Reconfigurable Fault-Tolerant Control: A Tutorial Introduction

European Journal of Control (2008)5:359386
# 2008 EUCA
DOI:10.3166/EJC.14.359386
Reconfigurable Fault-tolerant Control: A Tutorial Introduction

J. Lunze and J.H. Richter
Institute of Automation and Computer Control, Ruhr-Universitat Bochum, Universitatsstrasse 150, 44801 Bochum, Germany
This paper provides a tutorial introduction to reconfigurable control and surveys recent advances on this
topic. Control reconfiguration is an important method of
fault-tolerant control that uses the results of a fault
diagnosis component to restructure the control loop and
to adapt the controller to the faulty plant. This paper
describes recent approaches that are suitable for on-line
application. These approaches lead to a redesign of the
controller or augment the control loop with a reconfiguration block that adapts the nominal controller to the
dynamical properties of the faulty plant. The approaches
are illustrated by means of a running example and
experimental applications of selected methods. Challenges for future research in the field are stated.
Keywords: Fault-tolerant control; multivariable control systems; control reconfiguration, reconfigurability.
1. Introduction
1.1. Dependability of Complex Systems
The increasing complexity makes man-made systems
more and more vulnerable for faults and malfunctions. At the same time, requirements for system
dependability are surging as a consequence of
increasing economical demands and tightening environmental regulations. Maintaining system dependability at required levels by improving individual
components is challenging and expensive. Feedback
Correspondence to: J. Lunze, E-mail: lunze@atp.rub.de

E-mail: richter@atp.rub.de
control is an ideal technology for increasing the

system dependability. Control reconfiguration denotes
a class of solutions to this problem, where the control
loop structure and the controller dynamics are
adjusted in response to component malfunctions.
This paper gives a tutorial introduction to reconfigurable control (sometimes also referred to as
restructurable control) and reviews state-of-the-art
control reconfiguration methods. It explains how
feedback control can remain operational after severe
faults like sensor and actuator faults or failures.
Inevitably, components are subject to faults and failures, which fault-tolerant control accepts as a fundamental premise. This survey places emphasis on faults
that break the control loop. To bring the controller
back into operation, it is not sufficient to change
controller parameters. Alternative, albeit not necessarily identical sensors or actuators have to be used
instead of the faulty components. Thus the entire
control loop must be restructured to utilise the available redundancies. These steps have to be carried out
under real-time constraints, which necessitate a tradeoff between the complexity and sophistication of the
chosen approach and its real-time applicability.
The field of fault-tolerant control was largely
motivated by two aircraft incidents. In the first
incident, the left elevator was jammed in an upward
position. It took considerable time and efforts for the
cockpit crew to relearn flying the Lockheed L-1011,
which was eventually landed safely, using mostly
thrust control [47]. In the second and more severe
incident, two engines were torn off the right wing of a
Received 15 November 2007; Accepted 29 June 2008

Recommended by the Survey and Historical Papers Editor M. Gevers
360
Boeing-747 at low altitude, resulting in asymmetrical

thrust and additional control surface damage. This
incident turned into a severe accident, although it was
shown afterwards that the crash was avoidable in
principle [45]. The incidents show that fast autonomous, automatic responses to faults might have helped
the cockpit crew to avoid accidents, particularly in
situations with little time for decisions.
As a simplified version of the reconfiguration
problem to be solved in these situations consider the
yaw motion control of the aircraft shown in Figure 1.
Neglecting the coupling between the yaw axis and
remaining axes, the yaw angle is primarily controlled
by means of the rudder angle uR. When the rudder fails,
yaw angle control is impossible, unless a functionally
redundant actuator is found, because inflight rudder
repair is impossible. To restructure the loop, an
alternative actuator such as differential engine thrust
must be used. This example illustrates that severe faults
or component failures necessitate a change of the
control loop structure. Reconfiguration methods
should automatically find these changes.
Fig. 1. Aircraft with yaw axis z and yaw angle . The yaw angle
is normally controlled by the rudder deflection angle uR . After the
rudder fails by blocking in centered position (f), the differential
thrust uT can be used to influence the yaw angle. This solution must
be automatically and autonomously found by means of a control
reconfiguration component.
1.2. Fault-Tolerant Control

The main principle of fault-tolerant control (FTC)
(Figure 2) consists in augmenting the ordinary control
loop (execution level) by a supervision level with the
aim to satisfy the loop performance requirements for
both the faultless plant and the faulty plant. The
execution level works continuously to ensure disturbance attenuation and setpoint following.
The supervision level performs the two conceptual
steps of FTC, which are fault diagnosis and control
re-adjustment, usually accomplished separately and in
this order. Control re-adjustment is a collective term
for the manipulation of the controller to adequately
control the faulty plant. Figure 3 shows the procedure
from an event-driven perspective, revealing how the
system cycles through different operating modes due
to fault occurrence, fault diagnosis, reconfiguration,
and finally repair.
Several important notions have been introduced
to describe the aims and methods of fault-tolerant
Fig. 3. Control loop modes. (a) The loop starts in healthy (faultfree) operation mode. The occurrence of a fault event ef causes the
loop to operate in the undesired faulty mode. After the diagnosis
event ed , the reconfiguration event erc lifts the system to the more
desirable reconfigured mode, where it should be at least stable and
should satisfy the control specifications as well as possible. This
situation remains until the repair event er recovers the healthy
operation mode. (b) The timing diagram shows the temporal
relation between the events driving the automaton (a). The
diagnosis delay generally varies depending on the diagnosability
of the current operating conditions. The fault may not be diagnosed
for a long time if the system excitation is not sufficient. The time-toreconfigure adds the computation time for the reconfiguration
solution, which typically grows with the dimension of the system.
Fig. 2. Fault-tolerant control loop. A fault f acting on the plant is detected and located by the fault detection and isolation (FDI) module.
The fault estimate f^ is then used by the control loop adjustment module to adapt the structure of the control loop and the controller
parameters to the faulty plant.
361
Reconfigurable Fault-tolerant Control
control. A fault is an unpermitted condition that

changes at least one characteristic property of a component or the whole plant. Faults are triggered
internally, for example, by blocked valves in a chemical
batch plant, or externally by changes in environmental
conditions, such as a temperature drop. Faults can be
further classified by their location in a plant. Actuator
faults affect actuation components such as pumps,
valves, stirrers, switches, drives, motors, or brakes.
They concern the efficiency of inputs to the system.
Plant faults like clogged pipes or leakages affect
internal plant components resulting in changed plant
dynamics. Sensor faults lead to in erroneous measurements such as biased, scaled, or constant zero readings.
They concern the measured output of a system.
A malfunction is an intermittent irregularity in the
function of a system whereas a failure of a component
or plant is a permanent and complete interruption of
the service that this component or plant provides.
Faults in a component often turn into failures of parts
of a system or into failure of the overall system if there
is no response to the fault.
Redundancy is a prerequisite for fault-tolerant
control. Physical redundancy refers to the duplication
of critically important actuators and sensors. This
concept, sometimes also called direct redundancy,
allows for using simple schemes for the detection and
alleviation of faults and failures at the price of
increased system cost. Analytical redundancy refers to
the functional relationship between system inputs and
outputs, rather than to the components themselves.
For example, measured quantities can often be calculated from other quantities by means of algebraic
or, more often, by means of dynamic relations. Likewise, outputs strongly influenced by some control
input are often also controllable from other inputs,
albeit with different gains and time constants.
Analytical redundancy is more challenging to use
than physical redundancy, but it allows for building
more cost-efficient systems. All approaches described
in this article use analytical redundancy in addition to
physical redundancy.
Fault diagnosis is a difficult problem and a large
area attracting ongoing research, and certainly its
integration with reconfigurable control remains a
major unsolved problem. Since the inclusion of a
detailed treatment of fault diagnosis would exceed any
reasonable bound on paper length, the interested
reader is referred to the monographs and survey
articles [8, 16, 20, 21, 50]. For a general introduction
to fault-tolerant control, the reader might want to
consult [34]. Furthermore, the advent of self-monitoring actuators and sensor justifies the following
focused point of view [30, 69]. This paper singles out
the reconfiguration step for discussion, assuming that

the faults have already been detected, isolated, and
identified by a diagnosis component to sufficient
precision for re-adjusting the control loop.
Fault-tolerant control methods have been used in
the industry for a long time to varying degree, from
simple concepts to sophisticated approaches. Presently, there is still a gap between the achieved rigorous
theoretical foundation and the applications in the
industry. The open theoretical problems are numerous, as summarised in Section 6 below. Until their
resolution, engineering practice will likely continue to
rely on extensive simulations and experimental tests.
Few actual industrial applications of fault-tolerant
control have been reported [49]. A summary of
application-oriented studies of fault-tolerant control
is available in [34, 76].
1.3. Control Reconfiguration

Control reconfiguration deals with severe faults where
the structure of the loop needs to be changed in order
to ensure fault tolerance. Alternative measured or
manipulated variables must be found in order to reroute the signal paths around the faulty component
and to bring the control loop back into operation
(Figure 4). Hence, control reconfiguration includes
the choice of a new loop structure and the adaptation
of the control law to the new configuration. In the
aircraft yaw control example (Figure 1), differential
engine thrust is applicable and can be used to replace
the effect of the rudder. This article surveys reconfiguration methods that work autonomously, that find
reconfiguration solutions on-line, and that are based
on mathematically rigorous methods to guarantee the
reconfiguration success.
Figure 4 also points out that control reconfiguration starts from the solution of the controller design
problem for the nominal plant. The nominal controller can be used as an approximate solution to the
controller re-design problem for the faulty plant.
Therefore, the reconfiguration problem can also be
called a controller redesign problem. The availability
of the nominal controller is important since the control reconfiguration is to be completed automatically
by the control supervision level without the investigation of a human engineer.
For this reason, the model-matching approach to
control reconfiguration surveyed in Section 4.1 aims
at finding a controller that assigns the reconfigured
closed-loop system the same behaviour as the nominal
closed-loop system. In contrast, the fault-hiding
approach explained afterwards tries to hide the
362
Fig. 4. Control reconfiguration idea. For the nominal plant, the controller uses the input u2 (left). If the corresponding actuator fails, the
control loop is broken and an adjustment of the controller to the faulty plant is impossible unless other control inputs are used (right). In the
reconfigured closed-loop system the effect of the controller on the plant is re-routed around the faulty actuator (two arrows).
fault from the controller. The nominal controller

remains in the loop while a reconfiguration block
re-routes the input or output signals around the faulty
component (Figure 4).
This article focuses on methods for reconfiguration
that are applied after successful fault diagnosis. After
stating the reconfiguration problem in Section 2, control reconfiguration approaches are classified by their
underlying paradigms in Section 3. State-of-the-art
methods are explained for the two paradigms redesign
(Section 4) and fault-hiding (Section 5). Experimental
results illustrate and evaluate a recent fault-hiding
approach. In Section 6, the perspective is broadened
and several other approaches to and aspects of control
reconfiguration are briefly sketched. The article concludes with Section 7.
2. Reconfiguration Problem
This section introduces the models and reconfiguration goals used throughout the article. The main ideas
are explained for linear plants, although many of these
ideas are also applicable to nonlinear plants.
Plant P
Bd
x
A
uc
Controller K
y
r
Fig. 5. Block diagram of the nominal control loop in state-space

representation. The controller can have arbitrary linear or nonlinear dynamics. The only assumption used about the controller is
that the nominal controller ensures the control objectives.
matrix, and d 2 Rp the disturbance ( Figure 5). The

system representation (1), (2) contains known inputs
uc as well as disturbances d, which are unknown and
can be stochastic or deterministic. For control
reconfiguration, the model must include all available
inputs and outputs, that is, the input vector uc does
not only contain the inputs needed in the faultless
case, but also the inputs that can be used in the faulty
case. The same requirement holds for the output
vector y.
In the control loop, the reference input is denoted
by r(t). A general linear controller K is represented by
x_ c t Ac xc t Fc yt Gc rt; xc 0 xc0 ;
2.1. Plant Modelling

