Control Reconfiguration After Actuator Failures ... - Semantic Scholar
1590
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
Control Reconfiguration After Actuator Failures Using Disturbance Decoupling Methods Jan Lunze, Member, IEEE, and Thomas Steffen
Abstract—This paper addresses the control of a system after an actuator has failed: A reconfiguration of the control structure is sought which keeps the system operational. The goal is to find a different set of actuators for controlling the plant and to use them in such a way that the plant output is identical to the output of the nominal closed-loop system. It is further required that the nominal controller remains part of the reconfigured control loop. This paper shows that this reconfiguration problem is equivalent to a disturbance decoupling problem which is solved by means of the geometric approach. The resulting solution is a reconfiguration block, which generates suitable inputs for the faulty plant based on the output of the nominal controller. The feasibility of this approach is demonstrated by a physical experiment with a helicopter model.
Compared to previous treatments, the approach presented here differs with respect to the pursued goal and to its implementation. The objective is to precisely reproduce the output trajectory of the system despite of actuator failures. The approach leads to a unique separation of the reconfiguration problem into two parts. The first part is the control of the nominal plant, for which the nominal controller can be used. The second part refers to the reconfiguration by means of a disturbance decoupling problem, which can be solved in real time. Thus, the approach can be used to find a solution online, after the fault has been detected. No manual intervention is necessary, and no predesigned alternative controller is required.
Index Terms—Actuator faults, disturbance decoupling, fault-tolerant control (FTC), linear control, reconfiguration.
A. Literature
I. INTRODUCTION ECHNICAL systems are invariably subject to faults. In a controlled system, the effect of the fault can be spread through the control loop and affect parts of the system which are not directly connected to the location of the fault. This can render the system inoperable until the fault is repaired, causing an expensive downtime. The field of fault-tolerant control deals with this situation. Several solutions have been elaborated [4]. The passive approach uses a robust controller, which ensures the closed-loop stability and satisfactory performance under a number of fault cases (usually at the cost of nominal control performance). The active approach changes the controller parameters and, if necessary, the control configuration in response to the fault. Control reconfiguration includes the selection of new actuators or sensors and the redesign of the control law with respect to the new control configuration. This approach is investigated here for actuator failures that make one or more actuators completely inoperable and, hence, render the control loop ineffective. The reconfiguration has to close the control loop by means of actuators that have not been used in the nominal control loop.
T
Manuscript received February 4, 2004; revised February 18, 2005. Recommended by Associate Editor M. A. Demetriou. This work was supported by the Deutsche Forschungsgemeinschaft under Grant Lu462/14. J. Lunze is with the Institute of Automation and Computer Control, RuhrUniversität Bochum, 44780 Bochum, Germany (e-mail: [email protected]). T. Steffen was with the Institute of Automation and Computer Control, RuhrUniversität Bochum, 44780 Bochum, Germany. He is now with mBalance, 1105 BJ Amsterdam ZO, The Netherlands (e-mail: [email protected]). Color versions of Figures 3–7, 9, 10, and 12–15 are available online at http:// ieeexplore.ieee.org. Digital Object Identifier 10.1109/TAC.2006.882938
Fault-tolerant control is currently an important research area. It involves both the detection of faults and the reconfiguration of the control structure (or a similar countermeasure). Historically, the first approach to the reconfiguration problem was the pseudoinverse method [7]. It is applicable both to actuator and to sensors faults, but it can only provide an approximation of the nominal system matrix. The result may not be stable, and additional steps are necessary to guarantee stability. Model-matching methods can solve the stabilisation, as shown in [5]. However, because this approach relies on the transfer function of the system, the mathematical treatment is complex, and the resulting algorithms are difficult to implement. The system property of reconfigurability has been treated only recently. A structural analysis can be found in [8], and a related analysis based on the control energy of linear state-space systems is developed in [20]. A detailed study of the reconfigurability after faults in discrete actuators can be found in [11]. The latter two references are especially interesting because they cover actuator limits. For every isolated fault, it is possible to solve the reconfiguration problem by redesigning a new controller for the faulty system. In [11], [13], and [18] it is shown that an optimal controller can be redesigned with the same optimisation problem as in the nominal case. The same idea has also been applied to hybrid systems, as detailed in [19] and [12]. However, the redesign step becomes too complex for the application to large systems. For more complex systems, it is possible to predesign controllers for the anticipated fault cases, and switch to the corresponding controller once a fault is detected. Both [3] and [24] demonstrate the feasibility of this approach. This paper builds on the state–space analysis. By keeping the nominal controller in the loop, a complete controller redesign is made unnecessary. This becomes possible by using a virtual actuator as introduced in [4], [15], and [16]. It has already been
0018-9286/$20.00 © 2006 IEEE
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
demonstrated that the virtual actuator can be designed and applied automatically after the fault has been detected. What sets this paper apart from earlier work on the virtual actuator is the pursued goal: The objective for the virtual actuator design is to reproduce the output trajectory of the plant. In this, it is similar to the model-matching approach, but it is formulated and solved completely in state space. Due to this goal, the considered reconfiguration problem belongs to the class of problems defined by the “disturbance decoupling problem” (DDP). The classical solution to DDP, based on the geometric approach, is presented in [23]. Previous work [13], [14], [17] has explored different formulations of the reconfiguration problem and the resulting solutions. Several of the recent approaches to reconfiguration have been applied to the Three-Tank Benchmark Problem defined in [1]. The reconfiguration approach can be simplified if it is assumed that the fault affects only the parameters of the system, but it does not significantly change its structure. In that case, adaptive control has been shown to keep the control loop stable in [10]. However, for major actuator faults as described in [6], adaptive control is not a suitable solution.
1591
Fig. 1. Nominal control loop.
Fig. 2. Reconfigured control loop.
B. Overview In Section II, the reconfiguration problem considered in this paper is defined. In Section III, the reconfiguration problem is transformed into a disturbance decoupling problem. Since this is a well studied problem, known solutions can be used. In Section IV, the geometric approach to disturbance decoupling is summarised. The result can be used to find the solution to the original reconfiguration problem using an inverse transformation. In Section V, the results of this paper are applied to a physical helicopter model. The reconfiguration approach is illustrated step by step, and the reconfiguration solution is tested in a simulation and in a physical experiment. II. THE RECONFIGURATION PROBLEM A. The Idea of a Virtual Actuator The aim of control reconfiguration is to prevent a fault in one component (like an actuator) from causing a failure of the whole system. Without reconfiguration, actuator faults can lead to a disruption of the normal operation, which may require a shutdown or even cause physical damage. The approach presented here aims at canceling the effect of the fault before it reaches the output of the plant. The only way to do this is by changing some inputs of the plant (see Figs. 1 and 2). The idea followed in this paper is to place a block between the controller output and the vector of all available actuators. Since the goal of this block is to generate a signal which has the same effect as the broken actuator would have in the nominal system, the block is called a virtual actuator. If the virtual actuator is successful, the behaviour of the reconfigured plant, which consists of the faulty plant and the virtual actuator, is indistinguishable from the nominal plant. Therefore, the nominal controller can be used to control the reconfigured plant. As a consequence, the virtual actuator can be designed based on the open-loop behaviour, although its purpose
Fig. 3. Nominal plant.
is to work in a closed-loop system. Therefore, the reconfiguration problem will be restated in terms of the open-loop system. While this approach may seem more complex, it has a significant advantage over the redesign of the controller. Typically, the controller design is a lengthy process, which involves several cycles of deriving and testing new controller parameters. Thus, the redesign cannot be performed on-line after the fault has been discovered. Here, the virtual actuator is used in addition to the original controller. The knowledge accumulated in the controller during its design is preserved and the reconfigured control loop can leverage on it. The design of the virtual actuator itself has a much more limited scope. It presents fewer degrees of freedom and it is therefore easier to automate than a complete controller redesign. B. Model of the Nominal and Faulty Plant The following information is given for the reconfiguration is modelled in problem. The nominal plant state–space form (1a) (1b) (1c) with the state , the input , the output and the initial state (see Fig. 3). The system matrices have , and corresponding dimensions: . The nominal plant is assumed to be stabilizable. Together with the nominal controller it forms a stable control loop (Fig. 1). No further assumptions have to be made; the system matrices are not required to have full rank.
1592
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
Fig. 4. Faulty plant.
Since actuator failures are considered, the faulty plant differs (Fig. 4). from the nominal plant in the input matrix The resulting model of the faulty plant is Fig. 5. Reconfiguration goal.
