
Reliability evaluation of fault tolerant control with a semi-Markov fault detection and isolation model
Hongbin Li and Qing Zhao* Department of Electrical and Computer Engineering, University of Alberta, Alberta, Canada The manuscript was received on 3 December 2005 and was accepted after revision for publication on 31 March 2006. DOI: 10.1243/09596518JSCE225

Abstract: In this paper, a stochastic modelling method is used to study the reliability evaluation problem of fault-tolerant control systems (FTCSs). The faults in the system are described by a Markov chain, while the fault detection and isolation (FDI) and system operation for reliability evaluation are described by two semi-Markov chains. The semi-Markov description of FDI removes the restrictive memoryless assumption in Markov models and provides a general model for cyclic FDI schemes. Furthermore, a reliability index and evaluation method are presented for FTCSs. This index reflects the control performance and hard deadline and can be used as a quantitative reliability measure for FTCSs.

Keywords: reliability evaluation, fault-tolerant control systems

1 INTRODUCTION

Many fault-tolerant control systems (FTCSs) employ fault detection and isolation (FDI) schemes and reconfigurable controllers to improve overall system reliability [1, 2]. In this area, many results have been reported on the reliability evaluation of FTCSs. For example, Wu and Patton [3] and Wu [4-7] attempted to evaluate the reliability of a flight control system by using a serial-parallel block diagram and a Markov process model. Based on the same idea, Guenab et al. [8] studied structure optimization with the emphasis on reliability and cost. However, these methods are suitable only for systems with serial-parallel structures. Some previous work on reliability evaluation exists in the literature. For example, Harrison et al. [9] studied the reliability of a navigator system with hardware redundancy and algorithmic FDI using a Markov process model. Walker [10] proposed a semi-Markov model to handle sequential FDI by introducing conditional probabilities to characterize FDI properties, but they did not consider control objectives, and hence the reliability evaluation does not directly reflect control performance. Also, a new semi-Markov reliability model was recently proposed in reference [11]. This semi-Markov process model was constructed from the dynamic model and incorporated the characteristics of FTCSs: control objectives, performance degradation, hard deadline in FTCSs, and the effects of an imperfect FDI. However, this method is based on the Markov modelling of FDI and applies only to FDI with a memoryless property. How to model FDI without this memoryless restriction and how to extend the reliability model to this general case are the main objectives of this paper.

The Markov models of faults and FDI schemes were first proposed by Mariton [12] to study the effects of FDI delays on stability. By using two Markov processes to represent faults and FDI results respectively, Srichander and Walker [13] developed the necessary and sufficient conditions for exponential mean-square stability; Mahmoud et al. [14, 15] derived the stability of FTCSs in the presence of noise and summarized their results on the analysis and design of FTCSs based on Markov models [14, 15]. However, Markov models assume a memoryless property [16]. As discussed in reference [17], the sojourn time duration of FDI is a random variable that may take any probability distribution, but Markov models accept only the exponential distribution. This exponential distribution introduces the so-called memoryless restriction of FDI: the probability of transiting from one state to another is independent of the amount of time that the process has spent in the current state. This problem was pointed out in reference [16], but no alternative model was constructed for FDI, and a large quantity of conditional probabilities were used instead. In reference [17], stability in the presence of general detection delays was analysed by modelling the sojourn time as a finite state Markov chain or a random variable with a mixture of given probability distributions, but the Markov chain model can give only fixed values of sojourn times from a finite set. Also, these distributions can be described by the semi-Markov model of FDI proposed in this paper. Furthermore, it is shown that the reliability evaluation method presented in reference [11] can be extended to FTCS with the semi-Markov FDI description.

Briefly, this paper is organized as follows. Section 2 introduces the model of an FTCS with a semi-Markov FDI description; section 3 presents the reliability evaluation method for the FTCS with this FDI model; an example is given in section 4 to illustrate the semi-Markov FDI model and reliability evaluation procedure; finally, conclusions are reached in section 5.

* Corresponding author: Department of Electrical and Computer Engineering, University of Alberta, 9107 116 St, Edmonton, Alberta, T6G 2V4, Canada. email: qingzhao@ece.ualberta.ca

Proc. IMechE Vol. 220 Part I: J. Systems and Control Engineering

JSCE225 IMechE 2006

2 AN FTCS WITH A SEMI-MARKOV FDI MODEL

As in many references [12-14], an FTCS can be modelled using the equations

$$\dot{x}(t) = [A(f(t)) + \Delta A(f(t))]x(t) + [B(f(t)) + \Delta B(f(t))]u(g(t), t) + E(f(t))w(t)$$
$$y(t) = [C(f(t)) + \Delta C(f(t))]x(t) + [D(f(t)) + \Delta D(f(t))]u(g(t), t) + F(f(t))w(t) \tag{1}$$

where $x(t) \in R^n$, $u(g(t), t) \in R^m$, $y(t) \in R^l$, and $w(t) \in R^h$ denote the system state, control input, output, and exogenous input vectors respectively. $A(f(t))$, $B(f(t))$, $C(f(t))$, $D(f(t))$, $E(f(t))$, and $F(f(t))$ are system matrices with appropriate dimensions, $\Delta A(f(t))$, $\Delta B(f(t))$, $\Delta C(f(t))$, and $\Delta D(f(t))$ are uncertainty matrices which are assumed to be bounded and have known probability distributions.

A random variable $f(t) \in S_1 = \{0, 1, 2, \ldots, N_1\}$ called the plant mode is adopted to describe the occurrences of faults among the possible modes in $S_1$. By assuming that no automatic repair or intermediate fault occurs and that the failure rate is constant, a Markov chain can be used to describe the plant mode [18]. Let $f_n \in S_1$ be a discrete-time Markov chain and define $f(t) = f_n$, $nT_s \le t < (n+1)T_s$, $n \in N$. $N$ denotes the set of non-negative integers and $T_s$ the FDI detection cycle duration. The transition probability matrix of $f_n$ is denoted as $G = [G_{ij}]_{N_1 \times N_1}$, $\sum_{j \in S_1} G_{ij} = 1$, $i \in S_1$.

Usually $f(t)$ is not directly measurable, and the FDI scheme is used to produce an estimate of the plant mode, denoted as $g(t) \in S_2 = \{0, 1, \ldots, N_2\}$. Based on $g(t)$, the control input $u(g(t), t)$ is applied to the plant. In practice, $g(t)$ is often generated by cyclic sensor measurements and calculations with a fixed amount of data, e.g. the Shewhart control chart and parity space methods [19]. In this case, the cycle duration time $T_s$ can be assumed to be a known constant.

Let $g_n \in S_2$ denote a discrete-time stochastic process, $n \in N$, representing the FDI mode after the $n$th detection cycle, as shown in Fig. 1. Let $h_m \in S_2$ and $T_m \in N$ denote the FDI mode and cycle index respectively after the $m$th transition of $g_n$, $m \in N$. For example, in Fig. 1, $h_2 = g_4$ and $T_2 = 4$. $(h, T) \triangleq \{h_m, T_m : m \in N\}$ is called a discrete-time Markov renewal process if

$$\Pr\{h_{m+1} = j, T_{m+1} - T_m = l \mid h_0, \ldots, h_m; T_0, \ldots, T_m\} = \Pr\{h_{m+1} = j, T_{m+1} - T_m = l \mid h_m\} \tag{2}$$

holds for fixed $f_{T_m} = f_{T_m+1} = \cdots = f_{T_{m+1}} = k$, $k \in S_1$, $j \in S_2$, $l, m \in N$. $g_n = h_m$ is then called the associated discrete-time semi-Markov chain of $(h, T)$, where $m = \sup_{h \in N}\{T_h \le n\}$. The FDI mode at $t$ is defined as $g(t) \triangleq g_n$, $nT_s \le t < (n+1)T_s$.

Given $f_{T_m} = f_{T_m+1} = \cdots = f_{T_{m+1}} = k$, $m \in N$, $k \in S_1$, $(h, T)$ is called time homogeneous if

$$Q^k(i, j, l) \triangleq \Pr\{h_{m+1} = j, T_{m+1} - T_m = l \mid h_m = i\}$$

is independent of $m$ for any $i, j \in S_2$, $l \in N$. $Q^k \triangleq \{[Q^k(i, j, l)]_{N_2 \times N_2}, l \in N\}$ is called the semi-Markov kernel of $g_n$ given $f_n = k$. Note that the behaviour and parameters of $g_n$ depend on $f_n$ as $g_n$ is an estimate of $f_n$.

Given $f_n = k$, $k \in S_1$, it can be shown that $h \triangleq \{h_m : m \in N\}$ is a Markov chain with state space $S_2$ and transition matrix $P^k \triangleq [P^k_{ij}]_{N_2 \times N_2} \triangleq [\sum_{l=1}^{\infty} Q^k(i, j, l)]_{N_2 \times N_2}$ [20, 21].

Fig. 1 A sample path of the FDI process



Given $f_{T_m} = f_{T_m+1} = \cdots = f_{T_{m+1}} = k$, let $t^k_{ij} = T_{m+1} - T_m$ if $h_m = i$ and $h_{m+1} = j$, $k \in S_1$, $i, j \in S_2$. $t^k_{ij}$ is the sojourn time of $g_n$ between its transition to state $i$ at $T_m$ and the consecutive transition to $j$ at $T_{m+1}$. The probability distribution of $t^k_{ij}$ is given by

$$\Pr\{t^k_{ij} = l\} = \Pr\{T_{m+1} - T_m = l \mid h_m = i, h_{m+1} = j\} = \frac{Q^k(i, j, l)}{P^k_{ij}} \tag{3}$$

with the convention that $Q^k(i, j, l)/P^k_{ij} = 1_{\{l=+\infty\}}$ if $P^k_{ij} = Q^k(i, j, l) = 0$, $i, j \in S_2$, $l \in N$. The indicator function $1_{\{l=+\infty\}} = 1$ if $l = +\infty$; otherwise, $1_{\{l=+\infty\}} = 0$. Denote $H^k(i, j, l) \triangleq \Pr\{t^k_{ij} = l\}$ and $H^k \triangleq [H^k(i, j, l)]_{N_2 \times N_2}$.

Given $f_n = k$, $P^k$, together with $H^k$, determines the stochastic behaviour of $g_n$ or, equivalently, $Q^k$ solely determines $g_n$ as $Q^k(i, j, l) = P^k_{ij} H^k(i, j, l)$.

To recap, the description of FDI is summarized as follows.

1. The FDI mode $g_n$ is modelled as a semi-Markov chain conditioning on the plant mode $f_n$.
2. The embedded Markov renewal process $(h, T)$ gives the transition history of $g_n$.
3. Given a fixed plant mode $f_n = k$, $P^k$ describes the transition probability of the embedded Markov chain $h_m$ and $H^k$ the sojourn time distribution of $g_n$.

3 RELIABILITY MODELLING

As in reference [11], the reliability index of an FTCS is defined as follows.

Definition 1

The reliability $R(t)$ of FTCS is defined as the probability that, during the time interval $[0, t]$, the FTCS either satisfies the presumed control objective or violates it temporally for a short time within the presumed hard deadline $T_{hd}$.

Owing to imperfect FDI results, FTCSs may violate the control objectives only for a short time. It is assumed that, if this time is greater than a particular limit $T_{hd}$, the system is generally unable to return to a functional state. In this sense, $T_{hd}$ is called the hard deadline in FTCSs. This concept of a hard deadline has been used in the analysis and reliability modelling of control systems. For example, see reference [22] for the derivation and applications of hard deadlines in control systems and reference [23] for the reliability modelling of real-time control systems.

Considering that the plant and FDI modes are described by discrete-time stochastic models and that the fault occurrence within $T_s$ is assumed to be negligible, the main interest is in evaluating the reliability value at $t = nT_s$, denoted by $R_n \triangleq R(nT_s)$, $n \in N$. The performance measure at $t = nT_s$ is denoted as $J_n$ and the maximum performance threshold when $f_n = i$ is denoted as $J^i_{\max}$, $i \in S_1$. $J_n$ is determined by a performance measure function, such as the system norm of the system model corresponding to $f_n$ and $g_n$. The hard deadline is denoted as $T_{hd} \in N$, the maximum number of detection cycles $T_s$ for a temporal performance violation. Based on Definition 1, the reliability index $R_n$ is given by the probability

$$R_n = 1 - \Pr\{\exists k \in N, 0 \le k < n, n - k > T_{hd}, \forall l \in N, k \le l \le n, J_l > J^i_{\max}, i = f_l\} \tag{4}$$

A discrete-time semi-Markov chain $X^R_n$ is presented to evaluate this reliability index. For each plant mode $i$, two functional states of $X^R_n$ are defined as

$$(i, N) : \{f_n = i\} \wedge \{J_n \le J^i_{\max}\} \tag{5}$$
$$(i, F) : \{f_n = i\} \wedge \{J_n > J^i_{\max}\} \wedge \{\text{sojourn time} \le T_{hd}\} \tag{6}$$

The absorbing semi-Markov state $F$ represents the total failure state of the system. Figure 2 illustrates the transitions of $X^R_n$ with four plant modes; for simplicity, the self-transition of each functional state is not shown. If the initial state $X^R_0 = (0, N)$, $R_n = 1 - P^R((0, N), F, n)$, where $P^R((0, N), F, n)$ denotes the transition probability from $(0, N)$ to $F$ at $n$. Therefore, the reliability evaluation problem is reduced to constructing $X^R_n$ and calculating its transition probability.

To calculate the semi-Markov kernel of $X^R_n$, several probabilistic parameters were defined in reference [11], which are restated briefly in Definition 2.

Fig. 2 A state transition diagram with four fault modes



Definition 2

For given plant and FDI modes, the probabilistic parameters are defined as

$$c_{ij} \triangleq \Pr\{J_n \le J^i_{\max} \mid f_n = i, g_n = j\}, \qquad p^i_j \triangleq \lim_{n \to \infty} \Pr\{g_n = j \mid f_n = i\} \tag{7}$$
$$w^i_j \triangleq \lim_{n \to \infty} \Pr\{g_n = j \mid X^R_n = (i, N)\}, \qquad v^i_j \triangleq \lim_{n \to \infty} \Pr\{g_n = j \mid X^R_n = (i, F)\} \tag{8}$$

where $i \in S_1$, $j \in S_2$.

$c_{ij}$ is the probabilistic performance estimated by the randomized algorithm in reference [24], $p^i_j$ is the stationary distribution of $g_n$ given a particular plant mode of $f_n$, and $w^i_j$ and $v^i_j$ are estimates of FDI modes given the state of the semi-Markov reliability process [11].

Given $f_n = i$ and $g_n = j$, the combinational mode $(f_n, g_n)$ after the subsequent transition is determined by which one of $f_n$ and $g_n$ transits first and which mode they transit to. For example, if $f_n$ transits first to $k$ at $n+m$, then $(f_{n+1}, g_{n+1}) = \cdots = (f_{n+m-1}, g_{n+m-1}) = (i, j)$ and $(f_{n+m}, g_{n+m}) = (k, j)$; if $g_n$ transits first to $l$ at $n+m$, then $(f_{n+1}, g_{n+1}) = \cdots = (f_{n+m-1}, g_{n+m-1}) = (i, j)$ and $(f_{n+m}, g_{n+m}) = (i, l)$. So $f_n$ and $g_n$ can be considered to be competing with each other, and the order of transitions is crucial to determine the subsequent mode. These transitions are called competition transitions, and their probabilities competition probabilities, as given in the following definition.

Definition 3

Given $f_n = i$ and $g_n = j$, the combinational mode is denoted as $(i, j)$, $i \in S_1$, $j \in S_2$. Suppose that $(f_{n+1}, g_{n+1}) = \cdots = (f_{n+m-1}, g_{n+m-1}) = (i, j)$ and the next combinational mode after the consequent transition of $f_n$ and/or $g_n$ at $n+m$ is $(f_{n+m}, g_{n+m}) = (k, l)$, where $k \ne i$ and/or $l \ne j$, $k \in S_1$, $j \in S_2$. The probability of this event is called the competition probability, denoted by $r_{(i,j).(k,l)}(m)$.

Given $f_n = i$, $g_n = j$, the sojourn times of $f_n$ and $g_n$ are denoted as $s_i$ and $t^i_j$ respectively. If the next mode of $g_n$ is known as $l$, the sojourn time of $g_n$ is denoted as $t^i_{jl}$. If the plant mode $i$ of $f_n$ is absorbing, $\Pr\{s_i > t^i_j\} = 1$; otherwise

$$\Pr\{s_i > t^i_j\} = \sum_{m=1}^{\infty} G^m_{ii} \sum_{l \in S_2} P^i_{jl} \sum_{h=1}^{m} H^i(j, l, h)$$
$$\Pr\{s_i = t^i_j\} = \sum_{m=1}^{\infty} G^{m-1}_{ii} (1 - G_{ii}) \sum_{l \in S_2} P^i_{jl} H^i(j, l, m)$$
$$\Pr\{s_i < t^i_j\} = 1 - \Pr\{s_i > t^i_j\} - \Pr\{s_i = t^i_j\}$$

The competition probability may then be classified into the three cases

$$r_{(i,j).(i,l)}(m) = \Pr\{g_{n+m} = l \wedge t^i_{jl} = m \mid s_i > t^i_j\} \Pr\{s_i > t^i_j\} = P^i_{jl} H^i(j, l, m) \Pr\{s_i > t^i_j\} \tag{9}$$
$$r_{(i,j).(k,l)}(m) = \Pr\{f_{n+m} = k \wedge s_i = m \wedge g_{n+m} = l \wedge t^i_{jl} = m\} = G^{m-1}_{ii} G_{ik} P^i_{jl} H^i(j, l, m) \tag{10}$$
$$r_{(i,j).(k,j)}(m) = \Pr\{f_{n+m} = k \wedge s_i = m \mid s_i < t^i_j\} \Pr\{s_i < t^i_j\} = G^{m-1}_{ii} G_{ik} \Pr\{s_i < t^i_j\} \tag{11}$$

where $k \ne i$, $l \ne j$, $m \in N$.

With these probabilistic parameters, the semi-Markov kernel of the reliability model $X^R_n$ can be calculated by the following theorem. For notational simplicity, $(i, N)$ is denoted as $i_N$, $(i, F)$ as $i_F$, $r_{(i,k).(j,l)}(m)$ as $r_{ik.jl}$, and $r_{(i,k).(j,l)}[\min(m, T_{hd})]$ as $r^{\min}_{ik.jl}$.

Theorem 1

The semi-Markov kernel of the reliability semi-Markov chain $X^R_n$ is given by the equations

$$Q_R(i_N, i_N, m) = \sum_{k \in S_2} w^i_k \sum_{l \in S_2^{ck}} r_{ik.il}\, c_{il} \tag{12}$$
$$Q_R(i_N, j_N, m) = \sum_{k \in S_2} w^i_k \sum_{l \in S_2} r_{ik.jl}\, c_{jl} \tag{13}$$
$$Q_R(i_N, i_F, m) = \sum_{k \in S_2} w^i_k \sum_{l \in S_2^{ck}} r_{ik.il} (1 - c_{il}) \tag{14}$$
$$Q_R(i_N, j_F, m) = \sum_{k \in S_2} w^i_k \sum_{l \in S_2} r_{ik.jl} (1 - c_{jl}) \tag{15}$$
$$Q_R(i_F, i_N, m) = \sum_{k \in S_2} v^i_k \sum_{l \in S_2^{ck}} r^{\min}_{ik.il}\, c_{il} \tag{16}$$
$$Q_R(i_F, j_N, m) = \sum_{k \in S_2} v^i_k \sum_{l \in S_2} r^{\min}_{ik.jl}\, c_{jl} \tag{17}$$
$$Q_R(i_F, i_F, m) = \sum_{k \in S_2} v^i_k \sum_{l \in S_2^{ck}} r^{\min}_{ik.il} (1 - c_{il}) \tag{18}$$
$$Q_R(i_F, j_F, m) = \sum_{k \in S_2} v^i_k \sum_{l \in S_2} r^{\min}_{ik.jl} (1 - c_{jl}) \tag{19}$$

Q (i , F, m) R F =1 {m>Thd} Q (i , a, h) R F hN,hm aSr,aF (20)

$$Q_R(F, a, m) = 0, \quad a \in S_r \tag{21}$$


where $T_{hd}$ denotes the hard deadline, $S_r$ the state space of $X^R_n$, and $S_2^{ck}$ the set of elements in $S_2$ excluding $k$, $m \in N$, $i, j \in S_1$, $i \ne j$. The indicator function $1_{\{m>T_{hd}\}} = 1$ if $m > T_{hd}$; otherwise, $1_{\{m>T_{hd}\}} = 0$.

Proof. $(w^R_n, T^R_n)$ denotes the associated discrete-time Markov renewal process of $X^R_n$, $n, n \in N$. $(h_h, T_h)$ denotes the associated Markov renewal process of $g_n$, $h \in N$. $n$, $h$, and $n$ represent the cycle or transition indices of these processes, but they may correspond to the same time instant. The transitions are caused by the changes in the FDI and plant modes. By the total probability formula and conditioning on the FDI modes, the transition probability can be decomposed into three parts, as shown in the equations

$$\begin{aligned}
Q_R(i_N, i_N, m) &= \Pr\{w^R_{n+1} = i_N, T^R_{n+1} - T^R_n = m \mid w^R_n = i_N\} \\
&= \sum_{k \in S_2} \Pr\{w^R_{n+1} = i_N, T^R_{n+1} - T^R_n = m \mid w^R_n = i_N \wedge h_h = k\} \Pr\{h_h = k \mid w^R_n = i_N\} \\
&= \sum_{k \in S_2} \Pr\{h_h = k \mid w^R_n = i_N\} \sum_{l \in S_2^{ck}} \Pr\{J_{n+m} \le J^i_{\max} \wedge f_{n+1} = \cdots = f_{n+m} = i \wedge g_{n+m} = h_{h+1} = l \wedge T_{h+1} - T_h = m \mid w^R_n = i_N \wedge h_h = k\} \\
&= \sum_{k \in S_2} \Pr\{h_h = k \mid w^R_n = i_N\} \sum_{l \in S_2^{ck}} \Pr\{J_{n+m} \le J^i_{\max} \mid f_{n+m} = i \wedge g_{n+m} = l\} \Pr\{s_i > m \wedge h_{h+1} = l \wedge t^i_{kl} = m \mid f_n = i \wedge h_h = k\}
\end{aligned} \tag{22}$$

where $s_i$ and $t^i_{kl}$ denote the sojourn time of $f_n$ and $g_n$ respectively. The first two terms in equation (22) can be approximated by the stationary probabilities in the probabilistic parameters given by

$$\Pr\{h_h = k \mid w^R_n = i_N\} \approx w^i_k \tag{23}$$
$$\Pr\{J_{n+m} \le J^i_{\max} \mid f_{n+m} = i \wedge g_{n+m} = l\} \approx c_{il} \tag{24}$$

The last term in equation (22) is equal to the competition probability

$$\Pr\{s_i > m \wedge h_{h+1} = l \wedge t^i_{kl} = m \mid f_n = i \wedge h_h = k\} = r_{ik.il} \tag{25}$$

By substituting equations (23) to (25) in equation (22), equation (12) is proved. Equations (13) to (15) can be proved in a similar fashion as shown in the example of equation (13) according to

$$\begin{aligned}
Q_R(i_N, j_N, m) &= \Pr\{w^R_{n+1} = j_N, T^R_{n+1} - T^R_n = m \mid w^R_n = i_N\} \\
&= \sum_{k \in S_2} \Pr\{w^R_{n+1} = j_N, T^R_{n+1} - T^R_n = m \mid w^R_n = i_N \wedge h_h = k\} \Pr\{h_h = k \mid w^R_n = i_N\} \\
&= \sum_{k \in S_2} \Pr\{h_h = k \mid w^R_n = i_N\} \Big( \Pr\{J_{n+m} \le J^j_{\max} \mid f_{n+m} = j \wedge g_{n+m} = k\} \Pr\{f_{n+m} = j \wedge s_i = m \wedge t^i_k > m \mid f_n = i \wedge h_h = k\} \\
&\qquad + \sum_{l \in S_2^{ck}} \Pr\{J_{n+m} \le J^j_{\max} \mid f_{n+m} = j \wedge g_{n+m} = l\} \Pr\{f_{n+m} = j \wedge s_i = m \wedge h_{h+1} = l \wedge t^i_{kl} = m \mid f_n = i \wedge h_h = k\} \Big) \\
&= \sum_{k \in S_2} w^i_k \sum_{l \in S_2} r_{ik.jl}\, c_{jl}
\end{aligned} \tag{26}$$

where $j \ne i$, $j \in S_1$.

For equations (17) to (20), when the sojourn time is no greater than $T_{hd}$, the transition is similar to the case of $i_N$; otherwise, $X^R_n$ transits to $F$. Therefore, the minimum function $\min(m, T_{hd})$ is used in equations (17) to (19); $Q_R(i_F, F, m)$ becomes non-zero only if $m > T_{hd}$, and this probability is complementary to the transition probability to other states within $T_{hd}$, which is calculated on the basis of $1_{\{m>T_{hd}\}}$ in equation (20).

Remark 1

The main idea of the above derivation of the transition probability is to decompose it into three parts: the FDI mode estimation, the competition probability, and the probabilistic performance estimation. The effects of the hard deadline are described by $\min(m, T_{hd})$ and $1_{\{m>T_{hd}\}}$.

Once the semi-Markov kernel of $X^R_n$ is obtained, the transition probability and reliability function $R_n$ can be calculated using available formulae [20, 21].

4 EXAMPLE

Consider a longitudinal vertical take-off and landing aircraft model in the form of equation (1) with the system matrices [25]

0.0188 0.0024 1.0 0.4555 4.0208 1.420 0
A = 0
3.5446 7.5922 B = 0 5.52 4.49 0 0.2211 0 0.1761
1.7723 7.5922 0 1 0 0 B = , C = 1 0 2.76 4.49 0 0 1 0 0 0 0 1 1 1
0.0366 0.0271 0.0482 0.1002 0 0.4422 1.01 0 0.1761
0.3681 0.707
1 0 0 0

$A_1 = A_0$, $C_1 = C_0$

$E_0 = [0.05\ 0.05\ 0.05\ 0.05]^T$, $E_1 = E_0$

The subscripts 0 and 1 in the system matrices represent those for plant mode 0 and 1 respectively. Plant mode 0 represents the fault-free mode. Under plant mode 1, an actuator fault is considered, and the effectiveness of the first actuator is reduced by half, as reflected in $B_1$.

Suppose that the cycle duration $T_s$ is 1 s. The transition matrix of the plant mode Markov chain $f_n$ is

$$G = \begin{bmatrix} 0.99 & 0.01 \\ 0 & 1 \end{bmatrix}$$

According to $G$, the mean time for the fault occurrence is 1/0.01 = 100 cycles = 100 s, and this high failure rate is intentionally chosen for this example to reduce the calculation burden. The FDI is modelled by a semi-Markov chain $g_n$ with the parameters

P0= 1 0 0 1 , P1= 1 0 0 1

$$H^0(0, 1, m) = H^1(1, 0, m) = \mathrm{Pois}(m|20)$$
$$H^0(1, 0, m) = H^1(0, 1, m) = \mathrm{Bin}(m|10, 0.5)$$

where $P^0$ and $P^1$ are transition probability matrices of the embedded Markov chain and $H^0(0, 1, m)$, $H^0(1, 0, m)$, $H^1(0, 1, m)$, and $H^1(1, 0, m)$ are distribution functions of sojourn time, $m \in N$. $\mathrm{Pois}(\cdot|\cdot)$ and $\mathrm{Bin}(\cdot|\cdot, \cdot)$ denote the Poisson and binomial distributions respectively:

$$\mathrm{Pois}(m|20) = \frac{20^m e^{-20}}{m!}$$
$$\mathrm{Bin}(m|10, 0.5) = \frac{10!}{m!(10-m)!}\, 0.5^m\, 0.5^{10-m}, \quad m \le 10$$

Based on these parameters, the stationary distribution of $g_n$ is computed as

$$p = \begin{bmatrix} p^0_0 & p^0_1 \\ p^1_0 & p^1_1 \end{bmatrix} = \begin{bmatrix} 0.8 & 0.2 \\ 0.2 & 0.8 \end{bmatrix}$$

$p$ shows that the correct and false detection probabilities are 0.8 and 0.2 respectively.

To see the difference between the Markov process model in reference [11] and this semi-Markov model of FDI, the sample paths from these two types of models shown in Fig. 3 should be considered. These two curves are given under the plant mode 0, and the generator matrix of the continuous-time Markov process model is

$$G = \begin{bmatrix} -0.05 & 0.05 \\ 0.2 & -0.2 \end{bmatrix}$$

According to $G$, the stationary distribution is [0.8 0.2], the same as $p$. Furthermore, the mean sojourn times from mode 0 to 1 and from 1 to 0 are 20 s and 5 s respectively, the same as the means of $H^0(0, 1, m)$ and $H^1(1, 0, m)$. However, in the sample path of the Markov process model in Fig. 3, there are two transitions from 1 to 0 with a sojourn time of about 0.05 of a second owing to the memoryless property of the exponential distribution. These transitions are impractical because the FDI needs at least one detection cycle to return to mode 0 from the false alarm. In contrast, the sample path from the semi-Markov model is acceptable; each sojourn time is an integer multiple of the detection cycle duration. Therefore the Markov model may not generate a reasonable sample path for FDI with cyclic detection schemes.

Fig. 3 Sample paths of FDI models

The static state feedback controllers for the normal and faulty cases are

0.4558 0.5080 1.4881 1.0242 K = 0 0.1022 0.1089 0.1216 0.0486 K = 1
0.1078 0.7452 0.1680
0.3158
0.6761
1.3673 0.7858 0.4397

When $g(t) = 0$, $u = K_0 x$ is in use; when $g(t) = 1$, $u = K_1 x$ is switched on.

Here, the $H_2$ norm is used as the performance measure. The performance evaluation function with the thresholds for the two fault modes is defined as

$$J_n = \begin{cases} \dfrac{\|G_{yw}(f_n, g_n, s)\|_2}{1 + \|G_{yw}(f_n, g_n, s)\|_2}, & \text{stable at } n \\ 1, & \text{unstable at } n \end{cases}$$
$$J^0_{\max} = 0.5, \quad J^1_{\max} = 0.67$$

where $G_{yw}(f_n, g_n, s)$ is the transfer function from $w$ to $y$ corresponding to the current fault mode $f_n$ and the FDI mode $g_n$. The assumption of the known probability distributions of modelling uncertainties and the randomized algorithm in reference [24] gives the probabilistic performance values

$$c = \begin{bmatrix} c_{00} & c_{01} \\ c_{10} & c_{11} \end{bmatrix} = \begin{bmatrix} 0.7033 & 0.6260 \\ 0.5583 & 0.6084 \end{bmatrix}$$

For example, $c_{00}$ means $\Pr\{J_n \le J^0_{\max} \mid f_n = 0 \wedge g_n = 0\} = 0.7033$. From $p$ and $c$, the probabilistic parameters $w$ and $v$ are calculated as

$$w = \begin{bmatrix} w_{00} & w_{01} \\ w_{10} & w_{11} \end{bmatrix} = \begin{bmatrix} 0.6920 & 0.3080 \\ 0.3145 & 0.6855 \end{bmatrix}$$
$$v = \begin{bmatrix} v_{00} & v_{01} \\ v_{10} & v_{11} \end{bmatrix} = \begin{bmatrix} 0.6134 & 0.3866 \\ 0.3606 & 0.6294 \end{bmatrix}$$

For example, $\Pr\{g_n = 0 \mid X^R_n = 0_N\} \approx w_{00} = 0.6920$.

Set the hard deadline $T_{hd} = 5$. By substituting these parameters into Theorem 1, the semi-Markov reliability model is obtained. The transition probability and reliability function curve are then calculated, as shown in Fig. 4, where $R_n$ is the reliability curve and $P^R(1, i, n)$ the transition probability curve from state 1, $0_N$, to state $i$, $i = 1$-$5$, $n \in N$. From $P^R(1, 1, n)$ and $P^R(1, 2, n)$, it can be seen that the performance degradation during this time period is mainly caused by false alarms of FDI and $X^R_n$ jumps from $0_N$ to $0_F$ with high probability. From $R_n$ and $P^R(1, 5, n)$, it can be seen that the probability of system failure is zero within $T_{hd}$, a finding which is consistent with the definition of reliability function.

Fig. 4 Transition probability and reliability curves

Next, in order to show the influence of FDI on reliability, the same aircraft model is used but with a different FDI, which has the new parameters

$$H^0(0, 1, m) = H^1(1, 0, m) = \mathrm{Pois}(m|80)$$
$$H^0(1, 0, m) = H^1(0, 1, m) = \mathrm{Bin}(m|3, 0.5)$$

According to $H^0(0, 1, m)$, the mean sojourn time for a false alarm increases from $20T_s$ to $80T_s$; according to $H^0(1, 0, m)$, the mean recovery time from a false alarm decreases from $10T_s$ to $3T_s$. Following the same procedure, the transition probability curves of the reliability model and the reliability curve are given in Fig. 5. Compared with the results in Fig. 4, the maximum transition probability to state 2 decreases approximately from 0.2 to 0.08, and the maximum point shifts from $n = 20$ to $n = 80$ as a result of the increase in the mean time for false alarms. It is also noted that the shapes of some of the curves are very different from those in Fig. 4. Consequently, the transition probability to state 5 decreases, the reliability deteriorates more slowly, and the system will probably survive longer. Therefore, a properly designed FDI is crucial to achieve a high reliability of an FTCS.

Fig. 5 Transition probability and reliability curves with different FDI models
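The FDI parameters of this example can be checked numerically. The Python sketch below is an added illustration, not code from the paper: it builds the kernel Q^k(i, j, l) = P^k_ij H^k(i, j, l) from the Poisson and binomial sojourn distributions, recovers the stationary distribution p, and evaluates how often an exponential (memoryless) sojourn time with the same 5 s mean would end in under one detection cycle. The alternating embedded chain `P_EMBED`, the truncation `L_MAX` and all function names are assumptions of the example.

```python
import math

L_MAX = 200   # truncation point for sojourn times, in detection cycles (assumed)
T_S = 1.0     # detection cycle duration T_s in seconds (Section 4)

# ASSUMPTION: with two FDI modes and no self-transitions, the embedded
# Markov chain alternates between the modes, P^k_01 = P^k_10 = 1.
P_EMBED = [[0.0, 1.0],
           [1.0, 0.0]]


def pois(m, lam):
    """Pois(m | lam), evaluated in log space so large m does not overflow."""
    return math.exp(m * math.log(lam) - lam - math.lgamma(m + 1))


def binom(m, n, p):
    """Bin(m | n, p); zero for m > n."""
    if m > n:
        return 0.0
    return math.comb(n, m) * p ** m * (1 - p) ** (n - m)


def sojourn_pmfs(k):
    """H^k(i, j, l), l = 0..L_MAX, keyed by (i, j), for plant mode k in {0, 1}."""
    slow = [pois(l, 20) for l in range(L_MAX + 1)]        # leaving the correct mode
    fast = [binom(l, 10, 0.5) for l in range(L_MAX + 1)]  # leaving the wrong mode
    return {(k, 1 - k): slow, (1 - k, k): fast}


def kernel(k):
    """Semi-Markov kernel Q^k(i, j, l) = P^k_ij * H^k(i, j, l)."""
    return {(i, j): [P_EMBED[i][j] * h for h in pmf]
            for (i, j), pmf in sojourn_pmfs(k).items()}


def embedded_from_kernel(q):
    """Recover P^k_ij as the sum of Q^k(i, j, l) over l.

    The l = 0 term is kept because Bin(m | 10, 0.5) puts mass 2**-10 on m = 0.
    """
    p = [[0.0, 0.0], [0.0, 0.0]]
    for (i, j), column in q.items():
        p[i][j] = sum(column)
    return p


def stationary_distribution(k):
    """Long-run fraction of cycles g_n spends in each FDI mode, given f_n = k."""
    q = kernel(k)
    p = embedded_from_kernel(q)
    # Stationary law of the two-state embedded chain.
    nu = [p[1][0] / (p[0][1] + p[1][0]), p[0][1] / (p[0][1] + p[1][0])]
    # Mean sojourn time in mode i: sum over j and l of l * Q^k(i, j, l).
    mean = [0.0, 0.0]
    for (i, _j), column in q.items():
        mean[i] += sum(l * x for l, x in enumerate(column))
    weights = [nu[i] * mean[i] for i in range(2)]
    return [w / sum(weights) for w in weights]


def prob_subcycle_exponential(mean_seconds):
    """Pr{sojourn < T_s} for an exponential sojourn time with the given mean."""
    return 1.0 - math.exp(-T_S / mean_seconds)


if __name__ == "__main__":
    print("p^0 =", stationary_distribution(0))
    print("p^1 =", stationary_distribution(1))
    print("Pr{exponential recovery < 1 cycle} =", prob_subcycle_exponential(5.0))
```

With a 5 s mean, the exponential model ends roughly 18 per cent of its sojourns before one detection cycle has elapsed, which is the kind of sub-cycle transition visible in the Markov sample path of Fig. 3.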

5 CONCLUSIONS

This paper presents a semi-Markov description of FDI and the reliability evaluation of an FTCS with a semi-Markov FDI model. This semi-Markov model of FDI is more general than the Markov process model, and the memoryless restriction is thereby removed. The reliability evaluation method presented in reference [11] is then extended to this general FTCS model. This reliability evaluation considers the characteristics of FTCS, and an example is given to illustrate the procedure.

REFERENCES
1 Patton, R. Fault-tolerant control systems: the 1997 situation. In Proceedings of the IFAC Symposium on Fault detection supervision and safety for technical processes, Vol. 3 (Eds R. Patton and J. Chen), 1999, pp. 1033-1054 (IFAC, Kingston Upon Hull).
2 Blanke, M., Kinnaert, M., Lunze, J., and Staroswiecki, M. Diagnosis and fault-tolerant control, 2003 (Springer-Verlag, Berlin).
3 Wu, N. and Patton, R. Reliability and supervisory control. In Proceedings of the IFAC Symposium on Fault detection supervision and safety for technical processes, Vol. 5 (Ed. N. Wu), 2003, pp. 1033-1054 (IFAC, Washington, DC).
4 Wu, N. Coverage in fault-tolerant control. Automatica, 2004, 40, 537-548.
5 Wu, N. Reliability criteria based reconfigurable control system design. In Proceedings of the IFAC Symposium on Fault detection supervision and safety for technical processes, Vol. 3 (Eds R. Patton and J. Chen), 1997, pp. 1056-1070 (IFAC, Kingston Upon Hull).
6 Wu, N. Reliability of fault tolerant control systems: part i and part ii. In Proceedings of the 40th IEEE Conference on Decision and control, Orlando, Florida, USA, 2001, pp. 1466-1471 (IEEE, New York).
7 Wu, N. Reliability prediction for self-repairing flight control systems. In Proceedings of the 35th IEEE Conference on Decision and control, Kobe, Japan, 1996, pp. 184-186 (IEEE, New York).
8 Guenab, F., Theilliol, D., Weber, P., Ponsart, J., and Sauter, D. Fault tolerant control method based on cost and reliability analysis. In Proceedings of the 16th IFAC World Congress, Prague, Czech Republic, 2005 (Elsevier Science Ltd).
9 Harrison, J., Daly, K., and Gai, E. Reliability and accuracy prediction for a redundant strapdown navigator. J. Guidance Control, 1981, 4(5), 523-529.
10 Walker, B. Fault detection threshold determination using Markov theory. In Fault diagnosis in dynamic systems: theory and application (Eds R. Patton, P. Frank, and R. Clark), 1989, pp. 477-508 (Prentice-Hall, Englewood Cliffs, New Jersey).
11 Li, H. and Zhao, Q. Reliability modeling of fault tolerant control systems. In Joint Proceedings of IEEE Conference on Decision and control and the European Control Conference, Seville, Spain, 2005, pp. 2397-2402 (IEEE, New York).
12 Mariton, M. Detection delays, false alarm rates and the reconfiguration of control systems. Int. J. Control, 1989, 49, 981-992.
13 Srichander, R. and Walker, B. Stochastic stability analysis for continuous-time fault tolerant control systems. Int. J. Control, 1993, 57, 433-452.
14 Mahmoud, M., Jiang, J., and Zhang, Y. Active fault tolerant control systems: stochastic analysis and synthesis, 2003 (Springer-Verlag, Berlin).
15 Mahmoud, M., Jiang, J., and Zhang, Y. Stochastic stability analysis of active fault-tolerant control systems in the presence of noise. IEEE Trans. Autom. Control, 2001, 46, 1810-1815.
16 Walker, B. Fault tolerant control system reliability and performance prediction using semi-Markov models. In Proceedings of the IFAC Symposium on Fault detection supervision and safety for technical processes, Vol. 3 (Eds R. Patton and J. Chen), 1997, pp. 1053-1064 (IFAC, Kingston Upon Hull).
17 Mahmoud, M. Continuously variable duration Markov models for detection delays in linear jump systems. In Proceedings of the American Control Conference, Denver, Colorado, USA, 2003, pp. 4851-4856 (IEEE, New York).
18 Kuo, W. and Zuo, M. Optimal reliability modeling, 2002 (John Wiley, Hoboken, New Jersey).
19 Viswanadham, N., Sarma, V., and Singh, M. Reliability of computer and control systems, 1987 (Elsevier, New York).
20 Barbu, V., Boussemart, M., and Limnios, N. Discrete-time semi-Markov model for reliability and survival analysis. Commun. Statist. Theory Meth., 2004, 33(11), 2833-2868.
21 Howard, B. Dynamic probabilistic systems, Vol. II, 1971 (John Wiley, New York).
22 Shin, K. and Kim, H. Derivation and application of hard deadlines for real-time control systems. IEEE Trans. Systems, Man Cybernetics, 1992, 22(6), 1403-1412.
23 Kim, H. and Shin, K. Reliability modeling of real-time systems with deadline information. In Proceedings of the IEEE Aerospace Conference, Vol. 2, 1997, pp. 511-523 (IEEE, New York).
24 Tempo, R., Bai, E., and Dabbene, F. Probabilistic robustness analysis: explicit bounds for the minimum number of samples. Systems Control Lett., 1997, 30(5), 237-242.
25 Zhang, Y. and Jiang, J. Active fault-tolerant control system against partial actuator failures. IEE Proc. Control Theory Applics, 2002, 149(1), 95-104.


APPENDIX

Notation

$A, B, C, D, E, F$: system matrices
FDI: fault detection and isolation
FTCS: fault tolerant control systems
$G$: transition probability matrix of $f_n$
$H^k$: matrix of the distribution functions of $t^k_{ij}$
$i_N$ or $(i, N)$, $i_F$ or $(i, F)$, $F$: states of $X^R_n$
$J^i_{\max}$: performance threshold when $f_n = i$
$J_n$: control performance measure at $t = nT_s$
$N$: set of non-negative integers
$\mathrm{Pois}(\cdot|\cdot)$, $\mathrm{Bin}(\cdot|\cdot, \cdot)$: Poisson and binomial distribution functions respectively
$P^k$: transition matrix of $h$ when $f_n = k$
$P^R$: matrix of the transition probability of $X^R_n$
$Q^k$: semi-Markov kernel of $g_n$ when $f_n = k$
$Q_R$: semi-Markov kernel of $X^R_n$
$R(t)$: reliability values at $t$
$R_n$: reliability values at $nT_s$
$R^n$: real vector space with dimension $n$
$S_1$: set of plant modes
$S_2$: set of FDI modes
$S_2^{ck}$: the set of elements in $S_2$ excluding $k$
$S_r$: the state space of $X^R_n$
$t$: time
$T_{hd}$: hard deadline
$T_s$: detection cycle duration of fault detection and isolation
$u(g(t), t)$: control input vector
$w(t)$: exogenous input vector
$x(t)$: state vector
$X^R_n$: semi-Markov chain for reliability evaluation
$y(t)$: output vector

$c_{ij}$, $p^i_j$, $w^i_j$, $v^i_j$ or $c$, $p$, $w$, $v$: probabilistic parameters to calculate $Q_R$
$\Delta A, \Delta B, \Delta C, \Delta D$: matrices of modelling uncertainties
$f(t)$: plant mode at $t$
$f_n$: Markov chain to represent the plant mode
$g(t)$: fault detection and isolation mode at $t$
$g_n$: semi-Markov chain to represent the fault detection and isolation mode
$(h, T) = \{h_m, T_m : m \in N\}$: Markov renewal process associated with $g_n$
$r_{(i,j).(k,l)}(m)$ or $r_{ij.kl}$: competition probability
$r^{\min}_{ik.jl}$: simplified notation for $r_{(i,k).(j,l)}[\min(m, T_{hd})]$
$s_i$: sojourn time random variable of $f_n$
$t^k_{ij}$: sojourn time random variable of $g_n$
$(w^R_n, T^R_n)$: Markov renewal process associated with $X^R_n$
$1_{\{\cdot\}}$: indicator function