A state-space representation of a linear plant P
(A, B, C, Bd) is given by
_
xt
Axt Buc t Bd dt; x0 x0 ;
1
yt Cxt;
where xt 2 Rn is the state, yt 2 Rr the output,

uc t 2 Rm the input from the controller, A 2 Rnn the
system matrix, B 2 Rnm the input matrix, C 2 Rrn the
output matrix, Bd 2 Rnp the disturbance distribution
3
uc t Cc xc t Kc yt Vc rt
This representation includes the important classes of

output regulation controllers
Bc : Fc Gc
Dc : Kc Vc
5
6
static state feedback controllers (Ac Fc Gc

Cc 0, C I), and static output feedback controllers
(Ac Fc Gc Cc 0).
363
2.2. Fault Modelling Strategies

Fault-tolerant control is based on the knowledge of
the fault. Hence, fault information must be incorporated into the system model (1), (2).
Multiplicative faults cause variations of the model
parameters and, hence, occur in the model in multiplications of the parameter matrices with the plant
signals to yield the model Pf (Af, Bf, Cf, Bd)
x_ f t Af xf t Bf uf t Bd dt; xf 0 xf 0 ;
7
yf t Cf xf t
For actuators and sensors, a component failure is

expressed by replacing the column corresponding to
the broken k-th actuator in B or the row corresponding to the broken l-th sensor in C by a zero
column or row, respectively,

Bf b 1 . . . bk1 0 bk1 . . . bm ;
Cf c1 . . . cl1 0 cl1 . . . cr T
10
The zero columns or rows are justified, for example, in

setpoint control problems. Here the actuators, when
blocking, are likely to be near the equilibrium point
around that the nonlinear model is linearised to obtain
the linear model (1), (2). For nonlinear systems
operated near an equilibrium, an equilibrium input
translates to a zero input relative to the equilibrium.
The output yf differs from the nominal output y, since
the fault changes the plant behaviour, either because
the state innovations change due to actuator faults, or
because the measurement is faulty.
Internal component faults are mapped to a modified
system matrix Af. For example, a partially clogged pipe
connecting two tanks in an industrial process plant
changes parameters in the matrix A. On the other hand,
complete pipe clogging would induce a zero entry.
The model (7), (8) of the faulty system permits a
qualitative evaluation of the components to be faultless or faulty. The quantitative description
Af A;
Bf B;
Cf C
(8) is adequate. Hence, all control reconfiguration

approaches described below use it, where the model
parameters are either given by (9) or by (11). Alternatively, additive fault models are commonly used in
the fault diagnosis literature [31], but are considered
here only for augmenting a multiplicative fault-model
by an offset caused by actuator blockage.
2.3. Reconfiguration Goals
To ensure that the reconfigured closed-loop system
performs in the same way as the nominal one the
reconfiguration goals are expressed by comparing the
reconfigured control loop to the nominal control loop
(Figure 6) as follows, where (t) denotes the unit step
function:
Loop stabilisation goal. The reconfigured closedloop system should be asymptotically stable.
Loop equilibrium recovery goal. The reconfigured
closed-loop system should attenuate disturbances
d(t), and its output yf should asymptotically
follow a given setpoint: rt rt ! yt
rt ! 0 as t ! 1.
Loop output trajectory recovery goal. The reconfigured plant output yf (t) should exactly match
the nominal plant output y(t) for arbitrary disturbance inputs d(t) and command inputs r(t).
Loop state trajectory recovery goal. The reconfigured plant state xf (t) should exactly match the
nominal plant state x(t) for arbitrary disturbance
inputs d(t) and command inputs r(t).
All methods for achieving these reconfiguration
goals should ideally work autonomously, reconfigure
11
is obtained if the matrices are represented in terms of a

fault parameter vector 2 , where denotes
the space over that is defined. This model form is
suited to describe changes in component characteristics. Since control reconfiguration deals mostly
with severe faults, the multiplicative fault model (7),
Fig. 6. Reconfiguration goals compare the nominal closed-loop

system (left) with the reconfigured closed-loop system (right). Both
the nominal and reconfigured closed-loop systems should be stable.
When setpoint tracking is a nominal control goal, it is important
that the equilibrium of the reconfigured closed-loop system
matches the nominal loop behaviour with respect to the inputs r
and d and the outputs yf or y, respectively. Likewise, to achieve
trajectory tracking, the dynamic transmission behaviour is
matched.
364
on-line, operate together with any nominal controller

structure, meet arbitrary real-time constraints, handle
structural faults, and use analytical redundancy. In
the explanation of the main ideas of reconfiguration
methods below, it will be shown which of the mentioned requirements these methods satisfy.
Remark 1 All goals are formulated above in a strict
sense. In practice, however, they are often not strictly
attainable. In that case, they are approximated or
restricted to part of the system. For example, the failure
of a dynamic actuator renders its state uncontrollable,
hence not stabilisable. However, the control of failed
actuators is not of interest, hence the corresponding
state is excluded from the stabilisation goal.
reasons used in the normal operation mode. The

nominal controller is a static output feedback

kR
1
uR t

yt
rt;
0
0
uT t
which only uses the rudder. The zeros in the feedback
law result from the consideration of all available
inputs to the plant. For illustrative purposes, kR 1 is
used in the following discussions.
Examples for fault models are the following:
(i)
2.4. Illustrative Example: Aircraft Yaw Control

The aircraft example is used throughout this article to
illustrate the different reconfiguration methods. The
yaw rate _ of the aircraft in Figure 1 is primarily
controlled by the rudder deflection angle uR. The
turbines are usable to the same end as well, if differential thrust uT is applied. Both the rudder actuation
system and the turbines have their own dynamics,
which are approximated here as first-order systems
with state variables xR and xT and time constants
TR TT 1 s. A simple linearised model obtained
from the momentum balance with respect to the z-axis
of the aircraft has the form
0
xR t
T1R
10
xR t
dB
C B
C
CB
0 A@ xT t A
@ xT t A @ 0 T1T
dt
_ t
_ t
0:27 0:13 103
01
1

TR 0
B
C uR t
1
@ 0 T A
;
12
T
uT t
0 0
0
yt 0
1
xR t
1 @ xT t A;
_ t
13
where the inputs uR and uT drive the first-order models

of the actuators, whose states physically represent
forces. The angular rate _ is considered as the output
of the system.
The model reflects the intuition that both the rudder
uR and the differential thrust uT affect the yaw rate _ .
However, due to geometry, the rudder has twice the
gain of the differential thrust with respect to creating
yaw torque, as visible in the lower row of the system
matrix in the model (12), and for this and other
(ii)
Failure of the control channel that moves the

rudder to the deflection angle uR 0 . Within
a linear modelling framework, this type of
failure is multiplicative, since it can be represented by a modified input matrix
0
1
0 0
14
Bf @ 0 T1T A;
0 0
where the first column is set to zero to reflect the
rudder command outage.
Blockage of the rudder at an arbitrary position
uR , which is modelled by the same modified
input matrix (14) and an additional disturbance
input,
0
xR t
T1R
10
xR t
dB
C B
C
CB
0 A@ xT t A
@ xT t A @ 0 T1T
dt
_ t
_ t
0:27 0:13 103
1
0
0 u 1
R
0 0

T
B 1 C uR t
B RC
@ 0 TT A
@ 0 A;
uT t
0 0
0
15
whereas the output equation (13) remains
unchanged.
Both faults have structural consequences since they
break the nominal control loop. The controller is
ineffective until further measures are taken to reconfigure the controller to use differential engine thrust
for controlling the yaw rate. The model (12), (13)
shows that, after command failure, the controller
action must be redirected to differential thrust uT and
scaled by a factor of two. In case of non-centered
rudder blockage, the induced disturbance must in
addition be compensated.
The least goal is the recovery of the steady-state
behaviour as demanded by the equilibrium recovery
goal, which simplifies the safe landing of the aircraft.
365
Furthermore, the best-possible recovery of the transient yaw dynamics is desirable to relieve the cockpit
crew from re-learning to fly the faulty aircraft. The
better the dynamics are recovered, the more the
reconfigured aircraft feels, from the viewpoint of the
pilot, like the fault-free aircraft.
Remark 2 Several phenomena that govern real aircraft
as well as any coupling between the yaw, roll and pitch
axes have been neglected to obtain a simple model for
illustrative purposes. In reality an aircraft model is a
nonlinear parameter-varying system. Furthermore,
rudders have faster time constants than jet engines, and
the saturations in the input channels represent a major
challenge for fault-tolerant control. A realistic and
detailed multi-axis case study of aircraft under engine
thrust control is reported in [13].
3. Reconfiguration Paradigms
framework and follows one of the following paradigms (Figure 7):

Direct use of physical redundancy,
Projection of the current fault situation to a
known scenario,
Use of learning control to deal with unanticipated
faults,
Controller redesign,
Fault hiding with respect to the nominal controller
input and output.
Each paradigm is briefly discussed in the following
paragraphs. Detailed explanations of the two most
important paradigms to redesign the controller or to
hide the fault from the nominal controller are given in
the following two sections. The automatic redesign
approach represents the core of this article.
3.2. Reconfiguration by Means of Physical
Redundancy
3.1. Survey
Over the past 30 years, a variety of approaches
to control reconfiguration has been developed.
The majority of approaches is based on a linear
The concepts following this paradigm originate from

safety-critical applications such as the control of nuclear power plants or aircraft control systems and find
new attention for all-electric automotive steering
Fig. 7. Classification of control reconfiguration methods. Projection refers to the choice of a control scheme from a list of predefined
solutions. Learning control denotes a family of approaches from computer science, specifically artificial intelligence with a strong focus on
learning and handling of unanticipated faults. Automatic redesign refers to on-line reconfiguration without reference to predefined solutions.
If the nominal controller is discarded, automatic design is called controller redesign. If it is kept in the loop, the automatic redesign is called
fault hiding.
366
systems without mechanical backup [32]. In such

applications, faults leading to failures potentially cause
catastrophic events. To avoid the latter, conceptually
simple approaches to control reconfiguration are pursued. They usually involve the installation of physically
redundant, identical hardware components, such as
duplicate actuators or sensors. After a component fault
has been detected, a simple decision logic switches the
controller from an impaired to the corresponding
redundant component. This approach is expensive,
since every critical component must be installed at least
twice. The computational effort for the reconfiguration
step is negligible, and this approach works well in
practice. However, this approach is only capable of
exploiting physical redundancy.
The use of physical redundancy is appropriate for
the mentioned domain of safety-critical applications,
however too expensive outside of this domain. This
observation motivates the search for methods that can
exploit analytical redundancy, such as those methods
described below.
3.3. Reconfiguration by Projection to a Known
Scenario
All methods following this paradigm determine the
controllers for the faulty plant prior to plant operation and organise them as banks, from which the
controller that is best-suited to the current fault case is
selected on-line. Each prepared controller should be
robust against uncertainties in the fault model, since
the space of possible faults is usually a continuum,
whereas only a finite number of sample fault cases can
be considered for controller design. Frequently, linear
quadratic regulators are used as bank controllers (see
[3] and references therein).
When a fault occurs, the resulting case is mapped to
one of the pre-computed scenarios, which motivates
the name projection for this reconfiguration paradigm. Both physical and analytical redundancy can be
exploited. The concept is simple, however involves
considerable off-line efforts for the design of various
controllers and on-line effort for the implementation
of all these controllers. Projection is not considered as
an on-line reconfiguration method and, hence, not
further discussed here.
3.4. Reconfiguration by Learning a New Control

