Self-Recovery Control for Dependable Systems - IEEE Xplore

2013 IEEE International Conference on Automation Science and Engineering (CASE)

SuDT1.2

Self-Recovery Control for Dependable Systems Tri Tran1 and Q. P. Ha2

Abstract— The task of managing duty-standby controllers in building a dependable computerised-control system with wireless sensor networks is challenging owing to the scarcity of both information and processing resources. A novel synchronization method for redundant controllers applying techniques from dissipative systems theory is presented in this paper. As an alternative to the control summation in classical reliable control systems, only one scalar variable, which is the calculated supply rate, is exchanged among the member controllers. Thanks to this one-variable and autonomous-based approach, the reliability requirement will be met under the temporal constraint of real-time controllers whilst overcoming the latency issue and low data-package rates in wireless networks. A dissipation-based quadratic constraint with respect to the control and output increments is developed for these redundant controllers. When a failure is detected, the constraint of the standby controller will be activated from the lower bound of the supply rate being transferred from the duty controller. During the transition time, this constraint is imposed on the output increment such that the transition between the duty and standby controllers will be smooth for the output vector.

I. I NTRODUCTION Dependability is among the most important requirements of a modern distributed control system (DCS) installed with wireless sensor networks. Duty-standby controllers are usually installed to obtain a high-integrity system for reliable operations. This is a universal approach for increasing the dependability of operational systems. The current approaches for ensuring reliable and non-disruptive operations of these redundant controllers were to employ technologies from the computer science and/or reliable control systems [1] in the designs and implementations. These current technologies may not be functioning in a thin client environment of wireless networks having significant latency and power management problem due to its required higher volume of data transfers. Moreover, cluster based architectures, peer-topeer communication and cloud based applications are likely the adequate approaches for wireless sensor networks [2], [3], [4], which further prevent the usage of technologies for wired systems and centralised control centers. In this paper, we propose a novel synchronization method for redundant controllers associated with sensor networks employing control theoretical techniques. The resultant system will facilitate the set-point tracking [5] semi-automatic control [6] of decentralised controllers. The smooth transitions between the duty and standby controllers are made possible with a minimum inter-system communication. Specifi1 Tri Tran is with HIMA Australia Pty Ltd, Level 3, 533 Hay Street, Perth WA 6000, Australia. [email protected] 2 Q. P. Ha is with Faculty of Engineering and Information Technology, University of Technology, Sydney, 123 Broadway, Ultimo NSW 2007, Australia. [email protected]

978-1-4799-1515-6/13/$31.00 ©2013 IEEE

cally, a dissipation-based quadratic constraint with respect to control and output increments is developed for these redundant controllers. This constraint is normally a stability constraint on the control increment, but will become a constraint on the output increment during the switching-over interval to assure smooth transitions from duty to standby controllers. The domain of interests is described in Figure 1. The typical architecture of a modern DCS that is installed with wired and wireless networks is depicted by this figure [7]. The reliability of the lowest level in the system architecture, which consists of sensors, actuators and processors, is paramount in a wireless sensor network by virtue of the high probabilities of data dropouts. To obtain a higher integrity level, duty-standby controllers are installed for dependable systems. This is a unique approach to increase the integritylevel of any systems in general [8]. A. Dependable Self-recovery Control (DSC) System Dependability implies the reliability and availability of a system in operations. The quantitative reliability of a system is measured by its probability of being available and functioning without errors. The quantitative reliability is specified by the system Integrity-Level (IL). The integrity level of 99.9% indicates that the system could possibly be malfunctioning or unavailable due to failures in 8.76 hours per year (0.001 × 365 × 24 = 8.76), once being put under operations. The integrity level is crucial for many industries. For example, one can imagine what would happen if an airplane might fail to work properly in 8.76 hours at any time in one year. Therefore, IL is an important metric in designing dependable systems. According to industrial data in the DCS field, it is expected that the feedback control loops in a DCS should achieve IL-2 of 99.99% as a minimum in their design specifications. IL2 will eventually lead to a dual-redundant architecture for wired systems if COTS (commercial-off-the-shelf) components are used in the design, see, e.g. [9]. For COTS wireless sensor networks, it is not difficult to envisage that a higher than dual-redundant architecture should be acquired for IL-2 systems. The proposed architecture for dependable control systems in sensor networks is sketched out in Figure 2. We call this Dependable Self-recovery Control (DSC) system for sensor networks. It is not necessary to have two sensors and two actuators as explicitly drawn in Figure 2, but sufficiently to have two processors inside each single sensor and actuator. Details on component structures will depend on particular requirements of dependability, operability and sustain-

