
[IEEE 2005 IEEE Conference on Control Applications, 2005. CCA 2005. - Toronto, Canada (Aug. 29-31, 2005)] Proceedings of 2005 IEEE Conference on Control Applications, 2005. CCA 2005


Dynamic Safety Margin in Fault-Tolerant Predictive Controller

M. Abdel-Geliel, E. Badreddin, A. Gambier

Automation Lab, University of Mannheim, Germany. [email protected], [email protected], [email protected]

Abstract — Dynamic safety margin (DSM) is a new performance index used to measure the distance between a predefined safety boundary in the state space and the system trajectory as it evolves. Controller design based on DSM is important to maintain a predefined margin of safety during the transient and in the presence of large disturbances, particularly in safety-critical systems. In this paper, a fault tolerant control design, using a predictive controller based on DSM, to recover system performance after some system faults is discussed. In addition, real-time results of a control system, which was implemented in a two-tank system, are presented to demonstrate the fruitfulness of this design.

I. INTRODUCTION

The evaluation of a control system depends mainly on the difference between the desired performance according to the given specifications and the actual performance.

Safety is one of the most important specifications for the controlled system. The safety control problem requires moving the system from a given set of initial states in its state space to a predetermined safe region. Dynamic Safety Margin (DSM) is a new performance index for control system design, which was introduced in [1], [2] and [16]. This index measures how far the system state trajectory is from a predefined safety boundary in the state space. The state variables of interest have to be inside that boundary region in normal operation and in case of uncertainties and/or disturbances. Thus, controller design based on DSM makes it possible to maintain a predefined margin of safety during the transient and steady state of safety-critical systems. Moreover, it can be used in Fault Tolerant Control system design (FTC) [3], [4] in order to speed up performance recovery in some cases of faults.

Some methods for introducing DSM into controller design are stated in [1] and [16]. In those contributions, adapting the parameters of PID controllers, switching controllers and/or optimal control are highlighted. An algorithm for the computation of DSM and the use of DSM in fault diagnosis and isolation is discussed in [2]. Model-based Predictive Control (MPC) belongs to a class of approaches that determines the optimal control profile according to a prediction of the system behavior over a receding time horizon, i.e. a sequence of future control actions is chosen in order to predict the evolution of the system and it is applied to the plant until new measurements are available. Then, a new sequence is determined, which replaces the previous one [5]-[7]. DSM can be introduced in MPC as either a hard constraint or an additional term in the performance index (soft constraints). The way to do this, the analysis for FTC and the practical application in real-time are the main contribution of this work.

The paper is organized as follows: First, DSM for safety-critical systems and the FTC problem are explained. Next, a state-space predictive controller design based on DSM, to maintain a predefined margin of safety during system operation, is developed and simulation results are presented. This is followed by an illustrative real-time example on a two-tank laboratory prototype with industrial components. Finally, conclusions and future work are drawn.

II. DEFINITION OF FTC AND DSM

An FTC system is a control system that can accommodate component faults and is able to maintain stability and an acceptable degree of performance not only when the system is fault-free but also when there are component malfunctions. The FTC prevents faults in a subsystem from developing into failures at system level. The design of FTC systems can be classified as passive or active (PFTC and AFTC). In PFTC, a system may tolerate only a limited number of faults, which are assumed to be known prior to the design of the controller. Once the controller is designed, it can compensate anticipated faults without any access to on-line fault information. AFTC compensates the effect of faults either by selecting a pre-computed control law, or by synthesizing a new control law on-line in real-time.

In the following, the general idea will briefly be explained (see [1] for details). Let X be the state space in $\mathbb{R}^n$, and consider a subspace $\Omega \subset X$ which defines the safe operation region for some subset of state variables, $x \in \mathbb{R}^m$, in the state subspace. It can be specified by a set of inequalities $\{\varphi_i(x) \le 0,\ i = 1, \dots, q\}$, where $\varphi_i: \mathbb{R}^m \to \mathbb{R}$; $\varphi_i(x) > 0$ indicates unsafe operation (Fig. 1). It is assumed that the system is stable in the sense of Lyapunov and that the safe region is fully contained in the stability region. Starting with the initial condition $x_o$, the system trajectory will evolve to the operating point $x_s$, traversing the state space with varying distance to the safety boundary. DSM is defined as the instantaneous shortest distance $\delta(t)$ between the state variables of interest and the predefined boundaries $\{\varphi_i(x) = 0,\ i = 1, \dots, q\}$ in this subspace of state variables. When the system reaches the operating point, $d\delta(t)/dt = 0$ and $\delta(t)$ reaches a constant value indicating the Stationary Safety Margin (SSM). Most industrial designs are done trying to satisfy specified values of SSM.

Proceedings of the 2005 IEEE Conference on Control Applications, Toronto, Canada, August 28-31, 2005

TB2.2

0-7803-9354-6/05/$20.00 ©2005 IEEE 803

It is necessary to distinguish between the safety boundary and the individual amplitude limits of the states in the time domain. Sometimes some of the safety boundaries are defined by the state limits, but not always. Fig. 2 shows the difference between the amplitude bounds of variables and the safety boundary. It is clear from Fig. 2 that all state variables lie inside their individual amplitude bounds, but some state vectors do not satisfy the safety boundary constraints. In general, the safe-operation region $\Omega$ is defined by a set of inequalities given by

$\varphi_i(x) \le 0, \qquad i = 1, \dots, q$   (1)

[Fig. 1: DSM definition. Axes $x_1$, $x_2$; safe operation region ($\varphi(\cdot) < 0$), unsafe operation region ($\varphi(\cdot) > 0$), safety boundary ($\varphi_i(\cdot) = 0$); trajectory from $x_o$ to $x_s$ with distance $\delta(t)$ to the boundary.]

[Fig. 2. DSM and state limits. Time plots of $x_1$ and $x_2$ with their individual safe limits, and the safe operation region in the ($x_1$, $x_2$) plane.]

and DSM is defined as

$\delta(t) = \min_{1 \le i \le q} \delta_i(t)$   (2)

$\delta_i(t) = s(t) \cdot \min_{x_i} \|x(t) - x_i\|, \qquad x = [x_1, x_2, \dots, x_m]^T$   (3)

where s(t) is given by

$s(t) = \begin{cases} +1 & \text{if } x \text{ is inside the safe operation region} \\ -1 & \text{if } x \text{ is outside the safe operation region} \end{cases}$

and $\|\cdot\|$ and $\min_{x_i}$ denote the norm and the shortest distance from x(t) to the boundary point $x_i$, respectively. Variable q is the number of defined inequalities and m the number of state variables relevant to safety. Notice that $m \le n$, the dimension of the state space.

In most cases, the safe operation region can be defined by a set of linear inequalities $\{\varphi_i(x) \le 0\}$. In case the boundary function is nonlinear, it can be subdivided into two or more linear constraints (piecewise linear approximation). If $\Omega$ is convex, defined by linear boundary constraints, and the variables of interest are given by the whole state vector, i.e. m = n, then the safe region is a polytope defined by q linear inequalities of the form

$\varphi_i(x) = a_i^T x - c_i \le 0$   (4)

where $a_i^T \in \mathbb{R}^n$, $c_i$ is a constant and $\varphi_i(\cdot) = 0$ is a subspace of state vectors $x_i$ where $a_i^T x_i = c_i$. Thus, for the state vector x, $\delta_i(\cdot)$ can be calculated [2] as

$\delta_i(t) = \begin{cases} \dfrac{|a_i^T x(t) - c_i|}{\|a_i\|_2} & \text{iff } \varphi_i(x(t)) \le 0 \\[6pt] -\dfrac{|a_i^T x(t) - c_i|}{\|a_i\|_2} & \text{iff } \varphi_i(x(t)) > 0 \end{cases}$   (5)

For all boundaries, the distance vector $d(t) = [\delta_1(t), \delta_2(t), \dots, \delta_q(t)]^T$ can be obtained from

$d(t) = d_c - D_a\, x(t) \in \mathbb{R}^q$   (6)

where $d_c = D_{ia}\, c \in \mathbb{R}^q$, $D_a = D_{ia}\, A_c \in \mathbb{R}^{q \times n}$,

$D_{ia} = \mathrm{diag}\left( \frac{1}{\|a_1\|_2}, \frac{1}{\|a_2\|_2}, \dots, \frac{1}{\|a_q\|_2} \right) \in \mathbb{R}^{q \times q}; \quad A_c = [a_1\ a_2 \cdots a_q]^T \in \mathbb{R}^{q \times n}; \quad c = [c_1\ c_2 \cdots c_q]^T \in \mathbb{R}^q;$

$\delta(t)$, the DSM, is the minimum element of d(t) according to (1).

III. FAULT TOLERANT CONTROL AND DSM

According to the definition of DSM in [1] and [2], DSM should satisfy $\delta(\cdot) \ge 0$; otherwise there is a fault or a large disturbance. Hence, an FTC design based on DSM satisfies the desired response and maintains the system state within the safe region. Moreover, it should have the ability to bring the system states back into the safe region as fast as possible when, for some reason, an abnormal situation has been reached. FTC based on DSM can be passive or active [3], [4]. If the passive FTC with DSM does not have the ability to recover the system, then active FTC with DSM is preferred. The involvement of DSM in active FTC systems is important because the information of the fault detection and isolation (FDI) system, in most cases, is not accurate. Hence, DSM with active FTC can improve the FTC system. In this work, DSM is introduced only in passive FTC systems, where there is no information about the fault.

IV. PREDICTIVE CONTROLLER WITH DSM

In general, most of the control algorithms used to recover the system performance stem from linear quadratic, adaptive or robust control. Thus, this section explains how DSM can be involved in predictive controllers to achieve safety requirements in addition to system performance.

The control law of the predictive controller, for a system defined by the state-space model, is determined from the minimization of a 2-norm measure of predicted performance [5]

$J = \min_{\mathbf{u}} \Big[ e^T(k+N)\, S_1\, e(k+N) + \sum_{i=N_1}^{N-1} e^T(k+i)\, Q_1\, e(k+i) + \sum_{i=0}^{N_u-1} u^T(k+i)\, R\, u(k+i) \Big]$   (7)

subject to

$x(k+1) = A\,x(k) + B\,u(k), \qquad y(k) = C\,x(k) + D\,u(k)$   (8)

where $\mathbf{u} = [u^T(k)\ \ u^T(k+1) \cdots u^T(k+N_u-1)]^T \in \mathbb{R}^{N_u r}$; $e(k) = y_d(k) - y(k)$; $e \in \mathbb{R}^m$ is the error between the desired and measured response; $x \in \mathbb{R}^n$ is the system state vector, $y_d \in \mathbb{R}^m$ is the reference output vector, $y \in \mathbb{R}^m$ is the measured output vector, $u \in \mathbb{R}^r$ is the input vector, A, B, C and D are the system parameter matrices of adequate dimensions, $S_1$ and $Q_1$ are the error weighting matrices, R is the input weighting matrix, and N, $N_1$ and $N_u$ are the maximum, minimum and control horizons, respectively.

The prediction matrices used below are the lower block-triangular matrices

$C_b = \begin{bmatrix} C A^{N_1-1} B & \cdots & C B & 0 & \cdots & 0 \\ \vdots & & & \ddots & & \vdots \\ C A^{N-1} B & C A^{N-2} B & \cdots & \cdots & \cdots & C A^{N-N_u} B \end{bmatrix} \in \mathbb{R}^{m(N-N_1+1) \times r N_u}$

$D_b = \begin{bmatrix} D_a A^{N_1-1} B & \cdots & D_a B & 0 & \cdots & 0 \\ \vdots & & & \ddots & & \vdots \\ D_a A^{N-1} B & D_a A^{N-2} B & \cdots & \cdots & \cdots & D_a A^{N-N_u} B \end{bmatrix} \in \mathbb{R}^{q(N-N_1+1) \times r N_u}$

with the direct feedthrough D entering through a block-diagonal matrix of D blocks of dimension $m(N-N_1+1) \times r N_u$.

The involvement of DSM into the predictive controller can be handled in two different forms, where both present advantages and disadvantages. Both methods consider that the system model is described by a state-space model and that the safe region is defined by linear boundaries.

A. Method 1

To control DSM (DSM positive), all elements of the distance vector ($d \in \mathbb{R}^q$) in (6) must be positive. Thus, the vector d can be introduced in the predictive control problem as additional Linear Matrix Inequality (LMI) constraints. Hence, the control signal is obtained by minimizing equation (7) subject to

$x(k+1) = A\,x(k) + B\,u(k); \quad y(k) = C\,x(k); \quad d(x(k+i)) \ge 0 \ \ (\text{or } \delta(x(k+i)) \ge 0), \quad i = N_1, \dots, N$   (9)

Consider (5) and (8); then a general form of the error prediction and of the distance vector d are

$\mathbf{e} = \mathbf{y}_d - (C_a\, x(k) + C_b\, \mathbf{u})$   (10)

$\mathbf{d} = \mathbf{d}_t - (D_A\, x(k) + D_b\, \mathbf{u}) \ge 0$   (11)

where

$\mathbf{y}_d = \begin{bmatrix} y_d(k+N_1) \\ y_d(k+N_1+1) \\ \vdots \\ y_d(k+N) \end{bmatrix} \in \mathbb{R}^{m(N-N_1+1)}; \quad \mathbf{e} = \begin{bmatrix} e(k+N_1) \\ e(k+N_1+1) \\ \vdots \\ e(k+N) \end{bmatrix} \in \mathbb{R}^{m(N-N_1+1)}; \quad \mathbf{d} = \begin{bmatrix} d(k+N_1) \\ d(k+N_1+1) \\ \vdots \\ d(k+N) \end{bmatrix} \in \mathbb{R}^{q(N-N_1+1)};$

$C_a = \begin{bmatrix} C A^{N_1} \\ C A^{N_1+1} \\ \vdots \\ C A^{N} \end{bmatrix} \in \mathbb{R}^{m(N-N_1+1) \times n}; \quad D_A = \begin{bmatrix} D_a A^{N_1} \\ D_a A^{N_1+1} \\ \vdots \\ D_a A^{N} \end{bmatrix} \in \mathbb{R}^{q(N-N_1+1) \times n}; \quad \mathbf{d}_t = \begin{bmatrix} d_c \\ d_c \\ \vdots \\ d_c \end{bmatrix} \in \mathbb{R}^{q(N-N_1+1)};$

$d_c$ and $D_a$ are constant matrices calculated from (6), and $C_b$ and $D_b$ are the block matrices given after (8).

The objective function according to (10) is

$J = \min_{\mathbf{u}} \left( \mathbf{u}^T M\, \mathbf{u} - 2\, H\, \mathbf{u} + c_r \right)$ subject to (11),   (12)

where

$M = C_b^T Q_t C_b + R_t; \quad H = (\mathbf{y}_d - C_a x(k))^T Q_t C_b; \quad c_r = (\mathbf{y}_d - C_a x(k))^T Q_t (\mathbf{y}_d - C_a x(k));$

$Q_t = \mathrm{diag}(Q_1, \dots, Q_1, S_1) \in \mathbb{R}^{m(N-N_1+1) \times m(N-N_1+1)}; \quad R_t = \mathrm{diag}(R, \dots, R) \in \mathbb{R}^{r N_u \times r N_u}.$

Equation (12) is known as a quadratic programming (QP) problem, for which standard solvers exist [8]-[12]. One on-line optimization of equation (12) gives the desired control sequence, which achieves the output performance and the safety performance. Note that Q, S, R, N, $N_1$ and $N_u$ are free design parameters. DSM constraints are considered here as hard constraints.

The feasibility of the above MPC with DSM constraints can be analysed as in [7]; it has not been included in this work. Moreover, the safety region can be considered as an invariant set [13] and can be analysed accordingly. This method can give good results, but the computational burden is so high that it can only be applied where the process time constants are slow.

B. Method 2

In order to present the second method, the following lemma is necessary:

Lemma 1: If the safe operating region $\Omega$ is convex, then the condition to minimize any norm of $d(t)$ subject to the system model is to move the states to be inside the safety region $\Omega$. The proof of Lemma 1 is simple; it follows from the properties of convex sets.

Hence, the 2-norm of $d(t)$ can be introduced as an additional term in the main objective function (7). The objective function of the predictive controller in this case can be rewritten in the following form

$J = \min_{\mathbf{u}} \Big[ e^T(k+N)\, S_1\, e(k+N) + d^T(k+N)\, P_1\, d(k+N) + \sum_{i=N_1}^{N-1} \big( e^T(k+i)\, Q_1\, e(k+i) + d^T(k+i)\, P_1\, d(k+i) \big) + \sum_{i=0}^{N_u-1} u^T(k+i)\, R\, u(k+i) \Big]$   (13)

subject to (7) and (4), where, with the augmented error $\bar{e} = [e^T\ \ d^T]^T \in \mathbb{R}^{m+q}$,

$\bar{Q}_1 = \begin{bmatrix} Q_1 & 0 \\ 0 & P_1(\delta) \end{bmatrix}, \qquad \bar{S}_1 = \begin{bmatrix} S_1 & 0 \\ 0 & P_1(\delta) \end{bmatrix},$

and $P_1(\delta)$ is built from the constant matrices $P_o$ and P. This is an unconstrained quadratic problem, where $P_1$ is the weighting matrix for d and it depends on the value of DSM ($\delta$), i.e. if $\delta$ is negative then the weighting matrix is increased, and vice versa. P is a constant weighting matrix. The number of free design parameters in this case is increased by $P_o$. DSM constraints here are considered as soft constraints. This optimization problem can be solved in two different ways.

1) One-shot Optimization

Solving the problem in the form of (13) using direct optimization can be found in [5], [14]. Substituting (10) and (11) in (12),

$J = \min_{\mathbf{u}} \left[ \mathbf{e}^T Q_t\, \mathbf{e} + \mathbf{u}^T R_t\, \mathbf{u} + \mathbf{d}^T P_t\, \mathbf{d} \right]$

is obtained, where

$P_t = \mathrm{diag}(P_1, \dots, P_1) \in \mathbb{R}^{q(N-N_1+1) \times q(N-N_1+1)}.$

The control law is given by

$\mathbf{u}(k) = K_y\, \mathbf{y}_d + K_d\, \mathbf{d}_t - K_x\, x(k)$   (14)

where

$K_y = \left( C_b^T Q_t C_b + D_b^T P_t D_b + R_t \right)^{-1} C_b^T Q_t,$

$K_d = \left( C_b^T Q_t C_b + D_b^T P_t D_b + R_t \right)^{-1} D_b^T P_t,$

$K_x = \left( C_b^T Q_t C_b + D_b^T P_t D_b + R_t \right)^{-1} \left( C_b^T Q_t C_a + D_b^T P_t D_A \right).$

The first component in $\mathbf{u}$, namely u(k), is the control vector applied to the system. This control vector can be obtained from (14) as

$u(k) = [\,I_r : 0 : \cdots : 0\,] \left( K_y\, \mathbf{y}_d + K_d\, \mathbf{d}_t - K_x\, x(k) \right)$   (15)

Despite the simplicity of the direct optimization algorithm, it needs much memory space because the matrices usually have large dimensions. Moreover, the problem could become numerically unstable when the horizons are very large.

2) Dynamic programming

The solution of the control problem by applying dynamic programming is given by the affine control law [6], but without integral action,

$u(k) = u_w(k) - K(N-1)\left[ M_{N-1}^T + B^T P(N-1)\, A \right] x(k)$   (16)

where $u_w$ represents the control vector due to the reference ($y_r$) and the second term, $u_x$, the control action based on the state feedback;

$K(N-1) = \left( \bar{R}_{N-1} + B^T P(N-1)\, B \right)^{-1}, \qquad \bar{R}_j = R_j + \bar{D}^T \bar{Q}_{1j} \bar{D}.$

P(N-1) is calculated by solving the Riccati Difference Equation (RDE)

$P(j+1) = \bar{Q}_j + A^T P(j)\, A - \left[ M_j^T + B^T P(j)\, A \right]^T K(j) \left[ M_j^T + B^T P(j)\, A \right]$

for j = 1, …, N-2, with the specific initial value $P(0) = \bar{C}^T \bar{S}_1 \bar{C}$. $K_1$ is calculated from

$K_1(j) = K(j) \left[ M_j^T + B^T P(j)\, A \right],$

where $M_j = \bar{D}^T \bar{Q}_{1j} \bar{C}$ and $\bar{Q}_j = \bar{C}^T \bar{Q}_{1j} \bar{C}$. The matrices $\bar{C}$ and $\bar{D}$ are obtained from

$\bar{C} = \begin{bmatrix} C \\ D_a \end{bmatrix} \in \mathbb{R}^{(m+q) \times n} \qquad \text{and} \qquad \bar{D} = \begin{bmatrix} D \\ 0_{q \times r} \end{bmatrix}.$

The stage weights $\bar{Q}_{1j}$ and $R_j$ are defined from $\bar{Q}_1$ and R: $\bar{Q}_{1j}$ equals $\bar{Q}_1$ for the prediction steps between $N_1$ and N and is zero before $N_1$; $R_j$ equals R within the control horizon $N_u$ and an identity-based weight outside it.

The control vector $u_w(k)$ is given by

$u_w(k) = K(N-1) \left[ \bar{D}^T \bar{Q}_{1j}\, w_d(k) + B^T p(N-1) \right]$

where $w_d(k) = [\,y_r^T(k)\ \ d_c^T\,]^T \in \mathbb{R}^{m+q}$; p(N-1) is obtained from

$p(j+1) = \left( \bar{C} - \bar{D} K_1(j) \right)^T \bar{Q}_{1j}\, w_d(k+N-j-1) + \left( A - B K_1(j) \right)^T p(j)$

and $p(0) = \bar{C}^T \bar{S}_1\, w_d(k+N)$.

The advantage of using dynamic programming optimization instead of direct optimization is that the matrix dimensions are smaller. However, the number of calculation steps is increased.

Notice that both methods to implement DSM in a predictive controller are general for MIMO systems. The following example shows the advantages of each method.

Example

State-space model parameters of a separately excited dc motor, described in [1], are

A B C D

1111

10 01 ]0[

[Fig. 3. DC motor response with PID (SB: Boundary and OP: Trajectory). (a) States: current (A) vs speed [rad/s] with the safety boundary; (b) DSM vs t [s]; (c) speed and current vs t [s]; (d) control (Volt) vs t [s].]

[Fig. 4. DC Motor response with predictive controller method 1. (a) States: current vs speed; (b) DSM vs t [s]; (c) speed and current vs t [s]; (d) control (Volt) vs t [s].]

[Fig. 5. DC Motor response with predictive controller method 2. (a) States: current vs speed; (b) DSM vs t [s]; (c) speed and current vs t [s]; (d) control (Volt) vs t [s].]

where $x = [w\ \ i]^T$ and $u = v_i$; w is the motor speed (angular velocity), i the armature current and $v_i$ the input voltage, $v_i \in [0, 5]$. The safe operation region is defined by

$i - (w + 0.5) < 0; \quad i - w > 0; \quad i < 4 \quad \text{and} \quad w < 4.$   (17)
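As an added worked example (not code from the paper), the following Python evaluates the distance vector (6) and the DSM (2) for the DC-motor safe region (17), and checks it against the case form (5), along a constructed state trajectory that overshoots the band $i - w < 0.5$. The rewriting of (17) into the $a_i^T x - c_i \le 0$ form of (4), the state ordering x = (w, i) and the sample points are assumptions made here.

```python
"""Distance vector d(t) = d_c - D_a x(t) of (6) and DSM delta(t) = min_i d_i(t) of (2)
for the DC-motor safe region (17). Added example, not from the paper.

Assumptions: state x = (w, i) with w the motor speed and i the armature current; each
inequality of (17) is rewritten by hand in the form a_i^T x - c_i <= 0 of (4); the strict
inequalities of (17) are treated as non-strict, which does not change the distances.
"""
import math

# Safe region (17): i - (w + 0.5) < 0; i - w > 0; i < 4; w < 4, rewritten as a_i^T x <= c_i
# with x = [w, i]. "i - w > 0" becomes "w - i <= 0". Rows of A_c and entries of c:
A_C = [
    (-1.0, 1.0),   # i - w - 0.5 <= 0
    (1.0, -1.0),   # w - i <= 0
    (0.0, 1.0),    # i <= 4
    (1.0, 0.0),    # w <= 4
]
C_VEC = [0.5, 0.0, 4.0, 4.0]


def boundary_matrices(a_c, c_vec):
    """Build d_c = D_ia c and D_a = D_ia A_c from (6), with D_ia = diag(1/||a_i||_2)."""
    d_c, d_a = [], []
    for a, c in zip(a_c, c_vec):
        norm = math.sqrt(sum(v * v for v in a))
        d_c.append(c / norm)
        d_a.append(tuple(v / norm for v in a))
    return d_c, d_a


def distance_vector(x, d_c, d_a):
    """d(t) = d_c - D_a x(t): signed Euclidean distance to every boundary (positive inside)."""
    return [dc - sum(da_j * x_j for da_j, x_j in zip(da, x)) for dc, da in zip(d_c, d_a)]


def dsm(x, d_c, d_a):
    """delta(t) = min_i d_i(t), eq. (2); a negative value means x is outside Omega."""
    return min(distance_vector(x, d_c, d_a))


def signed_distance_case(x, a, c):
    """Eq. (5) written as its two cases: |a^T x - c| / ||a||_2 with the sign of s(t)."""
    phi = sum(a_j * x_j for a_j, x_j in zip(a, x)) - c
    norm = math.sqrt(sum(v * v for v in a))
    return abs(phi) / norm if phi <= 0 else -abs(phi) / norm


def trajectory_dsm(points, a_c=A_C, c_vec=C_VEC):
    """DSM along a sampled trajectory and the index of the first sample outside Omega."""
    d_c, d_a = boundary_matrices(a_c, c_vec)
    margins = [dsm(x, d_c, d_a) for x in points]
    first_violation = next((k for k, m in enumerate(margins) if m < 0), None)
    return margins, first_violation


if __name__ == "__main__":
    # Constructed sample trajectory (w, i): the current overshoots the band i - w < 0.5.
    samples = [(0.0, 0.2), (0.5, 0.8), (1.0, 1.6), (1.8, 2.0), (2.0, 2.1)]
    margins, k = trajectory_dsm(samples)
    for x, m in zip(samples, margins):
        print(f"x={x}  DSM={m:+.4f}")
    print("first unsafe sample:", k)
```

The same routine applies unchanged to any polytope in the form (4); only `A_C` and `C_VEC` change.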

Fig. 3 shows the motor state trajectory (Fig. 3a), the DSM variation (Fig. 3b) and the speed response (Fig. 3c) to a step input of 2 rad/sec using a PID controller with Kp = 4, Ki = 1 and Kd = 1. The response of the controller is acceptable w.r.t. the error and rise time, but the state trajectory lies outside the safe boundaries during the transient (Fig. 3a), i.e. DSM is negative. To improve DSM at transient time, the controller should be redesigned according to DSM. Some methods of solving this problem are stated in [1] and [3] using switched PID, adaptive PID and optimal state-feedback controllers based on DSM. Fig. 4 shows the motor response using a predictive controller in the form of (9) subject to (11) (method 1) with the following parameters

$A_c$ and c encoding the linear boundaries (their entries are not legible in this copy); $D_{ia} = \mathrm{diag}(0.702, 0.702, 1, 1, 1, 1)$; horizons N, $N_1$, $N_u$ and weights $Q_1$, $S_1$ (values not legible in this copy); R = [0.001]. Fig. 5 shows the best motor response that can be obtained, w.r.t. safety and transient performance, using a predictive controller in the form of (15) (method 2) with the following parameters

$P_o$ = Diag(10, 10, 0, 0, 0, 0); $Q_1 = S_1$ = [30]; R = [0.001]; N = 10; $N_1$ = 1; $N_u$ = 5.

Note that the rise time in Fig. 4 is similar to Fig. 3, but the state trajectory (Fig. 4a) is forced to be inside the safe region during the transient period. The response in Fig. 5a satisfies the safety bounds, but the rise time is increased (Fig. 5c).

The performance of method 1 is more acceptable, but the computation algorithm is difficult. On the other hand, the algorithms of method 2 are quite easy and provide smoother control signals, but the overall performance of the system is, for this particular example, worse and the number of free design parameters is increased.

V. EXPERIMENTAL RESULTS

The above algorithms are tested in real-time operation of an experimental laboratory process described in [15]. The process, shown in Fig. 6, consists of a two-tank system. Each tank has a control valve at the output line to control the level in the tank. In the current experiment, the interconnecting valve was fully opened, the leakage valve (control valve of the 2nd tank) was adjusted to simulate a constant leakage, and the control valve of the first tank was used to adjust the level in both tanks. The two-tank system was fed at a constant flow of 1 l/s into the first tank. The discrete linear model of the system at a sampling rate of 10 Hz is given in Table 1.

[Fig. 6. Schematic diagram of a two-tank system: input flow 1 l/s into the first tank (level h1), control valve, leakage valve, Level Transmitter 1 and Level Transmitter 2.]

[Fig. 8: Level response using predictive controller with DSM. (a) States h1, h2 vs t [s]; (b) control signal vs t [s]; (c) dh/dt [m/s] vs valve opening with the safety boundary; (d) DSM vs t [s].]

Table 1: Linear state-space model of the two-tank system

$A = \begin{bmatrix} 0.9748 & 0.0019 & -0.0146 \\ -0.1616 & -0.2104 & 0.5555 \\ -2.4323 & -1.1408 & 0.2307 \end{bmatrix}, \quad B = \begin{bmatrix} -0.0004 \\ -0.0105 \\ -0.0173 \end{bmatrix}, \quad C = [1\ \ 0\ \ 0], \quad D = [0]$

The output h is the level in the tank (m) and the input is the valve opening.

Consider that the variables which are relevant to system safety are the tank level rate (dh/dt) and $v_i$, the valve limb movement (m), which simulates the valve opening. The safe operation region ($\Omega$) is given by:

$dh/dt + 0.8\, v_i - 0.08 \le 0; \quad dh/dt + 0.75\, v_i + 0.14 \ge 0; \quad -0.4 \le dh/dt \le 0.4; \quad -0.5 \le v_i \le 0.5.$   (18)

where the valve opening is normalized within [-0.5, 0.5], i.e. 0.5 means fully opened and -0.5 completely closed. The level rate (dh/dt) is given in (mm/sec).

Predictive controllers with and without DSM are used, according to Section 3, to regulate the level of the left tank at a set point of 0.3 m in the case of a leakage fault. Fig. 7 shows the real-time results without considering DSM in the predictive controller for the actual two-tank system when the leakage valve is opened 10% after 500 sec, 30% after 650 sec, and 50% after 800 sec (fault scenario). Fig. 8 shows the real-time results of the above algorithm with DSM considered in the predictive controller for the same faults. It is clear from Fig. 8 that in case of fault the controller has the ability to operate the system within the safety limit until the fault is repaired or isolated.

VI. CONCLUSIONS

Controller design based on DSM improves the safety assessment of safety-critical systems, particularly by using MPC. Results of a simulation example as well as of a real-time implementation on a two-tank process demonstrate the advantage of this approach, mainly in FTC. However, the feasibility of MPC with DSM constraints was not treated in this work. There are some open areas in applying this approach, which should be covered in the future: for example, DSM measurement for large-scale systems and the problem of determining safety boundaries. Hence, all these topics will be undertaken in future work, as well as the problem of applying DSM to fault prognosis.

REFERENCES

[1] E. Badreddin and M. Abdel-Geliel, “Dynamic Safety Margin Principle and Application in Control of Safety Critical System,” IEEE International Conference on Control Applications (CCA 2004), September 2-4, 2004, Taiwan, 689-695.

[2] M. Abdel-Geliel and E. Badreddin, “Dynamic Safety Margin in Fault Diagnosis and Isolation,” European Safety and Reliability (ESREL) Conf., Tri-city, Poland, June 27-30, 2005.

[3] M. Blanke, M. Staroswiecki and N. Eva Wu, “Concepts and Methods in Fault-Tolerant Control,” Tutorial at American Control Conference, June 2000.

[4] M. Mahmoud, J. Jiang, and Y. Zhang, “Active Fault Tolerant Control Systems: Lecture Notes in Control and Information Sciences,” Springer, 2003.

[5] J.A. Rossiter, “Model-Based Predictive Control: A Practical Approach,” CRC, 2003.

[6] A. Gambier and H. Unbehauen, “Multivariable Generalized State-Space Receding Horizon Control in a Real-time Environment,” Automatica, 35, 1787-1797, 1999.

[7] D. Q. Mayne, J. B. Rawlings, C. V. Rao and P. O. M. Scokaert, “Constrained Model Predictive Control: Stability and Optimality,” Automatica, 36, 789-814, 2000.

[8] E.F. Camacho and C. Bordons, “Model Predictive Control,” Springer, 1999.

[Fig. 7: Level response using predictive controller without DSM. (a) States h1, h2 vs t [s]; (b) control signal vs t [s]; (c) dh/dt [m/s] vs x1 (valve opening); (d) DSM vs t [s].]

[9] T.F. Coleman and Y. Li, “A Reflective Newton Method for Minimizing a Quadratic Function Subject to Bounds on Some of the Variables,” SIAM Journal on Optimization, Vol. 6, No. 4, 1040-1058, 1996.

[10] J.M. Maciejowski, “Predictive Control with Constraints,” Prentice Hall, 2001.

[11] F. Borrelli, “Constrained Optimal Control of Linear and Hybrid Systems: Lecture Notes in Information Science,” Springer, 2003.

[12] T. Coleman, M.A. Branch and A. Grace, “Optimization Toolbox,” MathWorks, Inc., 1999.

[13] F. Blanchini, “Set Invariance in Control,” Automatica, 35, 1747-1767, 1999.

[14] A. Gambier, “State-space Design of Predictive Control for MIMO Systems,” PhD thesis, Bochum University, Germany, 1995.

[15] A. Gambier, T. Miksch and E. Badreddin, “A Control Laboratory Plant to Experiment with Hybrid Systems,” Proc. of American Control Conference, Denver, 2003.

[16] M. Abdel-Geliel and E. Badreddin, “Adaptive Controller Using Dynamic Safety Margin for Hybrid Laboratory Plant,” Proc. of American Control Conference 2005, Portland, Oregon, USA, 1443-1448.
