Proceedings of the 20th World Congress

Proceedings
The of
of the
International
Proceedings 20th
20th World
Federation
the Worldof Congress
Automatic Control
Congress
Proceedings
The of the
International 20th World
Federation of Congress
Automatic Control
Toulouse,
The France,
International
The International July 9-14,
Federation
Federation 2017
of Available
of Automatic
online at www.sciencedirect.com
Automatic Control
Control
Toulouse,
Toulouse, France,
France, July
July 9-14,
9-14, 2017
2017
Toulouse, France, July 9-14, 2017
ScienceDirect
IFAC PapersOnLine 50-1 (2017) 10369–10376
Support
Support technology
technology for
for safe
safe preventive
preventive
Support
Support technology
technology for safe preventive
for safesystems
preventive
maintenance
maintenance of
of control
control systems
maintenance of control systems
maintenance of control systems
Koichi Suyama ∗∗ Noboru Sebe ∗∗
Koichi
Koichi Suyama ∗∗ Noboru Sebe ∗∗ ∗∗
Koichi SuyamaSuyama Noboru
Noboru Sebe Sebe ∗∗
∗
∗ Tokyo University of Marine Science and Technology
∗ Tokyo University of Marine Science and Technology
∗ Tokyo University of
Etchujima,
Tokyo University
Etchujima, of Marine
Koto-ku,
Koto-ku,
Tokyo
Marine
Tokyo
Science
135-8533,
Science
135-8533,
and
and Technology
Japan
Technology
Japan
Etchujima,
(e-mail:
Etchujima, Koto-ku, Tokyo
Tokyo 135-8533, Japan
135-8533,
suyama@kaiyodai.ac.jp).
Koto-ku, Japan
(e-mail:
∗∗
(e-mail: suyama@kaiyodai.ac.jp).
suyama@kaiyodai.ac.jp).
∗∗ Kyushu
(e-mail: Institute of Technology
suyama@kaiyodai.ac.jp).
∗∗ Kyushu Institute of Technology
Kawazu,∗∗ Kyushu
Iizuka,Institute
Fukuokaof Technology
Kawazu, Kyushu
Iizuka, Institute
Fukuoka of820-8502,
Technology
820-8502,
Japan
Japan
Kawazu,
Kawazu, Iizuka,
(e-mail:
Iizuka, Fukuoka 820-8502,
sebe@ai.kyutech.ac.jp).
Fukuoka 820-8502, Japan
Japan
(e-mail:
(e-mail: sebe@ai.kyutech.ac.jp).
sebe@ai.kyutech.ac.jp).
(e-mail: sebe@ai.kyutech.ac.jp).
Abstract: On the basis of fault-tolerant control theory and switching L2 gain analysis, we
Abstract:
Abstract: On
On the basis of fault-tolerant control theory and switching L
L 2 gainstate analysis, we
propose
Abstract:
propose
a new
a On the
new the basis
basis of
maintenance
maintenance of fault-tolerant
support technology
fault-tolerant
support
control
control theory
technology theory
to
and
and switching
to implement
implement
an operating
switching
an L22 gain
operating gainstate analysis,
suitable
analysis,
suitable
we
we
propose
for
propose a performing
safelya new maintenance
new maintenancepreventive support technology
maintenance
support technology to
of toeachimplement
subsystem,
implement an where
an operating
operating the state state suitable
safetysuitable
of the
for
for safely
safely performing preventive maintenance of each subsystem, where the safety of the
for safely performing
bidirectional
bidirectional
transitionspreventive
performing
transitions
between normal
preventive
between
maintenance
maintenance
normal
operation
operation
of each
of and
eachan
and an
subsystem,
operating state
subsystem,
operating
where
whereis
state is
the safety
safety of
guaranteed.
the
guaranteed. of the
the
bidirectional
bidirectional transitions
transitions between
between normal
normal operation
operation and
and an
an operating
operating state
state is
is guaranteed.
guaranteed.
© 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Keywords: Maintenance; Control systems; Corrective actions; Fault tolerance; Reset.
Keywords:
Keywords: Maintenance;
Maintenance; Control Control systems;
systems; Corrective
Corrective actions;
actions; Fault
Fault tolerance;
tolerance; Reset. Reset.
Keywords: Maintenance; Control systems; Corrective actions; Fault tolerance; Reset.
1. INTRODUCTION Although it has been stated that online maintenance can
1.
1. INTRODUCTION
INTRODUCTION Although
Although
be performed it
it has
has been
been stated
in control stated
systems that
that byonline
online
designing maintenance
maintenance
the controller can
can
1. INTRODUCTION Although
be performed it has
in been
control stated
systems that by online
designing maintenance
the can
controller
be
be performed
appropriately,
performed in
in nocontrol
concrete
control systems
systems by
procedures
by designing
designing the
for the controller
maintenance
controller
Fault-tolerant control theory has been studied mainly on appropriately, appropriately,
have been presented
appropriately,
no
no concrete
no concrete up to now.
concrete
procedures
procedures
One reason
procedures
for
for maintenance
for maintenance
is that even
maintenance
Fault-tolerant
Fault-tolerant
the basis of control
control
measures theory
theory
after has
has been
been
control studied
studied
systems mainly
mainly
fall out on
on
of have been presented up to now. One reason isagainst
that even
Fault-tolerant control theory has been studied mainly on have
in
have suchbeen
been presented
designed
presented up
control to
up tosystems, now.
systems,
now. One One reason
reason is
protection that
that even
isagainst the
even
the
the
normalbasis
basis of
of measures
measures
operation due toafter
after
hardwarecontrol
control systems
systems
failures. For fall
fall out
out
example, of
of in such designed control protection the
the basis of measures after control systems fall out of in
in such
fluctuation
such designed
caused
designed control
by the
control systems,
bidirectional
systems, protection
transitions
protection against
between
against the
the
normal
normal
several operation
operation
studies on due
due to
to hardware
hardware
controller design failures.
failures.
have beenFor
For example,
example,
conducted fluctuation caused by the bidirectional transitions between
normal operation due to hardware failures. For example, fluctuation
normal
fluctuation caused
operation
caused by
and
by the
the an bidirectional
operating
bidirectional transitions
state where
transitions between
mainte-
between
several studies on
on controller
against design
failureshave been
been conductedand/or normal
several
to
several
to
studies
achieve tolerance
studies
achieve on
tolerance
controller
controller
against
design
design
failures
have
in actuators
have
in been
actuators
conducted
conducted
and/or
normal
nance
normal isoperation
performedand
operation
operation and an
an
is difficult
and
operating
an operating
operating to evaluate state
state
state and
where
where
where
mainte-
mainte-
guarantee.
mainte-
to achieve
sensors tolerance
without their against failures
detection/isolation in actuators
(e.g., and/or
Veillette, nance
nance
In the is
is performed
performed
proposed is
is
technology, difficult
difficult by to
to
using evaluate
evaluate
the and
and
switching guarantee.
guarantee.
L2 gain
to achieve
sensors tolerance
without their against failures
detection/isolation in actuators
(e.g., and/or
Veillette, nance is performed is difficult to evaluate and guarantee.
