Proactive Fault-Tolerant Model Predictive Control: Concept and

Application

Liangfeng Lao, Matthew Ellis, and Panagiotis D. Christofides

AbstractFault-tolerant control methods have been exten-sively researched over the last ten years in the context ofchemical process applications and provide a natural frameworkfor integrating process monitoring and control aspects in away that not only fault detection and isolation but also controlsystem reconfiguration is achieved in the event of a processor actuator fault. But almost all the efforts are focused on thereactive fault tolerant control. As another way for fault tolerantcontrol, proactive fault-tolerant control has been a popular topicin the communication systems and aerospace control systemscommunities for the last 10 years. At this point, no workhas been done on proactive fault-tolerant control within thecontext of chemical process control. In this paper, we proposea proactive fault-tolerant Lyapunov-based model predictivecontroller (LMPC) that can effectively deal with an incipientcontrol actuator fault. This approach to proactive fault-tolerantcontrol combines the unique stability and robustness propertiesof LMPC as well as explicitly accounting for incipient controlactuator faults in the formulation of the MPC. We apply ourtheoretical results to a chemical process example.

I. INTRODUCTION

The U.S. petrochemical industry suffers both large and

numerous minor process disturbances and faults that have a

significant accumulated effect on production outages and ex-

cess energy use over time [5]. Reliability and continuity are

important requirements in chemical process industries, which

especially apply to complicated safety-critical systems, such

as chemical process control systems [1].

Fault-tolerant control methods have made significant con-

tributions in keeping the reliability of complex chemical

process control systems. However, almost all the efforts up

to this point have focused on reactive fault-tolerant control,

i.e., the control system is actively reconfigured upon the

occurrence of a fault (see, for example, [22], [20], [15],

[16], [3], [4]). While fault detection and isolation as well

as reactive fault-tolerant control schemes remain an active

area of research, proactive fault-tolerant control is part of

an emerging area that will enable next generation manufac-

turing. Proactive fault-tolerant control has been extensively

researched in communication systems and aerospace con-

trol systems communities (see [2], [18] and the references

therein). Proactive fault-tolerant control systems can help

Liangfeng Lao and Matthew Ellis are with the Department of Chemicaland Biomolecular Engineering, University of California, Los Angeles, CA90095-1592, USA. Panagiotis D. Christofides is with the Departmentof Chemical and Biomolecular Engineering and the Departmentof Electrical Engineering, University of California, Los Angeles,CA 90095-1592, USA. Emails: liangfenglao@ucla.edu,matthewellis@ucla.edu pdc@seas.ucla.edu.Corresponding author: P. D. Christofides. Financial support from theNational Science Foundation is gratefully acknowledged.

to avoid process shut-down, product loss, and catastrophes

involving human and component damage by taking adequate

control measures to minimize the negative impact of incipient

control actuator faults on process operation [8]. Still, little

work has been done on proactive fault-tolerant control in the

context of chemical process control.

Currently, history based approaches is one of the main

types of fault detection and diagnosis techniques. Within

this framework, large quantities of historical data are first

collected on sensor and actuator faults. The average failure

data indicate that components may fail after a certain period

of time with a certain probability since their reliability de-

creases with time [7]. At this point, it is not hard to envision

leveraging this data to determine failure windows of process

control system components and the best time intervals to

schedule preventive process control system maintenance. In

terms of the determination of the time of the incipient fault,

existing probabilistic prediction methods mainly include

methods based on Markov [19] and Bayesian analysis [23].

In this work, we formulate a proactive fault-tolerant

model predictive controller (MPC) designed via Lyapunov-

based techniques for nonlinear systems. This approach to

proactive fault-tolerant control combines the unique stability

and robustness properties of Lyapunov-based MPC (LMPC)

as well as explicitly accounting for an incipient control

actuator faults in the formulation of the MPC. We apply

our theoretical results to a chemical process example and

demonstrate that the proposed proactive fault-tolerant model

predictive control method can achieve practical stability after

a control actuator fault.

II. PRELIMINARIES

A. Notation

The operator || is used to denote the Euclidean norm ofa vector and ||Q denotes the weighted Euclidean norm of

a vector (i.e., ||Q = xTQx). A continuous function :

[0, a) [0,) belongs to class K functions if it is strictlyincreasing and satisfies (0) = 0. We use to denote thelevel set := {x R

nx |V (x) }. The symbol diag(v)denotes a square diagonal matrix with diagonal elements

equal to the vector v.