Algorithm
In the projection paradigm and most other paradigms,
all relevant faults need to be considered before
bringing the control loop into operation. This may be
too restrictive in practice and has led to the idea of

combining classical control techniques with learning
control methods. Usually, a fast component (e. g.
Kalman filter) is employed to obtain quick estimates
of changing conditions, and a slower learning component is used to store previous knowledge for future
re-use.
The concepts of learning control are closely related
to adaptive control, which also consist of a fast and a
slow loop. Both paradigms, however, differ with
respect to the models used in the slower loops. The
learning techniques make use of neural networks,
expert systems and general problem solvers, while
adaptive approaches usually employ in the slow loop
the same models that are used in the fast loop.
This paradigm is a large topic of its own with a
strong focus on computer science, specifically with
ideas of artificial intelligence. Since this line of research
lies outside the focus of this article, the matter is not
discussed here any further and the reader is referred to
[19, 66] for further details.
In this context it should be mentioned that adaptive
control methods can be readily used for fault accommodation but not for control reconfiguration, because
they aim at changing the parameters of the controller
in order to minimise the distance between the true
loop behaviour and a loop reference model (see [1, 10]
for an example). Adaptive control does not properly
address problems in which alternative inputs or outputs have to be used.
3.5. Reconfiguration by Controller Redesign

This paradigm performs a complete controller
redesign after the detection and identification of a
fault. To facilitate design automation, the desired loop
behaviour is represented by a reference model and the
nominal controller is designed to match the closedloop behaviour with the reference model. In response
to a fault, the same design procedure is followed to
bring the behaviour of the reconfigured closed-loop
system as close to the reference model as possible.
The term reference model is used here in a broad
sense. The closed-loop behaviour can be represented
by quadratic weights for LQ-regulator design or
model predictive control, by eigenvalues, by the
complete eigenstructure, or by a state-space model.
Both analytical and physical redundancy are utilisable by this paradigm. The computational cost varies
according to the specific method. Notably, unlike
most of the other approaches, model predictive control is not limited to linear systems, and naturally
handles constraints, such as actuator saturation [44].
367
However, model predictive control requires the highest on-line computational effort.
3.6. Reconfiguration by Hiding the Fault from the
Nominal Controller
The motivation of this paradigm is best explained by
looking at the faulty plant from the perspective of the
controller. Keeping the nominal controller in the
closed loop unchanged after a fault is desirable for at
least the following three reasons.
First, if the controller is a human being (pilot,
plant operator, etc.), the technical term controller
redesign implies that the human being must be
trained for all possible fault scenarios before operation. Furthermore, the fault occurrence causes a
considerable amount of workload and stress at fault
time. Naturally, the number of fault cases that can be
trained off-line is limited, and the stress load potentially causes new problems arising from inappropriate
decisions. Second, if the nominal controller is automatic, it includes much of the design knowledge
that has been gained in the iterative off-line steps of
its design. It is desirable to keep as much of this
experience as possible even after faults. Third, in the

case of large-scale plants controlled by multivariable
controllers, it is unnecessary to replace the entire
controller, if the faults affect only a small part of the
plant.
Keeping the nominal controller is possible if a
reconfiguration block is added between the former
and the faulty plant that hides the fault effects from
the controller. The reconfiguration block together
with the nominal controller represents the reconfigured controller. From the controller perspective, the
reconfiguration block forms a reconfigured plant
whose behaviour is identical with the nominal behaviour. For a human controller, fault-hiding implies
that the faulty plant may be operated in the wellknown nominal way. For example, a pilot would not
have to figure out which other controls he must use to
compensate the effect of lost actuators, but the
reconfiguration block takes care of that task.
The concepts of controller redesign and fault hiding
are compared in Figure 8.
4. Controller Redesign Approach

Designing a new dedicated controller from scratch
after the identification of faults promises good performance, provided that a suitable controller synthesis
approach is used. Therefore, several redesign methods
have been developed, whose main ideas are presented
in this section together with an evaluation of the
suitability of these methods for completely automatic
reconfiguration. The section concludes with bibliographical remarks.
4.1. Overview of the Model-Matching Approach
This section reviews the basic model-matching idea,
which is common for all approaches of the redesign
paradigm. Model matching is based on a closed-loop
reference model
Fig. 8. Comparison of the controller redesign and fault-hiding

paradigms. Controller redesign (left) discards the nominal controller from the closed-loop system and determines, at reconfiguration
time, a new controller for the faulty plant. The new controller uses
alternative inputs of uf and outputs of yf , if necessary. Fault hiding
(right) keeps the nominal controller in the closed-loop system and
determines, at reconfiguration time, a reconfiguration block. Both
approaches involve an automatic design step, which can be
completed by using one of various possible synthesis methods.
x_ m t Mxm t Nrt
16
yt P xm t;
17
where r(t) is a reference input signal, and N is introduced to guarantee a desired steady state gain. The
closed-loop system formed by system (1), (2) and a
state feedback controller
uc t Kxt Vrt
18
should have the same dynamics as the reference model

(16), (17).
368
When the model-matching approach is used for

reconfiguration purposes, a standard technique consists in using the model of the nominal closed-loop
system as a reference model. In the yaw rate control
example, the reference model has the parameters
0
1
0 1
1
1
0
1
M@ 0
1
0 A; N @ 0 A:
0
0:27 0:13 103
The nominal controller is designed to have the closedloop system match the reference model. In explicit
model following, the difference between the outputs
of the reconfigured plant and the reference model
is minimised in a least squares sense. In implicit model
following, the difference between the faulty and
nominal state innovations are minimised. The goal of
control reconfiguration is to match the reference
model as close as possible after the occurrence of a
fault.
Problem 3 (Reconfiguration by Linear Explicit Model
Following) Given the system (1), (2), a nominal state
feedback (18) and a fault model (7), (8), determine a
new controller
uf t Kf xf t Vf rt
19
such that the conditions

Af Bf Kf M 0;
20
Bf Vf N 0
21
are satisfied.
A zero right-hand side in the conditions (20), (21) is
the ideal goal. In this case, the reconfigured closedloop model equals the nominal closed-loop model in
terms of both its dynamical and input-output behaviour. If these conditions cannot be satisfied, the goal
is to minimise the left-hand sides of the conditions
(20), (21). The approaches discussed below differ with
respect to the reference model features and with
respect to the mathematical tools used for its recovery.
pseudo-inverse matrix, which gives the methods its

name. The following first introduces the basic idea,
which lacks the guarantee of closed-loop stability,
followed by extensions that ensure stability and
required performance.
A fault results in a modified plant model (7), (8).
The goal is to solve Problem 3 such that the right-hand
sides of (20), (21) are minimised in the 2-norm k k2
sense,
min J1
with
J1 k M Af Bf Kf k2
22
min J2
with
J2 k N Bf Vf k2 :
23
Kf
Vf
The solution is given in terms of pseudo-inverse

matrices
Kf arg min J1 B
f Af A BK
24
Vf arg min J2 B

f N;
25
Kf
Vf
where B
f denotes the pseudo-inverse of Bf [6]. The
controller (19) with the matrices Kf and Vf is then
plugged into the closed-loop system instead of the
original controller (Figure 9). In the figure, thick
arrows indicate that the respective block is subject to
changes at reconfiguration time. So far, this method
suffers from the severe problem that the stability of
the reconfigured closed-loop system cannot be guaranteed. In addition, it may even fail to re-establish a
closed-loop system [55].
The stability problem can be addressed by replacing
the unconstrained optimisation problems (22) and
(23) by constrained problems, where the closed-loop
system matrix is required to be stable. The stability
constraint is formulated in terms of the stability
4.2. Pseudo-Inverse Methods for Control

Reconfiguration
The pseudo-inverse method addresses actuator faults
modeled by Bf as well as internal plant faults modeled
by Af. The nominal plant (1), (2) is controlled by
state feedback (18), yielding the closed-loop system
(16), (17), which is used as the reference model. The
reference model is recovered by determining the
Fig. 9. Pseudo-inverse method for control reconfiguration. The

prefilter and feedback gains V and K of the state-feedback control
scheme are re-adjusted to reconfigure the closed-loop system after
faults, resulting in Vf and Kf . Assuring stability and robust
performance with acceptable computational efforts were key
problems with this early reconfiguration approach.
369
robustness of linear systems with structured uncertainty. The modified pseudo-inverse method attains
the stabilisation goal if possible, but is computationally intensive and its on-line applicability is questionable. Details are described in [24].
Further restrictions on the set of admissible solutions were developed to ensure that controllers are
found that satisfy given performance bounds. For
example, in [18, 61] a computationally simpler
approach based on a set of admissible reference
models is described in terms of linear matrix
inequalities (LMI). The admissible set can be chosen
to ensure adequateness and robust stability. The
reconfigurability of a fault situation can be assessed
with respect to that admissible set. This framework
allows to embed the equilibrium and trajectory
recovery goals into a suitable choice of admissible
models.
In this approach, a set of admissible models is
defined as
_ Mxt Nrt
xt
subject to M; N 2 M N ;
with the sets M and N , which are defined by LMI
as in
M fM such that M 0g
N fN such that N 0g:
Necessary and sufficient conditions for the existence
of solutions are given and the solutions are obtained
by non-constrained optimisation. The solutions are
unique and efficiently computable if the regions described by the LMI are convex. The robustness issues
are discussed further in [61].
exactly matching the specified dynamic behaviour

after actuator and internal plant faults. Again, the
nominal closed-loop system (16), (17) is used as a
reference model.
Definition 4 A closed-loop system formed by the system
(1), (2) and the controller (18) provides PERFECT
MODEL FOLLOWING with respect to the reference model
(16), (17), if and only if the relations
A BK M;
BV N
hold.
This approach is illustrated by Figure 10. The reference model T(s) is run in parallel to the faulty plant
and implemented in the controller. The control input
ut ke et km xm t kr rt
26
to the plant consists of the stabilising part with gain ke

and the model matching part with gains km and kr.
The former is chosen to stabilise the output error
dynamics and the latter are chosen to decouple the
output error from the input.
Assume that the relations
Cf P I
27
hold. Then the output error e ym yp is described

by (7), (8), (16), (17), and (26), which yield the
dynamical system
_ Af Bf ke et M Af Bf km xm t
et
N Bf kr rt:
28
4.3. Linear Model-Following Approach to Control

Reconfiguration
Three linear model-following approaches are described in this section. The first one, perfect model
following, uses stabilising feedback with dynamic
compensators. The second one, adaptive model following, applies an adaptive feedback control algorithm consisting of state feedback, a reference prefilter
and an affine term to the faulty plant. In eigenstructure assignment, the nominal eigenvalues and
eigenvectors are recovered after a fault has occurred.
4.3.1. Perfect Model Following
This approach combines the use of a stabilising feedback with the design of a dynamic compensator for
Fig. 10. Perfect model-following method for control reconfiguration. The plant Gs subject to a fault f is controlled after
reconfiguration by the stabilising gain Ke and model-matching
gains Kr and Km . Note that the reference model Ts is an integral
part of the controller.
370
This error model motivates to use a controller where

the gain ke stabilises the matrix
Af Bf ke
and the gains km and kr must decouple the error
dynamics from the model state xm and the reference
input r, respectively. Perfect model following is
obtained for
km B
f M Af
kr
29
B
f N:
30
Perfect model following guarantees closed-loop stability if the pair (Af , Bf ) is stabilisable. The stabilising
gain can be determined, for instance, by pole placement or LQ-design. The bounded-input boundedoutput (BIBO) stability of the closed-loop system is
even assured if the model following is not perfect, due
to the bounded nature of the reference signal r. The
loop output trajectory recovery goal is met if full
decoupling is achieved.
Perfect model following can be obtained only if the
assumption (27) is satisfied and the faulty plant has
the same zero structure as the nominal plant. If new
zeros are introduced by faults, a dynamic component
is needed to compensate these zeros. An extension of
perfect model following referring to this idea shows
that the design of the dynamic compensator turns out
to be computationally demanding, which makes
this approach questionable under real-time constraints [25].
In the yaw control example, the output matrix is not
an identity matrix. Furthermore, the fault introduces
a plant zero at 1, while there were no zeros in the
nominal plant. Hence, the fault in the yaw control
example cannot be handled by this approach.
4.3.2. Adaptive Model Following
In adaptive model following a closed-loop reference
model including the reference signal is recovered by
using a control law of the form
ut K1 txt K2 trt k3 t;
31
K_ 1j t G1j xteT tPbj ;