sensors without
Medanic, without their detection/isolation
and Perkins detection/isolation
(1992), Stoustrup(e.g., (e.g., Blondel In
Veillette,
and Veillette, In the
the proposed
proposed technology,
technology, by
by using
using the
the switching
switching L
L 2 gain
sensors
Medanic, and their
Perkins (1992), Stoustrup and Blondel to
In
to
evaluate
the proposed
evaluate
the
the
magnitude
technology,
magnitude
and
by
and
severity
using
severity the of the
switching
of the L22 gain
fluctuation
fluctuationgain
Medanic,
(2004),
Medanic, Meteand
and andPerkins
Gündeş
Perkins (1992),
(2008)).
(1992), Stoustrup
Stoustrup and
Fault-tolerant
and Blondel
control
Blondel to
in evaluate
transient the magnitude
responses after and a severity
switch of
(Suyama the fluctuation
and Sebe,
(2004), Mete to evaluate the magnitude and severity of the fluctuation
Mete and
(2004), certainly
theory Gündeş
andimproves
Gündeş the (2008)).
(2008)). Fault-tolerant
Fault-tolerant
availability performance control
control of inin transient
transient responses
responses of theafter
after aa switch (Suyama and Sebe,
(2004),
theory Mete
certainly and Gündeş
improves (2008)).
the Fault-tolerant
availability performance control of 2015),
in
2015),
the safety
transient
the responses
safety of the after a switch
bidirectional
bidirectional
(Suyama
(Suyama and
switch transitions
transitions and
is
Sebe,
is evalu-
Sebe,
evalu-
theory
control
theory certainly
systems.
certainly improves
However,
improves the
for
the availability
further
availability performance
improving the
performance of
avail-
of 2015),
ated andthe safety
guaranteed. of the bidirectional transitions is evalu-
control systems. However, for further improving the avail- 2015), the safety of the bidirectional transitions is evalu-
control performance,
ability
control systems. However,
systems. However, for further
preventive
for further improvingis the
maintenance
improving the im- ated
avail-
alsoavail- ated
ated
and
and guaranteed.
and guaranteed.
guaranteed.
ability
ability
portant. performance,
performance,
In addition, preventive
preventive
product maintenance
maintenance
liability makes itis
is also
also
obligatory im-
im- The proposed maintenance support technology, which for
ability performance, preventive maintenance isobligatory
also im- The proposed maintenance
portant.
portant. In
In
for manufacturersaddition,
addition, product
product
toproduct liability
liability
presentliability makes
makes
appropriate it
it
and obligatory
effective The The
the proposed
first time
proposed focuses on ansupport
maintenance
maintenance support
operating
support
technology,
technology,
state suitable
technology,
which
which
which for
for
for
portant.
for In addition,to
manufacturers present makes and
appropriate it obligatory
effective the
the first
first time
time focuses
focuses on
on an
an operating
operating state
state suitable
suitable for
for
for manufacturers
manufacturers
procedures to present
of preventive present
maintenance appropriate
for each and effective the
product. preventive
first time maintenance,
focuses on is anuseful operatingfor improving
state suitable not only for
for
procedures to appropriate and effective preventive maintenance, is useful for improving not only
procedures of
procedures of preventive
of preventive maintenance
preventive maintenance for
maintenance for each
for each product.
each product.
product.
preventive
the
preventive maintenance,
maintainability
maintenance, performanceis
is useful
useful for
for improving
directly but also the
improving not only
notavail-
only
However, there are many control systems on which it is dif- thethe maintainability
maintainability
ability
the performance
maintainability
performance
performance
of control
performance
directly
directly
systems
directly
but
but
but
also
also
indirectly.
also
the
the
The
the
avail-
avail-
dis-
avail-
However, there are many control systems on which it is dif-
dif- ability
However,
ficult
However, thereperform
to safely
there are many
are many control systems
preventive
control systems on which
maintenance.
on which itexam-
Forit is dif-
is ability performance
cussion
ability performance
in this
performance paper of
of control
of control
clarifies
control
systems
systems
that
systems we indirectly.
indirectly.
can The
The dis-
establish
indirectly. The dis-
an
dis-
ficult to
to safely
safely perform
ficultespecially
ple, perform preventive
preventive
in the process maintenance.
maintenance.
industry, For
For exam-
“maintenance-free exam- cussion in this paper clarifies that we can establish an
ficult to safely perform preventive maintenance. For exam- cussion
appropriate
cussion in
in this
and
this paper
effective
paper clarifies
procedure
clarifies that
that we
for
we can
can establish
preventive mainte-
establish an
an
ple, especially
ple, especially
especially
technology” in the
inbeen
hasin process
the process
process industry,
industry,
studied industry, “maintenance-free
“maintenance-free
because preventive mainte- nance appropriate and effective procedure for preventive mainte-
ple, the “maintenance-free appropriate
of
appropriate and
control
and effective
systems
effective procedure
in the
procedure for
controller
for preventive
design
preventive mainte-
step.
mainte-
technology” has been studied because preventive mainte- or nance of control systems in the
technology”
nance
technology” has been
has been studied
of manufacturing studied because
plantsbecause preventive
under preventive
safe conditions mainte-
mainte- nance
nance of
of control systems
systems in
controlnotations in the controller
controller design
design step.step.
nance
nance
operatingof
of manufacturing
manufacturing
states is difficult. plants
plants
The under
under safe
safe
international conditions
conditions
standards or
or
on The following arethe used controller
in this designpaper.step. Tzw (s):
nance of manufacturing plants under safe conditions or The following notations are used in this paper.
operating
operating
maintenance states
states is
is
(e.g., difficult.
difficult.
IEC The
The
60300-3-11 international
international
(2009)) standards
standards
and the on
on
well- The
the
The following
transfer
following notations
function
notations are
matrix
are used
usedfrom in
in athis
this paper.
signal
paper. w T T zw (s):
zw (s):
Tto an-
zw (s):
operating
maintenance states is
(e.g., difficult.
IEC The
60300-3-11 international
(2009)) standards
and the on
well- the
the transfer
transfer function
function matrix
matrix from
from a
a signal
signal w
w to
to an-
an-
maintenance
known (e.g.,inIEC
references IEC 60300-3-11
the60300-3-11
field of safety (2009)) and the
engineering the (e.g.,
well- theother z,
transferand �G�
function ∞ : thematrixH ∞ norm
 from of a
 aof signal transfer func-
w tofunc- an-

