Predictive maintenance of actuators in linear systems: A receding horizon set‐theoretic approach

This work is focused on a model predictive control (MPC) based approach for the regulation of systems whose actuators are subject to loss of effectiveness. Such a degradation process, whose evolution is assumed to be measurable and predictable, can lead to actuator breakdown whenever certain thresholds are exceeded. Within this context, if the control problem is defined with ad hoc operational constraints and/or running costs, the intrinsic MPC capability of mitigating faulty events arises. To this end, the proposed control scheme consists of two modules: the first is in charge of performing a prognostic activity on the actuators' health, while the second reconfigures the control law on the basis of the actuators' degradation information. The core of the proposed method relies on modeling healthy and faulty plant configurations via a switching systems paradigm that is instrumental in determining offline sequences of precomputed inner approximations of one‐step ahead controllable sets. Such regions are selected online by a switching logic in order to determine a control signal properly weighted on the basis of the measured actuator degradation level.


INTRODUCTION
The degree of complexity of industrial control systems has progressively increased, so that their management may include ad hoc predictive maintenance tasks in order to preserve the overall integrity. Within this context, the notion of just-in-time predictive maintenance 1 is of interest here and refers to the capability of optimizing the assets repair at the requested time instant. Repairs performed too soon or too late could incur added expenses and/or severe component failures. In order to guarantee the above mentioned properties, it is essential to develop effective supervision and diagnosis methods providing resiliency and fault tolerance. 2,3 According to the variety and severity of faults that may affect a given plant, different levels of performance have to be considered in several fault scenarios. Moving from safe to dangerous regions, degraded performance is often acceptable. In addition, in order to ensure that the closed-loop system is able to track a command input or a reference model/trajectory even in the event of faults, reconfigurable control strategies need to be synthesized to achieve safety and satisfactory performance. 4 Specific attention is here dedicated to the actuators' role, which is crucial within a feedback control system. In fact, the actuator capability to deliver the demanded control action can be affected by degradation phenomena resulting, in the best case, in a performance reduction or, if the stability of the system is lost, in a complete and fatal plant breakdown.
For these reasons, prognostics and health monitoring (PHM) for actuators are gaining interest among researchers. 3,5,6 Among them, a particular focus is related to the determination of the actuators' healthy status in order to estimate their time-to-failure or remaining-useful-lifetime (RUL). 7 The latter quantity can be exploited in a maintenance plan to schedule future interventions to prevent an undesired crash of the monitored device. 8 In a control perspective, the RUL or other PHM information can be used to compensate for the degradation effects of the actuators by smartly balancing the control effort over them. 2,9,10 This is achieved by reconfiguring the control actions so as to preserve the desired dynamic and static performance of the system, as well as its stability, while protracting the life of the actuators until maintenance operations are carried out.
Within this context the model predictive control (MPC) approach seems to be a perfect candidate to properly regulate a plant while smartly distributing control effort on the actuators to achieve fault-tolerant capabilities. 11,12 Such an aspect can be handled in a generic and systematic manner in the MPC design. For this reason, such a strategy has attracted the attention of many researchers focusing on MPC-based FTC schemes, see  The first contribution 13 deals with the thermal damages reduction involving a boiler-turbine system. In this case, the MPC cost contains a term related to the dynamics of the degradation that is described by means of a linearized model. As a result, a substantial reduction in the accumulated damage was observed during a step response simulation, at the cost of some loss of performance. However, the damages depend on the cost function weights, as well as the step magnitude in the control task.
In the second contribution, 14 RUL estimates of increasingly degrading electromechanical actuators have been adopted for an MPC strategy. In order to mitigate the accumulated damage, the predictive controller was in charge of modifying the reference position to an internal control loop with the aim of limiting the transient actuator current. Moreover, the RUL constraint is managed via a soft approach where predicted violations are penalized in the MPC cost function. Anyway, there is no a priori guarantee that the actual constraint on the RUL value is enforced. As in Reference 13, the damage results depend on the tuning of the controller.
The third one 15 takes into consideration mixed logical dynamic expressions to represent hybrid systems. Using this approach, a hybrid model of the system to be controlled is obtained, which includes inherent hybrid phenomena and possible logical modes caused by faults occurrence. This allows one to adapt the system model on-line by taking into account the fault information provided by a fault diagnosis and isolation module. In this way, the controller can cope with the considered faults.
Finally, in Reference 16, the actuator degradation evolution is assumed to have a progress rate proportional to the control effort. The loss of effectiveness occurs when the degradation level overcomes an intermediate threshold. Within this scenario, an MPC control law is adopted that needs to solve a mixed-integer programming problem at each sampling step to deal with binary deviations along with the predictions.
In this article, an MPC strategy with FTC capabilities is proposed to take care of possible loss of actuator effectiveness due to degradation progress. As in Reference 16, the degradation rate is assumed to be proportionally related to the control effort and a modification (gain reduction) of the input map of the plant occurs when a specified threshold is overcome by the deterioration level. Unlike Reference 16, online mixed-integer programming is avoided and most of the computational effort is moved offline by resorting to one-step ahead controllable set concepts developed for a hybrid system paradigm. In particular, a group of system models is derived by considering all possible actuator fault configurations. Then, for each model, a family of one-step ahead controllable sets is determined. Such sets are used during the online operations in a receding horizon strategy aimed at steering the state toward the origin. Moreover, when the plant deviates with respect to its normal behavior, due to the degradation effects, the new corresponding configuration along with the related family of controllable sets is adopted for control purposes. The resulting FT scheme is based on the interactions between two interconnected modules: a PHM unit, being responsible for monitoring the actuator degradation level, and a reconfigurable controller that is designed to adapt its action on the basis of the information conveyed by the PHM block. The main improvement with respect to Reference 16 relies on its reduced computational burden since, as previously stated, any mixed-integer optimization is avoided. Furthermore, feasibility retention can be proved even during the recovery phase occurring when a faulty actuator is repaired/replaced. Finally, it is formally proved that the proposed strategy is able to ensure a minimum guaranteed RUL before a complete actuators' failure.
Preliminary results of this work have been presented in Reference 17, which is here extended in several directions and by adding further contents. In particular,
1. The problem to be solved is introduced in a more formal and exhaustive way.
2. Relevant details are revealed about each stage of the working logic of the proposed control architecture.
3. All the theoretical results include a formal proof and have been presented in a more comprehensive fashion.
4. The simulation section has been enriched by presenting more detailed descriptions.
The article is organized as follows: in Section 2, the problem to be solved is formulated. Section 3 presents the proposed control architecture along with its main property. In Section 4, a simulative example is included to assess the presented methods. Finally, some conclusions end the article.

PROBLEM FORMULATION
Let us consider plants that can be modeled as where x(t) ∈ R n denotes the state, u(t) ∈ R m the input, (t) = [ 1 (t), … , m (t)] ∈ R m collects the degradation values of each actuator evolving as 16 and d(t) ∈ R d represents the process disturbance assumed to be confined into the compact set  containing the origin. Moreover the plant actuator input is subject to some saturation constraints with u max > 0 and  a compact subset of R m containing the origin as an interior point. It is evident from (2) that the actuator deterioration increases for nonzero control inputs. Moreover, the impact of the degradation process on the ith input matrix column B i ( i (t)) ∈ R n is modeled as follows Here B i denotes the nominal input column matrix and the real valued coefficient i , 0 < i < 1, quantifies the loss of ith actuator effectiveness when the degradation reaches the threshold lim,i . In this respect, the following three operative scenarios arise:
1. Normal phase: i < lim,i , the actuator is healthy and is able to work under nominal conditions.
2. Maintenance required phase: lim,i ≤ i ≤ max,i , in this scenario most of the efficiency of the actuator is lost, anyway the stabilizability of the system is guaranteed.
3. Actuator breakdown: i > max,i , the vector max,i ∈ R represents the maximum degradation level that can be tolerated without total breakdown of the actuators. In this situation the stabilizability of the system is no longer guaranteed.
In view of the above envisaged scenarios, it is worth observing that the degradation process is itself not reversible. Anyway, an external fix procedure is nevertheless possible for the generic ith actuator during the system operations that basically resets its i degradation value to be lower than lim,i .
Moving from these considerations, we can define the following specific state space configurations of the original plant (1), each one related to fault occurrences of a subset of actuators  j ⊂ {1, m} where Moreover, it is assumed that for each realization of B j , (A, B j ) is a stabilizable pair. Model (5) represents a particular system configuration where a single or multiple actuators are partially available so that only the remaining healthy input devices belonging to {1, m} ⧵  j and associated with the input map B j are in charge of driving the plant. In this way, all admissible system configurations can be abstractly collected into a switching system where a logical rule that orchestrates the switching among 3 m − subsystems (5):
Remark 1. Faulty model (4) is used in particular to model stuck faults, see, for example, Reference 18. In a more general case, the switching rule (4) can be seen as a workaround to approximate by quantization a continuous (and possibly nonlinear) loss of effectiveness fault generated by increasing the degradation level of the actuators. Better approximations could be achieved by using additional quantization levels, at the cost of an increase in the number of subsystem configurations (A, B j ).

THE FAULT TOLERANT CONTROL SCHEME FOR PREDICTIVE MAINTENANCE OPERATIONS (PM-FTC)
The proposed solution for the MOFTC problem is based on set-theoretic ideas (see Reference 19 for a comprehensive tutorial) tailored to a control framework in order to deal with fault occurrences. The main design step consists of determining offline, for each mode j of the switching system (6), a family of one-step ahead controllable sets. Then, during the online operations, whenever the prognostic module detects a loss of effectiveness in the actuators and the related jth mode is selected, the model-based controller exploits the related sets family to compute a command input via the receding horizon strategy developed in Reference 20. While the discrimination task among the given l ∶= 3 m − system modes is quite easy, because the degradation signals i are assumed to be perfectly known, the control reconfiguration task is quite critical, as it involves a switching (j → h, j ≠ h) in the model exploited by the control law and, as a consequence, the closed-loop stability and constraints fulfillment could be invalidated if proper operations are not correctly performed.
To deal with such an issue, we propose the control architecture presented in Figure 1 and composed of two modules: (1) a prognostic module where m detector units are in charge of monitoring actuators health and a switching logic that defines the current system mode ( (⋅)) on the basis of actuators status and the operating scenario (s(⋅)) for the controller, respectively; (2) a reconfigurable control unit that determines a control input u(t) on the basis of the system configuration (t) and one of the operating status s(t) ∈ {HEALTHY, FAULTY, RECOVERY} to be clarified in the next sections.

Controllable set sequences for switching systems
The crucial task in the design of the proposed strategy is concerned with the determination of families of one-step ahead controllable sets for each system configuration (6) j, that is, with N ∈ Z + denoting the last level for the sequence growth (please refer to Reference 19 for detailed notation).

FIGURE 1 The AFTC strategy scheme
Such a notion in the present context needs to be generalized to take into account possible safe transitions from healthy to faulty configuration and vice versa. To this end, it is worth observing that at each time instant t, the control input u(t) is computed by using the active mode j = (t) and the related sets family In this situation, if a system configuration modification j ← h occurs, because of faulty/recovery event, the application of this command could produce one-step ahead state evolution x(t + 1) not belonging to any element of the sequences The above stated considerations motivate the determination of controllable set sequences as follows: where It is worth noticing that recursions (8) relate to the computations of the set sequence associated to the healthy condition (j = 0) and take into account all the possible fault occurrences in order to guarantee healthy-to-faulty transitions. In other words, starting from a generic state x ∈  0 k and by applying the corresponding computed command input u(x), the requirements in (8) guarantee that the one-step state evolution x(t + 1) will belong to  0 k−1 or to some of  j k−1 under a fault occurrence: this essentially ensures a healthy-to-faulty transition. In this respect, Figure 2 depicts for better clarification an illustrative scenario of healthy-to-faulty transitions of two systems configurations. There, the state estimate x belongs to  0 2 and the command input u is computed on the basis of the healthy model configuration ( = 0). When u is applied to (1), two situations could occur: (i) No damages (Figure 2 continuous path): The model configuration of (1) is not modified so that the one-step state evolution x(t + 1) is driven to  0 1 thanks to the set-membership requirement: x(t + 1) ∈  1 1 because of the requirement in (8)

FIGURE 2 Healthy-to-faulty transitions
On the other hand, faulty-to-healthy transition will take place in a safe way thanks to the following set inclusions that hold true by construction thanks to the structure of both recursions (8) and (7). Then, when a recovery from the jth fault configuration occurs, the computed command u(t) will drive the state evolution x(t) toward  j 0 . Then, (9) guarantees that, in a finite time t, t ≥ 1, x(t + t) will belong to  j N ∩  0 k for some k ≥ 0 so the controller can be reconfigured to compute command input by exploiting the nominal sets family

Furthermore, it is worth noticing that in recursions (7) the damaged actuators u i , i ∈  j are further constrained to belong to the restricted set  i in order to guarantee a minimum and fixed remaining useful time 21 within the jth system configuration. The following proposition specifies this aspect in a more formal way.

Proposition 1. Let the degradation laws (2) be given within the maintenance phase, that is, i (t ′ ) ≥ lim,i for some t ′ > 0. Then, if the control input u i (t) for the ith actuator is maintained within  i for t ≥ t ′ , the minimum guaranteed remaining lifetime before a total breakdown is given by

Proof. The proof is trivial and consists of determining the time instant k ′ needed to reach max,i starting from lim,i when applying a constant input u i (t) ≡ū i (maximum magnitude), then From the latter equation, by imposing that i (k ′ ) = max,i , one obtains Then, the proposition statement directly follows. ▪

Finally, the determination to be performed offline of the terminal regions  j 0 , j = 0, 1, … , l, with related control gains K j , j = 0, 1, … , l, are here introduced by considering the system dynamics (6). It can be performed by exploiting switching stability arguments and technicalities proposed in References 22 and 23:

Proposition 2. Given the switching system (6), there exist pairs ( j 0 , K j ), j = 0, 1, … , l, with  j 0 ≠ ∅ robustly invariant sets with associated K j stabilizing state feedback control laws for each model configuration of (6) complying with the input constraints (3), if the following set-valued inclusions are satisfied: and

Proof. See the Appendix. ▪

Prognostic module
The logic underlying the prognostic module depicted in Figure 1 is here presented. A bank of m monitoring devices provides the degradation signals of the actuators to a switching logic that exploits such information to perform the task of determining the active mode (t) of the system (6) and to establish the operating status s(t) for the control unit. In this way, at the control level, a family of controllable set sequences can be properly selected in order to compute an admissible control action. In particular the switching signal (t) is given by (t) = j, if  j collects damaged actuators only (16) and the intrinsic switching logic follows the semantics of the state automaton depicted in Figure 3 that is hereinafter outlined:
• Whenever one or more actuators are damaged, that is, i (t) > lim,i for some j ∈ {1, m}, a transition from healthy status to faulty status takes place. In this scenario, according to Proposition 1 a complete breakdown of some actuators can occur after at least MGRUL i time instants. Then, any repairing procedure should be accomplished within this time interval.
• If no actuators are damaged, that is, i (t) ≤ lim,i for all i ∈ {1, m} and if the current state x(t) belongs to some set of the family { 0 k } N 0 k=0 , then a transition from faulty to healthy status can be triggered. This rule can be fully understood in view of the fact that in healthy mode, the control unit determines the control actions by means of the nominal sets family { 0 k } N k=0 . Anyway, since in the faulty status the control unit is instructed to maintain the state x(t) into the controllable set sequence { when the involved actuators belonging to  j are repaired and their degradation signals are reset to default values. So, in this scenario the switching logic reconfigures the control unit in order to work in the recovery status until condition becomes true.
• A transition to healthy status is triggered from the recovery status after positive checking of condition (17). Nevertheless, a transition to faulty status is still possible if a new actuator is damaged.
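
The switching logic outlined in the list above, as an added Python example (not code from the article). The linear degradation update standing in for law (2), the numeric constants, the single ellipsoid used in place of the nominal sets family, and all function and field names are assumptions made here for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    HEALTHY = "HEALTHY"
    FAULTY = "FAULTY"
    RECOVERY = "RECOVERY"


@dataclass(frozen=True)
class Actuator:
    delta_lim: float  # degradation level at which loss of effectiveness starts
    delta_max: float  # degradation level of total breakdown
    gamma: float      # ASSUMED degradation rate per unit of |u|
    u_bar: float      # magnitude bound imposed on a damaged actuator


def degrade(delta, u, act):
    """ASSUMED form of the degradation law: growth proportional to |u|."""
    return delta + act.gamma * abs(u)


def remaining_steps_bound(delta, act):
    """Steps needed to go from delta to delta_max at |u| = u_bar (assumed law).
    With delta = delta_lim this is the quantity Proposition 1 bounds."""
    return (act.delta_max - delta) / (act.gamma * act.u_bar)


def damaged_set(deltas, acts):
    """Indices of actuators whose degradation exceeds delta_lim."""
    return frozenset(i for i, (d, a) in enumerate(zip(deltas, acts))
                     if d > a.delta_lim)


def in_ellipsoid(x, P, level=1.0):
    """Membership test x^T P x <= level for a 2-D state."""
    q = (x[0] * (P[0][0] * x[0] + P[0][1] * x[1])
         + x[1] * (P[1][0] * x[0] + P[1][1] * x[1]))
    return q <= level


def switching_step(status, deltas, acts, x, in_nominal_family):
    """One update of the prognostic module: returns (damaged set, status)."""
    damaged = damaged_set(deltas, acts)
    if damaged:
        # Any damaged actuator forces FAULTY, also from RECOVERY.
        return damaged, Status.FAULTY
    if in_nominal_family(x):
        # No damage and state inside the nominal family: HEALTHY.
        return damaged, Status.HEALTHY
    if status is Status.HEALTHY:
        # The automaton has no HEALTHY -> RECOVERY edge; flag it.
        raise ValueError("healthy status with state outside nominal family")
    # Repaired, but the state must first be steered into the nominal family.
    return damaged, Status.RECOVERY


def replay(trace, acts, in_nominal_family):
    """Run the switching logic over (deltas, x) samples, starting HEALTHY."""
    status, out = Status.HEALTHY, []
    for deltas, x in trace:
        damaged, status = switching_step(status, deltas, acts, x,
                                         in_nominal_family)
        out.append((sorted(damaged), status.value))
    return out


# Constructed sample data (not taken from the article's simulations).
ACTS = [Actuator(delta_lim=0.5, delta_max=1.0, gamma=0.01, u_bar=0.5)]
P_NOMINAL = [[1.0, 0.0], [0.0, 4.0]]  # stand-in for the nominal sets family


def nominal(x):
    return in_ellipsoid(x, P_NOMINAL)


TRACE = [
    ([0.2], (0.5, 0.2)),   # healthy operation
    ([0.6], (0.9, 0.4)),   # threshold exceeded: fault
    ([0.7], (1.2, 0.3)),   # still damaged
    ([0.0], (1.2, 0.3)),   # repaired, state outside nominal family
    ([0.0], (0.6, 0.1)),   # state steered inside nominal family
    ([0.55], (0.3, 0.1)),  # second fault
    ([0.0], (0.3, 0.1)),   # repaired with state already inside
]

if __name__ == "__main__":
    for step, (mode, status) in enumerate(replay(TRACE, ACTS, nominal)):
        print(step, mode, status)
    print("steps before breakdown at u_bar:",
          remaining_steps_bound(ACTS[0].delta_lim, ACTS[0]))
```

The last two samples reproduce the direct faulty-to-healthy transition, which applies when the state is already inside the nominal family at repair time.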

MPC based control unit design
The operations of the control unit depicted in Figure 1 are here described in the following algorithm that takes as input the pair ( (t), s(t)) conveyed by the prognostic module and implements the receding horizon control approach based on the arguments presented in Section 3.1. Please notice that the running costs used in the previous algorithm are chosen according to the following prescriptions:
• J 0 (u) ∶= ||u|| 2 Q 0 is adopted to safeguard the actuators health while steering the state into the successor set  0 k(t)−1 .
is used in order to postpone as much as possible further damages in healthy actuators not belonging in  j while steering the state into the successor set  j k(t)−1 . Observe that, according to Proposition 1, constraints (21) ensure a certain amount of time MGRUL j before a complete failure of at least one damaged actuators in  j .
, in order to speed up the steering process of x(t) into  0 N so that the healthy status can be activated. (2) is the same considered in Reference 16 and evolves whenever the control input is nonzero in a way that depends on its amplitude only. However, more sophisticated degradation laws can be considered with slight modifications of the solution control scheme. In this respect, it is important to remark that the proposed control strategy does not strictly depend on this specific degradation model but it can be adapted to generic monotonically increasing degradation signal.

Properties
The main properties of the PM-AFTC algorithm are summarized in the following proposition.

    u(t) ← K (t) x(t)
12: else
13:
14: end if
15: goto 22
16: RECOVERY:
17: if i(t) = 0 then
18:     u(t) ← K (t) x(t)
19: else
20:
21: end if
22: apply u(t) to the plant (1);
23: set t ← t + 1;
24: goto 1

Proof. The proof is aimed at showing that while the state x(t) is into x(0) ∈ ⋃ l j=0  j N a solution at time t + 1 is always ensured to exist through the resolution of one of the optimization problems in steps 6, 13, and 20 of Algorithm 1. To this end, it is worth discriminating four possible scenarios: (i) if at the generic instant t, s(t) = healthy and the state x(t) ∈  0 k(t) , an input vector u complying with constraints (3) ensuring Ax(t) + Bu belongs to  0 k(t)−1 can be selected by solving the optimization program in step 6 of Algorithm 1, that in this case is feasible by construction of (8); (ii) if a jth configuration fault occurs, s(t) is modified to faulty and by construction of the sequence  0 k the state evolution Ax(t) + Bu will belong to  (iv) a further possible situation is represented by the case where s(t) = recovery, (t) = 0 and x(t) ∉  0 N . Even in this case recursions (7) guarantee the existence of a command vector u such that Ax(t) + Bu ∈  j k(t)−1 or to  0 N . ▪

ILLUSTRATIVE EXAMPLE
In order to assess the proposed approach, we consider a discrete-time unstable system having the same structure (1) and identified by the following matrices where the sampling time is T s = 0.02 s. The degradation process involving the unique actuator is modeled as in (2)

Case study 1
In order to emphasize the benefits of the proposed approach, a comparison has been performed with similar RHC schemes not owning fault-tolerant capabilities and designed in the following way:
• MPC 1 : This is a predictive controller that considers neither the degradation dynamics nor any fault occurrence. It consists of the control unit designed in Section 3 and operated online with constant switching signals (t) ≡ 0 and s(t) = healthy. The solved control problem coincides with (19) with running cost J R (x, ).
• MPC 2 : In this case, the predictive controller takes into account degradation dynamics in the cost only but it is not able to explicitly deal with fault occurrences. It consists of the control unit designed in Section 3 and operated online with constant switching signals (t) ≡ 0 and s(t) = healthy. The solved control problem coincides with (19) with running cost J 0 ( ).
Simulation results are depicted through Figures 4-6. From these figures, it is evident that the considered counterpart schemes are not able to accomplish the control goals. In fact the MPC 1 presents an aggressive behavior ( Figure 5 (top)). Then, the actuator degradation growth reaches the lim value in a very short time ( Figure 5 (middle)) and there is no way for the controller to keep the state inside its domain of attraction (DoA)  60 0 , as depicted in Figure 4, even if the actuator were repaired because the feasibility of the scheme is irreversibly lost. As a consequence, the simulation is stopped.
The MPC 2 controller behaves in a similar way (see Figures 4 and 5). Anyway, in this case, the degradation growth is significantly delayed thanks to the modified running cost. On the contrary, a different scenario arises when the proposed PM-AFTC scheme is adopted. In particular, the control goals are successfully achieved and the state is steered toward the origin (Figure 4) despite fault events occurring at time instants t = 0.68 s, t = 2.21 s. Moreover, from Figure 6 it is possible to observe that after the first fault occurrence (Figure 6B), the state is steered along the sets of the family {  1 k } 118 k=0 , successor to  85 1 (Figure 6C). The same controllable set sequence is used even after the repair/replace occurrence at time t = 0.99[s] (Figure 6B) because the state x(0.99) does not belong to  0 60 (Figure 6C). Then, few time instants are spent into the recovery status (Figure 6D) in order to steer x(t) into  0 60 so that the healthy status is activated at time instant t = 1.04. Then, a second fault occurs after 1.14 seconds and even in this case the switch to the faulty status is performed. Also in this case, after the actuator repair, the healthy status is instantly activated because the state x(2.64) is already contained into  0 60 .

Case study 2
A second comparison has been performed with the RHC scheme of Vieira et al. 16 that explicitly takes into account in the online optimization problem the degradation on the input matrix B in Equation (5) by means of mixed-integer slack variables. In Figure 7, the DoA of such a scheme is compared, for different values of the prediction horizon N, with our proposed scheme obtained by considering the sets union depicted in Figure 4. The significantly "lower size" of the DoA of the contrasted method is mainly due to the presence of a terminal constraint imposing that the final predicted state is equal to 0. A further reason is that this approach is not able to manage a recovery phase of the broken actuator.
The comparison analysis has been carried out also in terms of control performance by simulating our approach and the Vieira et al. 16 method, N = 20 case, starting from an admissible initial condition x(0) = [−0.26, 2.89] T , (0) = 0.2. In this respect, the simulation results can be observed in Figure 8. Clearly, the method of Vieira et al. 16 outperforms our method as it is able to steer the state to 0 in a shorter time without exceeding the fault threshold lim,i . Anyway, such performance requires a significant computational burden (see Table 1) that makes this method impractical in many applications. On the contrary, the PM-AFTC, although behaving in a worse way, needs a very low amount of CPU time to perform the online computations.

CONCLUSIONS
In this work, a receding-horizon-based control strategy has been presented for dealing with loss of actuator effectiveness. To this end, the degradation effect of actuators has been assumed to be proportional to the control effort. Within this context, the loss of effectiveness occurs when the deterioration level overcomes a threshold placed between nominal working range and complete actuator breakdown. A fault-tolerant control strategy with reconfiguration capabilities has been proposed for linear discrete-time systems subject to input constraints. The key idea was to exploit set-invariance notions to design a control architecture to properly manage actuator fault occurrences.

APPENDIX. PROOF OF PROPOSITION 1
We will suppose that the structure of the terminal set is and we want to derive a set of matrix inequalities under which the state invariance condition the sets inclusion and input constraints condition are verified. The condition (A2) translates into the following implication where In terms of the vector [ x T d T ] T , the right-hand side of (A5) can be rewritten as The same can be done for the left hand term inequalities of (A5) Thanks to S-procedure arguments, the validity of (A6)-(A8) reduces to the satisfaction of which turns out to be satisfied if the following LMIs hold true Finally, the inequality (A9) can be turned into via standard congruence transformation.
The sets inclusion condition (A3) can be managed quite easily due to the ellipsoidal structure of  j 0 , j = 0, … , l. By considering the related shaping matrices P j 0 we have Let us now consider the input constraints inequality (A4) which is equivalent to the following implication where K i j denotes the ith row of K j and, via S-procedure arguments, we have that are satisfied if and