Admissible model matching fault tolerant control based on LPV fault representation

In this paper, an approach to design an Admissible Model Matching (AMM) Fault Tolerant Control (FTC) based on Linear Parameter Varying (LPV) fault representation is proposed. The main contribution of this approach is to consider the fault as a scheduling variable that allows the controller reconfiguration online. The fault is expressed as a change in the system dynamics (in particular, in the model parameters). The suggested strategy is an active technique that requires the fault to be detected, isolated and estimated by the FDI scheme. In case the fault estimation is not available, a passive strategy based on a single AMM FTC controller could be designed. The FTC controller is designed using LMI regional pole placement. The effectiveness and performances of the method have been illustrated in simulation considering a thermal hydraulic system.


INTRODUCTION
Fault Tolerant Control (FTC) is a new idea recently introduced in the research literature (Blanke et al., 2003) which makes it possible to keep current performance close to the desired performance and to preserve stability conditions in the presence of component and/or instrument faults. The accommodation capability of a control system depends on many factors, such as the severity of the fault, the robustness of the nominal system and the mechanisms that introduce redundancy in sensors and/or actuators. Generally speaking, FTC systems can be categorized into two main groups: active and passive. Passive FTC techniques are control laws that take the fault appearance into account as a disturbance. A passive FTC technique is designed considering a set of presumed fault modes. The resulting control system performance tends to be conservative, and the technique is also limited in dealing with unanticipated faults. In Chen et al. (1998), among many others, a complete description of the passive FTC approach can be found. On the other hand, active FTC techniques consist of adapting the control law using the information given by the Fault Detection and Isolation (FDI) block (Blanke et al., 2003). With this information, some automatic adjustments are made to try to reach the control objectives. Active FTC is characterized by an on-line FDI scheme and an automatic control reconfiguration mechanism. Two main potential advantages of active FTC are: 1) the ability to deal with previously unknown faults with explicit fault diagnosis and controller reconfiguration; and 2) the possibility of achieving optimal performance. However, the price to pay for these features is that the overall system becomes more complicated (Zhang and Jiang, 2006).

Fault accommodation has been addressed in the literature considering many different control objectives and using many different solution techniques. The interested reader can see Zhang and Jiang (2008) and Noura et al. (2009) for a recent review. In model matching approaches, the control objective is defined in terms of the similarity of the closed-loop system matrix of the accommodated system to a given reference. In the Pseudo-Inverse Method (PIM) (Ostroff, 1985), a model matching formulation provides a solution that minimizes a distance between the closed-loop matrices of the accommodated and the nominal systems. An exact model matching can be obtained in particular cases, but in the general case the optimality of the obtained solution does not guarantee stability. The Admissible Model Matching (AMM) approach was initially proposed in Staroswiecki (2005a) and later extended in Staroswiecki (2005b). The main idea is to search for the solution in a set of closed-loop behaviors that are considered admissible for the accommodated system, instead of finding the best approximation to an ideal one.

This paper proposes the development of an AMM FTC approach for LTI plants subject to faults that makes it possible to specify the set of admissible faults that the controller is able to tolerate with an admissible degradation. This is one of the contributions of the paper. The fault effect can be modeled either as a parametric uncertainty or as a scheduling variable that should be estimated on-line. If the fault is considered as a scheduling variable, the faulty plant can be treated as an LPV system. Then, an active FTC strategy can be designed using LPV control theory; it requires the fault to be detected, isolated and estimated by the FDI scheme and the controller to be redesigned accordingly. This is the second contribution of this paper. On the other hand, if the fault effect cannot be estimated because the FDI system is unavailable, the fault effect can be considered as a parametric uncertainty and a passive FTC strategy can be used instead.

Revision
The main idea of AMM FTC approach proposed in Staroswiecki (2005a) is that instead of looking for a controller that provides an exact (or best) matching to a given single behavior after the fault appearance, a family of closed-loop behaviors that present an acceptable is specified.
In order to recall the principle of Admissible Model Matching, let us consider an LTI system that can be expressed as It is assumed that the nominal behavior is characterized by a given pair of matrices $(A_n, B_n)$, that the fault affects the system in such a way that the post-fault behavior is characterized by a different pair $(A_f, B_f)$, and that a classical state feedback control law is considered u Moreover, let us assume that for the nominal system operation a state feedback gain $K_n$ that satisfies some nominal control specifications has been obtained. Then: (3) and $M^*$ is known as the reference model.
For faulty operations, a set of matrices $\mathcal{M}$ is defined such that any solution of $x(k+1) = M x(k)$, $M \in \mathcal{M}$ (4) is admissible, i.e. it has acceptable dynamic behavior. The set $\mathcal{M}$ is a family of closed-loop behaviors that are acceptable. This set is defined off-line. Depending on the problem, $\mathcal{M}$ can be defined independently or by specifying a neighborhood of a given optimal behavior $M^*$ such that the performance degradation is guaranteed not to exceed a certain level. The set $\mathcal{M}$ must contain only stable matrices.
For a given fault $(A_f, B_f)$, the goal of the fault accommodation is to find a feedback gain $K_f$ that provides an admissible closed-loop behavior: Fig. 1 summarizes graphically the operating principle of fault accommodation using approximate model matching.
The nominal controller $K_n$ can be designed to provide an optimal closed-loop behavior $M^*$ for the nominal system $(A_n, B_n)$. When a fault appears, the system behavior changes to $(A_f, B_f)$ and this situation will be identified by the FDI module. Then, accommodation is achieved by calculating a new feedback gain $K_f$ to maintain an acceptable closed-loop behavior in $\mathcal{M}$.
In Staroswiecki (2005b), a characterization of $\mathcal{M}$ in terms of inequality constraints is proposed where $\Phi : \mathbb{R}^{n \times n} \to \mathbb{R}^{d}$ is a given vector function. It is proved that the solution can then be found by solving the constrained optimization problem: subject to: $\Phi(M) \leq 0$ with where $a_f^i$ and $m^i$ are respectively the $i$-th columns of $A_f$ and $M$. In the case that the solution $M_f$ satisfies $J(M_f) = 0$, the fault is recoverable and the new feedback gain can be calculated The AMM approach can be extended to the tracking problem by adding an integrator in order to eliminate steady-state errors. The use of integral control eliminates the need to catalog nominal values or to reset the control. Rather, the integral term can be thought of as constantly calculating the value of the control required at the set point to cause the error to go to zero. To accomplish the design of the feedback gains for the integral and the original state vector, an augmented model is proposed by Franklin et al. (1997). The augmented model can be determined with the state $x_I(k)$ and the integral error, $e(k) = y(k) - r(k)$. The discretized integral is implemented as a summation of all past values of $e(k)$, which results in the difference equation: ) where $r(k) \in \mathbb{R}^{n_r}$ and the augmented model can be expressed: where $x(k) \in \mathbb{R}^{n_x + n_r}$ is the augmented state vector.
Then, the control law is: where N x = C T I.

Recoverability
Let the fault tolerance control specification be defined by a subset of faults $f \in F$ that must be tolerated. Thus, the whole set of fault models that must be handled by the controller can be specified as follows recalling that the pair $(A_f, B_f)$ denotes the change of system matrices due to the fault $f$ that acts as parameter.
It follows from the definition of admissibility that $(A_f, B_f)$ is recoverable if and only if the set: (15) and the FTC specification can be met if and only if (Staroswiecki, 2006):

Motivation
The goal of the AMM FTC is to maintain acceptable control performance in the presence of the pre-established set of faults. When the AMM approach is combined with an active strategy, once a fault has appeared, its magnitude will be estimated by the FDI module and the controller will be adapted accordingly (accommodation), trying to maintain acceptable performance. This leads to the control structure shown in Fig. 2, which can be viewed as equivalent to a gain-scheduling control structure where the fault $f$ is the scheduling variable and the FDI module is the parameter estimation algorithm. This suggests that gain-scheduling LPV theory can be used for the design of active AMM FTC. Moreover, this approach can be applied to systems whose behavior can be represented by an LPV model. Then, the controller must be adapted not only according to faults but also according to the operating conditions. If the FDI module is not available, a passive FTC approach should be used and a single (robust) controller should be designed to maintain acceptable performance for the whole set of admissible faults.

Admissible fault definition
According to the previous discussion, let us consider the system (11) and its LPV representation using the fault $f$ as the scheduling variable: Note that $f = 0$ corresponds to the fault-free case while $f \neq 0$ corresponds to the faulty case. Let us assume that the matrices in (17) vary affinely in a polytope with the fault (Apkarian et al., 1995).
In particular, the state-space matrices range in a polytope of matrices defined as the convex hull of a finite number $N$ of matrices ($N = 2^{n_f}$), where $n_f$ is the number of faults. Each polytope vertex corresponds to a particular value of the scheduling variable $f$. In other words, with $\alpha_j(f) \geq 0$ and $\sum_{j=1}^{N} \alpha_j(f) = 1$. Consequently, the LPV system (17) can be expressed as: where $\alpha_j(f) = \alpha_j(f(k), k)$ and $f(k)$ is the value of $f$ at the sample $k$ (see, e.g., Rodrigues et al. (2005) for more details about the LPV polytopic representation). Here $\bar{A}_j$ and $\bar{B}_j$ are constant matrices defined for the $j$-th model, where each model is an admissible fault representation.
The polytopic system is scheduled through functions designed as follows: $\alpha_j(f)$, $\forall j \in [1, \ldots, N]$ that lie in a convex set: There are several ways to implement (18) depending on how the $\alpha_j(f)$ functions are defined (Murray-Smith and Johansen, 1997). Here, the approach in Baranyi et al. (2003) is used: The polytopic formulation in (18) assumes that the effect of faults is included in the model through scheduling parameters ] that evolve within known bounds: $\underline{f}_j \leq f_j(k) \leq \overline{f}_j$, $j = 1, \ldots, n_f$. From a practical point of view, these bounds can be prespecified to define the subset of the possible faults that must be tolerated by the FTC system. Note that it is possible that the control performance specified through $\mathcal{M}$ cannot be satisfied over the whole range of faults defined by $[\underline{f}_j, \overline{f}_j]$. In this case, either the performance requirement must be relaxed (a less restrictive $\mathcal{M}$) or the range of tolerable faults must be reduced.

AMM FTC design using LMI pole placement
According to Chilali and Gahinet (1996), a disk LMI region called $D$, included in the unit circle, with an affix $(-q, 0)$ and a radius $r$ such that $(q + r) < 1$ is fixed. These two scalars $q$ and $r$ are used to determine a specific region included in the unit circle. The LMI region can be expressed as follows: where $A_{0,j}$ is the state matrix of $x(k+1) = A_{0,j} x(k)$ for the $j$-th model. $A_0$ is stable if and only if there exists a symmetric matrix such that $X = X^T > 0$. A well-chosen LMI region is needed to ensure stability and good results: the parameters $q$, $r$ have to be defined by the engineer.
For each model, $A_{0,j}$ is defined as: Thus, the inequalities can be written as follows: for all $j \in [1, \ldots, N]$. Thus, by substituting $W_j = \bar{K}_j X_j$ it can be shown that: The design procedure boils down to solving the LMI (25), and then determining the set of gains $\bar{K}_j = W_j X_j^{-1}$. Finally, the active AMM FTC control law is given by: where $\bar{K}_j = [K_{I,j} \; K_j]$ and $\bar{G}_j = K_j N_x$. Note that the evaluation of (26) just requires the computation of $\alpha_j(f)$ according to (21) and the solutions of the LMIs (25). Due to the simplicity of this computation, the real-time implementation of the controller reconfiguration is possible.
If the FDI module is not implemented, a passive FTC control law can analogously be obtained by pole placement of the closed-loop system for all admissible faults of the models $j \in [1, \ldots, N]$ in the LMI region, defining $A_{0,j}$ as: Proceeding in the same way as in the case of (23), but substituting $W = \bar{K} X$, it is possible to obtain: The design procedure boils down to solving the set of $N$ LMIs (28) and determining $\bar{K} = W X^{-1}$. Finally, the gain $\bar{K}$ is used to calculate the control law: where $\bar{K} = [K_I \; K]$ and $\bar{G} = K N_x$.

Process description
The FTC approach has been applied to a thermal hydraulic system (see Fig. 3). The goal of the process is to assure a constant water flow rate $Q_0$ with a given controlled temperature $T_0$.

Fig. 3. Thermal Hydraulic System
The process is composed of a tank equipped with two heating resistors $R_1$ and $R_2$. The inputs are the water flow rate $Q_i$, the water temperature $T_i$ and the heater electric power $P$. The outputs are the water flow rate $Q_0$ and the temperature $T$, which is regulated around an operating point. The temperature of the water $T_i$ is assumed to be constant.
The system can be represented by the following equations: 0.6 . The system (30) is linearized around the operating point given by $q_{in}^{op} = q_{out}^{op} = \alpha h^{op}$, $P^{op} = \mu C (q_{in}^{op})(T^{op} - T_i)$, $T^{op} = 50\,^{\circ}$C, $h^{op} = 0.6$. In this example, the level of the water $h$ is used instead of the water flow rate $Q_0$ to obtain the linear model. With the previous conditions, the linear system in the fault-free case can be specified by: with: Let us consider a sampling time equal to $T_s = 360$ s; the system (30) in discrete time can then be defined by: where $A = T_s A_c + I$ and $B = T_s B_c$ using the Euler approximation.
The augmented model in the fault-free case can be determined as the closed-loop fault-free system (11): : The considered faults are expressed as a change in the system dynamics (32), i.e. changes in the parameters of $A$ and $B$: In this application example, only one fault at a time has been considered to illustrate the effectiveness of the proposed strategy. However, it can also be applied to multiple faults.
The desired closed-loop poles of the controller are: , 2, 3, 4] Finally, for the AMM method it is necessary to specify the set of admissible closed-loop behaviors. In this example, a closed-loop behavior is considered admissible if the eigenvalues lie in a disk centered at 0.3 with a radius of 0.3, which corresponds to a 30% degradation of the nominal closed-loop behavior: ) In order to show the effectiveness of the proposed approach, passive and active FTC AMM controllers will be compared with a nominal controller designed using pole placement tools.

Set of admissible faults
To determine the set of admissible faults for a given controller and a given set of admissible models $\mathcal{M}$, the AMM FTC design procedure is applied by iteratively increasing the fault size. The maximum admissible fault size is reached when the AMM FTC design problem has no solution.
Nominal controller: The nominal controller is designed using standard pole placement tools considering the augmented model (33) and the desired poles (34). Then, the parameters of the control law (12

Before synthesizing the passive and active FTC controllers, the maximum fault size under which the closed-loop response is still acceptable when using the nominal controller is evaluated. In Blanke et al. (2003), a theoretical method is proposed for the case of LQR control, this being an open issue for other types of control. In this paper, the maximum admissible faults (those that lead to a desired closed-loop response, shown in Table 1) have been computed by an iterative process based on increasing the fault size and checking the admissibility, as discussed before. In this table, an interval or the maximum admissible fault in each parameter of matrices $A$ and $B$ is presented. For example, in the nominal controller case $a_1 \in [0.81, 0.99]$. In this table, "no limits" corresponds to the case in which the FTC system performance is admissible for any fault size.
Finally, the obtained closed-loop pole migration is drawn in Fig. 4, where the desired region $D_\alpha$ is also represented.
Table 1. Admissible faults: They are presented as the maximum possible variation of each parameter that leads to a desired closed-loop response.
Passive Controller: For comparison with the nominal controller, a passive AMM FTC has been designed using the method presented in Section 3.3 using the LMI region (25) with one possible fault, $n_f = 1$, and therefore $N = 2$ vertices. In this case, the LMIs (25) are defined considering the vertex matrices: The parameters $q$ and $r$ are defined by the set $\mathcal{M}$ in (34).
The maximum admissible fault size is evaluated using the procedure based on iteratively redesigning the control law by incrementing the fault and reevaluating admissibility. The results of this process are shown in Table 1, while the evolution of the closed-loop poles as the fault size varies for each parameter is shown in Fig. 5.

Active Controller: Active AMM FTC has been designed using the method presented in Section 3.3 using the same LMI (28) and vertex matrices as in the passive case. It is assumed that the FDI module is ideal, providing a perfect fault magnitude estimation.
As in the case of the nominal and passive controllers, the maximum admissible fault size is evaluated by iteratively redesigning, incrementing the fault and reevaluating admissibility. The results of this process are shown in Table 1 where the closed-loop poles evolution varying the fault size for each parameter. The pole migration for different fault sizes of $f_{a1}$, $f_{a2}$ and $f_{b2}$ is the same as that shown in Fig. 5(c), while that for $f_{b1}$ and $f_{b3}$ is drawn in Fig. 6.

Comparison: Analyzing the results of Table 1 corresponding to the interval of admissible faults that achieve the desired objectives (34), the following conclusions can be drawn: The nominal controller is designed for the fault-free system. Therefore this controller accepts less variation in the parameters of matrices $A$ and $B$ than the two others. On the other hand, the active controller allows parameters $a_1$, $a_2$ and $b_2$ to vary without limits, while parameters $b_1$ and $b_3$ can vary in a larger interval than with the nominal and passive controllers.
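The iterative admissibility search described in this section, combined with the scheduled gain $\sum_j \alpha_j(f) K_j$ of the active law, can be sketched as follows. This is an added example, not code from the paper: the second-order companion-form plant, the fault bounds and the desired poles are constructed values, direct pole placement stands in for the LMI design of the vertex gains, and all function names are hypothetical.

```python
import cmath

CENTER, RADIUS = 0.3, 0.3   # admissible disk from the page's example
DESIRED = (0.09, -0.6)      # constructed: z^2 - 0.6 z + 0.09 = (z - 0.3)^2
F_LO, F_HI = 0.0, 0.4       # constructed bounds of the fault range to tolerate
B = (0.0, 1.0)              # constructed input vector (companion form)

def plant(f):
    """Constructed faulty plant A(f): the fault shifts one parameter of A."""
    return ((0.0, 1.0), (-(0.5 + f), 1.2))

def weights(f):
    """Polytopic weights alpha_1(f), alpha_2(f) for one fault (N = 2 vertices)."""
    a1 = (F_HI - f) / (F_HI - F_LO)
    return (a1, 1.0 - a1)

def place(A):
    """Vertex gain by direct pole placement, a stand-in for the LMI design.
    Valid only for a companion-form A with B = (0, 1)."""
    p0, p1 = DESIRED
    return (p0 + A[1][0], p1 + A[1][1])

def closed_loop(A, K):
    """M = A - B K for the state feedback u = -K x."""
    return tuple(tuple(A[i][j] - B[i] * K[j] for j in range(2)) for i in range(2))

def eigenvalues(M):
    """Eigenvalues of a 2x2 matrix from its trace and determinant."""
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    root = cmath.sqrt(tr * tr / 4.0 - det)
    return (tr / 2.0 + root, tr / 2.0 - root)

def admissible(M):
    """M is admissible when every eigenvalue lies strictly inside the disk."""
    return all(abs(lam - CENTER) < RADIUS for lam in eigenvalues(M))

def scheduled_gain(f, vertex_gains):
    """Active law: K(f) = sum_j alpha_j(f) K_j, with f assumed perfectly estimated."""
    return tuple(sum(a * K[i] for a, K in zip(weights(f), vertex_gains))
                 for i in range(2))

def max_admissible_fault(gain_of_f, step=0.02):
    """Grow the fault until admissibility is lost; return the last admissible size."""
    last, n = None, 0
    while n * step <= F_HI + 1e-12:
        f = n * step
        if not admissible(closed_loop(plant(f), gain_of_f(f))):
            break
        last, n = f, n + 1
    return last

K_NOMINAL = place(plant(0.0))
VERTEX_GAINS = (place(plant(F_LO)), place(plant(F_HI)))

def compare():
    """Largest admissible fault for the fixed nominal gain and the scheduled gain."""
    fixed = max_admissible_fault(lambda f: K_NOMINAL)
    active = max_admissible_fault(lambda f: scheduled_gain(f, VERTEX_GAINS))
    return fixed, active

if __name__ == "__main__":
    print(compare())
```

With these constructed values the fixed nominal gain loses admissibility once the closed-loop poles $0.3 \pm i\sqrt{f}$ leave the disk, whereas the scheduled gain keeps the closed loop at the reference behavior over the whole fault range because the plant and the gain are both affine in the weights.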

Result of simulations
To illustrate the effectiveness of the proposed AMM FTC approach, a fault in the parameter $a_1$ of matrix $A$ has been simulated. In this case, the temperature response does not show significant changes. In the following, only the results corresponding to the level response will be analyzed. The active and passive AMM FTC are designed using the fault-free matrices $B$ and $C$ given in (33), and matrix $A$ is in the polytope of matrices defined by (35). Table 2 shows the admissible values of the parameters of (35) and the fault magnitude. The first scenario ($a_1^f = 0.98$) is shown in Fig. 7(a): the fault is admissible for all controllers and their temporal responses are similar. Fig. 7(b) shows the second scenario ($a_1^f = 1.53$), where the fault affects the performance of the nominal and passive controllers since this fault is outside their interval of admissible faults. For the third fault ($a_1^f = 1.8$), Fig. 7(b) shows that the nominal and passive controllers cannot stabilize the faulty system. On the other hand, the active controller achieves the desired performance. To select between the passive and active approaches, it is necessary to analyze the admissible faults (Table 2). For example, if the system admits 20% of degradation, according to Table 2, the passive FTC controller is sufficient. But if the system requires 50% of degradation, the active FTC controller should be used.
CONCLUSIONS
In this paper, a new approach to design an AMM FTC has been proposed based on LPV fault representation. The active AMM FTC uses an LPV controller where the scheduling variables are the faults. Under these assumptions, the advantage of the approach is that it allows the controllers to be redesigned online by using a set of pre-established admissible faults. When the fault lies in this admissible interval, the system can be recovered with the desired performance.
If the fault estimation is not available, a passive AMM FTC approach can be used following the same ideas as the active version. The passive approach determines a single controller that is able to cope with the set of considered admissible faults. The drawback is that the size of the admissible faults is smaller compared to the active case. The AMM FTC controllers are designed such that admissible closed-loop behavior of the faulty plant is guaranteed by specifying a $D$ region using LMI pole placement to design the gain of the controller. As future work, this approach will be designed for non-linear systems.

Fig. 2. AFTC for LPV systems where f (k) represents the fault magnitude estimation provided by FDI module.
$\mu_{m,2} = 1 - \mu_{m,1}$ where $\overline{f}_m^{\,j}$ and $\underline{f}_m^{\,j}$ represent the upper and lower bounds of $f_m$, respectively, and $v$ is the number of scheduling variables (fault modes).
(a) Parameters of matrix A. (b) Parameters of matrix B.

Fig. 4. Closed-loop pole migration for different fault sizes for nominal controller. The maximum admissible fault is shown in Table 1.
(a) Fault $f_{a1}$ or $f_{a2}$ (b) Fault $f_{b1}$ (c) Fault $f_{b2}$ (d) Fault $f_{b3}$

Fig. 5. Closed-loop pole migration for different fault sizes for passive controller. The maximum admissible fault is shown in Table 1.
(a) Fault $f_{a1}$ or $f_{a2}$ (b) Fault $f_{b1}$ (c) Fault $f_{b2}$ (d) Fault $f_{b3}$

Fig. 6. Closed-loop pole migration for different fault sizes for active controller. The maximum admissible fault is shown in Table 1.
(a) Fault $f_{b1}$ (b) Fault $f_{b3}$

Level of the water response with fault in $k = 40 T_s$. The fault parameter of: (a) $a_f = 0.981$, (b) $a_f = 1.53$ and (c) $a_f = 1.8$