K_ 2j t G2j rteT tPbj ;
33
k_3j t 3j eT tPbj ;
34
j 1; :::; m
32
(Figure 11), where an adaptive scheme for the gains

K1 t, K2 t, k3 t is used that results in a stable
Fig. 11. Adaptive model following method for control reconfiguration. The controller consists of a static state feedback K1 , a
feedforward pre-filter K2 and an affine source term K3 that are
tuned by an adaption algorithm based on the closed-loop reference
model shown on the bottom of the figure.
closed-loop system and statically tracks the reference

signal [17]. Here, G1;j , G2;j , 3;j are constant matrices,
et xt xm t is the state tracking error, and P is
the solution of the Lyapunov equation
PM MT P Q 0;
where Q QT 0 is some symmetric positive-definite
matrix.
This method covers the blocking of actuators at
arbitrary positions. No assumptions have to be made
about the blocking position, which is an advantage of
this approach over many other methods in the literature. However, adaptive model following prescribes
the use of state-feedback control.
4.3.3. Eigenstructure Assignment
The nominal closed-loop eigenstructure can be considered as the important quantity to be restored after
the occurrence of a fault as proven in [35]. In case of
full state-feedback (18), the eigenvalues i of the
nominal closed-loop system are fully recovered by the
reconfigured feedback law
K S A1 Vf Cf Vf 1 ;
35
where the matrix of eigenvectors is defined by

maxr;m
, and the matrix concerning
Vf v1f ; v2f ; . . . ; vf
eigenvalues is S 1f s1 ; 2f s2 ; . . . ; rf smaxr;m with
parameters si defined in [35]. The closed-loop stability
can be guaranteed, and furthermore the closed-loop
eigenvalues satisfy the equation
f;i Af Bf Kf Cf i
A BKC;
i 1; . . . ; maxr; m:
371
The closed-loop eigenvectors

v f;i f;i I Af 1 Bf KCf vf;i
are recovered as closely as possible. In case of output
feedback, only the most dominant eigenvalues and
eigenvectors are recovered, while the remaining ones
are fixed.
Eigenstructure assignment prescribes static statefeedback or output-feedback as control structure. The
shown basic approach to eigenstructure assignment can
deal neither with faults that result in an order reduction
of the system, nor with cases where nominal closedloop eigenvalues equal post-fault open-loop eigenvalues. The approach lacks robustness properties against
uncertainties in the fault model. Eigenstructure
assignment augmented to include integral action was
applied to the nonlinear model of a pressuriser in [36].
All of these issues are addressed in a recent extension [4]. A modified redesign of a static output feedback controller is given to allow for plant order
reduction and equal pre-fault closed-loop as well as
post-fault open-loop eigenvalues by formulating an
appropriate optimisation problem. If the degrees of
freedom for matching all eigenvalues are not sufficient, a dynamic controller design approach is used.
Robustness is achieved by ensuring the appropriate
alignment of the resulting eigenvectors to minimise the
eigenvalue sensitivity with respect to uncertain plant
parameters by means of a corresponding term in the
cost functional. Sufficient conditions are given for the
possibility to place poles in a prescribed region by
means of static output feedback, which imply that
trajectory recovery is possible.
These algorithms require the solution of a nonconvex global optimisation problem for that the
authors suggest the application of genetic optimisation. Furthermore, there is no a-priori guarantee of
success in placing the eigenvalues inside a specified
target region. In case of a negative result the procedure must be repeated with a relaxed target region.
These properties render the otherwise interesting
approach intractable for on-line use unless the problem can be relaxed to convex problems for specific
problem instances and solved by using more efficient
optimisation techniques.
4.4. Reconfiguration by Optimal Control

4.4.1. LQ-Optimal Redesign
The basic idea of linear quadratic optimal control
[2, 40] is shown in Figure 12(a). Before the plant is
Fig. 12. Optimisation approach to control reconfiguration by

controller redesign. In LQ-optimal redesign, the nominal performance weights Q and R are used to re-synthesise the control law for
the faulty plant. In model predictive control, the plant model is
updated to reflect the fault, for example, by adding constraints on
actuator variables.
put into operation, a linear time-invariant controller

is designed off-line using LQ-optimal design according to the optimisation goal
Z 1

xtT Qxt utT Rut dt:
36
min
K
The positive semi-definite weighting matrix Q penalising the state error and positive definite weighting
matrix R penalising control energy are stored for later
on-line reuse. After a fault is identified, a new controller is designed by recalculating the state feedback
using the model (7), (8) of the faulty plant and the
nominal weights Q, R, where Pf is the solution of a
matrix Riccati equation
K R1 BTf Pf
37
0 ATf Pf Pf Af Pf Bf R1 BTf Pf Q:
38
If the faulty plant is controllable, a controller is found

that solves the control problem with respect to the
original weighting in the optimal way, and the stabilisation goal is attained. Although neither the equilibrium nor the trajectory recovery goal are pursued
explicitly, gross violations of either goal are penalised
by the performance functional (36).
The main drawback of this method lies in completely discarding the nominal controller. Although
some information about the nominal case is retained
in the weights Q and R, the relation between those
nominal weights and the reconfigured closed-loop
performance is generally unclear. In particular, due to
fine-tuning during nominal controller design, the
adequateness of those weights for the faulty plant is
doubtful. There are also numerical issues to be considered. The matrices Bf and Cf should have full rank
372
in LQ-optimal regulator design in order to avoid

numerical singularities. However, these matrices
rarely satisfy this restriction after faults [43], and
model reduction steps become necessary in general.
4.4.2. Reconfiguration by Model Predictive Control
Model predictive control (MPC) is capable of solving
the reconfiguration problem with little extra effort
compared with control of the nominal plant [44, 54].
A basic model predictive control scheme generates at
each discrete time step an optimal sequence of control
inputs uk::kHu for the control horizon Hu with respect
to the predicted output error trajectory (Figure 12(b) ).
The input is calculated to minimise a cost function
Vk
Hp
X
k rk i yk i k2Q
iHr
H
u 1
X
39
k uk i k2R
i0
subject to constraints
G1 uk 0
G2 uk 0
40
41
G3 yk 0
42
where k x k2Q : xT Qx; Q QT 0, k x k2R : xT Rx;

R RT 0 impose weights on the state and input,
and u describes the change in control action from
one instant to another. G1 , G2 , and G3 are matrices
used to express constraints on the input change u,
the absolute input magnitude u, and the outputs y as
linear inequalities. Over the finite-time horizon subject
to the plant dynamics and constraints, the obtained
solution of the optimisation problem is a control input
sequence uk::kHu minimising that error. The horizons
for input and output penalty,Hp, Hu, need not coincide, and the output is frequently penalised not from
the beginning, but after time Hr. Only one step of the
input sequence is applied to the plant, which generates
the next output measurement, and the optimisation is
repeated.
To achieve control reconfiguration after fault
identification, the internal plant model of the MPC
is updated to reflect the faults. Faults are usually
expressed by additional inequality constraints (rate
limits, position limits), which already form an integral
part of the control approach. By that way, all kinds of
redundancy can be exploited, and the plant can be
stabilised if it is detectable as well as stabilisable with
the fault.
MPC is not limited to linear plants. Nonlinear and

even hybrid plants can be handled in principle, thus
also reconfigured by means of MPC. The major
drawbacks concern the high computing power
requirements that practically limit the applicability of
this method to slow plants and the requirement to
know the reference trajectory ahead of time, which
limits the applicability to recipe-like domains.
A relaxation of the on-line computational
requirements for MPC results from multi-parametric
extensions to model predictive control (see the
survey [48] for an introduction). In this approach,
the reference input is included into the optimisation
problem as a free parameter. The result is a controller in the form of an easily implementable lookup table. Consequently, the reference trajectory
needs no longer to be known a-priori. The practical
applicability depends on the allowable time-toreconfigure.
Chemical process control applications are frequently governed by slow nonlinear processes, which
is the reason why MPC is rooted and frequently used
within this domain.
4.5. Evaluation of Reconfiguration by Control

Redesign
Controller redesign is based on control synthesis
methods that have been developed for use by design
engineers. These methods are modified so that they
can be used on-line without the usual iterative engineering design cycle. Notably, predictive control also
handles system classes beyond linear systems.
However, there are two difficulties associated with
completely discarding the nominal controller and
designing a reconfigured controller for the faulty plant
from scratch. The first issue arises from the mentioned
iterative nature of manual controller design. The
controller structure and parameters contain more
information than can be coded into single-step synthesis parameters. In practice, the nominal controller
is a result of human inspection of the closed-loop time
responses and repetitive use of automated design
algorithms. This procedure cannot be repeated on-line
at fault-time.
Secondly, certain problem formulations of linear
control design turn out to be more suitable for automatic application than others. For example, the target
pole regions during pole placement are not a practically suitable specification for automatic design.
Design parameters with a closer relation to the time
response tend to yield better results.
373
These difficulties have led to the development of the

fault hiding paradigm, which retains the nominal
controller in the closed-loop system. This paradigm is
explained in the next section.
4.6. Commented Bibliography on Controller Redesign
The pseudo-inverse method was the first systematic
approach to control reconfiguration after actuator
faults [14]. Its origin lies in the domain of aircraft
applications. Surprisingly, in its original formulation,
the stability of the resulting closed-loop system is not
guaranteed, and it is limited to state feedback control.
The lack of stability guarantee was removed by Gao
and Antsaklis in an influential publication, presenting
the modified pseudo-inverse method [24]. Further concerns regarding the robustness of the obtained solution were addressed by Staroswiecki in the admissible
pseudo-inverse method [61], where constraints on the
closed-loop system behaviour are expressed as linear
matrix inequalities. The latter extended approach was
applied to a numerical example in [18].
Three approaches termed as linear model following use a similar methodology. A method for perfect
model following was developed by Gao and Antsaklis
in [25]. Recently, a variation using adaptive model
following was published by Chen et al. [17]. Another
adaptive approach is reported by Bodson and
Groszkiewicz [10], where several approaches to
adaptation are compared with a focus on dealing with
unanticipated faults. Variations are discussed regarding direct versus indirect controller adaptation, and
schemes based on the output error versus the input
error. An approach based on the eigenstructure
assignment of the reconfigured closed-loop system was
introduced by Jiang [35] and generalised by Ashari
et al. [4]. Implicit model following is a further method,
where the error between the reference model and the
reconfigured closed-loop system is minimised, as
detailed by Huang and Stengel [28].
Further linear model following approaches exist,
which are not discussed further in this article. The
generalised plant transfer function of the faulty plant
is matched to that of the nominal plant by an H1
criterion by Jonckheere and Yu [37]. The solution
is tested using a linear aircraft model. Two approaches
based on optimal control concepts depend on LQregulator design or model predictive control. LQregulator design was used by Looze et al. [40], and
more recently by Staroswiecki et al. [64]. Model predictive control was taken as a basis for control
reconfiguration by Maciejowski and Jones [45], and
Kerrigan et al. [39, 70].
5. Fault Hiding Approach

This section reviews the reconfiguration paradigm
that allows to keep the nominal controller in the
reconfigured closed-loop system, thus preserving the
design knowledge it contains after control reconfiguration.
First, the basic idea of fault-hiding is introduced,
followed by a discussion of virtual sensors and virtual
actuators, that achieve fault-hiding after sensor or
actuator faults and failures, respectively. The section
closes with bibliographical notes.
5.1. The Idea of Fault Hiding
The key idea of the fault-hiding paradigm of control
reconfiguration is to place a reconfiguration block
between the faulty plant and the nominal controller in
order to hide the fault from the controller (Figure 13).
From an implementation-oriented viewpoint, the
reconfiguration block is part of the reconfigured
controller. The reconfiguration block is connected to
all accessible sensors and actuators of the plant
through the signal vectors uf and yf, which include
those signals that are not used by the nominal controller. The fault-hiding goal is accomplished by rerouting the signal paths from the nominal controller
through the faulty plant and back to the controller by
means of the reconfiguration block. The nominal
controller is connected to the reconfiguration block by
means of the signals uc and yf.
For the purpose of designing the reconfiguration block, a different perspective is helpful. The
Fig. 13. Control reconfiguration from a fault-hiding perspective.

