Chapter 1

Preliminary Notions and State of the Art 1

1.1. Overview

Basically, co-design needs to share, compare, and gather the knowledge and perspectives brought by the stakeholders involved in the design process. Indeed, the design of safe networked control systems involves many basic methodologies and technologies. The essential methodologies involved here are feedback control, real-time scheduling, fault detection and isolation (FDI), filtering and identification, networking protocols, and QoS metrics: each of them relies on theoretic concepts and specific domains of applied mathematics such as optimization and information theory. On the other hand, these concepts are implemented via various technologies and devices, for example, involving mechanical or chemical engineering, continuous and digital electronics and software engineering.

These basic domains are explained in existing literature; hence, this chapter is not meant to give an exhaustive overview of all the methodologies and technologies used further in the book. This book is also not meant to provide an exhaustive state of the art nor to be a definitive treatise on the open topic of safe NCS; it is aimed at recording and disseminating the experience gathered by the authors during the joint SAFENECS academic research project. The team brought together people from different horizons, with basic backgrounds in control or computer science, and expertise in various domains and technologies such as digital control design, modeling of dynamic systems, real-time scheduling, identification, and diagnosis. Fault-tolerant control (FTC), networking protocols, quality of service (QoS) analysis in networks, and model-based software development, among others.

Besides the knowledge provided by basic education in control and computer science, it appears that some topics that are useful in the joint design of control systems over networks are too specific, or too new and not disseminated enough, to be currently a part of basic education in control or industrial computing. So the next sections provide additional knowledge about such topics and will be useful in what follows.

Section 1.2 gives preliminary notions about real-time scheduling as well as some popular real-time scheduling policies. A particular focus is given on the so-called (m, k)-firm scheduling policy, which is, in particular, the groundwork for the control/networking co-design methodology that is developed in Chapter 5. Then, section 1.3 provides basic considerations and describes the current solutions for control-aware computing, i.e. providing computing architecture designs able to improve the quality of control of the system. One very appealing solution for the control of computing and networking resources subject to variable and/or badly known operating conditions uses a feedback-scheduling loop, whose basic design and implementation are described in section 1.4. Finally, section 1.5 provides a brief state of the art about fault diagnosis in control systems subject to network-induced effects.

1.2. Preliminary notions on real-time scheduling

When taking into account the implementation aspect of the control applications, one of the fundamental problems is to ensure timely execution of the tasks and transmission of messages related to control loops, e.g. transmission of a sampling data from a sensor to a controller, execution of the control task on a multitasking operating system (OS), sending the command from the controller to the actuator.

Control applications are typical real-time applications. The execution of a task or transmission of data is under time constraint (often under deadline constraint) in order to ensure the reactivity of the system and thus guarantee the stability and desired control performance. Real-time scheduling theory has been developed for studying how to effectively schedule the access to a shared resource of the concurrent tasks (through scheduling algorithm development) and to guarantee that the designed system can meet time constraints (through schedulability analysis).

This section is not intended to give a comprehensive review of the real-time scheduling theory, but rather provides the necessary basic background to facilitate the understanding of the remaining chapters of this book. Readers interested in more detail may refer to [LIU 00], and also to [LEU 04] for a broader view on scheduling.

The notion of priority is commonly used to order access to the shared resources such as a processor in multitask systems and a communication channel in networks. In the following, except in case of necessity, we will always use the term task which may represent either a task execution on a processor or a packet/message transmitted on a network channel.

A classic periodic task model is proposed by Liu and Layland [LIU 73]. Each periodic task of priority i, denoted by τi, is characterized by its worst-case execution time (WCET) Ci, its period Ti with which its execution is requested, and its relative deadline Di. The problem is how to schedule a set of n independent periodic tasks Γ = {τ 1, τ2,…, τn} on one processor to ensure that the deadline of each instance is met (i.e. executed before the deadline). This is called hard real-time guarantee. In priority-based scheduling, it is usual to use the value i = 1 for the highest priority and larger integer of i for lower priority. During the execution of a task instance of priority i, if a higher priority one arrives, two scheduling policies exist: pre-emptive and non-pre-emptive. In the pre-emptive case, on-going lower priority task execution is interrupted by the higher priority one and its execution is resumed after the end of the execution of the higher priority one if there is no other released higher priority ones. Pre-emption is often not allowed when dealing with packet transmission in a communication channel, or when the pre-emption overhead is too high.