(2a) (2b) (2c) and a corresponding matrix with the input . The initial state is assumed to be identical to the . The input is available initial state of the nominal plant includes all available for reconfiguration. It is important that inputs to the plant, even the ones not used by the nominal controller. For the scope of this paper, it is assumed that the failed actuator has already been identified. Therefore, the model of the is known. This implies that the faulty plant reconfiguration solution is not applicable before the fault has been detected, which is a restriction shared by all active faulttolerant methods. C. Reconfiguration Goal Given the plant models, a virtual actuator has to be found, which restores the performance of the control loop despite of the fault (Fig. 2). The requirements are given in the terms of the closed-loop behaviour of the reconfigured plant. 1) The reconfigured loop has to be stable. 2) The output of the faulty plant in the reconfigured loop shall be the same as the output of the nominal plant in the nominal loop. Due to this second requirement it is possible to find a solution without knowing the behaviour of the controller. Since the input to the controller will be the same in the nominal and in the reconfigured control loop, so will be the output of the controller. However, because the controller is the same in the nominal and in the reconfigured loop, it is possible to restate the requirements in terms of the open-loop behaviour of the reconfigured plant. If the behaviour of the reconfigured plant is identical to that of the nominal plant, it follows that the behaviour of the reconfigured control loop is identical to that of the nominal loop. A similar argument can be made for the stability: given the identical behaviour, the stability of the reconfigured loop depends on the internal stability of its components and the stability of the nominal loop. Thus, the following two requirements on the reconfigured plant are sufficient for a successful reconfiguration.
Definition 1: A plant is called successfully reconfigured, if the system consisting of the virtual actuator and the faulty plant (“reconfigured plant”) satisfies the following two properties. 1) The reconfigured plant has the same behaviour as the nom, the output trajectories of inal plant. Given any input the reconfigured and the nominal plant are equal (Fig. 5)
(3) 2) The reconfigured plant is stabilizable: Hence
all hidden modes are stable
(4)
Three points are worth highlighting. First, even if a solution is will usufound and implemented, the state of the faulty plant ally differ from the state of the nominal plant . It was shown in [21] that many relevant reconfiguration problems are not solvable if both are required to be equal. Second, it follows from the requirements that this problem is not solvable if the faulty plant is not stabilizable. However, it is possible to treat a plant which is not fully controllable, if the uncontrollable part is stable. Third, as linear systems are considered here, it is not possible to deal directly with the problem of actuator saturation. Since this is an important practical problem, some reconfiguration approaches are mainly concerned with saturation [18]. The best approximation in a linear framework is to consider the required control energy. A low controllability Grammian (or the resulting high controller amplification) indicates that saturation issues are likely to appear. III. RECONFIGURATION USING A VIRTUAL ACTUATOR In this section, the required structure of the virtual actuator is deduced from the problem definition. Finding the parameters for this structure will lead to a disturbance decoupling problem, which is treated in the next section.
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1593
Fig. 6. Reconfigured plant based on a parallel model.
A. Parallel Model Consider the comparison of the output of the faulty plant with the output of the nominal model (shown in Fig. 5). The joint system is
Fig. 7. Reconfigured plant based on a difference model.
B. Difference Model In (7), both the feedback
(5a) (5b) (5c) (5d) (5e) disappear, a controller is Since the objective is to make introduced to make the faulty plant follow the behaviour of the nominal plant. The feedback term in the control law is based on the difference between the state of the nominal plant and the of the faulty plant. The feedforward term depends on state the nominal input . The resulting control law is
(6) and of appropriate dimensions. The system with matrixes including the control law (shown in Fig. 6) is described by the following equations:
(7a) (7b) (7c) (7d) (7e) (7f)
and The choice of the feedback and feedforward matrices is not an ordinary control problem. Instead, it belongs to the more difficult class of disturbance decoupling problems, which will be discussed in more detail in the next section.
(8) and the output (9) are related to the difference (10) Therefore, a state transformation
(11) instead of and keeps unis used, which introduces changed. This simplifies the system to the following set of equations: (12a) (12b) (12c) (12d) (12e) (12f) (12g) The corresponding structure is shown in Fig. 7. The state equation for represents the faulty plant, while the equation models the difference between the state of the nominal in
1594
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
plant and the faulty plant. This model together with the control law (6) is the virtual actuator
(13a) (13b) (13c) (13d) Note that the virtual actuator has the correct input and output signals as shown in Fig. 2. Based on this structure, the reconfiguration goals given in Definition 1 can now be stated in terms of the virtual actuator. has to be stable. 1) The state of the virtual actuator 2) The output deviation has to be zero for all time . and have to be chosen such that these two The parameters requirements are satisfied.
Fig. 8. Solution of the disturbance decoupling problem.
and can be used in the control law. It is a decoupling problem with stability, because the resulting system has to be stable. The solution of the disturbance decoupling problem is known to be a control law of the form (Fig. 8)
IV. RECONFIGURATION AS DISTURBANCE DECOUPLING PROBLEM This section shows that the choice of the parameters for the virtual actuator is a disturbance decoupling problem. Therefore, known methods can be applied to find these parameters, which then lead to the solution of the reconfiguration problem. A. Design of the Virtual Actuator as Disturbance Decoupling Reconfiguration goals 1) and 2) pose a disturbance decoupling problem for the system (13). In terms of disturbance decoupling, the nominal input is is the disturbance (because it is given), and the actual input the input used to decouple the output . Note that is also the output of the virtual actuator, but no requirement is based on this signal. Therefore, the disturbance decoupling problem can be formulated as follows. Problem 1: Disturbance decoupling Given: The system with inputs
and
and output
is known.
Find: An input trajectory depending on such that the output vanishes
which is in line with the results from the previous section. There are several methods for choosing the two parameter matrices and . As a state-space model is given here, the geometric approach provides a natural way to address the problem. In Section IV-B, the decoupling part of the problem is solved, and in Sections IV-C and IV-D the stabilisation of the decoupled system is treated. Sections IV-E and IV-F demonstrate how this solves the original reconfiguration problem. Remark: The disturbance decoupling problem is the dual problem to unknown input observation [2]. The latter is often used for fault-tolerant control of a plant with sensor faults and disturbance. It is difficult to define the duality between the reconfiguration problem after actuator faults and after sensor faults, because the boundary conditions are usually not symmetric. For a more in-depth treatment of this issue, cf. [21]. B. Solution of the Disturbance Decoupling Problem Using the Geometric Approach
(14a) (14b) (14c) where the input trajectory
(16)
and
(15) and the system is stable. This specific problem definition is known in literature as the known disturbance decoupling problem with stability (often abbreviated to DDP/S or DDPS). It is classified as a known disturbance decoupling problem, because the disturbance is known
The geometric approach to disturbance decoupling is centred around the notion of a controlled invariant subspace defined in [22]. A subspace is called invariant if the system state never leaves the subspace once it has entered it. It is called controlled invariant if there exists a state feedback such that the subspace is invariant. For the disturbance decoupling problem, the subspace to be . It has to be -infound is usually denoted by variant (also called controlled invariant) and it has to be con(unobservable). Additionally, the disturtained within bance has to be contained within this subspace. These three requirements can be formally written as
invariant unobservable undisturbed
and
(17a) (17b) (17c)
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1595
where “ ” denotes the image of a transformation (the set of ” denotes the kernel of a transpossible output values) and “ formation (the set of inputs without effect). The first condition guarantees that a control (shown by ) can be found to make the subspace invariant. It depends on the dynamics of the system as defined by . The second condition requires that all states within the subspace lead to a vanishing system output . The third condition means that even in the presence of disturbance (shown by ), the invariance of can be maintained. Lemma 1: The known DDP as specified in goal (15) can be solved if and only if there exists a such that the conditions (17) are met. This lemma implies that if and only if a subspace exists which solve the disturbance satisfying (17), matrices and decoupling problem can be calculated. Proofs can be found in [9] and [22]. The typical algorithm to solve the problem consists of two -invariant subspace in steps. First, the maximum is calculated. It can be found by iteratively removing any part which is not controlled invariant from
is prois constructed such that is an orthogonal matrix, , and the noninvariant subspace is projected onto jected onto . The transformed difference system is described by
(18a) (18b) (18c)
(23a) (23b)
steps Lemma 2: The series (18) becomes stationary after is the maximum subspace which and the resulting subspace satisfies both (17a) and (17b). The second step of the algorithm is to check whether the disturbance effect can be contained in the invariant subspace:
(19) If the result is positive, all requirements (17) are fulfilled and and can be suitable feedback and feedforward matrices generated as follows:
(20a) (20b) has to make the subspace invariant for the The choice of controlled autonomous system. Matrix has to be chosen in such a way that the disturbance effect is moved into this invariant subspace. Both existence conditions hold because they are equivalent to the decoupling properties (17a) and (17c). C. Analysis of the Decoupled System In order to simplify the system given by (14) and (16), the invariant subspace is split from the noninvariant part. For this purpose a state transformation
(21)
(22a) (22b) (22c) with the following matrix substitutions:
After the transformation, the requirements (20) for become
and
, , , and are submatrices occurring acwhere , act cording to the transformation. The submatrices , maps from the subvector , and upon the subvector is the coupling from the latter to the former. Expanding in (22) leads to this equation for
It follows from (23) that the submatrices vanish. Therefore, the subvector and
,
,
becomes autonomous. Since the initial state is zero, will always be zero and can be eliminated. The resulting reduced system is given by
(24a) (24b) (24c) can be deThese equations show how the free input termined from the reduced system state. The output equation means that the disturbance has been canceled out and that, therefore, the reconfiguration is successful. and have been found which Theorem 1: If two matrices satisfy (23), then the virtual actuator defined by (24) makes the reconfigured plant meet the requirement (3) for a successful reconfiguration.