B. Class of nonlinear systems

In this work, we consider a class of input-affine nonlinear

systems described by the following state-space model

x(t) = f(x(t)) +G(x(t))(u(t) + u(t)) (1)

2013 American Control Conference (ACC)Washington, DC, USA, June 17-19, 2013

978-1-4799-0178-4/$31.00 2013 AACC 5140

where x(t) Rn is the state vector, u(t) Rm is themanipulated input vector, and u(t) Rm is the controlactuator fault vector. We consider that u + u is bounded ina nonempty convex set U Rm defined as U := {u Rm | |ui + ui| u

maxi , i = 1, . . . ,m}. We assume that

f : Rn Rn and G : Rn RnRm are locally Lipschitzvector and matrix functions, respectively. We use j = 0 todenote the fault-free system and j = 1, . . . ,m to denote thesystem with a fault in the jth control actuator.We assume that the nominal system of Eq. 1 (u 0)

has an equilibrium point at the origin. We also assume

that the state x of the system is sampled synchronouslyand continuously and the time instants where the state

measurements become available is indicated by the time

sequence {tk0} with tk = t0 + k, k = 0, 1, . . . wheret0 is the initial time and is the sampling time.

C. Lyapunov-based controller

We assume that there exists a Lyapunov-based controller

u(t) = h0(x) which renders the origin of the fault-freeclosed-loop system asymptotically stable under continuous

implementation. This assumption is essentially a stabiliz-

ability requirement for the system of Eq. 1. Furthermore,

we assume after the jth control actuator fails that thereexists another Lyapunov-based controller u(t) = hj(x) thatrenders the origin of the resulting faulty closed-loop system

asymptotically stable. Using converse Lyapunov theorems

[14], [9], [13], this assumption implies that there exist

functions i,j(), i = 1, 2, 3, 4, j = 0, 1, 2, . . . ,m of class Kand continuous differentiable Lyapunov functions Vj(x) forthe closed-loop system that satisfy the following inequalities:

1,j(|x|) Vj(x) 2,j(|x|) (2)

Vj(x)

x(f(x) + g(x)hj(x)) 3,j(|x|) (3)

Vj(x)

x

4,j(|x|) (4)

hj(x) U (5)

for all x D Rn where D is an open neighborhood of theorigin. We denote the region j D as the stability regionof the closed-loop system under the control u = hj(x). Notethat explicit stabilizing control laws that provide explicitly

defined stability regions j for the closed-loop system havebeen developed using Lyapunov techniques for input-affine

nonlinear systems (see [6], [10], [12]).

We assume that after some known time tf the jth controlactuator fails. We note that there exists a horizon tf t0sufficiently large such that the controller h0(x) can force thesystem into the stability region j by the time tf startingfrom any initial state x(t0) 0 (more precisely, it willdrive the system to the intersection between j and 0).We also assume that V0 = V1 = = Vm = V .By continuity and the local Lipschitz property assumed

for the vector fields f and G, the manipulated inputs u isbounded in a convex set, and the continuous differentiable

property of the Lyapunov function V , there exists positiveconstants M and Lx such that

|f(x) +G(x)(u+ u)| M (6)

V

x(f(x) +G(x)(u+ u))

V

x(f(x) +G(x)(u+ u))

Lx |x x| (7)

for all x, x j and u+ u U .

III. PROACTIVE FAULT-TOLERANT MPC

In this section, we introduce the proposed proactive fault-

tolerant Lyapunov-based model predictive controller and

prove practical stability of the closed-loop system of Eq. 1

with the proactive fault-tolerant LMPC.

A. Implementation strategy

The implementation strategy is as follows: from t0 to tf ,the LMPC with sampling period and prediction horizon Nrecomputes optimal control actions at every sampling period

by solving an on-line optimization problem while accounting

for the actuator fault that occurs at tf . It does so by workingto drive the system into the stability region j by thetime tf . After the fault renders the jth actuator inactive, theproactive fault-tolerant LMPC drives the system to the origin

using its available (remaining) m 1 actuators.With this implementation strategy, we point out that the

key difference between this proactive approach to dealing

with actuator faults and reactive fault tolerant control is

that when there is an incipient fault it may be necessary

to expend more control energy to drive the system to the

stability region j before the jth control actuator failscompared to a controller which does not account for an

upcoming fault. This guarantees the remaining m1 controlactuators can stabilize the system after the fault occurs.

