Annual Reviews in Control 33 (2009) 136–148

Contents lists available at ScienceDirect

Annual Reviews in Control

journal homepage: www.elsevier.com/locate/arcontrol

Fault-tolerant actuators and drives—Structures, fault detection principles and

applications
Marco Muenchhof *, Mark Beck, Rolf Isermann
Technische Universität Darmstadt, Institute of Automatic Control, Laboratory for Control Systems and Process Automation, Landgraf-Georg-Strasse 4, Darmstadt, Germany

A R T I C L E I N F O A B S T R A C T

Article history: As fault detection and fault diagnosis methods are more and more finding their way into modern
Received 4 June 2009 industrial mechatronic products, it is now time to take the next step. Based on the research efforts for
Accepted 23 August 2009 fault detection and diagnosis, a status report has been prepared for research on fault management, i.e.
Available online 30 October 2009
automatic reactions of the system to continue operation after the detection of faults. These reactions may
employ hardware redundancy (i.e. switching from a faulty actuator to another, intact one) or analytical
Keywords: redundancy (i.e. switching from a faulty sensor to a ‘‘model sensor’’ or ‘‘soft sensor’’).
Sensor and actuator faults
A total fault-tolerance concept must encompass all components of a system, i.e. the actuators and
Structural analysis
Aerospace applications
drives, the process itself, the sensors as well as the controller and communication. In many cases, a
Automotive applications degradation of functions has to be accepted after a fault has appeared. Concentrating on some
Electro-mechanical applications widespread actuation principles, the paper will focus on electric drives and hydraulic actuators.
Other applications First, a review is given on fault-tolerance principles and general structural considerations, e.g. hot-
standby and cold-standby, focusing on the scheme of an overall fault-tolerant control system. Then, fault
statistics for existing actuators and drives will be presented. These fault statistics give hints on the parts
of the actuators which are most susceptible to faults. Different designs of fault-tolerant actuators and
drives, which have been realized as laboratory prototypes or even on an industrial scale, shall be
presented and evaluated with respect to their capabilities of withstanding faults. Finally, an outlook for
fault-tolerant mechatronic systems will be given.
ß 2009 Elsevier Ltd. All rights reserved.

1. Introduction delivers fault-tolerance. In this paper, case-studies shall be

While fault detection and diagnosis techniques in the past have
mainly been used to increase the safety of components or to
optimize the planning of maintenance schedules, the demand for
enhanced reliability of components has attracted the investigation
of fault-tolerance techniques quite recently.
Without the aforementioned raise in reliability that has been
obtained by the application of fault-tolerance, many current
innovations would have been impossible. Fly-by-wire is one of
such innovations (Goupil, 2009; Tarnowski, 2008). Also space
missions such as the Mars explorer (Cox, 2005) would most likely
not have been completed successfully. But also every-day
machines such as road vehicles, production machines and others
can benefit from an integrated fault management system which
* Corresponding author.
E-mail addresses: MMuenchhof@iat.tu-darmstadt.de (M. Muenchhof),
MBeck@iat.tu-darmstadt.de (M. Beck), RIsermann@iat.tu-darmstadt.de
(R. Isermann).
URL: http://www.muenchhof.net, http://www.iat.tu-darmstadt.de/rtp, http://
www.iat.tu-darmstadt.de/rtp
presented which show how an integrated fault management
system was designed for typical mechatronic actuators and drives,
such as e.g. electric motors or fluidic actuators.
While on the one hand, the introduction of hardware
redundancy into the system often causes additional cost for the
acquisition of the system, savings in the operating costs can be
expected on the other hand, mainly by the reduction of unexpected
downtime. Such unexpected downtime can cause high cost, if e.g.
an entire production line must be stopped. In many other
applications, legislation or safety requirements can mandate the
use of fault-tolerant actuators or sensors. In order to keep the total
system cost as low as possible in the presence of enhanced
reliability requirements, only those parts should be made
redundant, which are the most likely to fail. Fault statistics, as
presented in Sections 4.1 and 5.1, aid in locating the most critical
components, which must then be made redundant in an
appropriate way, see Section 3.
Fig. 1 presents the overall setup of an integrated fault
management system and provides an outline of this paper as
the individual blocks shown in Fig. 1 will be discussed in the
following. Section 2 will introduce the fault detection and
diagnosis methods employed in the fault management systems.