1596
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
D. Stabilisation The remaining task is to stabilise the difference system. This is important, because the poles of the difference system remain hidden from the input–output behaviour of the reconfigured plant, which means that they are not stabilised by the nominal controller. Requiring both disturbance decoupling and stabilisation at the same time is a more difficult problem than reaching either property alone. The stabilisation can only be performed once the decoupling is done, because it depends on the remaining degrees of freedom in the input [9]. The first step is to determine the freedom in the choice of the , which has to satisfy (23a). Adding any feedback matrix matrix to does not affect this condition. For is introduced such that notational reasons a new matrix
(25) Assume that
satisfies (23a). Then
Fig. 9. Reconfigured plant.
(26) is an admissible feedback matrix for any . Therefore, the can be used for stabilisation. The autonomous dychoice of namics of the difference model depends on the poles of
It is possible to place the poles in the left half plane if and only if the pair
Given: Nominal and faulty plant
and
Find: A virtual actuator satisfying (3) and (4) using (18). 1) Find the maximum invariant subspace . 2) Use (21) to eliminate the noninvariant subspace 3) Find and according to (23). If no exists, (3) cannot be satisfied. by using (25). 4) Construct . 5) Use a controller design method to find If no stable solution exists, (4) is impossible. Result: The solution (24) and (26) (Fig. 9).
is stabilizable
(27)
Under this condition, any controller design approach can be used to find . The resulting feedback matrix is then used to implement the difference system (Fig. 9). If the decoupling requirements (17) and the stabilisation requirement are fulfilled, the reconfiguration problem is solved. is found for Theorem 2: If a stabilising feedback matrix the pair (27), then the virtual actuator (24) leads to a stabilizable reconfigured plant. Thus, the requirement (4) for a successful reconfiguration is fulfilled. Note that contrary to the initial structure (depicted in Fig. 7), . the difference system considered here has the reduced state The behavior is identical to the corresponding full difference system, because the removed part of the state–space does not contribute to the behavior of the system. E. Reconfiguration Algorithm The goal of the reconfiguration algorithm is to find a difference system such that both reconfiguration requirements (3) and (4) are fulfilled. To achieve this, the steps used in the previous derivation have to be performed in the following order. Algorithm 1: Reconfiguration after actuator failures
It follows from Theorems 1 and 2 that the resulting system satisfies the reconfiguration goal given in Definition 1. F. Proofs The reconfiguration goal in Definition 1 consists of two separate conditions. For this reason, the algorithm contains two conditions which have to be met, and the proof of the theorems above also has two parts. Proof: (For Theorem 1: The reconfigured plant behaves like the nominal plant.) Equations (2) and (24) describe the behavior of the reconfigured plant. By applying the state transformation
to the state of the faulty plant, the following model results: (28a) (28b) (28c) (28d)
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1597
Similarly to the step in (24) this model can be simplified by into two parts and by expanding splitting (29a) (29b) (29c) (29d) (29e) The model can be further simplified by introducing a new instead of state Fig. 10. Flight model.
Since vanishes according to (23), the part of the model is completely decoupled from the rest. The remaining part has the same behavior as the nominal system. The output trajectory is, therefore, identical if the initial conditions are
To keep the model as simple as possible, only one of the two main rotors is modelled, and the angular acceleration rate is considered the output of the system (although only the angular position is measurable). This reduces the system order from 7 to 3 without affecting the reconfiguration solution. The resulting model for the nominal case is
(30a) (30b) (30c)
Note that this condition is weaker than . Successful reconfiguration is still possible if the occurrence of the and the change is accounted for by fault changes the state of a corresponding value of with . Proof: (For Theorem 2: The reconfigured plant is stabilizable.) The hidden poles of the reconfigured plant are determined , and was chosen such that these poles by are stable. The remaining poles are identical to the poles of the nominal plant (see the aforementioned proof). Therefore, they are stabilised by the nominal controller. Consequently, the reconfigured control loop has poles in the left half plane only. V. APPLICATION EXAMPLE A. Reconfiguration Experiment The helicopter experiment described in [13] is used as an application example (Fig. 10). It consists of two main rotors positioned at the ends of a lever (Fig. 11). They can be rotated by two servo mechanisms, consisting of a motor, a sensor and a comparator/amplifier. In the reconfiguration experiment these servo mechanisms fails. The reconfiguration idea is to use the lateral instead, which are fixed, but speed controlled. Alrotors though they have different dynamics, the virtual actuator can generate the input signal required to produce exactly the intended effect (in terms of net momentum on the lever).
, the input , and the output mowith the state . The open-loop system has poles at mentum and 5. The fault case model is identical to the nominal model, but the main rotor servo is broken. This actuator failure is modelled by changing
to
The block diagram of the system and the position of the failed actuator is shown in Fig. 12. If no reconfiguration is performed, the system is completely uncontrolled. This is an important observation, which has two consequences. First, the fault detection and the reconfiguration algorithm have to be fast, because otherwise the system will leave the range of acceptable states. Second, because the system is unstable, the fault detection is rather simple. The faulty system will produce a trajectory that is markably different from its nominal behavior. In the complete system, the momentum is not directly measurable. Instead, the angular position of the lever (the double of the momentum) is measured and used by the integral phase lead (PD) controller to stabilise the system. For the purpose of the reduced plant model considered here, the double integrator can be considered as a part of the controller, leading to an integral controller. The controller acts on the servo input of
1598
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
Fig. 11. Sketch of the flight model.
This is the final without further iterations. The orthogonal state transformation
leads to
Fig. 12. Nominal control loop.
the plant in order to attenuate disturbances and to follow the reference trajectory. The goal of the reconfiguration is to achieve the same system behaviour without using the servo input (only using the lateral rotor input). The resulting difference model is given by
The requirements (23) for
and
which leads to the following parameters for the virtual actuator:
(31a) The system equations (24) for the virtual actuator become (31b) (31c) where denotes the disturbance. The goal is to find an input vector such that the output vector remains all zero for every disturbance trajectory . B. Constructive Solution The first step is to find the maximum invariant unobservable subspace with respect to the input and the output . The iteration starts with the unobservable subspace
The stabilization part is trivial. It is obvious that and therefore holds. That is, no input variable is available for stabilization. Fortunately, the autonomous system matrix
has only stable eigenvalues . So the uncontrollable part is stable, and therefore the faulty plant is still stabilizable.
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1599
Fig. 13. Reconfigured control loop.
Fig. 15. Simulation and experiment: response of the reconfigured loop.
C. Experimental Results
Fig. 14. Simulation and experiment: response of the nominal loop.
The reconfigured control loop is shown in Fig. 13. The block diagram shows that a different signal path is used to control the system (lateral rotors instead of main rotors). The virtual actuator is necessary because the new signal path has a different transfer function. With the virtual actuator, the transfer function of the new signal path is identical to the transfer function of the original signal path. Both are
The result can easily be verified numerically to satisfy the reconfiguration goals from Definition 1. The simulation results using a linear system model are shown in the top half of Figs. 14 and 15. The output trajectory of the nominal control loop and of the reconfigured control loop are exactly identical within the numerical accuracy of the simulation. The practical test of the virtual actuator is more challenging, because the real experiment shows many effects which are not captured in the simple linear model. The result of the experiment for the nominal system is shown in the bottom half of Fig. 15. The input trajectory , the state of the servo mechanism and the lever position (which is a double integral of ) are shown in the graph. The behaviour is close to the simulation results, although there is a noticeable steady-state deviation caused by sticky friction. The corresponding experimental result for the reconfigured control loop is shown in the bottom half of Fig. 14. The graph (which is nearly shows the input of the reconfigured plant of the faulty identical to the nominal input), the actual input plant and the position of the lever. Since the servo does not is not shown here. move, its position The graphs show that the output of the reconfigured loop matches the output of the nominal loop very closely. The slight differences are the result of input saturation. The control signal
1600
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
coming from the virtual actuator goes up to about 1.8, while the physical system leaves the linear range around 0.7. The stability of the system is not affected, only the response time is slightly increased due to the physical limitations. In other applications it was sometimes found necessary to implement anti wind-up measures in order to keep the system stable in spite of the input saturation. It is also interesting to see that the high amplification of the virtual actuator leads to an amplification of the measurement noise. This is partly caused by the nominal system structure: As the momentum cannot be measured, it has to be deduced from the lever position by double differentiation, which significantly increases the measurement noise. In the reconfigured system, the noise gets amplified again by the virtual actuator, which has a high amplification in order to compensate for the slower response of the lateral rotors. The results also show that the lateral rotors have a preferred direction: They are more effective in the backward movement than forward. This leads to very little overshoot in the forward movement, but a very significant overshoot after the backward swing. The overall control performance is still very impressive, considering the tight input limits and the nonlinearity of the lateral rotors.