This strategy differs from reactive fault tolerant control that

cannot proactively drive the system to a region whereby

stability is guaranteed after the jth actuator fails. After a faultoccurs and has been identified with reactive fault-tolerant

control, the closed-loop system may lose stabilizability with

the remaining control actuators. We note that we are not

introducing a fault-tolerant control scheme that can replace

classical reactive fault-tolerant control shemes that deal with

any type (potentially unexpected) fault.

B. Formulation

We formulate an LMPC based on the conceptual frame-

work proposed in [14], [17] for use as a proactive fault-

tolerant controller. The LMPC is based on the Lyapunov-

based controllers h0(x) and hj(x) because the controllersare used to define a stability constraint for the LMPC

which guarantees that the LMPC inherits the stability and

robustness properties of the Lyapunov-based controllers. The

proactive fault-tolerant LMPC is based on the following

optimization problem:

5141

minuS()

tk+Ntk

[|x()|Qc + |u()|Rc ]d (8a)

s.t. x(t) = f(x(t)) +G(x(t))(u(t) + u(t)), (8b)

u(t) U, (8c)

uj(t) =

{0, if t < tf ,

uj(t), if t tf ,(8d)

x(tk) = x(tk), (8e)

V

x(f(x(tk)) +G(x(tk))u(tk))

V

x(f(x(tk)) +G(x(tk))h0(x(tk))) ,

if tk+1 < tf , (8f)

V

x(f(x(tk)) +G(x(tk))u(tk))

V

x(f(x(tk)) +G(x(tk))hj(x(tk))) ,

if tk+1 tf (8g)

where S() is the family of piece-wise constant functionswith sampling period , N is the prediction horizon of theLMPC, u(t) is the actuator fault trajectory, x(t) is the statetrajectory predicted by the model with manipulated input

u(t) computed by the LMPC. The optimal solution of theoptimization problem of Eq. 8 is denoted by u(t|tk) and isdefined for t [tk, tk+N ).In the optimization problem of Eq. 8, the first constraint

of Eq. 8b is the nonlinear system of Eq. 1 used to predict

the future evolution of the system. The constraint of Eq.

8c defines the control energy available to all manipulated

inputs. The constraint of Eq. 8d is the fault of the jth controlactuator that cause the actuator to be unusable for t tf . Theconstraint of Eq. 8e is the initial condition of the optimization

problem. The constraints of Eq. 8f and 8g ensure that over

the sampling period t [tk, tk +) the LMPC computes amanipulated input that decreases the Lyapunov function by

at least the rate achieved by the Lyapunov-based controllers

h0(x) when tk+1 < tf and hj(x) when tk+1 tf when theLyapunov-based controllers are implemented in a sample-

and-hold fashion. We note that in the optimization problem

of Eq. 8 the time instance that is used to determine which

Lyapunov-based constraint to use is tk+1 to account for afault that may occur between two sampling times. In this

manner, the controller is proactively regulating the closed-

loop system trajectory.

C. Stability analysis

In this section, we provide sufficient conditions whereby

the proactive fault-tolerant controller of Eq. 8 guarantees

practical stability of the closed-loop system. Theorem 1

below provides sufficient conditions such that the proactive

fault-tolerant LMPC guarantees that the state of the closed-

loop system is always bounded and is ultimately bounded in

a small region containing the origin.

Theorem 1: Consider the system in closed-loop under

the proactive fault-tolerant LMPC design of Eq. 8 based

on controllers hj(x), j = 0, 1, . . . ,m that satisfies the

Fig. 1: Process flow diagram of the reactor and separator

chemical process.

TABLE I: Notation used for the process parameters and

variables.