45



Fig. 1.

Typical Modern Distributed Control System with Wired and Wireless Networks [7] Fig. 2, p. 2736.

ability from the users and project specific design inputs. Each individual processor of a node will run the control algorithm autonomously. They are denoted as controllers S.1/2 and A.1/2 in Figure 2. Only one variable–the calculated supply rate, is exchanged between these controllers, among those, one will act as a duty controller, the others are in standby. The selection of a controller in duty mode, which is scheduled by the processor operating system, will depend on its hardware healthy state, the communication between nodes and/or user decision. It is, therefore, a cloud-based operational system running location-independent applications. The architecture of four duty-standby controllers communicated via the sensor “cloud” is the skeleton of this work to achieve an IL-2 system installed with wireless COTS components. By targeting general purpose components in the architecture, the result will not be limited within proprietary applications but outreaches all standardized products complying to ISA 100.11a or IEEE 802.15.4e currently available.

with proprietary networks. Based on this centralised/satellite control room architecture, the currently used DCS demands substantial engineering resources for the design, implementation and testing of a new installed system. The ratio of 1:10 for the hardware and software vs. engineering activities is not a low figure in this field. The centralised control architecture will vanish when DSC systems are installed. The new DSC system will become a Plug-And-Play (PAP) system, which will not require much of the above resources, especially in the installation, testing and operational phases. Wireless Sensor Network (WSN) is at the forefront of industrial process driven applications with the newly introduced standards such as ISA 100.11a or IEEE 802.15.4e. They are, nonetheless, computer system prone standards. The dependability features have not been thoroughly addressed therein. The unique known approach for achieving a mandatory dependability is to have multiple duplicated and interoperable sensors, actuators and controllers [8]. Research in networked control systems has been intensive during the past decade and is quite mature in its own right [10]. However, the currently developed control methods for networked control systems are not quite up to the dependability mandate for high-integrity applications. This research contributes a fundamental solution to building dependable systems in the aforementioned applications. C. Sustainability Aspect of the Present Approach

Fig. 2. Dependable Self-recovery Control (DSC) system for sensor networks.

B. Implementation and Significance of DSC Systems The above DSC architecture is compatible with the current development in new infrastructures for the industrial computerised-control systems with wireless instrumentations and control devices. The to-be-old generation DCS is usually a dependable system that is of a computer network type, and universally installed with different application softwares. The main processors are implemented with hundreds singleinput single-output controllers connected with wired sensors and actuators, and physically installed in a central control room, or in a few satellite control rooms interconnected

As mentioned, the unique approach in dependability designs is to have multiple duplications of sensors, actuators and controllers that are inter-operable [8]. Here, the key for a successful implementation rests with the amount of data to be transferred between the duty and standby components. Fewer amounts of data will demand less inter-communication over the sensor “cloud”. The presented approach requires only one floating-point number to be exchanged between the peer controllers, which is the calculated supply rate with respect to the control input and plant output increments. More importantly, it is not necessary to exchange this variable at every updating time steps. By virtue of this one-variable approach, which also accepts intermittent data losses, the success of the employed approach is guaranteed.

