system architecture. In terms of this architecture, motion control underlies behavior planning and trajectory generation, which internally determines the desired vehicle behavior and calculates the corresponding reference trajectory as its output. Both are accompanied by the environment and self-perception, where the latter includes a fault detection and identification functionality, cf. [47]. The environment and self-perception block processes vehicle-wide sensor data and provides vehicle state information as well as degradation and failure information to the motion control functionality. Its interface to behavior planning and trajectory generation, referred to as a scene according to Ulbrich et al. [48], summarizes environment, vehicle states, as well as degradation and failure information.
For the present work, we focus purely on the part of motion control and, thus, do not consider the reciprocal interaction with other architectural entities. Consequently, we presume a given reference trajectory generated by superimposed architectural layers in terms of a temporal sequence of reference poses. Further presumptions are available vehicle state information, such as the actual pose and the actual vehicle dynamics, as well as degradation and failure information. Still, the interaction between fault-tolerant vehicle motion control and superimposed architectural layers as well as its interaction with fault detection and isolation approaches are further interesting areas of research.
Internally, the approach outlined in this section comprises three functional components: the actual non-linear model predictive control scheme, a reconfiguration block, and a trajectory pre-processing block. The reconfiguration block (re-)configures the MPC's prediction model, its constraints, and its weights based on the degradation and failure information. The trajectory pre-processing block reconditions the reference trajectory such that it can be used within the MPC scheme. Steering commands and common brake/drive commands serve as output, where the latter are distributed to brakes and drives of each wheel by means of a torque allocation functionality. Please note that this functionality is not part of the present work and, thus, is another presumption.
Figure caption: … Ulbrich et al. [50]. Interfaces: (a) sensor data; (b) scene representation; (c) degradation and failure information; (d) state information; (e) reference trajectory; (f) reference values; (g) reconfigured model, weights, and constraints; (h) combined brake and drive commands; (i) brake commands; (j) drive commands; (k) steering commands.
After stating the basic requirements for the control scheme in Section III-A, Sections III-B and III-C outline the employed non-linear vehicle model. The cost function is introduced along with reference values and constraints in Section III-D, whereas the reconfiguration schemes for enabling fault tolerance are outlined in Section III-E.

A. REQUIREMENTS
For designing the control scheme, different requirements apply. The target of investigating the suitability of fault-tolerant vehicle motion control leads to the first requirement:
RQ 1: The approach shall allow for fault tolerance against the range of actuator degradations and failures mentioned in Section II as well as against tire blowouts.
Moreover, as pose tracking has rarely been used as control target, we demand:
RQ 2: The approach shall track a given reference trajectory consisting of a temporal sequence of reference poses with reference positions $(\hat{x}(t), \hat{y}(t))$ and reference headings $\hat{\psi}(t)$.
Further requirements are derived from the capabilities of the over-actuated topology in the focus of this paper:
RQ 3: The approach shall facilitate the utilization of the motion potential of over-actuation. In particular, it shall enable the explicit setting of the sideslip angle $\hat{\beta}$ as part of the reference trajectory.
RQ 4: The usage of the adhesion potential on all tires shall be evenly distributed between the tires.
Requirement RQ 4 targets an equal force potential reserve per wheel, cf. for instance [20], [53], [54], [55].
In order to consider a potential real-world implementation, the following requirements are taken into account:
RQ 5: The approach shall use steering angles and wheel torques as manipulated variables.
RQ 6: The approach shall rely on as few measured quantities as possible.
Still, although important for a real-world implementation, the following requirements are not in the focus of the present work and are thus only partially addressed:
RQ 7: The approach's computational complexity shall have the potential for a real-time implementation.
RQ 8: The approach shall be robust against parameter variation, external disturbances, and noisy inputs.

B. PREDICTION MODEL
The over-actuated actuator topology necessitates to employ a double-track model for the model predictive control algorithm. Based on the work of Orend [53] and neglecting roll and pitch motion, the prediction model describes the planar vehicle motion in relation to a temporal sequence of reference poses. In the following sections, the superscript a ∈ {O, V, W} denotes the reference coordinate system, whereby O is the global, V the vehicle, and W a wheel coordinate system. A subscript b ∈ {x, y, z} denotes a translational or rotational quantity along or around the axis b. The subscripts i = (f, r) and j = (l, r) denote the front and rear axle as well as the vehicle's left or right side, respectively. We adopt the tire model presented by Hindiyeh and Gerdes [56], which is based on Fiala's brush tire model [57]. On the one hand, it allows complying with requirement RQ 5, which demands wheel torques and steering angles as manipulated variables. On the other hand, it covers the coupling of longitudinal and lateral tire forces, even in high slip conditions, e.g., in case of a locked wheel. The resulting relations for the lateral tire forces F W y,ij are where α ij is the wheel's slip angle, which calculates as , with the wheel's longitudinal and lat- is the tire slip angle at which the tire force potential utilization saturates. F z,ij denotes the wheel's normal force, C α,ij the cornering stiffness, µ ij the friction coefficient, and ξ ij = The longitudinal tire force F W x,ij in the derating factor ξ ij is determined through which allows for using the wheel torque τ ij as manipulated variable (requirement RQ 5). Here, r ij ,ω ij , J W y,ij , and f r,ij denote the wheel's effective radius, rotational acceleration, rotational inertia, and rolling resistance coefficient.
Please note that we introduce the cornering stiffnesses $C_{\alpha,ij}$, the rotational accelerations $\dot{\omega}_{ij}$, and the normal forces $F_{z,ij}$ as time-varying parameters, on which we give further details in Section III-C.
The wheel's longitudinal and lateral velocities v W x,ij and v W y,ij in tire coordinates are related to those in vehicle coordinates, v V x,ij and v V y,ij , as depicted in Fig. 2b via so that the wheel's steering angle δ ij can be used as manipulated variable (requirement RQ 5). The wheel's velocities in vehicle coordinates are obtained from the vehicle's longitudinal and lateral velocities v V x and v V y and the vehicle's yaw rateψ through Here, p ij = (−s l , s r , −s l , s r ) and q ij = (l f , l f , −l r , −l r ) describe the geometric relation between the vehicle's center of gravity and the wheels' positions as illustrated in Fig. 3b. Summarizing the tire forces at the center of gravity, cf. Fig. 2a and 3a, allows the vehicle dynamics to be expressed as the derivative of the longitudinal and lateral velocities as well as of the yaw rate as follows:  where m denotes the vehicle's mass, J z its yaw inertia, and x 2 the aerodynamic drag with the drag coefficient c d , the air density ρ, and the cross-sectional area A. The last part of the prediction model consists of the vehicle's motion in relation to the given temporal sequence of reference poses . We transfer this reference trajectory, e.g., given in Cartesian coordinates, to a Frenet representation. Then, the vehicle motion in relation to can be approximated by the path length s, the lateral deviation d, and the heading or yaw angle ψ by means oḟ as depicted in Fig. 4.ψ t denotes the portion of the heading angle referenceψ that is tangential to the path of the reference trajectory and therefore represents the vehicle's desired course angle.
The remaining portion $\hat{\psi}^{+} = \hat{\psi} - \hat{\psi}_t$ of the yaw angle reference $\hat{\psi}$ allows a specific sideslip angle reference $\hat{\beta} \neq 0$ to be set, as demanded by requirement RQ 3. With conventional front axle steering, creating high sideslip angles $\beta$ in a stable manner is restricted to highly trained drivers and specialized control approaches [58]. In contrast, all-wheel steering allows vehicle operation with relatively high sideslip angles while providing a stable vehicle motion. The sideslip angle range that allows for a stable vehicle motion is determined by the available steering angle range and the current curvature of the driven path. For instance, on a straight lane segment, sideslip angles up to the smallest maximum steering angle are possible. Consequently, we use $\hat{\psi}^{+}$ to create a defined sideslip angle $\hat{\beta}$ via $\hat{\psi}^{+} = -\hat{\beta}$.
The state and control vectors x and u of the prediction model assemble to Using the steering ratesδ ij as manipulated variables and including the steering angle δ ij into the state vector enables the consideration of degraded steering dynamics in the fault-tolerant control scheme, cf. Section III-E. The output vector y contains the state and manipulated variables, which are supplemented with additional quantities: In addition to tracking the reference trajectory, the output vector y can be used to implement secondary control targets. Summarizing the longitudinal and lateral velocities has proven to be beneficial in case of huge lateral deviations from the reference trajectory. Still, the relation between longitudinal and lateral velocity is part of the output vector by means of the sideslip angle β. The steering angle differences δ i = δ il − δ ir target the avoidance of opposing steering angles at one axle, e.g., a deceleration by turning both wheels inwards. Finally, the slip angles α ij can be used to prevent adverse lateral slip conditions.

C. TIME-VARYING MODEL PARAMETERS
In order to account for requirement RQ 6, which demands reliance on as few measured quantities as possible, we introduce the wheels' rotational accelerations $\dot{\omega}_{ij}$, the wheels' normal forces $F_{z,ij}$, and the tires' normal force-dependent cornering stiffnesses $C_{\alpha,ij}$ as time-varying parameters of the prediction model. At the same time, this partially addresses requirement RQ 7 by reducing the computational complexity of the MPC scheme as we avoid the otherwise necessary extension of the state vector x.
To provide an estimation ofω ij , F z,ij , and C α,ij for each sampling step of the prediction horizon, we employ measured quantities of the current sampling step together with predicted states from the previous prediction step. We derive the wheels' rotational accelerationω ij by forming the difference quotient of the wheels' rotational velocities ω ij = v W x,ij /r ij over the prediction horizon while assuming zero slip con- x,ij is calculated by means of the measured and predicted quantities yaw rateψ, steering angle δ ij , as well as longitudinal and lateral wheel velocities v V x and v V y in accordance with (3) to (5).
To account for the change in normal force over the prediction horizon, we use the following relations [59, pp. 98 sqq.] to determine the normal forces F z,ij : , and (15) where h CG denotes the height of the center of gravity. a x and a y are the longitudinal and lateral acceleration, which can be derived by forming the difference quotients of the measured and predicted velocities v x and v y . We approximate the degressive normal force dependency of the cornering stiffnesses C α,ij [60, pp. 36 sq.], through which is illustrated in (5). p 1,ij , p 2,ij , and p 3,ij are parameters that, e.g., can be pre-computed during an offline tire characteristics identification. Consequently, the estimates ofω ij , F z,ij , and C α,ij rely exclusively on vehicle motion states. The deviations between the predicted and actual values ofω ij , F z,ij , and C α,ij have proven to be sufficiently small to allow for a good prediction of the state vector x.

D. COST FUNCTION, REFERENCE VALUES, CONSTRAINTS, AND WEIGHTS
The fundamental optimization problem of the MPC scheme can be described on the basis of a non-linear system according toẋ where x denotes the state vector, u the control vector, and y the output vector. f and h are the non-linear transition and output functions. Then, the fundamental optimization problem results in Here, J is the cost function, x 0 contains the current system state, and T p is the prediction horizon. z as well as r together with the slack variable ϵ are non-linear functions to implement hard and soft constraints, respectively. The cost function J used for solving the optimal control problem is time-discrete and contains an end term. It presents itself as follows: where N c and N p denote the control and the prediction horizon. n y is the number of elements of the output vector y, respectively.ŷ k,l denotes the reference values for each output variable and e n,l the corresponding normalization values, which allow a more intuitive weighting. w ll and w f,ll are the main diagonal entries of the weight matrices, with the index f for the end term.
The reference values are generated either based on the reference trajectory or based on considerations with regard to safety and comfort:
• $\hat{s}$, $\hat{\psi}$, and $\hat{\psi}_t$ are part of the reference trajectory.
• $\hat{d} = 0$, since no lateral deviation is desired.
• |v|, ψ, and β are either contained in or can be derived from a time-discrete through |v| = ŝ t , ψ = ψ t , and $\hat{\beta} = -\hat{\psi}^{+}$.
• δ i = 0 avoids opposing usage of steering actuators at an axle.
• As a measure for motion stability, $\hat{\alpha}_{ij} = 0$ aims at avoiding excessive wheel slip angles.
In order to reach a safe and stable vehicle motion, manipulated and selected output variables are constrained. First of all, actuators are subject to physical limitations. Thus, the steering angles $\delta_{ij} \in [\underline{\delta}_{ij}, \overline{\delta}_{ij}]$ and rates $\dot{\delta}_{ij} \in [\underline{\dot{\delta}}_{ij}, \overline{\dot{\delta}}_{ij}]$ are constrained. The limitations of brakes and drives are represented by means of the available wheel torque range $\tau_{ij} \in [\underline{\tau}_{ij}, \overline{\tau}_{ij}]$. To target motion stability, the lateral slip is constrained as well: $\alpha_{ij} \in [\underline{\alpha}_{ij}, \overline{\alpha}_{ij}]$. Here, $\underline{\alpha}_{ij}$ and $\overline{\alpha}_{ij}$ are chosen to keep the slip to values equal to or smaller than those of maximum friction. However, the constraint on $\alpha_{ij}$ is soft because $\underline{\alpha}_{ij}$ or $\overline{\alpha}_{ij}$ can be quickly exceeded in adverse driving conditions, which would lead to an infeasible optimization problem.
Please note that we only partially account for requirement RQ 4, which demands a balanced adhesion potential usage on all tires. The force potential usage on the tires is implicitly represented in the cost function $J$ via weights on the slip angles and on the wheel torques. Thus, the utilization can be unbalanced in dynamic driving situations. However, the overall performance of the pose tracking desired by requirement RQ 2 is improved in comparison to an explicit representation of the force potential usage in the cost function.
Finally, the weights used in the cost function are identified experimentally.

E. RECONFIGURATION
The control scheme can be reconfigured in order to account for requirement RQ 1, which demands fault tolerance against degradations and failures at the actuator level as well as against tire blowouts. Again, the fundamental prerequisite is a working fault detection and isolation functionality, which, however, is not the focus of the present work. To achieve fault tolerance, the model predictive control scheme is reconfigured by adapting the prediction model, the constraints, and the weights depending on the degradation and failure type, as we summarize in Table 2. Degraded actuator capabilities, such as a reduced torque or steering angle range or reduced steering dynamics (degradations D1 to D3 in Table 2), are simply handled by adjusting the corresponding actuator constraints.
Failure types with an unintended manipulated variable (failures F1 to F4) require three reconfiguration measures. To begin with, the prediction model is updated so that the affected manipulated variable turns into a disturbance. For zero and constant torques (failures F1 and F2), this is done by setting the manipulated variable to the corresponding constant value. Model updates targeting constant steering angles (failure F4) follow the same idea: The steering rateδ ij is set to zero, the steering angle δ ij to the value of the constant steering angle. Locked or spinning wheels (failure F3) due to brake or drive torques that exceed the tires' friction capabilities are addressed by setting the longitudinal tire force in the prediction model to denotes the longitudinal slip. Here, µ ij F z,ij reflects the maximum wheel force, whereas the coupling of longitudinal and lateral tire forces is represented through the wheel's slip angle α ij .
The second and third reconfiguration measures targeting failures with unintended manipulated variables concern constraints and weights. Voiding the corresponding constraints prevents an infeasible optimization problem. For that same reason, the constraints on the wheel's slip angle are also eliminated at a constant steering angle (failure F4). Zeroing the weight on the wheel torque w τ,ij (failures F1 to F3) or on the steering angle w δ,ij (failure F4) removes the influence of the constant value on the cost function J . Furthermore, zeroing the weight on the steering angle difference w δ,i allows opposing steering angles at the axle at which the constant steering angle of failure F4 is present.
In case of zero steering torque τ δ,ij = 0 (failure F5), a wheel's motion around its vertical axis is determined by the forces at the tire-road contact patch together with the suspension kinematics, as sketched in Fig. 6. The wheel's force center usually is not identical with the intersection of the steering's pivot axis and the road plane. Neglecting vertical vehicle motion as well as potential damping effects through a steering actuator, a wheel's motion around its vertical axis can be expressed by Here, F W x,ij and F W y,ij denote the longitudinal and lateral tire forces and J W z,ij the rotational inertia around the wheel's vertical axis. r s is the scrub radius, while t m and t p denote the mechanical and pneumatic trail, respectively. The self-aligning moment F W y,ij (t m + t p ) causes a steering angle δ ij that follows the vehicle motion, provided t m + t p > 0.
In contrast to the lateral force $F^{W}_{y,ij}$, which results from the vehicle motion, the longitudinal force $F^{W}_{x,ij}$ is determined by drive and brake actuators. Thus, brake and drive can potentially steer the wheel via the scrub radius $r_s$, which is, however, undesired here. Consequently, the reconfiguration measures for zero steering torque (failure F5) target a wheel that is free of any intentionally applied forces: The wheel torque $\tau_{ij}$ and the wheel slip angle $\alpha_{ij}$ are set to zero. The latter measure removes the influence of the steering actuator on the prediction model since it prevents lateral force being created with the steering angle $\delta_{ij}$. Moreover, the constraints for wheel torque $\underline{\tau}_{ij}$ and $\overline{\tau}_{ij}$, steering angle $\underline{\delta}_{ij}$ and $\overline{\delta}_{ij}$, as well as wheel slip angle $\underline{\alpha}_{ij}$ and $\overline{\alpha}_{ij}$ are voided. Additionally, the weights $w_{\tau,ij}$, $w_{\delta,ij}$, and $w_{\delta,i}$ on wheel torque, steering angle, and steering angle difference are zeroed in order to remove the influence of the wheel's quantities on the cost function $J$.
FIGURE 6. Simplified force relations at the wheel, which neglect damping effects of the steering system as well as effects of suspension kinematics and motion, i.a. those due to camber. P is the pivot point of the steering motion.
Finally, the control scheme can be reconfigured to tolerate tire blowouts (degradation D4). First, the model is reconfigured such that the relevant effects of a tire blowout are taken into account. To address the increased rolling resistance coefficient f r,ij and the decreased effective wheel radius r ij after a tire blowout, their values are changed to f * r,ij and r * ij in the prediction model. We presume that both values are predetermined or estimated by a fault detection and isolation functionality for tire blowouts (see Appendix). Furthermore, a predetermined or estimated constant value F z is subtracted from or added to the normal forces F z,ij : F * z,ij = F z,ij ± F z . This measure accounts for the normal force rearrangement after tire blowouts as described by Patwardhan [61, pp. 25 sqq.]. The subtraction applies to the wheel with the blown tire and diagonally opposite wheel, whereas the addition applies to the other two wheels. The consideration of the normal force rearrangement is an improvement in comparison to the work of Liu et al. [7], who neglect the phenomenon.
Further measures in the presence of a tire blowout aim at avoiding excessive wheel forces in order to prevent a separation of tire and rim. The wheel torque $\tau_{ij}$ and its weight $w_{\tau,ij}$ are zeroed, which prevents actively demanding longitudinal forces from the blown-out tire. The corresponding constraints $\underline{\tau}_{ij}$ and $\overline{\tau}_{ij}$ are voided. Similarly, increasing the weight $w_{\alpha,ij}$ significantly to $w^{*}_{\alpha,ij}$ penalizes the slip angle $\alpha_{ij}$, which ensures that the lateral force $F^{W}_{y,ij}$ is notably reduced. This is supported by zeroing the weight on the steering angle difference $w_{\delta,i}$, which allows for deviating steering angles at the affected axle. Additionally, the steering dynamic constraints $\underline{\dot{\delta}}_{ij}$ and $\overline{\dot{\delta}}_{ij}$ are reduced to $\underline{\dot{\delta}}^{*}_{ij}$ and $\overline{\dot{\delta}}^{*}_{ij}$.
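The reconfiguration measures of Section III-E, written out as a function that rewrites per-wheel constraints, weights, and prediction-model overrides. This is an added example, not the authors' ACADO-based implementation; the configuration layout, the field names (`tau_fixed`, `fx_saturated`, `fz_offset`, and so on), and all numeric values are assumptions. It further assumes that steering angle and steering rate constraints both count as the "corresponding" constraints for failure F4 and that a degradation may only tighten a range.

```python
import copy
import math

WHEELS = ("fl", "fr", "rl", "rr")
DIAGONAL = {"fl": "rr", "fr": "rl", "rl": "fr", "rr": "fl"}
VOID = (-math.inf, math.inf)  # a voided constraint no longer bounds its variable


def nominal_config():
    """Constructed nominal configuration; every number is a placeholder."""
    wheel = {
        "constraints": {"tau": (-1500.0, 1500.0), "delta": (-0.6, 0.6),
                        "delta_rate": (-0.5, 0.5), "alpha": (-0.1, 0.1)},
        "weights": {"tau": 1.0, "delta": 1.0, "alpha": 1.0},
        "model": {},  # per-wheel overrides applied to the prediction model
    }
    return {"wheels": {w: copy.deepcopy(wheel) for w in WHEELS},
            "axle_weights": {"f": {"delta_diff": 1.0}, "r": {"delta_diff": 1.0}}}


def _narrow(old, new):
    """Intersect two ranges so that a degradation can only tighten a bound."""
    lo, hi = max(old[0], new[0]), min(old[1], new[1])
    if lo > hi:
        raise ValueError(f"empty constraint range: {old} and {new}")
    return (lo, hi)


def reconfigure(cfg, fault, wheel, **p):
    """Return a reconfigured copy of cfg for one fault category at one wheel."""
    cfg = copy.deepcopy(cfg)
    w = cfg["wheels"][wheel]
    con, wts, mdl = w["constraints"], w["weights"], w["model"]
    axle = cfg["axle_weights"][wheel[0]]  # "f" or "r"

    if fault == "D1":      # reduced wheel torque range
        con["tau"] = _narrow(con["tau"], p["tau_range"])
    elif fault == "D2":    # reduced steering angle range
        con["delta"] = _narrow(con["delta"], p["delta_range"])
    elif fault == "D3":    # reduced steering dynamics
        con["delta_rate"] = _narrow(con["delta_rate"], p["delta_rate_range"])
    elif fault in ("F1", "F2", "F3"):
        if fault == "F1":      # zero wheel torque
            mdl["tau_fixed"] = 0.0
        elif fault == "F2":    # unintended (constant) wheel torque
            mdl["tau_fixed"] = p["tau_const"]
        else:                  # locked or spinning wheel: only a flag here, the
            mdl["fx_saturated"] = True  # force relation itself is not reproduced
        con["tau"] = VOID
        wts["tau"] = 0.0
    elif fault == "F4":    # unintended (constant) steering angle
        mdl["delta_fixed"] = p["delta_const"]
        mdl["delta_rate_fixed"] = 0.0
        con["delta"] = con["delta_rate"] = con["alpha"] = VOID
        wts["delta"] = 0.0
        axle["delta_diff"] = 0.0  # permit opposing angles at this axle
    elif fault == "F5":    # zero steering torque: wheel free of intended forces
        mdl["tau_fixed"] = 0.0
        mdl["alpha_fixed"] = 0.0
        con["tau"] = con["delta"] = con["alpha"] = VOID
        wts["tau"] = wts["delta"] = 0.0
        axle["delta_diff"] = 0.0
    elif fault == "D4":    # tire blowout
        mdl["f_r"] = p["f_r_star"]   # increased rolling resistance coefficient
        mdl["r_eff"] = p["r_star"]   # decreased effective wheel radius
        for other in WHEELS:         # normal force rearrangement
            sign = -1.0 if other in (wheel, DIAGONAL[wheel]) else 1.0
            cfg["wheels"][other]["model"]["fz_offset"] = sign * p["delta_fz"]
        mdl["tau_fixed"] = 0.0
        con["tau"] = VOID
        wts["tau"] = 0.0
        wts["alpha"] = p["w_alpha_star"]  # penalize slip angle strongly
        axle["delta_diff"] = 0.0
        con["delta_rate"] = _narrow(con["delta_rate"], p["delta_rate_star"])
    else:
        raise ValueError(f"unknown fault category: {fault}")
    return cfg


if __name__ == "__main__":
    cfg = reconfigure(nominal_config(), "D4", "fl", f_r_star=0.3, r_star=0.25,
                      delta_fz=800.0, w_alpha_star=50.0,
                      delta_rate_star=(-0.2, 0.2))
    for name in WHEELS:
        print(name, cfg["wheels"][name]["model"])
```
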

IV. EVALUATION
The evaluation of the control approach in the presence of different degradation and failure types is conducted in simulation using the example of two single lane change reference trajectories, where Section IV-A describes the basic simulation set-up. Section IV-B demonstrates the fundamental pose tracking capability of the presented control approach and the reconfiguration measures outlined in Section III-E using the example of a dynamically undemanding single lane change at constant speed. In contrast, the decelerated single lane change investigated in Section IV-C enables the dedicated investigation of the approach in dynamically demanding driving scenarios.

A. EXPERIMENTAL SET-UP
The experiments are executed in a Matlab/Simulink-IPG CarMaker co-simulation environment. Based on the fundamental considerations presented in Sections III-B to III-E, we implement the control approach using the ACADO toolkit [62], [63] together with the qpOASES solver [64]. The controller runs with an average execution time of 1.9 ms to 6.7 ms on an Intel i7-6850K CPU (3.6 GHz). Thereby, the average execution time increases with the degree to which the controller is challenged by the combination of desired dynamics and severity of the specific degradation or failure. A similar relationship can be observed for the peak execution times, which can exceed the average execution times considerably. The considerably higher peak execution times could impede a potential real-time implementation, which, however, is not in the focus of the present work and is therefore not further addressed (cf. pre-text of requirement RQ 7).
We adapted the IPG CarMaker simulation environment [65], which features complex multi-body vehicle models, to our needs. The generic vehicle model was extended to enable the over-actuated capabilities of our experimental vehicle MOBILE [66] with four individually controllable steering, drive, as well as brake actuators, which is illustrated in Fig. 7. Moreover, we added the capability to simulate a freely running wheel without any applied forces and moments stemming from steering, brake, and drive using a model of Halfmann and Holzmann [67, pp. 35 sq.]. Thereby, the suspension is camber-free and the scrub radius is zero (r s = 0). The sum of mechanical and pneumatic trail t m + t p is in the range of 2 cm under normal driving conditions and can be close to zero under high tire force conditions. The simulation parameters, the control algorithm's weights, and its constraints are described in the Appendix.
Within the simulation environment, the tire dynamics are simulated by Pacejka's magic formula [68] using the MFeval toolbox [69]. Since tire properties change significantly after tire blowouts, we switch to a model of a blown-out tire. We neglect the transient behavior of the blowout process, as we assume a rapid blowout process in the order of a few hundred milliseconds as, e.g., determined in experiments by Blythe et al. [70]. We have adjusted the magic formula model such that the rolling resistance is increased by a factor of 30 after a tire blowout, whereas cornering stiffness, longitudinal stiffness, and radial stiffness are decreased by factors 0.25, 0.28, and 0.067, respectively [70,IV], [71,IV]. Additionally, the normal force rearrangement following a tire blowout due to the change in effective wheel radius is modeled according to Patwardhan [61, pp. 25 sqq.].

[Figure caption: Pose error ε = ε t , ε n , ε ψ with its tangential, normal, and yaw components ε t , ε n , and ε ψ . The figure is adopted from [72].]

B. SINGLE LANE CHANGE AT CONSTANT SPEED
First, owing to its undemanding dynamics, the single lane change reference trajectory illustrated in Fig. 9 allows examining the effects of the designated reconfiguration measures against failures F1 to F5 and degradation D4 within the fault tolerance approach. The nature of the trajectory is less suited to investigate fault tolerance against degradations D1 to D2, which are thus considered in Section IV-C.
The single lane change on a straight road with friction coefficients µ ij = 1 is executed at a constant speed of |v| = 50 km/h. After 0.75 s, the lane change sets in, yielding lateral accelerations of up to |â y | = 1.5 m/s² in both turns. Simultaneously, the faults are triggered at t F = 1 s, which

In our first experiment E1, whose results are illustrated in Fig. 10, we investigate the fault-free tracking of the single lane change at constant speed. The control approach tracks the reference trajectory closely. The maximum absolute longitudinal and lateral errors ε t,max and ε n,max are in the range of 10 cm, the maximum heading error ε ψ,max is below 1°. Fig. 10c and 10d reveal that the approach uses front steering angles with a magnitude of around 1° for creating the desired yaw motion, which are supported by counter-steering with smaller steering angles at the rear axle as well as differential torques at both axles.
The results of the fault-free trajectory tracking in experiment E1 serve as reference for experiments E2 to E41, which investigate the capabilities of the control approach to tolerate different manifestations of failures F1 to F5 and degradation D4 at the example of the constant-speed single lane change. Table 3 gives an overview of the resulting error metrics.
To begin with, the controller's behavior in presence of zero wheel torque (failure F1), an unintended wheel torque (failure F2), or a locked or spinning wheel (failure F3) is comparable, whereby the latter represent the extreme cases. Thus, the behavior is illustrated by means of the results of tracking the reference trajectory in presence of a locked front left wheel (experiment E10) in Fig. 11.
For the locked front left wheel, Fig. 11a shows that the controller is able to track the reference with and without control reconfiguration. Without reconfiguration, however, a permanent control deviation remains. The locked wheel causes an undesired deceleration as well as an undesired yaw moment, which both cannot be fully countered by the controller without proper reconfiguration. However, the remaining control deviation disappears when reconfiguring the controller according to the measures outlined in Section III-E. Then, the controller demands increased torques at the healthy wheels and increased steering angles at all wheels in order to compensate for both the undesired yaw motion and deceleration. Consequently, the control deviations of the reconfigured controller, which are depicted in Fig. 11b, are comparable to the results of the fault-free case in experiment E1.
Whereas failures F1 to F3 relate to brake and drive actuators, failures F4 and F5 relate to steering actuators. For unintended steering angles (failure F4), we investigate different failure manifestations corresponding either to unhandled faults or specific fault handling strategies. The small constant steering angles in experiments E14 to E25, for example, can be the outcome of a mechanical fault or an activated steering angle brake that locks the wheel in its current position shortly after fault occurrence, cf. e.g. [74]. The larger steering angles in experiments E26 to E33 may result from unintended steering torques that are large enough to drive the steering system into its mechanical end positions.
In general, Table 3 reveals that unintended steering angles are comparably challenging; even smaller constant steering angles can cause significant deviations from the reference trajectory. The outcomes of experiments E14 to E33 depend on the steering angle sign, steering angle magnitude, as well as the position of the affected wheel. Subsequently, we illustrate the effects at the example of different unintended steering angles at the front right wheel.
The controller is able to handle positive steering angles at the front right wheel, which invoke a yaw moment in the same direction as required for the first turn of the lane change.
As depicted in Fig. 12, the controller handles the positive steering angle δ fr = 5° = const. in experiment E19 with a control performance comparable to experiment E1. Even for the larger unintended steering angle δ fr = 30° = const., experiment E27 yields only slightly increased error metrics, cf. Fig. 13a and 13b. In experiment E27, small lateral deviations occur during the first turn of the lane change, which disappear in the second turn, whereas the controller's overall good control performance is achieved at the expense of a continuous heading angle error, which is around ε ψ ≈ −5°.
The corresponding sideslip angle β ≈ 5° results from small positive steering angles at the healthy three wheels as shown in Fig. 13d. Positive wheel torques at all four wheels primarily compensate for the deceleration induced by the large unintended steering angle. Additionally, they also invoke a small yaw moment that supports the effects of the steering angles.

[Figure caption fragment: yaw rate ψ and yaw rate reference ψ over time t encountered in experiment E35, which investigates the strategy to tolerate a front right steering system that is not able to produce steering torque at all. As intended, the steering angle of the front right wheel follows the yaw rate.]
Whereas positive steering angles at the front right wheel can be handled by the controller, it struggles to maintain the reference trajectory with negative steering angles at the same wheel, which invoke yaw moments that counteract the desired vehicle motion of the first turn of the lane change. Fig. 14a shows significant lateral deviations during the lane change for the unintended steering angle δ fr = −5° = const. in experiment E23, though the control deviation is eliminated eventually. A further increase of the front right steering angle to δ fr = −30° = const. (experiment E31) deteriorates the control performance drastically: the vehicle skids as Fig. 14b illustrates. For experiment E31, it is noteworthy that the vehicle does not skid without reconfiguration, though the outcome is equally unacceptable because of the significant pose deviations.
In contrast to unintended steering angles (failure F4), failure F5 describes a state where no steering torque at all can be applied by the steering system, be it due to a fault in the steering system, due to a corresponding fault handling strategy, or broken steering mechanics. The error metrics of experiments E34 to E37 in Table 3 show results that are very close to those of the fault-free case in experiment E1. Compared to small constant unintended steering angles, which are a potential strategy for handling faults in single-wheel steering systems [74], the resulting error metrics demonstrate a slightly better performance. This result indicates that it could be worth taking a closer look at torque-free steering actuators as a potential fault handling strategy for fail-safe single-wheel steering systems. However, the corresponding experiments in Section IV-C yield significant deviations from the dynamically demanding reference trajectory and, therefore, demonstrate that such a strategy is not applicable in every case. Hence, a torque-free steering actuator as a fail-safe strategy must be thoroughly argued. Please note that the same applies to a steering angle brake as fail-safe strategy, where already small constant steering angles yield significant deviations from the reference in the more demanding experiments of Section IV-C.
For experiment E35, where the front right steering actuator is torque-free, Fig. 15 illustrates that the wheel's steering motion without intentionally applied steering forces follows the lateral vehicle motion. Until fault occurrence at t F = 1 s, front right and front left steering angles match. The loss of the front right steering torque at t F leads to a loss of lateral force at the wheel and, thus, at first to a drop of the vehicle's yaw rate ψ. After the fault detection and isolation time t FDI = 0.2 s, the reconfiguration measures yield an increased use of the front left steering angle compared to the fault-free case depicted in Fig. 10d. At the same time, the yaw rate slightly overshoots the reference yaw rate in order to compensate for the heading angle error caused by the missing lateral force. In its course after t F , the front right steering angle δ fr correlates with the yaw rate ψ. Still, as can be observed for instance at the zero-crossing of the yaw rate ψ and the steering angle δ fr around t = 2.6 s, a small delay remains due to damping effects in the steering system (e.g., inertia, friction, and cogging torque of the steering motor).
Experiments E38 to E41 investigate fault tolerance against tire blowouts for the single lane change at constant speed. The corresponding error metrics in Table 3 are only slightly increased compared to those of experiment E1. Fig. 16 displays the resulting wheel slip angles α ij in presence of a blowout of the rear right tire. As intended with the reconfiguration measures targeting tire blowouts (see Section III-E), the wheel slip angle α rr of the blowout-affected wheel is significantly reduced compared to the other slip angles. Otherwise, the course of α rr over time t would be analogous to the course of α rl , which would increase the probability of a tire-rim separation. The controller uses primarily the rear right steering angle δ rr to eliminate the rear right slip angle α rr . The effects of the tire blowout on the vehicle motion, particularly the deceleration and yaw moment induced by the increased rolling resistance, are compensated by the steering and drive actuators of the remaining ''healthy'' wheels. Apart from δ rr , the courses of wheel torques and steering angles correspond qualitatively to those of the locked wheel shown in Fig. 11, yet with smaller magnitudes, so we omit their depiction.
Altogether, the experiments with the constant-speed single lane change reference trajectory demonstrate the ability of the control approach to tolerate the desired range of degradations and failures. Still, a few experiments come with significant

[Figure caption: Trajectory of the decelerated lane change without degradation or failure, yet with a heading reference ψ that points continuously in x-direction. This adapted reference trajectory demonstrates the capabilities of actively setting a sideslip angle reference β demanded by requirement RQ 3 through using the portion ψ + of ψ, cf. Section III-D. Again, the vehicle follows the reference poses with small longitudinal and lateral position errors ε t and ε n as well as with a small heading error ε ψ .]
(x ≈ 22.04 m, y ≈ 0.1 m) in Fig. 17a. Likewise, we again assume a fault detection and isolation time of t FDI = 0.2 s before the controller is reconfigured after a fault. Table 4 displays the error metrics of selected degradations and failures, especially those affecting the wheels at the front axle. For the chosen lane change trajectory, these are more critical due to the weight shift to the front caused by the deceleration, which increases the normal forces and, thus, amplifies the impact of degradations or failures. Experiment E42 in Table 4 represents the fault-free case depicted in Fig. 18, which again serves as a reference for the other experiments. Fig. 18 illustrates that the control approach tracks the reference closely if no fault is present in the system. Overall, the pose error is small. The tangential error ε t and the normal error ε n are in the order of a few tens of centimeters and the heading error ε ψ is close to 0°, cf. Fig. 18b. Very similar results can be observed when adapting the reference trajectory such that it demands significant sideslip angles β ≠ 0. Fig. 19 illustrates this supplemental experiment. We changed the heading angle reference ψ to point permanently into the x-direction (ψ = ψ t + ψ + = 0), whereas the course demanded by the reference trajectory remains unchanged. Consequently, the approach features the ability to explicitly set a sideslip angle reference as demanded by requirement RQ 3.
The further experiments show that the approach is able to handle several degradation and failure types even for the demanding lane change, albeit not all of them. However, the failed experiments can be explained by the nature of the vehicle motion demanded by the reference trajectory and the specific degradation or failure type. Consequently, these investigations are particularly interesting as they can serve as an indication about the suitability of fault-tolerant control approaches in general.
Experiments E47, E48, E51 to E57, E59, E60, E63, E64, E69, and E70 result in pose errors that are comparable to those in experiment E42 without degradation or failure. The degradations considered in experiment E53 to E56 leave sufficient deceleration and yaw capability, which the controller exploits for tracking the reference trajectory closely. Unlike these degradations, the failures considered in experiments E51, E52, E57, E59, E60, E63, E64, E69, and E70 invoke yaw moments and decelerations that directly support the desired vehicle motion in the first turn of the lane change and that the controller can control in the second turn. As an example, Fig. 20 illustrates the trajectory of tracking the reference in presence of a constant steering angle δ fr = 30° at the front right wheel (experiment E64).

[Figure caption: The control vehicle follows the reference with pose errors comparable to the fault-free case despite the significant failure of the steering system. The peaks of wheel torques τ ij right after t = t F is the transient response to the reconfiguration. In the second half of Fig. 20c and 20d, it can be observed that the front left steering actuator is used to create a counter-acting yaw moment, which is supported by the wheel torques. Furthermore, the wheel torques are used to overcome the deceleration caused by the turned wheel.]
In contrast to the experiments with small pose errors, several experiments yield pose errors that deviate significantly from those of experiment E42. These are, for one, experiments E58, E61, E62, E65, and E66, where a constant, mostly negative steering angle counteracts the desired vehicle motion especially at higher speeds during the first few seconds of the experiments. For another, in experiments E43 to E46, E49, E50, E67, and E68, the degradation, the failure, or the corresponding reconfiguration strategy reduces the total longitudinal deceleration capability of the vehicle such that the capability falls well below the demanded deceleration â x = −7 m/s². During these experiments, the controller is frequently not able to track the reference at all, while fewer experiments feature significant overshoots during the lane change before stabilizing on the reference.
The results of the fault-tolerating experiments with the dynamically demanding reference trajectory reveal that the suitability of fault-tolerant vehicle motion control depends on the actual driving scenario. Within a scenario, the combination of the demanded dynamics and the type and location of the degradation or failure is an important factor, which can be illustrated by means of the error metrics of experiments E43 and E51 in Table 4. For experiment E43, the metrics unveil that the torque-less wheel causes unstable vehicle behavior. In contrast, the controller is able to track the trajectory in presence of the locked wheel in experiment E51. Obviously, the locked wheel supports the desired vehicle motion, whereas the torque-free wheel at the front axle reduces the vehicle's deceleration capability excessively. Though, in another scenario, e.g., where a reference trajectory requires acceleration, the locked wheel counteracts the desired vehicle motion and, thus, is disadvantageous.
Furthermore, acceptably ''safe'' deviations from the reference trajectory are scenario-dependent as they are directly linked to the vehicle's environment. This dependency can be shown by experiments with a significant overshoot during the lane change. As Fig. 21 illustrates, the controller is eventually able to track the trajectory in experiment E61, where the front left steering angle is fixed at δ fl = −5°. Still, the vehicle temporarily leaves the road after changing lanes, which is reflected in the maximum tangential and normal errors of ε t,max = 1.31 m and ε n,max = 1.42 m, which could be acceptable on a wider lane. At the same time, this result shows that stability is a necessary yet not a sufficient prerequisite for the use of fault-tolerant vehicle motion control.
Overall, the presented control scheme can be used to investigate the range of degradation and failure types found in literature. The experiments indicate that fault-tolerant vehicle motion control cannot be used for arbitrary applications. Rather, the use of fault-tolerant vehicle motion control must be well-argued for a given application in combination with a set of permissible degradation and failure types defined in the design phase of an automated driving system.

V. CONCLUSION AND OUTLOOK
The fault-tolerant vehicle motion control scheme presented in this paper demonstrates that a plethora of different degradation types can be handled by a single control approach for an over-actuated vehicle. The control target of tracking a temporal sequence of reference poses is another novelty in the context of fault-tolerant vehicle motion control. The evaluation at the example of two differently demanding lane change maneuvers illustrates, on the one hand, that the approach can handle actuator degradations, actuator failures, and tire blowouts in dynamically demanding scenarios. On the other hand, the evaluation also shows that fault-tolerant vehicle motion control is subject to limitations. The experiments indicate that the limitations' criticality strongly depends on the specific scenario, particularly on the combination of the demanded dynamics, the actual failure or degradation, as well as circumstances in the vehicle's environment.
The control scheme in general presents itself as suitable for our goal of evaluating safety strategies that replace physical redundancy at the actuator level with functional redundancy at the vehicle level by means of fault-tolerant motion control. However, the validity of the presented results is surely bounded by the quality of the simulation and some idealized assumptions. Therefore, our future research aims at improving the simulation environment. Improved models for sensors and actuators will allow for investigating the influence of measurement noise and more realistic actuator behavior after faults, e.g., modeling the wheel speed-dependent drag torque of synchronous drive motors, cf. i.a. [75]. The same applies to the tire blowout model, which is arguably the less dependable part of the simulation due to a lack of available well-tried models. Apart from model improvements, the robustness against parameter uncertainty and external disturbances should be further explored since they have only been investigated partially. Similarly, an analysis of numerical influences, e.g., by comparing different solvers, would contribute to the results' validity.
Another relevant aspect for a real-world implementation is the integration of the fault-tolerant vehicle motion control approach with a fault detection and isolation functionality, which was hitherto taken for granted in our research. In this regard, the influence of the fault detection and isolation time as well as the required parameter estimation accuracy corresponding to the degradations and failures on the control quality are interesting.
Moreover, the validity of the results would benefit from real-world experiments. Current work indicates that the presented control approach could run on a dSPACE MicroAutobox II. Here, the handling of the optimization's execution time peaks that exceed the available cycle time is the biggest challenge. In parallel, we are developing a less computationally intensive fault-tolerant vehicle motion control approach, which evolves the force allocation approach of Roppenecker [18], [19] and Moseberg [20] towards pose tracking and tolerating a similar range of degradation types as the approach presented in this paper.
Finally, future research should take a safety engineering perspective. This expands on the insight that the suitability of fault-tolerant vehicle motion control is strongly dependent on the set of driving scenarios that a vehicle can encounter. Hence, an argumentation is required that a fault-tolerant motion control approach in combination with a set of safety strategies at the actuator level ensures safe behavior of the vehicle in any relevant scenario. In this context, we currently evolve an approach to create a set of reference trajectories [72] that represents the regular vehicle motion within a given operational design domain.

APPENDIX
See Tables 5 and 6.