This classic task model can be used for representing the control task execution on a processor where the deadline is deduced from the sampling period of the control loop. When several control tasks (or one control task and several other tasks) share the same processor, scheduling policies must be studied for ensuring the deadlines are met and consequently the Quality of Control (QoC). However, as mentioned earlier in the Introduction and Problem Statement, guaranteeing deadlines are met for all the task instances (i.e. hard real-time guarantee) generally requires huge resource reservation leading to the over-provisioning problem. While we know that feedback control loops have certain robustness with respect to timing uncertainty. Occasional deadline miss or instance non-execution can often be tolerated if they do not occur in a long-term consecutive way. In this case, the (m, k)-firm model introduced by [HAM 95] seems more suitable. In fact, a task meets the (m, k)-firm constraint if there are at least m among any k consecutive task instances meet their deadline. This can thus be used to specify how the deadline miss or instance discarding is tolerated.

In what follows, we will give some basic results on priority-based classic task model scheduling and (m, k)-firm one.

1.2.1. Some basic results on classic task model scheduling

In this part two scheduling algorithms are presented: rate monotonic (RM) and earliest deadline first (EDF). RM is a fixed-priority scheduling algorithm where the priorities are assigned to the tasks according to their periods (or appearing rates). The task with the smallest period has the highest priority. Note that the same principle can be used to get some variants such as deadline monotonic (DM) or generally speaking fixed priority according to whatever importance criteria. EDF is a typical example of dynamic priority scheduling algorithms. Priorities assigned to the tasks are inversely proportional to the absolute deadlines of the active tasks. That is, the earlier the deadline, the higher the priority. The priority assigned to a task is of course dynamic and recalculated every time there is a new active task or an execution completion.

Let us consider a set of n independent periodic tasks Γ = {τ1, τ2,…, τn} on one processor. For this system, the total normalized workload or processor utilization is , and the system is feasible when U ≤ 1.

1.2.1.1. Fixed priority scheduling

Let the priority of the tasks τi be classified in decreasing orders: the priority of τi is higher than that of τj; in the case of RM or DM, the priority of τi is .

In [LIU 73], under pre-emptive RM, the following sufficient condition is established on the feasibility of the task set for :

(1.1)

With n tending to infinity, n(21/n − 1) approaches ln2 ≈ 69.31%.

In [LIU 73], it has also been shown that the worst-case response time is obtained when the first instances of all the tasks are synchronized.

A sufficient and necessary condition for the non-concrete task set has been given in [JOS 86] based on the technique called worst response time analysis (RTA).

Formally, for , Ri is iteratively calculated by taking into account the interference caused by the higher priorities. For U ≤ 1 and , Ri is obtained with the following fixed point calculation:

The computing stops when the iteration can no longer progress or when Ri > Di.

In a general case with unrelated Di and Ti, and especially for the case of Di > Ti, this RTA technique has been extended [TIN 94].

Note that this technique is also applicable to the non pre-emptive case by including the blocking factor due to the on-execution low-priority task [TIN 94].

1.2.1.2. EDF scheduling

For a set of independent periodic tasks Γ = {τ1, τ2, …, τn} with and under pre-emptive EDF, the necessary and sufficient condition of the schedulability is [LIU 73]:

(1.2)

It is proved [BAR 90] that this condition is still true for the case . For a task set with , the previous condition is no longer sufficient. In [BAR 90] and [SPU 96], two necessary and sufficient conditions are given for task set with arbitrary Di and Ti.

Under non pre-emptive EDF, in the case of non-concrete tasks, a sufficient and necessary schedulability test with pseudo-polynomial complexity is given in [JEF 91]. The test is based on the processor demand calculation. When the tasks are synchronous, the same condition becomes only sufficient. It has been shown in [JEF 91] and [GEO 95] that determining the schedulability is an NP-hard problem.

1.2.1.3. Discussion

Fixed priority scheduling is now supported by most of commercial off-the-shelf (COTS) OS. It can also be found in some networks. For instance, CAN network uses a priority-based MAC protocol so that CAN messages schedulability can be analyzed using the RTA technique [TIN 94]. This scheduling algorithm is also present in some Ethernet switches. Chapter 3 will study the control and network QoS co-design of the NCS distributed around a CAN and switched Ethernet network, respectively.

EDF is known as an optimal scheduling algorithm. However its implementation can induce unacceptable high overhead due to the frequent context changes related to the dynamic priority assignment. Today, few COTS OS support EDF.

