Abstract—Model Predictive Control (MPC) has the ability to cope with hard constraints on control and state. It has, therefore, been widely applied in most industries, especially the petrochemical industry. Dynamic Safety Margin (DSM) is a performance index that measures the distance between a predefined safety boundary in state space, described by a set of inequality constraints, and the system trajectory as it evolves. Designing MPC based on DSM is especially important for safety-critical systems, which must maintain a predefined margin of safety during transients and in steady state. In this work, MPC based on DSM is used in fault tolerant control (FTC) design. The proposed FTC method is suitable for single- and multi-model systems, depending on the fault type and the available fault information. It can compensate for missing information about the fault and for uncertainties in the faulty model.
I. INTRODUCTION
A fault tolerant control (FTC) system is a control system that can accommodate system component faults and is able to maintain stability and an acceptable degree of performance not only when the system is fault-free but also when there are component malfunctions [5]. FTC prevents faults in a subsystem from developing into failures at system level. FTC system design techniques can be classified as passive and active (PFTC and AFTC) [4]-[6]. In PFTC, a system may tolerate only a limited number of faults, which are assumed to be known prior to the design of the controller. Once the controller is designed, it can compensate for anticipated faults without any access to on-line fault information. A PFTC system treats the faults as if they were sources of modeling uncertainty [5]. AFTC either compensates for the effect of faults by selecting a pre-computed control law, or by synthesizing a new control law in real time. Both methods need a fault detection and identification (FDI) algorithm to identify the fault-induced changes and to reconfigure the control law on-line.
Model Predictive Control (MPC) is an optimization-based strategy that uses a plant model to predict the effect of potential control actions on the evolving state of the plant. At each time step, an optimal control problem is solved and the first input vector is injected into the plant until a new measurement is available. The updated plant information is used to formulate and solve a new optimal control problem [7]-[10]. Since MPC is formulated as an optimization problem, inequality constraints are a natural addition to the controller [10]. The ability to handle hard constraints on control and states explicitly may be viewed as one of the major factors in the success of MPC in process control. Therefore, it has been widely applied in petrochemical and related industries. Hence, the application of MPC in FTC is very important and useful, since most of these processes have control and state constraints, which specify the actuator limits and the safety requirements of the components. Although constraints improve the appeal of MPC as an advanced control strategy, they make the controller harder to implement.
The idea of using MPC in FTC was first discussed in [11] and implemented on a simulation model of EL AL Flight 1862 in [12]. Both references argue that MPC provides a suitable implementation architecture for fault tolerant control. The representation of both faults and control objectives is relatively natural and straightforward in MPC. Some faults can be represented by modifying the constraints in the MPC problem definition. Other faults can be represented by modifying the internal model used by MPC [12], [9]. In addition, MPC has a good degree of tolerance to some faults, especially actuator faults, under certain conditions, even if the faults are not detected (PFTC).
According to the definition of DSM [1]-[3], it indicates how far the system state is from a specified safety region, which is determined by a set of inequality constraints. It is known that the fault information provided by FDI is, in most cases, not very accurate or sufficient. Moreover, uncertainties exist in the faulty model. Therefore, considering DSM constraints in the recovery controller, especially MPC, is useful to compensate for the unavailable fault information and the model uncertainties [23]. In addition, the DSM index can help in adapting the MPC controller in order to find a feasible solution for the constrained MPC problem and to satisfy an acceptable degraded performance. Thus, designing an FTC system against system faults to achieve an acceptable degraded performance without violating the safety requirements of the overall system is the focus of the work presented here.
The paper is organized as follows: Dynamic safety margin and safety controller requirements are defined in Section II. This is followed by a discussion of MPC with constraints and the implementation of DSM in MPC in Section III. The proposed FTC system based on MPC and DSM is explained in Section IV. An implementation example is illustrated in Section V. Finally, conclusions and future work are given in Section VI.
II. DSM DEFINITION AND SAFETY CONTROL
The idea of DSM is introduced in [1], [2]. Here, the general idea will briefly be explained. Let $X$ be the state space in $\mathbb{R}^n$, and consider a subspace $\Phi \subseteq X$ that defines the safe operation region for some system state variables $x \in \mathbb{R}^m$. The safe region $\Phi$ can be specified by a set of inequalities $\{\varphi_i(x) \le 0,\ i = 1, \ldots, q\}$, where $\varphi_i : \mathbb{R}^m \to \mathbb{R}$; $\varphi_i(x) > 0$ indicates unsafe operation (Fig. 1). It is assumed that the system is stable in the sense of Lyapunov and that the safe region is fully contained in the stability region. Starting with the initial condition $x_0$, the system trajectory will evolve to the operating point $x_s$ traversing the state space
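As an added illustration, not code from the paper, the following puts together the receding-horizon loop of Section I and the inequality-defined safe region $\Phi$ of this section on a constructed double-integrator plant: the optimizer enumerates a small discrete input set over a short horizon, discards every sequence that leaves $\Phi$ (any $\varphi_i(x) > 0$), applies only the first input, and re-plans from the measured state. The `margin` function, the plant, the bounds and the cost weights are assumptions; the exact DSM formula is not reproduced on this page, so `margin` is only a stand-in for it.

```python
from itertools import product

DT = 0.2  # sample time of the constructed discrete-time plant

def step(x, u):
    """Double integrator x = (position, velocity), x+ = A x + B u (constructed plant)."""
    p, v = x
    return (p + DT * v + 0.5 * DT * DT * u, v + DT * u)

# Safe region Phi = {x : phi_i(x) <= 0, i = 1..4}; phi_i(x) > 0 marks unsafe operation
PHI = (
    lambda x: x[0] - 1.0,   # position upper bound
    lambda x: -x[0] - 1.0,  # position lower bound
    lambda x: x[1] - 0.5,   # velocity upper bound
    lambda x: -x[1] - 0.5,  # velocity lower bound
)

def margin(x):
    """Assumed DSM stand-in: worst constraint slack, positive inside Phi, negative once unsafe."""
    return -max(phi(x) for phi in PHI)

def is_safe(x):
    return margin(x) >= 0.0

def mpc_first_input(x, p_ref, horizon=3, inputs=(-1.0, -0.5, 0.0, 0.5, 1.0)):
    """One receding-horizon step: enumerate input sequences, reject any that leave Phi,
    return the first input of the cheapest feasible sequence (None if none is feasible)."""
    best_cost, best_u = float("inf"), None
    for seq in product(inputs, repeat=horizon):
        xk, cost, feasible = x, 0.0, True
        for u in seq:
            xk = step(xk, u)
            if not is_safe(xk):          # hard state constraint from Phi
                feasible = False
                break
            cost += (xk[0] - p_ref) ** 2 + 0.01 * u * u
        if feasible and cost < best_cost:
            best_cost, best_u = cost, seq[0]
    return best_u

def run_closed_loop(x0, p_ref, steps=25):
    """Apply only the first input, re-plan from the new state, repeat."""
    x, trajectory = x0, [x0]
    for _ in range(steps):
        u = mpc_first_input(x, p_ref)
        if u is None:                    # infeasible problem: stop rather than leave Phi
            break
        x = step(x, u)
        trajectory.append(x)
    return trajectory
```

Because the horizon is finite, a state can be safe yet admit no feasible continuation; `mpc_first_input` then returns `None`, which is the situation the paper's DSM-based adaptation of the MPC constraints is meant to avoid.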
Application of Model Predictive Control for Fault Tolerant System Using Dynamic Safety Margin
M. Abdel-Geliel, E. Badreddin, A. Gambier, Member, IEEE
Automation Lab, University of Mannheim, Germany
elgeliel@ti.uni-mannheim.de, badreddin@ti.uni-mannheim.de, gambier@ti.uni-mannheim.de
Proceedings of the 2006 American Control Conference
Minneapolis, Minnesota, USA, June 14-16, 2006
FrB18.4
1-4244-0210-7/06/$20.00 ©2006 IEEE 5493