
Published in IET Control Theory and Applications

Received on 11th June 2009
Revised on 30th January 2010
doi: 10.1049/iet-cta.2009.0294
ISSN 1751-8644

Hybrid fault detection and isolation strategy for non-linear systems in the presence of large environmental disturbances

N. Meskin (1), K. Khorasani (2), C.A. Rabbath (3)

(1) Department of Electrical Engineering, College of Engineering, Qatar University, PO Box 2713, Doha, Qatar
(2) Department of Electrical and Computer Engineering, Concordia University, Montreal, Quebec, Canada H3G 1M8
(3) Department of National Defence, Defence Research and Development Canada (DRDC), Valcartier, 2459 boul, Pie XI North, Quebec, Canada
E-mail: kash@ece.concordia.ca

Abstract: The problem of designing and developing a hybrid fault detection and isolation (FDI) scheme for a
non-linear system that is subject to large environmental disturbances is investigated. In the proposed FDI
scheme, a hybrid architecture is introduced, which is composed of a bank of residual generators and a
discrete-event system (DES) fault diagnoser. A novel set of residuals is generated so that a DES fault
diagnoser will robustly detect and isolate actuator faults in the system by incorporating an appropriate
combination of residuals and their sequential features. Necessary and sufficient conditions for the existence
of a set of residuals that are used by the DES fault diagnoser are derived based on the non-linear geometric
FDI approach. The proposed hybrid FDI scheme is then applied to actuator fault detection and isolation of
an almost-lighter-than-air-vehicle. Simulation results presented demonstrate and validate the performance
capabilities of the proposed hybrid FDI scheme.
1 Introduction
One of the important issues in model-based fault detection
and isolation (FDI) schemes is their robustness
performance against environmental disturbances and
modelling errors. Broadly speaking, two general approaches
have been developed in the literature for the design of
robust FDI algorithms with respect to disturbance inputs
and modelling errors. Specifically, they are known as
disturbance decoupling and disturbance attenuation
approaches. In the former approaches, a residual is
generated which is decoupled from the disturbance inputs.
Various techniques such as the unknown input observer
[1], parity space [2] and differential geometric [3] have
been developed for achieving the disturbance
decoupling property. One of the main limitations of the
disturbance decoupling approach is that the number of
output measurements may not be sufficient in relation to
the number of faults and disturbances that will
consequently limit the number of faults that can be
detected and isolated.
The disturbance attenuation approaches attempt to minimise the effects of disturbance inputs on the residuals by using techniques such as game theory, non-linear $H_\infty$ control [4, 5] or sliding mode observers [6]. In these methods, the residual threshold limits are selected by considering the worst-case analysis of the bounded disturbance inputs. However, these thresholds are mostly selected by considering the upper bounds of the disturbance inputs that could generally lead to large thresholds and high likelihoods of missing detection of incipient faults. Moreover, the design of robust observers based on non-linear $H_\infty$ approaches requires the solution to a complex set of partial differential equations. Recently, an FDI strategy based on entropy optimisation filtering is proposed for non-linear stochastic systems [7, 8]. However, for this approach to be applied, stochastic characteristics of the disturbances, such as their probability distribution functions (PDFs), are required to be known.

IET Control Theory Appl., 2010, Vol. 4, Iss. 12, pp. 2879–2895
doi: 10.1049/iet-cta.2009.0294 © The Institution of Engineering and Technology 2010
www.ietdl.org

In this paper, a novel hybrid FDI scheme for a non-linear
system that is subject to large environmental disturbances is
developed. Many modern systems such as aircraft and
balloons are expected to operate in harsh environments
where large disturbances (wind gust) may be present. One
of the main challenges in designing a robust FDI scheme
for these systems is to determine how to distinguish
between large environmental disturbances and faults or
failures. In this paper, we introduce a hybrid diagnosis
approach to tackle this problem for actuator faults.
Towards this end, a hybrid architecture for a robust FDI is
introduced that is composed of a bank of continuous-time
residual generators and a discrete-event system (DES) fault
diagnoser. First a set of residuals is generated for a family
of fault signatures with a given isolability index (defined
subsequently). Two threshold levels are assigned to the
residuals. It is further assumed that the external
disturbances can be categorised into two families, namely,
the tolerable disturbance inputs, and the large and
unexpected disturbances. The first level of threshold is
selected such that using the residuals the tolerable
disturbance inputs do not generate any false alarms. Next, a
complementary set of residuals is generated by considering
the effects of disturbances on the first set of generated
residuals. A DES fault diagnoser is then designed to
invoke an appropriate combination of the residuals and
their sequential features to not only detect and isolate faults
and guarantee no false alarms, but also to detect and
identify the occurrence of large external disturbances.
It should be emphasised that our proposed FDI approach
achieves simultaneous robust FDI as well as large and
unexpected disturbance detection without imposing any
limitations on the total number of faults that can be
detected and isolated. In contrast, in the previous FDI
algorithms developed in [3, 9, 10], the residuals are
decoupled from the disturbance inputs. However, the
number of output measurements may not be sufficient with
respect to the number of faults and disturbances, and
therefore one may not be able to achieve disturbance
decoupling as well as FDI properties simultaneously.
Our proposed hybrid FDI scheme is finally applied to
actuators FDI problem in an almost-lighter-than-air-vehicle
(ALTAV) system. The ALTAVs use buoyancy to float in the
air complemented by the use of four motors to generate
sufficient lift forces. The Quanser ALTAV [11, 12] system
provides a platform to demonstrate and validate fault
diagnosis algorithms for a fleet of unmanned aerial vehicles.
The ALTAV system that is used for simulation studies in
this paper (as well as in real-world experiments) has six
degrees of freedom, in which translational and rotational
motions are described by six variables, and four control inputs
are available corresponding to four motors on the vehicle.
The presence of both single and multiple simultaneous faults
in the vehicle's four input channels are shown to be detected and
isolated by using our proposed FDI method. Moreover, it is
shown that no false alarms are generated because of wind
disturbances and changes in the buoyant force of the ALTAV
system. Preliminary results of our proposed FDI scheme for
the ALTAV system are presented in [13].
The remainder of this paper is organised as follows. In
Section 2, the non-linear geometric FDI approach of [3] is
briefly reviewed and the notion of the structured FDI for
non-linear systems is introduced. Our hybrid FDI scheme
for a non-linear system that is subject to large disturbances
is developed and presented in Section 3. The proposed
FDI scheme is then applied to a non-linear ALTAV
system in Section 4. Simulation results corresponding to
different fault scenarios are provided in Section 5.
Conclusions and future work are presented in Section 6.
The following notation is used throughout the paper. For any positive integer $k$, $\mathbf{k}$ denotes the finite set $\{1, 2, \ldots, k\}$. For a given set $\mathbf{n}$, a combination is an unordered collection of the elements of $\mathbf{n}$ and is a subset of $\mathbf{n}$. The order of the elements in a combination is not important and the elements cannot be repeated. $C(n, k)$ denotes the number of $k$-combinations ($k$-subsets) of $\mathbf{n}$, which is equal to $n!/(k!(n-k)!)$, $T^{*}X$ denotes the co-tangent space of the manifold $X$ and $\bar{L}$ denotes the involutive closure of the distribution $L$. For any $1 \le p < \infty$, we denote $L_p[0, \infty) = \{f(x) \mid \|f\|_p = (\int_0^\infty |f(x)|^p\,dx)^{1/p} < \infty\}$ and $L_\infty = \{f(x) \mid \|f\|_\infty < \infty\}$, where $\|f\|_\infty = \inf\{C \ge 0 : |f(x)| \le C \text{ for almost every } x\}$.

2 Structured FDI for non-linear systems

Consider a general class of non-linear systems that is described by the following model

$$
\begin{aligned}
\dot{x} &= f(x) + g(x)u + \sum_{i=1}^{k} l_i(x)\, m_i \\
y &= h(x)
\end{aligned}
\tag{1}
$$

with the state $x$ defined in a neighbourhood $X$ of the origin in $\mathbb{R}^n$, the input is denoted by $u \in \mathbb{R}^m$, the output is denoted by $y \in \mathbb{R}^q$, the fault modes are denoted by $m_i \in \mathbb{R}^{k_i}$, the $l_i(x)$'s are the fault signatures, $f(x)$, $g(x)$ and the $l_i(x)$'s are smooth vector fields, $h(x)$ is a non-linear smooth mapping, and $f(0) = 0$, $h(0) = 0$. It is assumed that $\operatorname{span}\{l_i^1(x), \ldots, l_i^{k_i}(x)\}$, $i \in \mathbf{k}$ is non-singular, where $l_i^j$ denotes the $j$th column of $l_i$. It should be emphasised that the fault modes $m_i$ can be both time dependent and state dependent.

The structured fault detection and isolation problem (SFDIP) as introduced in [14] for linear systems is defined formally as design of a dynamic residual generator that takes the observables $u(t)$ and $y(t)$ as inputs and generates a set of $\xi$ residuals $r_j(t)$, $j \in J = \{1, \ldots, \xi\}$ with the following properties: (a) when no failure is present, all the residuals $r_j(t)$ decay asymptotically to zero and (b) for each fault signal $m_i(t)$, the residuals $r_j(t)$, $j \in \Omega_i \subset J$, are affected by $m_i(t)$, and the other residuals $r_a(t)$, $a \in J - \Omega_i$, are decoupled from this fault.

The prespecified family of the coding sets $\Omega_i \subseteq J$, $i \in \mathbf{k}$ should be chosen such that by knowing which $r_j(t)$ is zero and which ones are not, one can uniquely identify the fault. The resulting residual set which has the corresponding required sensitivity to specific faults and insensitivity to others is known as the structured residual set [15]. For detecting all possible faults in the system, no coding set should be empty. The minimum requirement for fault isolation is that all the coding sets be distinct. Coding sets satisfying the above two requirements are defined as weakly isolating. The weakly isolating coding sets $\Omega_i$, $i \in \mathbf{k}$ are defined as being strongly isolating if for each $i, j \in \mathbf{k}$, $i \ne j$, $\Omega_i \not\subset \Omega_j$. A strongly isolating coding set prevents incorrect fault detection when some of the residuals in $\Omega_i$ do not exceed the respective thresholds whereas the others do. For the given coding sets $\Omega_i$, $i \in \mathbf{k}$, the finite set $\Gamma_j \subset \mathbf{k}$, $j \in J$ is defined as the collection of all $i \in \mathbf{k}$ for which the $i$th failure mode affects the $j$th residual, that is, $\Gamma_j = \{i \in \mathbf{k} \mid j \in \Omega_i\}$.

In the non-linear fundamental problem in residual generation (lNFPRG) introduced in [3], the family of the coding sets was chosen as $\Omega_i = \{i\}$. This family of coding sets is also called a dedicated residual set [1]. In this coding scheme, one needs to design a set of filters that generates $k$ residuals $r_i(t)$, $i \in \mathbf{k}$ such that the fault in the $i$th component $l_i$ can only affect the residual $r_i(t)$ and no other residuals $r_j(t)$ ($i \ne j$). With this coding scheme, one can detect and isolate multiple faults in all channels.

The solvability conditions for the lNFPRG were obtained in [3]. For a given distribution $L$, let the largest conditioned invariant distribution which contains $L$ be denoted by $\Sigma_*^{L}$ and the largest codistribution contained in $L^{\perp}$ as $\text{o.c.a.}((\Sigma_*^{L})^{\perp})$. The lNFPRG then has a solution only if there exist observability codistributions $\Pi_i^{*} = \text{o.c.a.}((\Sigma_*^{L_i})^{\perp})$ such that $(\operatorname{span}\{l_i\})^{\perp} + \Pi_i^{*} = T^{*}X$ where $L_i = \operatorname{span}\{l_1(x), \ldots, l_{i-1}(x), l_{i+1}(x), \ldots, l_m(x)\}$. If the observability codistribution $\Pi_i^{*}$ exists, one can find a coordinate transformation such that the subsystem of the new system in the new local coordinates, denoted by the $z_1$-subsystem [3], is only affected by $m_i(t)$ and is decoupled from others. However, the existence of the observability codistribution $\Pi_i^{*}$ is not sufficient to guarantee that a state observer can be built for the $z_1$-subsystem. To guarantee the existence of a state observer, extra assumptions are needed ([3, Assumption III]). We are now in a position to state our first result.

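Theorem 1: For a given family of the coding sets, the SFDIP problem has a solution only if

$$
\operatorname{span}\{l_i\} \not\subset [\Pi_j^{*}]^{\perp}, \quad i \in \Gamma_j
$$

where $\Pi_j^{*} = \text{o.c.a.}((\Sigma_*^{L_{\Gamma_j}})^{\perp})$ and $L_{\Gamma_j} = \operatorname{span}\{l_i(x),\ i \notin \Gamma_j\}$, $j \in J$.
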
Proof: According to [3], the SFDIP problem can be solved as $\xi$ separate lNFPRG problems. Each residual $r_j(t)$, $j \in J$ can be generated by applying the lNFPRG results to the following model

$$
\begin{aligned}
\dot{x}(t) &= f(x) + g(x)u(t) + \bar{l}_1(x)\,\bar{m}_1(t) + \bar{l}_2(x)\,\bar{m}_2(t) \\
y(t) &= h(x)
\end{aligned}
$$

where $\bar{l}_1(x) = \{l_i(x) \mid i \in \Gamma_j\}$, $\bar{l}_2(x) = \{l_i(x) \mid i \in \mathbf{k} - \Gamma_j\}$, $\bar{m}_1 = \{m_i \mid i \in \Gamma_j\}$ and $\bar{m}_2 = \{m_i \mid i \in \mathbf{k} - \Gamma_j\}$. This completes the proof of the theorem. □

It is clear that similar extra assumptions as in [3] are required for the design of state observers as the residual signal generators in SFDIP. A family of fault signatures that satisfies the lNFPRG conditions above where $\Omega_i = \{i\}$ is said to be strongly detectable. It follows that a necessary condition for the existence of a solution to the lNFPRG is that $\operatorname{Rank}\{l_1(x), l_2(x), \ldots, l_k(x)\} = \sum_{i=1}^{k} k_i$, $x \in X$, which implies that there should be no dependency among the fault signatures. Recently in [16], a new coding set has been introduced for the family of fault signatures that are not strongly detectable. It is clear that for a family of fault signatures that is not strongly detectable, one cannot detect and isolate multiple faults in all channels. To formalise our results, the following isolability index is introduced next.

Definition 1: For system (1) with a family of fault signatures $l_i(x)$, $i \in \mathbf{k}$, the isolability index $\mu$ is defined as the maximum number of multiple simultaneous faults that can be detected and isolated.

It is clear that the weakly isolating coding sets $\Omega_i$'s that can be used for detecting and isolating the occurrence of up to $\mu$ multiple faults should have the following property that for each two different $1 \le l, h \le \mu$ combinations $l_{i_1}(x), \ldots, l_{i_l}(x)$ and $l_{j_1}(x), \ldots, l_{j_h}(x)$ of $l_i$'s

$$
\Omega_{i_1 i_2 \ldots i_l} \ne \Omega_{j_1 j_2 \ldots j_h}
\tag{2}
$$

where for each $l$ combination $l_{i_1}, \ldots, l_{i_l}$ of $l_i$'s, $\Omega_{i_1 i_2 \ldots i_l} = \bigcup_{j=i_1}^{i_l} \Omega_j$. Moreover, in order to prevent false fault isolation, it is desirable to have strongly isolating coding sets $\Omega_{i_1 i_2 \ldots i_l}$ as defined below.

Definition 2: The coding sets that satisfy the condition (2) are said to be strongly isolating with index $\mu$ if for each two different $1 \le l \le \mu$ combination $l_{i_1}, \ldots, l_{i_l}$ and $l_{j_1}, \ldots, l_{j_l}$ of $l_i$'s, $\Omega_{i_1 i_2 \ldots i_l} \not\subset \Omega_{j_1 j_2 \ldots j_l}$ and $\Omega_{i_1 i_2 \ldots i_l} \not\supset \Omega_{j_1 j_2 \ldots j_l}$. Moreover, if the SFDIP problem for a given family of fault signatures has a solution for a strongly isolating coding set with index $\mu$, then we call the isolability index of that family as the strongly isolability index $\mu$.

Lemma 1: The strong isolability index $\mu$ of a given family of fault signatures is either $\mu = k$ or $\mu < k - 1$.

Proof: Let $\Omega_i$, $i \in \mathbf{k}$ be strongly isolating with index $\mu = k - 1$. Assume that concurrent faults have occurred in all the fault signatures. Since the $\Omega_i$'s are weakly isolating (none of them is empty), all residuals will be affected by these concurrent faults. Moreover, since the strong isolability of fault signatures is $\mu$, it is clear that for each $k - 1$ combination $l_{i_1}(x), \ldots, l_{i_{k-1}}(x)$ of $l_i$'s, we have $\Omega_{i_1 i_2 \ldots i_{k-1}} \ne \Omega_{1, \ldots, k} = \bigcup_{j=1}^{k} \Omega_j$. Therefore one can also detect whether there exist concurrent faults in all the channels. Moreover, by assumption one can detect and isolate up to $k - 1$ concurrent faults. Consequently, we have $\mu = k$. □

It should be emphasised that not every coding set satisfying condition (2) is strongly isolating with index $\mu$. For instance, consider the coding sets $\Omega_1 = \{1, 2\}$, $\Omega_2 = \{3, 4\}$ and $\Omega_3 = \{2, 3\}$. It can easily be verified that these coding sets satisfy the condition (2) with $\mu = 2$ but they are not strongly isolating with index 2. Indeed, it is clear that $\Omega_{2,3} \subset \Omega_{1,2}$. Since strong isolability index is more desirable and it prevents incorrect detection and isolation, we will focus on strong isolability index. The next theorem illustrates how one can construct coding sets that have the strong isolability index $\mu < k - 1$.

Theorem 2: Let $\Gamma_j$, $j \in J$ be defined as the $k - \mu$ combinations of the set $\mathbf{k}$. The corresponding sets $\Omega_i$, $i \in \mathbf{k}$ defined as $\Omega_i = \{j \in J \mid i \in \Gamma_j\}$ are then strongly isolating with index $\mu$.

Proof: Consider two different $1 \le l, h \le \mu$ combinations $i_1, \ldots, i_l$ and $j_1, \ldots, j_h$ of the set $\mathbf{k}$. In order to show that (2) holds it is sufficient to show that the complement sets $J - \Omega_{i_1 i_2 \ldots i_l}$ and $J - \Omega_{j_1 j_2 \ldots j_h}$ are not equal, where

$$
J - \Omega_{i_1 i_2 \ldots i_l} = \{j \in J \mid i_k \notin \Gamma_j,\ i_k \in \{i_1, \ldots, i_l\}\}
\tag{3}
$$

Assume that $l \le h$. Since two combinations $i_1, \ldots, i_l$ and $j_1, \ldots, j_h$ are different, there exists $j_t \in \{j_1, \ldots, j_h\}$ such that $j_t \in \mathbf{k} - \{i_1, i_2, \ldots, i_l\}$. Since the sets $\Gamma_j$, $j \in J$ are defined as $k - \mu$ combinations of the set $\mathbf{k}$ and $l \le \mu$, there exists a combination $\Gamma_j$ such that $j_t \in \Gamma_j$ and $i_k \notin \Gamma_j$, $i_k \in \{i_1, \ldots, i_l\}$, therefore $j \notin J - \Omega_{j_1 j_2 \ldots j_h}$ and $j \in J - \Omega_{i_1 i_2 \ldots i_l}$, which shows that (3) holds. The combination $\Gamma_j$ can be found by first selecting $j_t$ and then selecting $k - \mu - 1$ elements from the set $\mathbf{k} - \{i_1, i_2, \ldots, i_l, j_t\}$. It is clear that since $l \le \mu$, then $|\mathbf{k} - \{i_1, i_2, \ldots, i_l\}| \ge k - \mu$ and one can find the combination $\Gamma_j$. Similarly, it can be shown that the coding sets $\Omega_i$'s satisfy the conditions in Definition 2, and hence are strongly isolating.

In order to show that $\mu$ is the maximum number of combinations that satisfy (2), it should be noted that $|J - \Omega_{i_1 i_2 \ldots i_l}| = C(k - l, k - \mu)$ therefore for $l > \mu$, the set $J - \Omega_{i_1 i_2 \ldots i_l}$ is empty and for any different $l$ combinations $i_1, \ldots, i_l$ and $j_1, \ldots, j_l$, we have $\Omega_{i_1 i_2 \ldots i_l} = \Omega_{j_1 j_2 \ldots j_l}$. □

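The construction of Theorem 2 and the counter-example that precedes it can be checked mechanically. The Python sketch below is an added example, not code from the paper; its function names are illustrative, and it reads Definition 2 as "no containment between the union coding sets of two different fault combinations of the same size".

```python
from itertools import combinations
from math import comb


def build_coding_sets(k, mu):
    """Theorem 2 construction: the Gamma_j are the (k - mu)-combinations of
    {1..k}; Omega_i collects the residual indices j whose Gamma_j contains i."""
    gammas = {j: frozenset(c)
              for j, c in enumerate(combinations(range(1, k + 1), k - mu), start=1)}
    omegas = {i: frozenset(j for j, g in gammas.items() if i in g)
              for i in range(1, k + 1)}
    return gammas, omegas


def union_code(omegas, faults):
    """Union coding set: residuals affected when all `faults` are present."""
    return frozenset().union(*(omegas[i] for i in faults))


def fault_combinations(k, max_size):
    """All combinations of 1..max_size concurrent faults out of k."""
    return [c for size in range(1, max_size + 1)
            for c in combinations(range(1, k + 1), size)]


def satisfies_condition_2(omegas, mu):
    """Condition (2): every combination of up to mu faults has its own code."""
    codes = [union_code(omegas, c) for c in fault_combinations(len(omegas), mu)]
    return len(set(codes)) == len(codes)


def strongly_isolating(omegas, mu):
    """Definition 2 (as read above): for each size l <= mu, no union code of
    one l-combination is contained in the union code of another."""
    k = len(omegas)
    for size in range(1, mu + 1):
        codes = [union_code(omegas, c)
                 for c in combinations(range(1, k + 1), size)]
        for a, b in combinations(codes, 2):
            if a <= b or b <= a:
                return False
    return True


def isolate(omegas, mu, fired):
    """Map the set of residuals above threshold to the unique combination of
    at most mu faults that explains it; None if there is no unique match."""
    fired = frozenset(fired)
    matches = [c for c in fault_combinations(len(omegas), mu)
               if union_code(omegas, c) == fired]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    # k = 3 faults, index mu = 1: three residuals, each Omega_i of size two.
    gammas, omegas = build_coding_sets(3, 1)
    print("Gamma:", {j: sorted(g) for j, g in gammas.items()})
    print("Omega:", {i: sorted(o) for i, o in omegas.items()})
    print("residual count:", len(gammas), "= C(3, 1) =", comb(3, 1))

    # Counter-example from the text: condition (2) holds with mu = 2, but the
    # sets are not strongly isolating with index 2.
    counter = {1: frozenset({1, 2}), 2: frozenset({3, 4}), 3: frozenset({2, 3})}
    print("condition (2):", satisfies_condition_2(counter, 2))
    print("strongly isolating:", strongly_isolating(counter, 2))

    # With mu + 1 concurrent faults the constructed codes coincide, so mu is
    # the largest number of simultaneous faults that can be told apart.
    print(union_code(omegas, (1, 2)) == union_code(omegas, (1, 3)))
```
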
Theorem 3: A necessary condition for the SFDIP problem for the non-linear system (1) to have a solution for the coding sets introduced in Theorem 2 and a given family of fault signatures is that for each $\mu + 1$ combination $l_{i_1}(x), \ldots, l_{i_{\mu+1}}(x)$ of $l_i(x)$'s, the dimension of the distribution $D = \operatorname{span}[l_{i_1}(x), \ldots, l_{i_{\mu+1}}(x)]$ is $v_i = \sum_{j=1}^{\mu+1} k_{i_j}$.

Proof: If there exists a $\mu + 1$ combination $l_{i_1}(x), \ldots, l_{i_{\mu+1}}(x)$ of $l_i(x)$'s such that the dimension of the distribution $D = \operatorname{span}[l_{i_1}(x), \ldots, l_{i_{\mu+1}}(x)]$ is less than $v_i = \sum_{j=1}^{\mu+1} k_{i_j}$, then there exists $x \in X$ such that $l_{i_{\mu+1}}(x) \subset D_i = \operatorname{span}\{l_{i_1}(x), \ldots, l_{i_\mu}(x)\}$. Due to the fact that the sets $\Gamma_j$ are defined in Theorem 2 as the $k - \mu$ combinations of the set $\mathbf{k}$, one of the sets $\Gamma_j$ is equal to $\mathbf{k} - \{i_1, i_2, \ldots, i_\mu\}$ and $\operatorname{span}\{l_{i_{\mu+1}}\} \subset (\text{o.c.a.}((\Sigma_*^{D_i})^{\perp}))^{\perp}$. □

The above necessary condition provides a test to determine
the possible values of the isolability index for a family of fault
signatures. In the next section, based on our introduced
strongly isolating coding set with index $\mu$, a hybrid FDI
scheme for non-linear systems is developed that is
subjected to both large and unexpected disturbances as well
as actuator faults where the family of fault signatures is not
necessarily strongly detectable.
3 Hybrid non-linear FDI approach
Consider the following non-linear system

$$
\begin{aligned}
\dot{x} &= f(x) + g(x)u + \sum_{i=1}^{k} l_i(x)\, m_i + \sum_{l=1}^{P} p_l(x)\, v_l \\
y &= h(x) + v
\end{aligned}
\tag{4}
$$

where $v_l \in \mathbb{R}^{P_l}$ denotes the disturbance inputs, $v$ represents the measurement noise and $l_i(x)$ represents the actuator fault signatures. It is assumed that $v_l, v \in L_p[0, \infty)$ for some $1 \le p \le \infty$ where $L_p[0, \infty)$ denotes the space of $L_p$ norm bounded signals, that is, $\|v\|_p < \infty$.

Assumption 1: The disturbance inputs are categorised into two types, namely tolerable disturbance signals $D_1 = \{v \in L_p[0, \infty) \mid \|v\|_p < d_1\}$, and large and unexpected disturbance signals $D_2 = \{v \in L_p[0, \infty) \mid d_1 < \|v\|_p < d_2\}$, where $d_1 \le d_2$ and $d_2$ can be considered to be arbitrarily large.

As an example for the ALTAV system that is introduced and described in detail in Section 4, the wind disturbance forces ($W$) can be categorised into two types, namely the regular tolerable wind disturbances that satisfy $\|W\| \le 0.5$ (N) and the large unexpected wind gust disturbances that satisfy $0.5 \le \|W\| < 5$ (N).

Assumption 2: A given actuator fault and the unexpected large disturbances have not occurred simultaneously and there exists a sufficient time interval between the occurrence of a fault and the disturbances.

Our goal in this paper is to solve the problem of designing a hybrid fault diagnoser (HFD) in order to detect and isolate each fault $m_i$ while guaranteeing that the fault diagnoser remains robust with respect to both types of disturbances as described in Assumption 1. In other words, no false alarms should be generated because of disturbances. The HFD is composed of two modules, namely, a low-level bank of residual generators and a high-level DES diagnoser. The bank of continuous-time residual generators first produces a set of residuals based on the non-linear geometric FDI approach. It then compares, using an evaluation function, each residual to its corresponding threshold value, from which a set of residual logic units is generated. Two levels of thresholds are needed for certain residuals (this will be discussed in more detail subsequently). The DES diagnoser module is a finite-state automaton that takes the residual logic units as inputs and estimates the current state of the system. For designing such a DES diagnoser, the combined non-linear plant and the bank of residual generators is modelled as a finite-state Moore automaton ($G$). The general architecture of our proposed HFD is shown in Fig. 1.

One possible approach to design a robust FDI scheme for
the non-linear system (4) is to generate a set of residuals as in
[3] where each residual is affected by only one fault and is
decoupled from all other faults and all the disturbances. If
such a set of residuals exist, then one can robustly detect
and isolate faults despite the presence of disturbances.
Under this scenario, there will be no need to have a hybrid
structure for the fault diagnoser. However, owing to the
availability of a limited number of output measurements in
practically most realistic situations in comparison with the
existence of a potentially large number of faults and
disturbances, our proposed HFD becomes the only
available methodology for a general class of non-linear
systems.
In the next section, the procedure for designing an HFD
that is composed of a bank of residual generators and a
DES diagnoser is described in detail.
3.1 Bank of continuous-time residual generators

In this section, a systematic approach is proposed to design a set of residual generators that provides the required information for the DES diagnoser. Towards this end, two sets of residuals are developed. The first set is generated according to the coding set that is introduced in Section 2 for a family of fault signatures with a given isolability index. The HFD that is developed below is guaranteed to remain robust with respect to both tolerable disturbance inputs ($v_l \in D_1$) and measurement noise ($v$) by selecting appropriate threshold values associated with the residuals. To ensure that the HFD is also robust to large disturbance inputs ($v_l \in D_2$), a second set of complementary residuals is generated so that the DES diagnoser by utilising the entire two sets of residuals will robustly detect and isolate a fault.

In the following, we assume that the strongly isolability index of the $l_i$'s is $\mu \le k$ where as shown in Lemma 1, either $\mu = k$ or $\mu < k - 1$. Therefore the SFDIP problem has a solution for the strongly isolating coding set $\Omega_i$, and a set of $\xi = C(k, \mu)$ residuals $r_j$, $j \in J$ can be generated. Let us denote $R_1 = \{r_j,\ j \in J\}$. Let $L_j$ denote the set of disturbance signatures $p_l$'s that affect the residual $r_j$, that is, $L_j = \{l \in \mathbf{P} \mid \operatorname{span}\{p_l\} \not\subset (\Pi_j^{*})^{\perp}\}$, $j \in J$ where $\Pi_j^{*}$ is defined in Theorem 1. Note that for most practical scenarios the isolability index $\mu$ of $k$ fault signatures is close to $k$, and hence the value of $C(k, \mu)$ remains close to $k$. However, in order to achieve a given isolability index for a family of fault signatures that is not strongly detectable, in some cases a potentially large number of $C(k, \mu)$ residuals may be required.

Assume that one can generate a set of complementary residuals $R_2 = \{r_{j+\xi},\ j \in J\}$ such that $r_{j+\xi}$ is decoupled from the disturbance inputs specified by $L_j$ but is affected by all the faults $m_i$, $i \in \Gamma_j$ and possibly other fault modes. The residuals $r_j \in R_2$ can be generated only if there exist the observability codistributions $\Pi_{j+\xi}^{*} = \text{o.c.a.}((\Sigma_*^{L_{j+\xi}})^{\perp})$, $j \in J$ such that $\operatorname{span}\{l_i(x)\} \not\subset [\Pi_{j+\xi}^{*}]^{\perp}$, $j \in J$ for all $i \in \Gamma_j$ and $L_{j+\xi} = \operatorname{span}\{p_l(x),\ l \in L_j\}$, $j \in J$.

Remark 1: It should be noted that the necessary condition for generating the residual signal $r_j \in R_2$ is that $\operatorname{span}\{l_i(x)\} \ne \operatorname{span}\{p_l(x)\}$, for all $i \in \Gamma_j$ and $l \in L_j$.

It should be noted that for a system where $L_j = L$, $j \in J$, that is, the set of disturbances that affects all the residuals $r_i \in R_1$ are the same, only a single extra residual $r_{\xi+1}$ is sufficient for designing our hybrid FDI scheme.

Figure 1 General architecture of our proposed hybrid diagnoser

For each disturbance input $v_l$, $l \in \mathbf{P}$ and fault mode $m_i$, $i \in \mathbf{k}$, the coding sets $\Omega_{p_l}$ and $\Omega_{f_i}$ are defined, respectively, as

$$
\begin{aligned}
\Omega_{p_l} &= \{j \in \{1, \ldots, 2\xi\} \mid \operatorname{span}\{p_l\} \not\subset (\Pi_j^{*})^{\perp}\} \\
\Omega_{f_i} &= \Omega_i \cup Y_{f_i}
\end{aligned}
\tag{5}
$$

where $Y_{f_i} = \{j \in \{\xi + 1, \ldots, 2\xi\} \mid \operatorname{span}\{l_i\} \not\subset (\Pi_j^{*})^{\perp}\}$. In other words, the sets $\Omega_{p_l}$ and $\Omega_{f_i}$ are the index sets of those residuals $r_j \in R_1 \cup R_2$ that are affected by $v_l$ and $m_i$, respectively. Fig. 2 shows an incidence matrix for a system with three fault signatures and two disturbance inputs where a 1 in the $(i, j)$th entry indicates that the residual $r_j$ is affected by fault or disturbance, where a 0 indicates that the residual is decoupled from that fault or disturbance, and where an X indicates that the value 1 or 0 is indifferent in the proposed FDI approach. All the sets that are used in this work ($\Omega_i$'s, $\Omega_{f_i}$'s, $\Omega_{p_l}$'s, $L_j$'s and $Y_{f_i}$) are identified and are shown in Fig. 2.

Assumption 3: Let $l \notin \bigcup_{j=1}^{k} L_j$ for some disturbance input $v_l$, then $\Omega_{p_l} = \emptyset$.

The disturbances that satisfy Assumption 3 have no effect on the residuals, and therefore the hybrid diagnoser does not need to be robust to them. In other words, the generated set of residuals is already decoupled from these disturbances and no further invoking of the DES diagnoser is required.

In the following example, we demonstrate how to generate
the above set of residuals for a given non-linear system.
Example 1: Consider a non-linear system that has three
fault signatures and one disturbance input as governed by
the following dynamics
x
1
= x
1
x
2
+m
1
+exp(x
2
)m
2
+2m
3
+v
1
x
2
= x
2
1
2
x
2
x
1
m
1
+m
2
+0.5m
3
0.2v
1
with the output measurement $y = [x_1, x_2]^{\top}$. Note that associated with the fault signatures we have

$$
\operatorname{Rank}\left\{
\begin{bmatrix} 1 \\ -\dfrac{2x_2}{x_1} \end{bmatrix},
\begin{bmatrix} \exp(x_2) \\ 1 \end{bmatrix},
\begin{bmatrix} 2 \\ 0.5 \end{bmatrix}
\right\} = 2
$$

and consequently, the above family of fault signatures does not satisfy the necessary condition of the lNFPRG. In other words, the fault signatures are not strongly detectable. Therefore, according to Lemma 1, the strong isolability index satisfies $\mu < 2$. Now we show that the strong isolability index for the above fault signatures is 1, that is, $\mu = 1$. First, we generate the coding sets that are required for the family of fault signatures with $\mu = 1$. Towards this end, the sets $\Gamma_j$, $j = 1, 2, 3$ are selected as two combinations of the set $\{1, 2, 3\}$, namely $\Gamma_1 = \{1, 2\}$, $\Gamma_2 = \{1, 3\}$ and $\Gamma_3 = \{2, 3\}$. The corresponding coding sets $\Omega_i$, $i = 1, 2, 3$ are given by $\Omega_1 = \{1, 2\}$, $\Omega_2 = \{1, 3\}$ and $\Omega_3 = \{2, 3\}$ and the number of residuals is $\xi = C(3, 1) = 3$. Our next step involves checking the solvability conditions for the SFDIP problem. According to Theorem 1, one first needs to obtain the unobservability codistributions $\Pi_j^{*}$, $j = 1, 2, 3$. These codistributions are found by using the algorithm that is presented in [3] and are given as $\Pi_1^{*} = \operatorname{span}\{d(x_1 - 4x_2)\}$, $\Pi_2^{*} = \operatorname{span}\{d(x_1 - \exp(x_2))\}$ and $\Pi_3^{*} = \operatorname{span}\{d(x_1^2 x_2)\}$.

It can be verified that the necessary conditions of Theorem 1 are satisfied, and hence the isolability index for the above family of fault signatures is 1. We are now ready to design the residual generators. Towards this end, the $z_1$-subsystem for generating the residuals $r_j$, $j = 1, 2, 3$ should be found from the unobservability codistributions $\Pi_j^{*}$, $i = 1, 2, 3$. As an illustration, the $z_1$-subsystem for generating the residual $r_1$ can be obtained as follows (see equation at the bottom of the page)

It follows that $L_j = L = \{1\}$ (the disturbance input $v_1$ affects all the residuals $r_j$, $j = 1, 2, 3$) and only one extra residual is required. To generate this residual, one needs to find $\Pi_4^{*}$ that is given by $\Pi_4^{*} = \operatorname{span}\{d(x_1 + 5x_2)\}$. Consequently, the coding sets $\Omega_{p_1}$ and $\Omega_{f_i}$, $i = 1, 2, 3$ are determined as follows: $\Omega_{p_1} = \{1, 2, 3\}$, $\Omega_{f_1} = \{1, 2, 4\}$, $\Omega_{f_2} = \{1, 3, 4\}$ and $\Omega_{f_3} = \{2, 3, 4\}$.

It should be noted that since the above family of fault signatures is not strongly detectable, the method proposed in [3] cannot be applied to this system. Moreover, as a comparison with some methods in the literature that consider disturbances as faults [3, 9, 10], if the disturbance input $v_1$ is treated as the fourth fault, the isolability index for the new family of fault signatures (four faults) is 1, implying that one still cannot detect the concurrent occurrence of a fault and a disturbance. However, as will be shown subsequently, our proposed hybrid FDI scheme enables one to detect a single fault in the system despite the fact that a large disturbance input is applied through $v_1$.

Figure 2 Incidence matrix

r
1
:
z
1
= 2
z
2
1
y
2
y
4
2
+ 2
z
1
y
2
exp
z
1
y
2
2
_ _
+y
2
2
_ _
m
2
+ 4
z
1
y
2
+0.5y
2
2
_ _
m
3
+ 2
z
1
y
2
0.2y
2
2
_ _
v
1
y
1
= z
1
= x
1
4x
2
, y
2
= x
2

Corresponding to each residual $r_j \in R_1 \cup R_2$, an evaluation function $J_{r_j}$ is now assigned. Various functions can be considered for this purpose as introduced in the literature [17], namely:

• instantaneous value of the residual signal, that is, $J_{r_i} = r_i$,
• the average value of the residual signal over a time interval $[t - T, t]$, that is, $J_{r_i} = (1/T)\int_{t-T}^{t} r(\tau)\,d\tau$,
• root-mean-square (RMS), which measures the average energy over a time interval $(0, T)$, that is, $J_{r_i} = \left((1/T)\int_{0}^{T} r(t)^2\,dt\right)^{1/2}$, and
• truncated RMS which measures the average energy over a time interval $[t - T, t]$, that is, $J_{r_i} = (1/T)\int_{t-T}^{t} r(\tau)^2\,d\tau$.

The residual evaluation function should be selected based on the system's characteristics. For instance, for systems having oscillatory residuals one cannot select the evaluation function $J_{r_i} = r_i$ since the residuals may switch in and out of the fault detection threshold boundaries. Moreover, the evaluation function $J_{r_i} = ((1/T)\int_{0}^{T} r(t)^2\,dt)^{1/2}$ cannot also be used for detection of an intermittent fault. Note that the truncated RMS evaluation function is always positive, and hence only one threshold level is required. However, the average value of the residual function $J_{r_i} = (1/T)\int_{t-T}^{t} r(\tau)\,d\tau$ can be both positive and negative, and hence one requires two threshold levels.

In this work, for the residuals $r_j \in R_1$ two different thresholds are required as
$$J^{b}_{th_j} = \sup_{v \in L_p,\; v \in D_b,\; m_i = 0,\; i \in k} (J_{r_j}), \quad j \in J,\; b = 1, 2.$$
In determining the first threshold, only tolerable disturbance inputs ($v_l \in D_1$) are considered. However, the second threshold incorporates all the possible disturbance inputs. The supremum that arises in determining the threshold values $J^{1}_{th_j}$ and $J^{2}_{th_j}$ may be obtained analytically by solving the optimisation problem or empirically from the evaluation of $J_{r_j}$ corresponding to and during the healthy operation or simulation of the system by considering the worst-case effects of the disturbances $v_l$ in $D_1$ and $D_2$, respectively.
It should be noted that one may choose to only consider the threshold level that is given by $J^{2}_{th_j}$ as the worst-case scenario associated with large disturbances. In this case, no false alarms will be generated due to this type of disturbances. However, this may lead to the selection of higher threshold values that would unnecessarily reduce the sensitivity of the FDI algorithm to low severity faults. As will be shown subsequently, by selecting two threshold levels and considering the temporal and sequential characteristics of the residuals, one can not only enhance the fault sensitivity characteristics, but also design a robust FDI scheme.
The threshold values for the residuals $r_j \in R_2$ are selected according to
$$J^{1}_{th_j} = \sup_{v \in L_p,\; v_l \in D_2,\; i \in V^{p}_{l},\; m_i = 0,\; i \in k} (J_{r_j}), \quad j \in \{\xi+1, \ldots, 2\xi\}$$
For a system such as in Example 1 and the ALTAV system that is discussed in Section 4, where the residuals $r_j \in R_2$ are affected by a few or even no disturbance input channels, one can select lower threshold values for these residuals. In other words, the residuals $r_j \in R_2$ are generally less sensitive to the disturbance inputs than the residuals $r_j \in R_1$. It should be emphasised that for systems where $L_j = L$, $j \in J$, the residual $r_{\xi+1}$ is decoupled from all disturbance inputs, and hence the threshold values for these residuals are definitely less than the ones for $r_j$, $j \in J$.
For each residual $r_j \in R_1$ defined at a given point in time $t$, we can choose the corresponding two threshold logic units $R^{1}_{j}(t)$ and $R^{2}_{j}(t)$ according to
$$R^{b}_{j}(t) = \begin{cases} 1 & \text{if } J_{r_j}(t) > J^{b}_{th_j}, \\ 0 & \text{otherwise,} \end{cases} \quad j \in J,\; b = 1, 2 \qquad (6)$$
Similarly, for each residual $r_j(t) \in R_2$, the threshold logic unit is assigned as follows
$$R^{1}_{j}(t) = \begin{cases} 1 & \text{if } J_{r_j}(t) > J^{1}_{th_j}, \\ 0 & \text{otherwise,} \end{cases} \quad j \in \{\xi+1, \ldots, 2\xi\} \qquad (7)$$
The definition below describes the classification of faults into three separate classes in view of the threshold logic unit $R^{1}_{j}(t)$ that was defined above.
Definition 3: The fault scenarios considered for the non-linear system (4) are categorised into the following three classes, namely high severity faults, low severity faults and non-detectable faults. Their specific characteristics are as follows: (i) the high severity faults correspond to faults that will affect the residual logic units $R^{1}_{j}$, $j \in \{1, \ldots, 2\xi\}$, (ii) the low severity faults correspond to faults that will affect only $R^{1}_{j}$, $j \in \{\xi+1, \ldots, 2\xi\}$ and (iii) the non-detectable faults correspond to faults that do not affect any of the residual logic units $R^{1}_{j}$, $j \in \{1, \ldots, 2\xi\}$.
3.2 DES fault diagnoser
For the sake of simplicity and without loss of generality, let us
assume that multiple faults in two actuators are possible.
Furthermore, let us consider the scenario where only
concurrent occurrence of one fault and one large
disturbance is allowed. This assumption will only limit the
number of all possible operational states of the DES
system. However, our proposed scheme is easily expandable
to more general cases, but because of space limitations that is
not addressed here.
First, the non-linear system along with a bank of residual generators is modelled as a finite-state Moore automaton [18] that is specified according to $G = (S, \Sigma, \delta, s_0, Y, \lambda)$, where $S$, $\Sigma$, $Y$ are the finite state, the event and the output sets, $s_0$ is the initial state, $\delta: S \times \Sigma \to 2^{S}$ is the transition function and $\lambda: S \to Y$ is the output map ($2^{S}$ denotes the power set of $S$). For the non-linear system (4), the state set is given by $S = \{s_0, s_1, \ldots, s_k, s_{1,2}, \ldots, s_{k-1,k}, s_D, s_{1,D}, \ldots, s_{k,D}\}$, where the state $s_0$ corresponds to the normal operational mode of the system (i.e. no faults and no large disturbance inputs exist), the states $s_i$, $i \in k$ correspond to faults in the ith component, the states $s_{i,j}$, $i, j \in k$, $i \neq j$ correspond to multiple faults in the ith and jth components, the state $s_D$ corresponds to occurrence of a large disturbance input and the states $s_{i,D}$ correspond to a concurrent fault in the ith component and a large disturbance input.
The event set is denoted by $\Sigma = \{F^{o}_{1}, \ldots, F^{o}_{k}, F^{r}_{1}, \ldots, F^{r}_{k}, D^{o}, D^{r}\}$, where the events $F^{o}_{i}$ and $F^{r}_{i}$, $i \in k$ correspond to the occurrence and removal of a fault in the ith actuator, respectively, the event $D^{o}$ corresponds to the occurrence of a large disturbance in one of the $v_l$, $l \in P$ channels and the event $D^{r}$ corresponds to the removal of a disturbance from all the channels. The output set is denoted by $Y = \{(R^{1}_{1}, \ldots, R^{1}_{2\xi}, R^{2}_{1}, \ldots, R^{2}_{\xi}) \in B^{\kappa}\}$, where $B = \{0, 1\}$ and $\kappa$ can be either $2\xi+1$ or $3\xi$ depending on the property of $L_j$.
Based on the above definitions, the transition function $\delta$ is now defined formally as $\delta(s_0, D^{o}) = s_D$, $\delta(s_D, D^{r}) = s_0$, $\delta(s_D, F^{o}_{i}) = s_{i,D}$, $\delta(s_0, F^{o}_{i}) = s_i$, $i \in k$, $\delta(s_i, F^{o}_{j}) = s_{i,j}$, $i, j \in k$, $i \neq j$, $\delta(s_i, D^{o}) = s_{i,D}$, $\delta(s_i, F^{r}_{i}) = s_0$, $i \in k$, $\delta(s_{i,j}, F^{r}_{i}) = s_j$, $\delta(s_{i,j}, F^{r}_{j}) = s_i$, $i, j \in k$, $i \neq j$, $\delta(s_{i,D}, F^{r}_{i}) = s_D$ and $\delta(s_{i,D}, D^{r}) = s_i$. As an illustration, Fig. 3 shows the corresponding transition function of the non-linear system that was considered in Example 1. It should be noted that since for this system the isolability index is $m = 1$, multiple fault states are not applicable. As shown in Fig. 3, the DES model of the non-linear system in Example 1 has eight states, namely the normal operational state $s_0$, three faulty states $s_i$, $i = 1, 2, 3$, three concurrent faults and large disturbance states $s_{i,D}$, $i = 1, 2, 3$, and the large disturbance input $s_D$. The event set and the output set for this system are given by $\Sigma = \{F^{o}_{1}, F^{o}_{2}, F^{o}_{3}, F^{r}_{1}, F^{r}_{2}, F^{r}_{3}, D^{o}, D^{r}\}$ and $Y = \{(R^{1}_{1}, \ldots, R^{1}_{4}, R^{2}_{1}, \ldots, R^{2}_{3}) \in B^{7}\}$, respectively.
The output map $\lambda$ depends on the severity of a fault and the threshold values of the residuals. As mentioned in the previous section, the threshold values for the residuals $r_j \in R_2$ are usually lower than those of $r_j \in R_1$. Therefore there could be a low severity fault scenario where the residual logic unit $R^{1}_{j+\xi}$ becomes one whereas $R^{1}_{j}$ is zero. In defining the output map $\lambda$, such scenarios are also incorporated. Table 1 shows the corresponding output map $\lambda$. Consequently, some states may have different outputs that would depend on the severity of the fault and disturbances. Moreover, non-detectable fault scenarios (refer to Definition 3) are not observable from residual logic units, and therefore they cannot be detected and isolated. These types of faults are not considered in $\lambda$. In other words, no event is assigned to such faults.
The objective of the DES diagnoser is to use the output sequence of the system (residual logic units) as inputs and to generate an estimate of the state of the system. In this work, a DES diagnoser is modelled as a finite-state automaton $H = (S_H, I_H, \delta_H, z_0, Y_H, \lambda_H)$, where $S_H$, $I_H$, $Y_H$ denote the finite state, the input and the output sets, $z_0$ is the initial state of the diagnoser, $\delta_H: S_H \times I_H \to S_H$ denotes the transition function and $\lambda_H$ is the output map. In order to eliminate any possible ambiguity in the DES model ($G$) output, two additional states with respect to the state set of $G$ are considered for $H$, namely $S_H = \{S, s_F, s_{F,D}\}$, where $s_F$ corresponds to the faulty state where one cannot isolate the faulty channel and $s_{F,D}$ corresponds to the concurrent occurrence of a fault and a large disturbance in the system when a fault may not be isolated. The input set for the diagnoser is an output set of $G$ (set $Y$). The output set is the same as the state set of the diagnoser ($Y_H = S_H$) and the output map $\lambda_H: S_H \to Y_H$ is an identity map.
Figure 3 Transition function corresponding to Example 1
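Table 1 Output map of the plant
| State | Output map $\lambda$ |
|---|---|
| $s_0$ | $(0, \ldots, 0)$ |
| $s_D$ | $\{(R^{1}_{1}, \ldots, R^{2}_{\xi}) \in Y \mid l \in P,\ j \in V^{p}_{l},\ R^{1}_{j} = 1\}$ |
| $s_i$ | $\{(R^{1}_{1}, \ldots, R^{2}_{\xi}) \in Y \mid b \in \{1, 2\},\ j \in V^{f}_{i},\ R^{b}_{j} = 1\}$ |
| $s_{i,j}$ | $\{(R^{1}_{1}, \ldots, R^{2}_{\xi}) \in Y \mid b \in \{1, 2\},\ l \in V^{f}_{i} \cup V^{f}_{j},\ R^{b}_{t} = 1\}$ |
| $s_{i,D}$ | $\{(R^{1}_{1}, \ldots, R^{2}_{\xi}) \in Y \mid b \in \{1, 2\},\ j \in V^{f}_{i},\ R^{b}_{j} = 1\} \cup \{(R^{1}_{1}, \ldots, R^{2}_{\xi}) \in Y \mid l \in P,\ j \in V^{p}_{l},\ R^{1}_{j} = 1\}$ |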
The main step that is left is the design of a transition map $\delta_H$. First, we consider the case when the system is in a normal operational mode $s_0$ and try to find the transition function corresponding to this mode. Based on Assumption 2, three transitions are possible in the normal operation, namely transition to the state $s_i$ which corresponds to the occurrence of a fault in the ith actuator (event $F^{o}_{i}$), transition to the state $s_D$ which corresponds to the occurrence of a large disturbance in one of the input disturbance channels (event $D^{o}$), and finally the transition to the fault mode $s_F$ which corresponds to the occurrence of a low severity fault in one of the actuators that may not be isolable.
Lemma 2 below shows that the HFD can easily distinguish the effects of a fault and a disturbance by using the coding sets $V^{f}_{i}$ and $V^{p}_{l}$, and therefore the sets $V^{f}_{i}$ and $V^{p}_{l}$ can be used for the transition to states $s_i$ and $s_D$, respectively.
Lemma 2:
(a) The coding sets $V^{p}_{l}$ and $V^{f}_{i}$ are distinct, that is, $V^{p}_{l} \neq V^{f}_{i}$, $l \in P$, $i \in k$, and (b) the coding sets $V^{f}_{i}$ and $V^{f}_{j}$, $i \neq j$ are distinct, that is, $V^{f}_{i} \neq V^{f}_{j}$, $i, j \in k$, $i \neq j$.
Proof:
(a) First we consider the disturbances $v_l$, $l \in P$ such that $l \in L_j$ for some $j \in J$ ($v_l$ affects at least one of the residuals $r_j \in R_1$). Since the residual $r_{j+\xi}$ is decoupled from $v_l$ and is affected by all the faults $m_i$, $i \in G_j$, we have $j+\xi \notin V^{p}_{l}$ and $j+\xi \in V^{f}_{i}$, $i \in G_j$. Hence, we have $V^{p}_{l} \neq V^{f}_{i}$, $i \in G_j$. Moreover, for all $m_i$, $i \in k$ such that $i \notin G_j$, we have $j \in V^{p}_{l}$ and $j \notin V^{f}_{i}$; hence $V^{p}_{l} \neq V^{f}_{i}$, $i \notin G_j$. Therefore $V^{p}_{l} \neq V^{f}_{i}$, $i \in k$. Next, we consider the disturbances $v_l$, $l \in P$ such that $l \notin \bigcup_{j=1}^{\xi} L_j$, that is, disturbance inputs that do not affect any of the residuals $r_j$, $j \in J$. Therefore we have $j \notin V^{p}_{l}$, $j \in J$. However, for any $i \in k$, there exists at least one residual $r_j \in R_1$ such that $j \in V^{f}_{i}$; hence, $V^{p}_{l} \neq V^{f}_{i}$, $i \in k$.
(b) Given the procedure in Section 2 for generating the residuals $r_i$, $i \in J$, we conclude that $V_i \neq V_j$, $i, j \in k$, $i \neq j$. Let us define a new set $Y^{f}_{i}$ according to $Y^{f}_{i} = V^{f}_{i} \cap \{\xi+1, \ldots, 2\xi\}$, $i \in k$. Consequently, we can write $V^{f}_{i} = V_i \cup Y^{f}_{i}$, $i \in k$. Since $V_i \cap \{\xi+1, \ldots, 2\xi\} = \emptyset$, $i \in k$, it follows that $V^{f}_{i} \neq V^{f}_{j}$, $i, j \in k$, $i \neq j$. This completes the proof of the lemma. □
The only remaining case of interest is when the occurrence of a low severity fault (refer to Definition 3) in the ith actuator will lead to changes in only $R^{1}_{\xi+i}$. The next lemma shows that the occurrence of a low severity fault can be distinguished from the occurrence of large disturbance inputs.
Lemma 3: The coding sets $V^{p}_{l}$ and $Y^{f}_{i}$ are distinct.
Proof: For the disturbance inputs $v_l \in P$ such that $l \in L_j$ for some $j \in J$, the proof follows along the same lines as that in the proof of part (a) of Lemma 2. According to Assumption 3, for the disturbances that do not affect any of the residuals $r_j \in R_1$, that is, $l \in P$ such that $l \notin \bigcup_{i=1}^{\xi} L_i$, we have $V^{p}_{l} = \emptyset$. But $\xi+i \in Y^{f}_{i}$, and hence $V^{p}_{l} \neq Y^{f}_{i}$. □
To summarise, our proposed HFD can detect the occurrence of a fault, since $V^{p}_{l} \neq Y^{f}_{i}$. However, we may have $Y^{f}_{i} = Y^{f}_{j}$ for some $i, j \in k$, and therefore the fault cannot be isolated. In this case, the state of the fault diagnoser will change to $s_F$.
The next step is now to consider scenarios when initially a large disturbance is applied to the system followed by a fault that is concurrently present in one of the system actuators. Therefore it is assumed that the system has a transition from the normal operation state $s_0$ to the disturbance state $s_D$ where we define a set $D = \{1 \le j \le \xi \mid R^{1}_{j} = 1\}$. In this state, the second threshold logic units $R^{2}_{i}$ are used for all the residuals $r_j$, $j \in D$. It can be shown that the effects of the fault are not nullified by a large disturbance input. Indeed, for a given residual $r_j \in D$, the fault signal $m_i(t)$, $i \in G_j$ can nullify the effects of the disturbance $v_l \in L_j$ if we have
$$l_i(x)\, m_i(t) = p_l(x)\, v_l(t) \qquad (8)$$
The necessary condition for satisfying the above condition is that $\text{span}\{l_i(x)\} = \text{span}\{p_l(x)\}$, which is in contradiction with the necessary condition that is stated in Remark 1.
Remark 2: For large disturbances $v_l$ that are beyond the considered bound $d_2$ in Assumption 1 the fault diagnoser can still distinguish the occurrence of the disturbance from the fault by using the coding sets $V^{f}_{i}$ and $V^{p}_{l}$ and by correctly changing its state to $s_D$. However, certain residuals may also exceed the second threshold level $J^{2}_{th_j}$ due to the fact that $v_l > d_2$ and the threshold values $J^{2}_{th_j}$ are computed based on the boundedness assumption of the disturbance with a bound $d_2$. Therefore in this case only the occurrence of a concurrent fault can be detected by using the coding set $Y^{f}_{i}$, although the diagnoser cannot isolate the fault while a large disturbance is present. It is evident that after the removal of a larger disturbance, the fault can be isolated by using the coding sets $V^{f}_{i}$.
Now, let us consider a scenario where a fault is detected in the ith actuator and the state of the fault diagnoser is $s_i$. Generally, we should investigate three possible cases, namely (i) the removal of a detected fault, (ii) the occurrence of a second fault in the jth actuator, and (iii) the occurrence of a disturbance in $v_l$, $l \in P$. Actually, the main challenge here is to distinguish between cases 2 and 3, since the removal of a fault can be easily detected when all the threshold logic units become zero. The necessary condition for distinguishing between the cases 2 and 3 is governed by
$$V^{f}_{i} \cup V^{f}_{j} \neq V^{f}_{i} \cup V^{p}_{l}, \quad i, j \in k;\ l \in P \qquad (9)$$
The next lemma provides a sufficient condition for satisfying the condition (9).
Lemma 4: If the number of residuals $r_i \in R_1$ that are affected by each disturbance input is more than $|V_i \cup V_j| = \xi - C(k-2, k-m)$, that is, $|V^{p}_{l} \cap J| > \xi - C(k-2, k-m)$, $l \in P$, then the condition (9) is satisfied for all the disturbance inputs $l \in P$ as well as the fault modes $m_i$, $m_j$, $i \neq j$.
Proof: If $|V^{p}_{l} \cap J| > \xi - C(k-2, k-m)$, then for any two fault modes $m_i$, $m_j$, $i, j \in k$, $i \neq j$, there exists at least one residual $r_a \in R_1$ such that $r_a \in V^{p}_{l}$ and $r_a \notin V^{f}_{i} \cup V^{f}_{j}$, and therefore it follows that $V^{f}_{i} \cup V^{f}_{j} \neq V^{f}_{i} \cup V^{p}_{l}$. This completes the proof of the lemma. □
It can be easily verified that the system where $L_i = L$, $i \in k$ satisfies the above sufficient condition if $m > 1$, since $|V^{p}_{l} \cap J| = \xi$ and $|V^{f}_{i} \cup V^{f}_{j}| < \xi$.
Remark 3: In the situation where $V^{f}_{i} \cup V^{f}_{j} \subset V^{f}_{i} \cup V^{p}_{l}$, one could potentially have a false alarm associated with the second fault while a large disturbance input is present. To remedy this problem, the DES diagnoser will declare the detection of the second fault after a specific waiting-time interval $t_0$, if all the residual threshold logics specified by $V^{f}_{i} \cup V^{f}_{j}$ are at 1 while the remaining residual threshold logic units specified by $\{V^{f}_{i} \cup V^{f}_{j}\}$ $\{V^{f}_{i} \cup V^{p}_{l}\}$ remain at zero.
Tables 2 and 3 summarise all the transitions of the DES
diagnoser. By specifying these transitions, the design of our
proposed hybrid DES diagnoser is now completed.
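Table 2 Transition function of the states $s_0$, $s_D$ and $s_i$, $i \in k$
| Current state | Input $(R^{1}_{1}, \ldots, R^{1}_{2\xi}, R^{2}_{1}, \ldots, R^{2}_{\xi})$ | Next state | Corresponding event in $G$ |
|---|---|---|---|
| $s_0$ | $\bigwedge_{j \in V^{f}_{i}} R^{1}_{j} = 1$ | $s_i$, $i \in k$ | $F^{o}_{i}$ |
| $s_0$ | $l \in k$ such that $\bigwedge_{j \in Y^{f}_{l}} R^{1}_{j} = 1$ | $s_F$ | $F^{o}_{i} \in \{F^{o}_{1}, \ldots, F^{o}_{k}\}$ |
| $s_0$ | $l \in P$ such that $\bigwedge_{j \in V^{p}_{l}} R^{1}_{j} = 1$ | $s_D$ | $D^{o}_{i}$ |
| $s_D$ | all inputs become zero | $s_0$ | $D^{r}$ |
| $s_D$ | $\bigwedge_{j \in V^{f}_{i} \cap D} R^{2}_{j} \bigwedge_{l \in V^{f}_{i}} R^{1}_{l} = 1$ | $s_{i,D}$ | $F^{o}_{i}$ |
| $s_D$ | $i \in k$ and $l \in P$ such that $\bigwedge_{j \in Y^{f}_{i} \cup V^{p}_{l}} R^{1}_{j} = 1$ | $s_{F,D}$ | $F^{o}_{i} \in \{F^{o}_{1}, \ldots, F^{o}_{k}\}$ |
| $s_i$ | all inputs become zero | $s_0$ | $F^{r}_{i}$ |
| $s_i$ | $\bigwedge_{l \in V^{f}_{i} \cup V^{f}_{j}} R^{1}_{l} = 1$ for the time interval $t_0$ | $s_{i,j}$ | $F^{r}_{j}$ |
| $s_i$ | $l$ such that $\bigwedge_{j \in V^{f}_{i} \cup V^{p}_{l}} R^{1}_{j} = 1$ | $s_{i,D}$ | $D^{o}$ |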
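Table 3 Transition function of the states $s_F$, $s_{F,D}$, $s_{i,D}$ and $s_{i,j}$
| Current state | Input $(R^{1}_{1}, \ldots, R^{1}_{2\xi}, R^{2}_{1}, \ldots, R^{2}_{\xi})$ | Next state | Corresponding event in $G$ |
|---|---|---|---|
| $s_F$ | $\bigwedge_{j \in V^{f}_{i}} R^{1}_{j} = 1$ for the time interval $t_0$ | $s_i$ | $F^{o}_{i}$ |
| $s_F$ | $i \in k$ and $l \in P$ such that $\bigwedge_{j \in Y^{f}_{i} \cup V^{p}_{l}} R^{1}_{j} = 1$ | $s_{F,D}$ | $D^{o}$ |
| $s_{F,D}$ | $\bigwedge_{j \in V^{f}_{i} \cap D} R^{2}_{j} \bigwedge_{l \in V^{f}_{i}} R^{1}_{l} = 1$ | $s_{i,D}$ | $F^{o}_{i}$ |
| $s_{F,D}$ | $l \in k$ such that $\bigwedge_{j \in Y^{f}_{l}} R^{1}_{j} = 1$ | $s_F$ | $D^{r}$ |
| $s_{F,D}$ | $l \in P$ such that $\bigwedge_{j \in V^{p}_{l}} R^{1}_{j} = 1$ | $s_D$ | $F^{r}_{i} \in \{F^{o}_{1}, \ldots, F^{o}_{k}\}$ |
| $s_{i,D}$ | $l \in P$ such that $\bigwedge_{j \in V^{p}_{l}} R^{1}_{j} = 1$ | $s_D$ | $F^{r}_{i} \in \{F^{o}_{1}, \ldots, F^{o}_{k}\}$ |
| $s_{i,D}$ | $\bigwedge_{j \in V^{f}_{i}} R^{1}_{j} = 1$ | $s_i$ | $D^{r}$ |
| $s_{i,j}$ | $\bigwedge_{l \in V^{f}_{i}} R^{1}_{l} = 1$ | $s_i$ | $F^{r}_{j}$ |
| $s_{i,j}$ | $\bigwedge_{l \in V^{f}_{j}} R^{1}_{l} = 1$ | $s_j$ | $F^{r}_{i}$ |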
Example 1 (cont.): According to the coding sets that were obtained for the non-linear system in Example 1, the DES diagnoser can be designed as follows: the state set is specified by $S_H = \{s_0, s_1, s_2, s_3, s_D, s_F, s_{1,D}, s_{2,D}, s_{3,D}\}$, the input set is defined by $I_H = \{R^{1}_{1}, R^{1}_{2}, R^{1}_{3}, R^{1}_{4}, R^{2}_{1}, R^{2}_{2}, R^{2}_{3}\}$ and the transition map $\lambda_H$ is given in Table 4. Therefore the design of our proposed hybrid diagnoser for the non-linear system in Example 1 is now completed. In the next section, our proposed FDI scheme will be applied to the ALTAV system.
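The threshold logic units (6) and (7) and the Example 1 diagnoser of Table 4 can be exercised on sampled residuals; the Python sketch below is an added illustration, not code from the paper. The thresholds, window length and residual samples are constructed, the evaluation is the truncated RMS form listed in Section 3, and each Table 4 row is assumed to fire only when exactly the listed units are high, since the table states no priority between rows.

```python
from collections import deque

UNITS1 = (1, 2, 3, 4)   # r_1..r_4 each drive a first-level unit R^1_j
UNITS2 = (1, 2, 3)      # only r_1..r_3 have a second-level unit R^2_j

# Unit patterns read off Table 4 (rows s0 -> s_i and s0 -> sD).
FAULT_CODE = {1: {1, 2, 4}, 2: {1, 3, 4}, 3: {2, 3, 4}}
DIST_CODE = {1, 2, 3}
LOW_SEVERITY = {4}      # row s0 -> sF: only R^1_4 is high


class WindowEnergy:
    """Sampled truncated evaluation J(t) = (1/T) * int_{t-T}^{t} r^2 dt."""

    def __init__(self, n_samples):
        self.buf = deque(maxlen=n_samples)

    def update(self, r):
        self.buf.append(r * r)
        # Missing history counts as zero, so J ramps up from the start.
        return sum(self.buf) / self.buf.maxlen


def logic_units(J, th1, th2):
    """Equations (6)-(7): a unit is 1 iff J_{r_j} exceeds its threshold."""
    hi1 = frozenset(j for j in UNITS1 if J[j] > th1[j])
    hi2 = frozenset(j for j in UNITS2 if J[j] > th2[j])
    return hi1, hi2


def step(state, hi1, hi2):
    """One diagnoser transition per Table 4; unlisted inputs keep the state."""
    if not hi1 and not hi2:                      # "all zero" rows
        return "s0" if state in ("s1", "s2", "s3", "sD", "sF") else state
    if state in ("s0", "sF"):
        for i, code in FAULT_CODE.items():
            if hi1 == code:                      # assumption: exact match
                return f"s{i}"
        if state == "s0" and hi1 == DIST_CODE:
            return "sD"
        if state == "s0" and hi1 == LOW_SEVERITY:
            return "sF"
        if state == "sF" and hi1 == set(UNITS1):
            return "sF,D"
    if state == "sD" and 4 in hi1:
        # Under a large disturbance R^1_1..R^1_3 are already high, so the
        # fault is isolated with the second-level units plus R^1_4.
        for i, code in FAULT_CODE.items():
            if hi2 == code - {4}:
                return f"s{i},D"
    return state


def run_scenario():
    """Constructed run: disturbance from t=10, fault in channel 1 from t=20."""
    th1 = {1: 0.04, 2: 0.04, 3: 0.04, 4: 0.01}   # constructed J^1 thresholds
    th2 = {1: 1.5, 2: 1.5, 3: 1.5}               # constructed J^2 thresholds
    evals = {j: WindowEnergy(5) for j in UNITS1}
    state, changes = "s0", []
    for t in range(30):
        r = {j: 0.05 for j in UNITS1}            # healthy residual level
        if t >= 10:
            r.update({1: 0.5, 2: 0.5, 3: 0.5})   # disturbance: r_4 decoupled
        if t >= 20:
            r.update({1: 2.0, 2: 2.0, 4: 0.3})   # fault 1 hits r_1, r_2, r_4
        J = {j: evals[j].update(r[j]) for j in UNITS1}
        new_state = step(state, *logic_units(J, th1, th2))
        if new_state != state:
            changes.append((t, new_state))
            state = new_state
    return changes


if __name__ == "__main__":
    print(run_scenario())
```

With a single threshold on $r_1, \ldots, r_3$ the disturbance at t = 10 would already look like a fault; here the diagnoser first moves to sD and isolates the fault only once the second-level units and $R^{1}_{4}$ agree.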
4 Hybrid FDI design for the ALTAV system
Example 1 worked out in the previous section belonged to a class of non-linear systems with not strongly detectable family of fault signatures. In this section, we consider the application of our proposed FDI methodology to an ALTAV system where the actuator fault signatures are strongly detectable. The ALTAV system considered in this paper is a six degrees-of-freedom unmanned aerial vehicle (refer to [19]). The states/variables describing the motion of the system are $x$, $y$, $z$, $\theta$, $\gamma$ and $\phi$. These states correspond to the translation in the x, y and z directions (m) and rotations about the z, y and x axes (rad) (heading, pitch and roll angles) in the local horizontal/local vertical frame, respectively. It is assumed that these states and their first-order derivatives are available for measurement.
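The dynamics of the ALTAV system is governed by the following equations [11]
$$\begin{aligned}
M\ddot{x} &= \sum_{i=1}^{4} F_i \sin(\gamma) - C_x \dot{x} + W_x \\
M\ddot{y} &= \sum_{i=1}^{4} F_i \sin(\phi) - C_y \dot{y} + W_y \\
M\ddot{z} &= -\sum_{i=1}^{4} F_i \cos(\gamma)\cos(\phi) - F_B + Mg - C_z \dot{z} \\
J_\theta \ddot{\theta} &= (F_1 l - F_2 l + F_3 l - F_4 l)\sin(\rho) - C_\theta \dot{\theta} \\
J_\gamma \ddot{\gamma} &= (F_1 l - F_3 l) - F_B L_B \sin(\gamma) - C_\gamma \dot{\gamma} \\
J_\phi \ddot{\phi} &= (F_2 l - F_4 l) - F_B L_B \sin(\phi) - C_\phi \dot{\phi}
\end{aligned} \qquad (10)$$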
where the four input forces $F_i$, $i = 1, \ldots, 4$ (N) are produced by the propellers that are controlled through four vectoring brushless DC motors subject to the constraints $0 \le F_i \le F^{\max}_{i}$, $C_x$, $C_y$, $C_z$ denote the drag coefficients, $M$ denotes the mass (kg), $J$ denotes the moment of inertia (kg m$^2$), $l$ denotes the perpendicular distance between the motors and vehicle centre of gravity (m), $F_B$ denotes the buoyant force (N), $W_x$, $W_y$, $W_z$ denote the wind disturbance forces (N), and $\rho$ denotes the angular offset from the vertical of the motor thrust vectors.
Common actuator faults that are considered here may include [20]: (i) freezing or lock in-place (LIP) fault, (ii) float fault, (iii) hard-over fault (HOF), and (iv) loss of effectiveness (LOE) fault. In case of the LIP fault, the actuator state freezes at a particular value and will not respond to subsequent commands. HOF is characterised by the actuator moving to its upper or lower saturation limits regardless of the commanded signal. The actuator transient response time is bounded by its rate limits. Float fault occurs when the actuator floats with zero output and does not contribute to the control authority. Loss of effectiveness is characterised and represented by lowering the actuator gain with respect to its nominal value.
A bank of residual generators are first designed for the four input channels of the ALTAV system. The state-space representation of the ALTAV system is rewritten as follows
$$\dot{X} = f(X) + \sum_{i=1}^{4} g_i(X) F_i + \sum_{j=1}^{3} p_j(X) v_j, \qquad Y = X + v \qquad (11)$$
where $F_1, \ldots, F_4$ are the input force control channels, $X^{T} = [x\ \ y\ \ z\ \ \dot{x}\ \ \dot{y}\ \ \dot{z}\ \ \theta\ \ \gamma\ \ \phi\ \ \dot{\theta}\ \ \dot{\gamma}\ \ \dot{\phi}]$, $v_1$ and $v_2$ represent the wind disturbances in the x- and the y-directions, respectively, $v_3$ represents a change in the buoyant force $F_B$, $X = \{X_i\}_{i=1}^{12}$ and $Y = \{Y_i\}_{i=1}^{12}$.
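Table 4 Transition function of Example 1
| Current state | Input $(R^{1}_{1}, \ldots, R^{1}_{4}, R^{2}_{1}, \ldots, R^{2}_{3})$ | Next state |
|---|---|---|
| $s_0$ | $R^{1}_{1} \wedge R^{1}_{2} \wedge R^{1}_{4} = 1$ | $s_1$ |
| $s_0$ | $R^{1}_{1} \wedge R^{1}_{3} \wedge R^{1}_{4} = 1$ | $s_2$ |
| $s_0$ | $R^{1}_{2} \wedge R^{1}_{3} \wedge R^{1}_{4} = 1$ | $s_3$ |
| $s_0$ | $R^{1}_{1} \wedge R^{1}_{2} \wedge R^{1}_{3} = 1$ | $s_D$ |
| $s_0$ | $R^{1}_{4} = 1$ | $s_F$ |
| $s_i$ | all zero | $s_0$ |
| $s_D$ | all zero | $s_0$ |
| $s_D$ | $R^{2}_{1} \wedge R^{2}_{2} \wedge R^{1}_{4} = 1$ | $s_{1,D}$ |
| $s_D$ | $R^{2}_{1} \wedge R^{2}_{3} \wedge R^{1}_{4} = 1$ | $s_{2,D}$ |
| $s_D$ | $R^{2}_{2} \wedge R^{2}_{3} \wedge R^{1}_{4} = 1$ | $s_{3,D}$ |
| $s_F$ | all zero | $s_0$ |
| $s_F$ | $R^{1}_{1} \wedge R^{1}_{2} \wedge R^{1}_{4} = 1$ | $s_1$ |
| $s_F$ | $R^{1}_{1} \wedge R^{1}_{3} \wedge R^{1}_{4} = 1$ | $s_2$ |
| $s_F$ | $R^{1}_{2} \wedge R^{1}_{3} \wedge R^{1}_{4} = 1$ | $s_3$ |
| $s_F$ | $R^{1}_{1} \wedge R^{1}_{2} \wedge R^{1}_{3} \wedge R^{1}_{4} = 1$ | $s_{F,D}$ |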
First, we need to generate residuals $r_i$, $i = 1, \ldots, 4$ such that each residual $r_i$ is only affected by $F_i$ and is decoupled from all other faults $F_j$, $j \neq i$. Towards this end, the largest observability codistributions $P^{*}_{i} = \text{o.c.a.}((\Sigma^{L_i}_{*})^{\perp})$ should be found where $L_1 = \text{span}\{g_2(X), g_3(X), g_4(X)\}$, $L_2 = \text{span}\{g_1(X), g_3(X), g_4(X)\}$, $L_3 = \text{span}\{g_1(X), g_2(X), g_4(X)\}$ and $L_4 = \text{span}\{g_1(X), g_2(X), g_3(X)\}$, such that $\text{span}\{g_i(X)\} \not\subset (P^{*}_{i})^{\perp}$, $i = 1, \ldots, 4$.
For the ALTAV system, since we have assumed full state measurements $X_i$, $i = 1, \ldots, 12$ and $\Sigma^{L_i}_{*} = L_i$, we conclude that $P^{*}_{i} = L^{\perp}_{i}$. It can be easily shown that $P^{*}_{1} = \text{span}\{dX_1, dX_2, dX_3, dX_7, dX_8, dX_9, dz_{11}, dz_{12}, dz_{13}\}$, where $z_{11} = 2J_\gamma \sin(\rho)\sin(X_8)X_{11} + J_\theta \sin(X_8)X_{10} + lM\sin(\rho)X_4$, $z_{12} = 2J_\gamma \sin(\rho)\sin(X_9)X_{11} + J_\theta \sin(X_9)X_{10} + lM\sin(\rho)X_5$ and $z_{13} = 2J_\gamma \sin(\rho)\cos(X_8)\cos(X_9)X_{11} + J_\theta \cos(X_8)\cos(X_9)X_{10} - lM\sin(\rho)X_6$. Given that we have full state measurements, each of the three states $z_{11}$, $z_{12}$ and $z_{13}$ can be used for generating the residual $r_1$ such that it is only affected by $F_1$ and is decoupled from $F_j$, $j \neq 1$. It should be noted that other state candidates, that is, $X_i$, $i = 1, 2, 3, 7, 8, 9$ are not affected by $F_1$, and hence cannot be selected for generating the residual $r_1$. It is evident that each of the states $z_{11}$, $z_{12}$ and $z_{13}$ is affected by one disturbance input ($W_x$, $W_y$ and $F_B$, respectively). Therefore by selecting only one of the states for the residual generation, the residual becomes decoupled from all the other disturbance inputs. Moreover, the full state measurement assumption can be relaxed since from the states $X_4$, $X_5$, $X_6$ only one is needed for generating the residual $r_1$. This redundancy in generating the residuals from different measurements can be used whenever one considers the presence of a fault in the sensors (this is beyond the scope of the current work). In the following, we only use the measurement $X_4$ for generating the residuals and the following set of states can be found such that $z_i$, $i = 1, \ldots, 4$ is affected by $F_i$ and is decoupled from the other input channels $F_j$, $j \neq i$, namely
$$\begin{aligned}
z_1 &= 2J_\gamma \sin(\rho)\sin(X_8)X_{11} + J_\theta \sin(X_8)X_{10} + lM\sin(\rho)X_4 \\
z_2 &= 2J_\phi \sin(\rho)\sin(X_8)X_{12} - J_\theta \sin(X_8)X_{10} + lM\sin(\rho)X_4 \\
z_3 &= -2J_\gamma \sin(\rho)\sin(X_8)X_{11} + J_\theta \sin(X_8)X_{10} + lM\sin(\rho)X_4 \\
z_4 &= -2J_\phi \sin(\rho)\sin(X_8)X_{12} - J_\theta \sin(X_8)X_{10} + lM\sin(\rho)X_4
\end{aligned}$$
It can be checked that $L_i = \{p_1, p_3\}$, $i = 1, \ldots, 4$, and one needs only to generate one extra residual that is decoupled from $v_1$ and $v_3$. Towards this end, the largest observability codistribution $P^{*}_{5} = \text{o.c.a.}((\Sigma^{L_5}_{*})^{\perp})$ should be found where $L_5 = \{p_1, p_3\}$ such that $\text{span}\{g_i(X)\} \not\subset (P^{*}_{5})^{\perp}$, $i = 1, \ldots, 4$. For the ALTAV model, we have $P^{*}_{5} = L^{\perp}_{5}$. Based on $P^{*}_{5}$, the following set of states can be found that are decoupled from $p_1$ and $p_3$ and are affected by all the control inputs $F_i$, namely $z_5 = X_{10}$ and $z_6 = X_5$. However, only one of the above states is sufficient and in order to satisfy Assumption 3, one can only select $z_5$ for this purpose, since $V^{p}_{3} = \{r_6\}$, where $r_6$ corresponds to the residual that is generated by the observer of the state $z_6$.
The coding sets for the fault channels $F_1, \ldots, F_4$ and the disturbance inputs $v_1$ and $v_3$ are as follows: $V^{f}_{1} = \{1, 5\}$, $V^{f}_{2} = \{2, 5\}$, $V^{f}_{3} = \{3, 5\}$, $V^{f}_{4} = \{4, 5\}$ and $V^{p}_{1} = V^{p}_{3} = \{1, 2, 3, 4\}$. Moreover, it is clear that the sufficient condition in Lemma 4 is also satisfied for the ALTAV system.
It should be emphasised that for generating the residuals that are decoupled from the disturbance inputs $W_x$, $W_y$ and $F_B$, the following observability codistributions should be obtained, namely, $P^{*}_{i} = \text{o.c.a.}((\Sigma^{L_i}_{*})^{\perp})$, where $L_i = \text{span}\{L_i(x), p_1(x), p_2(x), p_3(x)\}$. It can be verified that $\text{span}\{g_i(X)\} \subset (P^{*}_{i})^{\perp}$, $i = 1, \ldots, 4$, and therefore FDI is not feasible. However, based on our proposed approach, we can accomplish both FDI among the actuator faults and robustness with respect to the disturbance inputs.
Once the residuals $r_j(t)$, $j = 1, \ldots, 5$ are constructed, the next step is to determine the threshold values $J_{th_j}$ and the evaluation functions $J_{r_j}(t)$. In this paper, the following evaluation functions are selected $J_{r_j}(t) = \int_{t-T_0}^{t} r^{T}_{j}(t)\, r_j(t)\,dt$, $j = 1, \ldots, 5$, where $T_0$ is the length of the evaluation window. The main advantage of these evaluation functions is that one can also detect intermittent faults easily. The residual logic units $R^{1}_{j}$, $j = 1, \ldots, 5$ and $R^{2}_{j}$, $j = 1, \ldots, 4$ are selected according to (6) and (7), respectively, where the corresponding threshold values are found as discussed in Section 3. It should be noted that the supremum that arises in determining the threshold values can be estimated from simulations by considering the worst-case effects of the measurement noise and input disturbances on the residuals.
It is interesting to note that the trivial evaluation functions $J_{r_j}(t) = r_j(t)$ are not applicable to the ALTAV system since according to our extensive simulation studies (refer to Section 5, Fig. 6) it turns out that oscillations are present in the residuals $r_j$, $j = 1, \ldots, 4$ when we have simultaneously a fault in one of the input channels $F_j$ and the state $\gamma$ happens to be also varying about zero. Under these circumstances, the corresponding residuals will also behave similar to that of $\gamma$, and therefore cannot be used to conduct fault detection.
The final step is to design a DES fault diagnoser $H$. The state set of $H$ is defined as $S_H = \{s_0, \ldots, s_4, s_{1,2}, \ldots, s_{3,4}, s_{1,D}, \ldots, s_{4,D}, s_F, s_{F,D}\}$, where the cardinality of $S$ is 23. The input set of the diagnoser is $I = \{R^{1}_{1}, \ldots, R^{1}_{5}, R^{2}_{1}, \ldots, R^{2}_{4}\}$, and the output set is equal to $S_H$. The transition function $\lambda_H$ can be found by following the results that are given in Section 3. This derivation is not included here owing to space limitations.
5 Simulation results
In this section, simulation results of our proposed hybrid FDI
scheme as applied to the non-linear ALTAV system are
presented. Various actuator faults are considered in the four input channels of the ALTAV system. In a surveillance-type manoeuvring mission, the ALTAV initiates its motion from a given coordinate and follows a rectangular path in the x–y plane, and then changes its altitude and follows the same pattern in this altitude. The output measurement noise and tolerable disturbance inputs $D_1$ that are considered in the simulation results below are as follows: a uniform random variable ±1 (deg) for the output measurements $\gamma$ and $\phi$, a uniform random variable ±0.1 (m/s) for the measurement $\dot{x}$, a uniform random variable ±0.5 (deg/s) for the measurements $\dot{\theta}$, $\dot{\gamma}$ and $\dot{\phi}$, a uniform random variable ±0.5 (N) for the disturbance inputs $W_x$ and $W_y$, and a uniform random variable ±2 (N) for $\Delta F_B$. Since large changes in the buoyant force $F_B$ do not produce any changes in the residuals, only the wind disturbance in the x-direction needs to be considered for simulations (the wind disturbance in the y-direction is unobservable from the residuals), that is, $D_2 = \{W_x \mid 0.5 \le W_x < 5\ \text{(N)}\}$. By considering the worst-case scenario of the residuals corresponding to the healthy mode of the ALTAV system subject to the measurement noise and tolerable input disturbances $D_1$, the threshold values of $J^{1}_{th_j} = 6\mathrm{e}{-4}$, $J^{2}_{th_i} = 4.5\mathrm{e}{-3}$, $j = 1, \ldots, 4$ and $J^{1}_{th_5} = 3\mathrm{e}{-5}$ and the evaluation windows of $T_0 = 5$ s and $T_0 = 10$ s are selected for the residuals $r_1, \ldots, r_4$ and $r_5$,
Figure 5 Fault diagnoser states corresponding to a float fault in the $F_1$ actuator
Figure 4 Residual evaluation functions corresponding to a float fault in $F_1$ actuator (the dashed dots lines correspond to the threshold values $J^{1}_{th_i} = 6\mathrm{e}{-4}$, $i = 1, \ldots, 4$ and $J^{1}_{th_5} = 3\mathrm{e}{-5}$, the dashed lines correspond to the threshold value $J^{1}_{th_i} = 4.5\mathrm{e}{-3}$)
respectively. It should be pointed out that since the residual $r_5$ is decoupled from all the disturbance inputs, one can select a lower threshold value for it.
Fig. 4 shows the residual evaluation functions corresponding to a permanent float fault in the input channel $F_1$ at $t = 100$ s. A concurrent wind disturbance gust that is represented by a rectangular pulse of a constant amplitude 3 (N) in the x-direction between $t = 80$ and $t = 120$ s is also applied to the ALTAV system in this simulation. Fig. 5 depicts the states of the DES fault diagnoser. As shown in this figure, the diagnoser state first changes to $s_D$ at $t = 83$ s after the occurrence of the large wind disturbance in the x-direction with no false alarms generated. Later when a fault in the input channel $F_1$ is injected, the diagnoser state first switches to the $s_{F,D}$ at $t = 101.3$ s and then after about 2 s it switches to state $s_{1,D}$ at $t = 103$ s. Consequently, one can conclude that the diagnoser can perfectly detect and isolate the fault despite the presence of a large concurrent disturbance. Finally, after the disturbance is removed at $t = 120$ s, the diagnoser switches to the state $s_1$ at time $t = 123$ s. It should be emphasised that if one only uses the first four residuals $r_1, \ldots, r_4$, not only a false alarm will be generated because of the wind disturbance, but also the actual fault at $t = 100$ s cannot be detected and isolated. However, by using our proposed hybrid FDI methodology, we are able to distinguish the occurrence of a fault as well as large wind disturbance in the x-direction ($v_1 \in D_2$) by designing only one additional residual.
Figure 6 Residuals corresponding to a float fault in the $F_1$ actuator
Figure 7 Residual evaluation functions corresponding to a hard over fault in $F_2$ actuator (the dash-dotted lines correspond to the threshold values $J^1_{th_i}$ = 6e-4, $i = 1, \ldots, 4$ and $J^1_{th_5}$ = 3e-5, the dashed lines correspond to the threshold value $J^2_{th_i}$ = 4.5e-3)
Fig. 6 shows the residuals $r_1$ and $r_2$ corresponding to the above fault scenario. As stated in the previous section, it should by now be evident from this figure as to why one cannot directly evaluate the residual signals using their thresholds, that is, $J_{r_j} = r_j$, since owing to the dynamics of the ALTAV system after the occurrence of a fault, the residuals tend to oscillate in and out of their threshold bounds.
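The chattering described above, as an added example that is not code from the paper: a constructed oscillating residual is compared against the page's threshold of 6e-4 directly and through a sliding-window RMS over $T_0$ = 5 s. The RMS form of the evaluation function and the residual waveform are assumptions made here for illustration.

```python
import math

T_FAULT = 100.0   # fault time used in the page's scenarios (s)
J_TH = 6e-4       # first threshold quoted on the page for r_1..r_4
T0 = 5.0          # evaluation window quoted on the page for r_1..r_4 (s)

def residual(t):
    """Constructed residual: zero when healthy, sustained oscillation after the fault."""
    if t < T_FAULT:
        return 0.0
    tau = t - T_FAULT
    envelope = 2e-3 * (0.5 + 0.5 * math.exp(-0.05 * tau))
    return envelope * math.sin(2 * math.pi * 0.2 * tau)

def windowed_rms(samples, window_len):
    """Assumed evaluation function: RMS of the residual over a sliding window."""
    out, acc = [], 0.0
    for k, r in enumerate(samples):
        acc += r * r
        if k >= window_len:
            acc -= samples[k - window_len] ** 2   # drop the sample leaving the window
        out.append(math.sqrt(max(acc, 0.0) / min(k + 1, window_len)))
    return out

def crossings(signal, threshold):
    """Count switches of |signal| between inside and outside the threshold."""
    flags = [abs(x) > threshold for x in signal]
    return sum(a != b for a, b in zip(flags, flags[1:]))

def run_demo(dt=0.05, t_end=200.0):
    """Return (raw crossings, evaluated crossings, first alarm time in s)."""
    t = [k * dt for k in range(int(round(t_end / dt)))]
    r = [residual(x) for x in t]
    J = windowed_rms(r, int(round(T0 / dt)))
    first_alarm = next(tk for tk, jk in zip(t, J) if jk > J_TH)
    return crossings(r, J_TH), crossings(J, J_TH), first_alarm

if __name__ == "__main__":
    raw, evaluated, alarm = run_demo()
    print(f"raw residual threshold crossings: {raw}")
    print(f"evaluation function crossings:    {evaluated}")
    print(f"first alarm at t = {alarm:.2f} s")
```

The raw comparison flips twice per half-cycle of the oscillation, while the windowed function crosses the threshold once and stays above it, which is what gives a diagnoser a stable event to act on.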
Fig. 7 depicts the residual evaluation functions associated with a permanent HOF in the input channel $F_2$ that is applied at t = 100 s, and Fig. 8 shows the corresponding fault diagnoser state. A wind disturbance gust that is represented by a rectangular pulse of a constant amplitude 3 (N) in the x-direction is also injected between t = 50 and t = 80 s in the simulations. As seen from Fig. 8, the diagnoser first detects the fault at t = 100.2 s and also isolates the fault at t = 107.5 s. Moreover, no false alarms are generated due to the presence of the disturbance input. As shown in Fig. 7, the residual evaluation function $J_{r_2}$ does not exceed the second threshold value $J^2_{th_j}$. Consequently, if one only uses a conventional FDI method and chooses the threshold values by considering the entire disturbance set, that is, $D_2$, then the hard over fault cannot be detected and isolated. However, by using our proposed approach, this fault can easily be detected and also isolated despite the presence of a large wind disturbance.
Figure 8 Fault diagnoser states corresponding to a hard over fault in the $F_2$ actuator
Figure 9 Residual evaluation functions corresponding to multiple faults in $F_1$ and $F_4$ actuators (the dash-dotted lines correspond to the threshold values $J^1_{th_i}$ = 6e-4, $i = 1, \ldots, 4$ and $J^1_{th_5}$ = 3e-5, the dashed lines correspond to the threshold value $J^2_{th_i}$ = 4.5e-3)
The last scenario we consider corresponds to the presence of multiple faults in the ALTAV actuators. For the generated residuals, we have $V_{f_i} < V_{f_j}$, $V_{f_i} < V_{p_1}$. Therefore, according to Remark 3, a waiting time interval of $t_0$ = 1 s is considered for detecting the second fault. Figs. 9 and 10 show the corresponding residual evaluation functions and the fault diagnoser, respectively, to an intermittent float fault in the input channel $F_1$ that is applied between t = 100 and t = 150 s, a permanent 50% loss of effectiveness fault in the input channel $F_4$ that is applied at t = 120 s, and a wind gust disturbance that is represented by a rectangular pulse of a constant amplitude 3 (N) that is injected in the x-direction between t = 50 and t = 80 s. According to these figures, one does clearly detect and isolate faults in $F_1$ and $F_4$ at t = 104 and t = 121 s, respectively. It is worth mentioning that according to Definition 3, a hard over and a float fault are categorised as high severity faults and a 50% loss of effectiveness fault is considered as a low severity fault.
6 Conclusions
A novel hybrid FDI scheme is proposed for a non-linear
system that is subject to large disturbances. The proposed
scheme consists of two modules, namely a bank of residual
generators and a DES-based fault diagnoser. The notions
of strongly and not strongly detectable fault signatures for a
non-linear system are introduced. A new coding set for not
strongly detectable fault signatures is then developed. A
novel set of complementary residuals for not strongly
detectable fault signatures is proposed and constructed
based on the non-linear geometric approach. A DES
diagnoser is developed which uses the residuals and their
temporal behaviour to robustly detect and isolate the faulty
channels. Our proposed hybrid FDI methodology is
applied to the problem of actuator FDI for an ALTAV
system. Simulation results clearly illustrate and demonstrate
the effectiveness and advantages of our proposed approach
compared to the available methods in the literature in
detecting and isolating four common fault types in the
input channels/actuators of the ALTAV system.
7 Acknowledgment
The authors would like to acknowledge the support received
from Quanser Inc. [11, 19] for the mathematical model of
the ALTAV system. This research is supported in part by a
grant from National Sciences and Engineering Research
Council of Canada (NSERC) under the Strategic Projects
program.
8 References
[1] CHEN J., PATTON R.J.: Robust model-based fault diagnosis for dynamic systems (Kluwer Academic Publishers, Boston, Dordrecht, London, 1999)
[2] STAROSWIECKI M., COMTET-VARGA G.: Analytical redundancy relations for fault detection and isolation in algebraic dynamic systems, Automatica, 2001, 37, (5), pp. 687-699
[3] PERSIS C.D., ISIDORI A.: A geometric approach to nonlinear fault detection and isolation, IEEE Trans. Autom. Control, 2001, 46, (6), pp. 853-865
[4] KRENER A.J.: Necessary and sufficient conditions for nonlinear worst case ($H_\infty$) control and estimation, J. Math. Syst. Estimation Control, 1994, 4, (4), pp. 1-25
[5] PERSIS C.D., ISIDORI A.: On the design of fault detection filters with game-theoretic-optimal sensitivity, Int. J. Robust Nonlinear Control, 2002, 12, pp. 729-747
[6] JIANG B., STAROSWIECKI M., COCQUEMPOT V.: Fault estimation in nonlinear uncertain systems using robust/sliding-mode observers, IEE Proc. Control Theory Appl., 2004, 151, (1), pp. 29-37
Figure 10 Fault diagnoser states corresponding to multiple faults in the $F_1$ and $F_4$ actuators
[7] GUO L., WANG H.: Fault detection for nonlinear non-Gaussian stochastic systems using entropy optimization principle, Trans. Inst. Meas. Control, 2006, 28, pp. 145-161
[8] GUO L., YIN L., WANG H., CHAI T.: Entropy optimization filtering for fault isolation of nonlinear non-Gaussian stochastic systems, IEEE Trans. Autom. Control, 2009, 54, (4), pp. 804-810
[9] SELIGER R., FRANK P.M.: Fault diagnosis by disturbance decoupled nonlinear observer. Proc. IEEE Conf. on Decision and Control, 1991, pp. 2248-2253
[10] BERDJAG D., CHRISTOPHE C., COCQUEMPOT V.: Nonlinear model decomposition for fault detection and isolation system design. Proc. 45th IEEE Conf. on Decision and Control, 2006, pp. 3321-3326
[11] EARON E.: Almost-lighter-than-air-vehicle fleet simulation. Technical Report V.0.9, Quanser Inc., Toronto, Canada, 2005
[12] LECHEVIN N., RABBATH C.A., EARON E.: Towards decentralized fault detection in uav formations. Proc. American Control Conf., 2007, pp. 5759-5764
[13] MESKIN N., JIANG T., SOBHANI E., KHORASANI K., RABBATH C.A.: A nonlinear geometric fault detection and isolation approach for almost-lighter-than-air-vehicles. Proc. IEEE Multi-Conf. on Systems and Control, 2007, pp. 1073-1078
[14] MASSOUMNIA M.A., VERGHESE G.C., WILLSKY A.S.: Failure detection and identification, IEEE Trans. Autom. Control, 1989, 34, (3), pp. 316-321
[15] GERTLER J.: Analytical redundancy methods in failure detection and isolation. Proc. IFAC Fault Detection, Supervision and Safety for Technical Processes, 1991, pp. 9-21
[16] MESKIN N., KHORASANI K.: Fault detection and isolation in a redundant reaction wheels configuration of a satellite. Proc. IEEE Int. Conf. on Systems, Man, Cybernetics, 2007, pp. 3153-3158
[17] DING S.X., ZHANG P., FRANK P.M., DING E.L.: Threshold calculation using LMI-technique and its integration in the design of fault detection systems. Proc. 42nd Conf. on Decision and Control, 2003, pp. 469-474
[18] HASHTRUDIZAD S., KWONG R.H., WONHAM W.M.: Fault diagnosis in discrete-event systems: framework and model reduction, IEEE Trans. Autom. Control, 2003, 48, (7), pp. 1199-1212
[19] EARON E.: ALTAV MK II information, Pre-release specification (Quanser Inc., Toronto, Canada, 2007)
[20] BOSKOVIC J.D., BERGSTROM S.E., MEHRA R.K.: Retrofit reconfigurable flight control in the presence of control effector damage. Proc. American Control Conf., 2005, pp. 2652-2657