CAj0 Concentration of A in the feed stream to vessel j, j = 1, 2Ci,j Concentration of species i, i = A,B,C in vessel j, j =

1, 2, 3Ci,r Concentration of species i, i = A,B,C in the recycle

streamTj0 Temperature of the feed steam to vessel j, j = 1, 2Tj Temperature in vessel j, j = 1, 2, 3Tr Temperature in the recycle streamFj0 Flow rate of the feed stream to vessel j, j = 1, 2Fj Flow rates of the effluent stream from vessel j, j = 1, 2, 3Fr Flow rate of the recycle streamFp Flow rate of the purge streamVj Volumes of vessel j, j = 1, 2, 3Ek Activation energy of reaction k, k = 1, 2kk Pre-exponential factor of reaction k, k = 1, 2Hk Heat of reaction k, k = 1, 2Hvap Heat of vaporizationi Relative volatilities of species i, i = A,B,C,DMWj Molecular weights of species i, i = A,B,C,DCp Heat capacityR Gas constant

conditions of Eqs. 2-5. Let > 0, 0 > 0, 0 > s,0 > 0,j > 0, and j > s,j > 0 satisfy:

3,0(12,0(s,0)) + LxM 0/ (9)

3,j(12,j(s,j)) + LxM j/ (10)

If x(t0) 0 , min j and tf t0 is sufficiently largesuch that x(tf ) j , then the state x(t) of the closed-loop system is always bounded and is ultimately bounded in

min where min = max{V (x(t+)) : V (x(t)) s,j}.We refer the reader to [11] for a detailed proof of Theorem

1.

IV. APPLICATION TO A CHEMICAL PROCESS

Consider a three vessel, reactor-separator chemical process

consisting of two CSTRs in series followed by a flash tank

separator as shown in Figure 1. Two parallel first-order

reactions occur in each of the reactors that have the form:

Ar1 B

Ar2 C

where B is the desired product and C is an undesired by-product. Each reactor is supplied with a fresh stream of

the reactant A contained in an inert solvent D. A recyclestream is used to recover unreacted A from the overheadvapor of the flash tank and feed it back to the first CSTR.

5142

TABLE II: Process parameter values.

T10 = 300, T20 = 300 KF10 = 5, Fr = 1.9, Fp = 0 m3/hrCA10 = 4, CA20 = 3 kmol/m

3

V1 = 1.0, V2 = 0.5, V3 = 1.0 m3

E1 = 5 104, E2 = 5.5 104 kJ/kmolk1 = 3 106, k2 = 3 106 1/hrH1 = 5 104, H2 = 5.3 104 kJ/kmolHvap = 5 kJ/kmolCp = 0.231 kJ/kg KR = 8.314 kJ/kmol K = 1000 kg/m3

A = 2, B = 1, C = 1.5, D = 3 unitlessMWA =MWB =MWC = 50, MWD = 18 kg/kmol

Some of the overhead vapor from the flash tank is condensed,

and the bottom product stream is removed. All three vessels

are assumed to have static holdup and are equipped with a

jacket to supply/remove heat from the vessel. The dynamic

equations describing the behavior of the system, obtained

through material and energy balances under standard mod-

eling assumptions, are given below:

dT1

dt=F10

V1(T10 T1) +

Fr

V1(T3 T1) +

H1

Cpk1e

E1RT1 CA1

+H2

Cpk2e

E2RT1 CA1 +

Q1

CpV1(11)

dCA1

dt=F10

V1(CA10 CA1) +

Fr

V1(CAr CA1) k1e

E1RT1 CA1

k2eE2RT1 CA1 (12)

dCB1

dt=

F10

V1CB1 +

Fr

V1(CBr CB1) + k1e

E1RT1 CA1 (13)

dCC1

dt=

F10

V1CC1 +

Fr

V1(CCr CC1) + k2e

E2RT1 CA1 (14)

dT2

dt=F1

V2(T1 T2) +

F20

V2(T20 T2) +

H1

Cpk1e

E1RT2 CA2

+H2

Cpk2e

E2RT2 CA2 +

Q2

CpV2(15)

dCA2

dt=F1

V2(CA1 CA2) +

F20

V2(CA20 CA2) k1e

E1RT2 CA2

k2eE2RT2 CA2 (16)

dCB2

dt=F1

V2(CB1 CB2)

F20

V2CB2 + k1e

E1RT2 CA2 (17)

dCC2

dt=F1

V2(CC1 CC2)

F20

V2CC2 + k2e

E2RT2 CA2 (18)

dT3

dt=F2

V3(T2 T3)

HvapFrm

CpV3+

Q3

CpV3(19)

dCA3

dt=F2

V3(CA2 CA3)

Fr

V3(CAr CA3) (20)

dCB3

dt=F2

V3(CB2 CB3)

Fr

V3(CBr CB3) (21)

dCC3

dt=F2

V3(CC2 CC3)

Fr

V3(CCr CC3) (22)

where the notation is defined in Table I and the process

parameter values are given in Table II.

