CONTROL RECONFIGURATION AFTER

ACTUATOR FAILURES: THE GENERALISED

VIRTUAL ACTUATOR

Jan Lunze ∗

∗ Ruhr-Universitat BochumInstitute of Automation and Computer Control

44780 Bochum, Germany

Abstract: Control reconfiguration concerns the problem of finding a new controlconfiguration and new controller parameters after faults have brought the nominalcontroller out of operation. This paper develops the idea of the generalised virtualactuator, which is a reconfiguration block to be inserted between the faulty plant andthe nominal controller. General properties of the reconfigured closed-loop system likethe separation principle for the generalised virtual actuator are proved and guidelinesare given for the choice of the free parameters. The new reconfiguration schemeincludes several ideas that have been recently developed for specific situations andmakes it possible to use a uniform reconfiguration algorithm in all these situations.The results are illustrated by presenting a solution to the COSY benchmark problem.Copyright (c) 2006 IFAC

Keywords: Fault-tolerant control, reconfiguration, actuator failure, virtual actuator

1. INTRODUCTION

Fault-tolerant control aims at retaining a systemin operation after some fault has occurred. Differ-ent methods have been elaborated in the recentpast to detect and identify faults in a dynamicalsystem and to adjust the controller to the changesof the plant dynamics that are brought about bythese faults (cf. Blanke et al 2006).

This paper concerns the reconfiguration task incase of actuator failures that make the operationof the nominal control loop impossible. For actua-tor failures the adjustment of the controller to thefaulty plant includes the selection of alternativeactuators in order to close the control loop whichhas been brought out of operation by the actuatorfailures.

This problem is illustrated in Fig. 1 for a tanksystem considered later in more detail. For thenominal plant, the controller uses the input u2

to bring the tank level to the set-point w. If the

T a n k s y s t e mL e v e l

c o n t r o l l e r

u2

u1

u3

w y

d

-

Fig. 1: The reconfiguration problem for a level

controller

actuator associated with the input u2 is blocked,the control loop does no longer satisfy its missionand the controller has to be reconfigured so asto use the inputs u1 and/or u3. Clearly, after theselection of new inputs to be used, the controllerparameters have to be adapted to these inputs.

This paper develops the idea of a generalisedvirtual actuator, which adapts both the controlconfiguration and the controller parameters to thefaulty plant. The virtual actuator is a dynamicalsystem, which is put between the faulty plantand the nominal controller. As shown in Fig. 2,it transforms the output vector uf of the faulty

1240

V i r t u a l a c t u a t o r

F a u l t y p l a n t

yc

N o m i n a l c o n t r o l l e r

yf

uf

uc

w

R e c o n f i g u r e dp l a n t

R e c o n f i g u r e dc o n t r o l l e r

Fig. 2: Control reconfiguration by means of a

virtual actuator

plant into the output vector yc used by thecontroller and the controller output vector uc intothe plant input vector uf . The virtual actuatorshould “hide” the effects of the actuator failuresfrom the controller. That is, the reconfiguredplant, which consists of the faulty plant and thevirtual actuator, should behave like the nominalplant fault-hiding goal. If this goal is satisfied,the nominal controller can be used to control thefaulty plant.

The idea of using a virtual actuator has beenfirst proposed in (Lunze and Steffen 2002) and(Blanke et al. 2006) and further developed in(Lunze and Steffen 2006) and (Steffen 2005). Twoimportant properties have been shown in thesereferences. First, the virtual actuators definedthere ensure that the effects of faulty actuatorscan actually be “hidden” from the controller sothat the nominal controller can be used for thefaulty plant. Second, the design of the virtualactuator can be done completely automaticallywithout the intervention of a human operatorand, thus, can be applied under the real-timeconstraints of practical control reconfiguration.

In the recent literature different virtual actua-tors have been defined for different situations.Moreover, the proposed virtual actuators do notnaturally shrink to a static reconfiguration block ifthe reconfigurability condition given in (Gao andAntsaklis 1991) are met. Hence, a natural idea isto develop a virtual actuator that reduces to thisstatic block unter the reconfigurability conditionand extends smoothly to a dynamical block if thiscondition is violated. Similar investigations havebeen published in (Kanev and Verhaegen 2002)and (Staroswiecki 2002) with the former referenceconsidering discrete control actions and the latterproposing to choose the new actuator with respectto the control energy that is necessary to get asimilar performance of the closed-loop system asin the nominal case.