1367-5788/$ – see front matter ß 2009 Elsevier Ltd. All rights reserved.
doi:10.1016/j.arcontrol.2009.08.002
 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 1. Scheme of an integrated fault management system (Isermann, 2006).
Fault-tolerance strategies will be discussed in Section 3. Then,
different fault-tolerant actuators will be analyzed in detail in
Sections 4 and 5. These sections follow the same composition:
First, fault statistics will be presented, which give hints on the
reliability of the individual components (Sections 4.1 and 5.1).
Then, a condensed overview of the applicable fault detection
methods will be given (Sections 4.2 and 5.2). Thereafter,
prototypical realizations from industry and academia as well as
industrial products will be presented and the particular fault
detection methodologies and fault-tolerance strategies analyzed
(Section 4.3 through 4.5 and 5.3 through 5.5). Fault-symptom
tables illustrate which faults can be detected and mitigated.
Finally, in Section 6 some conclusions will be drawn and an outlook
will be given with respect to fault-tolerant systems. Other
examples of fault-tolerant systems can be found in the publica-
tions by Isermann (2007) and Muenchhof, Beck, and Isermann
(2009a), Muenchhof, Beck, and Isermann (2009b), Muenchhof,
Beck, and Isermann (2009c).
2. Fault detection methods for fault-tolerance
Before the system is able to automatically react to a fault, the
fault must first be detected and diagnosed, i.e. its type, position, size
and cause be determined. The fault detection and diagnosis system
in Fig. 1 is divided into two parts: First, the inputs uðtÞ to the
process, the outputs yðtÞ and possibly additional measurements
xðtÞ are passed to a direct signal evaluation block in the monitoring
level. If the signals or their time-derivatives exceed certain
thresholds, then an alarm is raised and the operator is informed.
As these methods are typically only capable of detecting large
faults, the system is in most cases automatically shut down as a
protective measure upon the detection of a fault. This functionality
forms the protection level.
As the fault management system must have detailed informa-
tion about the fault to react correctly, one typically applies model-
based fault detection methods in this context, as they are capable of
providing in-depth information about the system and possible
faults. The available signals uðtÞ, yðtÞ, and xðtÞ are analyzed and
their information is consolidated by means of various signal-model
based and process-model based methods as depicted in Fig. 2. These
methods have been discussed in the books by e.g. Chen and Patton
(1999), Gertler (1998), Isermann (2006), Patton, Frank, and Clark
137
(1989), Patton, Frank, and Clark (2000). They yield so-termed
features, which can be process parameters (e.g. friction coefficient,
inductance, . . .), process states (e.g. pressure, flow rate, . . .) or
residuals. These features are then compared to their nominal values.
Larger deviations indicate the presence of a fault and hence lead to
the detection of the fault.
In the next step, the fault is subject to a symptom-fault
classification or inference which leads to the diagnosis of the fault,
i.e. determination of the type, position, size and cause of the fault.
Subsequently, the severity of the fault is rated and the fault is
assigned to a hazard class. Finally, a decision is made concerning
the remedial strategy against the implications of the fault. The fault
management system can automatically instantiate these counter
measures or can ask the user to acknowledge the actions first. The
different remedial strategies are discussed in the next section.
3. Fault-tolerance strategies
As illustrated in Fig. 1, the fault management system can take
one of the following actions upon the detection and, if required,
diagnosis of a fault:
 Reconfiguration is the most comprehensive action against a fault
and exploits redundancy inherent in the process. The use of
analytical redundancy allows the reconstruction of a measure-
ment from a faulty sensor by means of an analytical model of the
process dynamics driven by measurements from other, still
intact sensors. Actuator, sensor, or process hardware redundancy
means that there are more actuators/sensors present in the
system than would be necessary to fulfill the required actions. In
the case of a fault, the system can switch over from a faulty to an
intact (spare) actuator/sensor. Often, strongly coupled process
parts can evoke fault-tolerance. In an airplane for example,
almost all maneuvers can be carried out by different combina-
tions of the control surfaces.
 Change of operation or controller reconfiguration: As secondary
means to react to the existence of a fault, the controller can be
reconfigured, i.e. its parameters or structure can be changed. For
example, upon the onset of a fault, the controller can be made
more robust with respect to plant uncertainties. Typically,
controller reconfiguration alone cannot accommodate all-too
many faults, it must be combined with analytical redundancy or
138 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 2. Overview of different fault detection methods (Isermann, 2006).
hardware redundancy. The topic of fault-tolerant control shall not
be treated here, as this contribution deals with hardware and
algorithmic redundancy for actuators, drives and their sensors as
means to limit the impact of faults. The interested reader is
referred to the contributions by Blanke, Frei, Kraus, Patton, and
Staroswiecki (2000), Blanke, Kinnaert, Lunze, and Staroswiecki
(2006), Patton (1997), and the survey paper by Zhang and Jiang
(2003) for a deeper treatment of fault-tolerant control.
 Stop of operation: If the fault is too severe, the further operation
may not be possible and the system has to be shut down. The
main reason to mandate the stoppage of operation is to avoid
further harm to health and wealth by bringing the system to a
safe state. Yet, not all systems have a safe state: While the safe
state for a road vehicle is in most cases the standstill at the
roadside and can be reached easily, the safe state for an airplane
is on the ground with engines off, which cannot be reached easily
during normal operation (i.e. flight).
 Repair/maintenance: In addition to or instead of any of the
previous actions, maintenance or repair must be carried out to
bring the system back to its full capabilities. Isermann (2006)
defines maintenance as an action taken to retain a system in, or
return a system to its designed operating condition. Maintenance
extends the useful life of systems, ensures the optimum
availability of installed equipments or equipment for emergency
use.
As described above, the fundamental idea of fault-tolerance is
that faults of individual components are accepted, but at the same
time, measures are taken to limit the impact of these faults on the
overall functionality, e.g. by changing the system structure and
exploiting redundancy. There exist different redundancy concepts
(e.g. Isermann, Schwarz, & Stölzl, 2000), which shall be shortly
reviewed in the following:
The most simple to realize type of redundancy is the static
redundancy. Here, typically three or more components (often
sensors, but also possible for actuators) are operated in parallel
and, in the case of sensors, a voter is used to consolidate the
information, i.e. determine the most likely sensor reading, see Fig. 3.
Due to the high number of components (to withstand n faults a
total of 2n þ 1 components is needed in the case of sensors with
voting), the application of static redundancy is constrained to
highly safety critical applications, such as nuclear power plants,
airplanes, etc. Furthermore, care must be taken that the group of
sensors or actuators shows a small susceptibility to common cause
faults. If identical components are used, one is always confronted
with the risk that all components show a fault at the same time due
to the same adverse condition (e.g. over-temperature, shock, loss of
power supply, . . .). Therefore, it is advisable to employ diverse
measuring or actuation principles whenever possible.
By relying on dynamic redundancy concepts, the number of
parallel components can be reduced effectively, especially in the
case of sensors. Here for example, already two parallel sensors now
suffice to tolerate one fault. This however comes at the expense
that a fault management system must be integrated. The fault
management system must determine the defective component in
case of a fault and must have remedial strategies to isolate the
faulty component if necessary and switch over to the intact one.
Depending on whether the standby component is also active or
not, one differentiates between cold-standby (Fig. 4) and hot-
standby (Fig. 5). For cold-standby, the redundant (spare) compo-
nent is only put in operation whenever a fault comes into
existence. This operating mode on the one hand saves lifetime of
the spare component. On the other hand, it is not possible to
foresee whether the spare component will run up when required.
In the case of hot-standby on the contrary, the spare component is
always up and running. While the component is now subject to
constant wear-and-tear, it can obviously immediately be observed
that the spare component also operates as expected.
Another form of redundancy that can be employed successfully
for fault-tolerant architectures is the analytical redundancy. Upon
the loss of one sensor, it is possible to reconstruct its measurement
by a process model which is fed by other, still active sensors. This
technique is also often termed model-sensor.
Although not in the scope of this paper, it should also be noted
that not only the hardware, but also the software can be a source of
impairments to the operation of the component. For example, the
 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 3. Static redundancy (n-out-of-m voting; m ¼ 3 ! 1 fault tolerated, m ¼ 5 ! 2 faults tolerated).
crash of an important software part (e.g. operating system), can
lead to disrupture of operation.
Depending on the choice of components, the full function-
ality of the component cannot always be maintained after the