VI. CONCLUSION This paper has developed a method for online reconfiguration of the control after the occurrence of actuator failures. The reconfiguration problem has been stated in two different ways. The original formulation contains requirements for the reconfigured control loop. These have been translated into requirements concerning the open-loop behaviour of the reconfigured plant. By applying a state transformation, the reconfiguration problem can be transformed into a disturbance decoupling problem with stability. Hence, known theoretical results can be applied to find the solution of the reconfiguration problem. The solution is called a virtual actuator, because it is a block which takes the signal for the broken actuators as input and produces the intended effects on the output of the plant by using the remaining actuators. The two design parameters of the virtual actuator can be found using known approaches to the disturbance decoupling problem. The algorithm presented here follows the geometric approach, which leads to a state transformation that splits the system into two parts. The first part is relevant for the decoupling, and suitable feedback and feedforward matrices are generated. The second part forms a classical state feedback controller design problem, which can be solved using any suitable method. By putting both parts together, suitable parameters can be found for the virtual actuator to reconfigure the control loop. It has been shown that the algorithm is complete in the sense that it finds a solution as long as this reconfiguration problem is solvable. The approach has also been demonstrated to solve a challenging practical reconfiguration experiment.
REFERENCES [1] B. Heiming and J. Lunze, “Control reconfiguration: The COSY benchmark problem and its solution by means of a qualitative model,” presented at the European Control Conf. Karlsruhe, Germany, 1999, CM-5, F1039-3. [2] G. Basile and G. Marro, Controlled and Conditioned Invariants in Linear System Theory. Upper Saddle River, NJ: Prentice-Hall, 1992 [Online]. Available: http://www.deis.unibo.it/Staff/FullProf/GiovanniMarro/gm_books.htm [3] M. Blanke, C. W. Frei, F. Kraus, R. J. Patton, and M. Staroswiecki, “What is fault-tolerant control?,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection and Safety for Technical Processes, 2000, pp. 40–51. [4] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Diagnosis and Fault-Tolerant Control. New York: Springer-Verlag, 2003. [5] S. Chen, G. Tao, and S. M. Joshi, “On matching conditions for adaptive state tracking control of systems with actuator failures,” IEEE Trans. Autom. Control, vol. 47, no. 3, pp. 473–478, Mar. 2002. [6] V. Dardinier-Maron, H. Noura, and F. Hamelin, “Reconfiguration against major actuator failures,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection and Safety for Technical Processes, 2000, pp. 762–767. [7] Z. Gao and P. J. Antsaklis, “Stability of the pseudo-inverse method for reconfigurable control systems,” Int. J. Control, vol. 53, no. 3, pp. 717–729, 1991. [8] A. Gehin, M. Assas, and M. Staroswiecki, “Structural analysis of system reconfigurability,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection and Safety for Technical Processes, 2000, pp. 292–297. [9] X. Hu, A. Lindquist, J. Mari, and J. Sand, Geometric Systems Theory—Lecture Notes. Stockholm, Sweden: Royal Inst. Technol., 2003. [10] P. Ioannou, Robust Adaptive Control. Upper Saddle River, NJ: Prentice-Hall, 1996. [11] S. Kanev and M. Verhaegen, “Reconfigurable robust fault-tolerant control and state estimation,” presented at the 15th IFAC World Congr., Barcelona, Spain, 2002, T-Fr-A10, 2542. [12] M. Morari, E. C. Kerrigan, A. Bemporad, D. Mignone, and J. M. Maciejowski, “Multi-objective prioritisation and reconfiguration for the control of constrained hybrid systems,” presented at the Amer. Control Conf., 2000, ACC00-IEEE1027. [13] J. Lunze, D. Rowe-Serrano, and T. Steffen, “Control reconfiguration demonstrated at a two-degrees-of-freedom helicopter model,” in Proc. European Control Conf., Cambridge, U.K., 2003. [14] J. Lunze and T. Steffen, “Reconfigurable control of a quantised system,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection, 2000, pp. 822–827. [15] ——, “Hybrid reconfigurable control,” in Modelling, Analysis and Design of Hybrid Systems. Berlin, Germany: Springer-Verlag, 2002, pp. 267–284. [16] J. Lunze and T. Steffen, “Control reconfiguration by means of a virtual actuator,” in Proc. SAFEPROCESS 2003: 5th Symp. Fault Detection and Safety for Technical Processes, 2003, pp. 133–138. [17] ——, “Rekonfiguration linearer Systeme bei Sensor- und Aktorausfall,” Automatisierungstechnik (at), vol. 51, no. 2, pp. 60–68, 2003. [18] J. Maciejowski, Predictive Control With Constraints. Upper Saddle River: Prentice-Hall, 2002. [19] T. Pasternak, “Reconfiguration in hierarchical control of piecewiseaffine systems,” in Hybrid Systems Computation and Control. New York: Springer-Verlag, 2002, vol. 2289, Lecture Notes in Computer Science, pp. 364–377. [20] M. Staroswiecki, “On reconfigurability with respect to actuator failures,” presented at the 15th IFAC World Congr., Barcelona, Spain, 2002, T-Tu-M10, 775. [21] T. Steffen, Control Reconfiguration of Dynamical Systems: Linear Approaches and Structural Tests. Berlin, Germany: Springer-Verlag, 2005. [22] W. M. Wonham, Linear Multivariable Control—A Geometric Approach. New York: Springer-Verlag, 1985. [23] W. M. Wonham and A. S. Morse, “Decoupling and pole assignment in linear multivariable systems: a geometric approach,” SIAM J. Control, vol. 8, pp. 1–18, Feb. 1970. [24] Z. Yang, R. Izadi-Zamanabadi, and M. Blanke, “On-line multiple-model based adaptive control reconfiguration for a class of non-linear control systems,” in Proceedings of the SAFEPROCESS 2000: 4th Symposium on Fault Detection and Safety for Technical Processes, 2000, pp. 745–750.
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
Jan Lunze (A’93–M’04) was born in Dresden, Germany. He received the diploma in automatic control, the Ph.D. degree, and the Dr.Sc. degree (Habilitation), all from the Technical University Ilmenau, Ilmenau, Germany, in 1974, 1980, and 1983, respectively. From 1974 to 1992, he was a Research Associate and later Professor of Automatic Control at the Academy of Sciences in Dresden, Germany. From 1992 to 2001, he was Professor of Control Engineering at the Technical University Hamburg-Harburg, Germany, and since 2002, he has been Head of the Institute of Automation and Computer Control of the Ruhr-University Bochum, Germany, where he teaches systems and control theory. His research interests are in linear control theory, particularly in the fields of robust control and large-scale systems, in hybrid systems, discrete-event systems and in applications of knowledge processing to dynamical systems. Currently, his research is focused on qualitative modelling, fault diagnosis and process control applications of robust and decentralised control. He is author and/or coauthor of numerous papers and of several books, including Robust Multivariable Feedback Control (Prentice-Hall, 1988), Feedback Control of Large-Scale Systems (Prentice-Hall,
1601
1992), Künstliche Intelligenz für Ingenieure (Oldenbourg, 1994), Regelungstechnik (Springer, 1996), Automatisierungstechnik (Oldenbourg, 2003), and Diagnosis and Fault-Tolerant Control (Springer, 2003).
Thomas Steffen was born in Germany in 1975. He received the degree as “Dipl.-Ing.” in electrical engineering from the Technical University of Ilmenau, Ilmenau, Germany, in 1999, and the Ph.D. degree from the Ruhr-Universität Bochum, Germany, in 2005. He studied at UMIST, Manchester, U.K., during the accademic year 1996–1997, and he worked at the Technical University of Hamburg-Harburg, Germany, from 1999 to 2001. Since 2004, he has been working on message routers for mobile networks at mBalance (international) BV, Amsterdam, The Netherlands. His research interests include the geometric approach, optimal control, rapid prototyping, networking technologies, structural analysis, and stochastic processes.