After in Section 2 the plant models and thereconfiguration problem have been defined, thispaper defines the generalised virtual actuator inSection 3 and shows in Sections 4 and 5 thatthe free parameters of this reconfiguration blockcan be chosen so as to satisfy the fault-hidinggoal as long as the faulty plant is stabilisable

through the remaining actuators. Besides the factthat this virtual actuator reduces to a staticblock if the reconfigurability condition is met,the relation of the design of this actuator to thedisturbance decoupling problem investigated in(Steffen 2005) is elaborated. Sections 6 and 7analyse the reconfigured loop and give guidelinesfor choosing the parameter matrices N and M ofthe virtual actuator. Finally, Section 8 illustratesthe generalised virtual actuator by using it tosolve the COSY benchmark problem.

2. THE RECONFIGURATION PROBLEM

Nominal plant is described by the state-spacemodel

x(t) = Ax(t) + Buc(t) + Ed(t), x(0) = x0(1)

y(t) = Cx(t) (2)

with state vector x ∈ Rn, input vector uc ∈ R

m,disturbance vector d ∈ R

p and output vectoryc ∈ R

r. For the investigations of different failuremodes of the actuators it is important that themodel (1), (2) is set up not only with respectto the inputs used in the nominal closed-loopsystem but also includes redundant inputs. Forthe example shown in Fig. 1 all three inputs u1, u2

and u3 are elements of the input vector u althoughthe nominal controller uses only the input u2.Hence, the matrix B has three columns. Hence,the matrix B in the model (1) does not necessarilyhave full column rank.

The nominal controller may be an arbitrary dy-namical system with inputs yc and w, wherew ∈ R

r is the reference input, but for analysisa static output feedback is used:

uc(t) = −Kyc(t) + V w(t) (3)

As the controller uses only a subset of the inputsignals ui that are included in the vector u, thematrices K and V usually have zero rows.

The faulty plant distinguishes from the nominalplant only in the input matrix B, which is changedto Bf :

xf (t) = Axf (t) + Bfuf (t) + Ed(t) (4)

y(t) = Cxf (t). (5)

In this model the control input is denoted byuf and the output by yf in order to distinguishbetween the input and output of the nominal andof the faulty plant. The matrix Bf has vanishingcolumns for all failed actuators. For example, inthe control problem shown in Fig. 2 the secondcolumn of the matrix Bf is zero if the actuatorassociated to the input signal u2 fails. Then the

1241

nominal controller, which uses only this input,does not influence the plant any more.

This paper concerns the situation where the fail-ure of one or more actuators has been detectedand, hence, the model (4), (5) of the faulty plantis known. The reconfiguration should be accom-plished by introducing a virtual actuator betweenthe faulty plant and the nominal controller suchthat the following aims are satisfied:

• Fault-hiding goal: The reconfigured plantshould have the same input-output behaviourwith respect to input uc and output yc as thenominal plant.

• Stability: The reconfigured closed-loop sys-tem should be stable.

It is obvious that if the virtual actuator satisfiesthe fault-hiding goal the closed-loop system hasthe same behaviour with respect to the commandinput w and output yc as the nominal loop. How-ever, it has to be investigated, which behaviourthe closed-loop system has with respect to thedisturbance input d.

3. DEFINITION OF THE GENERALISEDVIRTUAL ACTUATOR

F a u l t y p l a n t

òBf

E

d

A

C

V i r t u a l A c t u a t o r

òBf

M

A

CN

B D

-

uf

xf

yf

x D y D

u D

N o m i n a l c o n t r o l l e ryc

w

uc

Fig. 3: Closed-loop system including the generalised

virtual actuator

Definition 3.1. Consider the faulty plant (4), (5).The generalised virtual actuator is defined by

x∆ = A∆x∆ + B∆u∆, x∆(0) = x∆0 (6)

uf = C∆x∆ + D∆uc (7)

yc = Cyx∆ + yf (8)

with the state x∆ ∈ Rn and the matrices

A∆ = A − BfM (9)

B∆ = B − BfN (10)

C∆ = M (11)

D∆ = N . (12)

M and N denote matrices that can be freelychosen.