onset of a fault. Depending on the severity of the reduction of
functionality, one speaks of different degradation steps. In many
applications, it is required that the component can tolerate one
fault without a cutback in functionality. Upon the emergence of
a second fault however, typically degradation starts. Depending
on the degree of degradation, the following degradation steps
have been defined:
 Fail-operational (FO) means that the component remains
functional in the presence of a fault. The component can either
maintain full operationability or can maintain partial operation-
ability under certain impairments, depending on whether the
functionality lost due to the presence of the fault can be replaced
fully or not. This degradation mode will be required for sensors
and actuators of fault-tolerant mechatronic systems, especially
Fig. 4. Dynamic redundancy with cold-standby.
Fig. 5. Dynamic redundancy with hot-standby.
139
in safety-critical applications. It is suggested by Reichard (1998)
to further subdivide the term fail-operational into short-time and
long-time fail-operational with regard to vehicles.
 Fail silent (FSIL) characterizes a component that is switched off in
the case of a fault. As the functionality of the failed component is
not replaced, this always goes along with a degradation of the
functionality. With respect to the interaction with other
components, the faulty subsystem remains silent, i.e. it does
not negatively influence other components. This operation mode
is nowadays already typical for the electronic subsystems of
mechatronic systems.
 Fail-safe (FS) describes a situation, where the operation cannot be
kept up. Thus, the mechatronic system is brought to a safe state
(e.g. stand-still of moving parts), where it does not cause harm
and is then switched off. This obviously means that there is a
severe degradation in the functionality. The term fail-safe can
further be subdivided into passive fail-safe and active fail-safe
depending on whether the system needs an external energy
source to reach the safe state or not.
4. Fault-tolerant electrical drives
The first actuation principle to be under closer examination are
electrical drives. Before going into details, however, a very short
comparison of electrical and fluidic actuators shall be given, based
on the book by Isermann (2005). Electrical motors show good
response characteristics. They can be used for flexible drive concepts
and show a high overall efficiency especially if electrical power is
already available at the installation site. Model-based fault detection
and diagnosis methods can be implemented more easily since good
models are known. One drawback is the restricted thermal range of
operation. There is also a high percentage of moving mechanical parts
and a high rotational inertia of the rotor, which limits the dynamic
operation range. Hydraulic systems on the contrary can be used to
develop high actuating force at large displacements. They have a high
power density and the actuators have a rugged design. The main
disadvantages are the need for an additional power unit and a larger
overall system structure.
As quite a few of the realizations discussed in the following
stem from aeronautical applications, the most important pro’s and
con’s of the competing actuation principles shall be mentioned
according to Garcia, Cusido, Rosero, Ortega, and Romeral (2008),
where electro-hydraulic and electro-mechanic actuation are
compared for aeronautical use.
Here, the electro-hydraulic actuator (EHA) is recommended due
to the fact that the reliability of EHA components has been studied
well and that both hot-standby and cold-standby configurations
140 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
have been developed and validated. One major disadvantage is the
maintenance necessary for hydraulic components—an issue that
can be reduced by a change to condition-based maintenance
methods. The typically chosen central pressure supply is seen
critical because the infrastructure (i.e. the piping) is heavy and
inflexible and in the case of leakages corrosive fluids might spill
(Rosero, Ortega, Aldabas, & Romeral, 2007). While distributed
pressure supplies overcome these drawbacks, they suffer from the
increased cost and weight.
Even though the electro-mechanical actuator was strongly
promoted as part of the all-electric aircraft in the past, nowadays
only a perspective as a stand-by actuator for primary flight surfaces
and as a main actuator for secondary flight surfaces is seen for the
electro-mechanical actuator. Here, the significant maintenance cost
reduction due to the reduction of wearing parts, such as seals, is very
favorable (van den Bossche, 2002). The electro-mechanical drive is
heavily impaired by the fact that a linear motion can in most cases
only be generated by a matching gear, thus fostering flutter
concerns due to the free-play of the mechanical transmission and the
jam susceptibility. Upon shorts, there is also always the risk of fire as
pointed out by Rosero et al. (2007).
4.1. Fault statistics of electrical drives
A first glance on the fault statistics of AC induction motors, see
Fig. 6 (data taken from Motor Reliability Working Group, 1985;
Thorsen & Dalva, 1995), shows that the most predominant faults are
bearing defects, which account for 51% of all faults. Bearing faults
are caused by the permanent wear-and-tear of the rolling elements
as well as the inner and outer races and appear mainly by overload,
missing lubrication and overheating. Further reasons can be
corrosion or deformation due to static overload or peak loads.
Further 15% of all faults affect the stator windings, a fault
whose impact can be limited by multi-phase machines and/or
appropriate inverter structures (Muenchhof & Clever, 2009).
Stator winding faults are mainly caused by insulation break-
downs (due to high temperature, air entrapments and contain-
Fig. 6. Scheme of an induction motor along with fault statistics (data taken from
Motor Reliability Working Group, 1985; Thorsen & Dalva, 1995)
ments in the insulating coating, ageing, over-temperature,
water-entrapments or excessive shock). Only 4% of all faults
pertain to the rotor, thus rotor faults have not to be seen in the
first place. Fault statistics for power electronics are presented
by, e.g. Thorsen and Dalva (1995).
4.2. Fault detection methods for electrical drives
For the fault detection at electrical drives, one often employs
signal-model based methods. These methods are well suited for
periodic processes and hence are well suited for the periodic stator
currents and the rotating magnetic fields inside the motor.
Typically, stator currents, rotor speed and structure-borne noises
are evaluated. The analysis of structure-borne noise is easy to
realize and allows a reliable detection of bearing faults, but only in
laboratory settings. In the presence of louder ambient noises, gear
teeth influence, etc., the detection performance decreases tre-
mendously. Faults in the stator windings (shorts and breaks)
directly affect the shape of the stator currents. By the electro-
magnetic coupling between the stator and the rotor, one can
furthermore also detect defects at the rotor by an analysis of the
stator currents. A survey of these signal based methods can be
found in the publications by El Hachemi Benbouzid (2000),
Filippetti, Franceschini, Tassoni, and Vas (2000), Zhongming and
Bin (2000). Signal-based supervision of the frequency inverter and
the induction motor has also been treated by Wolfram and
Isermann (2000).
Another fault detection method relies on the placement of
measurement coils inside the motor (Seinsch, 2001). Besides the
necessary design change, this method is also limited to stationary
operating points. Furthermore, one can monitor the temperature of
the windings (Salzer, 2001). However, this method makes it hard to
discern between the operation related and fault induced increases
in temperature.
Physical model-based methods have also successfully been
applied. Beilhartz and Filbert (1997) presented an offline fault
detection method for induction motors, Wolfram and Isermann
(2002) suggested the use of parameter estimation methods during
running and stand-still of the induction motor to detect rotor and
stator defects. In the paper by Kral, Wieser, Pirker, and Schagginger
(2000), the comparison of a torque-model based on the stator
voltages and a second model based on the rotor-currents allowed
the detection of faults. However, the stator voltages are often not
measured. The frequency response locus of the stator impedance
has been used for fault detection by Nold (1991).
4.3. Fault-tolerant AC motors
Most AC motors have three stator phases, which are connected
in Delta or Wye connection. Due to this wiring, upon the loss of one
phase, the motor becomes single-phased and cannot generate a
rotating magnetic field any longer but only an alternating field.
Upon a simple change of the structure of the frequency inverter, the
three-phase machine can already be made fault-tolerant as shown
in Fig. 7. Here, each phase is controlled separately by a full H bridge.
Upon the loss of one phase, the motor still has two remaining
healthy and independently controllable phases and can hence
generate a rotating field and thus torque. The loss of a phase is a
critical fault since according to Klima (2003), the most common
power inverter failure is in fact the loss of one leg, i.e. at least one
permanently open switch. Although the operation in the presence
of this fault can be maintained, the torque generation along the
circumference after the loss of one phase is quite inhomogeneous.
Another disadvantage is the fact that the number of wires needed to
connect the motor to the frequency inverter doubles (Atkinson
et al., 2005; de Lillo, Wheeler, Empringham, Gerada, & Huang,
 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 7. Fault-tolerant electrical drive by separate control of the windings and/or
multiple poles, scheme (Krautstrunk, 1999).
2008; Green, Atkinson, Mecrow, Jack, & Green 2003; Krautstrunk,
1999, 2005).
Fig. 8 shows the fault-tolerant drive as developed by
Krautstrunk (1999, 2005). Only one full H bridge is shown in