46

A highly dependable control scheme of four controllers, two sensor and two actuator processors will be developed to replace a single-input single-output controller. It will facilitate in the controller installation in the field and on site, far away from the central control room, in a fully decentralised architecture of mesh networks. The four redundant controllers are put in the duty-standby operational modes. For this new DSC system to be functioning, the method of selfrecovery control will be employed in the inter-operability management for the duplicated components. It is a fusion of inter-operable hardware, software and feedback control methods: While the processor operating system makes reasoning on the role of a duty controller based on its resource availability, the self-recovery controllers will ensure that the asymptotic property of the supply rate are maintained among the redundant controllers. As a consequence, the control will recover the pre-transition values after every switchingover event. And the supply rate is the only variable that needs to be transferred among these controllers herein. The temporal constraint of real-time controllers will thus be fulfilled in the presence of non-negligible latency and small package rates in WSN, yet achieve the overall dependability. Furthermore, as the information is passed around the member controllers only, the self-recovery controllers can be adopted into any clustered architectures of WSN for energy-efficient operations. D. Incremental Passivity and Dissipativity The incremental passivity approaches have been theoretically presented elsewhere [11], [12], or in another approach called incremental quadratic constraint [13], which also imply the usages ( of signal) increments ∆uk and ∆yk in the supply rate ξ ∆uk , ∆yk . Nevertheless, practical control applications have not been developed from these theoretical studies. The incremental dissipativity is deployed in this presented work for building a new generation of reliable control systems with wireless sensor networks. The initiative method of exchanging the supply rates of quadratically dissipative systems between peer controllers for dependability management has not been presented in the applied control and computer engineering literatures hitherto. We have presented a quadratic constraint approach for decentralised model predictive control of networked systems in the imperfect data environment previously [14]. A constraint on the control vector was derived as a stabilising constraint for model predictive control therein. This work develops quadratic constraints on variable increments, and further more a constraint on the output increment is derived, and applies to an industrial problem of dependable control systems using wireless sensor networks. This paper is organized as follows. Notation, formal definitions and existing results are outlined in Section 2. Section 3 is reserved for the incremental dissipativity criterion and stabilisability condition. Numerical simulation with model predictive control of a DC motor is presented at the end of this section. An intuitive analysis with a signal processing perspective for the energy-dissipative trajectories is presented

in Section 4 in appreciation of the developed theoretical development. A second-order plus dead-time process, which is universally typical in process control [15], is deployed as a typical example. Section 5 concludes our paper. II. P RELIMINARIES A. Notation Capital and lower case alphabet letters denote matrices and column vectors, respectively. (.)T denotes the transpose operation. diag[Ai ]h1 stands for the block-diagonal matrix with diagonal entries Ai , i = 1, 2, ..., h. ∥ui ∥ is the ℓ2 −norm of vector ui . ∥xi ∥Q is the weighted ℓ2 −norm of xi , Q ≻ 0. ∥M ∥ is the induced 2-norm of matrix M . In the discrete time domain, the time index is denoted by k, k ∈ Z. xi+ denotes xi (k + 1) when k is omitted for conciseness. The time index k is denoted by a subscript k where appropriate. B. System Model and Quadratic Constraint Consider a system S having a discrete time state space model of the form: { x(k + 1) = Ax(k) + Bu(k), S: (1) y(k) = Cx(k). where x(k) ∈ Rn , y(k) ∈ Rq and u(k) ∈ Rm are the state, measurement output and control vector, respectively. The measurement output increment ∆y(k):=y(k +1)−y(k), and its constraint set Y, ∆y(k) ∈ Y and 0 ∈ Y, is considered for dependable self-recovery control systems. Specifically, ∥∆y(k)∥2 ≤ ρ,

(2)