To model the separator, we assume that the relative volatil-

ity of each species remains constant within the operating

temperature range of the flash tank and that the amount of

reacting material in the separator is negligible. The following

algebraic equations model the composition of the overhead

stream of the separator:

CAr =ACA3

K, CBr =

BCB3

K, CCr =

CCC3

K(23)

K = ACA3MWA

+ BCB3

MWB

+ CCC3

MWC

+ DxD (24)

Frm =Fr

MWD[ CA3MWA CB3MWB CC3MWC

+ (CA3 + CB3 + CC3)MWD ] (25)

where xD is the mass fraction of the solvent in the flash tankliquid holdup and Frm is the recycle molar flow rate.The process has four manipulated input variables: the heat

supplied/removed for each vessel and the inlet flow rate F20to the second reactor. The available control energy is |Qi| 3 105 kJ/hr, i = 1, 2, 3 and 0 F20 10m

3/hr. Thecontrol objective we consider is to drive the system to the

unstable steady-state:

xTs = [T1 CA1 CB1 CC1 T2 CA2 CB2 CC2 T3 CA3 CB3 CC3]= [370 3.32 0.17 0.04 435 2.75 0.45 0.11 435 2.88 0.50 0.12]

while proactively accounting for an incipient fault in the heat

input/removal actuator that renders Q2 = 0 kJ/hr at t =0.051hr.To design the Lyapunov-based controller h(x), we con-

sider a quadratic Lyapunov function V (x) = xTPx withP = diag([20 103 103 103 10 103 103 103 10 103 103 103])and design the controller h(x) as three PI controllers withproportional gains Kp1 = 5000, Kp2 = 7000, Kp3 = 7000and integral time constants I1 = I2 = I3 = 10 based onthe deviation of temperature measurements of T1, T2, andT3 from their respective steady-state temperature values. Thefeed flow rate into the second reactor is set to be a constant

F20 = 5 kmol/m3 in the controller h(x). The auxiliary

controller h(x) is used in the design of a proactive fault-tolerant LMPC of Eq. 8 with weighting matrices chosen to

be Qc = P , R = diag([51012 51012 51012 100]),

prediction horizon of N = 6, and sampling period of = 0.005 hr = 18 sec. The LMPC optimization problemof Eq. 8 is solved at each sampling period using IPOPT [21].

We implement the proactive fault-tolerant LMPC on the

reactor-separator chemical process of Eq. 11. To compare

the proactive fault-tolerant controller with the closed-loop

system without proactive fault-tolerant control, we imple-

ment another LMPC that does not account for the fault. The

reactor-separator system is initialized at the stable steady-

state T1 = T2 = T3 = 301 K, CA1 = 3.58, CA2 = 3.33,CA3 = 3.50, CB1 = CB2 = CB3 = 0, and CC1 =CC2 = CC3 = 0, and we consider a fault in the heatsupplied to/removed from CSTR2 that renders Q2 = 0 fort 0.051 hr. The results of two one hour closed-loopsimulations are shown in Figures 2-4. Figure 2 shows a

plot of the input trajectories for (a) the closed-loop system

without accounting for the fault and (b) the closed-loop

system with the proposed proactive fault-tolerant LMPC

from t = 0 hr to t = 0.3 hr to better highlight thedifferences between the two types of controllers. Figure 3

shows the closed-loop system evolution with LMPC, but

without accounting for the fault and Figure 4 shows the

closed-loop system evolution with the proposed proactive

fault-tolerant LMPC.

