Reconfiguration Criterion for Fault-Tolerant Control



Introduction
Faults occurring in systems such as automotive vehicles and aircraft can cause catastrophic accidents that lead to loss of property, life, and so forth. To avoid accidents caused by faults, many systems require a high level of dependability. Adopting redundant actuators has been considered an efficient method of achieving the required dependability. Conventionally, redundant actuators are treated as backup systems while the primary ones operate normally. If faults occur in the primary actuators, the redundant ones are activated as main actuators. However, adopting redundant actuators incurs penalties in fuel, space, cost, and weight during normal operation.
In contrast to adopting hardware redundancies such as secondary actuators, software-based fault accommodation methods have been proposed over the last 30 years. The goal of these methods is to provide a feasible control input in order to maintain the normal performance. For this reason, these methods are defined as fault-tolerant control (FTC) or reconfiguration. Various fault-tolerant control techniques have been proposed: pseudoinverse [1], model reference adaptive control [2], sliding mode control [3–5], multiple model switching and tuning [6], control allocation [3, 7–10], and so forth.
However, most of the proposed methods shown above consider the reconfiguration ability. This means that although the proposed reconfiguration methods can accommodate faults theoretically and practically, there are some faulty systems that cannot be tolerated. Generally, the possibility of reconfiguration depends heavily on the relationship between the faulty states and the controllable normal inputs. If a faulty system cannot take sufficient controllable inputs related to the faulty states, then the goal of reconfiguration must be changed to achieve stabilization of the faulty system in order to avoid structural damage. This paper proposes a reconfiguration condition that indicates whether fault-tolerance is possible. By explicitly analyzing the relationship between the faulty states and normal inputs, the condition also gives the required number of redundant actuators that can achieve fault-tolerance.

General Dynamic Model of Actuator Faulty System
The response of a faulty actuator can be categorized into one of four types: Lock-in-Place (LiP), Hardover, Float, and Loss of Effectiveness (LoE) [11]. its desired (normal) output. Hence, the general response of a faulty actuator can be represented as follows: where the subscript  indicates the th actuator and ⟦ ⋅ ⟧ is the smallest integer greater than or equal to ⋅. And   is the performance degradation factor represented by a quantitative value in [0, 1] according to the degraded performance: if no fault occurs.
For example, if the th actuator is operated normally, then   = 1, so   =  NORMAL  . And if 50% of LoE failure occurs on the th actuator, then   = 0.5, so   = 0.5 NORMAL  . For the total number of actuators , suppose faults are occurring on  (1 ≤  ≤ ) actuators; then, the general dynamics of faulty actuators yields From (3), the general responses of actuators including faulty and normal actuators can be represented as follows: where u  2 ∈ R − is a set of normal actuators u ,NORMAL and I  is an ( × )-identity matrix. And If no faults are occurring in actuators, then Γ  = I  and ⟦Γ  ⟧ = I  in (5) and Γ = I  and ⟦Γ⟧ = I  in (6). Hence, u = u NORMAL .
To analyze the general dynamics of a faulty system, let us consider the following linearized model: where x ∈ R  is a state vector and u ∈ R  is an input vector.
Then the generalized model including -faulty actuators yields where

The Proposed Fault-Tolerant Control Allocation Method
In this section, the reconfiguration criterion is proposed. The proposed criterion determines whether the faulty system has enough normal actuators to accommodate faults occurring on several actuators. To derive the criterion, the effects of faulty actuators are analyzed first. Next, the reconfiguration criterion is proposed. Finally, the minimum number of redundant actuators for compensating the effects of faulty actuators is given at the end of this section.

Effects of Faulty Actuators.
In the generalized faulty system model provided in the previous section, faults on actuators directly affect the actuator term. To analyze the effects of actuator faults, the virtual input vector v ∈ R  is employed: In (9), not all elements of v are affected by faulty actuators.
To classify v into the fault-affected term v  1 and the fault-free (normal) term v  2 , rearrange the row vectors of the input distribution matrix as where k  1 ∈ R  and k  2 ∈ R (−) ; that is, the number of system states affected by faulty actuators is assumed to be . And B   11 ∈ R × , B  12 ∈ R ×(−) , and B  22 ∈ R (−)×(−) . From (3) and (10), the virtual input can also be represented by the combination of fault types as follows: Let us denote the input error vector by e  = u  1 − u  1 for the expected normal input vector u   1 represented as a dotted red line in Figure 1(d). And denote the corresponding virtual input error vector by e Then the effects of faulty actuators can be represented as follows: Due to faults on -actuators, e V ∈ R  cannot be zero. By (3), the virtual input error vector represented by the combination of fault types yields

Reconfiguration Criterion.
In this subsection, the fault-tolerant control problem is introduced, and then the reconfiguration criterion is proposed. In (12), for the faulty-actuated system, the only controllable actuators are u  2 . This leads to the fact that the relationship between u  1 and u  2 can be efficiently used to compensate the effects of faulty actuators. Hence, the fault-tolerant control problem can be stated as finding the control input u  2 that can reduce e V . Let us denote the fault-tolerant control input by u  ∈ R − . Without loss of generality, it is assumed that u  = u  2 + u  2 to simplify the problem. Then the input-virtual input relationship controlled by u  can be represented as follows: It is worth noting that (14) shows the conceptual description of fault-tolerant control. The possibility of tolerating the effects of faulty actuators depends heavily on the relationship between u  1 and u  2 . This means that the characteristics of matrices B   11 and B  12 determine the possibility of fault-tolerance. In this paper, the conditions for tolerating the effects of faults based on the characteristics of matrices B    11   and B   12 are proposed as the reconfiguration criterion. Hence, the proposed reconfiguration criterion describes the relationship between normal actuators and effects of faulty actuators. Moreover, this reconfiguration criterion determines whether there are a sufficient number of normal actuators that can accommodate faults occurring on actuators.
Before proposing the reconfiguration criterion, rearrange the input distribution matrix [B  1 B  2 ] as follows: for   ≤  and   =  − , For 1 ≤  ≤  and 1 ≤  ≤ , assume that  0 =  0 = 0. And set B  as Moreover, let us denote B  by By (17), the effects of normal actuators can be explicitly described. Then the reconfiguration criterion can be stated as follows.
Reconfiguration Criterion. The system that has -faulty actuators is reconfigurable, if a matrix B  ∈ R   ×  satisfies the following: (i) rank( B  ) ≥ ; (ii) B  is full row rank; that is, rank( B  ) =   .
From conditions (i) and (ii), there exists at least one solution u  2 that satisfies the following: Equation (18) means that the effects of faulty actuators can be compensated by   -normal actuators. This leads to the fact that the required number of normal actuators for tolerating faults is   . Hence, the minimum number of redundant actuators can be stated as follows.
Minimum Number of Redundant Actuators.If the system is reconfigurable for -faulty actuators, that is, for  ≤  ≤ , there exists a matrix B  that satisfies the reconfiguration criterion, then the minimum number of redundant actuators is   .
It is worth noting that a faulty system that satisfies the reconfiguration criterion can compensate the effects of faults by redistributing normal actuators. However, if a system cannot take sufficient normal actuators, then reconfiguration cannot be achieved; consequently, the effects of faulty actuators may cause a catastrophic accident. In this case, uncontrolled forces generated by faulty actuators stress the system structures. Hence, the primary goal of fault-tolerant control is to achieve stabilization of the system by degrading the performance of normal actuators. Figure 2 describes the fault-tolerant control strategy. In Figure 2, fault-tolerance can be achieved in two ways: performance maintenance and stabilization (graceful degradation). If the system satisfies the proposed reconfiguration criterion, then the effects of the faulty actuators can be compensated; that is, the performance of the faulty system can be maintained. In contrast, if the system cannot achieve perfect compensation due to lack of redundant actuators, that is, the reconfiguration criterion cannot be satisfied, then the fault-tolerant mechanism tries to stabilize the system by reducing the required performance in order to avoid additional types of damage such as structural breaks. Examples of the fault-tolerant control strategy for these two types are introduced in the following section.

Examples
In this section, two systems are introduced to show how the proposed reconfiguration criterion works. The first example is a simple crane system that does not have enough redundant normal actuators to tolerate a fault. The other example is an aircraft that adopts various control surfaces (actuators).

Crane System.
A simple crane system considered in this subsection is depicted in Figure 3. In this crane, the center of the horizontal plate is moved up and down by two motors: where  is the plate mass and  is the gravitational constant.
And   and   are forces generated by the left and right motors, respectively. To control the plate position (height), a dynamic inversion control law is applied to both motors.
In this simulation, it is assumed that a 30% LoE fault occurs on the left motor; that is, the force generated by the left motor is reduced by almost 30%. Then the plate is operated by asymmetric forces; consequently, the plate cannot be stabilized. Since forces are generated asymmetrically, the following moment equation is applied to the plate: where  is the rotational inertia of the plate and  is the angle between the horizontal line and the plate. And  indicates the distance from the center of the plate to the position at which force   or   acts. So the fault occurring on the left motor affects two equations, (19) and (20); that is,  = 2. However, only one normal motor (the right motor) remains. Hence, the reconfiguration criterion cannot be satisfied.
In Figure 4, the responses of plate position and angle of the faulty crane are shown. Although the fault on the left motor (actuator) degrades its performance, the controlled plate position can maintain the referenced position. However, since the controller generates more force to satisfy the referenced plate position, the plate angle oscillates (Figure 4(b)). As a result, the faulty crane cannot be stable.
According to the reconfiguration criterion, the crane system does not have a sufficient number of normal motors to accommodate the effects of the fault. In this case, the primary goal of fault-tolerant control is to stabilize the faulty crane; that is, the fault-tolerant mechanism tries to reduce the required performance of the crane. Figure 5 shows the simulation results of the performance maintenance crane case obtained by applying the reconfiguration input introduced in (14). In Figure 5(a), the control performance can be maintained by generating additional force on the normal (right) motor. However, the plate oscillates severely due to the asymmetric additional force acting on the normal motor (Figure 5(b)). Moreover, this additional force may cause structural damage if the crane oscillates continuously. In contrast, in Figure 6(b), oscillation of the plate can be prevented by degrading the performance of the normal motor. Although control performance cannot be achieved as shown in Figure 6(a), the faulty crane can avoid additional damage.

Aircraft System.
In this paper, a tailless jet fighter developed under the innovative control effectors (ICE) program is considered [4, 12]. The ICE adopts elevons, pitch flap, and all-moving tips as control surfaces. Since the proposed reconfiguration criterion represents the relationship between faulty states and normal actuators, the input distribution matrix of the ICE is considered in this simulation. In [12], the input distribution matrix linearized at Mach 0.4 and 15,000 ft altitude yields where V  , V  , and V  denote the virtual inputs for roll rate, pitch rate, and yaw rate, respectively. And control inputs,  le ,  re ,  pf ,  lamt , and  ramt , are deflections of left elevon, right elevon, pitch flap, left all-moving tip, and right all-moving tip, respectively.
In this simulation, the following fault scenario is considered: a 30% LoE fault on the left elevon at 4 sec and a float fault on the right all-moving tip at 8 sec. Since one fault occurs on the left elevon during 4-8 sec, the input distribution matrix [B  1 B   2 ] can be represented as follows: To examine the possibility of reconfiguration, select B 2 ; then, the following are satisfied: So the reconfiguration criterion is satisfied. Hence, the effects of the faulty left elevon during 4-8 sec can be compensated. Moreover, the minimum required number of normal actuators is 2. Actually, the reconfiguration criterion can also be satisfied, if B 3 is selected. Similarly, for the two-faulty-actuator case after 8 sec, the input distribution matrix Then  = 3. And for  ∈ [1,3], B  can be represented as Choose B 3 ; then, the following are satisfied: 3 is full row rank. So the reconfiguration criterion is satisfied. Therefore, the effects of the faulty left elevon and right all-moving tip after 8 sec can be accommodated. Moreover, it is easy to check that the minimum required number of normal actuators is 3. Hence, faults occurring in the ICE can be compensated by the redundant normal actuators.
Figure 7 shows the simulation results. In these figures, relationships between the virtual inputs and actual control surfaces are considered. Due to the fault on the left elevon at 4 sec, the performances of virtual inputs are degraded. Moreover, the performances of virtual inputs in roll and yaw dynamics are significantly reduced after injecting the float fault on the right all-moving tip at 8 sec. However, by redistributing the normal actuators such as right elevon, pitch flap, left all-moving tip, and right all-moving tip (before 8 sec), the effects of injected faults can be compensated.
The following figures show the results of roll motion of the faulty ICE. In this simulation, the aircraft performs a turn reversal maneuver, which is achieved by rolling the aircraft to 60 deg to the left and then to 60 deg to the right. As shown in Figure 8(b), the roll angle diverges due to the injected fault on the left elevon at 4 sec. However, by redistributing the normal actuators, the effects of the faulty actuator can be accommodated; consequently, the aircraft can maintain the performance as shown in Figure 8(c).
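As an added illustration (not code from the paper or from [12]), the following Python example runs a rank test in the spirit of the reconfiguration criterion on the crane and on a five-actuator system. It assumes that a state row is fault-affected when a faulty actuator has a nonzero entry in it, and that the criterion reduces to a full-row-rank check on the affected rows restricted to normal actuators; `check_reconfigurable`, the crane coefficients and the 3×5 matrix are constructed for this example.

```python
from fractions import Fraction
from itertools import combinations

def rank(rows):
    """Matrix rank by exact Gaussian elimination (no float tolerance needed)."""
    m = [[Fraction(x) for x in r] for r in rows]
    rk = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rk, len(m)) if m[i][col] != 0), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        for i in range(rk + 1, len(m)):
            f = m[i][col] / m[rk][col]
            m[i] = [a - f * b for a, b in zip(m[i], m[rk])]
        rk += 1
    return rk

def check_reconfigurable(B, faulty):
    """Return (reconfigurable, affected_rows, smallest_normal_actuator_set)."""
    normal = [j for j in range(len(B[0])) if j not in faulty]
    # Assumption: a row (state) is fault-affected if a faulty actuator enters it.
    affected = [i for i, row in enumerate(B) if any(row[j] != 0 for j in faulty)]
    r = len(affected)
    # Smallest group of normal actuators whose block on the affected rows
    # has full row rank r; fewer than r columns can never reach rank r.
    for size in range(r, len(normal) + 1):
        for cols in combinations(normal, size):
            block = [[B[i][j] for j in cols] for i in affected]
            if rank(block) == r:
                return True, affected, list(cols)
    return False, affected, None

# Constructed crane model, columns = [left motor, right motor],
# rows = [vertical force balance, moment balance]; unit mass, arm and inertia.
CRANE = [[1, 1],
         [-1, 1]]

# Constructed 3x5 input distribution matrix (NOT the values from [12]).
# Rows: roll, pitch, yaw. Columns: le, re, pf, lamt, ramt.
AIRCRAFT = [[4, -4, 0, 2, -2],
            [-3, -3, -5, 1, 1],
            [0, 0, 0, 1, -1]]

if __name__ == "__main__":
    print("crane, left motor faulty:", check_reconfigurable(CRANE, {0}))
    print("aircraft, le faulty:", check_reconfigurable(AIRCRAFT, {0}))
    print("aircraft, le + ramt faulty:", check_reconfigurable(AIRCRAFT, {0, 4}))
```

For the crane the search fails because one normal motor cannot span the two affected equations; the constructed matrix needs two normal surfaces for the single fault and three for the double fault.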

Concluding Remarks
This paper has proposed the reconfiguration criterion that presents the possibility of fault-tolerance. The proposed criterion explicitly describes the relationship between the faulty states and normal actuators. This relationship determines
And  NORMAL  denotes the desired normal position shown as a dotted red line in Figure 1(d), and  TOTAL  denotes the faulty position depicted as a blue line in Figures 1(a), 1(b), and 1(c).