for given ρ > 0. Similarly, the control constraint of the form 2 ∥∆u(k)∥ ≤ η is also inclusive in the problem formulation. Firstly, define a quadratic supply rate for S, as follows: [ ][ ] ( ) [ T ] Q S ∆u(k) T ξ ∆u(k), ∆y(k) , ∆u (k) ∆y (k) , S T R ∆y(k) (3) where Q, R, S are multiplier matrices with symmetric Q and ( ) R. For conciseness, ξ ∆u(k), ∆y(k) is denoted as ξ△(k) . The asymptotic constraint is then defined in the following. ( Definition) 1: The input output increment pairs ∆uk , ∆yk of the closed-loop S satisfy the asymptotic constraint if there are k0 ∈ Z+ and 0 ≤ γ < 1 such that 0 ≥ ξ△(k) ≥ γξ△(k−1) ∀ k > k0 . (4) Rewrite (4) as the following quadratic constraint in the variable ∆y k , ∆y Tk Q∆y k + 2∆y Tk S∆uk ≥ γξ△(k−1) − ∆uTk R∆uk , (5) which is convex if Q ≺ 0. This constraint is feasible if R≻0, as the right hand side, φi(k) := γξ△(k−1) − ∆uTk R∆uk , φi(k) ≤ 0 as long as ξ△(k−1) ≤ 0. However, only R ≺ 0 is considered herein, as stated in Theorem 1 below. Since 2 (5) should be fulfilled by all ∥∆uk ∥ ≤ η, the following constraint will be used instead: ∆y Tk (Qc − I)∆y k ≥ γξ△(k−1) + η∥S T S − R∥, R ≺ 0. (6)

47

Most of the time, Qc = Q ≺ 0 is chosen in this work. Nevertheless, whenever γξ△(k−1) + η∥S T S − R∥ > 0, the constraint (4) will need to have Qc − I ≻ 0 in order for a solution to exist. Qc is then found from inequalities given in Remark 1 below. The incremental dissipativity of the open-loop S, defined next, plays a more important role in the convergence of ∆x(k) in this development. Definition 2: S is said to be (Q, S, R)−incrementally dissipative with respect to the supply rate ξ△k , if there exists a non-negative storage function V (∆x) := ∆xT Pi ∆x, Pi ≻ 0, such that for all ∆x(k) and all k ∈ Z+ , the following dissipation inequality is satisfied irrespectively of the initial value of the state increment ∆x(0): V (∆x(k + 1)) − τ V (∆x(k)) ≤ −ξ△(k) , 0 < τ < 1. (7) We will prove in the next section that, if the open-loop S is also (Q, S, R)−incrementally dissipative, the convergence of ∥∆xk ∥ → 0 will be obtained as a result of (4). Based on this convergent property and the state space model (1), the constraint (4) will be implemented for the controller on duty such that the predictive value of the output increment satisfies the constraint (6). C. Problem Description We are concerned with maintaining the asymptotic property of the supply rate ξ△(k) among the controllers of a DSC system, subject to the output increment constraint (2), which is executed by (6). The value of ξ△(k−1) is transferred between the duty-standby controllers of a DSC system, within which the constraint (6) is imposed on ∆y(k) for the controller in duty. The design of feedback compensators for S is not discussed herein, as it is independent to the operation of a DSC system. The predictive PID and model predictive control algorithms are employed in the numerical simulations in this work. III. D ISSIPATIVE C ONDITION AND C ONVERGENCE OF S TATE I NCREMENTS The following theorem states a sufficient convergence condition of ∆x(k) → 0 for S and its associated controller. The multiplier matrices Q, S, R used in (6) will be determined from solutions to the LMI (linear matrix inequality) optimisation problem rendered in this theorem. Without loss of generality, assuming that ξ△k ≤ 0 for all k ≥ 0, and ξ△(k−1) is transferred between the duty and standby controllers at every successive step. Theorem 1: Consider S in association with its duty controller. Let 0 < τ < 1. Suppose that the following LMI optimisation is feasible for A = A − I: max

P , Q, S , R

trace(Q)

(8)

subject to 

P  ∗   ∗  ∗ ∗

0 −Q ∗ ∗ ∗

AT AT P AT C T Q τ AT P A ∗ ∗

AT B T P BT C T Q AT (τ P B + C T S) B T (τ P B + 2C T S) + R ∗

BT 0 AT C T S BT C T S R

    ≻ 0,  (9a)

