Fault-Tolerant Control for Three-Tank System in Case of Sensor Faults

This research paper would be devoted to the application of a fault-tolerant control (FTC) for a benchmark system composed of three interconnected tanks in case of sensor faults. The control scheme includes two blocks: fault detection and isolation (FDI) block and a control law reconfiguration block. The strategy of the FDI method is based on a bank of high gain observers; each of them is constructed to estimate the system state vector. Thus, the diagnostic signal-residuals are generated by the comparison of measured and estimated outputs and the faulty sensor is isolated. The reconfiguration block performs an update of the controller parameters according to the operating mode. The application of this method to a pilot plant demonstrates that the hydrographic system maintains quite performances after sensor faults occurrence.


Introduction
Any automation of a process aims at reaching an almost perfect solution to obtain a final product of good quality and health of all faults. e automated system control theory has been widely developed and applied to the industrial process. ese techniques ensure the stability of the closed-loop system and yield a predefined performance in the case where all system components operate safely. However, the more automated the process is, the more it is subject to fault occurrence. Hence, the need for a control method that is able to ensure nominal performance within highly automated systems where immediate maintenance is out of reach. is control is referred to as fault-tolerant control (FTC) which becomes extremely important in the last few decades. ere are two approaches to the synthesis of an FTC. One approach, known as passive FTC, aims at designing a robust controller against some given faults. Another approach, known as active FTC, requires a fast fault detection and isolation (FDI) algorithm followed by a control law adjustment that allows maintaining high performances in the controlled system. e detection and isolation of faults is an important research area in process control due to the improvements that can be reached in terms of the safety and reliability of the plant.
is can be traced from some valuable survey papers [1][2][3] and books [4,5]. Different methods have been developed and implemented in different directions and for several systems [6][7][8][9][10][11] such as model-based method [12,13], observer method [14][15][16], parameter estimation method [17], parity space method [18], and a combination of these methods with artificial intelligent [8,19]. e three-tank system (3TS) is considered an important and effective prototype of many applications in industrial processes, such as water treatment, food industry, chemical and petrochemical plants, oil, and gas systems. It is widely used in water conditioning systems, which provide the user with an abundant supply of luxuriously conditioned water and in craft brewing systems. In spite of the fact that many fault detection and isolation methods have already been applied to three-tank system systems, a few fault accommodation techniques have been considered. In [20], a feedback linearization approach for fault-tolerant control in a 3TS benchmark is investigated. Noura et al. proposed an approach based on the online estimation for the fault and the computation of additive control law is able to compensate for the fault effect on the system [21]. Mendoca et al. have used predictive control and fuzzy logic to design a faulttolerant control for a 3TS [22]. Orani et al. presented a global observer based on a second-order sliding mode control algorithm for the simultaneous fault detection, isolation, and reconstruction for hydraulic vertical 3TS [23]. Other researchers have focused on fault diagnosis and accommodation for both sensor and actuator faults; they have proposed an analytical redundancy method to solve the drawbacks of the hardware redundancy such as cost and space [24]. It should be noted that all these previous works have developed FTC solutions based on the linearized model of the 3TS. is means that these approaches are valid only around an operating area. To overcome the previous drawbacks, some papers have focused on the application of actuator fault magnitude estimation [25] or fault-tolerant control [26][27][28] by using a nonlinear model of the 3TS.
In this paper, we focus on the online sensor fault detection and isolation by adopting high gain observers' bank. A reconfiguration of the controller is then performed by adjusting the design parameters to compensate for the sensor fault effects. Compared to previous works, the proposed approach has the feature to potentially mitigate the required time of the FDI process as well as the ability to reach the reference trajectory after the fault occurrence. e other purpose of this paper is to show the experimental performance of the proposed FTC method on a real plant. Moreover, it is important to mention that the proposed FTC approach is valid for several working areas and not only locally around the operating point. e paper is organized as follows. Section 2 presents the 3TS model to illustrate sensor faults and accommodation methods. e next section is devoted to the strategy of fault diagnosis based on high gain observers bank used to detect, isolate, and estimate the faults. In section four, the full faulttolerant control scheme is exposed. In this context, a new adjusted control law that aims to reduce the fault effect on the system outputs is discussed. Experimental results are given and presented in section 5. Finally, a conclusion and some perspectives are given in the sixth section.