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
Control Reconfiguration After Actuator Failures Using Disturbance Decoupling Methods Jan Lunze, Member, IEEE, and Thomas Steffen
Abstract—This paper addresses the control of a system after an actuator has failed: A reconfiguration of the control structure is sought which keeps the system operational. The goal is to find a different set of actuators for controlling the plant and to use them in such a way that the plant output is identical to the output of the nominal closed-loop system. It is further required that the nominal controller remains part of the reconfigured control loop. This paper shows that this reconfiguration problem is equivalent to a disturbance decoupling problem which is solved by means of the geometric approach. The resulting solution is a reconfiguration block, which generates suitable inputs for the faulty plant based on the output of the nominal controller. The feasibility of this approach is demonstrated by a physical experiment with a helicopter model.
Compared to previous treatments, the approach presented here differs with respect to the pursued goal and to its implementation. The objective is to precisely reproduce the output trajectory of the system despite of actuator failures. The approach leads to a unique separation of the reconfiguration problem into two parts. The first part is the control of the nominal plant, for which the nominal controller can be used. The second part refers to the reconfiguration by means of a disturbance decoupling problem, which can be solved in real time. Thus, the approach can be used to find a solution online, after the fault has been detected. No manual intervention is necessary, and no predesigned alternative controller is required.
Index Terms—Actuator faults, disturbance decoupling, fault-tolerant control (FTC), linear control, reconfiguration.
A. Literature
I. INTRODUCTION ECHNICAL systems are invariably subject to faults. In a controlled system, the effect of the fault can be spread through the control loop and affect parts of the system which are not directly connected to the location of the fault. This can render the system inoperable until the fault is repaired, causing an expensive downtime. The field of fault-tolerant control deals with this situation. Several solutions have been elaborated [4]. The passive approach uses a robust controller, which ensures the closed-loop stability and satisfactory performance under a number of fault cases (usually at the cost of nominal control performance). The active approach changes the controller parameters and, if necessary, the control configuration in response to the fault. Control reconfiguration includes the selection of new actuators or sensors and the redesign of the control law with respect to the new control configuration. This approach is investigated here for actuator failures that make one or more actuators completely inoperable and, hence, render the control loop ineffective. The reconfiguration has to close the control loop by means of actuators that have not been used in the nominal control loop.
T
Manuscript received February 4, 2004; revised February 18, 2005. Recommended by Associate Editor M. A. Demetriou. This work was supported by the Deutsche Forschungsgemeinschaft under Grant Lu462/14. J. Lunze is with the Institute of Automation and Computer Control, RuhrUniversität Bochum, 44780 Bochum, Germany (e-mail: [email protected]). T. Steffen was with the Institute of Automation and Computer Control, RuhrUniversität Bochum, 44780 Bochum, Germany. He is now with mBalance, 1105 BJ Amsterdam ZO, The Netherlands (e-mail: [email protected]). Color versions of Figures 3–7, 9, 10, and 12–15 are available online at http:// ieeexplore.ieee.org. Digital Object Identifier 10.1109/TAC.2006.882938
Fault-tolerant control is currently an important research area. It involves both the detection of faults and the reconfiguration of the control structure (or a similar countermeasure). Historically, the first approach to the reconfiguration problem was the pseudoinverse method [7]. It is applicable both to actuator and to sensors faults, but it can only provide an approximation of the nominal system matrix. The result may not be stable, and additional steps are necessary to guarantee stability. Model-matching methods can solve the stabilisation, as shown in [5]. However, because this approach relies on the transfer function of the system, the mathematical treatment is complex, and the resulting algorithms are difficult to implement. The system property of reconfigurability has been treated only recently. A structural analysis can be found in [8], and a related analysis based on the control energy of linear state-space systems is developed in [20]. A detailed study of the reconfigurability after faults in discrete actuators can be found in [11]. The latter two references are especially interesting because they cover actuator limits. For every isolated fault, it is possible to solve the reconfiguration problem by redesigning a new controller for the faulty system. In [11], [13], and [18] it is shown that an optimal controller can be redesigned with the same optimisation problem as in the nominal case. The same idea has also been applied to hybrid systems, as detailed in [19] and [12]. However, the redesign step becomes too complex for the application to large systems. For more complex systems, it is possible to predesign controllers for the anticipated fault cases, and switch to the corresponding controller once a fault is detected. Both [3] and [24] demonstrate the feasibility of this approach. This paper builds on the state–space analysis. By keeping the nominal controller in the loop, a complete controller redesign is made unnecessary. This becomes possible by using a virtual actuator as introduced in [4], [15], and [16]. It has already been
0018-9286/$20.00 © 2006 IEEE
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
demonstrated that the virtual actuator can be designed and applied automatically after the fault has been detected. What sets this paper apart from earlier work on the virtual actuator is the pursued goal: The objective for the virtual actuator design is to reproduce the output trajectory of the plant. In this, it is similar to the model-matching approach, but it is formulated and solved completely in state space. Due to this goal, the considered reconfiguration problem belongs to the class of problems defined by the “disturbance decoupling problem” (DDP). The classical solution to DDP, based on the geometric approach, is presented in [23]. Previous work [13], [14], [17] has explored different formulations of the reconfiguration problem and the resulting solutions. Several of the recent approaches to reconfiguration have been applied to the Three-Tank Benchmark Problem defined in [1]. The reconfiguration approach can be simplified if it is assumed that the fault affects only the parameters of the system, but it does not significantly change its structure. In that case, adaptive control has been shown to keep the control loop stable in [10]. However, for major actuator faults as described in [6], adaptive control is not a suitable solution.
1591
Fig. 1. Nominal control loop.
Fig. 2. Reconfigured control loop.
B. Overview In Section II, the reconfiguration problem considered in this paper is defined. In Section III, the reconfiguration problem is transformed into a disturbance decoupling problem. Since this is a well studied problem, known solutions can be used. In Section IV, the geometric approach to disturbance decoupling is summarised. The result can be used to find the solution to the original reconfiguration problem using an inverse transformation. In Section V, the results of this paper are applied to a physical helicopter model. The reconfiguration approach is illustrated step by step, and the reconfiguration solution is tested in a simulation and in a physical experiment. II. THE RECONFIGURATION PROBLEM A. The Idea of a Virtual Actuator The aim of control reconfiguration is to prevent a fault in one component (like an actuator) from causing a failure of the whole system. Without reconfiguration, actuator faults can lead to a disruption of the normal operation, which may require a shutdown or even cause physical damage. The approach presented here aims at canceling the effect of the fault before it reaches the output of the plant. The only way to do this is by changing some inputs of the plant (see Figs. 1 and 2). The idea followed in this paper is to place a block between the controller output and the vector of all available actuators. Since the goal of this block is to generate a signal which has the same effect as the broken actuator would have in the nominal system, the block is called a virtual actuator. If the virtual actuator is successful, the behaviour of the reconfigured plant, which consists of the faulty plant and the virtual actuator, is indistinguishable from the nominal plant. Therefore, the nominal controller can be used to control the reconfigured plant. As a consequence, the virtual actuator can be designed based on the open-loop behaviour, although its purpose
Fig. 3. Nominal plant.
is to work in a closed-loop system. Therefore, the reconfiguration problem will be restated in terms of the open-loop system. While this approach may seem more complex, it has a significant advantage over the redesign of the controller. Typically, the controller design is a lengthy process, which involves several cycles of deriving and testing new controller parameters. Thus, the redesign cannot be performed on-line after the fault has been discovered. Here, the virtual actuator is used in addition to the original controller. The knowledge accumulated in the controller during its design is preserved and the reconfigured control loop can leverage on it. The design of the virtual actuator itself has a much more limited scope. It presents fewer degrees of freedom and it is therefore easier to automate than a complete controller redesign. B. Model of the Nominal and Faulty Plant The following information is given for the reconfiguration is modelled in problem. The nominal plant state–space form (1a) (1b) (1c) with the state , the input , the output and the initial state (see Fig. 3). The system matrices have , and corresponding dimensions: . The nominal plant is assumed to be stabilizable. Together with the nominal controller it forms a stable control loop (Fig. 1). No further assumptions have to be made; the system matrices are not required to have full rank.
1592
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
Fig. 4. Faulty plant.
Since actuator failures are considered, the faulty plant differs (Fig. 4). from the nominal plant in the input matrix The resulting model of the faulty plant is Fig. 5. Reconfiguration goal.