detail. However, the methods for fault detection and fault
mitigation apply to all H bridges. The fault detection is based on
Fig. 8. Fault-tolerant electrical drive by separate control of the windings and/or
multiple poles, fault detection, diagnosis and fault management (Krautstrunk, 1999).
141
direct signal evaluation. The drain-source voltages of all FETs are
monitored. They indicate whether a FET is conducting or not and
also provide a scaled measurement of the current carried by the
FET in the ‘‘on’’ position. The logic allows to detect whether a FET
does not conduct despite it was commanded to be ‘‘on’’. It also
allows to detect over-current which can be caused by the fact that
the opposite FET in the inverter leg is conducting even though it
was commanded to be ‘‘off’’. Furthermore, the phase current as
supplied to the motor is monitored. Since this monitor is operating
at a slower sample rate, it does not detect faults as fast as the FET
drain source voltage monitors. Whenever a fault is detected, its
effect is mitigated by a change of the vector control sequence of the
remaining healthy H bridges. One may not be able to mitigate the
effect of a shorted phase, since the rotor upon movement will
induce a voltage into the shorted phase, which in turn causes a
magnetic field, which then generates a decelerating rotor torque.
Please note that in this diagram as in all following diagrams, the
fault management options shutdown and repair will not be stated
explicitly. Of course, the fault mitigation by redundancy can only
be a short or medium time option. In the long run, repair must be
carried out to reestablish full functionality of the system.
In order to generate a more homogeneous torque, the number
of phases of the stator windings can be increased. Although the
resulting so-termed multi-phase motors have already been under
investigation in the 1960’s, the breakthrough came with a need for
high-power electric drives, e.g. for ship propulsion, hybrid vehicles
and such (e.g.Levi, 2008). Here, the loss of one phase is less critical
as the motor e.g. has a total of 15 windings. The design of a four-
phase fault-tolerant PMSM aircraft actuator is shown by Atkinson
et al. (2005). A five-phase permanent magnet motor has been
realized by Bianchi, Bolognani, and Pre (2008) and has been
investigated experimentally for post-fault operation.
4.4. Fault-tolerant synchronous and BLDC drives
The next example comes from an aeronautical application. The
pressure in the fuselage of passenger planes flying above 2000 m is
permanently controlled. Fresh bleed air from the engines is
constantly released at the front of the fuselage. At the tail, so-
Fig. 9. Fault-tolerant electrically actuated cabin outflow valve, scheme (Moseler &
Isermann, 2000).
142 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 10. Fault-tolerant electrically actuated cabin outflow valve, fault detection,
diagnosis and fault management (Moseler & Isermann, 2000).
termed cabin outflow valves are mounted, which allow the air from
the fuselage to escape to the surroundings. The valves are driven by
brushless DC motors (BLDC) as illustrated in Fig. 9 (Moseler, Heller,
& Isermann 1999). There are two brushless DC motors, which act
on a common gear. The control system determines, which of the
two brushless DC drives is active and is hence used as the actuator
for the fuselage pressure control circuit. Upon a fault, the system
will change over from the faulty to the intact BLDC. If both BLDCs
fail, the pilot still has a fallback and is able to manually operate the
valve by a third motor, which is designed as a classical DC motor
with mechanical commutator and brushes.
The entire fault management system that was designed by
Moseler and Isermann (2000) is illustrated in Fig. 10. Here, several
fault detection methods are combined to achieve optimal
performance under various operating conditions, i.e. with excita-
tion, without excitation, etc. Parameter estimation is used to
determine the flux linkage and the resistance of the armature
Fig. 11. Fault-tolerant parallel electrical drive, scheme (Reuss & Isermann, 2004).
windings. Parity equations are used to calculate five residuals.
Furthermore, the variance of the residuals is also monitored.
Finally, a logic is used to monitor the signals from the three Hall
sensors for improper combinations of their outputs, which also
points to a fault. The detected faults include overheat and shorts as
well as winding interruptions and increased friction. Furthermore,
all sensors are monitored for offset and stuck-at faults.
The fault management system switches over from the defect to
the spare intact drive in the case of a fault. Only increased friction
in the drive train may not be compensable, especially if the reason
for the increased friction (e.g. bearing defect) is located between
the combination gear and the flap. However, there exists at least a
second outflow valve as redundancy.
4.5. Electric motors in parallel and serial connection
As was discussed in Section 4.1, bearing defects are a typical
fault for electric motors. Bearing defects can lead to a blockage of
the rotor and hence to failure of the electric drive. This fault can
only be tolerated if two separate motors are used and the faulty
motor can be detached by a clutch. One can think of two setups:
Parallel or serial connection, see Figs. 11 and 13. There are two load
transfer modes possible for the parallel connection which are
chosen to enable a bumpless transfer under load condition,
depending on the severity of the fault (Reuss & Isermann, 2004): In
the case of a minor fault, the second motor first speeds up. Once the
desired rotational velocity is reached, the first clutch disengages
and thus separates the defective motor from the load and the
second clutch engages and establishes the power flow between the
spare motor and the load. In case of a severe fault, the first clutch
disengages instantaneously. The load is thus free-running while
the second motor speeds up and reaches the desired final velocity.
Once the drive is up to speed, the second clutch closes and the load
is driven by the second motor resulting in a small and unavoidable
bump. As each motor can be decoupled from the load, it is also
possible to conduct special motor tests from time to time without
affecting the motion of the load.
Instead of the parallel connection, one can also think about
mounting the two motors one behind the other as illustrated in
Fig. 13. Here, at least the rear motor can be detached from the load,
while the front motor is always connected to the load. Thus, if the
 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 12. Fault-tolerant electrical drive, fault detection, diagnosis and fault
management (Reuss & Isermann, 2004; Wolfram & Isermann, 2002.
rotor of the front motor blocks, the entire fault-tolerant drive fails.
Heitzer (2003) proposed the same serial setup for an electric steer-
by-wire system, but in this case without a clutch.
Fig. 12 illustrates the fault detection system and the fault-
tolerance setup. As in the previous example, different methods
have been combined for fault detection and diagnosis. For fault
detection, Wolfram and Isermann (2002) applied direct signal
monitoring, the Discrete Fourier Transform, also in combination with
time-warping for an angle-synchronous sampling, parameter
estimation and signal energy evaluations in the form of parity
equations. The load supervision was designed for centrifugal
pumps and is left open in the figure, as the load supervision
methods must be designed specifically to the load that is driven by
the fault-tolerant drive. The fault-tolerant motor setup was
combined with clutches and a second AC induction motor with
frequency inverter by Reuss and Isermann (2004). A synchronous
143
Fig. 13. Fault-tolerant serial electrical drive, e.g. for steer-by-wire, scheme (Heitzer,
2003; Reuss & Isermann, 2004).
AC motor with separate power electronics served as a load
emulator. Now, in the case of a fault, the system can open one
clutch to separate the faulty motor from the drive train and close
another clutch to use the second motor as a drive as was described
in the preceding paragraphs.
5. Fault-tolerant fluidic actuators
The main distinctive features of electrical and fluidic drives
have already been summarized in Section 4 and hence shall not be
repeated here.
5.1. Fault statistics of hydraulic actuators
Fig. 14 shows the general setup of a (conventional) hydraulic
servo axis, along with fault statistics from aeronautical applications.
The hydraulic fluid is conveyed and pressurized by the pressure
supply (3% of all faults) and then delivered to the hydraulic valve. As
can be seen from the fault statistics for aircraft actuators, the
proportional valve is the most error prone component, aggregating
51% of all faults (valve assembly 19% of all faults, lap assembly
32% of all faults). Typical faults are control edge erosion (65% of all
valve faults), particles being caught between sleeve and spool (20% of
all valve faults) and external leakage (10% of all valve faults).
The proportional valve throttles and directs the hydraulic fluid
to the two chambers of the hydraulic cylinder, which accounts for
another 16% of all faults. Here, the most typical faults are external
leakage (58% of all cylinder faults), internal leakage (14% of all
cylinder faults), and broken or cracked piston rods (14% of all
cylinder faults). Finally, the fluid flows back to the supply tank. The
load driven by the hydraulic cylinder attains for further 16% of all
faults.
5.2. Fault detection methods for hydraulic actuators
Industrially applied fault detection methods for hydraulic systems
are typically limited to pressure switches, temperature switches and
level switches for the hydraulic fluid in the supply tank. More
detailed fault detection is mainly based on mounting additional
sensors, such as e.g. expensive flow meters, as well as acceleration,
temperature and pressure sensors.
Recently however, also model-based supervision methods have
been in the focus of research in industry and academia, see the
144 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148