Plant Description.
e 3TS plant consists of three identical cubes with the same cross section area S. ese tanks are coupled serially to each other via cylindrical pipes of the same cross section area S n . e complete structure of the plant is shown in Figure 1.
Two pumps P 1 and P 2 , driven by DC-motors, represent, respectively, the input flows Q 1 and Q 2 of tanks T 1 and T 3 . e plant is a closed system, in which the liquid that enters the reservoir from the tanks returns to the tanks thanks to two pumps.
Besides the outflow valve on T 3 , the system includes five additional valves. Two of them are used to join each pair of neighboring tanks and can be manually tuned to close the connection between the two consecutive tanks. e other three valves V l1, V l2 , and V l3 are at the bottom of each tank. ese leak valves can be used to manually drain each tank [29]. A piezoresistive differential pressure sensor, associated with each tank, delivers an analog voltage signal to measure the three liquid levels denoted by h 1 , h 2 , and h 3 .

Mathematical Model.
e analytic model can be easily derived from the principle of mass conservation and the Torricelli law. In fact, the change of water volume in tank i (i � 1:3) is determined by the following equation: where Q in,i and Q out,i represent the total liquid inflows and outflows in tank i, respectively. en, the mathematical model is specified by the following mass balance equations: where t represents the time; h 1 , h 2 , and h 3 represent the liquid levels in each tank; S represents the cross section of the tanks; Q 1 and Q 2 designate respectively the flow rates of pumps P 1 and P 2 ; Q ij denotes the flow rates between tank T i and T j ; and Q li represents the output flow of the corresponding tank when its leak valve is open. Q e is the leakage valve. e flows Q ij and Q e in (2) are given by Torricelli's law as follows: where a zi is the outflow coefficient, sgn(.) is the sign of the argument, and g is the acceleration of gravity. Consequently, the nonlinear 3T model is given as follows: where a i represents the system parameter given by

ree-Tank System Faults
Representation. e 3TS laboratory system is considered as a rich ground to serve as a test environment for the FTC. It is used as a benchmark system that can be affected by various additive and/or multiplicative faults: (i) Faults actuator: an actuator fault can be represented by (i) where u f i and u i represent the faulty and the normal control action of the ith pump, respectively. e constant offset is denoted by u i0 and 0 ≤ α i ≤ 1 denotes a gain degradation of the i th actuator. (ii) Faults sensor: similar to the actuator fault representation, a faulty output can be written as where y f j and y j represent the faulty and the normal level of the j th sensor, respectively. e constant offset is denoted by y j0 and 0 ≤ β j ≤ 1 denotes a gain degradation of the jth sensor.

Problem Statement.
It is important to be able to carry out the fault detection and isolation before that the faults induce a drastic effect on the system performance. Even in the case of system changes, faults should be detected and isolated. e observer-based approach is used to generate residual signals corresponding to the difference between measured and estimated signals. It is straightforward to think that if the system is faulty, the residual signal will be different to zero. However, the resultant residual will be equal to zero in case of an unfaulty system. e residual signal is compared to a fixed threshold; this comparison is followed by a decision block. To handle all possible sensor faults, we use an observer's bank composed of three high gain observers. Each observer uses the information of two sensors to estimate the third state as it is shown in Figure 2. e three estimated liquid levels y 1 , y 2 , and y 3 provided by the observers' bank allow to calculate the three residuals as follows: Considering these following notations, Table 1 can be established: Consequently, the novel output vector used to implement the control law is given by with y j and y j are, respectively, the measured and the estimated output. F j is a binary variable such as Once the FDI is performed, the faulty sensor S i is identified and the binary variable F i is set to 1. As a result, the control output y ci switches from measured to the estimated output provided by the i th observer (see Figure 3).

Basic Concepts.
Consider nonlinear systems of the form: where the vectors x and u are, respectively, the state and control defined on the subsets M and U and the vectorvalued functions f (.) and p (.) are sufficiently differentiable with respect to their arguments. Firstly, assume y is a single output. Suppose an injective map ζ � q(x) exists, which has a continuous inverse and brings system (12) into the bitriangular form: Denote the system in the ζ-coordinate as Mathematical Problems in Engineering with Assume in the coordinate change dim[ζ] � dim[x] and the Jacobian ( zq(x)/zx ) is nonsingular. According to [30], for (12) an asymptotic observer is where In a practical design, L is firstly chosen such that A-LC is stable. en, an arbitrary θ ≥ 1may be chosen. A large value of θ involved relatively a fast convergence in the estimation error, but, at the same time, it can induce an amplification of the noise measurement.