Fault-hiding is accomplished by introducing a reconfiguration
block such that the reconfigured plant has the same I/O behaviour
as the nominal plant with respect to the inputs uc and d and the
output yc or yf , respectively.
374
reconfiguration block connected to the faulty plant is

viewed as the reconfigured plant. The fault-hiding goal
is satisfied if the input/output (I/O) behaviour of the
reconfigured plant is identical to the I/O behaviour
of the nominal plant for a suitable initial state of
the reconfiguration block (Figure 13). The original
closed-loop-related reconfiguration goals described in
Section 1 are replaced by the following plant-related
goals as follows.
Stabilisability goal. The reconfigured plant should
be stabilised by the nominal controller.
Equilibrium recovery goal. The static I/O relation
of the reconfigured plant with respect to the input
uc, the disturbance d, and the outputs yf should be
the same as the static I/O relation of the nominal
t !1
plant: for all uc(t) ut : y(t) yf (t) ! 0.
Output trajectory recovery goal. The I/O behaviour of the reconfigured plant with respect to the
input uc and the disturbance d and the control
outputs yf should be dynamically the same as the
I/O behaviour of the nominal plant: for all uc(t),
d(t), t > 0 : y(t) yf (t) 0.
State trajectory recovery goal. The state trajectories of the faulty plant inside the reconfigured
plant and of the nominal plant should be identical
for all initial states and inputs: for all uc(t), t > 0:
x(t) xf (t) 0.
The state trajectory recovery goal is rather strong.
However, it is interesting to see under what conditions
this goal can be satisfied.
For linear systems, the plant-related goals are
equivalent to the closed-loop-related goals. For the
stabilisation goal of the reconfigured closed-loop
system, the stabilisation goal of the reconfigured plant
is necessary and sufficient. Equilibrium recovery of
the plant is equivalent to having the closed-loop
system meet the loop equilibrium recovery goal.
Further, the loop trajectory recovery goal is met if and
only if the reconfigured plant recovers the I/O behaviour of the nominal plant. The latter insight implies
that the reconfigured closed-loop system behaves
exactly like the nominal closed-loop system from an
exterior viewpoint.
The attainability of the stabilisation goal can be
directly derived from the fault-hiding principle for
linear time-invariant systems. It is attainable if and
only if the pair Af ; Bf is stabilisable and the pair
Af ; Cf is detectable [65]. No weaker goal is practically admissible. The attainability conditions for the
other goals are stated below within the contexts of the
virtual sensor and virtual actuator for sensor and
actuator faults and failures.
5.2. Reconfiguration after Sensor Failures:

The Virtual Sensor
The virtual sensor is a reconfiguration block R that
hides multiplicative sensor faults modeled by a
modified output matrix Cf . Its properties are only
briefly sketched, since it is essentially a state observer.
The virtual sensor is defined by the equations
x^_ t A x^t Buc t Lyf t; x^0 x^0 43
yc t C x^t Pyf t
44
uf t uc t
45
where
A : A LCf
46
C : C PCf
47
(Figure 14). It consists of a state observer for the

faulty plant, the output map C , a feedthrough P, and
an identity throughput at the input. Once the state is
estimated, the reconstruction of the closed-loop
output is straightforward. The stabilisation goal is
attainable if and only if the pair A; Cf is detectable.
In this case, the virtual sensor satisfies all reconfiguration goals. The state trajectory recovery goal is
met with the exception of the faulty sensor state,
Fig. 14. Control reconfiguration after sensor faults by means of a

virtual sensor. The virtual sensor consists of a Luenberger-type
state observer that reconstructs the plant state x^ using the faulty
measurements. The free design parameter L is chosen to stabilise
the pair AT ; CTf . The reconstructed state x^ together with the faulty
measurement yf are used to determine the nominal measurement yc
by means of the matrix C , which is fed back to the nominal
controller.
375
which cannot be recovered, but the physical quantity

to be measured is recovered. Disturbances are rejected in the same way as in the nominal closed-loop
system.
In the model of the faulty plant, only the matrix C is
changed to Cf . After attaching the virtual sensor to the
faulty plant and introducing the new state vector
et x^t xf t, the combined state equations for
the reconfigured plant become

0
xf t
A
et

Bd
B
dt
uc t
Bd
0

x~0
x0
x^0 x0
e0
x_ f t
_
et
A
0
and the virtual sensor (43)(45) form the reconfigured

closed-loop system
1
0
1 0
xf 0
xf 0
@ xc 0 A @ xc0 A
49
x^0
x^0
yf t
yc t
Cf
PCf
0
0
0
C
1
xf t
@ xc t A
x^t
50
It is straightforward to verify the closed-loop separation principle by introducing the state et x^t
xf t into Equations (48), (50).
5.3. Reconfiguration after Actuator Failures:
The Virtual Actuator
yc t Cxf t C et:
5.3.1. Structure of the Virtual Actuator

This model shows the success of reconfiguration. Due
to the well-known separation principle, the model
has two parts. The first state equation concerning xf
shows that the reconfigured plant behaves exactly like
the nominal plant, including the disturbance influence. Its eigenvalues are determined by the matrix A of
the nominal plant, and it is driven by the input uc
through the nominal input matrix B. The fault is
hidden asymptotically, unless the initial state x0 is
precisely known.
The error system with the difference state e is
autonomous and designed to be stable. The initial
observer error is non-vanishing, because, in general,
the initial state x0 is not precisely known. Hence, the
error vanishes asymptotically and the fault-hiding
goal is asymptotically satisfied. Its poles are assigned,
and determined by the matrix A LCf . The feedback
gain L ensures that the error signal asymptotically
vanishes. The reconfigured output equals the nominal
output once e has vanished. The feedthrough gain P
does not affect the error system stability. A good
heuristic choice for P is, for example, P Ir , where
the rows corresponding to faulty sensors should be set
to zero. The feedthrough gain P can also be used to
systematically decouple the output yc from constant
disturbances d.
The faulty plant (7), (8) together with the linear
controller (3), (4) in output regulation form (5), (6)
1 0
A BDc PCf
x_ f t
@ x_ c t A @
Bc PCf
LCf BDc PCf
x^t
0
BCc
Ac
BCc A
The virtual actuator is a reconfiguration block R

used to hide multiplicative actuator faults modeled by
a modified input matrix Bf . Contrary to its dual, the
virtual sensor, the virtual actuator R is a new concept
for control reconfiguration [65]. It is defined by the
equations
x_ t A x t B uc t;
uf t Mx t Nuc t
x 0 x0 51
52
yc t Cx t yf t
53
Where
A : A Bf M
B : B Bf N
54
55
(Figure 15). The degrees of freedom for its design

consist in a feedforward matrix gain N and a feedback
matrix gain M. Both gains are chosen by means of
different techniques according to the attainable goals,
as described below.
The virtual actuator reduces to a static input correction block if the matrices M and B are set to zero.
If the state trajectory recovery goal is attainable and N
is designed accordingly, the relation B 0 holds and
the integrator of the virtual actuator never leaves the
origin and can be omitted in the implementation. If
10
1
1 0
0 1
BDc C
Bd
BDc
xf t
Bc C A@ xc t A @ Bc Art @ 0 Adt
BDc C
BDc
x^t
0
48
376
Fig. 15. Control reconfiguration after actuator faults by means of a

virtual actuator. The state x of the virtual actuator tracks the state
error between the nominal and faulty plants resulting from the
actuator fault. By means of the feedback M, the plant is stabilised.
A static feedforward block N ensures quick reaction to control
commands and is further used to achieve the equilibrium or
trajectory recovery goals.
B 6 0 holds, then the output is corrected to ensure

fault-hiding.
5.3.2. Analysis of the Reconfigured Plant
For the analysis of the reconfigured plant, the virtual actuator (51)(53) is combined with the plant
(7), (8), where only the input matrix Bf is faulty, and
all other matrices are nominal. After the state
transformation

xf t
I I
x~t
;
x t
0 I
x t
|{z}
T
1
with T
I I
0 I

56
the combined state equations for the reconfigured

plant become
!

x~t
B
A 0
x~_ t
uc t
x t
B
0 A
x_ t

Bd
dt
57
0
x~0
x 0
x0 x0
x0

58
Fig. 16. Analysis of the reconfigured closed-loop system. The

difference system is decoupled from the reconfigured plant. After
transformation, it is apparent that the fault is contained in the
autonomous difference system that is excited by the control
input but converges to the origin if it is not excited. The
reconfigured plant is decoupled from the difference system showing
that the reconfiguration is successful.

yc t C 0
x~t
x t

59
This model shows that, like for virtual sensors, a

separation principle holds for the reconfigured plant.
The first state equation concerning x~ shows that the
reconfigured plant model seen by the controller equals
the nominal plant model if x0 0 is chosen. The first
subsystem has the eigenvalue set A and it is driven
by the input uc through the nominal input matrix B.
The disturbance influence is nominal.
The second part concerns the state
x t xt xf t;
which, according to Equation (56), describes the
deviation of the state xf of the faulty plant from the
state x of the nominal plant. The difference system
has no connection to the control output yc . The
difference system is, therefore, structurally unobservable from the controller (Figure 16). Hence, the
fault-hiding goal is satisfied for x0 0. The difference system poles, which are given by
A Bf M, are assigned by appropriate choice of
the feedback gain M. Any state feedback controller
synthesis method is applicable for this task, such as
pole placement or LQ-design. If x0 0 holds, then
the transformed state x~ of the virtual actuator is
decoupled and equals the nominal case, see Equation (58).
In combination with the general linear feedback
controller (3), (4) in output regulation form (5), (6),
the reconfigured closed-loop system becomes
377
1 0
10
1 0
1
A Bf NDc C Bf NCc Bf M NDc C
xf t
Bf NDc
x_ f t
C B
CB
C B
C
B
Bc C
Ac
Bc C
A@ xc t A @ Bc Art
@ x_ c t A @
x_ t
B Cc
A B Dc C
B Dc
B Dc C
x t
1 0
1
0
0 1
x0
xf 0
Bd
C B
C
B
B C
@ 0 Adt; @ xc 0 A @ xc0 A
x0
0
x 0
0
yf t
yc t
C
C
0
1
x t
0 0 @ f A
xc t :
0 C
x t
61
The closed-loop separation principle is easily obtained

from Equation (60) by means of the transformation
(56). The fault-hiding and separation properties of the
virtual actuator do not depend on any specific controller [65]. Any arbitrary, even nonlinear, controller
can be used. However, the linear controller simplifies
the analysis of the reconfigured closed-loop system.
The virtual actuator handles multiplicative faults.
In addition, blockage off the operating point is handled as well, if the nominal closed-loop system rejects
constant disturbances, as shown in [57].
5.3.3. Design of the Virtual Actuator
This section summarises design approaches for the
reconfiguration goals stated above for actuator faults.
Lemma 5 (Stabilising virtual actuator [65]) The fault
hiding and stabilisation goals are attainable for the
faulty plant (7), (8), if and only if the pair A; Bf is
stabilisable. The reconfigured plant (57), (59) containing the virtual actuator (51)(53) satisfies the
stabilisation and fault hiding goals for x0 0, if a
stabilising gain M is determined using any state feedback synthesis approach.
The attainability condition mentioned in Lemma 5
means that the faulty plant must not contain any fixed
unstable pole.
The feedforward gain N may be arbitrarily chosen
for achieving the fault hiding and stabilisation goals,
where N I and N 0 are reasonable choices. The
former choice quickens the effect of healthy actuator
signals that would otherwise have to pass the virtual
actuator integrator. The matrix N adds a degree of
freedom that can be used systematically and independently of the stabilising step for designing M to
achieve steady state tracking (equilibrium recovery
goal). The following considerations summarise the
attainability of the equilibrium recovery goal and the
design of the virtual actuator for that case.
60
Consider the virtual actuator state (51). The steady

state tracking error between the nominal plant and the
reconfigured plant is obtained from setting x_ 0,
uc :
y C x CA Bf M1 B Bf N
For the equilibrium recovery goal, this error must
vanish for arbitrary constant inputs uc : y 0. The
goal is attainable after actuator faults if and only if

A Bf B
A Bf
rank
62
rank
Cz 0
Cz 0 0
holds. The solution is then given by
N CA Bf M1 Bf y CA Bf M1 B;
63
where y denotes the right-inverse.