4. ANALYSIS OF THE RECONFIGUREDPLANT

This section shows that the reconfigured plant hasthe same input-output behaviour as the nominalplant with respect to the input uc and the outputyc. In this analysis the disturbance is ignored.

If the faulty plant (4), (5) is combined with thevirtual actuator (6) – (12), the following model ofthe reconfigured plant is obtained:

(xf

x∆

)

=

(A BfM

O A − BfM

) (xf

x∆

)

+

(BfN

B − BfN

)

uc

(xf (0)x∆(0)

)

=

(x0

x∆0

)

(13)

yc = (C C)

(xf

x∆

)

(14)

After the state transformation(

x

x∆

)

=

(I I

O I

)

︸ ︷︷ ︸

T

(xf

x∆

)

with T−1 =

(I −I

O I

)

(15)

the transformed system

(x

x∆

)

=

(A O

O A − BfM

) (x

x∆

)

+

(B

B − BfN

)

uc

(x(0)

x∆(0)

)

=

(x0 − x∆0

x∆0

)

(16)

yc = (C O)

(x

x∆

)

(17)

results. As the state x∆ is not observable, themodel reduces to

x(t) = Ax(t) + Buc(t), x(0) = x0 − x∆0

yc(t) = Cx(t).

This model is identical to the nominal plantprovided that x∆0 = 0 holds. Hence, the virtualactuator yields a reconfigured plant that satisfiesthe fault-hiding goal for arbitrary M and N .

Theorem 4.1. The reconfigured plant (13), (14)has the same input-output behaviour as the nom-inal plant (1, (2) for arbitrary parameter matricesM and N of the virtual actuator.

1242

5. SEPARATION PRINCIPLE FOR THEVIRTUAL ACTUATOR

This section shows that the reconfigured closed-loop system has two sets of eigenvalues, whereone is determined by the feedback matrix M ofthe virtual actuator whereas the other is identicalto the eigenvalue set of the nominal closed-loopsystem. This fact is called the separation principleof the virtual actuator.

The following analysis is not restricted to a staticoutput feedback (3) and can be easily extended toany dynamic feedback. The reconfigured closed-loop system consists of the reconfigured plant(13), (14) and the controller (3), both of whichare considered for vanishing disturbance d andcommand input w. If the transformed model (16),(17) is used, the reconfigured closed-loop systemis described by

(x

x∆

)

=

(A − BCC O

−B∆KC A − BfM

) (x

x∆

)

(x(0)

x∆(0)

)

=

(x0 − x∆0

x∆0

)

As the system matrix is a block diagonal matrix,the following result is obtained:

Theorem 5.1. Separation principle for the

virtual actuator. The set σ of eigenvalues ofthe reconfigured closed-loop system (13), (14), (3)consists of the set of eigenvalues of the nominalclosed-loop system (1), (2), (3) and the set ofeigenvalues of the virtual actuator (6).

This theorem holds true for arbitrary matricesM and N of the virtual actuator. Clearly, acorollary of this theorem is that the matrix M

has to be chosen so that the matrix M − BfM

has eigenvalues with negative real parts in orderto ensure the stability of the reconfigured closed-loop system. Hence, the stabilisation goal can besatisfied by using the generalised virtual actuatoras long as the faults plant is stabilisable.

Corollary 5.1. The stability of the reconfiguredclosed-loop system can be ensured by appropri-ately choosing the matrix M of the virtual actu-ator if and only if the pair (A,Bf ) is stabilisable(cf. (Lunze 1997)).

6. ANALYSIS OF THE RECONFIGUREDCLOSED-LOOP SYSTEM

If the models of the faulty plant (4), (5) is com-bined with the virtual actuator (6) – (8) and thecontroller (3), the following model is obtained af-ter the state transformation (15) has been applied:

(x

x∆

)

=

(A − BKC O

−B∆KC A − BfM

)(x

x∆

)

+

(BV

B∆V

)

w +

(E

O

)

d (18)

(x(0)

x∆(0)

)

=

(x0 − x∆0

x∆0

)

yc = (C O)

(x

x∆

)

(19)

yf = (C − C)

(x

x∆

)

. (20)

In the block diagram shown in Fig. 4, the lowerblock represents the nominal closed-loop system.The control error e = V w − yc is feed into the“difference system”

x∆ = (A − BfM)x∆ + B∆e, x∆(0) = x∆0

y∆ = Cx∆, (21)

whose name results from its output y∆, whichis the difference between the output yc of thenominal closed-loop system. Hence, y∆ shows howthe reconfigured closed-loop system differs fromthe nominal loop.