From Figure 2, we observe that the proactive fault-tolerant

LMPC feeds more reactant into CSTR2 leading up to the

5143

0 0.05 0.1 0.15 0.2 0.25 0.34567

F20

[m3/hr]

0 0.05 0.1 0.15 0.2 0.25 0.3024

Q1

105

[kJ/h

r]

0 0.05 0.1 0.15 0.2 0.25 0.3024

Q2

105

[kJ/h

r]

0 0.05 0.1 0.15 0.2 0.25 0.3024

Q3

105

[kJ/hr]

Time [hr]

(a)

0 0.05 0.1 0.15 0.2 0.25 0.34567

F20

[m3/hr]

0 0.05 0.1 0.15 0.2 0.25 0.3024

Q110

5

[kJ/hr]

0 0.05 0.1 0.15 0.2 0.25 0.3024

Q210

5

[kJ/hr]

0 0.05 0.1 0.15 0.2 0.25 0.3024

Q310

5

[kJ/hr]

Time [hr]

(b)

Fig. 2: The closed-loop input trajectories: (a) without proac-

tive fault-tolerant control and (b) with the proposed proactive

fault-tolerant LMPC. The fault renders Q2(t) = 0 for t 0.051 hr.

fault compared to the closed-loop system without proactive

fault-tolerant control. In this manner, the proactive controller

is taking advantage of the exothermic reaction to increase the

temperature in CSTR2 before the fault happens. Furthermore,

we see that the proactive controller shuts off the manipulated

input Q2 the sampling time before the fault occurs and usesonly the feed flow rate into CSTR2 to bring the temperature

and species concentrations of CSTR2 to the desired set-

points. From Figure 3 and 4, the post-fault behavior of

these two control strategies is observed. The closed-loop

system without proactive fault-tolerant control settles on an

offsetting steady-state; whereas, the closed-loop system with

the proposed proactive fault-tolerant LMPC settles at the

desired steady-state.

V. CONCLUSION

In this work, we proposed a proactive fault-tolerant

Lyapunov-based MPC that can account for a known future

fault and work for complete fault rejection. We proved

practical stability of a closed-loop nonlinear system with

the proposed proactive fault-tolerant LMPC. The proposed

controller was demonstrated through a chemical process con-

sisting of two CSTRs in series followed by a flash separator.

The simulated process demonstrated that the proactive fault-

tolerant LMPC was able to achieve practical stability of the

closed-loop system.

REFERENCES

[1] R. Billinton and R. N. Allan. Reliability evaluation of engineeringsystems: concepts and techniques. Discrete Applied Mathematics,8:213214, 1984.

[2] M. Castro and B. Liskov. Practical byzantine fault tolerance andproactive recovery. ACM Transactions on Computer Systems, 20:398461, 2002.

[3] D. Chilin, J. Liu, X. Chen, and P. D. Christofides. Fault detection andisolation and fault tolerant control of a catalytic alkylation of benzeneprocess. Chemical Engineering Science, 78:155166, 2012.

[4] D. Chilin, J. Liu, J. F. Davis, and P. D. Christofides. Data-basedmonitoring and reconfiguration of a distributed model predictive con-trol system. International Journal of Robust and Nonlinear Control,22:6888, 2012.

[5] P. D. Christofides, J. F. Davis, N. H. El-Farra, D. Clark, K. R. D.Harris, and J. N. Gipson. Smart plant operations: Vision, progressand challenges. AIChE Journal, 53:27342741, 2007.

[6] P. D. Christofides and N. H. El-Farra. Control of Nonlinear andHybrid Process Systems: Designs for Uncertainty, Constraints and

Time-Delays. Springer-Verlag, Berlin, Germany, 2005.[7] D. A. Crowl and J. F. Louvar. Chemical process safety: fundamentals

with applications. Prentice Hall, 2001.[8] C. Engelmann, G. R. Vallee, T. Naughton, and S. L. Scott. Proactive

fault tolerance using preemptive migration. In Proceedings of the17th Euromicro International Conference on Parallel, Distributed and

Network-based Processing of IEEE Computer Society, pages 252257,Washington, DC, 2009.

