Design and Assessment of a Multiple Sensor Fault Tolerant Robust Control System

This paper presents an enhanced robust control design structure to realise fault tolerance towards sensor faults, suitable for implementation on multi-input multi-output (MIMO) systems. The proposed design permits the fault detection and controller elements to be designed with consideration of stability and robustness towards uncertainties, as well as a multiple-fault environment, on a common mathematical platform. This framework can also cater to systems requiring fast responses. A design example is illustrated with a fast, multivariable, and unstable system, that is, the double inverted pendulum system. Results indicate the potential of this design framework to handle fast systems with multiple sensor faults.


INTRODUCTION
Growing demands for plant or system availability, reliability, and survivability have prompted active research in fault tolerant control systems (FTCSs) [1,2]. FTCSs are designed to accommodate component faults automatically by ensuring overall system stability and acceptable performance. A typical FTCS design incorporating separate control and fault detection elements can achieve fault tolerance objectives, but without due consideration given to significant interactions between the elements such as those described in [3,4]. In addition, addressing issues concerning uncertainties is crucial, as practical problems associated with variations in the actual plant operating range are undesirable.
Fault detectors are typically based upon the use of process models [5-7]. Data from the monitored plant is input to these algorithms and the outputs are compared with the corresponding plant outputs. If there are discrepancies, then it is an indication that at least one fault has occurred. The model-based approach to designing a sensor FTCS employs mathematical manipulation of available signals, that is, analytical redundancy, via suitably designed controllers to accommodate faults rather than using extra hardware (sensors/actuators).

Integrating control and fault detection in FTCS
An integrated approach [8-11], where the fault detection and controller elements are designed with consideration of the overall system stability or interaction, is favourable. The reliability of operation can then be determined in a mathematically sound setting that offers fast control responses, and the established solution for incorporating robustness towards uncertainties remains available.
In this paper, a robust controller-based MIMO FTCS which integrates the fault detection and controller elements in a single design is presented. A fault indicating residual is utilised as a function of control. The residual signals act as weighting factors, which put corresponding emphasis on the nominal controller and the fault accommodating controller. The proposed FTCS structure allows the plant to be controlled by a nominal controller that ensures the achievement of best performance objectives when sensor faults and uncertainties are not present, while preserving stability at a lower degree of system performance in the presence of major sensor faults [11,12]. The proposed structure can handle systems with fast responses, multiple sensor faults, and modelling uncertainties.
Note that purely robust control-based FTCSs such as those described in [13,14] ensure robustness towards minor faults only; faults are modelled as very small perturbations on the system. As demonstrated by [13,14], it is not possible for a purely robust control structure to maintain high performance when faults are not present, as they are designed using a worst case criterion.

PROBLEM STATEMENT
Assuming that the MIMO plants and controllers are described mathematically in state-space form as follows: where $x \in \mathbb{R}^n$ is the state vector, $u \in \mathbb{R}^l$ is the input vector, while $y \in \mathbb{R}^m$ is the measured output vector.
$A$, $B$, $C$, and $D$ are known matrices with appropriate dimensions related to the system dynamics. In addition, $\sigma(M)$ denotes the largest singular value of $M$. $H_\infty$ denotes the Banach space of bounded analytic functions with the $\infty$ norm defined as
Definition 1. All MIMO transfer matrix representations have appropriate dimensions and are proper real-rational matrices, stabilisable, and detectable. A state space rational proper transfer function is denoted by Furthermore, let $P$ be a block matrix, Therefore, the linear fractional transformation of $P$ over $F$ is defined as where $F$ is assumed to have appropriate dimensions and $(I - P_{22}F)^{-1}$ is well defined.

Sensor faults defined
Sensor fault symptoms can be observed as measurements that are unavailable, incorrect, or unusually noisy. These faults may occur individually or concurrently or simultaneously, resulting in total system failure or degradation in performance. Significant information about the influence of faults on a process cannot be known without the inclusion of its model in the design. Additive faults provide a suitable framework for sensor faults and are modelled as additional input signals to a system [5], where $f_s(t) \in \mathbb{R}^m$ denote sensor faults. Hence The variable $y(s)$ denotes all available sensor outputs. When output sensor faults occur in the plant as shown in (5), the measured outputs become Due to the existence of the fault represented by $f_s(s)$, a conventional controller cannot usually satisfy the required performance and the closed-loop control system may even become unstable. A sensor fault-compensating controller can be introduced to augment a nominal controller designed for best performance. However, since the structure of the system as seen in Figure 1 is virtually an internal model controller [15], conditions for physical realizability need to be observed. To ensure that the fault-compensating controller, $Q$, is well defined and proper, the transfer matrix representation from $f_s(s)$ to the controller output $u(s)$ must exist and also be proper. Therefore, By appropriate use of the input weight, $W_s(s)$, the input $f_s(s)$ can be normalised and transformed into the physical input, $f_s(s)$. Consideration of such sensor fault models has been shown to be suitable for use in formulating the FTCS objectives for the rejection of sensor faults as an optimisation problem. Uncertainties affecting the sensors can also be classified as a subset of $f_s(s)$. Figure 1 shows the block diagram illustrating the interconnections assumed for the formulation of the $H_\infty$ problem associated with the proposed FTCS design.

Fault indicating residuals
The presence of the sensor faults and uncertainty vectors defined in Section 2.1 can be reflected by a fault indicating residual, since a filtered estimation can be obtained via coprime factorisation of the plant model, $G_p(s)$ [11,12]. Let Hence, from (8) and (9), the fault indicating residual denoted by $f_r(s)$ can be defined as

Integrating the controller element
Now, since $f_r(s)$ reflects the presence of faults and uncertainty, it can be utilised as an input to the fault compensating controller. The perturbations caused can then be minimised by control actions due to the nominal controller and the fault compensating controller. The control signal vector can be expressed as follows: where and $u_k(s)$ denotes the nominal controller ($K(s)$) output, and $u_q(s)$ denotes the sensor fault compensator ($Q(s)$) output. Error from feedback is denoted by $e(s)$, whereby $r(s)$ denotes the input demand. Thus, from (10), $f_r(s)$ is utilised in the following manner: From (6), (7), and (8), $e(s)$ can be expressed as By substituting (12), (13), and (14) into (11), the following is derived: Thus, The plant output expression in (16) shows that in the absence of sensor faults and uncertainties, the output of the closed-loop system is only reliant on the nominal controller $K(s)$, allowing for high performance during healthy operation. Note that the fault detection scheme generating the above-mentioned fault indicating residual does not need to be made robust, since the fault indicating residual is mainly used as an activating signal for $Q(s)$. It is thus not essential to identify or to estimate the source of the faults; hence, even if the presence of $f_r(s)$ is due to uncertainties and not faults in the sensors, $Q(s)$ will still provide the necessary control signals to compensate for such perturbations, thereby introducing robustness to the system.
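The behaviour of the fault indicating residual described above can be reproduced with a small simulation. This is an added example, not code or data from the paper: it assumes the standard observer realisation of a left coprime factorisation (residual = measured output minus observer estimate), and the two-state plant, observer gain, and additive sensor biases are constructed values.

```python
# Added illustration, not code from the paper. Plant, observer gain and fault
# sizes are constructed values chosen for the demonstration.
DT = 0.001                       # Euler integration step [s]
A = [[0.0, 1.0], [-2.0, -3.0]]   # constructed stable plant (poles -1, -2)
B = [0.0, 1.0]                   # single input; both states measured (C = I)
L_GAIN = 2.0                     # observer gain L = 2*I, so A - L*C has poles -3, -4
# (onset step, sensor index, additive bias): sensor 0 at 2 s, sensor 1 at 4 s
FAULTS = [(2000, 0, 0.5), (4000, 1, 0.2)]


def deriv(x, u):
    """State derivative A*x + B*u for the two-state plant model."""
    return [A[i][0] * x[0] + A[i][1] * x[1] + B[i] * u for i in range(2)]


def simulate(steps=6000, u=1.0):
    """Run plant and residual generator side by side; return residual history."""
    x = [0.0, 0.0]       # true plant state
    x_hat = [0.0, 0.0]   # observer state, same initial condition as the plant
    residuals = []
    for k in range(steps):
        f_s = [0.0, 0.0]
        for onset, idx, bias in FAULTS:
            if k >= onset:
                f_s[idx] += bias
        y = [x[i] + f_s[i] for i in range(2)]       # measured output y = Cx + f_s
        f_r = [y[i] - x_hat[i] for i in range(2)]   # residual: measurement - estimate
        residuals.append(f_r)
        dx, dx_hat = deriv(x, u), deriv(x_hat, u)
        x = [x[i] + DT * dx[i] for i in range(2)]
        # Observer: model copy driven by the same input, corrected by L * residual
        x_hat = [x_hat[i] + DT * (dx_hat[i] + L_GAIN * f_r[i]) for i in range(2)]
    return residuals


def first_alarm(residuals, channel, threshold=0.05):
    """Index of the first step where |residual[channel]| exceeds the threshold."""
    for k, f_r in enumerate(residuals):
        if abs(f_r[channel]) > threshold:
            return k
    return None


if __name__ == "__main__":
    res = simulate()
    print("residual just before any fault:", res[1999])
    print("residual at onset of sensor-0 fault:", res[2000])
    print("first alarm steps:", first_alarm(res, 0), first_alarm(res, 1))
```

The residual is zero while the sensors are healthy and jumps by the bias size at each fault onset. The sensor-0 fault also raises the channel-1 residual before sensor 1 itself fails, which fits the paper's point that the residual serves as an activating signal rather than as a means of identifying the fault source.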

Sensor fault compensator realisation
The sensor fault compensator $Q(s)$ is integrated into the framework by utilising $f_r(s)$ as a function of control. The design of $Q(s)$ is achieved with the $H_\infty$ technique. A performance weight $W_{ftc}(s)$ can be defined to establish postfault performance requirements, which emphasise stability rather than high performance. The corresponding solution for achieving $Q(s)$ is by minimising the following optimisation criterion: Therefore, the standard $H_\infty$ problem is specified in (17), which the corresponding transfer functions from $f_s(s)$ to $z(s)$ must satisfy. If the controller $Q(s)$ in (17) is found, then the closed-loop system is said to have robust performance towards uncertainty and sensor faults; it is well known that a system satisfies robust performance if and only if it is robustly stable with respect to norm-bounded matrix perturbation [16]. The equivalent linear fractional transformation (LFT) block diagram for the $H_\infty$ problem stated above is shown in Figure 2. Thus, $\begin{bmatrix} z(s) \\ f_r(s) \end{bmatrix} = \begin{bmatrix} P_{11}(s) & P_{12}(s) \\ P_{21}(s) & P_{22}(s) \end{bmatrix}$ From (10), $P_{21}$ and $P_{12}$ can be derived as Now, note that and thus, Substituting (21) into (22), Ignoring the reference input $r(s)$, we have Note that the following matrix operation (Zhou, Doyle & Glover, 1996, page 23) has been used in the derivation of (24): With the conditions laid out, the closed-loop system shown above is guaranteed to be tolerant to sensor faults and modelling uncertainty, stable for any nonlinear, time varying, and stable $K(s)$ and $Q(s)$ due to the minimisation of the transfer matrix between the fault-generating signal $f_s(s)$ and the performance evaluation signal $z(s)$.

Figure 1: Block diagram representation of the $H_\infty$ problem formulation for the proposed FTCS design.

A NUMERICAL SIMULATION EXAMPLE
An experimental study of the FTCS implementation on a double inverted pendulum system for tolerance towards sensor faults is shown next to illustrate the feasibility of the proposed design method. The implementation is tested for fault tolerance towards sensors in nominal and under plant uncertainty conditions.

The double inverted pendulum system
The double inverted pendulum system is an example of a chaotic system. The system is a fast, multivariable, nonlinear, and unstable process. The pendulum system is a standard classical control test rig for the verification of different control methods, and is among the most difficult systems to control in the field of control engineering. Similar to the single inverted pendulum problem, the control task for the double inverted pendulum is to stabilise the two pendulums. The position of the carriage on the track is controlled quickly and accurately, so that the pendulums always remain upright in their inverted position during such movements. The double inverted pendulum system is made up of two aluminium arms connected to each other, with the lower arm attached to a cart placed on a guiding rail, as illustrated in Figure 3. Data used in this case study has been obtained from [9]. The aluminium arms are constrained to rotate within a single plane and the axis of rotation is perpendicular to the direction of the force $f$ acting on the cart motion. The cart can move along a linear low-friction track and is moved by a belt driven by a servo motor system. Sensors providing measurements of the cart position $x_c$, the pendulum angles $\theta_1$ and $\theta_2$, the controller output $u$, and the motor current $i$ are assumed available for the purpose of control. The control law has to regulate the lower-arm angle and upper-arm angle, $\theta_1$ and $\theta_2$, respectively, from an initial condition, and control the position of the cart $x_c$ from an initial position.

Nominal high-performance controller
An $H_\infty$ loop shaping controller, as the high-performance nominal controller $K$ for the MIMO system, is designed using the MATLAB command ncfsyn.m. The specification function $W_p$ is augmented to $K$ in the manner shown in Figure 4. The sensors for detecting $e_x$ (cart positional error), $\theta_1$ and $\theta_2$ are fault prone sensors. Motor voltage and current are denoted by $u$ and $i$, respectively. The controller output variable is the corresponding motor voltage demand $u$. The controller performance was tested on the SIMULINK model of the double inverted pendulum. Initial conditions are $\theta_1 = 0.05$ rad and $\theta_2 = -0.04$ rad. The cart movement command signal $r_c$, initiated at 0.5 m and at −0.5 m after 50 seconds, is shown in Figure 5, while system responses are shown in Figure 6. It is observed that the output responses are within the limits of the specifications, and the cart position set points have been achieved in a stable and smooth manner.

FTCS design and implementation
The nominal model of the double inverted pendulum is described by its left coprime factors to ensure well posedness. The double inverted pendulum model without modelling uncertainty is considered for the representation of the nominal plant in the fault indicating residual generator setup. Fault indicating residuals are denoted by $f_{\theta_1}$, $f_{\theta_2}$ and $f_{e_x}$ for faults in the corresponding sensors.
The interconnection of the system is set up and the design of the sensor fault compensating controller, $Q$, is automated with the command hinfsyn.m provided in MATLAB's μ-analysis and synthesis toolbox [17], which iteratively solves the optimisation criterion set out in (17). When a $\gamma$ value below 1 is obtained, the solution of a satisfactory $Q$ is used. This condition is only met with relaxations to the effects of additive faults, as it is obvious that total failure cannot be handled. Note that the performance weights $W_{ftc}(s)$ (shown in the appendix) to establish postfault performance requirements reuse the elements in the original specification function $W_p$ which are related to the fault prone sensors, that is, the sensors providing measurements of the cart position $x_c$ and the pendulum angles $\theta_1$ and $\theta_2$. The block diagram showing the augmentation of $Q$ to the nominal controller $K$ is illustrated in Figure 7.

Tests and results
The following responses have been recorded from testing the FTCS by simulating the occurrence of faults in the relevant sensors. Sensor effectiveness indicating faults are simulated as deterioration of performance; 0%: no fault, 100%: total failure. Results are shown for conditions with and without modelling uncertainty. Responses of the double inverted pendulum system with the proposed FTCS, $H_\infty$, and μ controllers are recorded for comparison purposes.

Nominal response, without modelling uncertainties and sensor faults
Nominal performances of all controllers for the healthy system are recorded in Figure 8. Apparently the proposed FTCS produces a faster cart positioning response compared to all other control system responses, initiating slightly higher overshoots in $\theta_1$ and $\theta_2$.

Multiple sensor faults without plant uncertainty
Multiple sensor faults are assumed to occur at 2, 4, and 6 seconds after the simulation has been initiated ($e_x$ at 90% deterioration, $\theta_1$ at 20% deterioration, and $\theta_2$ at 10% deterioration, resp.). The output responses are shown in Figure 9. Observe that the proposed FTCS and the μ controller handled the faults and managed to achieve satisfactory control responses. However, stability could not be maintained by the $H_\infty$ controller.

Multiple sensor faults with plant uncertainty
Tests for the control systems to handle system uncertainty and multiple sensor faults were also performed. Conditions were made similar to the tests performed for the nominal system with multiple sensor faults. The superior ability of the proposed FTCS to accommodate faults even under the influence of system uncertainties is seen in Figure 10.
The $H_\infty$ controller could not handle this mode of fault and oscillates beyond control as shown. Meanwhile, both the proposed FTCS and the μ controller handled the fault satisfactorily.

Further discussion
Overall, the proposed FTCS has managed to handle all pre- and postfault conditions satisfactorily, while maintaining the highest level of stability in all test scenarios. Although it seems that the μ controller could handle faults and modelling uncertainty as well as the proposed FTCS, it could not handle certain cases of single faults, such as the case shown in Figure 11 for the effect of a $\theta_2$ sensor fault at 10% deterioration. The response of the μ control system is too oscillatory and unstable.

CONCLUSION
The proposed FTCS has been observed to have managed all faults simulated in the nominal performance tests, while the two other control systems could not consistently maintain stability in a majority of fault scenarios. Robust performance assessments showing the performance of the control systems when faced with system uncertainty in addition to sensor faults were also simulated. Again, it is observed that the fault tolerance capability of the proposed FTCS has been maintained. The proposed improvement to the model-based FTCS structure provides a potential framework for the realisation of an integrated MIMO FTCS. This design framework is suitable as it inherently incorporates fault residuals as feedback and allows the application of established robust MIMO control design concepts. The test results show the capability of the proposed FTCS to maintain availability and an acceptable level of performance for multiple deteriorated sensor conditions.

System interconnection and synthesis of Q(s)
The appropriate system interconnection structure of $P(s)$, which is the outer loop of the FTCS inclusive of the nominal controller, $K(s)$, and the fault indicating generation elements, needs to be formed using the MATLAB μ-toolbox instruction sysic.m [17]. Hence, Figure 12 is equivalent to Figure 13. Following that, the sensor fault compensating controller, $Q(s)$, which is an $H_\infty$ controller closing the inner loop of the FTCS (i.e., closing the loop for the system interconnection obtained from $P(s)$ shown above), can be solved with the MATLAB instruction hinfsyn.m [17]. Since
[k] = hinfsyn(p, nmeas, ncon, gmin, gmax, tol, ricmethd, epr, epp), (A.4)
hence, in this case,
(i) k denotes the calculated $H_\infty$ controller, that is, $Q(s)$;
(ii) p denotes the system interconnection $P(s)$ as shown above;
(iii) nmeas denotes the number of fault indicating signals;
(iv) ncon denotes the number of control inputs;
(v) gmin, gmax, tol, and so on are as denoted in [17].
Finally, the closed-loop interconnection with Q(s) is shown as in Figure 14.

Figure 2: The LFT representation of the proposed FTCS.

Figure 3: Schematic diagram of the pendulum system.

Figure 4: The $H_\infty$ loop-shaping controller $K$ with specification function.

Figure 6: System responses with $K$ implementation (position of cart $x_c$ is shown instead of cart position error $e_x$).