## 1. Introduction

Modern life depends increasingly on the availability at all times of services and products provided by technological systems. Many areas, such as communication systems, water supply, power grids, urban transport systems are now completely automated. For such systems, the consequences of faults in component systems can be catastrophic. Reliability of such systems can be increased by ensuring that the faults will not occur, however, this objective unrealistic and often unattainable. In this context, it is very useful to design fault tolerant control systems that are able to tolerate possible faults in such systems to improve reliability and availability. Together with the increasing complexity of engineered systems and rising demands regarding reliability and safety, it is important to develop powerful fault-tolerant control methods.

A number of surveys are discussed various aspects of fault-tolerant control. For example, Stengel (1991) discusses analytical forms of redundancy using artificial intelligence methods. In (Rauch, 1994) a broad overview over basic methodologies based on classical control techniques (pseudo-inverse methods, adaptive approaches...) is given with several application examples (aircraft, unmanned underwater vehicles). In (Patton, 1997) (Zhang and Jiang, 2003) surveys on fault-tolerant control methods give a broad summary of the field. In the transport domain, to satisfy increasing safety, many new vehicles are equipped with different driver assisted systems such as Traction Control System (TCS) and Electronic Stabilization Program (ESP) to maintain stability and acceptable performances even when some sensors have failed. These systems use a combination of ABS information, yaw rate, wheel speed, lateral acceleration and steer angle to improve the stabilization of the vehicle in dangerous driving situations and then improve the active safety (Kienck and Nielsen, 2000, Dahmani, Chadli and al, 2012).

The most common approach in coping with such a problem is to separate the overall design in two distinct phases. The first phase concerns “Fault Detection and Isolation” (FDI) problem, which consists in designing filters (dynamical systems) able to detect the presence of faults and to isolate them from other faults/disturbances (Isermann, 2001; Ding, Schneider, Ding and Rehm, 2005; Blanke, Kinnaert, Lunze and Staroswiecki, 2003; Gertler, 1998; Oudghiri, Chadli and ElHajjaji, 2007; Oudghiri, Chadli and ElHajjaji, 2008). The second phase usually consists in designing a supervisory unit. This unit reconfigures the control so as to compensate for the effect of the fault and to fulfill performance constraints. In general, the latter phase is carried out by means of a parameterized controller which is suitably updated by the supervisory unit.

Our objective is to develop model-based FTC-scheme for vehicle lateral dynamics. This study is motivated by the practical demands for such monitoring systems that i) automatically and reliably detect and isolate faults from sensors ii) deliver reliable and fault tolerant estimates of the vehicle lateral dynamics and iii) are practically realizable. In this chapter, we propose an observer-based fault tolerant control to detect, identify and accommodate sensor failures. The given method is based on the single failure assumption which states that at most one sensor can fail at any time.

To know the vehicle response, the proposed controller needs to know the yaw rate and the lateral velocity in order to generate the suitable output. If the yaw rate can be directly measurable by a yaw rate sensor (gyroscope), the lateral velocity will have to be estimated using an observer because it is not measurable easily. In this paper, a fuzzy controller is designed by considering the lateral velocity estimated using a nonlinear observer. In the analysis and design, the vehicle lateral will be represented by a switching systems (Chadli and Darouach, 2011) or by a Takagi-Sugeno (T-S) fuzzy model (Takagi and Sugeno, 1985), largely used these last years (Xioodong and Qingling, 2003; Chadli, Maquin and Ragot, 2005; Kirakidis, 2001; Tanaka and Wang, 1998; Chadli and El Hajjaji, 2006; Guerra and al, 2011; Chadli and Guerra, 2012). It is usually referred to as the bicycle model. Moreover, we consider the uncertain Takagi-Sugeno (T-S) fuzzy model to describe the vehicle dynamics in large domains and by the same way to improve the stability of vehicle lateral dynamics (Oudghiri, Chadli and A. ElHajjaji, 2007b; Chadli, ElHajjaji and Oudghiri, 2008). The proposed algorithm is formulated in terms of linear matrix inequalities (LMI) (Boyd and al, 1994) which are easily solvable using classical numerical tools (such as LMI Toolbox for Matlab software).

The subject of this chapter concerns the area of active FTCS for lateral vehicle dynamics that is modeled by uncertain TS fuzzy model. A FDI algorithm based on fuzzy observer is developed and a design method of control law tolerant to some sensors faults is proposed. This chapter is structured as follows. Basic concepts and notions of the FTC field with several general approaches to achieve fault tolerance are described in Sections 2 and 3. In Section 4 applications of control reconfiguration are reviewed briefly. Section 4 describes the vehicle lateral and its representation by uncertain T-S fuzzy model. Section 5 presents the observer-based fault tolerant control strategy with simulations of sensor faults and result analysis. Conclusions are given in Section 6.

