
Co-design of safe networked control systems

Dominique Sauter, Mohamed Amine Sid, Samir Aberkane, Didier Maquin

Université de Lorraine, Centre de Recherche en Automatique de Nancy (CRAN), CNRS, UMR 7039, Vandoeuvre-lès-Nancy 54500, France
Article info
Article history:
Received 17 May 2013
Accepted 22 August 2013
Available online 26 October 2013

Abstract
Modeling, analysis and control of networked control systems (NCS) have recently emerged as topics of significant interest to the control community. The defining feature of any NCS is that information is exchanged among system components using a digital band-limited serial communication channel, which is usually shared by other feedback control loops. Conventional control theory, with many ideal assumptions such as synchronized control and non-delayed sensing and actuation, must be revisited so that the limitations on communication capabilities can be integrated within the control design framework. Recent achievements showed that it is possible to solve communication problems and control problems simultaneously, thus contributing to a more efficient NCS design. This paper aims at giving an overview of fault diagnosis methods dealing with the enhancement of robustness against network-induced effects, and at introducing co-design approaches making it possible to solve communication problems and control problems simultaneously, thus contributing to a more efficient design.
© 2013 Elsevier Ltd. All rights reserved.
1. Introduction
Networked Control Systems (NCS) are feedback control systems wherein the control loops are closed through communication networks. The network aims to ensure data transmission and coordinated manipulation among spatially distributed components. Compared with conventional point-to-point control systems, the advantages of NCS are less wiring, lower installation cost and greater agility in diagnosis and maintenance. Because of these distinctive benefits, typical applications of these systems range over various fields, such as automotive, mobile robotics, advanced aircraft, and so on. However, the introduction of communication networks in the control loops makes the analysis and synthesis of NCS complex. Several network-induced effects arise when dealing with NCS, such as time delays, packet losses and limited communication. Because of the inherent complexity of such systems, the control issues of NCS, taking network-induced effects into account, have attracted the attention of many researchers. For instance, the stability and stabilization problems of NCS were investigated in Ray and Halevi (1988), Nilsson (1998), Branicky, Phillips, and Zhang (2000), Zhang (2001) for network-induced delays, Seiler and Sengupta (2005) for packet losses, Hu and Zhu (2003), Yue, Han, and Lam (2005) for network-induced delays and packet losses, Nair and Evans (1997), Hristu (1999), Ishii and Francis (2002) for limited communication. We refer the readers to the surveys in Tipsuwan and Chow (2003), Hokayem and Abdallah (2004) and an up-to-date supplement (Yang, 2006) for more information on the modeling, design and analysis of NCS from the viewpoint of estimation and control.
Regarding network access limitation, it is sometimes necessary to provide a pre-defined sequence (i.e. a communication sequence) before designing an FDI (fault detection and isolation) module. It describes the instantaneous medium access status of the sensors and actuators. However, the choice of a communication sequence is not trivial and depends on the structure of the system (Sid, Aberkane, Sauter, & Maquin, 2012). In addition, in practice it is not easy to find a precise mathematical model. The proposed algorithm guarantees the generation of communication sequences which preserve some structural properties of the plant (Jan et al., 2012). Furthermore, this algorithm can be implemented on uncertain and large-scale systems. Traditionally, applications of allocation and scheduling techniques are based on offline strategies. But under offline scheduling, the performance of the diagnostic system may not be guaranteed when the plant is subject to unpredictable disturbances. In addition, online scheduling requires a large amount of computation, which may not always be possible in embedded systems (Nejad, Sauter, & Aberkane, 2010). Thus, a semi-online scheduling which preserves the advantages of online scheduling and avoids some limitations of offline scheduling can be considered a compromise solution (Sergio et al., 2011).
On the other hand, due to the increasing complexity of dynamical systems, as well as the need for reliability, safety and efficient operation, model-based fault diagnosis and fault-tolerant control have become an important subject in modern control theory and practice, see e.g. (Chen & Patton, 1999; Frank, 1990; Gertler, 1998; Mangoubi & Edelmayer, 2000; Willsky, 1976; Zhang & Jiang, 2003) and the references therein. Owing to the network-induced effects, the theories for traditional point-to-point systems should be re-evaluated.

This article is an extended version of a plenary lecture presented at the 8th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes SAFEPROCESS 2012, Mexico City, Mexico, August 29–31, 2012.
This work was supported by European Union Project NeCST under Grant No. EU-IST-2004-004303 and French Agence Nationale de la Recherche project Safe-Necs under Grant No. ANR-ARA no. SSIA_NV_15.
Corresponding author. E-mail address: dominique.sauter@univ-lorraine.fr (D. Sauter).
Annual Reviews in Control 37 (2013) 321–332
1367-5788/$ - see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.arcontrol.2013.09.010

When sampling and control data are transmitted over a network, many network-induced effects such as time delays and packet losses naturally arise. Our work has addressed the modeling, analysis and synthesis of NCS, taking the network-induced effects into account, from the viewpoint of fault diagnosis and fault-tolerant control as well. In Section 2, we first summarize the main ideas and the results obtained on these topics. Then, in Section 3, we address the problem under communication constraints. More specifically, we consider medium access constraints. In this case, the shared network can only accommodate a limited number of simultaneous communications between components. Section 4 gives the conclusions and some future work.
2. Fault diagnosis of NCS with network-induced effects
NCS is a multidisciplinary area closely affiliated with computer networking, signal processing, communication, robotics, information technology and control theory. Data networking technologies are applied widely in industrial and military control applications. These applications include automotive, aeronautic and manufacturing systems. The introduction of communication networks in control loops makes the analysis and synthesis of NCSs complex. Several important network-induced effects arise when dealing with an NCS.
2.1. Network-induced delays
One major challenge for NCS design is the effect of network-induced delays in a control loop. These delays occur when the system components exchange data across the network. They can degrade control performance significantly or even destabilize the system. The delays in an NCS consist of:
- a communication delay between sensors and controllers, $\tau^{sc}$;
- a communication delay between controller and actuators, $\tau^{ca}$;
- the computational time in the controller, $\tau^{c}$, which generally can be included in the controller-to-actuator delay.
2.2. Packet dropouts
Packet dropouts are a typical feature of network communications. This network-induced effect can be the consequence of a link failure. It can also be generated purposefully in order to avoid congestion or to guarantee that the most recent data are sent. Although most network protocols are equipped with transmission-retry mechanisms, they can only re-transmit for a limited time. After this time has expired, the packets are dropped. Normally, feedback controllers can tolerate a certain amount of packet loss, but consecutive packet losses have an adverse impact on the overall performance.
2.3. Medium access constraints
This network constraint arises when the communication medium can only provide a limited number of simultaneous medium access channels to its users. As a consequence, only a limited number of sensors and/or actuators are allowed to communicate with the controller at each instant k. Therefore, in the context of NCSs with constraints on communication access, it is only meaningful to specify a fault detection and isolation module in conjunction with a communication policy which indicates the times at which the plant's sensors are to be granted medium access. This communication policy is known in the literature as a communication sequence. The communication sequence specifies which sensors are able to send information to the detection filter at each time step.
The presence of these network-induced effects can degrade the performance of FD systems and calls for algorithms that are more robust to these communication constraints. We next introduce a few methods which make it possible to enhance FDI robustness against these network-induced effects.
2.4. Fault diagnosis of NCS with network-induced time delays
As depicted in Fig. 1, time delays in an NCS consist of: (a) the communication delay between sensors and controllers $\tau^{sc}$, (b) the communication delay between controllers and actuators $\tau^{ca}$, and (c) the computational time in controllers $\tau^{c}$. Generally speaking, the computational time of controllers can be included in the communication delay between controllers and actuators. Different industrial networks have different communication delay features and real-time performance; e.g., the delay of Ethernet is an uncertain stochastic delay, while the delay of a token-type field bus is a deterministic bounded delay. These delays with different features can degrade the performance of control systems and even destabilize the systems. Thus, fault diagnosis for NCS taking network-induced time delays into account has gained the attention of many researchers.
Let us assume that the fault-free plant with actuator and sensors is described by the following model:
$$\dot{x}(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) \tag{1}$$
where $x(t) \in \mathbb{R}^n$ is the state vector, $u(t)$ is the control input and $y(t) \in \mathbb{R}^m$ is the vector of measurement signals. Let $h$ be the sampling period. Considering, at time instant $kh$, a random and unknown network-induced delay shorter than one sampling period, with $\tau_k = \tau^{ca}_k + \tau^{sc}_k$, the NCS can be modeled as (Sauter & Boukhobza, 2006):
$$x_{k+1} = A x_k + B_{0,\tau_k} u_k + B_{1,\tau_k} u_{k-1}, \qquad y_k = C x_k \tag{2}$$
with, where $A$ and $B$ on the right-hand sides are the continuous-time matrices of (1):
$$A = e^{Ah}, \qquad B_{0,\tau_k} = \int_0^{h-\tau_k} e^{As} B \, ds, \qquad B_{1,\tau_k} = \int_{h-\tau_k}^{h} e^{As} B \, ds \tag{3}$$
Fig. 1. The general configuration of networked control system (block diagram: plant, sensor, actuator and controller connected through the network, with delays $\tau^{ca}_k$ and $\tau^{sc}_k$, sampling period $h$ and input $u(t)$).
Introducing, as usual, the fault input, Eq. (2) can be further written as
$$x_{k+1} = A x_k + B u_k + \eta_k + F f_k \tag{4}$$
where
$$B = B_{0,0}, \qquad \eta_k = -B_{1,\tau_k} \Delta u_k, \qquad \Delta u_k = u_k - u_{k-1}. \tag{5}$$
Thus, there exists a time-varying term $\eta_k$ in the state evolution equation of system (4). When $\tau_k$ is random, $\eta_k$ can be regarded as a random disturbance in (4). When the sampling period $h$ is sufficiently small compared with the system's time constants, by using the Taylor approximation of $e^{Ah}$, $\eta_k$ is approximated by
$$\eta_k \approx E_{\tau,k}\, \tau_k, \qquad E_{\tau,k} = -B \Delta u_k \tag{6}$$
So $\eta_k$ has been transformed into an approximate form whose left part is a known structure vector $E_{\tau,k}$ and whose right part is the unknown $\tau_k$.
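The delay model of Eqs. (2)-(6) can be checked numerically. The following is an added example, not code from the paper: it assumes a constructed scalar plant (a = -1, b = 1), a sinusoidal input and uniformly random delays, compares Eq. (2), the rewrite (4)-(5) with $\eta_k = -B_{1,\tau_k}\Delta u_k$, and the Taylor form (6) against the exact piecewise-constant actuation, and measures how the approximation degrades as $h$ grows.

```python
import math
import random

def delayed_zoh(a, b, h, tau):
    """Scalar form of Eq. (3): (Phi, B0, B1) for a delay tau with 0 <= tau <= h, a != 0."""
    phi = math.exp(a * h)
    b0 = b * (math.exp(a * (h - tau)) - 1.0) / a               # integral over [0, h - tau]
    b1 = b * (math.exp(a * h) - math.exp(a * (h - tau))) / a   # integral over [h - tau, h]
    return phi, b0, b1

def exact_step(a, b, h, tau, x, u_prev, u_now):
    """Ground truth for one period: the actuator applies u_{k-1} for tau, then u_k."""
    def hold(x0, u, dt):
        growth = math.exp(a * dt)
        return growth * x0 + b * (growth - 1.0) / a * u
    return hold(hold(x, u_prev, tau), u_now, h - tau)

def compare_models(a=-1.0, b=1.0, h=0.1, steps=200, seed=1):
    """Max deviation from the exact trajectory of Eq. (2), Eqs. (4)-(5) and Eq. (6)."""
    rng = random.Random(seed)
    phi, b_nodelay, _ = delayed_zoh(a, b, h, 0.0)   # B = B_{0,0}
    x_true = x_eq2 = x_eq4 = x_eq6 = 1.0
    u_prev = 0.0
    err2 = err4 = err6 = 0.0
    for k in range(steps):
        u = math.sin(0.3 * k)                       # constructed input signal
        tau = rng.uniform(0.0, h)                   # unknown delay, at most one period
        _, b0, b1 = delayed_zoh(a, b, h, tau)
        du = u - u_prev
        x_true = exact_step(a, b, h, tau, x_true, u_prev, u)
        x_eq2 = phi * x_eq2 + b0 * u + b1 * u_prev               # Eq. (2)
        x_eq4 = phi * x_eq4 + b_nodelay * u + (-b1 * du)         # Eqs. (4)-(5)
        x_eq6 = phi * x_eq6 + b_nodelay * u + (-b * du) * tau    # Eq. (6), approximate
        err2 = max(err2, abs(x_eq2 - x_true))
        err4 = max(err4, abs(x_eq4 - x_true))
        err6 = max(err6, abs(x_eq6 - x_true))
        u_prev = u
    return err2, err4, err6

def taylor_rel_error(a, b, h, tau):
    """Relative error of the first-order approximation B_{1,tau} ~ tau * B (tau > 0)."""
    _, _, b1 = delayed_zoh(a, b, h, tau)
    return abs(b1 - tau * b) / abs(b1)

if __name__ == "__main__":
    print("max errors (Eq.2, Eq.4-5, Eq.6):", compare_models())
    for h in (0.01, 0.1, 0.5):
        print("h =", h, "relative error of Eq. (6):", taylor_rel_error(-1.0, 1.0, h, h / 2))
```

Eqs. (2) and (4)-(5) reproduce the exact trajectory to rounding error, while the error of (6) grows with the sampling period, which is why the parity-space method below requires both $h$ and $\tau_k$ to be small.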
2.4.1. Parity space approach
In Ye and Ding (2004), a time-varying parity space based approach is proposed for FDI.
Let
$$w_{s,k} = \begin{bmatrix} w^T(k-s) & w^T(k-s+1) & \cdots & w^T(k) \end{bmatrix}^T \tag{7}$$
where $w$ may represent $u$, $y$, $f$, respectively.
Let
$$H_{u,s} = \begin{bmatrix} 0 & 0 & \cdots & 0 \\ CB & 0 & \ddots & \vdots \\ \vdots & \ddots & \ddots & 0 \\ CA^{s-1}B & \cdots & CB & 0 \end{bmatrix} \tag{8}$$
and define $H_{f,s}$, $H_{\eta,s}$ as the matrices obtained by replacing $B$ in (8) with $F$ and the identity matrix $I$, respectively. Let
$$H_{o,s} = \begin{bmatrix} C^T & A^T C^T & \cdots & (A^s)^T C^T \end{bmatrix}^T$$
The residual generator is defined as
$$r_{s,k} = v_{s,k}\,(y_{s,k} - H_{u,s}\, u_{s,k}) \tag{9}$$
whose dynamics is governed by
$$r_{s,k} = v_{s,k}\,(H_{\tau,s,k}\, \tau_{s,k} + H_{f,s}\, f_{s,k}) \tag{10}$$
when $v_{s,k} \in P_s$, where
$$H_{\tau,s,k} = \begin{bmatrix} 0 & 0 & \cdots & 0 & 0 \\ CE_{\tau,k-s} & 0 & \cdots & 0 & 0 \\ CAE_{\tau,k-s} & CE_{\tau,k-s+1} & \ddots & 0 & 0 \\ \vdots & \vdots & \ddots & \ddots & \vdots \\ CA^{s-1}E_{\tau,k-s} & CA^{s-2}E_{\tau,k-s+1} & \cdots & CE_{\tau,k-1} & 0 \end{bmatrix} \tag{11}$$
To satisfy $v_{s,k} \in P_s$ and to decouple the residual signal from the vector $\tau_{s,k}$ consisting of network-induced delays, the parity vector is determined in each sampling period by solving
$$v_{s,k} H_{o,s} = 0 \quad \text{and} \quad v_{s,k} H_{\tau,s,k} = 0 \tag{12}$$
It is shown that the approach has good robustness to unknown network-induced delays only if both $h$ and $\tau_k$ are small enough. In addition, since $\tau_k$ in (6) is a scalar signal, the existence condition of $v_{s,k}$ in (12) is not difficult to satisfy in most cases.
2.4.2. Isolation filter
In Sauter, Li, and Aubrun (2009), the authors assume that the statistical behavior of the network-induced delay $\tau_k$ is random and governed by the Markov chain
$$\theta_k \in o = \{1, 2, \ldots, s\}, \quad \forall k \in \mathbb{Z}_+ \tag{13}$$
with the transition probabilities $\lambda_{ij}$ defined as $\lambda_{ij} = \Pr[\theta_{k+1} = j \mid \theta_k = i]$, $\lambda_{ij} \ge 0$ and $\sum_{j=1}^{s} \lambda_{ij} = 1$ for any $i \in o$. To simplify notation, $B_{1,\tau_k}$ is denoted as $B_{1,\theta_k}$ and $\Delta u_k$ as $w_k$. Then, the model of the NCS given by the state space representation (4) is replaced by the following particular Markov jump linear system:
$$\begin{cases} x_{k+1} = A x_k + B u_k + F f_k - B_{1,\theta_k} w_k, \\ y_k = C x_k, \end{cases} \tag{14}$$
Remark 1. It is worth mentioning that the nature of the network-induced time delay considered in Sauter et al. (2009) differs from the one considered in Sauter and Boukhobza (2006). Indeed, in Sauter et al. (2009) the delay appears as a discrete variable assuming a finite set of possible values, while in Sauter and Boukhobza (2006) the delay appears as a continuous variable. For more details, one can refer to the aforementioned references.
The following fault isolation filter (FIF) is presented as the residual generator of NCS (14):
$$\begin{cases} \hat{x}_{k+1} = A\hat{x}_k + Bu_k + K(y_k - C\hat{x}_k), \\ a_k = L(y_k - C\hat{x}_k), \end{cases} \tag{15}$$
where $\hat{x}_k$ is the state of the filter and $a_k$ the residual signal or fault indicator. The filter gain $K \in \mathbb{R}^{n \times m}$ and the projector $L \in \mathbb{R}^{q \times m}$ are unknown matrices to be found for the solution of the fault detection and isolation problem.
From (14) and (15), the state estimation error $e_k = x_k - \hat{x}_k$ and the output of the residual generator (15) propagate as
$$\begin{cases} e_{k+1} = (A - KC)e_k + Ff_k - B_{1,\theta_k} w_k \\ a_k = LCe_k \end{cases}, \quad k \in \mathbb{Z}_+,\ \theta_k \in o \tag{16}$$
Let $G_{fa}(z)$ be the transfer function from $f_k$ to the output residual $a_k$. Then the following theorem is presented to design $K$ and $L$ such that
$$G_{fa}(z) = LC\,(zI - (A - KC))^{-1}F = \mathrm{diag}\{z^{-\rho_1}, \ldots, z^{-\rho_q}\}, \tag{17}$$
which ensures the isolation of multiple faults.
Theorem 1. Under the condition $\mathrm{rank}(W) = q$, the solutions of (17) can be parameterized as $K = \omega P + \bar{K}_{\theta_k} R$, $L = P$, with $R = b(I - WP)$, $P = W^{+}$, $\omega = AD$ and $W = CD$, where $\bar{K}_{\theta_k} \in \mathbb{R}^{n \times (m-q)}$ are the free parameters to be designed, $W^{+}$ is the pseudo-inverse of $W$ and $b$ is an arbitrary matrix chosen so that $\mathrm{rank}(R) = m - q$.
From Theorem 1, the FIF (15) is rewritten in terms of the free parameter $\bar{K}_{\theta_k}$ as:
$$\begin{cases} \hat{x}_{k+1} = A\hat{x}_k + Bu_k + \omega a_k + \bar{K}_{\theta_k} R\,(y_k - C\hat{x}_k), \\ a_k = P\,(y_k - C\hat{x}_k), \end{cases} \tag{18}$$
The residual signal $a_k$ satisfies the relation:
$$a_k = \bar{a}_k + \begin{bmatrix} f^1_{k-\rho_1} & \cdots & f^i_{k-\rho_i} & \cdots & f^q_{k-\rho_q} \end{bmatrix}^T \tag{19}$$
where $\bar{a}_k$ is the fault indicator signal without faults, which propagates from the fault-free state estimation error $\tilde{e}_k = \tilde{x}_k - \hat{x}_k$ as:
$$\begin{cases} \tilde{e}_{k+1} = (\bar{A} - \bar{K}_{\theta_k}\bar{C})\,\tilde{e}_k - B_{1,\theta_k} w_k, \\ \bar{a}_k = PC\tilde{e}_k, \end{cases} \tag{20}$$
where $\bar{A} = A - \omega PC$, $\bar{C} = RC$ and $\tilde{x}_k$ is the fault-free state. Note that each component of the residual signal $a_k$ is sensitive to only one fault.
The transfer function from $w_k$ to $\bar{a}_k$ is then given by:
$$G_{w\bar{a}}(z) = -PC\,(zI - (\bar{A} - \bar{K}_{\theta_k}\bar{C}))^{-1} B_{1,\theta_k}. \tag{21}$$
Let $\hat{a}_k$ be the fault indicator signal without disturbances. From Eq. (17), the transfer function $G_{f\hat{a}}(z)$ from fault $f$ to fault indicator $\hat{a}_k$ is a pure delay and
$$\|G_{f\hat{a}}(z)\|_\infty := \sup_{\theta_0 \in o}\ \sup_{0 \neq f \in \ell_2} \frac{\|\hat{a}\|_2}{\|f\|_2} = 1, \tag{22}$$
where $\|s\|_2 = \left(\sum_{k=0}^{\infty} \|s_k\|^2\right)^{1/2}$ is the $\ell_2$ norm of the signal $s_k$.
Then the free parameters $\bar{K}_{\theta_k}$ are designed in order to:
- (C1) ensure that the energy ratio between useful and disturbance signals defined on the fault indicators is maximized;
- (C2) locate the closed-loop poles within a prescribed region in the complex plane so that the residual dynamics have the given transient properties, which can be formulated as the following theorem:
Theorem 2. For given disks D
i
(n
i
, d
i
), if there exist matrices
P
i
= P
T
i
> 0; G
i
and Y
i
for prescribed scalars
c > 0; 1 < n
i
d
i
< 1; \i = h
k
o such that the following LMIs
(linear matrix inequalities):
P
i
0
~
A
T
G
T
i

~
C
T
Y
T
i
C
T
P
T
0 c
2
I B
T
1;i
G
T
i
0
G
i
~
A Y
i
~
C G
i
B
1;i

P
i
G
i
G
T
i
0
PC 0 0 I
_

_
_

_
< 0; (23)
d
2
i
P
i
~
A
T
G
T
i

~
C
T
Y
T
i
n
i
G
T
i
G
i
~
A Y
i
~
C n
i
G
i
P
i
G
i
G
T
i
_ _
< 0; (24)
are feasible, where $\bar{A} = A - \omega PC$, $\bar{C} = RC$, then the free parameters are designed as $\bar{K}_i = G_i^{-1} Y_i$, ensuring the stochastic mean square stability (SMS) of the error system (20) and the constraints C1 and C2.
At the minimal possible value of $c$ leading to a solution $P_i = P_i^T > 0$, $G_i$ and $Y_i$, the energy ratio between useful and disturbance signals defined on the fault indicators will be maximized.
Given disks $D_i(n_i, d_i)$, $i = \theta_k \in o$, the search for the lowest possible value of $c$ can be formulated as the following convex optimization problem:
$$\mathrm{OT}: \quad \min_{P_i = P_i^T > 0,\ G_i,\ Y_i} c \quad \text{s.t. LMI (23), (24)} \tag{25}$$
which can be effectively solved by the existing Matlab LMI toolbox.
2.4.3. Long time delays
It is noted that in the references cited above, the total maximum of the network-induced delays is assumed to be less than one sampling interval. However, in practice, the delays may be longer than one sampling period. In the worst case, these long time delays may distort the timing order of the messages arriving at the receiver and/or induce data loss (Hu & Zhu, 2003; Lincoln & Bernhardsson, 2000).
A way to eliminate data loss and keep the packet sequence is to set up transmission buffers, the lengths of which are longer than the maximum delay time. Hence, the integrity and sequence of the information transmission are guaranteed. Then the discrete state model of the system with network-induced delay can be described as
x(k 1) = Ax(k) B
0
u(k 1) B
1
u(k l 1) B
d
d(k) B
f
f
a
(k)
y(k) = Cx(k) f
s
(k)
(26)
which is a familiar discrete-time system with input time delays. Utilizing a reduced-order memoryless state observer with a c-stability margin, an observer-based fault detection method was presented for system (26) by comparing the output of the observer with the actual output of the practical system (Zhang & Jiang, 2003). The residual function for this approach is
r(z) =QCP
1
B
d
d(z) QCP
1
B
f
f
a
(z) [Q QCP
1
(zI A)V(zI
n
K
r
)
1
L[f
s
(z)
(27)
where P = (zI
n
A)[I
n
V(zI
r
K
r
)
1
LC[.
To remove the effect of the disturbance, it is required that
QCP
1
B
d
= H(zI
n
P
T
)
1
B
d
= 0:
In Wang, Ye, and Wang (2006), a method for fault detection of NCS with unknown network-induced delay, which may be greater than h, is also proposed. In the method, an NCS model for unknown network-induced delay which may be greater than h (Hu & Zhu, 2003; Ray & Halevi, 1988) has been adopted, and the idea for handling multiplicative faults (Gertler, 1998) has been used to deal with the network-induced delay. However, from another point of view, the method in Wang et al. (2006) can also be regarded as an extension of the one-dimensional Taylor approximation used in Ye and Ding (2004) into a multi-dimensional Taylor approximation.
2.5. Fault diagnosis of NCS with packet losses
Packet losses happen when packets are dropped due to link failure, or when packets are purposefully dropped in order to avoid congestion or to guarantee that the most recent data reach the receiver. Although a single packet loss neither deteriorates system performance nor destabilizes the system, consecutive packet losses have an adverse impact on overall performance. Therefore, it is necessary to discuss how packet losses influence fault diagnosis of NCS. Generally speaking, packet losses can be modeled either in a deterministic or in a stochastic sense. In the following, we discuss the two cases respectively.
2.5.1. Deterministic packet losses
Deterministic packet losses have been discussed either in terms of switching systems (Zhang, 2001) or in terms of delayed differential equations (Yue, Han et al., 2005; Yu, Wang, Chu, & Hao, 2005). As to the fault diagnosis of NCS with deterministic packet losses, to the best of our knowledge, no work has been done. However, many existing research results on fault diagnosis for switching and time-delay systems can be extended to or adopted directly for NCS, some of which are briefly introduced as follows:
2.5.1.1. Unknown input decoupling. Yang and Saif (1998) first addressed the fault diagnosis for a class of state-delayed dynamic systems, in which the actuator and sensor faults as well as other effects such as disturbances and higher-order nonlinearities were considered as unknown inputs. More recently, Koenig, Bedjaoui, and Litrico (2005) dealt with the problem of full-order observer design for linear continuous systems with delayed state and inputs, unknown inputs and time-varying delays. A method to design an Unknown Input Observer (UIO) for such systems was proposed, based on delay-dependent stability conditions of the state estimation error system. A fault diagnosis scheme using a bank of such UIOs was also presented and tested on a fault diagnosis problem related to irrigation canals.
2.5.1.2. $H_\infty$-norm model matching formulation. Ding, Ding, and Jeinsch (2002) developed a weighting transfer function matrix to describe the desired behavior of the residual with respect to the fault. The observer-based fault detection filter for a class of linear systems with time-varying delays was designed such that the error between the generated residual and the fault is as small as possible in the sense of the $H_\infty$-norm. The design was then formulated as an $H_\infty$-model matching problem, which can be solved by an optimization tool such as the linear matrix inequality technique.
2.5.1.3. Two-objective optimization approaches. Liu and Frank (1999) regarded the fault detection problem for linear systems with constant time delays as a two-objective nonlinear programming problem, namely enhancing the sensitivity of the residual to the fault and, at the same time, suppressing the undesirable effects of unknown inputs and modeling errors. More recently, Jiang, Staroswiecki, and Cocquempot (2003) extended the results of Liu and Frank (1999) to the case of discrete-time systems. Zhong, Ye, and Zhou (2005) dealt with the robust fault detection filter problem for linear systems with time-varying delays and model uncertainty.
2.5.1.4. A unified optimization approach. Zhong et al. (2005) extended the results of Ding, Jeinsch, Frank, and Ding (2000) to linear systems with $L_2$-norm bounded unknown input and multiple constant time delays. Then, an observer-based fault detection filter was developed such that a performance index based on the ratio of robustness and sensitivity was minimized. By appropriately choosing a filter gain matrix and post-filter, a solution to the fault detection filter was derived in terms of a Riccati equation.
2.5.1.5. Adaptive observer based FDI. With a structure restriction on fault distribution, Jiang, Staroswiecki, and Cocquempot (2002) developed an adaptive observer for fault identification for both linear systems with multiple state time delays and a class of nonlinear systems. Jiang and Zhou (2005) proposed a new adaptive observer for the robust fault detection and identification of uncertain linear time-invariant systems with multiple constant time delays in both states and outputs. Chen and Saif (2006) investigated an iterative learning observer based adaptive unknown input estimation, considering both the disturbance and the possible fault as unknown input.
2.5.2. Stochastic packet losses
The simplest stochastic model assumes that losses are realizations of a Bernoulli process (Nejad, Sauter, Aberkane, & Aubrun, 2011; Seiler, 2001; Sinopoli et al., 2004). Underlying finite-state Markov chains can be used to model correlated packet losses (Nilsson, Bernhardsson, & Wittermark, 1998; Seiler, 2001; Xiao, Hassibi, & How, 2000), and Poisson processes can be used to model stochastic losses in continuous time (Xu, 2006).
In Zhang, Ding, Frank, and Sader (2004), the fault detection problem of systems with stochastic packet losses is discussed. First, in order to cope with packet losses, the structure of the standard model-based residual generator is modified and dynamic network resource allocation is suggested as
$$e(k+1) = \begin{cases} (A - LC)e(k) + (E_f - LF_f)f(k) + Lh(k), & \gamma(k) = 0, \\ (A - LC)e(k) + (E_f - LF_f)f(k), & \gamma(k) = 1. \end{cases} \tag{28}$$
$$r(k) = \begin{cases} WCe(k) + WF_f f(k) - Wh(k), & \gamma(k) = 0 \\ WCe(k) + WF_f f(k), & \gamma(k) = 1. \end{cases} \tag{29}$$
where $h(k)$ is the difference between the real value of the measurement $y(k)$ and the used value $y_a(k)$, namely $h(k) := y(k) - y_a(k)$. $\gamma(k)$ is a stochastic variable representing the data communication status: $\gamma(k) = 1$ means that the measurement at time point $k$ arrives correctly, while $\gamma(k) = 0$ means that this measurement is lost. The dynamics of the residual generator are thus characterized by a discrete-time Markovian jump linear system.
To reduce the false alarm rate caused by missing measurements, a residual evaluation scheme is then developed as:
$$r_{eval} > J_{th}: \text{ a fault is detected}; \qquad r_{eval} \le J_{th}: \text{ no fault is detected}$$
where $r_{eval} = \left(\sum_{j=0} r^T(j)\, r(j)\right)^{1/2}$. To compute the threshold $J_{th}$, a convex optimization problem is then developed to find the minimum of $E[\|r\|_2]/\|h\|_2$, which is formulated as a disturbance attenuation problem of the Markovian jump linear systems (28) and (29). Further, a co-design approach of time-variant residual generator and threshold is proposed to improve the dynamics and the sensitivity of the fault detection system to the faults.
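The residual generator under missing measurements and the evaluation rule $r_{eval} > J_{th}$ can be exercised on a small simulation. This is an added example, not code from the paper or from Zhang et al. (2004): it assumes a constructed scalar plant, Bernoulli losses, an observer that reuses the last received sample as $y_a(k)$, and a threshold calibrated empirically on fault-free runs as a stand-in for the convex optimization; it also checks the simulated residual against Eqs. (28)-(29) written with $h(k) = y(k) - y_a(k)$.

```python
import math
import random

A, B, C = 0.9, 1.0, 1.0      # constructed scalar plant
E_F, F_F = 1.0, 0.0          # fault enters the state equation only
L_GAIN, W = 0.5, 1.0         # observer gain L and residual weight W (assumed values)

def run(seed, loss_prob=0.2, steps=200, fault_at=None, fault_size=3.0):
    """One run under Bernoulli losses; returns (r_eval, max mismatch with Eqs. (28)-(29))."""
    rng = random.Random(seed)
    x = x_hat = 0.0
    y_used = 0.0             # y_a(k): last measurement that reached the observer
    e_model = 0.0            # estimation error propagated with Eq. (28)
    energy = mismatch = 0.0
    for k in range(steps):
        u = math.sin(0.1 * k)                            # constructed input
        f = fault_size if fault_at is not None and k >= fault_at else 0.0
        y = C * x + F_F * f
        gamma = 0 if rng.random() < loss_prob else 1     # gamma(k) = 0: packet lost
        if gamma == 1:
            y_used = y
        h = y - y_used                                   # h(k) = y(k) - y_a(k)
        r = W * (y_used - C * x_hat)                     # residual actually computed
        r_model = W * C * e_model + W * F_F * f - W * h  # Eq. (29)
        mismatch = max(mismatch, abs(r - r_model))
        energy += r * r
        # Eq. (28); with gamma(k) = 1 the h-term vanishes because h = 0
        e_model = (A - L_GAIN * C) * e_model + (E_F - L_GAIN * F_F) * f + L_GAIN * h
        x_hat = A * x_hat + B * u + L_GAIN * (y_used - C * x_hat)
        x = A * x + B * u + E_F * f
    return math.sqrt(energy), mismatch

def calibrate_threshold(seeds, margin=1.2):
    """Empirical J_th: largest fault-free r_eval over the given loss realizations."""
    return margin * max(run(s)[0] for s in seeds)

def detect(seed, j_th, **kwargs):
    """Decision rule of the text: a fault is detected when r_eval > J_th."""
    return run(seed, **kwargs)[0] > j_th

if __name__ == "__main__":
    j_th = calibrate_threshold(range(50))
    print("J_th =", round(j_th, 3))
    print("fault-free r_eval:", round(run(123)[0], 3))
    print("faulty r_eval:", round(run(123, fault_at=100)[0], 3))
    print("fault detected:", detect(123, j_th, fault_at=100))
```

Lost packets alone excite the residual through $h(k)$, so the threshold has to sit above that fault-free energy; the fault still stands out because it shifts the estimation error persistently.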
It should be noted that some research work discusses NCS taking into account simultaneous time delays and packet losses, see e.g. (Zhong et al., 2005). However, the obtained results may be somewhat conservative because they are based on worst-case scenarios. To the best of our knowledge, there is no previous work analyzing estimation where observation packets are subject to simultaneous random delay and packet losses in a probabilistic framework.
2.6. Fault diagnosis of NCS with limited communication
The capacity of the communication network and its ability to carry a reasonable amount of information per unit of time play an important role in characterizing the stability of NCS. When introducing the network into the control loop, issues like the channel/network capacity, encoding/decoding schemes and quantization naturally arise. Examples of NCS with limited communication include unmanned air vehicles, owing to stealth requirements, wireless sensor networks, owing to long-endurance energy-limited operation, and so on.
Inspired by Shannon information theory, there is increasing attention to characterizing the minimum bit rate needed to stabilize NCS through feedback, see e.g. (Sahai, 2000; Savkin & Petersen, 2003; Tatikonda, 2000) and the references therein. In order to describe the quantization effects on the performance of NCS, much research effort has been devoted to developing new quantization schemes to achieve lower bit rates, see e.g. (Brockett & Liberzon, 2000; Delchamps, 1989; Elia & Mitter, 2000; Ishii & Francis, 2002; Wong & Brockett, 1997) and the references therein. For more details on this topic, we refer the readers to the survey (Hokayem & Abdallah, 2004).
In Zhang and Jiang (2003), the fault detection problem of networked control systems with limited data transmission rate is considered. In order to reduce the network load and thus avoid the uncertainty caused by transmission delays and packet loss, a so-called periodic communication sequence is introduced as:
$$y(k) = N_k\, y_p(k) \tag{30}$$
$$u_p(k) = M_k\, u(k) \tag{31}$$
where $y \in \mathbb{R}^{\omega_m}$ represents the sensor signals transmitted from the sensors to the central station through the network, $N_k \in \mathbb{R}^{\omega_m \times m}$ is a $\theta$-periodic matrix formed by selecting $\omega_m$ rows of the identity matrix, $u \in \mathbb{R}^{p}$ represents the signal generated by the controller, and $M_k \in \mathbb{R}^{p \times p}$ is a $\theta$-periodic diagonal matrix with $\omega_p$ non-zero elements equal to 1 on the diagonal. The dynamics of the NCS is then characterized by
$$x(k+1) = Ax(k) + BM_k u(k) + E_d d(k) + E_f f(k), \qquad y(k) = N_k\,(Cx(k) + Du(k) + F_d d(k) + F_f f(k)) \tag{32}$$
The input-output relation of NCS (32) over a moving finite horizon $[k-s, k]$, where $s$ is an integer representing the length of the horizon, can be expressed by
$$Y(k) = H_{s,k}\, x(k-s) + H_{u,k}\, U(k) + H_{d,k}\, D(k) + H_{f,k}\, F(k), \tag{33}$$
The matrices $H_{s,k}$, $H_{u,k}$, $H_{d,k}$, $H_{f,k}$ in the parity relation (33) are $\theta$-periodic with respect to $k$. The residual generator is then constructed as
$$r(k) = v_k\,(Y(k) - H_{u,k}\, U(k)) \tag{34}$$
where $v_k \in \mathbb{R}^{1 \times (s+1)\omega_m}$ is the periodic parity vector to be designed such that $v_k H_{s,k} = 0$ for any $k$. The residual dynamics is not influenced by the initial state $x(k-s)$ and is governed by
$$r(k) = v_k\,(H_{d,k}\, D(k) + H_{f,k}\, F(k)). \tag{35}$$
There are two cases to be considered:
- If $\mathrm{rank}\,[H_{s,k}\ H_{d,k}\ H_{f,k}] > \mathrm{rank}\,[H_{s,k}\ H_{d,k}]$ for any $k$, then the residual signal can be decoupled from the unknown disturbances by designing $v_k$ in such a way that $v_k\,[H_{s,k}\ H_{d,k}] = 0$, $v_k H_{f,k} \neq 0$ holds for any $k$;
- If a full decoupling is not achievable, then a suitable compromise between robustness to unknown disturbances and sensitivity to faults can be achieved by solving the optimization problem
$$\min_{v_k} J_k = \min_{v_k} \frac{v_k H_{d,k} H_{d,k}^T v_k^T}{v_k H_{f,k} H_{f,k}^T v_k^T} \quad \text{s.t. } v_k H_{s,k} = 0$$
to get the optimal periodic parity vector $v_k$.
Then, the influence of the new communication pattern on fault detection, including full decoupling and optimal achievable performance, is analyzed. Finally, the optimal selection of the periodic communication sequence is discussed.
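The parity relation (33)-(35) under a periodic communication sequence can be worked through exactly. This is an added example, not code from the paper: it assumes a constructed two-state plant with two sensors of which one is granted access per step (period 2), a single always-connected actuator ($M_k = I$), $D = 0$ and no disturbance, and it uses exact rational arithmetic to compute a parity vector $v_k$ with $v_k H_{s,k} = 0$ for each phase of the sequence.

```python
from fractions import Fraction as Fr

# Constructed plant: 2 states, 2 sensors, 1 actuator; E_F is the fault direction.
A = [[Fr(1, 2), Fr(1)], [Fr(0), Fr(1, 3)]]
B = [[Fr(0)], [Fr(1)]]
C = [[Fr(1), Fr(0)], [Fr(0), Fr(1)]]
E_F = [[Fr(1)], [Fr(0)]]
S = 2               # horizon length s
SEQ = [0, 1]        # communication sequence: sensor granted access at step k mod 2

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def matpow(M, p):
    R = [[Fr(int(i == j)) for j in range(len(M))] for i in range(len(M))]
    for _ in range(p):
        R = matmul(R, M)
    return R

def sensor_row(step, M):
    """N_k M: the row of M that belongs to the sensor scheduled at this step."""
    return M[SEQ[step % len(SEQ)]]

def parity_matrices(k):
    """H_{s,k} and H_{u,k} of Eq. (33) for the window [k - s, k]."""
    hs, hu = [], []
    for i in range(S + 1):
        step = k - S + i
        hs.append(sensor_row(step, matmul(C, matpow(A, i))))
        hu.append([sensor_row(step, matmul(matmul(C, matpow(A, i - 1 - j)), B))[0]
                   if j < i else Fr(0) for j in range(S + 1)])
    return hs, hu

def null_vector(M):
    """One non-zero x with M x = 0, by Gauss-Jordan elimination (needs cols > rank)."""
    M = [row[:] for row in M]
    rows, cols = len(M), len(M[0])
    pivots, r = [], 0
    for c in range(cols):
        p = next((i for i in range(r, rows) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        piv = M[r][c]
        M[r] = [v / piv for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c] != 0:
                fac = M[i][c]
                M[i] = [a - fac * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    free = next(c for c in range(cols) if c not in pivots)
    x = [Fr(0)] * cols
    x[free] = Fr(1)
    for i, c in enumerate(pivots):
        x[c] = -M[i][free]
    return x

def parity_vector(k):
    """v_k with v_k H_{s,k} = 0; it depends only on k modulo the period."""
    hs, _ = parity_matrices(k)
    return null_vector([list(col) for col in zip(*hs)])

def residuals(fault_at=None, steps=12):
    """r(k) of Eq. (34) for k = s .. steps - 1, with f(k) = 1 from fault_at on."""
    x = [[Fr(1)], [Fr(-1)]]                  # non-zero initial state
    ys, us, out = [], [], {}
    for k in range(steps):
        u = Fr(k % 3 - 1)                    # constructed input sequence
        f = Fr(1) if fault_at is not None and k >= fault_at else Fr(0)
        ys.append(sensor_row(k, matmul(C, x))[0])
        us.append(u)
        if k >= S:
            _, hu = parity_matrices(k)
            Y, U = ys[k - S:], us[k - S:]
            innov = [y - sum(h * w for h, w in zip(row, U)) for y, row in zip(Y, hu)]
            out[k] = sum(v * d for v, d in zip(parity_vector(k), innov))
        x = [[ax[0] + b[0] * u + e[0] * f] for ax, b, e in zip(matmul(A, x), B, E_F)]
    return out

if __name__ == "__main__":
    print("v_k (even k):", parity_vector(8), " v_k (odd k):", parity_vector(9))
    print("fault-free:", residuals())
    print("fault from k = 6:", residuals(fault_at=6))
```

In this constructed case the residual is exactly zero without a fault whatever the initial state, and with the fault it is non-zero only at even $k$: at odd $k$ the parity vector weights only the sensor that does not see the faulty state, which is the kind of influence of the communication pattern on detection that the text refers to.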
3. Fault isolation lter and sensors scheduling co-design
In classical control systems, information from all sensors is assumed to be instantaneously available for the FD system. However, in NCSs, no matter what networks are used, several network effects will be introduced into the control loop during communication. In this section the problem of fault detection and isolation in NCS with communication constraints will be studied. More specifically, we will consider medium access constraints. In this case, the shared network can only accommodate a limited number of simultaneous communications between components as depicted in Fig. 3, where output channels refer to the communication links that enable data transmission from sensors to the central station (controller/FDI) and input channels are the links between controller and actuators. In this context, it is only meaningful to specify a fault detection and isolation module in conjunction with a communication policy which indicates the times at which the plant's sensors are to be granted medium access. This communication policy is known in the literature as a communication sequence (Hristu-Varsakelis, 2008). The communication sequence specifies which sensors are able to send information to the detection filter at each time step. Hence, the considered problem leads naturally to a co-design problem, that is, the design of a fault detection and isolation filter in conjunction with a sensor scheduling sequence. If the FDI and schedule co-design are formalized into a single optimization problem, then we regain the confidence to say that the FDI and the schedule are the best possible FDI-schedule combination. Without any scheduling policy, the resulting network congestion leads to undesirable phenomena such as network induced delays and packet dropout. To the best of the authors' knowledge, most of the co-design works in the literature consist of control/scheduling and estimation/scheduling co-design. In what follows, we review results from FDI/scheduling co-design.
Co-design techniques can be categorized into three big sets according to the scheduling policy used:
• Offline (static, open loop or time triggered)
• Online (dynamic, closed loop or event triggered)
• Hybrid co-design
Offline scheduling is based on the allocation of the communication channel before runtime (Walsh & Ye, 2001). The simplest offline communication policy is the Round Robin (RR) or periodic scheduling. RR assigns time slots to each node equally, in order and without priority. In Zehui, Bin, and Shi (2009) a periodic communication sequence that ensures the reachability and observability of the nonlinear NCS is chosen. Then, an observer-based FD is designed based on those sequences. In Wang et al. (2009) a fault detection scheme with a packet-based periodic communication strategy is proposed. Two kinds of optimal observer-based residual generators are then provided. The first residual generator is based on the lifted model of the NCS and the second generates residual signals every sampling period to be more suitable for fast fault detection. In Sid et al. (2012), the authors consider a set of sensors monitoring the process in which only a limited number of them can operate at each time-step. A finite horizon schedule algorithm chooses which sensors group should operate at each time-step to minimize an objective function of the estimation error covariances. Chen, Zhao, Krishnamurthy, and Djonin (2007) propose a network lifetime maximization policy under an estimation quality constraint. Mo, Ambrosino, and Sinopoli (2011) provide a multi-step sensor selection strategy to schedule sensors to transmit for the next finite number of time steps with the goal of minimizing an objective function of the estimation error covariance matrix. Then, a relaxed convex framework is used to solve a large class of scheduling problems under energy constraints. A stochastic sensor scheduling is proposed in Gupta, Chung, Hassibi, and Murray (2006). This technique, easy to implement and computationally tractable, is based on the minimization of the expected error covariance. Similarly, the approach in Chen et al. (2007) considers sensor data scheduling over packet-dropping networks. The work in Zhang and Ding (2009) shows the degradation of the optimal fault-detection performance index when the sampling period is increased by an integer multiple.
The different offline scheduling methods are practically attractive, because of their ease of implementation and their degree of determinism in the NCS. However, this scheduling is less robust against network perturbations. Furthermore, less important information may be transmitted before more important information, which largely affects the real time performance of the FDI. The idea of online co-design (event triggered) is to design, at every sampling instance, an FDI scheme with a communication schedule. In Li, Sauter, and Xu (2011) sensor data is transmitted only when the absolute value of the difference between the current sensor value and the previously transmitted one is greater than the given threshold value. Compared with classical sampling, the proposed technique improves the resource utilization with graceful fault isolation performance degradation. The work in Astrom and Bernhardsson (2002) shows that, for a first-order stochastic system, event based sampling leads to a smaller error variance compared with periodic sampling. In Imer and Basar (2005) an observer is designed to make the decision whether to send some
observation information to the estimator. The work in Li Lichun, Lemmon, Wang, and Xiaofeng (2010) extended the same results to vector linear systems. In Sijs and Lazar (2012) a sum of Gaussian filter is used. The estimated state is predicted synchronously, using the knowledge that the sensor value lies within a bounded subset of the measurement space and the plant model. When the sampling event occurs the predicted state is updated using the transmitted measurement.
A novel hybrid sensor schedule, which introduces an event-triggering mechanism on top of an optimal offline schedule to get the best compromise between offline and online scheduling, is proposed in Sergio et al. (2011). It is shown that the hybrid sensor schedule has better performance than the optimal offline co-design and requires less computation than the online one. An improved version of the hybrid sensor schedule is given in Wu et al. (2012).
In the rest of this section, we will present some of the authors' results on (offline) FDI/scheduling co-design. The sensor scheduling sequence and the proposed detection and isolation filter are built in order to ensure the fault isolability property and noise effect minimization. In what follows, we will consider both the finite and infinite-horizon case. The interested reader can refer to Sid et al. (2012) and Sid, Aberkane, Maquin, and Sauter (2013) for a more detailed presentation and discussion of these results.
3.1. Problem formulation
The state space representation of the plant under actuator and/or component faults is given as follows:

$$\begin{cases} x_{k+1} = A x_k + B u_k + F f_k + w_k \\ y_k = C x_k + v_k \end{cases} \qquad (36)$$

where $x_k \in \mathbb{R}^n$ is the state vector, $u_k \in \mathbb{R}^p$ is the control input, $F = [F_1, F_2, \ldots, F_l] \in \mathbb{R}^{n \times l}$ is the fault distribution matrix, $f_k = [f_k^1, f_k^2, \ldots, f_k^l]^T \in \mathbb{R}^l$ is the fault vector and $y_k \in \mathbb{R}^m$ is the measurement signals vector. We assume that each component $y_i$ of the output vector represents the sensor $i \in \{1, 2, \ldots, m\}$. The initial state vector $x_0$, process noise $w_k$ and measurement noise $v_k$ are uncorrelated, white Gaussian random processes with $x_0 \sim N(x_0, P_0)$, $w_k \sim N(0, W)$ and $v_k \sim N(0, R)$ respectively, where $P_0$, $W$ and $R$ are symmetric, positive definite matrices.
The diagnosis filter introduced in Section 2 is now revisited in the context of co-design. The main objective consists in the design of a fault detection and isolation filter that takes into account the medium access constraints induced by the shared communication medium. More specifically, we will specify a fault isolation filter in conjunction with a communication policy which indicates the times at which the plant's sensors are to be granted medium access.
We will consider that the communication medium connecting the sensors and the residual generator has $b$ output channels, with

$$1 \le b \le m \qquad (37)$$

At any time, only $b$ of the $m$ sensors can access these channels to communicate with the residual generator while others must wait. We then have $r = C_m^b = \frac{m!}{b!(m-b)!}$ possible configurations.
3.1.1. Communication sequence
Let us introduce the application $\mu_k : \mathbb{Z} \to \phi = \{1, \ldots, r\}$, that determines at each sample time the corresponding sensors group index. We call this application the switching pattern for the sensor side. In Fig. 2, the signal $\bar{y}_k \in \mathbb{R}^b$ is related to $y_k$ by the following relation: $\bar{y}_k = S(\mu_k) y_k$. The switch matrix $S(\mu_k) \in \mathbb{R}^{b \times m}$ is used to select the subset of measures that will be sent to the controller at each time step $k$. This subset is indexed by the values of the switching pattern $\mu_k$. Considering the band limited effect, the extended plant model is described by

$$\begin{cases} x_{k+1} = A x_k + B u_k + F f_k + w_k \\ \bar{y}_k = \mathcal{C}_{\mu_k} x_k + \bar{v}_k \end{cases} \qquad (38)$$

where $\mathcal{C}_{\mu_k} = S(\mu_k) C$ and $\bar{v}_k = S(\mu_k) v_k$.
3.1.2. Filter design
The fault detection and isolation filter proposed in this section and already discussed in Section 2 is a modified version of the filter proposed in Keller (1999). The state space representation of this filter is given by

$$\begin{cases} \hat{x}_{k+1} = A \hat{x}_k + B u_k + K_k (\bar{y}_k - \hat{y}_k) \\ \hat{y}_k = \mathcal{C}_{\mu_k} \hat{x}_k \end{cases} \qquad (39)$$

where $\hat{x}_k$ and $\hat{y}_k$ denote the state and output estimation vectors, respectively.
It is important to note that in the context considered in this paper, both the filter gain $K_k$ and the switching pattern $\mu(k)$ are design parameters.
First recall some basic definitions that will be used in the sequel.

Definition 1. Keller (1999) The linear stochastic system (36) is said to have fault detectability indexes $\rho = \{\rho_1, \rho_2, \ldots, \rho_l\}$ if $\rho_i = \min\{\nu : C A^{\nu-1} F_i \ne 0, \ \nu = 1, 2, \ldots\}$.

Definition 2. The time-varying fault detectability matrix associated with the extended plant is defined as

$$D_{\mu_k} = \mathcal{C}_{\mu_k} \Psi \qquad (40)$$

where

$$\Psi = [F_1, A F_2, \ldots, A^{s-1} F_s] \qquad (41)$$

Let $s = \max\{\rho_i, \ i = 1, 2, \ldots, l\}$ be the maximum value of fault detectability indexes. We define $\bar{f}_k = [\bar{f}_k^{1T}, \bar{f}_k^{2T}, \ldots, \bar{f}_k^{sT}]^T$ and $F = [F_1, F_2, \ldots, F_s]$, where $\bar{f}_k^i \in \mathbb{R}^{l_i}$ represents the part of faults having detectability index $\rho_i$ and distribution matrix $F_i \in \mathbb{R}^{n, l_i}$. The extended system can be equivalently rewritten as

$$\begin{cases} x_{k+1} = A x_k + B u_k + F \bar{f}_k + w_k \\ \bar{y}_k = \mathcal{C}_{\mu_k} x_k + \bar{v}_k \end{cases}$$
Fig. 2. Remote filtering. (Block diagram: plant, controller and FDI, linked by input channels and output channels.)
Consider the filter given by (39). Define the estimation error $e_k = (x_k - \hat{x}_k)$ and the output residuals $q_k = (\bar{y}_k - \hat{y}_k)$. One gets:

$$\begin{cases} e_{k+1} = (A - K_k \mathcal{C}_{\mu_k}) e_k + F \bar{f}_k - K_k \bar{v}_k + w_k \\ q_k = \mathcal{C}_{\mu_k} e_k + \bar{v}_k \end{cases} \qquad (42)$$

From the superposition principle, it follows that for additive faults occurring at time instant $r$ (with $k > r + s$), the output residuals $q_k$ can be expressed as:

$$q_k = \bar{q}_k + q_{k,r} \left[ \bar{f}_r^T \ \cdots \ \bar{f}_{k-s}^T \ \cdots \ \bar{f}_{k-2}^T \ \ \bar{f}_{k-1}^T \right]^T \qquad (43)$$

with

$$q_{k,r} = \mathcal{C}_{\mu_k} \left[ G_{k-1,r} F \ \cdots \ G_{k-1,k-(s-1)} F \ \cdots \ G_{k-1} F \ \ F \right]$$
$$G_{k-1,k-j} = G_{k-1} G_{k-2} \cdots G_{k-j}$$
$$G_k = A - K_k \mathcal{C}_{\mu_k}$$

and $\bar{q}_k$ corresponds to the output residuals for the non-faulty case.
Following similar arguments as in Keller (1999), the following result is derived.
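Proposition 1 (Fault isolability condition). Under the condition $\operatorname{rank}(\mathcal{C}_{\mu_k}) = l$, the solutions of the algebraic constraints $(A - K_k \mathcal{C}_{\mu_k}) \Psi = 0$ can be parameterized as $K_k = \omega \Pi_{\mu_k} + \bar{K}_k \Sigma_{\mu_k}$ with

$$\Sigma_{\mu_k} = \alpha_{\mu_k} (I_m - D_{\mu_k} \Pi_{\mu_k}), \quad \Pi_{\mu_k} = D_{\mu_k}^{+} \quad \text{and} \quad \omega = A \Psi \qquad (44)$$

where $\bar{K}_k \in \mathbb{R}^{n, b-l}$ is the reduced gain describing the remaining freedom of design, $D_{\mu_k}^{+}$ is the generalized inverse or pseudo-inverse of $D_{\mu_k}$ and $\alpha_{\mu_k}$ is an arbitrary matrix determined so that matrix $\Sigma_{\mu_k}$ is of full row rank.
Under these conditions, the residual signal $q_k$ can then be expressed as

$$q_k = \bar{q}_k + D_{\mu_k} \left[ \bar{f}_{k-1}^{1T} \ \ \bar{f}_{k-2}^{2T} \ \cdots \ \bar{f}_{k-s}^{sT} \right]^T \qquad (45)$$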
Remark 2. In the result given above, it is important to recall that the matrices $\mathcal{C}_{\mu_k}$ depend on the switching pattern $\mu_k$ ($\mu_k$ being a design parameter). It follows that the switching patterns that contain sequences which violate the rank condition in Proposition 1 have to be excluded. Hence, let us define the set of admissible switching patterns $N^{+}$ given by

$$N^{+} = \{ \mu_k : \mathbb{Z} \to \phi^{+} \subseteq \phi \} \qquad (46)$$

where $\phi^{+}$ contains the indices corresponding to sensor configurations (represented by the corresponding matrices $\mathcal{C}_{\mu_k}$) that verify the rank condition $\operatorname{rank}(\mathcal{C}_{\mu_k}) = l$.
Based on the development above, the fault isolation filter can be designed by computing the free parameter $\bar{K}_k$ so that the trace of the covariance matrix $P_k = E(e_k e_k^T)$ is minimized.

Proposition 2 (Fault isolation filter design). For a fixed switching pattern $\mu_k \in N^{+}$, the proposed fault detection filter described by the following relations:

$$\hat{x}_{k+1} = A \hat{x}_k + B u_k + \omega q_k^r + K_{\mu_k} \gamma_k \qquad (47)$$
$$P_{k+1} = (A_{\mu_k} - K_{\mu_k} C_{\mu_k}) P_k (A_{\mu_k} - K_{\mu_k} C_{\mu_k})^T + K_{\mu_k} V_{\mu_k} K_{\mu_k}^T + W_{\mu_k} \qquad (48)$$
$$\phantom{P_{k+1}} = \phi_{\mu_k}(P_k) \qquad (49)$$
$$K_{\mu_k} = A_{\mu_k} P_k C_{\mu_k}^T (C_{\mu_k} P_k C_{\mu_k}^T + V_{\mu_k})^{-1} \qquad (50)$$

with

$$A_{\mu_k} = A - \omega \Pi_{\mu_k} \mathcal{C}_{\mu_k} \qquad (51)$$
$$C_{\mu_k} = \Sigma_{\mu_k} \mathcal{C}_{\mu_k} \qquad (52)$$
$$V_{\mu_k} = \Sigma_{\mu_k} \Sigma_{\mu_k}^T \qquad (53)$$
$$W_{\mu_k} = W + \omega \Pi_{\mu_k} \Pi_{\mu_k}^T \omega^T \qquad (54)$$

where

$$\gamma_k = \Sigma_{\mu_k} (\bar{y}_k - \mathcal{C}_{\mu_k} \hat{x}_k) \qquad (55)$$
$$q_k^r = \Pi_{\mu_k} (\bar{y}_k - \mathcal{C}_{\mu_k} \hat{x}_k) \qquad (56)$$

have the following properties:
• $\gamma_k$ is decoupled from the faults
• $q_k^r$ satisfies the relation

$$q_k^r = \Pi_{\mu_k} \bar{q}_k + \left[ \bar{f}_{k-1}^{1T} \ \ \bar{f}_{k-2}^{2T} \ \cdots \ \bar{f}_{k-s}^{sT} \right]^T \qquad (57)$$

Each component of the reduced output residual signal $q_k^r \in \mathbb{R}^l$ is sensitive to only one fault. Thus, it is used for the fault isolation.

Proof. The proof of this proposition follows similar arguments as the proof of Theorem 3.1 in Keller (1999). One can see that the evolution of the covariance matrix given by the Riccati Eq. (48) depends on the initial covariance matrix $P_0$ and the switching pattern given by $\mu_k$. Hence, in addition to the isolability condition (see Remark 2), the scheduling strategy can be generated to optimize the covariance matrix evolution. This point will be further exposed in the next section. □
3.2. Finite horizon optimal scheduling
The problem addressed here is to choose which $b$ sensors should operate at each time-step to minimize a function of the error covariance of the state estimation at each time step. Defining the scheduling strategy $s_N$ is equivalent to defining the values of $\mu_k$ for each $k = 0, \ldots, N-1$, or equivalently $s_N = [\mu_0 \ \mu_1 \ \cdots \ \mu_{N-1}]$. Let $o_N = \phi^N$ be the set of all possible N-horizon scheduling strategies and let $o_N^{+}$ be the set of all admissible N-horizon scheduling strategies (see Remark 1). The problem of optimal scheduling is formulated as

$$\min_{s_N \in o_N^{+}} J(s_N) \qquad (58)$$

where $J(s_N) = \sum_{i=1}^{N} \operatorname{tr}(P_i) = \sum_{i=0}^{N-1} \operatorname{tr}(\phi_{\mu_i}(P_i))$ and $\mu_i = s_N(i)$.
3.2.1. The search algorithm
Search algorithms are used for solving optimization problem (58). The trivial way to a solution is to evaluate all possible scheduling cases. This enumerating method is only tractable for relatively short time horizons. It requires large amounts of memory and computational time for longer estimation horizons. To overcome this limitation, we will use in this paper a pruning technique proposed in Vitus, Zhang, Abate, Hu, and Tomlin (2010). As in Vitus et al. (2010), the proposed algorithm can significantly reduce the computation complexity. Before proceeding, we will first recall some definitions to ease the reading of the paper.

Definition 3 (Characteristic sets). Let $\{H_k\}_{k=0}^{N}$ be defined as the characteristic sets as they completely characterize the objective function. Each set is of the form $(P, c) \in \varphi \times \mathbb{R}$ ($\varphi$ being the set of all symmetric positive semidefinite matrices) and is generated recursively by

$$H_{k+1} = p_{\phi^{+}}(H_k) \quad \text{from} \quad H_0 = \{(P_0, \operatorname{tr}(P_0))\}$$
with

$$p_{\phi^{+}}(H) = \{ (\phi_i(P), \ c + \operatorname{tr}(\phi_i(P))) : \ \forall i \in \phi^{+}, \ \forall (P, c) \in H \}$$

Note that the above definition differs from the original one in Vitus et al. (2010) by using $\phi^{+}$ instead of $\phi$. This is due to the fault isolability constraints in our context.
The sets $\{H_k\}$, $k = 1, \ldots, N$, express the covariance of the estimate and the objective cost at every time-step under every possible sensor schedule. Let $H_k(i)$ be the $i$th element of $H_k$; $P_k(i)$ and $c_k(i)$ be the covariance matrix and objective cost corresponding to $H_k(i)$; $\phi^{+k}$ the set of all ordered sequences of admissible (in terms of isolability constraint) sensor schedules of length $k$; $\lambda(P_k(i)) \in \phi^{+k}$ be the ordered sensor schedule corresponding to the covariance matrix $P_k(i)$ and $\lambda^{+}$ be the optimal sensor schedule for the problem.

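Definition 4 (Algebraic redundancy). (Vitus et al., 2010) A pair $(P, c) \in H$ is called algebraically redundant with respect to $H \setminus \{(P, c)\}$, if there exist nonnegative constants $\{\alpha_i\}_{i=1}^{l-1}$ such that $\sum_{i=1}^{l-1} \alpha_i = 1$ and

$$\begin{bmatrix} P & 0 \\ 0 & c \end{bmatrix} \succeq \sum_{i=1}^{l-1} \alpha_i \begin{bmatrix} P(i) & 0 \\ 0 & c(i) \end{bmatrix}$$

where $l = \operatorname{card}(H)$ and $\{(P(i), c(i))\}_{i=1}^{l-1}$ is an enumeration of $H \setminus \{(P, c)\}$.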
The following theorem provides a condition which characterizes the branches that can be pruned without eliminating the optimal solution of the sensor scheduling problem.

Theorem 3 (Vitus et al. (2010)). If the pair $(P, c) \in H_k$ is algebraically redundant, then the branch and all of its descendants can be pruned without eliminating the optimal solution from the search tree.

We are now in position to describe the sensor scheduling algorithm. Before doing this, let us recall the notion of equivalent subset of the search tree. This one is defined as a set that still contains the optimal sensor schedule after pruning realized using Theorem 1. The computation of the equivalent subsets is done via Algorithm 1 in Vitus et al. (2010). The sensor scheduling algorithm is given as follows.
Algorithm 1. Sensor scheduling for a finite horizon
(i) $H_0 = \{(P_0, \operatorname{tr}(P_0))\}$
(ii) for $k = 1, \ldots, N$, do
      $H_k = p_{\phi^{+}}(H_{k-1})$
      Perform Algorithm 1 given in (Vitus et al., 2010) with $H_k$
    end for
(iii) $\lambda^{+} = \arg\min_{j \in \{1, \ldots, \operatorname{card}(H_N)\}} J(\lambda(H_N(j)))$
Remark 3. In Vitus et al. (2010), the authors proposed a suboptimal solution which consists in approximating the search tree by pruning branches which are numerically redundant. To this end, they use the notion of $\epsilon$-redundancy. As pointed out by the authors, the $\epsilon$-redundancy concept can typically eliminate many more branches of the search tree, leading to problems of lower complexity.
3.3. Infinite horizon scheduling
The infinite horizon scheduling problem is much more challenging than its finite-horizon counterpart. In this section, we describe an infinite-horizon scheduling technique. This technique is inspired from Gupta et al. (2006) and is based on the idea of letting the sensors switch randomly according to some optimal (in a sense that will be made precise later) probability distribution. Among other advantages, the stochastic sensor selection strategy, when compared to other infinite-horizon scheduling strategies, has the advantage of being easy to implement and computationally tractable. The measurement scheduling being random, the switching pattern $\mu_k^s \in N^{+}$ is also random and it is designed to obtain the best expected steady-state performance. Indeed, it is important to note that due to the random nature of the switching pattern, the error covariance matrix $P_k$ is also random. This is why we are interested in its expected value and evaluate it for $k \to \infty$.
We will now describe the scheduling procedure we use in our FDI/scheduling co-design setting. First, recall that the Riccati recursion (48) corresponding to the stochastic switching pattern $\mu_k^s$ is given by:
$$P_{k+1} = (A_{\mu_k^s} - K_{\mu_k^s} C_{\mu_k^s}) P_k (A_{\mu_k^s} - K_{\mu_k^s} C_{\mu_k^s})^T + K_{\mu_k^s} V_{\mu_k^s} K_{\mu_k^s}^T + W_{\mu_k^s} = \phi_{\mu_k^s}(P_k) \qquad (59)$$
At each time step $k$, the stochastic switching pattern $\mu_k^s$ corresponds to the selection of a sensor group indexed by $i \in \{1, \ldots, r\}$ with the probability:

$$P(\mu_k^s = i) = p_i^k \quad \text{for } i = 1, \ldots, r$$

We assume that the probabilities $p_i^k$ tend asymptotically to constants $p_i$, $i = 1, \ldots, r$. We look at the expected value of the error covariance $P_{k+1}$. The dynamic equation describing the evolution of $E[P_k]$ is given by:

$$E[P_{k+1}] = E[\phi_{\mu_k^s}(P_k)] = \sum_{i=1}^{r} p_i^k E[\phi_i(P_k)] \qquad (60)$$
As pointed out by Gupta et al. (2006), evaluating the expectation above is intractable. One looks instead for an upper bound of this term. The optimal stochastic scheduling problem is then reformulated in terms of the minimization of this upper bound. Following similar arguments as in Gupta et al. (2006), one can show the following:
• The upper bound of the expected error covariance is given by the recursion:

$$D_{k+1} = \sum_{i=1}^{r} p_i^k \left( A_i D_k A_i^T - A_i D_k C_i^T (C_i D_k C_i^T + V_i)^{-1} C_i D_k A_i^T + W_i \right) \qquad (61)$$

with initial condition $D_0 = P_0$.
• If there exist matrices $\bar{K}_1, \ldots, \bar{K}_r$ and a positive definite matrix $X$ such that

$$X > \sum_{i=1}^{r} p_i \phi_i(X, \bar{K}_i) \qquad (62)$$

where

$$\phi_i(X, \bar{K}_i) = (A_i - \bar{K}_i C_i) X (A_i - \bar{K}_i C_i)^T + \bar{K}_i V_i \bar{K}_i^T + W_i \qquad (63)$$

then the upper bound $D_k$ converges and the limit $D_\infty$ is the unique positive semi-definite solution of the equation

$$D_\infty = \sum_{i=1}^{r} p_i \left( A_i D_\infty A_i^T - A_i D_\infty C_i^T (C_i D_\infty C_i^T + V_i)^{-1} C_i D_\infty A_i^T + W_i \right) \qquad (64)$$
We are now in position to formulate the problem of FDI/scheduling
co-design:
$$\min_{p_i} \operatorname{tr}(D_\infty) \qquad (65)$$

subject to (64) and $\sum_{i=1}^{r} p_i = 1$, $0 \le p_i \le 1$.
The FDI filter gains are then given by:

$$K_i = A_i D_\infty C_i^T (C_i D_\infty C_i^T + V_i)^{-1}, \quad i = 1, \ldots, r \qquad (66)$$

This optimization problem can be solved by a gradient based method or by exploring the search space for a reasonable number of sensor configurations $r$. After finding the probability values, the sensors are selected according to their corresponding probabilities.
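The recursions of Sections 3.2 and 3.3, run on a small case as an added example (this code is not from the paper). It assumes a constructed two-state plant with two scalar sensors sharing one channel (b = 1), both configurations admissible, and the Riccati map in the plain form used in (61) with the same A and W for every configuration; pruning is restricted to single-pair dominance (Definition 4 with one weight equal to 1) rather than Algorithm 1 of Vitus et al. (2010).

```python
# Added illustration: constructed 2-state plant, two scalar sensors, one channel (b = 1).
A = ((0.9, 0.3), (0.0, 0.8))            # state matrix (constructed)
W = ((0.10, 0.0), (0.0, 0.20))          # process-noise covariance (constructed)
SENSORS = {1: ((1.0, 0.0), 0.5),        # index i -> (row C_i, noise variance V_i)
           2: ((0.0, 1.0), 0.05)}
ADMISSIBLE = (1, 2)                     # stands for the admissible index set phi^+
P0 = ((1.0, 0.0), (0.0, 1.0))           # initial error covariance (constructed)


def mul(X, Y):
    """Product of two 2x2 matrices stored as tuples of rows."""
    return tuple(tuple(sum(X[r][k] * Y[k][c] for k in range(2)) for c in range(2))
                 for r in range(2))


def axpy(X, Y, scale=1.0):
    """Return X + scale * Y for 2x2 matrices."""
    return tuple(tuple(X[r][c] + scale * Y[r][c] for c in range(2)) for r in range(2))


def trace(P):
    return P[0][0] + P[1][1]


def phi(i, P):
    """Riccati map A P A^T - A P C^T (C P C^T + V)^-1 C P A^T + W for sensor i."""
    c, v = SENSORS[i]
    g = tuple(P[r][0] * c[0] + P[r][1] * c[1] for r in range(2))   # P C_i^T
    s = c[0] * g[0] + c[1] * g[1] + v                             # C_i P C_i^T + V_i
    post = tuple(tuple(P[r][k] - g[r] * g[k] / s for k in range(2)) for r in range(2))
    return axpy(mul(mul(A, post), tuple(zip(*A))), W)


def dominates(a, b):
    """True when pair b = (P_b, c_b, schedule) is redundant w.r.t. the single pair a."""
    d = axpy(b[0], a[0], -1.0)                                    # P_b - P_a
    psd = d[0][0] >= 0 and d[1][1] >= 0 and d[0][0] * d[1][1] - d[0][1] * d[1][0] >= 0
    return psd and b[1] >= a[1]


def search(N, pruning=True):
    """Characteristic-set recursion; returns (best cost, best schedule, card(H_N))."""
    H = [(P0, trace(P0), ())]                                     # H_0
    for _ in range(N):
        H = [(Q, c + trace(Q), s + (i,))
             for P, c, s in H for i in ADMISSIBLE for Q in [phi(i, P)]]
        if pruning:
            kept = []
            for cand in H:
                if not any(dominates(k, cand) for k in kept):
                    kept = [k for k in kept if not dominates(cand, k)] + [cand]
            H = kept
    cost, sched = min((c, s) for _, c, s in H)
    return cost, sched, len(H)


def cost_of(schedule):
    """Objective tr(P_0) + sum_i tr(P_i) of one fixed schedule, e.g. round robin."""
    P, c = P0, trace(P0)
    for i in schedule:
        P = phi(i, P)
        c += trace(P)
    return c


def upper_bound_limit(p, iters=400):
    """Iterate D_{k+1} = sum_i p_i phi_i(D_k) from D_0 = P_0, with constant p."""
    D = P0
    for _ in range(iters):
        nxt = ((0.0, 0.0), (0.0, 0.0))
        for i, p_i in zip(ADMISSIBLE, p):
            nxt = axpy(nxt, phi(i, D), p_i)
        D = nxt
    return D


def best_probabilities(steps=20):
    """Explore the search space p = (p_1, 1 - p_1) on a grid, minimising tr(D_inf)."""
    grid = [(j / steps, 1.0 - j / steps) for j in range(steps + 1)]
    return min(grid, key=lambda p: trace(upper_bound_limit(p)))


if __name__ == "__main__":
    print("pruned search:", search(6))
    print("leaves without pruning:", search(6, pruning=False)[2])
    print("round robin cost:", cost_of((1, 2) * 3))
    print("stochastic schedule probabilities:", best_probabilities())
```

The cost returned by `search` includes the constant term tr(P_0), following the initialisation H_0 = (P_0, tr(P_0)) of Definition 3.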
3.4. Illustrative example
We consider the discrete-time system (36) with 3 output channels ($b = 3$) and 4 sensors, given by the matrices

$$A = \begin{pmatrix} 0.1 & 0 & 0.43 & 0.2 \\ 0 & 0.9 & 0.1 & 0.4 \\ 0 & 0 & 0 & 0.1 \\ 0.5 & 0.1 & 0.4 & 1 \end{pmatrix}, \quad F = \begin{pmatrix} 1 & 0.2 \\ 0.5 & 0 \\ 0 & 0.4 \\ 0 & 0.1 \end{pmatrix}$$

$$C = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix}, \quad W = \begin{pmatrix} 0.095 & 0 & 0 & 0 \\ 0 & 0.088 & 0 & 0 \\ 0 & 0 & 0.059 & 0 \\ 0 & 0 & 0 & 0.87 \end{pmatrix}$$

The fault associated to the first column of the matrix $F$ occurs at time instant $r_1 = 20$, with $f_k^1 = 25 \sin(0.4k)$, while the second fault (associated to the second column of $F$) occurs at time $r_2 = 40$ with $f_k^2 = 25$.
Fig. 3 shows the reduced output residuals $q_k^r = [q_k^{r1} \ \ q_k^{r2}]^T$, in the case of using an arbitrary periodic schedule (Round Robin), the pruning based algorithm (optimal solution) and the stochastic scheduling approach respectively. In the case of stochastic scheduling the sensors are selected according to the following probabilities

$$p = [0.0626 \ \ 0.0222 \ \ 0.0270 \ \ 0.8881]$$

that result from solving the problem (65).
One can see that based on the proposed filter, one has the possibility to detect and isolate multiple faults. It is also clear that the stochastic scheduling algorithm leads to a near-optimal solution in the steady state which is much better than the periodic solution.
Fig. 3. Reduced output residuals. (Panels: $q^{r1}$ and $q^{r2}$ versus time for periodic scheduling (Round Robin), the pruning based algorithm and stochastic scheduling.)
Fig. 4. $\operatorname{tr}(P_k)$. (Curves versus time: pruning based algorithm, periodic scheduling (Round Robin), stochastic scheduling.)
Fig. 4 shows the evolution of the trace of the covariance matrix
of the estimation error for the three cases: periodic, pruning and
stochastic schedule. One can see clearly the advantage and the per-
formance of the proposed methods.
4. Conclusion
In this report, we discussed and summarized the model-based fault diagnosis for NCS, including parity space and observer-based methods, which continue to be topics of active research. Our works-in-progress include more reasonable modeling of NCS, fault diagnosis and fault-tolerant control of NCS with simultaneous time-delays and packet losses or even limited communication. More specifically, we have considered the issue of sensor scheduling and fault isolation co-design under limited bandwidth capacity. We have proposed a detection and isolation filter together with an optimal (or suboptimal) sensor scheduling sequence that ensures the fault isolability property and noise effect minimization. Future directions of research will include the infinite horizon case and extension to online scheduling techniques. Another interesting issue will be the extension of the co-design methods to systems including both controller-actuator link and sensor-controller link constraints.
References
Astrom, K. J., & Bernhardsson, B. M. (2002). Comparison of Riemann and Lebesgue sampling for first order stochastic systems. In Proceedings of the 41st IEEE conference on decision and control, 2002 (Vol. 2, pp. 2011–2016).
Branicky, M. S., Phillips, S. M., & Zhang, W. (2000). Stability of networked control
systems: Explicit analysis of delay. In Proceedings of the American control
conference.
Brockett, R. W., & Liberzon, D. (2000). Quantized feedback stabilization of linear systems. IEEE Transactions on Automatic Control, 45, 1279–1289.
Chen, J., & Patton, R. J. (1999). Robust model-based fault diagnosis for dynamic systems. Boston: Kluwer Academic Publishers.
Chen, W., & Saif, M. (2006). An iterative learning observer for fault detection and accommodation in nonlinear time-delay systems. International Journal of Robust and Nonlinear Control, 16, 1–19.
Chen, Yunxia, Zhao, Qing, Krishnamurthy, V., & Djonin, D. (2007). Transmission scheduling for optimizing sensor network lifetime: A stochastic shortest path approach. IEEE Transactions on Signal Processing, 55(5), 2294–2309 (ISSN 1053-587X).
Delchamps, D. F. (1989). Extracting state information from a quantized output record. System and Control Letters, 13, 365–372.
Ding, S. X., Ding, E. L., & Jeinsch, T. (2002). A new optimization approach to the design of fault detection filters. In Proc. of SAFEPROCESS.
Ding, S. X., Jeinsch, T., Frank, P. M., & Ding, E. L. (2000). A unified approach to the optimization of fault detection systems. International Journal of Adaptive Control and Signal Processing, 14, 7.
Elia, N., & Mitter, S. K. (2000). Quantized linear systems in system theory: Modeling,
analysis, and control. Kluwer.
Frank, P. M. (1990). Fault diagnosis in dynamic systems using analytical and
knowledge based redundancy-a survey and some new results. Automatica, 26.
Gertler, J. (1998). Fault detection and diagnosis in engineering systems. USA: Marcel
Dekker.
Gupta, Vijay, Chung, Timothy H., Hassibi, Babak, & Murray, Richard M. (2006). On a stochastic sensor selection algorithm with applications in sensor scheduling and sensor coverage. Automatica, 42(2), 251–260 (ISSN 0005-1098).
Hokayem, P. F., & Abdallah, C. T. (2004). Inherent issues in networked control
systems: A survey. In Proceeding of the 2004 American control conference.
Hristu, D. (1999). Optimal control with limited communication. PhD thesis, Harvard
University.
Hristu-Varsakelis, D. (2008). Short-period communication and the role of zero-
order holding in networked control systems. IEEE Transactions on Automatic
Control, 53, 5.
Hu, S. S., & Zhu, Q.-X. (2003). Stochastic optimal control and analysis of stability of
networked control systems with long delay. Automatica, 39, 11.
Imer, O. C., & Basar, T. (2005). Optimal estimation with limited measurements. In 44th IEEE Conference on Decision and Control, 2005 and 2005 European Control Conference. CDC-ECC '05 (pp. 1029–1034).
Ishii, H., & Francis, B. (2002). Stabilization with control networks. Automatica.
Jan Lunze, Cristina Verde, & Bo Zhou. (2012). Joint design of scheduling strategy and fault detection system for networked control systems (pp. 892–897).
Jiang, B., Staroswiecki, M., & Cocquempot, V. (2002). Fault identification for a class of time-delay systems. In Proceedings of Amer. Contr. Conf.
Jiang, B., Staroswiecki, M., & Cocquempot, V. (2003). H∞ fault detection filter design for linear discrete-time systems with multiple time delays. International Journal of Systems Science, 34, 5.
Jiang, C., & Zhou, D. H. (2005). Fault detection and identification for uncertain linear time-delay systems. Computers and Chemical Engineering, 30, 228–242.
Keller, J. Y. (1999). Fault isolation filter design for linear stochastic systems. Automatica, 35, 10.
Koenig, D., Bedjaoui, N., & Litrico, X. (2005). Unknown input observers design for
time-delay systems application to an open-channel. In Proceedings of 44th IEEE
conference on decision and control and the European control conference.
Li Lichun, Lemmon, M., & Wang, Xiaofeng (2010). Event-triggered state estimation in vector linear processes. In American Control Conference (ACC), 2010 (pp. 2138–2143).
Lincoln, B., & Bernhardsson, B. (2000). Optimal control over networks with long
random delays. In Proceedings of the international symposium on mathematical
theory of networks and systems.
Li, Shanbin, Sauter, Dominique, & Xu, Bugong (2011). Fault isolation filter for networked control system with event-triggered sampling scheme. Sensors, 11(1), 557–572.
Liu, J. H., & Frank, P. M. (1999). H∞ detection filter design for state delayed linear systems. In Proc. 14th IFAC world congress.
Mangoubi, R. S., & Edelmayer A. M. (2000). Model-based fault detection: The
optimal past, the robust present and a few thoughts on the future. In
Proceedings of SAFEPROCESS.
Mo, Yilin, Ambrosino, Roberto, & Sinopoli, Bruno (2011). Sensor selection strategies for state estimation in energy constrained wireless sensor networks. Automatica, 47(7), 1330–1338 (ISSN 0005-1098).
Nair, G. N., & Evans, R. J. (1997). State estimation via a capacity-limited
communication channel. In Proceedings of the Conf. on Dec. and Contr.
Nejad, H. H., Sauter, D., & Aberkane, S. (2010). On-line scheduling and fault detection in NCS with communication constraints in drone application. In 2010 Conference on Control and Fault-Tolerant Systems (SysTol) (pp. 867–872). IEEE.
Nejad, H. H., Sauter, D., Aberkane, S., & Aubrun, C. (2011). Fault detection and
isolation in networked control systems with access constraints and packet
dropouts. In 19th Mediterranean Conference on Control and Automation (MED).
Nilsson, J. (1998). Real-time control systems with delays. PhD thesis, Lund University.
Nilsson, J., Bernhardsson, B., & Wittenmark, B. (1998). Stochastic analysis and control of real-time systems with random time delays. Automatica, 34, 57–64.
Ray, A., & Halevi, Y. (1988). Integrated Communication and Control Systems: Part II
Design considerations. ASME Journal of Dynamic Systems, Measurement and
Control, 110, 4.
Sahai, A. (2000). Evaluating channels for control capacity reconsidered. In
Proc. Amer. Conf. Contr.
Sauter, D. & Boukhobza, T. (2006). Robustness against unknown networked induced
delays of observer based. In 6th IFAC Symposium Fault Detection and Safety of
Technical Processes.
Sauter, D., Li, S., & Aubrun, C. (2009). Robust fault diagnosis of networked control systems. International Journal of Adaptive Control and Signal Processing, 23, 722–736.
Savkin, A. V., & Petersen, I. R. (2003). Set-valued state estimation via a limited capacity communication channel. IEEE Transactions on Automatic Control, 48, 676–680.
Seiler, P. J. (2001). Coordinated control of unmanned aerial vehicles. PhD thesis,
University of California Berkeley, 2001.
Seiler, P., & Sengupta, R. (2005). An H∞ approach to networked control. IEEE Transactions on Automatic Control, 50, 3.
Sergio Bittanti, Edoardo Mosca, & Ling Shi. (2011). Time and event-based sensor scheduling for networks with limited communication resources (pp. 13263–13268).
Sid, M. A., Aberkane, S., Sauter, D., & Maquin, D. (2012). Fault isolation filter and sensors scheduling co-design for networked control systems. In Fault isolation filter and sensors scheduling co-design for networked control systems.
Sid, M. A., Aberkane, S., Maquin, D., & Sauter, D. (2013). Ordonnancement des mesures pour la détection et la localisation de défauts dans un système contrôlé en réseau. In 5èmes Journées Doctorales / Journées Nationales MACS, JD-JN-MACS 2013, Strasbourg.
Sijs, J., & Lazar, M. (2012). Event based state estimation with time synchronous updates. Automatic Control IEEE Transactions on, 57(10), 2650–2655 (ISSN 0018-9286).
Sinopoli, B., Schenato, L., Franceschetti, M., Poolla, K., Jordan, M., & Sastry, S. (2004). Kalman filtering with intermittent observations. IEEE Transactions on Automatic Control, 49, 1453–1464.
Tatikonda, S. (2000). Control under communication constraints. PhD thesis,
Massachusetts Institute of Technology.
Tipsuwan, Y., & Chow, M. Y. (2003). Control methodologies in networked control
systems. Control Engineering Practice, 11, 10.
Vitus, M. P., Zhang, W., Abate, A., Hu, J., & Tomlin, C. J. (2010). On efcient sensor
scheduling for linear dynamical systems. In American Control Conference (ACC).
Walsh, G. C., & Ye, Hong (2001). Scheduling of networked control systems. IEEE
Control Systems, 21(1), 5765 (ISSN 1066-033X).
Wang, Yongqiang, Ding, Steven X., Ye, Hao, Wei, Li., Zhang, Ping, & Wang, Guizeng
(2009). Fault detection of networked control systems with packet based
periodic communication. International Journal of Adaptive Control and Signal
Processing, 23(8), 682-698 (ISSN 1099-1115).
D. Sauter et al. / Annual Reviews in Control 37 (2013) 321-332
Wang, Y. Q., Ye, H., & Wang, G. Z. (2006). A new method for fault detection of
networked control systems. In 1st IEEE conference on industrial electronics and
applications.
Willsky, A. S. (1976). A survey of design methods for failure detection in dynamic
systems. Automatica, 12.
Wong, W. S., & Brockett, R. W. (1997). Systems with finite communication
bandwidth constraints-Part I: state estimation problems. IEEE Transactions on
Automatic Control, 42, 1294-1299.
Wu Junfeng, Johansson, K. H., & Shi Ling. (2012). An improved hybrid sensor
schedule for remote state estimation under limited communication resources.
In 2012 IEEE 51st Annual Conference on Decision and Control (CDC)
(pp. 3305-3310).
Xiao, L., Hassibi, A., & How, J. (2000). Control with random communication delays
via a discrete-time jump system approach. In Proceedings of American Control
Conference.
Xu, Y. (2006). Communication scheduling methods for estimation over networks. PhD
thesis, University of California, Santa Barbara.
Yang, T. C. (2006). Networked control system: A brief survey. IEE Proceedings-Control
Theory and Applications, 153, 4.
Yang, H. L., & Saif, M. (1998). Observer design and fault diagnosis for state-retarded
dynamical systems. Automatica, 34, 2.
Ye, H., & Ding, S. X. (2004). Fault detection of networked control systems with
network-induced delay. In Proceedings of the 8th international conference on
control, automation, robotics and vision.
Yue, D., Han, Q. L., & Lam, J. (2005). Network-based robust H∞ control of systems
with uncertainty. Automatica, 41, 999-1007.
Yu, M., Wang, L., Chu, T., & Hao, F. (2005). Stabilization of networked control
systems with packet dropout and transmission delays: Continuous-time case.
European Journal of Control, 11.
Zehui, Mao, Bin, Jiang, & Shi, Peng (2009). Protocol and fault detection design for
nonlinear networked control systems. IEEE Transactions on Circuits and Systems
II: Express Briefs, 56, 255-259 (ISSN 1549-7747).
Zhang, W. (2001). Stability analysis of networked control systems. PhD thesis, Case
Western Reserve University.
Zhang, Y. M., & Jiang, J. (2003). Bibliographical review on reconfigurable
fault-tolerant control systems. In 5th IFAC Symposium on Fault Detection, Supervision
and Safety of Technical Processes (SAFEPROCESS03).
Zhang, Ping, & Ding, S. X. (2009). Influence of sampling period on a class of optimal
fault-detection performance. IEEE Transactions on Automatic Control, 54(6),
1396-1402 (ISSN 0018-9286).
Zhang, P., Ding, S. X., Frank, P. M., & Sader, M. (2004). Fault detection of networked
control systems with missing measurements. In Fifth Asian Control Conf.
Zhong, M., Ye, H., & Zhou, G. W. D. H. (2005). Fault detection filter for linear
time-delay systems. Nonlinear Dynamics and Systems Theory, 5, 3.
Dominique Sauter is a full Professor at the University of Lorraine, where he teaches
Automatic Control and Fault Diagnosis. He was head of the Electrical
Engineering Department for 4 years and Vice-Dean of the Faculty of Sciences
and Technology. He is a member of the Research Center in Automatic Control of
Nancy (CRAN) and is the co-leader of the research department on Control
Identification and Diagnosis, which includes 40 permanent researchers. His current
research interests are focused on model-based fault diagnosis and fault tolerance, with
emphasis on networked control systems. Prof. Sauter is currently serving as an
associate editor for the journal Applied Mathematics and Computer Science and
senior editor for the Journal of Intelligent & Robotic Systems. He is a member of the
SafeProcess Technical Committee of the International Federation of Automatic
Control (IFAC) and has also been appointed by the IEEE Control Systems Society to
the position of general chair for the organisation of the IEEE Multi Conference on
system and control 2014 (MSC14).
Mohamed Amine Sid received the M.Sc. degree from Ferhat Abbas University, Sétif,
Algeria, in 2010. He is currently preparing his Ph.D. thesis at the Research Center in
Automatic Control (CRAN), France. His research interests include networked control
systems (NCSs), fault diagnosis of dynamical systems and co-design techniques in
diagnosis of NCSs.
Samir Aberkane was born in Algeria, in 1979. He received the M.Sc. degree from
Polytechnic Institute of Lorraine, Nancy, France, in 2003 and the Ph.D. degree from
Henri Poincaré University, Nancy, France, in 2006, both in control theory. In 2007,
he held a Post-Doctoral position at Université Libre de Bruxelles, Belgium. He is
currently Associate Professor at University of Lorraine, France. His research
interests include reconfigurable control systems, stochastic hybrid systems and robust
control theory.
Didier Maquin is a professor of automatic control at the University of Lorraine,
France. He teaches automatic control, data analysis and applied mathematics in
various engineering schools. He is a member of the Research Center in Automatic
Control of Nancy. From January 2005 to December 2012, he was the scientific leader
of a research group called Dependability and System Diagnosis, which gathered
about twenty researchers and as many Ph.D. students. From a national point of
view, Didier Maquin is involved in the French Automatic Control Research Group.
He has been on its directorate staff since 2001 and currently serves as the head of
the theme Dependability, Supervision and Maintenance. Didier Maquin has
co-authored around 50 journal articles and 140 conference communications.