Fig. 14. Scheme of a hydraulic servo axis with pressure supply and fault statistics (Muenchhof, 2006).

survey papers by Murrenhoff, Meindorf, and Stammen (2004) and is thus immune to loss of oil in one hydraulic circuit as well as air
Bredau, Winter, Post, and Bauer (2008). There are two trends: enclosures in one circuit and laminar leakage inside the cylinder as
Condition monitoring for components as well as oil condition long as only one circuit is affected. All control edges are mounted
monitoring. For the latter, special sensors need to be inserted into on one valve spool. If the valve spool blocks or the electro-magnetic
the system (e.g. Seyfert, 2004). drive of the valve spool fails, then the entire actuator fails.
Model-based approaches most often employ the Extended However, the electro-magnetic force is doubled such that hard
Kalman Filter to identify physical quantities such as the laminar enclosures inside of the valve can be removed by the oversized
leakage coefficient, increased friction of the piston or the valve
spool, etc. (e.g. An & Sepehri, 2003). Parity equations as a means to
supervise hydraulic actuators are presented by Kress and Crepin
(2000) and Muenchhof (2006), where also parameter estimation
methods have been used.
Neural nets as models have also been used for the supervision of
hydraulic systems avoiding the rather complex nonlinear physical
modeling of the hydraulic components. Other data-driven model-
ing techniques that have successfully been applied include support
vector machines (Schaab, Muenchhof, Vogt, & Isermann, 2005).
The main application of signal-model based methods is for fault
detection at the pressure supply: Ramdén (1998) uses the analysis
of structure-borne noise for the supervision of pumps. As hydraulic
pumps typically rotate at a constant speed, signal-model based
methods can show their full potential in this application. Pump
monitoring using wavelet analysis is proposed by Gao and Patton
(2003) and Leykauf and Isermann (2008). Tan and Sepehri (2001)
also supervised the pump. Other, non-model based methods
include acoustic analysis and infrared thermography of the
hydraulic system.