Notation: symmetric definite positive matrix

## 2. Preliminaries and some definitions

This section introduces concepts and ideas from the field of fault-tolerant control (FTC). Consider the following state space representation of linear systems: *t*) R^{n} is the state, y(*t*) R^{r} is the output, u(*t*) R^{m} is the inputs which are measurable, A R^{n×n} is the state transition matrix, B R^{n×m} is the input distribution matrix, C R^{r×n} is the output matrix, B_{w} R^{n×n} is the disturbance matrix, and w_{1}(t) R^{n} and w_{2}(t) R^{r} are the disturbances which are unknowns.

Faults are modelled by changes of system matrices. For example, *Actuator faults* are modelled by modifing input matrix B_{f} by scaling columns or setting to zero of columns in case of actuator failure. The *Sensor faults* are modelled by a modified output matrix C_{f}. This matrix may contain scaled rows due to altered sensor characteristics or zero rows due to failed sensors i.e. the faulty sensor should be switched off. *Plant faults* are modelled by a modified system matrix A_{f}*.* In general, when all types of faults present simultaneously, the faulty system model becomes: *K)* could be designed as a static or dynamic output feedback controller.

In the following paragraphs, brief definitions of terms common in the fault-tolerant control community are provided (J. Lunze and J. Richter (2006).

Faults. Faults can cause technical systems to malfunction or operate at reduced performance. Reduced service quality is the consequence. Faults may be triggered internally, such as broken power links in a computer or blocked valves in a chemical batch plant, or externally, such as changes in environmental conditions like a temperature drop stopping a chemical reaction.

Faults can be further classified by their location in a block diagram. *Actuator faults* affect only actuation systems, such as pumps, valves, stirrers, switches, motors, brakes. They concern the efficiency of inputs on the system. *Plant faults* affect internal plant components, resulting in changed plant I/O properties, for example clogged pipes or leakages. They concern the system dynamics. *Sensor faults* result in erroneous measurements, such as biased, scaled or simply absent, constant zero readings (Blanke *et al.*, 2003). They concern the measured output of a system.

Failures. Failures contrast faults in the following sense. A fault reduces the system performance. The system can in general still serve its purpose, albeit with reduced functionality and/or performance. After a failure, the system provides no service any more. It cancels service availability completely. Faults and failures can occur both at the component level and at the aggregated system level. Fault-tolerant control aims at preventing component faults, component failures or subsystem faults from becoming system failures (Blanke *et al.*, 2003).

Fault-tolerance. The term *fault-tolerant system* (FTS) will be used to denote a controlled system which can still serve its purpose in spite of the occurrence of faults, at least for some time and to some degree, until the impaired components can be repaired.

*Fault-tolerant control (FTC)* denotes a framework of methods developed to turn control loops into fault-tolerant systems. The focus is on the design of the automatic control laws. That is, the means to achieve fault-tolerance are specific control design approaches with fault-tolerance in mind. The goal is to keep the loop in operation for as long as possible to minimise the cost of down-time. Shutting down a plant may be expensive due to loss of production, or due to resulting plant damage. The latter can be the case in some chemical reactions. As an example, absence of cooling can cause irreversible solidification of the reactor content of a batch process, which means loss of the reactor.

Fault diagnosis is an area of active research of its own. In most parts of this work, the diagnosis task is taken as a prerequisite already solved, as this work focuses on controller adjustment. When considering the joint properties of diagnosis and controller adjustment or in implicit approaches, diagnosis is covered as well.

## 3. Classification of fault-tolerant control

There already exist several approaches to achieve fault tolerance for control loops. The classification taken here is illustrated in Figure 1.

The classification can be done according to different criteria. The distinction between *passive* and *active* approaches is explained first, followed by *fault accommodation* and *reconfiguration*.

### 3.1. Passive and active FTC

*Passive* fault tolerance is achieved when the loop remains operational in spite of faults *without changing the controller*. If the controller is changed at fault detection time, for instance by controller parameters or even its structure, the approach is called *active*.

A typical example of a passive approach is robust controller design, a well-established and researched approach to achieve fault tolerance. Typically, faults that can be modelled as plant uncertainties can be well covered by robust design. A large number of publications concerning the achievement of fault tolerance using various robust design techniques exist in the literature.

In robustness approaches, a fixed controller is designed to accommodate a class of anticipated component faults or failures. Most robustness approaches are feasible only for faults representable as parameter drift (see for example Fujita and Shimermura, 1988, Campo and Morari, 1994).