Ensuring hard real-time constraint by the schedulability analysis may lead to resource over-provisioning problem since in practice it is difficult to get a tight upper bound on the WCET, especially when dealing with packet transmission in a network. The worst-case workload scenario may never happen. To cope with these uncertainties, a system designer may try to either prevent overloads by making safe assumptions about workload or tolerate overloads (but still providing reduced-but-acceptable level of service). The latter is particularly interesting for feedback control applications thanks to the robustness of the control loops. For the overload management, fixed-priority scheduling has an advantage over EDF. In fact, during an overload situation, only low-priority tasks are affected in fixed-priority scheduling. EDF has very bad behavior during overload since it tries to always give the highest priority to the task that will miss its deadline, resulting in a general deadline miss of all tasks.

Many other approaches such as imprecise computation model, skippable model, (m, k)-firm model have been developed to deal with overloads. We introduce in the following some basic notions on (m, k)-firm. This model is then used in Chapters 2 and 5. Chapter 5 also gives further details before applying it to the overload management when several control loops share the same processor.

1.2.2. (m, k)-firm model

A system meeting (m, k)-firm constraint requires a minimum QoS of m out of any k consecutive deadlines to meet in the worst case, where m and k are two positive integers (the case where m = k is equivalent to the ideal case, which is noted by (k, k)-firm and corresponds to the hard real-time constraint). In general cases, more than m deadlines are met as the system does not always run at the worst-case condition. This is to say that if the (m, k)-firm constraint is respected, during whatever window of k consecutive instance occurrences, there exist at least m instances that meet their deadline. Note that in general the k consecutive instance occurrences are not necessarily periodic, so the window of k consecutive instances does not necessarily have a constant time duration [LI 09]. However, in the networked control applications, most of the cases are periodic ones due to the sampling principle. Therefore in this book, a task τi is characterized by {Ci, Ti, Di, mi, ki}, with i = 1, 2, …, n representing the index of tasks (but not necessarily their priority). A task could be a stream of messages to transmit or a periodic task to execute.

A task under (m, k)-firm constraint can be found in one of the two following states: normal and dynamic failure [HAM 95]. Figure 1.1 shows an example of the statetransition diagram for (2, 3)-firm: 1 denotes that a deadline is met and 0 denotes a deadline missed, respectively. These states are evaluated according to the past situation of the system; every state that is either normal or dynamic failure depends on the last three deadlines services. The next deadline’s meet or miss will cause the system to transit to another state. If there is more than 1 missed deadline, the system is in a dynamic failure state. Otherwise, the system is in a normal state.

For the efficient overload management, we adopt dropping strategy: any instance that cannot be executed before its deadline is dropped. So whenever talking about (m, k)-firm in this book, a missed deadline is equivalent to an instance drop.

If a control system can accept control performance degradation until k − m deadlines misses (or equivalent packet losses) among any k consecutive ones, the system can then be designed according to the (m, k)-firm approach to offer the variable levels of control performance between (k, k)-firm (ideal case) and (m, k)-firm (worst case) with as many intermediate levels as the possible values there are between k and m. This results in a control system with graceful degradation of the control performance.

The problem of scheduling tasks under (m, k)-firm constraint has drawn particular attention in real-time community. Some important results have been obtained.

The first category concerns the development of the specific scheduling algorithms. The well-known one is distance-based priority (DBP) proposed in [HAM 95]. Considering n tasks sharing a common server (may be a processor or a communication channel) and each has its own (mi, ki)-firm constraint, the principle is to dynamically assign priorities to the different tasks according to the distance to the dynamic failure state. The closer the task to a failure state, the higher its priority. A failure state occurs when the task’s (mi, ki)-firm requirement is violated, i.e. there are more than ki − mi deadlines missed within the last k-length window. So to know the current state of a task we should examine the execution history of the last k instances. If we associate 1 with an instance with deadline met and 0 with an instance with deadline missed, this history is then entirely described by a word of k bits called the k-sequence. The k-sequence is a word of k ordered bits in which each bit keeps memory of whether the deadline is missed (bit= 0) or met (bit=1). In the k-sequence, the bit is ordered the most recent to the oldest task instance where the leftmost bit represents the oldest one. Each newly arrived instance causes a shift of all the bits toward the left, the leftmost exits the word and is no longer considered, while the rightmost will be a 1 if the instance has met its deadline (i.e. it has been served within) or a 0 otherwise. Figure 1.2 gives an example with (3,5)-firm constraint.