5.3. Fault-tolerant hydraulic actuator with dual ram and valve

Fig. 15(Crepin & Kress, 2000; Kress & Crepin, 2000), shows a
fault-tolerant hydraulic actuator, the rudder actuator of the
Eurofighter. The actuator has two separate hydraulic circuits and

Fig. 16. Fault-tolerant electro-hydraulic rudder actuator for Eurofighter, fault

Fig. 15. Fault-tolerant electro-hydraulic rudder actuator for Eurofighter, scheme detection, diagnosis and fault management (Crepin & Kress, 2000; Kress & Crepin,
(Crepin & Kress, 2000; Kress & Crepin, 2000). 2000).
 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148 145

power. The electro-magnetic drive has been designed as a lines, valve spool grooving, control edge erosion and sealing
quadruplex system. defects inside the cylinder along with faults at all employed
Two different fault detection and diagnosis systems have been sensors. In case of a fault, the controller can be reconfigured, the
developed, see Fig. 16: While Kress (2002) was developing an end- load can be transferred from one valve to the other or a model
of-line monitoring system with special sensors mounted at the sensor can be used to reconstruct the piston position from other
actuator, Crepin (2003) was concerned with developing methods sensor measurements, see Fig. 18.
for in-flight diagnostics. Whenever a fault is detected, the
corresponding sensor, controller and electromagnet of the quad- 5.5. Fault-tolerant hydraulic actuator with dual ram and integral
ruplex control loop are shut down, i.e. each lane is designed to be pressure supply
fail-silent. For sensor signal consolidation, Kress, Crepin, Kubbat,
and Schreiber (2000) have used different voting schemes. Fig. 19 shows a design of an aircraft actuator with a
decentralized, individual pressure supply. Such an actuator is
5.4. Fault-tolerant hydraulic actuator with single ram and dual valve typically only employed for the control of secondary flight control
surfaces (Moog Aircraft Group, 1996; Navarro, 1997). Here, two
The design in Fig. 17 is an alternative with regard to the opposite acting cylinder chambers are connected to one fixed
problems associated with the criticality of one single valve spool. displacement pump each. By control of the electric drive, the
Here, the hydraulic cylinder is fed by two parallel hydraulic valves. If amount of hydraulic fluid displaced from one chamber to the other
one valve spool blocks (sufficiently close to the zero position), then can be determined exactly. Bypass valves allow the piston to move,
the other valve can discharge the parasitic volume flow of the if the pump axle should be blocked and the pump should thus not
blocked valve and maintain control of the cylinder. The entire
system has been constructed from standard components of industrial
hydraulics, thus avoiding expensive re-designs. For this setup, it has
also been shown how the hydraulic servo axis can operate in
closed-loop position control even after a loss of the position sensor
by Muenchhof (2008). As a normal differential cylinder can be used
instead of the four chamber double-rod cylinder employed in the
previous example, the increase in installation space for the fault-
tolerant actuator has been limited while many of the faults
mentioned in Section 5 can still be tolerated. However, if one
valve blocks close to full open, the other valve is not able to
position the piston rod anymore. Hence this scheme is only fault-
tolerant for small travel ways of the valve.
The fault detection system that was developed by Muenchhof
(2006) is based on parity equations that provide five residuals and
parameter estimation that provides the valve-opening-flow-rela-
tion of the four control edges and the bulk modulus and coefficient
of the laminar leakage flow between the two chambers and is
capable to detect faults such as congestion of the supply and return