(2a) (2b) (2c) and a corresponding matrix with the input . The initial state is assumed to be identical to the . The input is available initial state of the nominal plant includes all available for reconfiguration. It is important that inputs to the plant, even the ones not used by the nominal controller. For the scope of this paper, it is assumed that the failed actuator has already been identified. Therefore, the model of the is known. This implies that the faulty plant reconfiguration solution is not applicable before the fault has been detected, which is a restriction shared by all active faulttolerant methods. C. Reconfiguration Goal Given the plant models, a virtual actuator has to be found, which restores the performance of the control loop despite of the fault (Fig. 2). The requirements are given in the terms of the closed-loop behaviour of the reconfigured plant. 1) The reconfigured loop has to be stable. 2) The output of the faulty plant in the reconfigured loop shall be the same as the output of the nominal plant in the nominal loop. Due to this second requirement it is possible to find a solution without knowing the behaviour of the controller. Since the input to the controller will be the same in the nominal and in the reconfigured control loop, so will be the output of the controller. However, because the controller is the same in the nominal and in the reconfigured loop, it is possible to restate the requirements in terms of the open-loop behaviour of the reconfigured plant. If the behaviour of the reconfigured plant is identical to that of the nominal plant, it follows that the behaviour of the reconfigured control loop is identical to that of the nominal loop. A similar argument can be made for the stability: given the identical behaviour, the stability of the reconfigured loop depends on the internal stability of its components and the stability of the nominal loop. Thus, the following two requirements on the reconfigured plant are sufficient for a successful reconfiguration.
Definition 1: A plant is called successfully reconfigured, if the system consisting of the virtual actuator and the faulty plant (“reconfigured plant”) satisfies the following two properties. 1) The reconfigured plant has the same behaviour as the nom, the output trajectories of inal plant. Given any input the reconfigured and the nominal plant are equal (Fig. 5)
(3) 2) The reconfigured plant is stabilizable: Hence
all hidden modes are stable
(4)
Three points are worth highlighting. First, even if a solution is will usufound and implemented, the state of the faulty plant ally differ from the state of the nominal plant . It was shown in [21] that many relevant reconfiguration problems are not solvable if both are required to be equal. Second, it follows from the requirements that this problem is not solvable if the faulty plant is not stabilizable. However, it is possible to treat a plant which is not fully controllable, if the uncontrollable part is stable. Third, as linear systems are considered here, it is not possible to deal directly with the problem of actuator saturation. Since this is an important practical problem, some reconfiguration approaches are mainly concerned with saturation [18]. The best approximation in a linear framework is to consider the required control energy. A low controllability Grammian (or the resulting high controller amplification) indicates that saturation issues are likely to appear. III. RECONFIGURATION USING A VIRTUAL ACTUATOR In this section, the required structure of the virtual actuator is deduced from the problem definition. Finding the parameters for this structure will lead to a disturbance decoupling problem, which is treated in the next section.
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1593
Fig. 6. Reconfigured plant based on a parallel model.
A. Parallel Model Consider the comparison of the output of the faulty plant with the output of the nominal model (shown in Fig. 5). The joint system is
Fig. 7. Reconfigured plant based on a difference model.
B. Difference Model In (7), both the feedback
(5a) (5b) (5c) (5d) (5e) disappear, a controller is Since the objective is to make introduced to make the faulty plant follow the behaviour of the nominal plant. The feedback term in the control law is based on the difference between the state of the nominal plant and the of the faulty plant. The feedforward term depends on state the nominal input . The resulting control law is
(6) and of appropriate dimensions. The system with matrixes including the control law (shown in Fig. 6) is described by the following equations:
(7a) (7b) (7c) (7d) (7e) (7f)
and The choice of the feedback and feedforward matrices is not an ordinary control problem. Instead, it belongs to the more difficult class of disturbance decoupling problems, which will be discussed in more detail in the next section.
(8) and the output (9) are related to the difference (10) Therefore, a state transformation
(11) instead of and keeps unis used, which introduces changed. This simplifies the system to the following set of equations: (12a) (12b) (12c) (12d) (12e) (12f) (12g) The corresponding structure is shown in Fig. 7. The state equation for represents the faulty plant, while the equation models the difference between the state of the nominal in
1594
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
plant and the faulty plant. This model together with the control law (6) is the virtual actuator
(13a) (13b) (13c) (13d) Note that the virtual actuator has the correct input and output signals as shown in Fig. 2. Based on this structure, the reconfiguration goals given in Definition 1 can now be stated in terms of the virtual actuator. has to be stable. 1) The state of the virtual actuator 2) The output deviation has to be zero for all time . and have to be chosen such that these two The parameters requirements are satisfied.
Fig. 8. Solution of the disturbance decoupling problem.
and can be used in the control law. It is a decoupling problem with stability, because the resulting system has to be stable. The solution of the disturbance decoupling problem is known to be a control law of the form (Fig. 8)
IV. RECONFIGURATION AS DISTURBANCE DECOUPLING PROBLEM This section shows that the choice of the parameters for the virtual actuator is a disturbance decoupling problem. Therefore, known methods can be applied to find these parameters, which then lead to the solution of the reconfiguration problem. A. Design of the Virtual Actuator as Disturbance Decoupling Reconfiguration goals 1) and 2) pose a disturbance decoupling problem for the system (13). In terms of disturbance decoupling, the nominal input is is the disturbance (because it is given), and the actual input the input used to decouple the output . Note that is also the output of the virtual actuator, but no requirement is based on this signal. Therefore, the disturbance decoupling problem can be formulated as follows. Problem 1: Disturbance decoupling Given: The system with inputs
and
and output
is known.
Find: An input trajectory depending on such that the output vanishes
which is in line with the results from the previous section. There are several methods for choosing the two parameter matrices and . As a state-space model is given here, the geometric approach provides a natural way to address the problem. In Section IV-B, the decoupling part of the problem is solved, and in Sections IV-C and IV-D the stabilisation of the decoupled system is treated. Sections IV-E and IV-F demonstrate how this solves the original reconfiguration problem. Remark: The disturbance decoupling problem is the dual problem to unknown input observation [2]. The latter is often used for fault-tolerant control of a plant with sensor faults and disturbance. It is difficult to define the duality between the reconfiguration problem after actuator faults and after sensor faults, because the boundary conditions are usually not symmetric. For a more in-depth treatment of this issue, cf. [21]. B. Solution of the Disturbance Decoupling Problem Using the Geometric Approach
(14a) (14b) (14c) where the input trajectory
(16)
and
(15) and the system is stable. This specific problem definition is known in literature as the known disturbance decoupling problem with stability (often abbreviated to DDP/S or DDPS). It is classified as a known disturbance decoupling problem, because the disturbance is known
The geometric approach to disturbance decoupling is centred around the notion of a controlled invariant subspace defined in [22]. A subspace is called invariant if the system state never leaves the subspace once it has entered it. It is called controlled invariant if there exists a state feedback such that the subspace is invariant. For the disturbance decoupling problem, the subspace to be . It has to be -infound is usually denoted by variant (also called controlled invariant) and it has to be con(unobservable). Additionally, the disturtained within bance has to be contained within this subspace. These three requirements can be formally written as
invariant unobservable undisturbed
and
(17a) (17b) (17c)
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1595
where “ ” denotes the image of a transformation (the set of ” denotes the kernel of a transpossible output values) and “ formation (the set of inputs without effect). The first condition guarantees that a control (shown by ) can be found to make the subspace invariant. It depends on the dynamics of the system as defined by . The second condition requires that all states within the subspace lead to a vanishing system output . The third condition means that even in the presence of disturbance (shown by ), the invariance of can be maintained. Lemma 1: The known DDP as specified in goal (15) can be solved if and only if there exists a such that the conditions (17) are met. This lemma implies that if and only if a subspace exists which solve the disturbance satisfying (17), matrices and decoupling problem can be calculated. Proofs can be found in [9] and [22]. The typical algorithm to solve the problem consists of two -invariant subspace in steps. First, the maximum is calculated. It can be found by iteratively removing any part which is not controlled invariant from
is prois constructed such that is an orthogonal matrix, , and the noninvariant subspace is projected onto jected onto . The transformed difference system is described by
(18a) (18b) (18c)
(23a) (23b)
steps Lemma 2: The series (18) becomes stationary after is the maximum subspace which and the resulting subspace satisfies both (17a) and (17b). The second step of the algorithm is to check whether the disturbance effect can be contained in the invariant subspace:
(19) If the result is positive, all requirements (17) are fulfilled and and can be suitable feedback and feedforward matrices generated as follows:
(20a) (20b) has to make the subspace invariant for the The choice of controlled autonomous system. Matrix has to be chosen in such a way that the disturbance effect is moved into this invariant subspace. Both existence conditions hold because they are equivalent to the decoupling properties (17a) and (17c). C. Analysis of the Decoupled System In order to simplify the system given by (14) and (16), the invariant subspace is split from the noninvariant part. For this purpose a state transformation
(21)
(22a) (22b) (22c) with the following matrix substitutions:
After the transformation, the requirements (20) for become
and
, , , and are submatrices occurring acwhere , act cording to the transformation. The submatrices , maps from the subvector , and upon the subvector is the coupling from the latter to the former. Expanding in (22) leads to this equation for
It follows from (23) that the submatrices vanish. Therefore, the subvector and
,
,
becomes autonomous. Since the initial state is zero, will always be zero and can be eliminated. The resulting reduced system is given by
(24a) (24b) (24c) can be deThese equations show how the free input termined from the reduced system state. The output equation means that the disturbance has been canceled out and that, therefore, the reconfiguration is successful. and have been found which Theorem 1: If two matrices satisfy (23), then the virtual actuator defined by (24) makes the reconfigured plant meet the requirement (3) for a successful reconfiguration.