Lemma 6 (Setpoint-tracking virtual actuator [65]) The
equilibrium recovery goal is attainable for the faulty
plant (7), (8), if and only if Condition (62) is met. The
reconfigured plant (57), (59) containing the virtual
actuator (51)(53) solves the equilibrium recovery
goal, if M is designed as in Lemma 5, and the feedforward gain N is chosen as in Equation (63).
Another approach to achieve setpoint tracking consists in adding one new integrator per output to the
virtual actuator whose outputs are added on the input
uf in order to get setpoint tracking for the relevant states
[65].
The trajectory recovery goal is attainable after
actuator faults by using the static input reconfiguration block
uf t Nuc t
64
if and only if the condition

im SO B
im SO Bf
65
is satisfied, where SO denotes the observability matrix

of the nominal plant. The feedforward gain N is
obtained from the equation
N SO Bf SO B:
66
378
This approach is called Markov-parameter matching

because the rows of the matrix SO B constitute the
Markov parameters of the nominal plant.
static block (64). If Condition (67) is not met, the

pseudo-inverse solution (68) directly provides an
approximation [24].
Lemma 7 (Static trajectory recovery [55]) The trajectory recovery goal is attainable for the faulty plant
(7), (8) using the static input reconfiguration block
(64), if and only if Condition (65) is met. The reconfigured plant (7), (8), (64) solves the trajectory recovery
goal, if and only if N is designed as in Equation (66).
Example. In the yaw control example, after the rudder

failure the attainability conditions (62)(65) are all
satisfied. Hence, all goals are attainable with the
exception of the state trajectory recovery goal.
The design of a stabilising virtual actuator by pole
placement with target poles T 20; 21; 22
results in the feedback gain

0 0
0
M
;
0 3:1 323:1
holds for all frequencies s. To this end, the reconfiguration problem is reformulated as a disturbance
decoupling problem. The reconfiguration algorithm is
reported in [42, 65], where the disturbance decoupling
problem is solved using techniques from geometric
systems theory [5, 71].
The state trajectory recovery goal is attainable after
actuator faults by means of a static block (64) if and only if
im B
im Bf
67
holds. The matrix N realising that goal is obtained

from the equation
N B
f B:
68
If Condition (67) is met, Solution (68) recovers the

forcing action on the state. The difference state is
not excited and the virtual actuator reduces to the
which shows that especially deviations of the yaw rate

from their nominal trajectory are fed to the differential thrust input. Subsequent computation of an
equilibrium-recovering feedforward gain (63) results
in the feedforward gain

0 0
N
:
8:2 1
Now consider the application of the feedforward
reconfiguration block (64) without the virtual actuator dynamics. The application of Solution (66) to the
yaw control reconfiguration example (12)(14) leads
to the solution
0
1
0
0

0
0
0
B
C
0:13 A
N
@ 0:27
0 3:73 3:73
0:27 0:13

0 0
;
2 1
If Condition (65) is violated, the trajectory

recovery goal is attainable using the virtual actuator
if and only if

rank Gf s rank Gs Gf s
Fig. 17. Behaviour of the reconfigured aircraft yaw control loop after rudder failure. The virtual actuator is designed by two different
methods, which aims at the stabilisation with subsequent equilibrium recovery (left axes) or the Markov-parameter recovery (right axes). The
actual plant-related signals are shown in black, whereas the controller-related signals are shown in grey. Rudder motion is shown in solid,
differential turbine thrust in dash-dotted.
which shows that the first rudder input is correctly

redirected to the second differential thrust input
with a factor two. Figure 17 shows the behaviour
of the reconfigured closed-loop system. The stabilising approach with equilibrium recovery (left
axes) reaches the same setpoint, but a small difference between the fault-hiding signal yc and the
true yaw rate yf is visible in the transient phase. In
contrast to this, the Markov-parameter approach
(right axes) achieves the trajectory recovery goal,
as seen by agreement between the black (plantrelated) and grey (controller related) yaw rate
signals.
379
5.4. Experimental Evaluation: Reconfiguration of a

Thermofluid Process after Actuator Failures
To illustrate the function of the virtual actuator,
experimental results from a laboratory application are
described in this section. The chemical pilot plant
VERA at the Institute of Automation and Computer
Control in Bochum (Germany) was used for the
reconfiguration experiments (Figure 18).
A thermofluid process (Figure 19) that requires the
regulation of fluid level lTS , fluid electrical conductivity TS and fluid temperature #TS to given setpoints
was implemented. This continuous flow process
Fig. 18. Chemical pilot plant VERA. The plant consists of standard industrial components and contains 64 sensors as well as 82 actuators.
The automation equipment includes industrial programmable logic controllers, which provide safety interlocks, subordinate control loops
and an interface to the rapid prototyping environment MATLAB/Simulink.
380
Fig. 19. Flow scheme of the thermofluid continuous-flow process

realised on the pilot plant VERA. Cold non-salty water is
continuously blended with salt concentrate in the container TS.
The temperature, fluid level, and electrical conductivity in the
container TS are controlled by decentralised nominal control loops.
Failure of the control valve input uTB , the heater input uel;TS , or the
pump input uPS break one of the control loops. Reconfiguration
must automatically and adequately use the redundant components
to bring the control loop back into operation.
results from continuously blending warm salt concentration from the supply tank TB with salt-free
water at room temperature from the cold water supply
CW. The goal variables are controlled by manipulating the supply valve uTB , heater uel;TS and pump uPS by
means of decentralised control loops.
Three actuator fault scenarios were considered for
testing the virtual actuator, namely the failure of the
control valve uTB , the failure of the heater uel;TS , and
the failure of the pump uPS . All failures mean blocking
of the component at the operating point.
The process contains redundant components. The
cold water supply is kept at a constant flow rate in the
fault-free situation. However, the flow setpoint uCW
for its subordinate control loop is available as a free
plant input. In addition, the heater uel;TB in the supply
container TB is a manipulable input. The spare supply
container TM serves as a backup supply in case the
valve to the tank TB fails. The container TM holds the
same substance as the tank TB and is accessed
through the control valve uTM .
A linearised model (1), (2) for the entire plant,
including redundant inputs and components, was
derived from a nonlinear plant model at the desired
setpoint used as the operating point by means of
linearisation [57]. Fault models (7), (8) were obtained

by suitably modifying the input matrices Bf for all
three fault cases.
The successful use of the static reconfiguration
block (64) for trajectory recovery is shown in Figure
20. The output trajectories are recovered for all output
signals up to slightly increased oscillations, where the
nominal scenario is not shown separately because it
gives nearly the same response. The reconfiguration
process was fully automated and required no human
intervention at reconfiguration time. The solution was
found on the basis of the linear plant model.
The solution also shows the effects of nonlinearities
in the plant that are not captured by the linear model.
Relevant effects are actuator saturations, dead zones
and actuation range quantisation. Especially, the
effects of saturations are visible in the figure. The
heater uel;TS repeatedly reaches its limits 0 and 1. This
effect leads to the mentioned oscillations, which have
slightly larger magnitudes than in the fault-free case.
The linear theory makes no statements about the
effects of saturations and other nonlinear phenomena.
Table 1 summarises the shown results and further
experimental results not reported here by stating the
fault scenario together with the analytical attainability
of each goal by Conditions (62), (65). In addition, the
practical success of reconfiguration on the real plant is
given. On the one hand, the good agreement shows
that the attainability conditions are adequate and that
the virtual actuator is practically useful, if the plant
remains close enough to the equilibrium point used for
linearisation. On the other hand, the discrepancy in
certain cases shows the limits of the purely linear
theory if substantial nonlinear phenomena, as mentioned, become effective. In particular, the mentioned
saturation effects are more pronounced than in the
given example in some fault scenarios.
5.5. Commented Bibliography on Fault Hiding

The fault-hiding paradigm was first used in a
loose sense by Looze et al. [40] and introduced as a
strict conceptual basis for a family of reconfiguration
approaches for sensor and actuator failures by
Lunze and Steffen [42, 65], where the loop-related
reconfiguration goals were also transformed into
plant-related goals. Lemmas 5 and 6 have been proven
in [65].
The authors have extended the virtual actuator
concept by new design approaches and put it into
relation with model following concepts [41, 58]. The
problem of attaining the trajectory recovery goal
using a static reconfiguration block was given special
381
Fig. 20. Output and input trajectories of thermofluid process with valve failure uTB at tf 340 s and reconfiguration at tr 350 s. A
reference step of TS 0:15 mS/cm was issued at t 300 s. Control reconfiguration is achieved by a static reconfiguration block that was
designed for trajectory recovery. The trajectories show that the setpoints are reached, hence the reconfiguration goal is achieved. The inputs
are shown twice: black curves correspond to controller commands uc , grey curves to the inputs uf of the plant. The valve uTB blocks at its
operating point (right figure in 4th row). After reconfiguration at t 350 s, the valve uTM is used, which was inactive before the fault (left
figure in 4th row). In addition, manipulation of the input uPS to the pump and the input uel;TB to the heater in TB are observed.
Table 1. Analytical (left) and practical (right) attainability of the stabilisation, equilibrium
recovery, and trajectory recovery goals. This table refers to practical reconfiguration
experiments conducted on the chemical pilot plant VERA. It shows the prediction of
reconfigurability in the sense of the goals (right) and the practical success with respect to that
goal. The scheme shows good agreement between the criteria and practice for stabilisability,
but reveals the tests inadequateness in general.
Goal
Stabilisation
Equilibrium recovery
Trajectory recovery (static block)
f1
pp
/
pp
/p
/
f2
p p
/
p
/
p
/
f3
pp
/
p
/
/
382
attention. A dual approach for sensor faults has been

given in [55], and the robustness of the design with
respect to slight violations of goal attainability conditions has been discussed in [58]. Furthermore, the
reconfiguration problem for Hammerstein systems
was solved by an extension of the virtual actuator
concept based on the fault-hiding principle. In particular, a stabilising synthesis method is provided for
the important class of saturated systems [56].
The virtual actuator was applied to a two-degreeof-freedom helicopter model [43], to a laboratory
two-tank system [65] and recently to a thermofluid
process [57].
6. Related Topics and Extensions