HGO Design for the 3TS Model.
e nonlinear model (4) of the three-tank system can be written as follows:

Mathematical Problems in Engineering
Typical values of the 3T system are given in Table 2. ese values are later used in observer and controller implementation.
(1) Observer Form with a Single Output Measurement. If only a single measurement is available during operating, according to (16), the observer for the 3TS model takes the form where ensuring that the matrix A-LC is Hurwitz: For instance, suppose only where L j f h(x) is the j th Lie derivative of the function h by f; for example, h(x) and f(x) are differentiable functions of x up to the order n.
So, we have and hence (2) Observer Form with Both State Measurements. To detect and isolate several sensor faults in the whole operating area, we use in FDI block a bank of nonlinear observers. According to [30] and using the assumption cited in [31] if where where L1 and L2 are, respectively, 2x2 and 1x2 constant matrix, which can be easily determined such that A-LC has merely stable eigenvalues (26).
(iii) where the dimensions of L1 and L2 are, respectively, 2x2 and 1x2 constant matrix, which can be easily determined such that A-LC has merely stable eigenvalues. In this case, we have (v) with a and b as given below, and Lθ is the same as given in observer 1. (vi) b.3-Observer 3. Suppose y 1 � h 1 and y 2 � h 2 are Where Lθ is the same as given in observer 1. e proof of convergence of this observer is detailed in [31].

FTC Design
e main objective is to establish a closed-loop regulation to track two reference liquid levels. For this reason, two PI controllers are installed. Each one controls one liquid level. In safety mode, these controllers can successfully accomplish this task. However, in the case of a faulty sensor, nominal performances are affected in the best case, and it can lead to instability in the worst case. To avoid such behavior, we should use the FTC that allows reconfiguring the controller when a fault occurs. As is shown in Figure 4, the role of the FTC unit can be divided into two main tasks: the first one is the FDI detailed in Section 3 and the second one concerns the control law reconfiguration which performs the design parameters adjustment. In the case of faulty sensor Si, the binary variable Fi is set to 1. As a result, the control output yci switches from measured to the estimated output provided by the ith observer. To reduce the sensor fault effect and to maintain the closedloop performance, the control output yci is used for the feedback and then compared with the input reference. e sensor fault accommodation allows reducing the fault effect, and so the system still operates in the degraded mode. To alleviate this degradation, we suggest adjusting the parameters of the PI controller (k p , k i ), from the normal mode parameters (k pin , k iin ) to faulty mode parameters (k pf , k if ) using a switcher block.

FTC Application
To prove the validity of the FTC strategy proposed in paragraphs 3 and 4, we apply it to the hydrographic system described in the second section. e main aim is to accomplish a closed-loop regulation of two levels h 1 and h 3 . As is shown in Figure 5, the test setup is composed by the following: (i) ree liquid tanks with 1-meter height and one evacuation reservoir. (ii) Two 36 W water-pumps (12 V/3 A) with a 4 Lpm liquid flow. (iii) ree piezoresistive transducers MPX-5010 with sensitivity equal to 450 mV/kPa; everyone equips each tank. ese transducers provide accurate analog output signals that are proportional to the pressure variation due to the liquid injection. e accepted range of pressure is from 0 to 10 kPa and the output signal is between 0.2 and 4.7 v. e main feature of this sensor is the possibility to connect it directly to a microcontroller without using a conditioning card. (iv) An STM32Fio card is used as an I/O interface to establish a connection, via USB port, between the control desk using MATLAB/Simulink environment and the I/O peripheries (the three piezoresistive differential pressure sensors as input and the motopump drive board as output). (v) A control desk with MATLAB/Simulink environment.
(vi) Power supply of two variable voltage sources 30 V/ 4A. e control law is implemented in real time using a sampling period of 0.1s. e experimental setup is in the laboratory "Study of Industrial Systems and Renewable Energies" "ESIER" at the National Engineers School of Monastir, Tunisia.