maintenance
known (e.g.,
references in the field of (2009))
safety and
engineering well-
(e.g., other
other z,
z, and
and �G�
�G� ∞ :
: the
the H
H ∞ norm
norm  of a
a transfer
transfer func-
known
Kumamoto references
(2010)) in the
only field
explain of safety
required engineering
work items (e.g., tion
other matrix
z,
of tion matrix G. L∞and G.�G� L ∞
2 :
(a,b)the = H ∞ x(t)
norm  �x(t)�
of a 2 transfer
(a,b) < ∞
func- ,
known
Kumamoto references
(2010)) in the
only field
explain of safety
required engineering
work items (e.g.,
of tion matrix G. L 2 (a,b) = = ∞ x(t)
x(t) 
 �x(t)�
�x(t)� 2 (a,b) <
< ∞
∞ ,,
Kumamoto
preventive (2010))
maintenance, only explain
such as required
component work items
replacement. of where
tion �x(t)�
matrix G.
2 (a,b) L 2denotes
(a,b) = thex(t) the  L
�x(t)�
2 norm2 (a,b)defined
2 (a,b)defined by,
< ∞ by
Kumamoto
preventive (2010)) only such
maintenance, explain as required work
component items of where �x(t)�2 (a,b)
replacement. 2 (a,b)
 b denotes the 12 the L 2 norm
preventive
There are maintenance,
no systematic such
studiesas component
on an replacement.
operating state where
where �x(t)�
�x(t)� 2(a,b)
 denotes
denotes
T the
the the
the L
L 2 norm
norm defined
defined by by
preventive
There are maintenance,
no systematic such
studiesas component
on an replacement.
operating state �x(t)�2 (a,b) =2 (a,b) abb x T (t)x(t)dt
1
1 . 2
There
There are
suitableare no
for no systematic
safely performing
systematic studies on
preventive
studies on an
an operating
maintenance.
operating state
state �x(t)�
�x(t)� 2 (a,b) ==  a
x T (t)x(t)dt
b xT (t)x(t)dt 2 .  2
1
2 .
suitable
suitable forfor safely
safely performing
performing preventive
preventive maintenance.
maintenance. �x(t)�22 (a,b)
(a,b) = a x (t)x(t)dt .
a
suitable for
In this paper, safely
weperforming
propose a preventive
new maintenancemaintenance. support 2. SWITCHING L2 GAIN
In 2. SWITCHING L 2 GAIN
In this
this paper,
technology
In this to we
paper,
paper, we propose
we propose a
propose
new
new maintenance
aa new maintenance support
maintenance support
support
2. SWITCHING L
2. SWITCHING L22 GAIN
GAIN
technology
technology
(a) achieve to to
to
an operating state suitable for safely perform- 2.1 Switch to be analyzed
technology
(a)
(a) achieve
ing
(a) achieve
preventive
achieve
an
an operating
an operating
maintenance
operating
state
state
stateof suitable
suitable for
for safely
each subsystem
suitable for safely perform- 2.1
safely perform-
perform- 2.1 Switch to
2.1 Switch
Switch to to be
be analyzed
be analyzed
analyzed
ing
ing
(b) preventive
preventive
under maintenance
maintenance
guaranteed safety of
of
of each
each
the subsystem
subsystem
bidirectional transitions
ing
(b) preventive
under maintenance
guaranteed safety of the
of subsystem transitions Suppose that aa linear
eachbidirectional Suppose that time-invariant (LTI) system Hp
(b) under
undernormal
between
(b) guaranteed
guaranteed safetyand
operation
safety of the
of the bidirectional
thebidirectional
operating state. transitions switches
transitions Suppose
Suppose that
to aa linear
another
that linear time-invariant
time-invariant
LTI system
linear time-invariant Hf with(LTI) a statesystem
(LTI)
(LTI) system
transition
system
H
H
Hpp
p
between
between normal
normal operation
operation and
and the
the operating
operating state.
state. switches
switches
at the to
to another
another
switching time LTI
LTI t system
system
= t . H
H f with
with aa state
state transition
transition
between
The proposednormal operationisand
technology based theonoperating state.
the above-mentioned switches
at the to another
switching time LTI tt =system
tt00 .. Hf with a state transition
f
The proposed technology is based on the above-mentioned at
at the
the switching
switching time
time t =
= t 0.
The
The proposed
fault-tolerant technology
controller
proposed controller is
design
technologydesign based
is based andonon the above-mentioned
switching L2 gain anal- Suppose that the system before the switch (i.e., the pre-
the above-mentioned 0
fault-tolerant
fault-tolerant
ysis, such as that
fault-tolerant controller design
described
controller design inand
and
Suyama
and and L
switching
switching
switching L 2 gain
2 gain
Sebe
L 2 gain
anal-
anal- Suppose
Suppose
anal- switch
(2015). Suppose
that
that
that the
system) the system
system
system before
is represented
the
before
before by thethe switch (i.e.,
the switch
switch (i.e.,
the pre-
(i.e., the
the pre-
pre-
ysis,
ysis, such
such as
as that
that described
described in
in Suyama
Suyama and
and Sebe
Sebe (2015).
(2015). switch
switch system)
system) is
is represented
represented by
by
ysis, such as that described in Suyama and Sebe (2015). switch system) is represented by
Copyright 2017 IFAC
2405-8963 © 2017, 10856
IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Copyright
Peer review©
Copyright © 2017
2017 IFAC
IFAC 10856
10856
Copyright ©under
2017 responsibility
IFAC of International Federation of Automatic
10856Control.
10.1016/j.ifacol.2017.08.1690
Proceedings of the 20th IFAC World Congress
10370
Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376