Fig. 18. Fault-tolerant electro-hydraulic servo axis, fault detection, diagnosis and
Fig. 17. Fault-tolerant electro-hydraulic servo axis, scheme (Muenchhof, 2006). fault management (Muenchhof, 2006).
146 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Fig. 19. Fault-tolerant electro-hydraulic servo axis, scheme (Moog Aircraft Group,
1996; Navarro, 1997).
Fig. 20. Fault-tolerant electro-hydraulic servo axis, fault detection, diagnosis and
fault management (Moog Aircraft Group, 1996; Navarro, 1997).
be able to rotate. The decentralized pressure supply however
requires an increase in installation space. Unfortunately, neither
the test methods nor the fault symptom tables have been
published by the authors, so only the employed measurements
could be shown in Fig. 20.
Further fault-tolerant actuators and sensors have been pre-
sented in the survey papers by Muenchhof et al. (2009a, 2009b,
2009c) and the respective publications by Isermann (in press,
2007).
6. Conclusions and outlook
Safety-critical systems, such as e.g. airplanes, trains, road-
vehicles and so-termed X-by-wire technologies will inherently
require fault-tolerant structures. For non safety-critical systems, such
as machine tools, production robots, etc., fault-tolerance will bring
the benefit of increased running-times, less downtime and longer
maintenance cycles. This will lead to cost reduction and will be
interesting in terms of the life-cycle costs. The arrival of fault-
tolerant components and their penetration of the market shall shortly
be discussed for both electric and fluidic actuators.
For electric actuators, there will be a coexistence of both, three-
phase and n-phase (n > 3) motors expected, due to the distinct
advantages and disadvantages of both. Three-phase machines are
available off-the-shelf in many different ratings, making it easy to
find a suitable product at a low (mass-production) price. The changes
in the power electronics (from single legs to H bridges) can be
accomplished with little effort taking into account the low prices for
power semiconductors. Multi-phase drives on the contrary still
have to be engineered specifically for one application which affects
the price of the component. They will for some time only be used, if
their distinct advantages, such as the possibility of splitting the
power across a higher number of phases, or the absence of an off-the-
shelf three-phase motor render the increased design cost insignif-
icantly (Levi, 2008).
Although the electrical faults can be coped with very well by the
presented designs, mechanical faults cannot be tolerated by many of
the designs discussed in this paper. Mechanical faults, such as e.g.
bearing defects, can only be tolerated by entirely new designs of
electric drives, where e.g. two drives act on a single load and can be
disconnected by clutches or special gears that allow to isolate a
faulty motor entirely from the load, see Sections 4.4 and 4.5.
Furthermore, as permanent magnet synchronous motors induce a
current into the stator upon movement of the rotor, care must be
taken that the defect windings of a synchronous motor are never
shorted while the motor is still rotating. This requirement could
also nicely be fulfilled by separation of the drive using a clutch
(which however decreases reliability).
In the area of hydraulic systems, fault-tolerance concepts so far
have mainly been realized for aeronautical applications. The major
disadvantage of the current designs with a dual-tandem ram is the
increase in installation space due to the double cylinder, which
furthermore must be designed as a double rod cylinder to ensure
equal active piston areas in all four chambers. The design proposed in
Section 5.4 can save installation space, however with losses in the
degree of fault-tolerance. It is based on standard industrial
components and can be used with a differential cylinder with
one-sided piston rod only. Many other architectures for EHA’s in
aeronautical applications have been assessed by Sadeghi and Lyons
(1992).
It is expected that current developments such as steer-by-wire
and brake-by-wire will bring more and more fault-tolerant
mechatronic systems to the mass market (e.g. Isermann et al.,
2000, Isermann, Schwarz, & Stölzl, 2002). While fly-by-wire has
already become the de-facto standard for larger passenger planes,
other areas, such as cars, trains, etc., have not yet been equipped in
large numbers with X-by-wire systems. For helicopters e.g. the first
fly-by-wire helicopter was the NH90 by Eurocopter in 2004. One
reason for the particular deep penetration of fly-by-wire in the area
of airplanes is the fact that the control surfaces of airplanes are by
themselves redundant. The most important maneuvers can be
triggered by different combinations of control surfaces. This is e.g.
not true for helicopters, where the loss of one control element
already leads to a loss of the helicopter. The same argument can
also be applied to steer-by-wire and brake-by-wire in cars. Braking
and steering tasks cannot be transferred to the other components
very well. Furthermore, X-by-wire in automotive applications
suffers from obligations by the legislation which mandate that the
driver always has full control over his/her vehicle (Dilger &
Dieterle, 2002). The trend to fault-tolerant mechatronic systems
however is probably growing slowly and is especially suitable for
systems with very high demands on reliability or safety.
 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
References
An, L., & Sepehri, N. (2003). Hydraulic actuator circuit fault detection using extended
Kalman filter. In Proceedings of the 2003 ACC.
Atkinson, G. J., Mecrow, B. C., Jack, A. G., Atkinson, D. J., Sangha, P., & Benarous, M.
(2005). The design of fault tolerant machines for aerospace applications. In
Proceedings of the IEEE international conference on electric machines and drives
(pp. 1863–1869).
Beilhartz, J., & Filbert, D. (1997). Using the functionality of PWM inverters for fault
diagnosis of induction motors. In 3rd IFAC symposium on fault detection, supervision
and safety for technical processes (SAFEPROCESS), Vol. 1 (pp. 246–251).
Bianchi, N., Bolognani, S., & Pre, M. D. (2008). Impact of stator winding of a five-phase
permanent-magnet motor on postfault operations. IEEE Transactions on Industrial
Electronics, 55(5), 1978–1987.
Blanke, M., Frei, C., Kraus, F., Patton, R. J., & Staroswiecki, M. (2000). What is fault-
tolerant control. In Proceedings of the 2000 SAFEPROCESS.
Blanke, M., Kinnaert, M., Lunze, J., & Staroswiecki, M. (2006). Diagnosis and fault-tolerant
control (2nd ed.). Springer.
Bredau, J., Winter, A., Post, P., & Bauer, F. (2008). Condition monitoring in fluid power
technology—A comprehensive approach. In Proceedings of the 6th fluid power
conference (pp. 211–240).
Chen, J., & Patton, R. J. (1999). Robust model-based fault diagnosis for dynamic systems.
Asian studies in computer and information science (p. 31), Boston: Kluwer.
Cox, N. (2005). The mars exploration rovers: Hitting the road on mars. In Proceedings of
the 16th IFAC world congress.
Crepin, P. -Y. (2003). Untersuchung zur Eignung eines robusten Filterentwurfs zur Inflight-
Diagnose eines elektrohydraulischen Aktuators. Ph.D. thesis. Darmstadt, Germany: TU
Darmstadt, Fachbereich Maschinenbau [URL: elib.tu-darmstadt.de/diss/000336/].
Crepin, P.-Y., & Kress, R. (2000). Model based fault detection for an aircraft actuator. In
Proceedings of the ICAS 2000 congress.
de Lillo, L., Wheeler, P., Empringham, L., Gerada, C., & Huang, X. (2008). A power
converter for fault tolerant machine development in aerospace applications. In
Proceedings of the 13th power electronics and motion control conference EPE-PEMC
2008 (pp. 388–392).
Dilger, E., & Dieterle, W. (2002). Fehlertolerante Elektronikarchitekturen für sicherheits-
gerichtete Kraftfahrzeugsysteme. At, 50 (8), 375–381
El Hachemi Benbouzid, M. (2000). A review of induction motors signature analysis as a
medium for faults detection. IEEE Transactions on Industrial Electronics, 47(October
(5)), 984–993.
Filippetti, F., Franceschini, G., Tassoni, C., & Vas, P. (2000). Recent developments of
induction motor drives fault diagnosis using AI techniques. IEEE Transactions on
Industrial Electronics, 47(5), 994–1004.
Gao, Y., & Patton, R. J. (2003). Application of wavelet analysis for performance
monitoring and diagnosis of a hydraulic pump. In Proceedings of the 2003 SAFE-
PROCESS.
Garcia, A., Cusido, J., Rosero, J. A., Ortega, J. A., & Romeral, L. (2008). Reliable electro-
mechanical actuators in aircraft. IEEE Aerospace and Electronic Systems Magazine,
23(8), 19–25.
Gertler, J. (1998). Fault detection and diagnosis in engineering systems. New York: Marcel
Dekker.
Goupil, P. (2009). Airbus state of the art and practices on FDI and FTC. p. 32. In
Proceedings of the IFAC SAFEPROCESS.
Green, S., Atkinson, D. J., Mecrow, B. C., Jack, A. G., & Green, B. (2003). Fault tolerant,
variable frequency, unity power factor converters for safety critical PM drives. IEE
Proceedings—Electric Power Applications, 150(6), 663–672.
Heitzer, H.-D. (2003). Development of a fault-tolerant steer-by-wire steering system.
Auto Technology, 4, 56–60.
Isermann, R. (2005). Mechatronic systems: Fundamentals (1st ed.). Berlin, Germany:
Springer.
Isermann, R. (2006). Fault-diagnosis systems: An introduction from fault detection to fault
tolerance (1st ed.). Berlin, Germany: Springer–Verlag.
Isermann, R. (2007). Fehlertolerante mechatronische Systeme, parts 1 and 2. Auto-
matisierungstechnik 55(4 and 5).
Isermann, R. (in press). Fault diagnosis applications. Springer–Verlag
Isermann, R., Schwarz, R., & Stölzl, S. (2000). Fault tolerant drive-by-wire systems—
Concepts and realization. In Proceedings of the 2000 SAFEPROCESS.
Isermann, R., Schwarz, R., & Stölzl, S. (2002). Fault-tolerant drive-by-wire systems. IEEE
Control Systems Magazine, 22(5), 64–81.
Klima, J. (2003). Analytical investigation of an induction motor drive under inverter fault
mode operations. IEE Proceedings—Electric Power Applications, 150(3), 255–262.
Kral, C., Wieser, R. S., Pirker, F., & Schagginger, M. (2000). Sequences of fieldoriented
control for the detection of faulty rotor bars in induction machines—The Vienna
monitoring method. IEEE Transactions on Industrial Electronics, 47(5), 1042–1050.
Krautstrunk, A. (1999). Remedial strategy for a permanent magnet synchronous motor
drive. In Proceedings of the EPE.
Krautstrunk, A. (2005). Fehlertolerantes Aktorkonzept für sicherheitsrelevante Anwen-
dungen. Aachen, Germany: Springer–Verlag.
Kress, R. (2002). Robuste Fehlerdiagnoseverfahren zur Wartung und Serienabnahme