The class of faults covered by robust control is in general more limited in comparison to active approaches. In addition, the necessary trade-off between nominal performance and fault tolerance introduces conservatism.

### 3.2. Fault accommodation - fault reconfiguration

*Fault accommodation* denotes the case where the variables measured and manipulated by the controller remain unchanged (Blanke *et al.*, 2003). Only the controller internals (including its dynamic order) may change, but the same measurement and actuation signals as in the nominal case must be used. Adaptive control is an example of an accommodation technique (Ahmed-Zaid *et al.*, 1991; Bodson and Groszkiewicz, 1997).

The approach also has its specific limitations. The most serious one concerns the severity of faults and the speed of adaptation. Only faults representable as slowly changing plant parameters can be well accommodated by adjusting controller parameters. Structural damage is not covered. In addition, adaptive control works well in case of slow plant parameter variations in linear plants with respect to signal variation speed. This assumption is very questionable for faults that occur abruptly and rapidly lead out of the region of valid plant linearisation. Adaptive controllers are generally too slow to compensate abrupt faults.

Switching among a bank of predesigned controllers may be used as an accommodation technique.

*Control reconfiguration* is an active approach where both the controller and its measured and manipulated variables may change. Reconfiguration allows the structure of the control loop to be changed in response to faults. This goes beyond structural changes inside the controller by including dynamic signal re-routing of inputs and outputs.

## 4. FTC for vehicle dynamics

### 4.1. Vehicle model

Vehicle lateral dynamics have been studied since the late 1950’s. Segel (Segel, 1956) developed a three-degree-of freedom vehicle model to describe the vehicle directional responses, which includes the yaw, lateral and roll motions. Most of the previous research works on vehicle lateral control have relied on the bicycle model (figure 2) that considers only lateral and yaw motions. It is based on the following assumptions:

There is no roll, pitch or bounce

The relative yaw between the vehicle and the road is small

The steering angle is small

The tire lateral force varies linearly with the slip angle

The following simplified model is obtained:

where

(2) |

Coefficients *D*_{i}*, C*_{i}*, B*_{i} and *E*_{i} (*i = f,r*) depend on the tire characteristics, road adhesion coefficient

where

To obtain the TS fuzzy model, we have represented the front and rear lateral forces (2) by the following rules:

If _{1} then

If _{2} then

where

The overall forces are obtained by:

where ^{th} bell curve membership function of fuzzy set *M*_{j}. They satisfy the following constraints

The expressions of membership functions

with

The membership function parameters and consequence of rules are obtained using an identification method based on the Levenberg-Marquadt algorithm (Lee, Lai and Lin, 2003) combined with the least square method, allow to determine parameters of membership functions (

Using the above approximation idea of nonlinear lateral forces by TS rules and by considering that

nonlinear model (1) can be represented by the following TS fuzzy model:

If _{1} then

If _{2} then

where

The output vector of system

The defuzzified output of this T–S fuzzy system is a weighted sum of individual linear models

From the expressions of front and rear forces (4), (5), we note that stiffness coefficients *C*_{fi} and *C*_{ri} are not constant and vary depending on the road adhesion. To take into account these variations, we assume that these coefficients vary as follows:

where *d*_{i} indicates the deviation magnitude of the stiffness coefficient from its nominal value.

After some manipulations, the TS fuzzy model can be written as:

where

with

### 4.2. Output feedback design

Consider the general case of uncertain T-S fuzzy model (Takagi and Sugeno, 1985):

with properties

where ^{th} state matrix, the i^{th} input matrix and the i^{th} output matrix respectively. Vector

The overall fuzzy observer has the same structure as the TS fuzzy model. It is represented as follows:

where

Like the fuzzy observer, the TS fuzzy controller is represented as follows

where

From systems (20), (21) and (22), we have

The augmented system can be expressed as:

where

The global asymptotic stability of the TS fuzzy model (25) is summarized in the following theorem:

*Theorem 1:* If there exist symmetric and positive definite matrices

with

Proof: The proof can be inspired directly from (Chadli & El Hajjaji 2006).

**Remarks **

In the case of common input matrix

*Corollary 1*: If there exist symmetric and positive definite matrices

with

Proof: The result is obtained directly from theorem 1.