�
ẋp (t) = Ap xp (t) + Bp w(t) Control system
Hp : t ≤ t0 , (1)
z(t) = Cp xp (t) + Dp w(t), Normal Si Controller
operation Kn
where xp (t) ∈ Rnp (t ≤ t0 ) is the internal state, w(t) ∈ Rni
is the input, and z(t) ∈ Rno is the output. We assume Transition i, 1 Transition i, 4
that Ap is stable, (Ap , Bp ) is controllable, and (Cp , Ap ) is Controller
State i Si
observable. Kn

Suppose that the system after the switch (i.e., the post- Transition i, 2 Transition i, 3
switch system) is represented by
� State i m Si Controller
ẋf (t) = Af xf (t) + Bf w(t) Ki
Hf : t > t0 , (2)
z(t) = Cf xf (t) + Df w(t),
Maintenance
where xf (t) ∈ Rnf (t > t0 ) is the internal state and
w(t), z(t) are the same input and output as in the pre- Fig. 1. Proposed framework for preventive maintenance.
switch system Hp . We assume that Af is stable, (Af , Bf ) 3.1 Normal operation
is controllable, and (Cf , Af ) is observable.
In general, a control system should achieve superlative
Suppose that the following internal state transition occurs
performance in normal operation among several operating
around the switch:
states. That is, Controller Kn used in normal operation
xf (t0+ ) = Sxp (t0 ), (3) should be designed so that it can achieve optimal perfor-
where S ∈ R nf ×np
is a constant matrix. Using the matrix mance under other requirements, such as tolerance against
S, we represent controller resets and/or additions possibly a stoppage of a subsystem for its maintenance.
accompanying the restart (Suyama and Sebe, 2015).
3.2 Stoppage of a subsystem for maintenance
2.2 Switching L2 gain The stoppage of Subsystem Si is necessary for preventive
maintenance. It leads the control system from normal
Suyama and Sebe (2015) proposed the following switching operation to State i in Fig. 1. This is Transition i,1.
L2 gain based on responses on the post-switch side alone:
Note that the control system — except Si — continues to
�z(t)�2 (t0 , ∞) operate. The stability and acceptable performance of the
γ̂ = sup . (4)
w(t)∈L2 (−∞, ∞)\{0} �w(t)�2 (−∞, ∞) operating part in State i are guaranteed by the tolerance
This switching L2 gain evaluates the magnitude and sever- against the stoppage of Si that is predesigned in Controller
ity of the fluctuation in transient responses after a switch. Kn . We thus design Controller Kn using fault-tolerant
control theory. In general, owing to the stoppage of Si ,
By using the following theorem, we obtain the value of γ̂: the performance is lower than that in normal operation.
Theorem 1. (Suyama and Sebe, 2015) For a given γ > 0, Furthermore, the safety of Transition i,1 should be also
the switching L2 gain γ̂ satisfies γ̂ < γ if and only if there guaranteed by tolerance against the stoppage of Si . The
exist X̃p � O and X̃f � O satisfying the following LMIs: fluctuation in the transient responses after Transition i,1
� � should be well suppressed so that deviation from normal
X̃p Ap + AT p X̃p X̃p Bp
≺O (5) operating range does not occur. The magnitude and sever-
⎡ BpT X̃p −γI ⎤ ity of the fluctuation after Transition i,1 can be evaluated
X̃f Af + AT f X̃f X̃f Bf Cf
T
by the value of γ̂i,1 , the switching L2 gain γ̂ for Tran-
⎣ T
Bf X̃f −γI DfT ⎦ ≺ O (6) sition i,1. A smaller γ̂i,1 implies that the fluctuation is
Cf Df −γI suppressed in a more effective manner; then, Transition i,1
X̃p − S T X̃f S � O. (7) can be performed more safely. Thus, Controller Kn should
be predesigned so that the value of γ̂i,1 is smaller than an
This theorem also implies that the switching time t0 does acceptable level.
not affect the value of γ̂. Remark 1. If Controller Kn such that γ̂i,1 is smaller than
an acceptable level does not exist, then we consider the
3. A FRAMEWORK FOR SAFE PREVENTIVE following countermeasures for guaranteeing the safety of
MAINTENANCE Transition i,1.
• We stop Subsystem Si after leading the control sys-
Suppose that preventive maintenance of a control system tem to an operating state that is suitable for the
is performed for each subsystem Si (i = 1, 2, 3 . . .). The stoppage, as in Asai (2005).
framework for safe preventive maintenance of Subsystem • From γ̂i,1 and an acceptable level, we have the per-
Si that the proposed maintenance support technology mission condition for Transition i,1, as in Suyama
presents is shown in Fig. 1. State i is the operating state and Kosugi (2013). Only when the internal state of
where Si is stopped for its maintenance (“gray-colored” Si the control system satisfies the condition, we stop
indicates its stoppage); State i m is the operating state Subsystem Si .
that is suitable for safely performing its maintenance.
Transition i, j (j = 1, 2, 3, 4) denotes a system transition The same considerations apply to Transitions i,2, i,3,
between two operating states. and i,4.

10857
Proceedings of the 20th IFAC World Congress
Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376 10371
3.3 Operating state suitable for maintenance
In general, owing to the stoppage of Subsystem Si , the
performance of the operating part in State i (i.e., the
control system except Subsystem Si ) is lower than that in
normal operation. Furthermore, the servo system in State i
does not always have tolerance against an emergency
stoppage of a subsystem in the operating part that is
caused by some problem. Thus, it is desirable to switch
Controller Kn to another Controller Ki that achieves an
operating state suitable for maintenance of Si . This is
Transition i,2 in Fig. 1, and its safety should also be
evaluated and guaranteed by using the switching L2 gain
γ̂. That is, Controller Ki should be predesigned so that
γ̂i,2 , the value of γ̂ for Transition i,2, is smaller than an
acceptable level.
State i m is an operating state suitable for performing
maintenance of Si for the following reasons.
• The performance of the operating part is almost as
desirable as that in normal operation.
• The operating part has tolerance against an emer-
gency stoppage of another subsystem because of the
following.
· The stability and acceptable performance of the
operating part after an emergency stoppage are
guaranteed.
· The transition caused by an emergency stoppage
is safe; i.e., the fluctuation in transient responses
after an emergency stoppage is well suppressed.
Thus, maintenance of Si can be safely performed in
State i m.
Note that Controller Ki and State i m are only for preven-
tive maintenance of Si , i = 1, 2, 3, . . .. The achievement
of an operating state suitable for preventive maintenance
of each subsystem is the main feature of the proposed
maintenance support technology.
3.4 Return to normal operation after maintenance
After maintenance of Si , we first switch Controller Ki for
maintenance of Si to Kn for normal operation. This is
Transition i,3, which leads the control system to State i.
The safety of Transition i,3 should be evaluated and
guaranteed by using the switching L2 gain γ̂. That is,
Controller Ki should be predesigned so that γ̂i,3 , the
value of γ̂ for Transition i,3, is smaller than an acceptable
level. Note that although Transition i,3 is only opposite in
direction to Transition i,2, γ̂i,3 �= γ̂i,2 in general.
After the fluctuation in transient responses caused by
Transition i,3 settles, we activate Si to return the con-
trol system to normal operation. This is Transition i,4.
Although Transition i,4 is only opposite in direction to
Transition i,1, γ̂i,4 �= γ̂i,1 in general, where γ̂i,4 is the
value of γ̂ for Transition i,4. Thus, Controller Kn should
be predesigned so that γ̂i,4 , as well as γ̂i,1 , is smaller than
an acceptable level.
3.5 Controller design
Controller Kn used in normal operation The require-
ments for Controller Kn are listed below.
10858
(a) Superlative performance in normal operation.
(b) Acceptable performance after the stoppage of Subsys-
tem Si for its maintenance: the operating part in State i
(i.e., the control system except Subsystem Si ) has an
acceptable performance.
(c) Safety of Transitions i,1 and i,4: the fluctuations
in transient responses after these transitions are well
suppressed in the sense of the switching L2 gain value.
If we predesign the control system having maintainability
performance of Si (i = 1, 2, 3, . . .), the above require-
ments (b) and (c) should be imposed simultaneously for
all i = 1, 2, 3, . . .. We can reduce optimization that satis-
fies the requirements to a multiobjective design problem,
which can be solved by applying the iterative performance
improvement procedure using the non-common Lyapunov
function presented in Sebe (2007) to obtain Kn .
Controller Ki for maintenance of Si The requirements
for Controller Ki are listed below.
(a) Superlative performance in State im during mainte-
nance of Subsystem Si : the performance of the operating
part in State im (i.e., the control system except Subsys-
tem Si ) is almost as high as that in normal operation.
(b) Tolerance against an emergency stoppage of another
subsystem in the operating part in State im:
• the stability and acceptable performance of the
operating part after an emergency stoppage are
guaranteed, and
• the transition caused by an emergency stoppage is
safe; i.e., the fluctuation in transient responses after
an emergency stoppage is well suppressed in the
sense of the switching L2 gain value.
(c) Safety of Transitions i,2 and i,3: the fluctuations
in transient responses after these transitions are well
suppressed in the sense of the switching L2 gain value.
We can reduce optimization that satisfies the requirements
to a multiobjective design problem. Such a problem can be
solved by applying the iterative performance improvement
procedure using the non-common Lyapunov function pre-
sented to obtain Ki . Note that Controller Ki is used only
for maintenance of Si . Thus, Ki �= Kj (i �= j) in general.
Remark 2. Strictly speaking, the switching L2 gain values
for Transitions i,2 and i,3, γ̂i,2 and γ̂i,3 , depend not only on
Controller Ki but also on Kn . However, it is not desirable
to add the above requirement (c) to the requirements for
Kn for the following reasons.
• It is difficult to simultaneously design Kn and Ki .
• The requirement (c) imposes another restriction on
the performance in normal operation that Kn can
achieve.
4. APPLICATION TO A SERVO SYSTEM
4.1 Servo system
Consider a servo system in normal operation as shown in
Fig. 2. Plant P is an LTI system with three inputs and
three outputs. Let xpl (t) ∈ Rnpl denote its internal state.
Suppose that P is described by
ẋpl (t) = Apl xpl (t) + Bpl u(t)
Plant P : (8)
y(t) = Cpl xpl (t),
Proceedings of the 20th IFAC World Congress
10372
Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376