D i f f e r e n c e s y s t e m

òBf

M

A

C

N o m i n a l c l o s e d - l o o p s y s t e m

òB

E

A

CV

K

-

uf

yf

x D

y D

B D

-

w

d

x

yc

e

Fig. 4: Transformed closed-loop system showing the

separation principle

This model yields two corollaries:

• The input-output behaviour with respect tothe disturbance input d or the commandinput w and to the output yc is identical tothe corresponding input-output behaviour ofthe nominal closed-loop system.

• The input-output behaviour with respect tothe disturbance input d or the commandinput w and to the output yf differs fromthat of the nominal closed-loop system dueto the influence of the difference system (21).

1243

7. DESIGN OF THE VIRTUAL ACTUATOR

This section concerns the question how to choosethe matrices M and N in order to get a small dif-ference y∆ between the behaviours of the nominaland the reconfigured closed-loop system. Is alsoshows how earliser reconfiguration approaches re-late to the generalised virtual actuator.

Complete reconfiguration. Fig. 4 and eqn. (21)yield the following result:

Corollary 7.1. If N can be chosen such that

B∆ = B − BfN = O (22)

holds, the input-output behaviour of the recon-figured closed-loop system is identical to that ofthe nominal control loop for both the disturbanceinput d and the command input w. Furthermore,if x∆(0) = 0 hold, the reconfigured loop has thesame free motion as the nominal loop.

The condition (22) can be satisfied for an arbi-trary controller (3) if and only if the relation

RankBf = Rank (B Bf ) (23)

holds. This condition claims that the columnsbelonging to the failed actuators are linearly de-pendent upon the remaining columns of Bf . Thenthe effect of the failed actuators can be preciselyreplaced by using other actuators and the recon-figuration is complete.

For B∆ = O the difference system is not con-trolled and can be deleted from the representationof the reconfigured closed-loop system. Hence, thevirtual actuator (6), (8) reduces to the static re-configuration block

uf (t) = Nuc(t), yc(t) = yf (t), (24)

which is identical to the reconfiguration solutiondescribed in (Gao and Antsaklis 1991).

If the condition (23) is violated, the pseudo-inverse method published in (Gao and Antsaklis1991) proposes to use the pseudo-inverse solution

N = B+

f B (25)

with B+

f denoting the pseudoinverse of Bf .

Design of the virtual actuator by distur-

bance decoupling methods. If the transferfunction matrix

G(s) = C(sI − A + BfM)−1(B − BfN)(26)

of the difference system vanishes, the reconfigu-ration is complete as well. Then the differencemodel (21) has a vanishing output. To select thematrices N and M such that the condition (26)holds is a disturbance decoupling problem forknown disturbance uc. It has been shown in (Stef-fen 2005) that the solution to this problem yieldsa complete reconfiguration. This solution exist,however, only under restrictive conditions.

Restoration of the static behaviour. Thestatic behaviour is completely reconstructed ifthe static reinforcement of the difference systemvanishes:

G(0) = −C(A − BfM)−1(B − BfN) = O.

Approximate solution. The generalised virtualactuator has the property that the effect of thevirtual actuator “disappears” if the matrix B∆

can be made very small by choosing the matrixN appropriately.

Corollary 7.2. For ‖B∆‖ → 0, the behaviour ofthe reconfigured closed-loop system approachesthat of the nominal loop: ‖yc − yf‖ → 0.

8. EXAMPLE: THE COSY BENCHMARKPROBLEM

The reconfiguration by means of the generalisedvirtual actuator is illustrated by solving theCOSY benchmark problem proposed by (Heimingand Lunze 1999). For the solution given here, theproblem can be reduced to the two tanks. Duringthe nominal operation there exist two level con-trollers, where the set-point to the left controlleris the input u1. The right controller uses the uppervalve, whose position is given by the input u2. Aredundant control input is provided by the lowervalve with input signal u3. The right controllerhas to attenuate the disturbance d and to holdthe tank level at a given value w2.

