
Supervisory fault tolerant control for a class of uncertain nonlinear systems


Automatica 45 (2009) 2319–2324


Brief paper


Hao Yang a, Bin Jiang a,∗, Marcel Staroswiecki b

a College of Automation Engineering, Nanjing University of Aeronautics and Astronautics, 29 YuDao Street, Nanjing, 210016, China

b SATIE, ENS Cachan, USTL, CNRS, UniverSud, 61 avenue du Président Wilson, 94235 Cachan Cedex, France

Article info

Article history: Received 1 August 2008; Received in revised form 28 May 2009; Accepted 9 June 2009; Available online 31 July 2009

Keywords: Fault detection and isolation; Fault tolerant control; Nonlinear systems; Switching control

Abstract

This paper focuses on the design of a unique scheme that simultaneously performs fault isolation and fault tolerant control for a class of uncertain nonlinear systems with faults ranging over a finite cover. The proposed framework relies on a supervisory switching among a family of pre-computed candidate controllers without any additional model or filter. The states are ensured to be bounded during the switching delay, which ends when the correct stabilizing controller has been selected. Simulation results about a flexible joint robotic example illustrate the efficiency of the proposed method.

© 2009 Elsevier Ltd. All rights reserved.

1. Introduction

Fault detection and isolation (FDI) is aimed at detecting and isolating faults while fault-tolerant control (FTC) guarantees the system goal to be achieved in spite of faults, see Blanke, Kinnaert, Lunze, and Staroswiecki (2006) for an ontology of the field. Very few papers consider the effect of time delays due to FDI and FTC on the stability of the system. When a fault occurs, the faulty system works under nominal control until the fault is detected, isolated and fault accommodation is performed, which may cause severe loss of performance and stability. In Shin and Belcastro (2006) the effect of the FDI delay is analyzed for linear systems and an upper bound of such effect is provided. Our previous work (Staroswiecki, Yang, & Jiang, 2007) develops a progressive accommodation scheme to reduce the loss of performance resulting from the FTC delay.

This paper addresses the FDI and FTC issues for a class of uncertain nonlinear systems. The explicit robust FTC design can be found in the literature (Mhaskar, 2006; Tang, Tao, & Joshic, 2007; Yang, Cocquempot, & Jiang, 2009b) etc. We assume that the plant model belongs to a pre-specified set of models including the nominal situation and all possible faulty situations, and that there exists a finite family of candidate controllers such that each plant model in the set is stabilized by at least one of these candidate controllers. We propose a supervisory FTC approach which has two novelties: (1) The functionality of the system operation is preserved throughout the FDI/FTC process; (2) A series of models or filters for FDI is not required. The proposed scheme integrates fault isolation and FTC by using a simple controller switching scheme.

This work is partially supported by National Natural Science Foundation of China (60874051, 60811120024), Natural Science Foundation of Jiangsu Province (BK2007195) and Graduate innovation research funding of Jiangsu Province (CX07B-112z). The material in this paper was not presented at any conference. This paper was recommended for publication in revised form by Associate Editor Edward P. Gatzke under the direction of Editor Frank Allgöwer.

∗ Corresponding author. Tel.: +86 25 84892305x6041; fax: +86 25 84892300.

0005-1098/$ – see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.automatica.2009.06.019

2. Preliminaries

The considered nonlinear system takes the general form

$$\dot{x}(t) = G\big(x(t), u(t), d(t), f(u(t), x(t))\big) \tag{1}$$

with measurable states $x \in \mathbb{R}^n$, inputs $u \in \mathbb{R}^p$, unknown but bounded uncertainties $d \in \mathbb{R}^l$ such that $|d(t)| \le \bar{d}$ for some known constant $\bar{d} \ge 0$, where $|\cdot|$ denotes the Euclidean norm. Process and/or actuator faults are represented by the function $f : \mathbb{R}^p \times \mathbb{R}^n \to \mathcal{F}$ where $\mathcal{F} \subset \bigcup_{i \in \mathcal{M} = \{1,\ldots,M\}} \mathcal{F}_i \subset \mathbb{R}^q$ and $\mathcal{F}_i$ is the set of fault vectors associated with fault mode $i$, $M$ is a finite number, the fault free operation is $\mathcal{F}_M = \{0\}$.

The property that is wished to be invariant under the faults in $\mathcal{F}$ is that system (1) remains Input to State Stable (ISS) (Sontag & Wang, 1996) w.r.t. $d$ as inputs whatever the fault mode $i \in \mathcal{M}$, i.e., $\exists \beta_i \in \mathcal{KL}$,¹ $\alpha_i, \gamma_i \in \mathcal{K}_\infty$ such that

$$\alpha_i(|x(t)|) \le \beta_i(|x_0|, t) + \gamma_i(d) \quad \forall t \ge t_0. \tag{2}$$

ISS means that bounded inputs imply bounded states, thus the FTC performance is closely related to $d$. Suppose there is a set of control laws $u_i(t)$, each law being associated with a fault mode $i \in \mathcal{M}$. Let $t_{ik}$ denote the $k$th time at which controller $u_i(t)$ is applied. Specially, define a class $\mathcal{GKL}$ function $\gamma : [0,\infty) \times [0,\infty) \to [0,\infty)$ if $\gamma(\cdot, t)$ is of class $\mathcal{K}$ for each fixed $t \ge 0$ and $\gamma(s, t)$ increases as $t \to \infty$ for each fixed $s \ge 0$.

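Assumption 1. For any $i, j \in \mathcal{M}$, there exists a family of continuous non-negative functions $V_i(x) : \mathbb{R}^n \to \mathbb{R}_{\ge 0}$, and functions $\alpha^i_1, \alpha^i_2, \gamma \in \mathcal{K}_\infty$, $\phi^i_1 \in \mathcal{KL}$, and $\phi^i_2 \in \mathcal{GKL}$ such that

$$\alpha^i_1(|x|) \le V_i(x) \le \alpha^i_2(|x|) \tag{3}$$

$$u = u_i(t),\ f \in \mathcal{F}_i \;\Longrightarrow\; V_i(x(t)) \le \phi^i_1\big(V_i(x(t_{ik})), t - t_{ik}\big) + \gamma(d) \tag{4}$$

$$u = u_i(t),\ f \in \mathcal{F}_j,\ j \ne i \;\Longrightarrow\; V_i(x(t)) \le \phi^i_2\big(V_i(x(t_{ik})), t - t_{ik}\big) + \gamma(d). \tag{5}$$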

Remark 1. Assumption 1 implies that for faults $f \in \mathcal{F}_i$, the controller $u_i(t)$ stabilizes the plant in the sense of ISS as in (4). Note that if there is no controller satisfying the specification for the faulty plant, the fault is not recoverable, then the system objective should be reconfigured, e.g. by using the "safe parking" framework proposed in Mahmood, Gandhi, and Mhaskar (2008). The existence of $V_i$ is discussed in Sontag and Wang (1996), which can be systematically designed for classes of nonlinear systems as shown in Yang, Jiang, and Cocquempot (2009a). For faults $f \notin \mathcal{F}_i$, $V_i$ may increase which implies that $x$ may escape to a large region or infinity. Note that $V_i$ are not required to be differentiable.

3. FDI and FTC design

The supervisory FTC approach based on a bank of pre-computed control laws $u_i(t)$ first identifies the current fault mode $i \in \mathcal{M}$ and then switches to the pre-computed controller $u_i(t)$. This scheme obviously introduces a FDI delay. During this delay the faulty system is controlled by an inappropriate controller, which may result in unstable behavior. Moreover the actual fault mode may be mis-isolated, possibly leading to fatal consequences. In the proposed scheme as shown in Fig. 1, the fault isolation and FTC are integrated via a switching algorithm. A sequence of controllers is switched, until the appropriate one is found. The delay in setting the correct controller (referred to as the "setting delay" in the sequel) still exists, but there is no individual isolation algorithm, which makes the scheme simpler and more easily verifiable. Moreover, the setting delay can be controlled according to the design parameters, the state remains bounded during this delay as will be shown.

3.1. Fault detection

Let us consider a time window where the control law and the fault mode are in adequacy, therefore (4) holds, and a simple fault detection law is given by

$$V_i(x(t)) > \phi^i_1\big(V_i(x(t_{ik})), t - t_{ik}\big) + \gamma(d). \tag{6}$$

¹ Recall that class $\mathcal{K}$ is a class of strictly increasing and continuous functions $[0,\infty) \to [0,\infty)$ which are zero at zero. Class $\mathcal{K}_\infty$ is the subset of $\mathcal{K}$ consisting of all those functions that are unbounded. $\beta : [0,\infty) \times [0,\infty) \to [0,\infty)$ belongs to class $\mathcal{KL}$ if $\beta(\cdot, t)$ is of class $\mathcal{K}$ for each fixed $t \ge 0$ and $\beta(s, t)$ decreases to 0 as $t \to \infty$ for each fixed $s \ge 0$.

Fig. 1. FTC framework (block diagram: plant, fault detection, switching scheme, Controller 1, Controller 2, ..., Controller M).

Denote $t_{fd}$ as the first time at which inequality (4) is violated. Note that $x(t_{fd})$ is still bounded. Fault detection obviously does not take place as long as the controller is switching in its search for the appropriate fault mode.

3.2. Supervisory FTC with integrated fault isolation

In a class of active FTC methods, a series of filters is often designed for fault isolation, where each filter is sensitive to one certain kind of fault and not affected by others as in Zhang, Polycarpou, and Parisini (2008). We propose a novel Supervisory FTC scheme with integrated Fault isolation. Using a series of pre-computed controllers, the fault isolation boils down to finding the correct controller, which can be directly applied once it is selected.

Define $\sigma(t) : [0,\infty) \to \mathcal{M}$ as the switching function of the controllers, which is assumed to be a piecewise constant function continuous from the right. $N_{(t_s,t_e)}$ represents the number of switchings during $[t_s, t_e)$. We will use $\phi_{\sigma(t_i)}$ instead of $\phi^{\sigma(t_i)}_1$ in (4) and $\phi^{\sigma(t_i)}_2$ in (5) if there is no confusion. Moreover, $\phi^{t-t_i}_{\sigma(t_i)} \triangleq \phi_{\sigma(t_i)}\big(V_{\sigma(t_i)}(x(t_i)), t - t_i\big)$, $V^{t}_{\sigma(t_i)} \triangleq V_{\sigma(t_i)}(x(t))$, $t^-$ denotes the left limit of $t$. Specially, $\phi^{t}_{\sigma(0)} \triangleq \phi_{\sigma(0)}\big(V_{\sigma(0)}(x(0)), t\big)$.

Lemma 1. Under Assumption 1, $x$ is always bounded within a finite interval $[0, t)$ under a given switching law $\sigma(t)$, if there exists a constant $\beta > 0$ such that

$$\sum_{k=0}^{N_{(0,t)}} \left( \prod_{i=k}^{N_{(0,t)}} \frac{\phi^{t_{i+1}-t_i}_{\sigma(t_i)}}{V^{t_i}_{\sigma(t_i)}} \right) \le \beta, \quad t \ge 0,\ t_{N_{(0,t)}+1} \triangleq t \tag{7}$$

where $t_0 = 0$, $t_j$ $(j = 1, 2, \ldots)$ denotes the $j$th switching instant of the controllers. $N_{(0,t)}$ is finite.

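Proof. Consider $t \in [0, t_1)$, we have $V^{t}_{\sigma(0)} \le \dfrac{\phi^{t}_{\sigma(0)}}{V^{0}_{\sigma(0)}} V^{0}_{\sigma(0)} + \gamma(d)$. Condition (7) ensures that $\dfrac{\phi^{t}_{\sigma(0)}}{V^{0}_{\sigma(0)}} \le \beta$. It follows from (4) and (5) that

$$|x(t_1)| \le \underbrace{(\alpha^{\sigma(0)}_1)^{-1} \circ \beta \circ \alpha^{\sigma(0)}_2}_{\vartheta_{t_1}}(|x(0)|) + \underbrace{(\alpha^{\sigma(0)}_1)^{-1} \circ \gamma}_{\Xi_{t_1}}(d)$$

for $\vartheta_{t_1}, \Xi_{t_1} \in \mathcal{K}_\infty$, thus $V^{t_1}_{\sigma(t_1)} \le V^{t_1}_{\sigma(t_1^-)} + \alpha_{t_1}(|x(0)|) + \eta_{t_1}(d)$ for $\alpha_{t_1}, \eta_{t_1} \in \mathcal{K}_\infty$. For $t \in [t_1, t_2)$, we have

$$V^{t}_{\sigma(t)} \le \frac{\phi^{t-t_1}_{\sigma(t_1)}}{V^{t_1}_{\sigma(t_1)}} \frac{\phi^{t_1}_{\sigma(0)}}{V^{0}_{\sigma(0)}} V^{0}_{\sigma(0)} + \frac{\phi^{t-t_1}_{\sigma(t_1)}}{V^{t_1}_{\sigma(t_1)}} \alpha_{t_1}(|x(0)|) + \frac{\phi^{t-t_1}_{\sigma(t_1)}}{V^{t_1}_{\sigma(t_1)}} \big(\gamma(d) + \eta_{t_1}(d)\big) + \gamma(d). \tag{8}$$

Since $V^{0}_{\sigma(0)}$ and $\alpha_{t_1}(|x(0)|)$ are bounded, this together with (7) leads to $|x(t_2)| \le \vartheta_{t_2}(|x(0)|) + \Xi_{t_2}(d)$ for $\vartheta_{t_2}, \Xi_{t_2} \in \mathcal{K}_\infty$, thus we have $V^{t_2}_{\sigma(t_2)} \le V^{t_2}_{\sigma(t_2^-)} + \alpha_{t_2}(|x(0)|) + \eta_{t_2}(d)$ for $\alpha_{t_2}, \eta_{t_2} \in \mathcal{K}_\infty$.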


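By induction, we find that under (7) there exist functions $\alpha, \eta \in \mathcal{K}_\infty$ such that at each $t_i > 0$, $i = 1, 2, \ldots, N_{(0,t)}$

$$V_{\sigma(t_i)}(x(t_i)) \le V_{\sigma(t_i^-)}(x(t_i)) + \alpha(|x(0)|) + \eta(d) \tag{9}$$

where $\alpha(|x(0)|) = \max_{i=1,2,\ldots,N_{(0,t)}} [\alpha_{t_i}(|x(0)|)]$. Denote $j = N_{(0,t)}$, it follows from (4) and (5) that

$$V_{\sigma(t)}(x(t)) \le \prod_{s=0}^{N_{(0,t)}} \frac{\phi^{t_{s+1}-t_s}_{\sigma(t_s)}}{V^{t_s}_{\sigma(t_s)}} V_{\sigma(0)}(x(0)) + \gamma(d) + \sum_{k=1}^{N_{(0,t)}} \left( \prod_{i=k}^{N_{(0,t)}} \frac{\phi^{t_{i+1}-t_i}_{\sigma(t_i)}}{V^{t_i}_{\sigma(t_i)}} \right) \big(\alpha(|x(0)|) + \eta(d) + \gamma(d)\big). \tag{10}$$

Based on (3) and (9), there exists a $\mathcal{K}_\infty$ function $\alpha$ such that $\alpha(|x(0)|) = \max[\alpha^{\sigma(0)}_2(|x(0)|), \alpha(|x(0)|)]$. One further has from (7) that

$$V_{\sigma(t)}(x(t)) \le \beta\alpha(|x(0)|) + \beta\big(\eta(d) + \gamma(d)\big) + \gamma(d). \tag{11}$$

The result follows from (3). □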

Now we design the switching law using Lemma 1. To exhaustively span all controllers, we pick a non-repeated switching sequence as in the following definition.

Definition 1. Consider a switching function $\sigma(t)$, and switching times $t_0, t_1, t_2, \ldots$, a switching sequence is non-repeated if $\sigma(t_i) \ne \sigma(t_j)$ for $i \ge 0$, $j \ge 0$, and $i \ne j$. □

Assumption 2. There exists a known constant $\chi \ge 1$ such that

$$\chi = \max_{j \in \mathcal{M},\ k=1,2,\ldots} \frac{\phi_j\big(V_j(x(t_{jk})), 0\big)}{V_j(x(t_{jk}))}. \tag{12}$$

Remark 2. Assumption 2 means that the initial gain of $V_j$ is bounded when $u_j$ is just switched on at $t = t_{jk}$. In most situations, $\dfrac{\phi_j(V_j(x(t_{jk})), 0)}{V_j(x(t_{jk}))}$ is independent from $V_j(x(t_{jk}))$ where $\chi$ can be obtained a priori.

The following theorem provides a supervisory switching law based upon a given cost function $J_i(x(t), t)$ that is relevant to the purpose of selecting the next controller. $\phi_{\sigma(t_i)}$ will be taken instead of $\phi^{\sigma(t_i)}_2$ in (5) only.

Theorem 1. Consider a nonlinear system (1) and a family of controllers satisfying (3)–(5) and Assumptions 1 and 2. Suppose that a fault $f \in \mathcal{F}_\iota$, $\iota \in \mathcal{M}$ occurs at $t = t_f$ and is detected at $t = t_{fd}$ via the threshold (6), then there exists a control switching scheme such that $x$ is bounded for all $t \ge t_f$ and the system is ISS w.r.t. $d$ after the correct controller $u_\iota(t)$ is applied.

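Proof. Choose a constant $\beta > \max[(M-2)(1+\chi)\chi^{M-2},\ (M-2)(M-3)\chi^{M-3}]$, where $\chi$ is defined in (12). The switching law is designed as:

Algorithm 1

1. Denote $t_0 = t_{fd}$; Let $s = 0$; Define $\mathcal{M}^\star \triangleq \mathcal{M} - \{\sigma(t_f)\}$; Set $\sigma(t_0) = i^\star$ where

$$i^\star = \arg\max_{i \in \mathcal{M}^\star} J_i(x(t_0), t_0). \tag{13}$$

2. Choose $t_{1+s}$ such that

$$\sum_{k=0}^{s} \prod_{j=k}^{s} \frac{\phi^{t_{j+1}-t_j}_{\sigma(t_j)}}{V^{t_j}_{\sigma(t_j)}} \le \frac{\beta}{(M-2-s)\chi^{M-2-s}} - 1. \tag{14}$$

If $V_{\sigma(t_s)}(x(t_{1+s})) \le \phi^{\sigma(t_s)}_1\big(V_{\sigma(t_s)}(x(t_s)), t - t_s\big) + \gamma(d)$
then apply the controller $u_{\sigma(t_s)}(t)$ $\forall t \ge t_{1+s}$; Stop the switching
else, go to 3.

3. Let $\mathcal{M}^\star = \mathcal{M}^\star - \{\sigma(t_s)\}$; Set $\sigma(t_{1+s}) = i^\star$ where

$$i^\star = \arg\max_{i \in \mathcal{M}^\star} J_i(x(t_{1+s}), t_{1+s}). \tag{15}$$

Apply the controller $u_{\sigma(t_{1+s})}(t)$ at $t = t_{1+s}$; Let $s = s + 1$; Go to 2. □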

Note that the cost based switching sequence obtained from (13) and (15) is non-repeated, since at each switching instant, the destabilizing controller activated before has been removed from $\mathcal{M}^\star$. At most $M - 1$ switchings occur before the controller $u_\iota(t)$ related to $f \in \mathcal{F}_\iota$ is applied. We consider the worst case that $\sigma(t_{M-2}) = \iota$. The results for other cases are obtained straightforwardly.

Since $\beta > (M-2)(1+\chi)\chi^{M-2}$ and $\chi \ge 1$, one gets $\chi < \dfrac{\beta}{(M-2)\chi^{M-2}} - 1$. We can choose $t_1 > t_0$ such that $\dfrac{\phi^{t_1}_{\sigma(0)}}{V^{0}_{\sigma(0)}} \le \dfrac{\beta}{(M-2)\chi^{M-2}} - 1$. Applying $u_{\sigma(t_1)}$ at $t = t_1$ results in

$$\frac{\phi_{\sigma(t_1)}\big(V^{t_1}_{\sigma(t_1)}, 0\big)}{V^{t_1}_{\sigma(t_1)}} \left( \frac{\phi^{t_1-t_0}_{\sigma(t_0)}}{V^{t_0}_{\sigma(t_0)}} + 1 \right) \le \frac{\beta}{(M-2)\chi^{M-3}}.$$

Since $\beta > (M-2)(M-3)\chi^{M-3}$, we have $\dfrac{\beta}{(M-2)\chi^{M-3}} < \dfrac{\beta}{(M-3)\chi^{M-3}} - 1$. Thus we can choose $t_2 > t_1$ such that

$$\frac{\phi^{t_2-t_1}_{\sigma(t_1)}}{V^{t_1}_{\sigma(t_1)}} \left( \frac{\phi^{t_1-t_0}_{\sigma(t_0)}}{V^{t_0}_{\sigma(t_0)}} + 1 \right) \le \frac{\beta}{(M-3)\chi^{M-3}} - 1.$$

By induction, for $s = 1, \ldots, M-4$, we have $\dfrac{\beta}{(M-2-s)\chi^{M-3-s}} < \dfrac{\beta}{(M-3-s)\chi^{M-3-s}} - 1$. Choose $t_{2+s}$ as (14). Finally, we verify condition (7) with $t = t_{M-2}$. It follows from Lemma 1 that $x$ is bounded during $[t_0, t_{M-2})$. The fault detection threshold (6) also leads to the boundedness of $x$ in $[t_f, t_0)$, thus $x$ is bounded during $[t_f, t_{M-2})$. Since $\sigma(t_{M-2}) = \iota$, the correct controller $u_\iota(t)$ is applied after $t = t_{M-2}$, we further have from (4) that

$$V_\iota(x(t)) \le \phi_\iota\big(V_\iota(x(t_{M-2})), t - t_{M-2}\big) + \gamma(d)$$

the ISS result follows. □

Remark 3. Compared with Seron, Zhuo, De Dona, and Martinez (2008), Yoon, Kim, and Morse (2007) and Zhang and Jiang (2001), there is no need to design any additional model or filter to isolate the fault. In fact, inequalities (4) and (5) can be regarded as a "filter" for the overall FDI/FTC design rather than the FDI only. If a FDI filter were used, an appropriate control law has still to be designed once the fault is detected, isolated, and identified. The FDI filter may also result in false alarms. In our proposal, the control laws are directly applied. This can be done for systems that satisfy Assumptions 1 and 2, thus simplifying the overall Diagnosis/FTC architecture.

Remark 4. The transient behavior during the setting delay obviously depends on $J_i(x(t), t)$, $i \in \mathcal{M}^\star$ that is optimized in (13) and (15). A few examples of relevant costs are given: (1) $J_i(x(t), t)$ is the probability that fault $i$ occurs in state $x(t)$ at time $t$. The switching policy selects the most likely fault mode; (2) $J_i(x(t), t)$ is a control cost that we wish to minimize if fault mode $i$ occurs. The switching policy assumes that the worst fault mode has occurred, and selects first the associated control, the sooner the worst situation is recognized, the smaller the risk of an excessive control cost. On the opposite, the "optimistic" switching policy $i^\star = \arg\min_{i \in \mathcal{M}} J_i(x(t), t)$ bets on the occurrence of the best fault mode; (3) $i^\star = \mathrm{Random}\{i \in \mathcal{M}^\star(t)\}$ is always a possible option, if no cost function can be elaborated.

Fig. 2. Fault detection (plot of the trajectory of V5 and the threshold versus t/s, with the point where the fault is detected marked).

3.3. Enhancement of transient behavior

Under Algorithm 1, the transient behavior during the setting delay may be not satisfactory if the number of fault cases increases, leading to a possibly large number of switchings. In this section, the transient behavior is improved by reducing the number of switchings.

Assumption 3. There exists a family of continuous non-negative functions $V_i(x) : \mathbb{R}^n \to \mathbb{R}_{\ge 0}$, $\forall i \in \mathcal{M}$ and $\gamma \in \mathcal{K}_\infty$, $\xi_i \in \mathcal{GKL}$ such that

$$V_i(x(t)) \le \xi_i\big(V_i(x(t_{jk})), t - t_{jk}\big) + \gamma(d) \quad \forall f \in \mathcal{F}_i,\ u = u_j(x),\ j \ne i,\ t \ge t_{jk},\ k = 1, 2, \ldots \tag{16}$$

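Algorithm 2

1. Denote $t_0 = t_{fd}$; Let $s = 0$; Define $\mathcal{M}^\star \triangleq \mathcal{M} - \{\sigma(t_f)\}$; Set $\sigma(t_0) = i^\star$ where

$$i^\star = \arg\max_{i \in \mathcal{M}^\star} J_i(x(t_0), t_0).$$

2. Choose $t_{1+s}$ such that

$$\sum_{k=0}^{s} \prod_{j=k}^{s} \frac{\phi^{t_{j+1}-t_j}_{\sigma(t_j)}}{V^{t_j}_{\sigma(t_j)}} \le \frac{\beta}{(M-2-s)\chi^{M-2-s}} - 1. \tag{17}$$

If $V_{\sigma(t_s)}(x(t_{1+s})) \le \phi^{\sigma(t_s)}_1\big(V_{\sigma(t_s)}(x(t_s)), t - t_s\big) + \gamma(d)$
then apply the controller $u_{\sigma(t_s)}(x)$ $\forall t \ge t_{1+s}$; Stop the switching
else, let $\mathcal{M}^\star = \mathcal{M}^\star - \{\sigma(t_s)\}$; Go to 3.

3. Set $\sigma(t_{1+s}) = i^\star$ where

$$i^\star = \arg\max_{i \in \mathcal{M}^\star} J_i(x(t_{1+s}), t_{1+s}).$$

If $V_{\sigma(t_{i^\star})}(x(t_{1+s})) > \xi_{\sigma(t_{i^\star})}\big(V_{\sigma(t_{i^\star})}(x(t_s)), t - t_s\big) + \gamma(d)$
then let $\mathcal{M}^\star = \mathcal{M}^\star - \{\sigma(t_{i^\star})\}$; Go to 3
else, apply the controller $u_{\sigma(t_{1+s})}(x)$ at $t = t_{1+s}$; Let $s = s + 1$; Go to 2. □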

The main idea behind Algorithm 2 is that at each switching time, we remove incorrect candidate controllers that satisfy (16) from the switching sequence. We shall prove that Algorithm 2 improves the transient behavior w.r.t. Algorithm 1. Denote $x(t_{A1})$, $\sigma(t_{A1})$ and $t_{A1|s}$ (respectively $x(t_{A2})$, $\sigma(t_{A2})$ and $t_{A2|s}$) the state trajectory, switching function and the $s$th switching time under Algorithm 1 (respectively Algorithm 2).

Corollary 1. Consider a nonlinear system (1) and a family of controllers satisfying (3)–(5) and Assumptions 1–3. Suppose that a fault $f \in \mathcal{F}_\iota$, $\iota \in \mathcal{M}$ occurs at $t = t_f$ and is detected at $t = t_{fd}$ via the threshold (6), then (1) Algorithm 2 guarantees that $x$ is bounded for all $t \ge t_f$ and the system is ISS w.r.t. $d$ after the correct controller $u_\iota(t)$ is applied. (2) If $\sigma_{A2}(t_{A2|s}) = \sigma_{A1}(t_{A1|r}) = \iota$, then $|x_{A2}(t_{A2|s})| \le |x_{A1}(t_{A1|r})|$.

Proof. (1) can be obtained from Theorem 1. We shall prove (2). Since the correct controller is selected after $s + 1$ number of switchings under Algorithm 2, it can be concluded that $s \le r \le M - 2$. Consider the worst case that $r = M - 2$. Choose $t_{A2|s}$ as (17), we obtain

$$\sum_{k=0}^{s-1} \prod_{j=k}^{s-1} \frac{\phi^{t_{A2|j+1}-t_{A2|j}}_{\sigma(t_{A2|j})}}{V^{t_{A2|j}}_{\sigma(t_{A2|j})}} \le \frac{\beta}{(M-1-s)\chi^{M-1-s}} - 1. \tag{18}$$

Since $s \le M - 2$, we verify condition (7) with $\beta^*$ instead of $\beta$ where $\beta^* = \dfrac{\beta}{M-1-s} \le \beta$ at $t = t_{A2|s}$. The result follows from (11). For the case $r < M - 2$, the result is obtained following the above procedure. □

3.4. Without full state measurements

If a faulty mode is observable, observer-based FTC techniques can be applied, e.g., Jiang, Staroswiecki, and Cocquempot (2006), Mhaskar et al. (2006) and Yang et al. (2009a,b). Denote $\hat{x}$ as the estimated state, since $V_i$ and $\phi^i_1$ are continuous w.r.t. $x$, and assuming the observer converges fast enough, we can find constants $\varepsilon > 0$ and $\varepsilon > 0$ such that $|\hat{x} - x| \le \varepsilon \Rightarrow |V_i(\hat{x}) - V_i(x)| \le \varepsilon$ and $|\phi^i_1(\hat{x}, t - t_{ik}) - \phi^i_1(x, t - t_{ik})| \le \varepsilon$.

The fault detection law (6) can be modified as $V_i(\hat{x}(t)) > \phi^i_1\big(V_i(\hat{x}(t_{ik})), t - t_{ik}\big) + 2\varepsilon + \gamma(d)$. This detection law involves $\hat{x}$ and the error $\varepsilon$, thus some faults may be detected with a delay. However $x(t_{fd})$ is still bounded.

Consider a particular case where the estimation error of the observer is not affected by the faults and controller switching as designed in Yang et al. (2009b). Algorithms 1 and 2 can be modified by taking into account the estimation error as a disturbance. In the presence of false alarms (e.g. the observation error has still not converged), Algorithms 1 and 2 remain available if the current mode $\sigma(t_f)$ is not removed from $\mathcal{M}^\star$. For more general cases, during each transient period we must first design an effective observer to estimate the state, some related identification work not addressed in this paper, can be found in Yang et al. (2009a).

4. A flexible joint robotic example

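Consider a one-link manipulator presented in Jiang et al. (2006). The measurable states are the angular positions and velocities of the motor and of the link $x = [\theta_m, \omega_m, \theta_1, \omega_1]^\top$, where $(\cdot)^\top$ is the transposition. The control $u$ is the torque delivered by the motor. The state-space model is

$$\begin{aligned}
\dot{\theta}_m &= \omega_m \\
\dot{\omega}_m &= -\frac{\kappa}{J_m}(\theta_1 - \theta_m) - \frac{b}{J_m}\omega_m + \frac{c}{J_m}u \\
\dot{\theta}_1 &= \omega_1 \\
\dot{\omega}_1 &= -\frac{\kappa}{J_1}(\theta_1 - \theta_m) - \frac{mgh}{J_1}\sin(\theta_1) + d
\end{aligned}$$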

where $J_m$ and $J_1$ denote respectively the inertia of the motor and of the link. $\kappa$ is the elasticity constant, $b$ denotes the related viscous friction coefficient, and $c$ is the amplifier gain. The modeling uncertainty $d$ is assumed to be a 10% error in the mass of the link, i.e. $d = 0.1(mgh/J_1)\sin(\theta_1)$. The parameters are: $J_m = 0.935$ kg m², $J_1 = 23.303$ kg m², $\kappa = 45.440$ N m/rad, $b = 1.169$ N m s/rad, $c = 20.196$ N m/V, $mgh = 7.760$ N m/rad, $d = 0.017$.

Fig. 3. State trajectories (four panels versus t/s: angular position of the motor, angular position of the link, angular velocity of the motor, angular velocity of the link; curves for Algorithm 1, Algorithm 2 and Standard FI).

Consider four faulty cases: Case (1) $b$ is changed within [10 N m s/rad, 15 N m s/rad]; Case (2) $\kappa$ reduces to 25%–50%; Case (3) $\kappa$ reduces to 50%–75%; Case (4) $c$ is changed within [30 N m/V, 40 N m/V]. Consequently, we divide $\mathcal{F}$ into five parts as $\mathcal{F} \subset \bigcup_{i \in \mathcal{M} = \{1,2,\ldots,5\}} \mathcal{F}_i$, where $\mathcal{F}_i$ is related to the fault values in Case $i$. Case 5 denotes the fault-free situation. According to the FTC design in Jiang et al. (2006), we can design a nominal controller $u_5(x)$ for the healthy plant and four candidate controllers $u_i(x)$, $i = 1, 2, 3, 4$ for cases 1–4 respectively. The details are omitted. For each controller $u_i$, we can obtain $V_i(x) = x^\top H_i x$ where $H_i$ is a positive definite matrix. In the simulation, suppose that Case 1 occurs, we further have for $f \in \mathcal{F}_1$ and $t \ge 0$

$$\begin{aligned}
V_1(x(t)) &\le e^{-1.1840t}V_1(x(0)) + \gamma(d), & u &= u_1(x) \\
V_2(x(t)) &\le e^{6.2893t}V_2(x(0)) + \gamma(d), & u &= u_2(x) \\
V_3(x(t)) &\le e^{18.8439t}V_3(x(0)) + \gamma(d), & u &= u_3(x) \\
V_4(x(t)) &\le e^{1.4031t}V_4(x(0)) + \gamma(d), & u &= u_4(x)
\end{aligned}$$

which verifies Assumption 1. The system under fault mode 1 is stabilized only by $u_1(x)$. Suppose that the initial states are $[1\ 0.4\ 0.5\ 0.1]^\top$. Case 1 occurs at $t = 1.5$ s, the simulation parameter $b = 11.69$ N m s/rad. Fig. 2 shows that the fault is detected at $t = 2.343$ s using (6). It can be obtained from (12) that $\chi = 1$. $J_i(x(t)) = \int_0^t x^2(s) + 0.1u_i^2(s)\,ds$. Since there are three unstabilizing controllers that may be activated, $M - 2 = 3$. Choose $\beta = 6.5 > 3 \times 2$. The non-repeated switching sequence obtained from (13) and (15) is $u_2 \to u_3 \to u_4 \to u_1$. Calculations based on (14) lead to the dwell periods: 0.0245 s for $u_2(x)$; 0.0020 s for $u_3(x)$; 0.3750 s for $u_4(x)$. $u_1(x)$ is finally applied for $t \ge 2.7445$ s. The solid lines in Fig. 3 show the state trajectories, it can be seen that the FTC goal is achieved and $x$ is always bounded in [1.5 s, 2.7445 s).

Similar procedures can be applied to illustrate Algorithm 2. The obtained switching sequence is the same as in Algorithm 1. However, at the second switching instant, the controller $u_3(x)$ is removed from the sequence. It follows from (17) that the dwell period of controller $u_4(x)$ becomes 0.0269 s. The correct controller $u_1(x)$ is applied for $t \ge 2.3944$ s. The dash–dot lines in Fig. 3 show the state trajectories under Algorithm 2, the transient performance is better than that under Algorithm 1.

The dotted lines in Fig. 3 show the state trajectories using an active FTC method with fault isolation technique (Zhang et al., 2008). The fault is isolated at $t = 2.82$ s, then $u_1$ is applied. The states converge faster than under Algorithm 1, but a large overshoot occurs, since in [1.5 s, 2.82 s), the system is controlled by $u_5$.
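The dwell periods quoted in this section can be reproduced from condition (14), and from (17) for Algorithm 2. The Python sketch below is an added example, not code from the paper; it assumes each wrong controller's bound has the exponential form listed above, so the gain $\phi/V$ after a dwell $\tau$ is $e^{\lambda\tau}$, and that every switching time is taken at the limit allowed by (14). The function and variable names are hypothetical.

```python
import math


def dwell_periods(rates, beta, chi, M):
    """Longest dwell period allowed by (14)/(17) for each wrong controller.

    rates: growth rates lambda_s of the bounds V <= exp(lambda_s * tau) * V,
           listed in the order the wrong controllers are switched on.
    Assumption (added here, not stated in the paper): the gain phi/V after
    tau seconds is exp(lambda_s * tau), and each switch happens when (14)
    holds with equality.
    """
    periods = []
    prev_sum = 0.0  # left-hand side of (14) at the previous switching time
    for s, rate in enumerate(rates):
        remaining = M - 2 - s
        if remaining < 1:
            raise ValueError("at most M - 2 wrong controllers can be tried")
        if rate <= 0:
            raise ValueError("a non-growing bound needs no dwell limit")
        bound = beta / (remaining * chi ** remaining) - 1.0
        # sum_{k=0..s} prod_{j=k..s} g_j  ==  g_s * (prev_sum + 1)
        gain = bound / (prev_sum + 1.0)
        if gain < 1.0:
            raise ValueError(f"beta too small: no dwell possible at s={s}")
        periods.append(math.log(gain) / rate)
        prev_sum = gain * (prev_sum + 1.0)
    return periods


def correct_controller_time(t_fd, periods):
    """Time at which the stabilizing controller is finally applied."""
    return t_fd + sum(periods)


# Values taken from the flexible joint example: M = 5, chi = 1, beta = 6.5,
# fault detected at t = 2.343 s, growth rates of the bounds under u2, u3, u4.
M, CHI, BETA, T_FD = 5, 1.0, 6.5, 2.343
RATE = {"u2": 6.2893, "u3": 18.8439, "u4": 1.4031}

# Algorithm 1 tries u2 -> u3 -> u4 before reaching u1.
alg1 = dwell_periods([RATE["u2"], RATE["u3"], RATE["u4"]], BETA, CHI, M)
# Algorithm 2 drops u3 from the sequence, so only u2 -> u4 are tried.
alg2 = dwell_periods([RATE["u2"], RATE["u4"]], BETA, CHI, M)

if __name__ == "__main__":
    for name, periods in (("Algorithm 1", alg1), ("Algorithm 2", alg2)):
        shown = ", ".join(f"{p:.4f} s" for p in periods)
        print(f"{name}: dwell {shown}; u1 applied at "
              f"t = {correct_controller_time(T_FD, periods):.4f} s")
```

Under these assumptions the computed values agree with the dwell periods and switching times reported in the text to four decimal places.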

5. Conclusion

A novel FDI/FTC scheme that skips the fault isolation step and only relies on a controller switching scheme has been proposed. The state may oscillate in the setting delay due to a large switching number (a large number of potential faults) and switching frequency. Future work will focus on the trade-off between the simplicity of the switching algorithm and its effects on the transient performance.

References

Blanke, M., Kinnaert, M., Lunze, J., & Staroswiecki, M. (2006). Diagnosis and fault-tolerant control (2nd ed.). Berlin: Springer Verlag.

Jiang, B., Staroswiecki, M., & Cocquempot, V. (2006). Fault accommodation for a class of nonlinear dynamic systems. IEEE Transactions on Automatic Control, 51(9), 1578–1583.

Mahmood, M., Gandhi, R., & Mhaskar, P. (2008). Safe-parking of nonlinear process systems: Handling uncertainty and unavailability of measurements. Chemical Engineering Science, 63(22), 5434–5446.

Mhaskar, P. (2006). Robust model predictive control design for fault-tolerant control of process systems. Industrial and Engineering Chemistry Research, 45(25), 8565–8574.

Mhaskar, P., Gani, A., El-Farra, N. H., McFall, C., Christofides, P. D., & Davis, J. F. (2006). Integrated fault detection and fault-tolerant control of process systems. AIChE Journal, 52(6), 2129–2148.

Seron, M. M., Zhuo, X. W., De Doná, J. A., & Martínez, J. J. (2008). Multisensor switching control strategy with fault tolerance guarantees. Automatica, 44(1), 88–97.

Shin, J.-Y., & Belcastro, C. M. (2006). Performance analysis on fault tolerant control system. IEEE Transactions on Control Systems Technology, 14(5), 920–925.

Sontag, E., & Wang, Y. (1996). New characterizations of input-to-state stability. IEEE Transactions on Automatic Control, 41(9), 1283–1294.

Staroswiecki, M., Yang, H., & Jiang, B. (2007). Progressive accommodation of parametric faults in linear quadratic control. Automatica, 43(12), 2070–2076.

Tang, X., Tao, G., & Joshic, S. M. (2007). Adaptive actuator failure compensation for nonlinear mimo systems with an aircraft control application. Automatica, 43(11), 1869–1883.

Yang, H., Jiang, B., & Cocquempot, V. (2009a). A fault tolerant control framework for periodic switched nonlinear systems. International Journal of Control, 82(1), 117–129.

Yang, H., Cocquempot, V., & Jiang, B. (2009b). Robust fault tolerant tracking control with applications to hybrid nonlinear systems. IET Control Theory and Applications, 3(2), 211–224.

Yoon, T.-W., Kim, J.-S., & Morse, A. S. (2007). Supervisory control using a new control-relevant switching. Automatica, 43(10), 1791–1798.

Zhang, X., Polycarpou, M. M., & Parisini, T. (2008). Design and analysis of a fault isolation scheme for a class of uncertain nonlinear systems. Annual Reviews in Control, 32(1), 107–121.

Zhang, Y. M., & Jiang, J. (2001). Integrated active fault-tolerant control using imm approach. IEEE Transactions on Aerospace and Electronic Systems, 37(4), 1221–1235.

Hao Yang was born in Nanjing, China, in 1982. He is currently a Ph.D. candidate in Nanjing University of Aeronautics and Astronautics, China and University of Lille 1, France. His research interest includes stability and fault tolerant control of switched and hybrid systems, discrete event systems and Supervisory control with application to intelligent transportation systems.

Bin Jiang was born in Jiangxi, China, in 1966. He obtained the Ph.D. in Automatic Control from Northeastern University, Shenyang, China, in 1995. Currently he is a Full Professor and Vice Dean of College of Automation Engineering in Nanjing University of Aeronautics and Astronautics. He serves as Associate Editor for International Journal of System Science, International Journal of Control, Automation and Systems, etc. His research interests include fault diagnosis and fault tolerant control and their applications.

Marcel Staroswiecki was born in Melitopol (Ukraine) in 1945. He obtained the Engineering Degree from Ecole Nationale Supérieure des Arts et Métiers in 1968, the Ph.D. in Automatic Control in 1970, and the DSc in Physical Sciences in 1979. He is currently a full professor at University of Lille. His research at Ecole Normale Supérieure de Cachan (SATIE) addresses Fault Detection and Isolation and Fault Tolerance.