 T where [M ](i, j) denotes the (i, j) element of a matrix

where u(t) = u1 (t) u2 (t) u3 (t) ∈ R3 are the control
 T M . The same holds for the servo performance of each
inputs and y(t) = y1 (t) y2 (t) y3 (t) ∈ R3 are the operating loop in States 1 and 1m.
measured outputs. Here, Actuator j produces the control
input uj , and Sensor j measures the output yj . Let
xi, j (t) ∈ R ( j = 1, 2, 3 ) denote the internal state of 4.2 Stoppage of Loop 1 for maintenance
Integrator j. Integrator j can be described by
 For simplicity, we consider only maintenance of Loop 1.
ẋi, j (t) = ej (t) The discussions on maintenance of Loops 2 and 3 are
Integrator j : (9)
vj (t) = xi, j (t), similar.
where ej (t) ∈ R is the tracking error, and vj (t) ∈ R is the
 T The stoppage of Loop 1, which is necessary for its main-
output of Integrator j. Let e(t) = e1 (t) e2 (t) e3 (t) tenance, is performed by the following.
∈ R3 . Kn is also an LTI controller used in normal opera-
tion. Let xKn (t) ∈ RnKn denote its internal state. Suppose • The integral action of Integrator 1 stops, and its
that Kn is described by output is held at zero.
 • Actuator 1 stops; it can be described by the condition
ẋKn (t) = AKn xKn (t) + BKn v(t) where the plant input u1 is equal to zero.
Controller Kn : (10)
u(t) = CKn xKn (t) + DKn v(t). • Sensor 1 stops and the feedback in Loop 1 does not
 T function.
Here, r(t) = r1 (t) r2 (t) r3 (t) ∈ R3 are the stepped ref-
erence signals, which are changed after sufficiently longer This is Transition 1,1 caused by the stoppage of Loop 1,
time intervals than the time constant of the servo system. which leads the servo system to State 1 shown in Fig. 3.
We can then consider the steady state of the servo system
in each time interval. Let Loop j ( j = 1, 2, 3 ) denote e2 W2 z2
the control loop with Integrator j, where Loop j includes e3 W3 z3
rj , ej , uj , and yj . It corresponds to Subsystem j in the
r1 y1
proposed maintenance support technology. We evaluate its 0 0
servo performance by �Tzj rj �∞ , where Wj is the weighting r2 + 1 y2
Kn P
function. Let W = diag{W1 , W2 , W3 }. −
s
r3 + 1 y3
s
e1 W1 z1 −

e2 W2 z2

e3 W3 z3
Plant
r1 + 1 u1 y1
−
s Fig. 3. Servo system in State 1.
Integrator 1
r2 + 1 u2 y2
s Kn P
− Integrator 2
y3
r3 + 1
s
u3 Performance in State 1 We define the  internalTstate of
− Integrator 3
Controller the servo system in State 1 by x1 (t) = xT pl (t) xi (t)
T  T
Loop 1 T
xKn (t) , where xi (t) = xi, 2 (t) xi, 3 (t) ∈ R2 . The
Loop 2
Loop 3
servo system in State 1 can then be described as follows:

ẋ1 (t) = A1 x1 (t) + B1 r(t)
Fig. 2. Servo system in normal operation.
State 1 : e(t) = C1 x1 (t) + D1 r(t) (15)
z(t) = E1 x1 (t),
Performance in normal operation We define the internal  T  T
state of the servo system in normal operation by xn (t) = where e(t) = e2 (t) e3 (t) , z(t) = z2 (t) z3 (t) ∈ R2 ,
 T T    
xpl (t) xT T
i (t) xKn (t) . The servo system in normal Apl Bpl DKn Bpl CKn O
operation can be described as follows: A1 = −Cpl O O , B1 = I
 O B Kn AKn O (16)
ẋn (t) = An xn (t) + Bn r(t)
C1 = [ −T1 Cpl O O ] , D1 = T1 ,
Normal operation : e(t) = Cn xn (t) + Dn r(t) (11)
z(t) = En xn (t), E1 = O T1 W T1T O ,
 
where 0 1 0
    and T1 = . The servo performance of the operat-
Apl Bpl DKn Bpl CKn O 0 0 1
An = −Cpl O O , Bn = I ing part is then evaluated by
(12)
O B Kn AKn O �Tzr (s)�∞ = �E1 (sI − A1 )−1 B1 �∞ . (17)
Cn = [ −Cpl O O ] , Dn = I, En = [ O W O ] .
The servo performance of the overall system is then Safety of Transition 1,1 We take r(t) as the exogenous
evaluated by input of the pre- and post-switch systems in the discussion
�Tzr (s)�∞ = �En (sI − An )−1 Bn �∞ . (13) in Section 2, because it affects the transient responses
after Transition 1,1. We also take e(t) as the evaluation
Furthermore, we evaluate the servo performance of Loop j output of the pre- and post-switch systems to evaluate
( j = 1, 2, 3 ) by the undesirable effects of Transition 1,1 on Loops 2 and 3,
�[Tzr (s)](j, j) �∞ = �[En (sI − An )−1 Bn ](j, j) �∞ , (14) which continue to function after Transition 1,1. Letting