The linearised model (1), (2) is obtained with

A =

−0.0478 −0.0004 01.0000 0 00.0058 0 −0.0058

B =

0.0406 −0.0058 −0.0092−1.0000 0 0

0 0.0046 0.0073

C = (0 0 1), E =

00

−0.0454

Is is assumed that the upper valve fails andis remains completely closed. Then the second

1244

column in the matrix B has to be set to zero toobtain the matrix Bf .

Static reconfiguration. A complete reconfigu-ration of the controller is possible, because thecondition (23) is satisfied. Hence, the reconfig-uration is possible with a static reconfigurationblock (24)

uf =

0 0 −2.70390 0 0.63250 0 1

uc .

0

0.1

0.2

0.3

0.4

h 2 in m

0 200 400 600 8000

0.5

1

Time in sec

u 2, u3

Fig. 5: Behaviour of the reconfigured closed-loop

system where the reconfigured controller uses the

input u3

Figure 5 shows that the right tank has the samebehaviour with the reconfigured controller as inthe nominal case. In the lower subplot the controlinput u3 used by the reconfigured controller iscompared to the input u2 of the nominal con-troller, which is shown by the dashed lines.

Reconfiguration by means of the gener-

alised virtual actuator. Alternatively, assumethat the lower valve is not available for the re-configuration. Then the right controller has onlythe command input u1 of the left controller asits disposal. With the third columns deleted, thematrices B and Bf do no longer satisfy the con-dition (23) and a dynamic reconfiguration blockhas to be used. For the matrix

N =

1 −0.0002 .0.00040 0 00 0 0

of the virtual actuator the nominal closed-loopsystem has the eigenvalues −0.0427, −0.0124 ±0.0058i. Therefore, the matrix M of the virtualactuator should place the eigenvalues of the ma-trix A−BfM to the left of these eigenvalues, sayat −0.05, −0.06 and −0.07:

M =

−0.9968 −0.0048 −0.00020 0 00 0 0

.

0

0.1

0.2

0.3

0.4

h 2 in m

0 200 400 600 8000

0.5

1

Time in sec

u 1

Fig. 6: Behaviour of the reconfigured closed-loop

system where the reconfigured controller uses the

input u1

Figure 6 shows the disturbance behaviour of thetank system after the controller has been extendedby a virtual actuator that uses the input u1.The response is slower than the nominal response,which is drawn by dashed lines to make a compar-ison possible. The slower response results from thefact that the controller of the right tank uses nowthe command input of the controller of the lefttank as control input.

9. REFERENCES

Blanke, M.; Kinnaert, M.; Lunze, J. and Staroswiecki,M.: Diagnosis and Fault-Tolerant Control, 2ndedition, Springer, Heidelberg 2006.

Gao, Z. and Antsaklis, P. J.: Stability of thepseudo-inverse method for reconfigurable controlsystems. International Journal of Control, 53:717–729, 1991.

Heiming. B. and Lunze, J.: Definition of the three-tank benchmark problem for controller reconfig-uration. In European Control Conference, Karl-sruhe 1999.

Kanev, S. and Verhaegen, M.: Reconfigurable ro-bust fault-tolerant control and state estimation.paper no. 2542. IFAC Congress, Barcelona 2002.

Lunze, J.: Regelungstechnik, Band 2. SpringerVerlag Berlin, 1997.

Lunze, J. and Steffen, T.: Rekonfiguration linearerSysteme bei Sensors- und Aktorausfall. Automa-tisierungstechnik, 2002a.

Lunze, J. and Steffen, T.: Control reconfigurationafter actuator failures using disturbance decou-pling methods IEEE Trans. AC (to be publishedin September 2006).

Staroswiecki, M.: On reconfigurability with re-spect to actuator failures. paper no. 775. IFACCongress, Barcelone 2002.

Steffen, T.: Control Reconfiguration of DynamicalSystem: Linear Approaches and Structural Tests,Springer-Verlag, Heidelberg 2005.

1245