Fault Free Case.
In a faulty free case, the PI controllers successfully ensure this task since these outputs track well the desired trajectory as is shown in Figure 6.
To ensure good tracking of the level references h 1 and h 3 , we used two PI controllers, one for each level with identical parameters K pn � 20 and K in � 15.

Sensor Fault Effect without FTC.
e consequence of the fault scenario in the feedback performance is illustrated in Figure 7. From the instant t1 � 300s, the measured level h 1 has a bias of −8 cm compared to its real value; that is why the control law tries to cancel the static error created by the faulty measurement which appears clearly in the sudden magnitude change of u 1 . Consequently, the real output is different from the reference and it is equal to the value of reference plus the bias value (37.5 + 8 � 43.5 cm). Since t � 450s, the control law u 1 has been almost constant and greater than the nominal value in the fault-free case. Similar to level 1 fault consequence, Figure 8 shows the effect of the fault in sensor 3 which arises at a real level different from the reference, and after t � 720s, a control law u 2 which has almost a constant value greater than the nominal one.

FTC without Controller Adjustment.
e application of the previous FDI method to the same fault scenario sited in subsection 5.2.1 requires the use of observers' bank in order to generate residual and to identify the faulty sensor. After a transient time, this residual is compared to a fixed threshold which allows setting the binary variable Fi to 1 or 0.
(i) At t � t1 � 300s, a bias of −8 cm is added to the liquid level 1; this sudden change induces a rocking of the control output y c1 from the measured y 1 to the estimated y 1 generated by the observer 1 (see Figures 2  and 3). (ii) At t � t2 � 500s, similar to level 1, a bias of −6 cm is added to the third level and, consequently, the feedback is ensured by the estimated output y 3 .
In a practical design, L is firstly chosen such that A-LC is Hurwitz. en, an arbitrary θ ≥ 1 may be chosen. Normally, a large value of θ allows a fast estimation error convergence. But, in the same way, it can generate excessive peaks during the transient, beside inducing an amplification of the noise measurement in the state estimation. To achieve a compromise, we have chosen the observers' parameters as As is shown in Figures 9 and 10, levels 1 and 3 try to suitably track the liquid reference trajectories. But, since the comparison of the input reference is done with an estimated value of the real measurement, large oscillations appear after the fault occurrence.

FTC with Controller Adjustment.
To improve the performance of the closed-loop sited lastly, we suggest the adjustment of the controller parameters from the nominal one (K pn � 20, K i n � 15) to the faulty one (K pf � 70, K if � 50) using a switcher block in which the switching condition is the error between the estimated and the measured signals. As is shown in Figure 11, in a healthy case, the error is less than the threshold; then K p � K pn , after fault occurrence, the error is greater than the threshold and K p switch to K pf . e result of this adjustment is shown in Figures 12 and  13. Compared to Figures 9 and 10, the quality of regulation is improved.

Result Discussion.
e proposed active fault-tolerant control ensures typically quite performances for the closedloop system. Indeed, after sensor fault accommodation a controller reconfiguration is performed to improve the tracking performances. e tracking errors e 1 � y 1 − y 1ref and e 3 � y 3 − y 3ref are depicted, respectively, in Figures 14  and 15 for three cases: fault-free case (a), FTC without control law adjustment (b), and FTC with control law adjustment (c).    Mathematical Problems in Engineering To evaluate the control performance, we use the mean square error MSE criterion defined by where n is the number of measurements, y ref (k) is the desired output, and y(k) is the system output. e computation of the MSE for outputs y 1 and y 3 in cases a, b, and c is illustrated by Table 3, when n � 10000. As seen in Table 3, the MSE values arising from the proposed approach are a little bigger than the fault-free case, but it is still widely smaller than the case of FTC without control law parameters adjustment. is also is confirmed by the dynamic behavior of the output levels y1 and y3 after sensor fault occurrence.

Conclusion
In this study, a bank of high gain observers has been considered for FDI application in a 3TS. After sensor detection and isolation, fault accommodation is applied to ensure the reference tracking aim. For preserving the same performance as the safe mode, a controller parameters adjustment is also proposed. Experimental results are given for the validation of our approach. is work can be extended to reach simultaneous sensor and actuator faults by using unknown input observers. e performance of the controller feedback can be improved using a filtered high gain observer, which ensures a good state estimation, even in the case of noisy measurements.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.