Thus for each task τi under (mi, ki)-firm constraint, the priority is assigned based on the number of consecutive deadline misses that leads the task to violate its (mi, ki)-firm requirement. This number of missed deadlines is referred to as the distance to failure state from the current state. DBP assigns priority to a given instance by the distance from the current k-sequence to a failure state. Considering the above example with (3, 5)-firm constraint, the current instance is assigned the priority of 2 if the current 5-sequence is (11011), and is set the priority of 3 if the current 5-sequence is (10111). Note that in case of equal priority, EDF is used to break the tie. For non-pre-emptive DBP, a first necessary schedulability condition has been given in [POG 03]. A sufficient schedulability condition is presented in [LI 04a]. Dynamic window constrained-scheduling (DWCS) is another similar algorithm proposed in [WES 99] with its schedulability analysis in [WES 04]. Other scheduling algorithms have also been developed specifically for control applications such as Markov chain-driven algorithm (MDA), dropout-rate-driven algorithm (DDA), and feedback-driven algorithm (FDA) [LIU 06].

The second category concerns the adaptation of the existing scheduling algorithms to the (m, k)-firm constraint. In [RAM 99], the RM algorithm is adapted to the (m, k)-firm model by defining the notion of (m, k)-pattern which is in fact a fixed k-sequence. This allows the instances to be classified in two priorities: mandatory and optional. The guarantee of the execution of the mandatory instances ensures meeting of the (m, k)-firm constraint. The sufficient schedulability condition is also presented. Enhanced fixed-priority (EFP) algorithm [QUA 00] proposes an improvement by introducing a heuristic rotation algorithm to reduce the effect of the worst-case interference point due to the superposition of the mandatory instances of tasks. This part will be further detailed in Chapter 5.

1.3. Control aware computing

Control and real-time computing have been associated for a long time, with the control of industrial plants and in embedded or mobile systems, e.g. automotive and robotics. However, both parts, control and computing, are often designed with poor interaction and mutual understanding. From the control design point of view, a constant and unique period is usually assumed. Delays are supposed negligible or constants, and jitter is ignored. The implementation design then follows, trying to meet these assumptions.

Real-time scheduling has mainly focused on how to dimension resources to meet deadlines, or equivalently, on the schedulability analysis for a given resource. Indeed, the real-time community has usually considered that control tasks have fixed periods, hard deadlines, and worst-case execution times. This assumption has served the separation of control and scheduling designs, but has led to under-utilization of CPU resources and inflexible design.

The hard and costly way consists in building a highly deterministic system, from the hardware, operating system and communication protocols sides, so that the actual implementation parameters meet the ideal ones. This extreme solution is used if, for instance, determinism is requested for formal verification and/or certification purpose, e.g. as in the synchronous programming approach [BEN 91] or in the time-triggered paradigm [KOP 03]. However, trying to nullify (even virtually) latencies and jitter generally leads to worst-case-based resources provisioning and tends to needlessly overconstraint the system’s design and implementation.

In fact, the hard real-time constraints can be often relaxed in a controlled way, e.g. considering the intrinsic robustness provided by the closed-loop paradigm. In a real control implementation, latencies and sampling jitter inevitably exist, in particular when actuators, sensors, and controllers are distributed over a network. A smart organization and use of network and processor resources, with control features in mind, may lead to serious improvements in the control performance, resources usage and overall cost.

1.3.1. Off-line approaches

A first set of methods consists of computing off-line the set of scheduling parameters which (ideally) maximize the control performance under schedulability constraints. The first step consists in getting a model of the control performance function of the execution parameters. The problem of optimal sampling period selection, subject to schedulability constraints, was first introduced in [SET 96]. Considering a bubble control system benchmark, the relationship between the control cost (corresponding to a step response) and the sampling periods was approximated using convex exponential functions. Using the Karush–Kuhn–Tucker (KKT) first-order optimality conditions, the analytic expressions of the optimal off-line sampling periods were established. The problem of the joint optimization of control and off-line scheduling has been studied in [REH 04; LIN 02a; BEN 06].

In a multitasking system, several control tasks share a common computing resource: the resulting pre-emption induces latencies due to the computations themselves, but also due to the interleaving between their executions. Models of the control behavior based on linear systems theory are used in [RYU 97] and [SAK 98] to derive cost functions which depict the control performance, e.g. the rise time, as a function of two execution parameters, the control period and loop delay. Then an optimization iterative algorithm (simplex) is used to tune the execution parameters in order to maximize the overall control performance with respect to the implementation feasibility. However, due to the complexity of the optimization process this method can be used only off-line.