Result of corollary 1 derive directly from the TS fuzzy model (15) (with common input matrix

The derived stability conditions are LMI on synthesis variables

## 5. FTC strategy

It is important to be able to carry out fault detection and isolation before faults have a drastic effect on the system performance. Even in case of system changes, faults should be detected and isolated. Observer based estimator schemes are used to generate residual signals corresponding to the difference between measured and estimated variables (Chen and Patton, 1999). The residual signals are processed using either deterministic (e.g. using fixed or variable thresholds) (Ding, Schneider, Ding and Rehm, 2005) or stochastic techniques (based upon decision theory) (Chen and Liu, 2000). Here, the first one is used.

The method that we propose is illustrated in figure 2, where it can be seen that the FDI functional block uses two observers, each one is driven by a single sensor output. The failure is detected first, and then the faulty sensor is identified. After that, the state variables are reconstructed from the output of the healthy sensor. The lateral control system enters the degraded mode that guaranteed stability and an acceptable level of performance.

Figure 2 shows the block diagram of the proposed closed system,

Assumptions

Let^{th}row of matrix

Sensor failures are modeled as additive signals to sensor outputs

where

For failure of sensor 1

For failure of sensor 2

We also assume that at any time one sensor only fails at the most. This assumption has been implied by the two possible values of

**Observer-based FDI design**

If each

For observer 1, the state is estimated from the output of the first sensor (

For observer 2, the state is estimated from the output of the second sensor (

where ^{th} rows of matrices

The TS fuzzy controller is represented as follows

With

We define the residual signals as

Note that

The FDI scheme developed in this study follows a classical strategy such as the well-established observer based FDI methods (Isermann, 2001; Huang and Tomizuka, 2005; Oudghiri, Chadli and El Hajjaji, 2007). The residual signals

Detection: if

Switching: if

Since model uncertainties and sensor noise also contribute to nonzero residual signals under the normal operation, threshold

**Simulation results**

To show the effectiveness of the proposed FTC based on bank of observer algorithm, we have carried out some simulations using the vehicle model (1) and MATLAB software. In the design, the vehicle parameters considered are given in table 1. To take account of uncertainties, stiffness coefficients C_{fi} and C_{ri} are supposed to be varying depending on road adhesion.

Parameters | I_{z}Kg.m ^{2} | m kg | a_{f}m | a_{r}m | U m/s | Nominal stiffness Coefficients (N/rad) | |||

C_{f10} | C_{f20} | C_{r10} | C_{r20} | ||||||

Values | 3214 | 1740 | 1.04 | 1.76 | 20 | 60712 | 4812 | 60088 | 3455 |

with the following uncertainties

We point out that only the yaw rate is directly measurable by a yaw rate sensor (gyroscope), the lateral velocity is unavailable and is estimated using the proposed observer.

By solving the derived stability conditions of theorem 1, the designed controller and observer gains are:

Figure 4 shows the additive signals that represent sensor failures. The first one has been added to sensor 1 output between 2s and 8s, and the second one has been added to sensor 2 output between 10s and 16s.

All the simulations are realized on the nonlinear model given in (1) with vehicle speed 20 m/s. The simulation results are given in figures 5 and 6 with and without the FTC strategy. In figure 5 the law control is based on one observer (observer 2) without using the switching bloc. We can see between 10s and 16s that the vehicle lost its performance just after the yaw rate sensor became faulty.

Figure 6 shows vehicle state variables and their estimated signals, when the law control is based on the bank of two observers with the switch bloc. We can note that the vehicle remains stable despite the presence of faults, which shows the effectiveness of the proposed FTC strategy.

The switching from observer 1 to observer 2 is visualized clearly at t ≈ 8s (figure 7). We notice that switching observers is carried out without loss of control of the system state.

The second simulations are realized to show the importance of the proposed FTC method based on an output fuzzy controller, on the stability of the vehicle dynamics. Simulations propose to show the difference between the vehicle dynamics behaviour with TS fuzzy yaw control based on a fuzzy observer (figure 6) and its behaviour with the linear yaw control based on a linear observer (figure 8). Figure 8 clearly shows that the linear control fails to maintain the stability of the vehicle in presence of sensor faults despite a short magnitude of the additive signal (

## 6. Conclusion

Using an algorithm based on a bank of two observers, a fault tolerant control has been presented. The vehicle nonlinear model is first represented by an uncertain Takagi-Sugeno fuzzy model. Then, a robust output feedback controller is designed using LMI terms. Based on the designed robust observer-based controller, a fault tolerant control method is utilized. This method uses a technique based on the switching principle, allowing not only to detect sensor failures but also to adapt the control law in order to compensate the effect of the faults by maintaining the stability of the vehicle and the nominal performances. Simulation results show that the proposed FTC strategy based on robust output TS fuzzy controller are better than these with linear control in spite of a short magnitude of the additive signal and very low front steering angle.