1596
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
D. Stabilisation The remaining task is to stabilise the difference system. This is important, because the poles of the difference system remain hidden from the input–output behaviour of the reconfigured plant, which means that they are not stabilised by the nominal controller. Requiring both disturbance decoupling and stabilisation at the same time is a more difficult problem than reaching either property alone. The stabilisation can only be performed once the decoupling is done, because it depends on the remaining degrees of freedom in the input [9]. The first step is to determine the freedom in the choice of the , which has to satisfy (23a). Adding any feedback matrix matrix to does not affect this condition. For is introduced such that notational reasons a new matrix
(25) Assume that
satisfies (23a). Then
Fig. 9. Reconfigured plant.
(26) is an admissible feedback matrix for any . Therefore, the can be used for stabilisation. The autonomous dychoice of namics of the difference model depends on the poles of
It is possible to place the poles in the left half plane if and only if the pair
Given: Nominal and faulty plant
and
Find: A virtual actuator satisfying (3) and (4) using (18). 1) Find the maximum invariant subspace . 2) Use (21) to eliminate the noninvariant subspace 3) Find and according to (23). If no exists, (3) cannot be satisfied. by using (25). 4) Construct . 5) Use a controller design method to find If no stable solution exists, (4) is impossible. Result: The solution (24) and (26) (Fig. 9).
is stabilizable
(27)
Under this condition, any controller design approach can be used to find . The resulting feedback matrix is then used to implement the difference system (Fig. 9). If the decoupling requirements (17) and the stabilisation requirement are fulfilled, the reconfiguration problem is solved. is found for Theorem 2: If a stabilising feedback matrix the pair (27), then the virtual actuator (24) leads to a stabilizable reconfigured plant. Thus, the requirement (4) for a successful reconfiguration is fulfilled. Note that contrary to the initial structure (depicted in Fig. 7), . the difference system considered here has the reduced state The behavior is identical to the corresponding full difference system, because the removed part of the state–space does not contribute to the behavior of the system. E. Reconfiguration Algorithm The goal of the reconfiguration algorithm is to find a difference system such that both reconfiguration requirements (3) and (4) are fulfilled. To achieve this, the steps used in the previous derivation have to be performed in the following order. Algorithm 1: Reconfiguration after actuator failures
It follows from Theorems 1 and 2 that the resulting system satisfies the reconfiguration goal given in Definition 1. F. Proofs The reconfiguration goal in Definition 1 consists of two separate conditions. For this reason, the algorithm contains two conditions which have to be met, and the proof of the theorems above also has two parts. Proof: (For Theorem 1: The reconfigured plant behaves like the nominal plant.) Equations (2) and (24) describe the behavior of the reconfigured plant. By applying the state transformation
to the state of the faulty plant, the following model results: (28a) (28b) (28c) (28d)
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1597
Similarly to the step in (24) this model can be simplified by into two parts and by expanding splitting (29a) (29b) (29c) (29d) (29e) The model can be further simplified by introducing a new instead of state Fig. 10. Flight model.
Since vanishes according to (23), the part of the model is completely decoupled from the rest. The remaining part has the same behavior as the nominal system. The output trajectory is, therefore, identical if the initial conditions are
To keep the model as simple as possible, only one of the two main rotors is modelled, and the angular acceleration rate is considered the output of the system (although only the angular position is measurable). This reduces the system order from 7 to 3 without affecting the reconfiguration solution. The resulting model for the nominal case is
(30a) (30b) (30c)
Note that this condition is weaker than . Successful reconfiguration is still possible if the occurrence of the and the change is accounted for by fault changes the state of a corresponding value of with . Proof: (For Theorem 2: The reconfigured plant is stabilizable.) The hidden poles of the reconfigured plant are determined , and was chosen such that these poles by are stable. The remaining poles are identical to the poles of the nominal plant (see the aforementioned proof). Therefore, they are stabilised by the nominal controller. Consequently, the reconfigured control loop has poles in the left half plane only. V. APPLICATION EXAMPLE A. Reconfiguration Experiment The helicopter experiment described in [13] is used as an application example (Fig. 10). It consists of two main rotors positioned at the ends of a lever (Fig. 11). They can be rotated by two servo mechanisms, consisting of a motor, a sensor and a comparator/amplifier. In the reconfiguration experiment these servo mechanisms fails. The reconfiguration idea is to use the lateral instead, which are fixed, but speed controlled. Alrotors though they have different dynamics, the virtual actuator can generate the input signal required to produce exactly the intended effect (in terms of net momentum on the lever).
, the input , and the output mowith the state . The open-loop system has poles at mentum and 5. The fault case model is identical to the nominal model, but the main rotor servo is broken. This actuator failure is modelled by changing
to
The block diagram of the system and the position of the failed actuator is shown in Fig. 12. If no reconfiguration is performed, the system is completely uncontrolled. This is an important observation, which has two consequences. First, the fault detection and the reconfiguration algorithm have to be fast, because otherwise the system will leave the range of acceptable states. Second, because the system is unstable, the fault detection is rather simple. The faulty system will produce a trajectory that is markably different from its nominal behavior. In the complete system, the momentum is not directly measurable. Instead, the angular position of the lever (the double of the momentum) is measured and used by the integral phase lead (PD) controller to stabilise the system. For the purpose of the reduced plant model considered here, the double integrator can be considered as a part of the controller, leading to an integral controller. The controller acts on the servo input of
1598
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
Fig. 11. Sketch of the flight model.
This is the final without further iterations. The orthogonal state transformation
leads to
Fig. 12. Nominal control loop.
the plant in order to attenuate disturbances and to follow the reference trajectory. The goal of the reconfiguration is to achieve the same system behaviour without using the servo input (only using the lateral rotor input). The resulting difference model is given by
The requirements (23) for
and
which leads to the following parameters for the virtual actuator:
(31a) The system equations (24) for the virtual actuator become (31b) (31c) where denotes the disturbance. The goal is to find an input vector such that the output vector remains all zero for every disturbance trajectory . B. Constructive Solution The first step is to find the maximum invariant unobservable subspace with respect to the input and the output . The iteration starts with the unobservable subspace
The stabilization part is trivial. It is obvious that and therefore holds. That is, no input variable is available for stabilization. Fortunately, the autonomous system matrix
has only stable eigenvalues . So the uncontrollable part is stable, and therefore the faulty plant is still stabilizable.
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
1599
Fig. 13. Reconfigured control loop.
Fig. 15. Simulation and experiment: response of the reconfigured loop.
C. Experimental Results
Fig. 14. Simulation and experiment: response of the nominal loop.
The reconfigured control loop is shown in Fig. 13. The block diagram shows that a different signal path is used to control the system (lateral rotors instead of main rotors). The virtual actuator is necessary because the new signal path has a different transfer function. With the virtual actuator, the transfer function of the new signal path is identical to the transfer function of the original signal path. Both are
The result can easily be verified numerically to satisfy the reconfiguration goals from Definition 1. The simulation results using a linear system model are shown in the top half of Figs. 14 and 15. The output trajectory of the nominal control loop and of the reconfigured control loop are exactly identical within the numerical accuracy of the simulation. The practical test of the virtual actuator is more challenging, because the real experiment shows many effects which are not captured in the simple linear model. The result of the experiment for the nominal system is shown in the bottom half of Fig. 15. The input trajectory , the state of the servo mechanism and the lever position (which is a double integral of ) are shown in the graph. The behaviour is close to the simulation results, although there is a noticeable steady-state deviation caused by sticky friction. The corresponding experimental result for the reconfigured control loop is shown in the bottom half of Fig. 14. The graph (which is nearly shows the input of the reconfigured plant of the faulty identical to the nominal input), the actual input plant and the position of the lever. Since the servo does not is not shown here. move, its position The graphs show that the output of the reconfigured loop matches the output of the nominal loop very closely. The slight differences are the result of input saturation. The control signal
1600
IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 51, NO. 10, OCTOBER 2006
coming from the virtual actuator goes up to about 1.8, while the physical system leaves the linear range around 0.7. The stability of the system is not affected, only the response time is slightly increased due to the physical limitations. In other applications it was sometimes found necessary to implement anti wind-up measures in order to keep the system stable in spite of the input saturation. It is also interesting to see that the high amplification of the virtual actuator leads to an amplification of the measurement noise. This is partly caused by the nominal system structure: As the momentum cannot be measured, it has to be deduced from the lever position by double differentiation, which significantly increases the measurement noise. In the reconfigured system, the noise gets amplified again by the virtual actuator, which has a high amplification in order to compensate for the slower response of the lateral rotors. The results also show that the lateral rotors have a preferred direction: They are more effective in the backward movement than forward. This leads to very little overshoot in the forward movement, but a very significant overshoot after the backward swing. The overall control performance is still very impressive, considering the tight input limits and the nonlinearity of the lateral rotors.