10859
Proceedings of the 20th IFAC World Congress

Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376 10373

xp (t) = xn (t) and xf (t) = x1 (t), we have the pre- and The servo performance of the operating part in State 1m
post-switch systems as follows: is evaluated by
� � � �
An Bn A1 B1 �Tz r (s)�∞ = �E1m (sI − A1m )−1 B1m �∞ . (23)
Hp : , Hf : . (18)
T1 Cn T1 Dn C1 D1
Furthermore, the following matrix describes the internal Safety of Transition 1,2 We take r(t) as the exogenous
state transition around the switch: input of the pre- and post-switch systems, because unlike
� � Transition 1,1, r1 (t) does not exert effects on the transient
I O O
S = O T1 O . (19) responses after Transition 1,2. We also take e(t) as the
O O I evaluation output of the pre- and post-switch systems.
Letting xp (t) = x1 (t) and xf (t) = x1m (t), we have the
From the discussion in Section 2, we obtain the value of γ̂1 pre- and post-switch systems as follows:
for Transition 1,1. If γ̂1,1 is smaller, the fluctuation after � � � �
Transition 1,1 is suppressed in a more effective manner; A1 B1 T1T A1m B1m
Hp : , H f : . (24)
Transition 1,1 can be performed more safely. C1 D1 T1T C1m D1m

4.3 Operating state suitable for maintenance of Loop 1 The matrix describing the internal state transition is
� �
I O O
In general, the servo performance of the operating part S= O I O , (25)
(i.e., Loops 2 and 3) is lower than that in normal operation, O O O
owing to the stoppage of Loop 1. Furthermore, the servo because Controller K1 is activated from the zero initial
system in State 1 does not always have tolerance against state at the time of Transition 1,2. From the discussion in
an emergency stoppage of Loop 2 or 3. Thus, it is desirable Section 2, we have the value of γ̂1,2 for Transition 1,2.
to switch the controller to a better one.
We switch the controller to an LTI controller K1 that Tolerance against emergency loop stoppage in State 1m
achieves an operating state that is suitable for safely Controller K1 is designed so that the servo system in
performing maintenance of Loop 1, State 1m, as shown State 1m has tolerance against an emergency stoppage of
in Fig. 4. This switch is Transition 1,2. Let xK1 (t) ∈ RnK1 Loop 2 or 3. Here, let us consider an emergency stoppage
denote its internal state. Suppose that K1 is described by of Loop 2 in State 1m. The discussion on an emergency
� stoppage of Loop 3 is similar.
ẋK1 (t) = AK1 xK1 (t) + BK1 v(t)
Controller K1 : (20)
u(t) = CK1 xK1 (t) + DK1 v(t),
e3 W3 z3
� �T � �T
where v(t) = v2 (t) v3 (t) , u(t) = u2 (t) u3 (t) ∈ R2 . r1 y1
0
r2 y2
0 0 P
e2 W2 z2
K1
r3 + 1 y3
e3 W3 z3 s
−
r1 y1
0
r2 + 1 y2
s P
− K1
r3 + 1 y3
s Fig. 5. Servo system after an emergency stoppage of Loop 2
−
in State 1m.

(i) Deterioration in performance. If Loop 2 stops in

State 1m, the servo system falls into the operating state
Fig. 4. Servo system in State 1m. shown in Fig. 5. We define the internal state of the servo
� �T
system in Fig. 5 by x1m2 (t) = xT T
pl (t) xi, 3 (t) xK1m (t) .
Performance in State 1m We define the internal � state of The servo system in this operating state can then be
T
the servo system in State 1m by x1m (t) = xT pl (t) xi (t) described as follows:
� T �
xT ẋ1m2 (t) = A1m2 x1m2 (t) + B1m2 r(t)
K1m (t) . The servo system in State 1m can be described Loop 2 stops
as follows: : e3 (t) = C1m2 x1m2 (t) + D1m2 r(t)
� in State 1m
ẋ1m (t) = A1m x1m (t) + B1m r(t) z3 (t) = E1m2 x1m2 (t),
State 1m : e(t) = C1m x1m (t) + D1m r(t) (21) (26)
z(t) = E1m x1m (t), where
⎡ �T � �T
⎤
where Apl Bpl T12 T12 DK1 T12 Bpl T12 T12 CK 1
⎡ ⎤ A1m2 = ⎣ −T12 T ⎦
Apl Bpl T1T DK1 Bpl T1T CK1 Cpl O O
�
A1m = ⎣ −T1 Cpl O O ⎦ ⎡ O⎤ B K T
1 12
A K 1

O BK 1 AK1 O � �
� � B1m2 = ⎣ T12�T ⎦
, C1m2 = −T12 T
Cpl O O
O (22)
B1m = I2 , C1m = [ −T1 Cpl O O ] O
�T
O � � D1m2 = T12 , E1m2 = [ O W3 O ] ,
D1m = I, E1m = O T1 W T1T O . (27)