[9] H. K. Khalil. Nonlinear Systems. Prentice Hall, 2002.[10] P. Kokotovic and M. Arcak. Constructive nonlinear control: a historical

perspective. Automatica, 37:637662, 2001.[11] L. Lao, M. Ellis, and P. D. Christofides. Proactive fault-tolerant model

predictive control. AIChE Journal, 2013, in press.[12] Y. Lin and E. D. Sontag. A universal formula for stabilization with

bounded controls. Systems & Control Letters, 16:393397, 1990.[13] J. L. Massera. Contributions to stability theory. The Annals of

Mathematics, 64:182206, 1956.[14] P. Mhaskar, N. H. El-Farra, and P. D. Christofides. Stabilization of

nonlinear systems with state and control constraints using Lyapunov-based predictive control. Systems & Control Letters, 55:650659,2006.

[15] P. Mhaskar, A. Gani, C. McFall, P. D. Christofides, and J. F. Davis.Fault-tolerant control of nonlinear process systems subject to sensorfaults. AIChE Journal, 53:654668, 2007.

[16] P. Mhaskar, C. McFall, A. Gani, P. D. Christofides, and J. F. Davis.Isolation and handling of actuator faults in nonlinear systems. Auto-matica, 44:5362, 2008.

[17] D. Munoz de la Pena and P. D. Christofides. Lyapunov-based modelpredictive control of nonlinear systems subject to data losses. IEEETransactions on Automatic Control, 53:20762089, 2008.

[18] A. B. Nagarajan, F. Mueller, C. Engelmann, and S. L. Scott. Proactivefault tolerance for HPC with Xen virtualization. In Proceedings of the21st Annual International Conference on Supercomputing, pages 2332, New York, NY, USA, 2007.

[19] F. Salfner and M. Malek. Using hidden semi-Markov models for effec-tive online failure prediction. In 26th IEEE International Symposiumon Reliable Distributed Systems, pages 161174, Beijing, China, 2007.

[20] V. Venkatasubramanian, R. Rengaswamy, K. Yin, and S. N. Kavuri.A review of process fault detection and diagnosis: Part I: Quantitativemodel-based methods. Computers & Chemical Engineering, 27:293 311, 2003.

[21] A. Wachter and L. T. Biegler. On the implementation of an interior-point filter line-search algorithm for large-scale nonlinear program-ming. Mathematical Programming, 106:2557, 2006.

[22] Y. Zhang and J. Jiang. Bibliographical review on reconfigurable fault-tolerant control systems. Annual Reviews in Control, 32:229252,2008.

[23] Z. Zhao, F. Wang, M. Jia, and S. Wang. Probabilistic fault prediction ofincipient fault. In Chinese Control and Decision Conference (CCDC),pages 39113915, Mianyang, China, 2010.

5144

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1300

350

400T

1[K

]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1300

350

400

450

T2

[K]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1300

350

400

450

T3

[K]

Time [hr]

(a)

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 12.5

3

3.5

4

CA

[km

ol/

m3]

CSTR1 CSTR2 Separator

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

0.2

0.4

0.6

CB

[km

ol/

m3]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

0.05

0.1

0.15

CC

[km

ol/

m3]

Time [hr]

(b)

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 14567

F20

[m3/hr]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1024

Q1

105

[kJ/hr]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1024

Q2

105

[kJ/h

r]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1024

Q3

105

[kJ/hr]

Time [hr]

(c)

Fig. 3: The closed-loop system state and input trajectories

(solid lines) and set-points (dashed lines): (a) vessel tem-

peratures, (b) species concentrations, (c) manipulated inputs

without proactive fault-tolerant control applied. The fault

renders Q2(t) = 0 for t 0.051 hr.

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1300

350

400

T1

[K]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1300

350

400

450

T2

[K]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1300

350

400

450

T3

[K]

Time [hr]

(a)

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 12.5

3

3.5

4

CA

[km

ol/

m3]

CSTR1 CSTR2 Separator

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

0.2

0.4

0.6C

B[k

mol/

m3]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

0.05

0.1

0.15

CC

[km

ol/

m3]

Time [hr]

(b)

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 14567

F20

[m3/hr]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1024

Q110

5

[kJ/hr]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1024

Q210

5

[kJ/hr]

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1024

Q310

5

[kJ/hr]

Time [hr]

(c)

Fig. 4: The closed-loop state and input system trajectories

(solid lines) and set-points (dashed lines): (a) vessel tempera-

tures, (b) species concentrations, (c) manipulated inputs with

proactive fault-tolerant control applied. The fault renders

Q2(t) = 0 for t 0.051 hr.

5145