elektrohydraulischer Aktuatoren. Ph.D. thesis. Darmstadt, Germany: TU Darmstadt,
Fachbereich Maschinenbau.
Kress, R., & Crepin, P.-Y. (2000). Model-based fault detection with parity space relations
for a direct drive valve. In Proceedings of the IFAC mechatronics 2000.
Kress, R., Crepin, P.-Y., Kubbat, W., & Schreiber, M. (2000). Fault detection and diagnosis
for electrohydraulic actuators. In Proceedings of the IFAC mechatronics 2000.
Levi, E. (2008). Multiphase electric machines for variable-speed applications. IEEE
Transactions on Industrial Electronics, 55(5), 1893–1909.
147
Leykauf, M., & Isermann, R. (2008). Modelbased fault diagnosis of a direct injection
gasoline engine with homogeneous and stratified operation. In Proceedings of the
8th Internationales Symposium ‘‘Automobil- und Motorentechnik’’.
Moog Aircraft Group. (1996). Redundant electrohydrostatic actuation system-Applica-
tion: F/A-18 C/D horizontal stabilizer. Brochure.
Moseler, O., Heller, T., & Isermann, R. (1999). Model-based fault detection for an
actuator driven by a brushless DC motor. In Proceedings of the 14th IFAC world
congress.
Moseler, O., & Isermann, R. (2000). Application of model-based fault detection to a
brushless DC motor. IEEE Transactions on Industrial Electronics, 47(5), 1015–1020.
Motor Reliability Working Group. (1985). Report of large motor reliability survey of
industrial and commercial installations, part II. IEEE Transactions on Industry
Applications, IA-21 (4), 865–872.
Muenchhof, M. (2006). Model-based fault detection for a hydraulic servo axis. No. 1105
in Fortschritt-Berichte VDI Reihe 8. Dsseldorf, Germany: VDI-Verlag.
Muenchhof, M. (2008). Displacement sensor fault tolerance for hydraulic servo axis. In
Proceedings of the 17th IFAC world congress. Seoul, Korea: International Federation
of Automatic Control.
Muenchhof, M., Beck, M., & Isermann, R. (2009a). Fault diagnosis and fault tolerance of
drive systems—Status and research. In Proceedings of the European control con-
ference 2009-ECC 09.
Muenchhof, M., Beck, M., & Isermann, R. (2009b). Fault diagnosis and fault tolerance of
drive systems—Status and research. European Journal of Control, 3.
Muenchhof, M., Beck, M., & Isermann, R. (2009c). Fault tolerant actuators and drives—
Structures, fault detection principles and applications. In Proceedings of the 7th IFAC
symposium on fault detection. Supervision and safety of technical processes—SAFE-
PROCESS 2009.
Muenchhof, M., & Clever, S. (2009). Fault tolerant electric drives—Solutions and current
research activities, part I and part II. In Proceedings of the European control con-
ference 2009-ECC 09.
Murrenhoff, H., Meindorf, T., & Stammen, C. (2004). Online condition monitoring
(OCM) in fluid power technology. In Proceedings of the 4th IFK.
Navarro, R. (1997, October). Performance of an electro-hydrostatic actuator on the F-18
systems research aircraft. Technical Report NASA/TM-97–206224. Edwards, CA,
USA: NASA, Dryden Flight Research Center.
Nold, S. (1991). Wissensbasierte Fehlererkennung und Diagnose mit den Fallbeispielen
Kreiselpumpe und Drehstrommotor. No. 273 in Fortschritt-Berichte VDI Reihe 8.
Dsseldorf, Germany: VDI Verlag.
Patton, R. (1997). Fault tolerant control: The 1997 situation. In Proceedings of the IFAC
symposium on fault detection, supervision and safety for technical processes (SAFE-
PROCESS), Vol. 2 (pp. 1033–1055). Hull, United Kingdom: Pergamon Press.
Patton, R. J., Frank, P. M., & Clark, R. N. (1989). Fault diagnosis in dynamic systems—Theory
and applications. London: Prentice Hall (Control Engineering Series).
Patton, R. J., Frank, P. M., & Clark, R. N. (2000). Issues of fault diagnosis for dynamic
systems. Berlin: Springer–Verlag.
Ramdén, T. (1998). Condition monitoring and fault diagnosis of fluid power systems:
Dissertation no 514. Ph.D. thesis. Sweden, Link’’ping: Link’’ping University.
Reichard, G. (1998). Sichere Elektronik im Kraftfahrzeug. At, 46 (2), 78–83
Reuss, J., & Isermann, R. (2004). Umschaltstrategien eines redundanten Asynchron-
motoren-Antriebssystems. In SPS/IPC/DRIVES 2004: Elektrische Automatisierung,
Systeme und Komponenten: Fachmesse & Kongress (pp. 469–477).
Rosero, J. A., Ortega, J. A., Aldabas, E., & Romeral, L. (2007). Moving towards a more
electric aircraft. IEEE Aerospace and Electronic Systems Magazine, 22(3), 3–9.
Sadeghi, T., & Lyons, A. (1992). Fault tolerant EHA architectures. IEEE Aerospace and
Electronic Systems Magazine, 7(3), 32–42.
Salzer, P. (2001). Monitoring und Diagnoseystem zur globalen Fehlererfassung an
Generatoren. In VDE-ETG Workshop: Monitoring und Diagnose elektrischer Maschi-
nen.
Schaab, J., Muenchhof, M., Vogt, M., & Isermann, R. (2005). Identification of a
hydraulic servo axis using support vector machines. In Proceedings of the 16th
IFAC world congress. Prague, Czech Republic: International Federation of Auto-
matic Control.
Seinsch, O. (2001). Methoden der Motordiagnose—Übersichtsvortrag. In VDE-ETG
workshop: Monitoring und diagnose elektrischer Maschinen.
Seyfert, C. (2004). Take a smell at your oil—A new approach towards online oil
condition monitoring. In Proceedings of the 4th IFK Dreseden.
Tan, H.-Z., & Sepehri, N. (2001). On condition monitoring of pump pressure in a
hydraulic servo-drive system. In Proceedings of the 2001 ACC.
Tarnowski, E. (2008). Overview of potential evolutions of technologies applied in
commercial transport airplanes. In Proceedings of the 17th IFAC world congress.
Thorsen, O., & Dalva, M. (1995). A survey of the reliability with analysis of faults on
variable frequency drives in industry. In Proceedings of the European conference on
power electronics and applications EPE ‘95 (pp. 1033–1038).
van den Bossche, D. (2002). The evolution of the airbus flight control actuation systems.
In Proceedings of the 3rd international fluid power conference.
Wolfram, A., & Isermann, R. (2000). On-line fault detection of inverter-fed induction
motors using advanced signal processing techniques. In Proceedings of the IFAC
symposium on fault detection, supervision and safety for technical processes (SAFE-
PROCESS 2000).
Wolfram, A., & Isermann, R. (2002). Component based tele-diagnosis approach to a
textile machine. Control Engineering Practice, 10, 1251–1257.
Zhang, Y., & Jiang, J. (2003). Bibliographical review on reconfigurable fault-tolerant
control systems. In Proceedings of the 2003 SAFEPROCESS.
Zhongming, Y., & Bin, W. (2000). A review on induction motor online fault diagnosis. In
Proceedings of the third international power electronics and motion control conference
IPEMC 2000, Vol. 3 (pp. 1353–1358).
148 M. Muenchhof et al. / Annual Reviews in Control 33 (2009) 136–148
Marco Muenchhof is currently working as a post-doctoral researcher at the Institute of
Automatic Control at the Technische Universität Darmstadt, Germany, in the fields of
fault management for hydraulic/mechatronic systems, adaptive control, and system
identification. Marco has studied electrical engineering at TU Darmstadt and obtained
a diploma (Dipl-Ing) and a doctoral degree (Dr-Ing) respectively. His doctoral thesis
investigates fault detection and diagnosis methods for hydraulic servo axes. In addition
to his studies in the field of electrical engineering, he holds a masters degree (MS) in
mechanical and aerospace engineering from the State University of New York at
Buffalo, USA. At SUNY Buffalo, his research interest had been in the area of control
of flexible structures. He is involved in several national and international professional
bodies. For IFAC, the International Federation of Automatic Control, he currently serves
as Chair of the Technical Committee 4.1 (Components and Technologies for Control).
He has been member of International Program Committees of several conferences.
Further information can be found on his homepage http://www.muenchhof.net.
Mark Beck studied electrical engineering at the Technische Universität Darmstadt.
After obtaining his diploma (Dipl-Ing) in 2007 he started to work as a research
associate at the Institute of Automatic Control at the Technische Universität Darm-
stadt. His research interests focus on the fields of fault detection, fault diagnosis and
fault tolerance of hydraulic and mechatronic systems.
Rolf Isermann studied mechanical engineering and obtained the Dr-Ing degree in
1965 from the University of Stuttgart. In 1968 he became ‘‘Privatdozent’’ for automatic
control and in 1972 he became a professor in control engineering at the University of
Stuttgart. From 1977 to 2006 he was professor for control systems and process
automation at the Institute of Automatic Control of the Darmstadt University of
Technology. Since 2006 he is professor emeritus and is Head of the Research Group
of Control Systems and Process Automation. He received the Dr hc (honoris causa) from
L’Université Libre de Bruxelles and from the Polytechnic University in Bucharest. In
1996 he was awarded the ‘‘VDE-Ehrenring’’, and in 2007 the ‘‘VDI-Ehrenmitglied’’. The
MIT Technology Review Magazine awarded him in 2003 one of the Top Ten repre-
sentatives of emerging Technologies in the field of mechatronics.
He has published books on Modeling of Technical Processes, Process Identification,
Digital Control Systems, Adaptive Control Systems, Mechatronic Systems, Fault
Diagnosis Systems, Engine Control and Vehicle Drive Dynamics Control. Current
research concentrates on the fields of identification and digital control of nonlinear
systems, intelligent control and model-based methods of process fault diagnosis with
applications to servo systems, fault-tolerant systems, combustion engines, automo-
biles and mechatronic systems. The research group on combustion engines works on
multivariable engine modeling, HiL-simulation, combustion pressure control and
fault diagnosis of both, CR-Diesel engines and FSI-gasoline engines. In the vehicle
dynamics group present topics are parameter estimation for drive dynamics control,
fault detection of sensors, suspensions, tires and brake systems and the development
of collision avoidance systems with surrounding sensing and active braking and
steering.
Since 1975 he held several chair positions of IFAC-Technical Committees (Interna-
tional Federation of Automatic Control). In 1996 he was elected as Vice-President of
IFAC until 2002. From 2002 to 2008, he was a member of the IFAC-Council.
He organized several national and international conferences like the 10th IFAC-
World-Congress in Munich 1987, the 1st IFAC-Symposium SAFEPROCESS, Baden-
Baden, 1991 and the 1st IFAC-Conference on Mechatronic Systems, Darmstadt held
in 2000. He also organized the biannual VDI/VDE-Conference AUTOREG (control of
vehicles and power trains) from 2002 to 2008.