10860
Proceedings of the 20th IFAC World Congress
10374
Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376

� �T �
� �T Safety of Transition 1,4 After the fluctuation in tran-
T12 = 0 0 1 , and T12 = 0 1 . Under the stability of
the servo system shown in Fig. 5, the servo performance sient responses caused by Transition 1,3 settles, we acti-
of the operating part (i.e., Loop 3) is evaluated by vate Loop 1, i.e., Integrator 1, Actuator 1, and Sensor 1.
This is Transition 1,4, which leads the servo system to
�Tz3 r3 (s)�∞ = �E1m2 (sI − A1m2 )−1 B1m2 T12
�
�∞ . (28) normal operation.
For tolerance against an emergency stoppage of Loop 2 in
We take r(t) and e(t), the exogenous input and evaluation
State 1m, this should be smaller than an acceptable level.
output, respectively, as in Transition 1,1. Letting xp (t) =
(ii) Safety of transition. In addition, this transition should x1 and xf (t) = xn (t), we have the pre- and post-switch
be safe. We take r(t) as the exogenous input of the systems as follows:
� � � �
pre- and post-switch systems. We also take e3 (t) as the A1 B1 An Bn
evaluation output of the pre- and post-switch systems. Hp : , Hf : . (33)
C1 D1 T1 Cn T1 Dn
Letting xp (t) = x1m (t) and xf (t) = x1m2 (t), we have the
pre- and post-switch systems as follows: The matrix describing the internal state transition is
� � � � ⎡ ⎤
A1m B1m A1m2 B1m2 I O O
Hp : �T �T , Hf :
C1m2 D1m2
. S = ⎣ O T1T O ⎦ , (34)
T12 C1m T12 D1m
O O I
(29)
The matrix describing the internal state transition is because Integrator 1 is activated from the zero initial state
⎡ ⎤ at the time of Transition 1,4. We then obtain the value of
I O O γ̂1,4 for Transition 1,4.
S = ⎣ O T12 �T
O ⎦. (30)
O O I 4.5 Controller design
We then obtain the value of γ̂1m2 for this transition. For
tolerance against an emergency stoppage of Loop 2 in Controller Kn used in normal operation The require-
State 1m, this should be smaller than an acceptable level. ments for Controller Kn are listed below.
(a) Superlative performance: Kn achieves a high servo
The discussion on tolerance against an emergency stop-
performance among several operating states.
page of Loop 3 yields the following:
(b) Acceptable performance after the stoppage of Loop 1
• the condition corresponding to (28) that �Tz2 r2 (s)�∞ for its maintenance: under the stability of the system in
is smaller than an acceptable level, and State 1 shown in Fig. 3, the servo performance of the
• the condition on the value of γ̂1m3 for the transition operating part (i.e., Loops 2 and 3) is better than an
caused by the emergency stoppage. acceptable level.
(c) Safety of Transitions 1,1 and 1,4: the magnitude and
After all, Controller K1 should be designed so that severity of Transitions 1,1 and 1,4 can be evaluated by
• the servo performances of Loops 2 and 3 in State 1m γ̂1,1 and γ̂1,4 , respectively; if these values are smaller than
are almost as high as that in normal operation, and an acceptable level, Transitions 1,1 and 1,4 can be safely
• the servo system in State 1m has tolerance against an performed.
emergency stoppage of Loop 2 or 3. We can reduce optimization that satisfies these require-
ments to the following multiobjective design problem:
Thus, maintenance of Loop 1 can be safely performed in
minimize �Tzr (s)�∞
State 1m. Kn
subject to (b) �Tzr (s)�∞ < γac and (c) γ̂1,1 , γ̂1,4 < γ̂ac ,
4.4 Return to normal operation (35)
where γac and γ̂ac indicate acceptable levels of servo perfor-
After maintenance of Loop 1, we first switch Controller mance and the switching L2 gain γ̂, respectively. Applying
K1 for maintenance of Loop 1 to Kn for normal operation. the iterative performance improvement procedure using
This is Transition 1,3, which leads the servo system to the non-common Lyapunov function presented in Sebe
State 1. (2007), we can then design Controller Kn .
Safety of Transition 1,3 We take r(t) and e(t), the Note that we here consider only maintenance of Loop 1.
exogenous input and evaluation output, respectively, as in If we consider maintenance of all loops, the requirements
Transition 1,2. Letting xp (t) = x1m (t) and xf (t) = x1 (t), (b) and (c) for Loops 2 and 3 have to be imposed
we have the pre- and post-switch systems as follows: simultaneously.
� � � �
A1m B1m A1 B1 T1T Controller K1 for maintenance of Loop 1 The require-
Hp : , Hf : . (31)
C1m D1m C1 D1 T1T ments for Controller K1 are listed below.
The matrix describing the internal state transition is (a) Superlative servo performance during maintenance of
� � Loop 1: under the stability of the system in State 1m
I O O shown in Fig. 4, K1 achieves desirable servo performance
S= O I O , (32) during maintenance of Loop 1.
O O O (b) Tolerance against an emergency stoppage of another
because Controller Kn is activated from the zero initial loop during maintenance of Loop 1: even if an emergency
state at the time of Transition 1,3. We then obtain the stoppage of Loop 2 or 3 occurs, the operating part main-
value of γ̂1,3 for Transition 1,3. tains an acceptable servo performance and the magnitude

10861
Proceedings of the 20th IFAC World Congress

Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376 10375

and severity of the transition caused by the emergency It follows from (38) that the servo performance index
stoppage are also acceptable. satisfies �Tzr (s)�∞ ≥ 0.5. Under the condition that the
(c) Safety of Transitions 1,2 and 1,3: the magnitude and requirements described by γac and γ̂ac are satisfied, when
severity of Transitions 1,2 and 1,3 can be evaluated by γ̂1,2 �Tzr (s)�∞ got sufficiently close to 0.5 in comparison with
and γ̂1,3 , respectively. γac = 0.6, we terminated the iterative performance im-
We can reduce optimization that satisfies the requirements provement procedure to obtain Controller Kn given in
to the following multiobjective design problem: (39). Controller K1 given in (40) is similar.
minimize �Tz r (s)�∞
K1
Table 1. Servo performance.
subject to (b) �Tz2 r2 (s)�∞ , �Tz3 r3 (s)�∞ < γac
Operating Servo performance index
γ̂1m2 , γ̂1m3 < γ̂ac , and state Operating part Loop 1 Loop 2 Loop 3
(c) γ̂1,2 , γ̂1,3 < γ̂ac . (36) Normal 0.507 0.504 0.503 0.505
operation
State 1 0.591 — 0.512 0.521
4.6 Numerical example State 1m 0.505 — 0.502 0.502