P ≻ 0,

Q + I ≺ 0,

R ≻ 0,

(9b)

and the constraint (6) with multipliers Q, −R and −S is fulfilled by ∆y(k) ∈ Y, as a result of applying uk from the duty controller to S. Then, the state increment ∆xk converges to zero with the self-recovery controllers. Proof: Firstly, the open-loop Σ is (Q,S,R)incrementally dissipative due to (9). In other words, the dissipation inequality (7) holds true for every xk , uk , uk+1 , due to (9). The remaining of the proof is voided due to space limitation. Remark 1: 1) Whenever γξ△(k−1) + η∥S T S − R∥ > 0, the constraint (6) will need to have Qc − I ≻ 0 for solution existences. Any Qc that satisfies Q + Qc ≺ 0 can be used in this approach. Q + I ≺ 0 in (9b) ensures that it is possible to have Q + Qc ≺ 0 and Qc − I ≻ 0. 2) To assure the feasibility of (4), it can be converted into a constraint on the input increment ∆uk , similarly to previous works, see, e.g., [14], as an alternative to the above constraint on the output increment (6). The constraint on ∆uk can be employed as a stabilising constraint for the MPC while the controller is not in the transition time between the duty and standby controllers. The time instant at which the constraint on ∆yk is switched to the constraint on ∆uk will be when γξ△(k−1) + η∥S T S − R∥ ≥ 0, as explained in item 1. Illustrative Example: Numerical simulation in Matlab for the self-recovery control of a DC motor having state space equations of the form (1) in the following, and traditional model predictive control (MPC) algorithm have shown a promising result of smooth transfer between the duty and standby controllers: [ ] [ ] [ ] −b/J K/J 0 A= , B= , C= 1 0 , −K/J −R/J 1/L where J = 0.01, b = 0.1, K = 0.01, R = 1, L = 0.5. In this simulation, Theorem 1 has been applied by having two MPCs separately, representing two autonomous controllers installed in two wireless sensor nodes. One MPC plays the role of the controller in duty while the other is on standby. To assist the control practitioners in appreciation of the theoretical development in this work and its potentiality in actual implementation, as well as new product development– the DSC system with wireless sensor networks, an intuitive analysis for the presented approach is provided in the next section with a signal processing perspective. The predictive PID control of a second-order plus dead-time process, which is universally typical in process control [15], will be outlined herein to illustrate the analysis result. IV. A N E NERGY D ISSIPATION V IEW P OINT ON I NPUT AND O UTPUT S IGNALS In this section, an informal interpretation of relationships between control input and plant output signals in the

48

time domain is presented with an energy dissipation view point. The effectiveness of this time domain analysis is demonstrated with a predictive PID (proportional-integralderivative) algorithm.



A. Energy Passivity and Energy Dissipation (a) AP Trajectory - Attractive.

The discussion is started with a special case of relationships between the input and output of an absolute energypassive (AP) signal system, such as the input and output trajectories of a feedback control system, to illustrate the physical meaning of dissipating “abstracted energy” around the steady states. Definition 3: An input and output signal system is called absolute energy-passive (AP) if and only if its input and output trajectories, uk and yk respectively, always pass through their corresponding steady states (or set point) at the same time instants. For transparent presentations, assuming that the output and input steady states are normalized to zero (yss ≡ 0, uss ≡ 0). A system that is AP is not necessarily attractive. Figure 3 depicts the behaviours of AP trends for both attractive and non-attractive cases. For systems having AP trends, the following discrete time inequality holds true for all k ≥ 0: pk := (yk − yss )T (uss − uk ) ≥ 0.

(10)