VI. CONCLUSION This paper has developed a method for online reconfiguration of the control after the occurrence of actuator failures. The reconfiguration problem has been stated in two different ways. The original formulation contains requirements for the reconfigured control loop. These have been translated into requirements concerning the open-loop behaviour of the reconfigured plant. By applying a state transformation, the reconfiguration problem can be transformed into a disturbance decoupling problem with stability. Hence, known theoretical results can be applied to find the solution of the reconfiguration problem. The solution is called a virtual actuator, because it is a block which takes the signal for the broken actuators as input and produces the intended effects on the output of the plant by using the remaining actuators. The two design parameters of the virtual actuator can be found using known approaches to the disturbance decoupling problem. The algorithm presented here follows the geometric approach, which leads to a state transformation that splits the system into two parts. The first part is relevant for the decoupling, and suitable feedback and feedforward matrices are generated. The second part forms a classical state feedback controller design problem, which can be solved using any suitable method. By putting both parts together, suitable parameters can be found for the virtual actuator to reconfigure the control loop. It has been shown that the algorithm is complete in the sense that it finds a solution as long as this reconfiguration problem is solvable. The approach has also been demonstrated to solve a challenging practical reconfiguration experiment.
REFERENCES [1] B. Heiming and J. Lunze, “Control reconfiguration: The COSY benchmark problem and its solution by means of a qualitative model,” presented at the European Control Conf. Karlsruhe, Germany, 1999, CM-5, F1039-3. [2] G. Basile and G. Marro, Controlled and Conditioned Invariants in Linear System Theory. Upper Saddle River, NJ: Prentice-Hall, 1992 [Online]. Available: http://www.deis.unibo.it/Staff/FullProf/GiovanniMarro/gm_books.htm [3] M. Blanke, C. W. Frei, F. Kraus, R. J. Patton, and M. Staroswiecki, “What is fault-tolerant control?,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection and Safety for Technical Processes, 2000, pp. 40–51. [4] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Diagnosis and Fault-Tolerant Control. New York: Springer-Verlag, 2003. [5] S. Chen, G. Tao, and S. M. Joshi, “On matching conditions for adaptive state tracking control of systems with actuator failures,” IEEE Trans. Autom. Control, vol. 47, no. 3, pp. 473–478, Mar. 2002. [6] V. Dardinier-Maron, H. Noura, and F. Hamelin, “Reconfiguration against major actuator failures,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection and Safety for Technical Processes, 2000, pp. 762–767. [7] Z. Gao and P. J. Antsaklis, “Stability of the pseudo-inverse method for reconfigurable control systems,” Int. J. Control, vol. 53, no. 3, pp. 717–729, 1991. [8] A. Gehin, M. Assas, and M. Staroswiecki, “Structural analysis of system reconfigurability,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection and Safety for Technical Processes, 2000, pp. 292–297. [9] X. Hu, A. Lindquist, J. Mari, and J. Sand, Geometric Systems Theory—Lecture Notes. Stockholm, Sweden: Royal Inst. Technol., 2003. [10] P. Ioannou, Robust Adaptive Control. Upper Saddle River, NJ: Prentice-Hall, 1996. [11] S. Kanev and M. Verhaegen, “Reconfigurable robust fault-tolerant control and state estimation,” presented at the 15th IFAC World Congr., Barcelona, Spain, 2002, T-Fr-A10, 2542. [12] M. Morari, E. C. Kerrigan, A. Bemporad, D. Mignone, and J. M. Maciejowski, “Multi-objective prioritisation and reconfiguration for the control of constrained hybrid systems,” presented at the Amer. Control Conf., 2000, ACC00-IEEE1027. [13] J. Lunze, D. Rowe-Serrano, and T. Steffen, “Control reconfiguration demonstrated at a two-degrees-of-freedom helicopter model,” in Proc. European Control Conf., Cambridge, U.K., 2003. [14] J. Lunze and T. Steffen, “Reconfigurable control of a quantised system,” in Proc. SAFEPROCESS 2000: 4th Symp. Fault Detection, 2000, pp. 822–827. [15] ——, “Hybrid reconfigurable control,” in Modelling, Analysis and Design of Hybrid Systems. Berlin, Germany: Springer-Verlag, 2002, pp. 267–284. [16] J. Lunze and T. Steffen, “Control reconfiguration by means of a virtual actuator,” in Proc. SAFEPROCESS 2003: 5th Symp. Fault Detection and Safety for Technical Processes, 2003, pp. 133–138. [17] ——, “Rekonfiguration linearer Systeme bei Sensor- und Aktorausfall,” Automatisierungstechnik (at), vol. 51, no. 2, pp. 60–68, 2003. [18] J. Maciejowski, Predictive Control With Constraints. Upper Saddle River: Prentice-Hall, 2002. [19] T. Pasternak, “Reconfiguration in hierarchical control of piecewiseaffine systems,” in Hybrid Systems Computation and Control. New York: Springer-Verlag, 2002, vol. 2289, Lecture Notes in Computer Science, pp. 364–377. [20] M. Staroswiecki, “On reconfigurability with respect to actuator failures,” presented at the 15th IFAC World Congr., Barcelona, Spain, 2002, T-Tu-M10, 775. [21] T. Steffen, Control Reconfiguration of Dynamical Systems: Linear Approaches and Structural Tests. Berlin, Germany: Springer-Verlag, 2005. [22] W. M. Wonham, Linear Multivariable Control—A Geometric Approach. New York: Springer-Verlag, 1985. [23] W. M. Wonham and A. S. Morse, “Decoupling and pole assignment in linear multivariable systems: a geometric approach,” SIAM J. Control, vol. 8, pp. 1–18, Feb. 1970. [24] Z. Yang, R. Izadi-Zamanabadi, and M. Blanke, “On-line multiple-model based adaptive control reconfiguration for a class of non-linear control systems,” in Proceedings of the SAFEPROCESS 2000: 4th Symposium on Fault Detection and Safety for Technical Processes, 2000, pp. 745–750.
LUNZE AND STEFFEN: CONTROL RECONFIGURATION AFTER ACTUATOR FAILURES
Jan Lunze (A’93–M’04) was born in Dresden, Germany. He received the diploma in automatic control, the Ph.D. degree, and the Dr.Sc. degree (Habilitation), all from the Technical University Ilmenau, Ilmenau, Germany, in 1974, 1980, and 1983, respectively. From 1974 to 1992, he was a Research Associate and later Professor of Automatic Control at the Academy of Sciences in Dresden, Germany. From 1992 to 2001, he was Professor of Control Engineering at the Technical University Hamburg-Harburg, Germany, and since 2002, he has been Head of the Institute of Automation and Computer Control of the Ruhr-University Bochum, Germany, where he teaches systems and control theory. His research interests are in linear control theory, particularly in the fields of robust control and large-scale systems, in hybrid systems, discrete-event systems and in applications of knowledge processing to dynamical systems. Currently, his research is focused on qualitative modelling, fault diagnosis and process control applications of robust and decentralised control. He is author and/or coauthor of numerous papers and of several books, including Robust Multivariable Feedback Control (Prentice-Hall, 1988), Feedback Control of Large-Scale Systems (Prentice-Hall,
1601
1992), Künstliche Intelligenz für Ingenieure (Oldenbourg, 1994), Regelungstechnik (Springer, 1996), Automatisierungstechnik (Oldenbourg, 2003), and Diagnosis and Fault-Tolerant Control (Springer, 2003).
Thomas Steffen was born in Germany in 1975. He received the degree as “Dipl.-Ing.” in electrical engineering from the Technical University of Ilmenau, Ilmenau, Germany, in 1999, and the Ph.D. degree from the Ruhr-Universität Bochum, Germany, in 2005. He studied at UMIST, Manchester, U.K., during the accademic year 1996–1997, and he worked at the Technical University of Hamburg-Harburg, Germany, from 1999 to 2001. Since 2004, he has been working on message routers for mobile networks at mBalance (international) BV, Amsterdam, The Netherlands. His research interests include the geometric approach, optimal control, rapid prototyping, networking technologies, structural analysis, and stochastic processes.