Consider the following Plant P , weighting function Wj Table 2. Tolerance in servo performance
(j = 1, 2, 3), Controller Kn in normal operation, and against loop stoppage.
Controller K1 for maintenance of Loop 1:
⎡ −3 1 1 −3 1 0 −3
⎤ Operating Servo performance index
state Loop 1 stops Loop 2 stops Loop 3 stops
⎢ 3 −2 0 −1 −3 2 1⎥
Normal
⎢ 1 −1 −4 −3 2 3 −3 ⎥ operation 0.591 N/A N/A
⎢ −4 3 4 −4 ⎥
P = ⎢ −1 0 0⎥ (37) State 1 — Loop 3: 1.149 Loop 2: 1.052
⎢ 0 1 −3 3 0 0 0⎥ State 1m — Loop 3: 0.519 Loop 2: 0.530
⎣ ⎦
3 −2 −1 0 0 0 0
1 2 1 0 0 0 0 Table 3. Switching L2 gain values.
Wj = 1 + 0.5s (j = 1, 2, 3) (38)
⎡ 27.35 −15.82 Transition γ̂
7.63 21.07 577.36 Transition 1,1 1.241
⎢ −15.65 −23.96 −11.35 2.41 1079.51 Transition 1,2 1.167
⎢ −22.28 20.60 −31.05 −37.78 19.51 Emergency stoppage of Loop 2 in State 1m 1.258
⎢ −29.01
⎢ 64.95 15.01 −16.33 393.48 Emergency stoppage of Loop 3 in State 1m 1.133
⎢ −428.88 −751.22 −6.99 −39.87 −589.82
⎢
Kn = ⎢ −214.91 −2.07 −858.04 Transition 1,3 1.318
236.43 4.59 Transition 1,4 1.013
⎢ 553.15 −470.61 −297.68 51.21 −359.78
⎢
⎢ −2.58 3.44 6.75 1.16 −288.57
⎣
4.91 −6.53 14.63 12.46 114.48
−6.26 −3.99 4.42 2.76 74.63
The analysis results are shown in Tables 1–3.
⎤ (i) Normal operation. The system in normal operation has
99.30 −1070.58 −0.75 −2.38 −16.11
−62.04 622.83 6.33 10.66 3.68 ⎥
a desirable servo performance of 0.507 as shown in Table 1.
1391.51 344.19 −23.15 −6.67 16.52 ⎥ In addition, tolerance against the stoppage of Loop 1 is
−15.84 542.23 −62.28 68.05
⎥
51.19 ⎥ achieved with
159.79 535.03 690.49 −701.50 457.76 ⎥
⎥ (39) • an acceptable performance of the system in State 1
−450.19 1168.51 804.61 732.72 89.23 ⎥
−1205.20 −751.55
⎥
533.88 −218.67 −1034.01 ⎥
of 0.591 as shown in Tables 1 and 2, and
−373.00 298.77 0 0 0 ⎥ • an acceptable magnitude and severity of Transi-
⎦ tion 1,1 of γ̂1,1 = 1.241 as shown in Table 3.
−493.57 −49.14 0 0 0
−329.32 445.98 0 0 0 (ii) State 1 after the stoppage of Loop 1. The system
⎡
40.07 19.38 −79.37 −168.53 in State 1 does not have tolerance against an emergency
⎢ 21.46 −21.24 −66.37 1363.34 stoppage of Loop 2 or 3, because the operating part after
⎢ 75.06 −16.94 −15.40 −494.31
⎢ the emergency stoppage does not exhibit an acceptable
⎢ 118.42 −920.05 365.29 −217.24
performance (1.149, 1.052 ; Table 2).
K1 = ⎢ 846.31 140.42 −30.82 −158.29
⎢ (iii) State 1m for maintenance of Loop 1. The performance
⎢ 723.94 622.58 −217.76 2044.21
⎣ of the operating part (i.e., Loops 2 and 3) is as desirable
9.27 −6.03 −31.82 405.64
−5.73 −8.62 3.12 289.01 as that in normal operation, which is shown by the servo
⎤ performance index of 0.505 (Table 1). In addition, it has
−2133.82 −1112.41 0.37 −10.42
−243.50 −409.38 8.35 −15.83 tolerance against an emergency stoppage of Loop 2 or 3,
⎥
−533.82 −95.18 −95.75 −99.16 ⎥ because
⎥
−376.23 −2278.28 −1089.66 335.76 ⎥ • the operating part after the emergency stoppage ex-
−2412.00 −971.20 −424.60 −1491.32 ⎥. (40)
⎥ hibits an acceptable performance (0.519, 0.530 ; Ta-
−5518.32 −6107.69 357.30 −1455.22 ⎥
⎦ ble 2), and
−340.77 −241.24 0 0
452.18 177.66 0 0 • the magnitude and severity of the transition caused
by an emergency stoppage of Loop 2 or 3 is acceptable
We set γac = 0.6 and γ̂ac = 1.5. Note that in order (γ̂ = 1.258, 1.133 ; Table 3).
to avoid obtaining a high-gain controller, we did not
completely perform the optimization in (35) and (36). Maintenance of Loop 1 can then be safely performed.

10862
Proceedings of the 20th IFAC World Congress
10376
Toulouse, France, July 9-14, 2017 Koichi Suyama et al. / IFAC PapersOnLine 50-1 (2017) 10369–10376

We now present the simulation results of the servo system. 1

Figures 6–8 show the responses in the outputs y1 , y2 , and r1

y3 of the plant with the reference signals r1 , r2 , and r3 , y1
respectively. Owing to the stoppage of Loop 1 for its
maintenance at t = 40 (Transition 1,1), Loops 2 and 3 0.5

showed a slight fluctuation because of the tolerance against

the stoppage in normal operation achieved by Controller
Kn . At t = 60, the controller is switched from Kn to K1
(Transition 1,2). In State 1m, the servo performance of 0

the operating part (i.e., Loops 2 and 3) is as desirable

as that in normal operation, as shown in the responses
to the change in the reference signals at t = 80. We
can safely perform preventive maintenance of Loop 1 in −0.5
0 20 40 60 80 100 120 140 160
Time
State 1m as mentioned above. After maintenance of Loop 1
is completed, Transitions 1,3 and 1,4 are performed at Fig. 6. Response in Loop 1.
t = 100 and 120, respectively. As shown in the values
1
γ̂1,3 = 1.318 and γ̂1,4 = 1.013 in Table 3, the magnitude
r2
and severity of these transitions are acceptable. They
y2
appear in the responses at t = 100 and 120 in Figs. 7 and
8. After Transition 1,4, the system is in normal operation,
0.5
as shown in the responses to the change in the reference
signals at t = 140.

5. CONCLUSIONS 0

Product liability makes it obligatory for manufacturers

to present appropriate and effective procedures of pre-
ventive maintenance for each product. Thus, it has be- −0.5
0 20 40 60 80 100 120 140 160
come increasingly important to establish safe procedures Time
for preventive maintenance of control systems in various Fig. 7. Response in Loop 2.
application areas. This paper is the first important step
in researches that focus on safe preventive maintenance in 1
the field of control engineering. r3
y3
ACKNOWLEDGEMENT
0.5

This research was supported by JSPS KAKENHI Grant

#26420410, Japan Society for the Promotion of Science.
0
REFERENCES
T. Asai. A general synthesis framework to attenuate
disturbance responses due to switching. Transactions
−0.5
of SICE, 41: 846–855, 2005 (in Japanese). 0 20 40 60 80 100 120 140 160
Time
International Electrotechnical Commission. IEC 60300-3-
11: Dependability management — Part 3-11: Applica- Fig. 8. Response in Loop 3.
tion guide — Reliability centred maintenance. 2009. K. Suyama. Fault-tolerant servo systems against actuator
H. Kumamoto. Satisfying safety goals by probabilistic risk failures using limited integrators. Proceedings of the 39th
assessment. Springer, 2010. Annual Conference of the IEEE Industrial Electronics
A.N. Mete and A.N. Gündeş. MIMO controller synthesis Society, 3534–3540, 2013.
with integral-action integrity. Automatica, 44: 128-134, K. Suyama and N. Sebe. New switching L2 gain analysis
2008. for a restart with controller resets after maintenance.
N. Sebe. A new dilated LMI characterization and itera- Proceedings of the 8th IFAC Symposium on Robust
tive control system synthesis. Proceedings of the 11th Control Design, 349–356, 2015.
IFAC/IFORS/IMACS/IFIP Symposium on Large Scale R.J. Veillette, J.V. Medanic, and W.R. Perkins. Design
Systems: Theory and Applications, 6 pages, 2007. of reliable control systems. IEEE Transactions on
J. Stoustrup and V.D. Blondel. Fault tolerant control: A Automatic Control, 37: 290–304, 1992.
simultaneous stabilization result. IEEE Transactions on
Automatic Control, 49: 305–310, 2004.
K. Suyama and N. Kosugi. Controller reset strategy for
anti-windup based on L2 gain analysis. Proceedings
of the 39th Annual Conference of the IEEE Industrial
Electronics Society, 3443–3448, 2013.

10863