It is clearly that AP is a property of systems having zero phase shift between its input and output. AP response is actually nothing else than a special case of a passive system. Inequality (10) is, therefore, called instant absolute passive inequality (iAPi) herein. The absolute energy-passive trajectory is usually difficult to obtain in real life. In the feedback control and circuit theory, it is quite usual to deal with the one-overshoot stable (OOS) response instead. This would be an ideal response one would normally like to have when designing a feedback compensator (called controller), as depicted by Figure 4. While AP is not necessarily equivalent to attractive, OOS is a special case of stabilized and well performed systems. Definition 4: The critically damped response is oneovershoot stable or OOS if and only if it is AP and the output and input attract to their steady states after only one overshoot. Similar to AP responses, OOS is quite difficult to achieve in a control synthesis problem. It is quite usual to have a stabilized response that may have an overshoot, but does not have AP property; i.e., the input and output trajectories do not across their steady states at the same time instants, as shown in Figure 5. This is a typical critically-damped response in the feedback control literature. One easily verifies that the sum of pk over the time intervals of T 1 and T 3 are greater than that over T 2. This response will become AP when T2 → 0. From this typical case, the relationship between stabilized responses and energy-passivity is generalized in definition 5 below. Definition 5: For an energy-passive and stabilized trajectory, the accumulative sum of pk over time is always



(b) AP Trajectory - Non-Attractive. Fig. 3.

Absolute Energy-Passive (AP) trends.



Fig. 4.

One-Overshoot Response (OOS) Trajectory.

nonnegative, wk :=

κ ∑

(yk − yss )T (uss − uk ) ≥ 0, ∀κ > 0.

(11)

k=0

Alternatively, it can be said that, for an energy-passive and stabilized system, the sum sk of pk where pk ≥ 0, denoted as s+ k , is greater than or equal to the absolute value of the sum sk of pk where pk < 0, denoted as s− k , i.e. − s+ (12) k ≥ −sk . The trend of a more general case of stabilized responses can be graphically represented by Figure 6. In this figure, the sum of pk in odd intervals T 1, T 3, T 5, . . . (s+ k ) is greater than the sum of pk in even intervals T 2, T 4, T 6, . . . (s− k ). As a result of that, the energy-passive response is attractive. The even time intervals represent the phase shift between the input and output trajectories. If all the even time intervals Teven → 0, the response will become AP or OOS. This type of response is much easier to achieve in a control design problem. Under an energy dissipation perspective, if pk = (yk −yss )T (uss −uk ) is considered as an abstracted supply power, then s+ k is the consumed energy, while s− is the generated energy. k When (12) holds true, we say the system response is energy dissipative, i.e. energy is dissipated away. Recalling the energy conservation equality in physics, it is obvious that the availability of an energy storage ζ, or storage function ζk ≥ 0, will provide larger margins for the inequality − (12) to be fulfilled (as s+ k + sk ≥ −ζk ), and so will the energy dissipation. If we draw the trends of |pk | for the

49



predictions are probably well suited to a synthesizing strategy for an energy-dissipating based method. The predictive PID algorithm based on the energy dissipativity is not presented due to space limitation. V. C ONCLUSION

Fig. 5.

OOS and Energy-Passive, but Not AP.



Fig. 6.

A Stabilised Response.

case represented by Figure 6, as in Figure 7 below, the accumulative sum sk is represented by the cross sections of areas under the trend curve. They can, therefore, be viewed as the abstracted energy of pk . 

ϲϬ ϱϬ ϰϬ ϯϬ ϮϬ ϭϬ Ͳ^ŬͲ

Ϭ ϭ

ϵ

^Ŭ н

Ͳ^ŬͲ

^Ŭн ,ĞŝŐŚƚ

ϭϳ

Ϯϱ

ϯϯ

ϰϭ

Ͳ^ŬͲ ϰϵ

ϱϳ

ϲϱ

tŝĚƚŚ

Fig. 7.

A Representation of Stabilized and Energy-Passive Responses.

The area width and height are the metrics for this abstracted energy quantity. The width is timing or phase related, while the height is amplitude related. They will definitely change the response behavior when being adjusted. Talking about the phase and amplitude related quantities, we are introducing the concept of energy-dissipativity. Energy-dissipativity contains energy-passivity components with phase related properties, as well as amplitude components with gain related properties. It is natural to say that, energy-passivity is phase related content only, while energydissipativity has both phase and amplitude related contents. The quadratic supply rate of the form pk := (yk − yss )T Q(yk − yss ) +(yk −yss )T S(uss −uk )−(uk −uss )T R(uss −uk ) is therefore preferable for use in describing an energy dissipation system. One may easily see that, artificially adjusting the control signal uk will instantly change the amplitude response, but may not have an immediate effect on the phase quantity. Some forms of prediction will need to be applied well in advance if the adjustment aims to change the phase related quantity, i.e. the energy passivity. Along this line,