Often the lazy way to implement a controller consists of programming a single real-time task when all the components of the controller are executed in sequence in a single loop. However, it appears that all the components of a control algorithm do not require the same timing parameters, and do not have the same weight in the final performance and stability. Some parts of the controller are more critical w.r.t. latencies, or require more frequent updating than others. Therefore, the controller can be split into modules according to these timing requirements, so that latencies can be minimized along some critical data paths, or to enforce the execution of safety critical functions even in the case of transient overload.

For example, it is possible to split the controller of a linear system in several parts according to their relative urgency, as shown in the following piece of pseudocode [ÅST 97]:

Here the input/output latency is minimized, as the control signals are computed and sent to the actuators immediately after updating the measures, while updating the model and internal state of the controller can be delayed until the end of the control period.

This method is, for example, used in [EKE 99] where this control task split is applied to the control of a set of concurrent inverted pendulums: compared with the naive implementation where all computations are made before sending the control signals, it provides an impressive increase in the control performance with no additional computing cost. A more complex and nonlinear system can also benefit from such separation of the control algorithm between fast and critical control paths (e.g. low-level stabilization loop) and slower components, e.g. vision-based navigation. Obviously the operating system and associated run-time framework must allow for such multitask/multi-rate implementation [SIM 05a]. This modular timing analysis seems to be an essential starting point for flexible and efficient real-time control implementation, as in the example depicted in section 1.4.2.3.

1.3.2. Quality of Service and flexible scheduling

Other approaches define a QoS criterion to depict, e.g. the relations between the performance and the controller’s period. This performance model can be used to configure an admission controller managing the overall system load [ABD 97], or to perform an on-line negotiation involving periods and priorities as in [SAN 00].

Besides control considerations, flexible and control aware solutions have also been provided by the computer science side. For example, let us cite the “Elastic Tasks” paradigm [BUT 00], where the sensitivity of the QoS relative to the execution period for every task is modeled by a “stiffness” and takes into account bounds in the allowed execution period. To make the task set schedulable, the task stack is “compressed” until the accumulated execution load fit with the allocated CPU capacity. Although this implementation is in open loop w.r.t. the actual QoS, it allows for an improved adaptation against transient overloads.

As sharing the computing resource between controllers is a central issue, some variants of the Control Bandwidth Server (CBS) approach [ABE 98] have been used to enforce protection between competing control activities. For example in [CAC 00] the nominal control periods of the competing controllers are computed thanks to the optimization process of [SET 96] aiming at maximizing the control performance under scheduling constraints. The on-line execution time variations of the controllers are locally processed inside the computing budget allocated by the CBS server.

Let us cite also the control server ([CER 03b]) where a fraction of the total CPU power is statically reserved to each control thread. Then the system behaves as if each controller was isolated using its own computation resource, in particular an overloaded controller does not disturb its neighbors. Inside each computing segment the individual controllers are organized to minimize their I/O latency and jitter. In the case of transient overload, the missing computing budget for one controller is postponed to its next reserved slice, with no impact on the others.

This mainly concerns the integration of control performance knowledge in the scheduling parameters assignment. Indeed, once a control algorithm has been designed, a first job consists of assigning timing parameters, i.e. period of tasks and deadlines, so that the controller’s implementation meets the control objective. This may be done off-line or on-line.

In off-line control/scheduling co-design, the task of setting adequate values for the timing parameters rapidly fall into case studies based on simulation and experiments. For instance in [RYU 97] off-line iterative optimization is used to compute an adequate setting of periods, latencies, and gains resulting in a requested control performance according to the available computing resource and implementation constraints. Also in [SAN 02] the temporal requirements of the control system are described using complex temporal attributes (e.g. nominal period and allowed variations, precedence constraints, etc.): this model is then used by an off-line iterative heuristic procedure to assign the scheduling parameters (e.g. priorities and offsets) to meet the constraints.

Concerning co-design for on-line implementation, recent results deal with varying sampling rates in control loops in the framework of linear systems: for example [SCH 02] show that, while switching between two stable controllers, too frequent control period switches may lead to instability. Unfortunately, most real-life systems are nonlinear and the extrapolation of timing assignment through linearization often gives rough estimations of allowable periods and latencies or they can even be meaningless. In fact, as shown later in the examples, knowledge of the plant’s behavior is necessary to get an efficient control/scheduling co-design.