In this section, fault-tolerant control in a broader
perspective and several different but related topics and
approaches that concern dependability of controlled
systems are outlined.
6.1. Building Dependable Systems
It was noted in the introduction that control reconfiguration is one building block of active fault-tolerant
control. FTC denotes the general field of automatic
control that aims at creating closed-loop systems with
increased dependability compared to systems under
standard control. The following clarifies the basic
terminology used to characterise dependability.
Different terms describe system properties that are
related to fault tolerance [8]. A system is said to be safe
if faults cannot lead to dangerous situations. It is said
to be reliable if it can fulfill its function without
interruption for a specified period of time. Hence,
reliability is a statistical property and reliability analysis is concerned with failure probabilities. Availability expresses the fraction of time that the system
under consideration is operational when needed. In
contrast to reliability, availability also depends on
maintenance strategies. A dependable system is a safe,
reliable and highly available system. These notions are
used in dependability analysis of technical systems,
however they do not tell anything about how to
respond to a specific fault at plant operation time.
If an irregularity occurs during the operation of a
system, one of several possible actions is taken,
depending on its severity. Minor plant changes such as
worn brushes in electric DC motors require no immediate action, since they are accommodated by robust
control. In this case, repair can be postponed to
maintenance. On the other hand, if an irregularity
considerably affects the safety or reliability of the

plant, actions ranging from transfer to a safe operation
mode to complete plant shutdown may be necessary.
Control reconfiguration is such an action, which aims
at postponing the necessary plant shutdown by maintaining the plant in a safe and reliable condition.
6.2. Further Approaches to Fault-Tolerant Control
Fault-tolerant control describes techniques for
adapting controllers of closed-loop systems to faulty
plants [21, 5153] by using the available redundancy
(Figure 21). It aims at preventing component faults,
component failures or subsystem faults from causing a
system failure. Passive FTC denotes techniques to
make the controller tolerate a set of possible faults,
such as by means of robust control [78], by using the
integrity property [15, 23, 26, 59], by reliable H1 design [73], or by simultaneous stabilization [9, 67].
Once operational, the closed-loop system need not be
changed to respond to a fault. However, as known
from robust control, the set of faults that can be tolerated without active controller re-adjustment is
severely limited.
Active FTC denotes techniques to achieve fault
tolerance by changing the closed-loop system after
fault-time. All methods explained in this paper belong
to this class. Fault diagnosis seeks to find out whether
the plant is subject to a fault and to identify the fault
[8, 31]. Monitoring denotes system supervision by
analysis of the measurable variables. Analytic
redundancy relations are used to determine whether
systems meet the nominal constraints or not.
Controller re-design methods, which match the
controller to the faulty plant, are classified into the
following two groups. Fault accommodation is applicable whenever adaptation of the controller internals
(dynamic order, parameters) is sufficient for satisfying
Fig. 21. A classification of controller re-adjustment methods. In

passive approaches, the nominal controller is designed in order to
tolerate a set of possible faults without any re-adjustment, whereas
active approaches change the closed-loop system. Reconfiguration
adapts the closed-loop structure and the controller parameters,
whereas fault accommodation methods change the controller but
retain the structure of the closed-loop system.
383
the requirements on the closed-loop system with the

faulty plant. The controller uses the same measurements and control inputs to the plant as before the
fault. Control reconfiguration also changes the closedloop structure in response to the fault. After reconfiguration, the signals measured and manipulated by the
controller and the controller internals are adjusted to
the fault [8]. Control reconfiguration is the most
powerful and difficult approach to active control
re-adjustment, which aims at preventing faults and
malfunctions from turning into system-level failure.
6.3. Open Problems in Control Reconfiguration
Since fault diagnosis is not the focus of this article, it
has been assumed that the diagnostic task was already
solved. In applications, however, the interplay between
fault diagnostic and reconfiguration approaches poses
intricate problems both from a theoretical and from a
practical viewpoint. Problems are caused by missed,
delayed, and wrong fault detection, as well as by false
alarms [36, 76, 77].
While the problem of joint diagnosis and reconfigurable control has not yet been solved, some preliminary work on the topic is available. The effect of
delayed fault detection was explicitly considered in [64].
A very complex approach that models both the fault
processes and the diagnosis component as Markov
chains is shown in [46], where a stochastic stability
notion is defined and state-feedback controllers are
designed that maximise the probability of stable
operation. A similar approach was recently presented
that considers detection delay and results in output
feedback controllers [68]. An H1 -based reconfiguration approach that takes into account uncertain fault
models is reported in [38].
For nonlinear systems, few approaches have been
developed that qualify as control reconfiguration
methods by the above definition. The extension
to nonlinear dynamical systems is of paramount
importance, since faults usually take the plant outside
the validity of linearised models. When enlarging the
scope to include accommodation techniques, a few
approaches have been reported [11, 12, 33, 75]. In
hybrid systems, few approaches for special switching
schemes are available, for example [74]. Certainly, the
development of realistically applicable fault-tolerant
control approaches that take into account nonlinear
dynamics, as well as the integrated analysis and synthesis of diagnostic systems and fault-tolerant controllers remain the current frontier of fault-tolerant
control. The nonlinear model-matching might be a
suitable conceptual basis for the development of new
nonlinear fault-tolerant control approaches [29].
It is furthermore desirable to know a-priori the

achievable control goals for a given faulty system. In
particular, it is valuable to characterise the class of faults
that permit a recovery of some nominal closed-loop
performance. These ideas have led to the development
of reconfigurability notions, where reconfigurability
should be interpreted as a system property, quite similar
to the well-known concepts of controllability and
observability. The notions developed so far are based on
structural considerations [7, 27, 62, 63, 65], [8 Chapter
5], and on energy considerations [60, 72]. In practical
systems, however, the actuation limitations typically
represent the true problem. Further work on the topic is
hence necessary.
7. Conclusion
This article has presented the state of the art in the
field of control reconfiguration, which handle component failures in addition to faults that change
component characteristics. Several approaches have
been explained and evaluated. The focus of this article
was on automatic redesign approaches that enable
autonomous reconfiguration at fault time, which is a
crucial requirement in most practical applications,
since the combinatorial effort of off-line pre-designing
fault-case specific controllers is often overwhelming.
In conclusion, the linear reconfiguration framework
provides basic and fundamental insight into the feasibility and applicability of control reconfiguration.
This linear framework is, however, not sufficient for
solving practical problems that are governed by nonlinear dynamics. These observations motivate the
further exploration of nonlinear fault-tolerant control
techniques. In particular, the presence of input limitations and state bounds for safe plant operation
present particular challenges for control reconfiguration after actuator failures, since usually the failed
actuators have the best effect on some controlled
output, and any redundant components usually have
much less effect on the controlled quantity.
Furthermore, the interplay between diagnosis
components and reconfigurable controllers in closedloop configuration, as well as the consideration of
uncertain diagnosis results are important topics that
require deeper investigation.
References
1. Ahmed-Zaid F, Ioannou P, Gousman K, Rooney R.
Accommodation of failures in the F-16 aircraft using
adaptive control. IEEE Control Syst Mag 1991; 11(1):
7378
384
2. Anderson BDO, Moore JB. Optimal control Linear
quadratic methods. Prentice Hall, 1989
3. Aravena J, Zhou K, Li XR, Chowdhury F. Fault
tolerant safe flight controller bank. In Proceedings of
the 6th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (Safeprocess),
pp 859864, Beijing, 2006
4. Ashari AE, Sedigh AK, Yazdanpanah MJ. Reconfigurable control system design using eigenstructure assignment: static, dynamic and robust approaches. Int J
Control 2005; 78(13): 10051016
5. Basile G, Marro G. Controlled and Conditioned Invariants in Linear Systems Theory. Prentice Hall, University of Bologna, 1992
6. Ben-Israel A, Greville TNE. Generalized inverses
theory and application, vol. 15 of CMS Books in
Mathematics. Springer, New York, second edition,
2003. ISBN 0387002936
7. Bingulac SP, Krtolica RV. On admissibility of pseudoobservability and pseudocontrollability indices.
IEEE Trans Autom Control 1987; 32 (10): 920922
8. Blanke M, Kinnaert M, Lunze J, Staroswiecki J.
Diagnosis and Fault-Tolerant Control. Springer Verlag,
Heidelberg, 2nd. edition, 2006. ISBN 3-540-35652-5
9. Blondel VD. Simultaneous Stabilization of Linear Systems, volume 191 of Lecture Notes in Control and
Information Sciences. Springer Verlag, Heidelberg,
1994. ISBN 3-540-19862-8
10. Bodson M, Groszkiewicz JE. Multivariable adaptive
algorithms for 46 reconfigurable flight control. IEEE
Trans Control Syst Technol 1997; 5(2): 217229
11. Bonivento C, Gentili L, Paoli A. Internal model based
fault tolerant control of a robot manipulator. In
Proceedings of 43rd IEEE Conference on Decision
and Control, Paradise Island, Bahamas, 2004
12. Bonivento C, Isidori A, Marconi L, Paoli A. Implicit
fault-tolerant control: application to induction motors.
Automatica 2004; 40(3): 355371
13. Burcham FW Jr, Maine TA, Burken JJ, Bull J. Using
engine thrust for emergency flight control: MD-11 and
B-747 results. Technical Report NASA/TM-1998206552, NASA, Dryden Flight Research Center and
NASA Ames Research Center, 1998
14. Caglayan AK, Allen SM, Wehmuller K. Evaluation of a
second generation reconfiguration strategy for aircraft
flight control systems subjected to actuator failure/
surface damage. In Proceedings of the 1988 National
Aerospace and Electronics Conference, pp 520529, 1988
15. Campo PJ, Morari M. Achievable closed-loop properties of systems under decentralized control: Conditions
involving the steady-state gain. IEEE Trans Autom
Control 1994; 39(5): 932943
16. Chen J, Patton RJ. Robust Model-Based Fault Diagnosis
for Dynamic Systems. Kluwer Academic, 1999
17. Chen S, Tao G, Joshi S. On matching conditions for
adaptive state tracking control of systems with actuator
failures. IEEE Trans Autom Control 2002; 47(3):
473478
18. Ciubotaru B, Staroswiecki M, Christophe C. Fault
tolerant control of the Boeing 747 short-period mode
using the admissible model matching technique. In
Proceedings of 6th IFAC Symposium on Fault Detection Supervision and Safety for Technical Processes,
Beijing, China, 2006
19. Farrell J, Berger T, Appleby B. Using learning techniques to accommodate unanticipated faults. IEEE Control Syst Mag 1993; 13(3): 4049
20. Frank PM. Fault diagnosis in dynamic systems using
analytical and knowledge-based redundancy a survey
and some new results. Automatica 1990; 26: 459474
21. Frank PM. Analytical and qualitative model-based
fault diagnosis a survey and some new results. Eur J
Control 1996; 2(1): 628
22. Frank PM, Blanke M. Fault diagnosis and faulttolerant control. In: Control Systems, Robotics and
Automation, from Encyclopedia of Life Support Systems
(EOLSS), Developed Under the Auspices of the
UNESCO. Eolss Publishers, Oxford, UK, 2004
23. Fujita M, Shimermura E. Integrity against arbitrary
feedback-loop failure in linear multivariable control
systems. Automatica 1988; 24(6): 765772
24. Gao Z, Antsaklis PJ. Stability of the pseudo-inverse
method for reconfigurable control systems. Int J Control
1991; 53(3): 717729
25. Gao Z, Antsaklis PJ. Reconfigurable control system
design via perfect model following. Int J Control 1992;
56(4): 783798
26. Gndes AN. Stability of feedback systems with sensor or
actuator failures: analysis. Int J Control 1992; 56(4):
735753
27. Hoblos G, Staroswiecki M, Aitouche A. Fault tolerance
with respect to actuator failures in LTI systems. In
Proceeding of SAFEPROCESS 2000: 4th Symposium on
Fault Detection, volume 2, pp 804809, Budapest,
Hungary, 2000
28. Huang CY, Stengel RF. Restructurable control using
proportional integral implicit model following. J Guid
Control Dyn 1990; 13(2): 303309
29. Huijberts HJC, Nijmeijer H. Local nonlinear model
matching: from linearity to nonlinearity. Automatica
1990; 26(6): 973983
30. Proceedings of IEE Colloquium on Intelligent and SelfValidating Sensors, Jun 1999. IEE. http://ieeexplore.
ieee.org/servlet/opac?punumber 6421
31. Isermann R. Fault-Diagnosis Systems. An Introduction
from Fault Detection to Fault Tolerance. Springer
Verlag, Berlin Heidelberg, 2006. ISBN 3540241124
32. Isermann R, Schwarz R, Stolzl S. Fault-tolerant driveby-wire systems. IEEE Control Syst Mag 2002; 22(5):
6480
33. Jiang B, Staroswiecki M, Cocquempot V. Fault accommodation for nonlinear dynamic systems. IEEE Trans
Autom Control 2006; 51(9): 15781583
34. Jiang J. Fault-tolerant control systems an introductory overview. Acta Automatica Sinica 2005; 31(1):
161174
35. Jiang J. Design of reconfigurable control systems using
eigen structure assignments. Int J Control 1994; 59(2):
395410
36. Jiang J, Zhang Y. Fault diagnosis and reconfigurable
control of a pressurizer in a nuclear power plant. In
Proceedings of the 5th IFAC Symposium on Fault
Detection, Supervision and Safety of Technical Processes (SAFEPROCESS), pp 10951100, Washington
D.C., USA, 2003
37. Jonckheere EA, Yu G-R. Propulsion control of crippled
aircraft by H1 model matching. IEEE Trans Control
Syst Technol 1999; 7(2): 142159
385
38. Kanev S, Verhaegen M. Controller reconfiguration in