A self-recovery control scheme has been presented as an alternative to the classical reliable control systems previously developed for wired computerized-control systems. Selfrecovery controllers operate autonomously employing onevariable redundant management approach, within which, the real-time value of the supply rate is exchanged among the duty and standby controllers. The scheme is ready for use in designing a new generation of dependable control systems with wireless sensor networks. With a signal processing perspective, an intuitive analysis has also been provided to interpret the meaning of energy-dissipating trajectories. The system-on-a-chip implementation for multivariable systems is underway. R EFERENCES [1] G. K. Befekadu, V. Gupta, and P. J. Antsaklis, “On reliable stabilization via rectangular dilated LMIs and dissipativity-based certifications,” IEEE Transactions on Automatic Control, vol. 58, no. 3, pp. 792–796, 2013. [2] C. Roger, “Wireless safety networks a reality?,” In Proc. of the 10th ¨ Rheinland Symposium, Cologne, Germany, May International TUV 2012. [3] H. Forbes, “Is wireless sensing the most important technology in process measurement?,” Process and Control Engineering - Online magazine of Institute of Instrumentation, Control and Automation, Australia, http://www.pacetoday.com.au/features, 17 January 2013. [4] D. Pesch, “Communication protocols for wireless sensor networks,” Presented in 3rd Workshop on RF Wireless Sensor Networks Research in Ireland, Dublin, Ireland, December 2007. [5] Tri Tran and Q. P. Ha, “Set-point tracking semi-automatic control of interconnected systems with local input disturbances,” Proceedings of the 1st Australian Control Conference AUCC’11, Melbourne, Australia, pp. 224–229, Nov. 2011. [6] Tri Tran, H. D. Tuan, Q. P. Ha, and Hung T. Nguyen, “Stabilising agent design for the control of interconnected systems,” International Journal of Control, vol. 84, pp. 1140–1156, July 2011. [7] P. D. Christofides, J. F. Davis, N. H. El-Farra, D. Clark, K. R. Harris, and J. N. Gipson, “Smart plant operation: Vision, progress and challenges,” AiChE journal, vol. 53, pp. 2734–2741, 2007. [8] M. L. Schooman, Reliability of Computer Systems and Networks: Fault Tolerance, Analysis and Design. Wiley-Interscience, 2001. [9] P. Gruhn and H. Cheddie, Safety Instrumented Systems: Design, Analysis, and Justification, 2nd Edition. Intnl. Society of Automation, 2006. [10] V. Gupta, A. F. Dana, J. P. Hespanha, R. M. Murray, and B. Hassibi, “Data transmission over networks for estimation and control,” IEEE Transactions on Automatic Control, vol. 54, no. 8, pp. 1807–1819, 2009. [11] S. R. Sanders and G. C. Verghese, “Lyapunov-based control for switched power converters,” IEEE Transactions on Power Electronics, vol. 7, no. 1, pp. 17–24, 1992. [12] A. Pavlov and L. Marconi, “Incremental passivity and output regulation,” Systems and Control Letters, vol. 57, pp. 400–409, 2008. [13] A. B. Acikmese and M. J. Corless, “Observers for systems with nonlinearities satisfying incremental quadratic constraints,” Automatica, vol. 47, no. 7, pp. 1339–1348, 2011. [14] Tri Tran, Q. P. Ha, and Hung T. Nguyen, “Semi-automatic control of modular systems with intermittent data losses,” Proceedings of the 7th IEEE Conference on Automation Science and Engineering CASE’11, Trieste, Italy, pp. 625–630, Aug. 2011. ˚ K. J. and T. H¨agglund, “The future of PID control,” Control [15] Astrom Engineering Practice, vol. 9, pp. 1163–1175, 2001.

50