the presence of uncertainty in the FDI. In Proceedings
of the 5th IFAC Symposium on Fault Detection,
Supervision, and Safety of Technical Processes (SAFEPROCESS), pp 145150, Washington, D.C., USA,
2003
39. Kerrigan EC, Bemporad A, Mignone D, Morari M,
Maciejowski JM. Multi-objective priorisation and reconfiguration for the control of constrained hybrid
systems. In Proceedings of the 2000 American Control
Conference, vol 3, pp 16941698, 2000
40. Looze DP, Weiss JL, Eterno JS, Barrett NM. An
automatic redesign approach for restructurable control
systems. Control Syst Mag 1985; 5(2): 1622
41. Lunze J, Richter JH. Entwurfsmethode fur den verallgemeinerten virtuellen Aktor zur Rekonfiguration
von Regelkreisen. Automatisierungstechnik 2006; 54(7):
353361
42. Lunze J, Steffen T. Control reconfiguration after
actuator failures using disturbance decoupling methods.
IEEE Trans Autom Control 2006; 51(10): 15901601
43. Lunze J, Rowe-Serrano D, Steffen T. Control reconfiguration demonstrated at a two-degrees-of-freedom
helicopter model. In Proceedings European Control
Conference, Cambridge, UK, 2003
44. Maciejowski JM. Predictive Control with Constraints.
Pearson Education Limited, Harlow, England, 2002.
ISBN 0201398230PPR
45. Maciejowski JM, Jones CN. MPC fault-tolerant flight
control case study: Flight 1862. In Proceedings of the
SAFEPROCESS 2003: 5th Symposium on Fault Detection and Safety for Technical Processes, number M1C1, pp 121126, Washington D.C., USA, 2003. IFAC
46. Mahmoud M, Jiang J, Zhang Y. Active Fault Tolerant
Control Systems, volume 287 of Lecture notes in Control
and Information Sciences. Springer Verlag, Berlin
Heidelberg, 2003. ISBN 3540003185
47. McMahan J. Flight 1080. Air Line Pilot 1980; 47(7):
611
48. Morari M, Baotic M, Borrelli F. Hybrid systems
modeling and control. Eur J Control 2003; 9(23):
177189
49. Noura H, Sauter D, Hamelin F, Theilliol D. Faulttolerant control in dynamic systems: Application to a
winding machine. IEEE Control Syst Mag 2000; 20(1):
3349
50. Patton R, Chen J. A review of parity space approaches
to fault diagnosis. In IFAC-Symposium on Fault Detection Supervision and Safety for Technical Processes,
pp 239255, Baden-Baden, 1991. SAFEPROCESS91
51. Patton RJ. Fault-tolerant control: the 1997 situation. In
Patton R, Chen J, eds, Preprints of IFAC Symposium on
Fault Detection Supervision and Safety for Technical
Processes, pp 10331055, Kingston upon Hull, 1997.
SAFEPROCESS97
52. Rauch HE. Intelligent fault diagnosis and control
reconfiguration. IEEE Control Syst Mag 1994; 14(3):
612
53. Rauch HE. Autonomous control reconfiguration. IEEE
Control Syst Mag 1995; 15(6): 3748
54. Rawlings JB. Tutorial overview of model predictive
control. IEEE Control Syst Mag 2000; 20(3): 3852
55. Richter JH, Lunze J. Markov-parameter-based control
reconfiguration by matching the I/O-behaviour of the
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
plant. In Proceedings of the European Control Conference (ECC) 2007, pp 29422949, Kos, Greece, July 25,
2007
Richter JH, Lunze J. Reconfigurable control of Hammerstein systems after actuator faults. Proceedings
of 17th IFAC World Congress, Seoul, Korea, 2008,
pp. 32103215.
Richter JH, Schlage T, Lunze J. Control reconfiguration after actuator failures by Markov parameter
matching (2008). International Journal of Control
Vol. 81, No. 9, pp. 13821398.
Richter JH, Lunze J, Schlage T. Control reconfiguration after actuator failures by Markov parameter
matching. Int J Control 2008; 81(9): 13821398.
Sala A, Albertos P. Fault-tolerant time-invariant feedback control. In Proceedings of the 16th IFAC World
Congress. IFAC, 2005
Staroswiecki M. On reconfigurability with respect to
actuator failures. In Proceedings of the 15th IFAC World
Congress, pp 257262, Barcelona, Spain, 2002
Staroswiecki M. Fault tolerant control: The pseudoinverse method revisited. In: Piztek P, ed. Proceedings of
the16th IFACWorld Congress, Prague, Czech Republic,
2005
Staroswiecki M, Attouche S, Assas ML. A graphic
approach for reconfigurability analysis. In 10th International Workshop on Principles of Diagnosis DX 99,
Loch Awe, UK, 1999
Staroswiecki M, Hoblos G, Aitouche A. Fault tolerance
analysis of sensor systems. In Proceeding of 38th IEEE
Conference on Decision and Control, vol 4, pp 3581
3586, Phoenix, AZ, 1999
Staroswiecki M, Yang H, Jiang B. Progressive accommodation of aircraft actuator faults. In Proceedings of
the 6th IFACSymposium on Fault Detection Supervision
and Safety for Technical Processes, pp 877882, Beijing,
China, 2006
Steffen T. Control Reconfiguration of Dynamical Systems: Linear Approaches and Structural Tests, vol 320 of
Lecture Notes in Control and Information Sciences.
Springer-Verlag, Heidelberg, 2005. ISBN 3540257306
Stengel RF. Intelligent failure-tolerant control. IEEE
Control Syst Mag 1991; 11(4): 1423
Stoustrup J, Blondel VD. Fault tolerant control: a
simultaneous stabilization result. IEEE Trans Autom
Control 2004; 49(2): 305310
Tao F, Zhao Q. Synthesis of stochastic fault tolerant
control systems with random FDI delay. Int J Control,
2007; 80(5): 684694
Tortora G, Kouvaritakis B, Clarke D. Fault-accommodation with intelligent sensors. Automatica 2003;
39(7): 12271233
Tsuda K, Mignone D, Ferrari-Trecate G, Morari M.
Reconfiguration strategies for hybrid systems. In Proceedings of the 2001 American Control Conference, vol
2, pp 868873, Arlington, VA, USA, 2001
Wonham WM. Linear Multivariable Control: A Geometric Approach, vol 10 of Applications of Mathematics.
Springer-Verlag, New York Heidelberg Berlin, second
edition, 1979
Wu NE, Zhou K, Salomon G. On reconfigurability. In
Proceeding of SAFEPROCESS 2000: 4th Symposium on
Fault Detection, vol 2, pp 50 846851, Budapest,
Hungary, 2000
386
73. Yang G-H, Zhang S-Y, Lam J, Wang J. Reliable control
using redundant controllers. IEEE Trans Autom Control
1998; 43(11): 15881593
74. Yang H, Jiang B, Cocquempot V, Staroswiecki M.
Adaptive fault tolerant strategy for hybrid systems
with faults independently affecting on outputs. In
Proceedings of the 6th IFAC Symposium on Fault
Detection, Supervision and Safety of Technical Processes
(SAFEPROCESS), pp 10211026, Beijing, China,
2006
75. Yang H, Jiang B, Staroswiecki M. Observer-based faulttolerant control for a class of switched nonlinear
systems. IET Proc Control Theory Appl 1(5): 15231532
76. Zhang Y, Jiang J. Bibliographical review on reconfigurable fault-tolerant control systems. In Proceedings of
the SAFEPROCESS 2003: 5th Symposium on Fault
Detection and Safety for Technical Processes, number
M2-C1, pp 265276, Washington D.C., USA, 2003
77. Zhang Y, Jiang J. Issues on integration of fault diagnosis
and reconfigurable control in active fault-tolerant control systems. In Proceedings of the 6th IFAC Symposium
on Fault Detection Supervision and Safety for Technical
Processes, pp 15131524, Beijing, China, 2006
78. Zhao Q, Jiang J. Reliable state feedback control system
design against actuator failures. Automatica 1998;
34(10): 12671272, 1998

Reconfigurable Fault-Tolerant Control: A Tutorial Introduction

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Reconfigurable Fault-Tolerant Control: A Tutorial Introduction

Uploaded by

Copyright:

Available Formats

European Journal of Control (2008)5:359386

Reconfigurable Fault-tolerant Control: A Tutorial Introduction

Correspondence to: J. Lunze, E-mail: lunze@atp.rub.de

control is an ideal technology for increasing the

Received 15 November 2007; Accepted 29 June 2008

Boeing-747 at low altitude, resulting in asymmetrical

J. Lunze and J.H. Richter

1.2. Fault-Tolerant Control

Reconfigurable Fault-tolerant Control

control. A fault is an unpermitted condition that

the reconfiguration step for discussion, assuming that

1.3. Control Reconfiguration

J. Lunze and J.H. Richter

fault from the controller. The nominal controller

Fig. 5. Block diagram of the nominal control loop in state-space

matrix, and d 2 Rp the disturbance ( Figure 5). The

2.1. Plant Modelling

where xt 2 Rn is the state, yt 2 Rr the output,

This representation includes the important classes of

static state feedback controllers (Ac Fc Gc

Reconfigurable Fault-tolerant Control

2.2. Fault Modelling Strategies

For actuators and sensors, a component failure is

The zero columns or rows are justified, for example, in

(8) is adequate. Hence, all control reconfiguration

is obtained if the matrices are represented in terms of a

Fig. 6. Reconfiguration goals compare the nominal closed-loop

J. Lunze and J.H. Richter

on-line, operate together with any nominal controller

reasons used in the normal operation mode. The

2.4. Illustrative Example: Aircraft Yaw Control

where the inputs uR and uT drive the first-order models

Failure of the control channel that moves the

Reconfigurable Fault-tolerant Control

framework and follows one of the following paradigms (Figure 7):

The concepts following this paradigm originate from

systems without mechanical backup [32]. In such

3.4. Reconfiguration by Learning a New Control

J. Lunze and J.H. Richter

too restrictive in practice and has led to the idea of

3.5. Reconfiguration by Controller Redesign

Reconfigurable Fault-tolerant Control

experience as possible even after faults. Third, in the

4. Controller Redesign Approach

Fig. 8. Comparison of the controller redesign and fault-hiding

should have the same dynamics as the reference model

J. Lunze and J.H. Richter

When the model-matching approach is used for

such that the conditions

pseudo-inverse matrix, which gives the methods its

The solution is given in terms of pseudo-inverse

Vf arg min J2 B

4.2. Pseudo-Inverse Methods for Control

Fig. 9. Pseudo-inverse method for control reconfiguration. The

Reconfigurable Fault-tolerant Control

exactly matching the specified dynamic behaviour

to the plant consists of the stabilising part with gain ke

hold. Then the output error e ym yp is described

4.3. Linear Model-Following Approach to Control

J. Lunze and J.H. Richter

This error model motivates to use a controller where

K_ 1j t G1j xteT tPbj ;

(Figure 11), where an adaptive scheme for the gains

B 6 0 holds, then the output is corrected to ensure