1.4. Feedback-scheduling basics

Besides traditional assignment of fixed scheduling parameters, more flexible scheduling policies have been investigated. The main idea is that fast sampling and computing are costly, so running the controllers only when useful or necessary is expected to save computing power, network bandwidth and energy. Networked control systems can be made of autonomous and/or mobile devices connected by wireless communications. As these devices may have a limited on-board energy storage, optimizing the cost of computations and communications induced by the control activities is again gaining interest.

As already mentioned in section 0.2, the on-line adaptation of the sampling interval as a function of the system’s behavior and state has been studied from the beginning of computer-controlled systems [DOR 62; HSI 74]. Besides the time-triggered approach and variations around the sampling period adaptation, an even more radical approach is the so-called “Event-based control” concept. Indeed, this approach is natural in some application domains, as in engine control where the basic events scale is linked to the crank-shaft position turning at a variable speed rather than to clocks. However, it has been proposed as an alternative to time-triggered sampling when the execution resources used by the controller are constrained.

Within the event-triggered control approach the decision to compute and apply a new control action is based on the level crossing of some signal of interest, e.g. the error signal between the desired set-point and actual measurement as in [ÅRZ 99] and [DUR 09]. Note that even if the controller is sleeping most of the time waiting for awaking events, the controlled plant must be continuously observed for event detection at a rate fast enough to allow for fast reactions and effective disturbance rejection.

Anyway, effective real-time management of the computing and networking resources needs to close the loop between the execution resource utilization and the actual scheduling parameters. The feedback-scheduling approach has been initiated both from the real-time computing side [LU 00; LU 02] and from the control side [CER 00; EKE 00; CER 02]. The idea consists of adding to the process controller an outer sampled feedback loop (“scheduling regulator”) to control the scheduling parameters as a function of a QoC (Quality of Control) measure. It is expected that an on-line adaptation of the scheduling parameters of the controller may increase its overall efficiency w.r.t. timing uncertainties coming from the unknown controlled environment. Also we know from control theory that closing the loop may increase performance and robustness against disturbances when properly designed and tuned (otherwise it may lead to instability).

Figure 1.3 gives an overview of a feedback scheduler architecture where an outer loop (the scheduling controller) adapts in real time the scheduling parameters from measurements taken on the computer’s activity, e.g. the computing load. Ideally it would be also fed by measures related to the quality of control, thus really providing integrated control and scheduling, which is the topic of Chapter 4. Besides this controller working periodically (at a rate larger than the sampling periods of the plant control tasks), the system’s structure may evolve along a discrete time scale upon occurrence of events, e.g. for new task admission or exception handling. These decisional processes may be handled by another real-time task, the scheduling manager, which is not further detailed in this paper. Notice that such a manager may give a reference to the controller resource utilization.

The design problem can be stated as control performance optimization under constraint of available computing resources. Early results come from [EKE 00] where a problem of optimal control under computation load constraints is theoretically solved by a feedback scheduler, but leads to a solution too complex to be implemented in real time. Then [CER 03a] shows that this optimal control problem can often be simply implemented by computing the new task periods by the re-scaling:

where Usp is the utilization set-point and U the estimated CPU load. The feedback scheduler then controls the processor utilization by assigning task periods that optimize the overall control performance. This approach is well suited for a “quasi-continuous” variation of the sampling periods of real-time tasks under control of a pre-emptive real-time operating system (RTOS).

Another approach has been used in the framework of the so-called (m, k)-firm schedulability policy, where the scheduling strategy ensures the successful execution of at least m instances of a given task (or message sending) for each time window of length k slots. Hence a selective data drop policy (as in [JIA 07]) or a computing power allocation to selected tasks (as in [BEN 06]) can be used to perform optimal control of a plant under constraint of computing or communication limitations. This latter approach is well suited for non pre-emptive scheduling of control tasks and for networked control systems subject to message loss: the tasks or messages are scheduled to jointly perform congestion avoidance and optimal control.

Indeed, in all cases the adaptive behavior of a feedback scheduler, associated with the relative tolerance of the control system w.r.t. the implementation induced timing uncertainties, allows for the design and implementation of real-time control systems based on their average execution behavior rather than on pessimistic worst-case estimates.

1.4.1. Control of the computing resource

Feedback scheduling is a dynamic approach allowing a better use of the computing resources, in particular when the workload changes e.g. due to the activation of an admitted new task. Indeed, the CPU activity will be controlled according to the resource availability by adjusting scheduling parameters (i.e. period) of the plant control tasks.

In the approach proposed here, a way to take into account the resource sharing over a multitasking process is developed. In what follows, the control design issue is described including the control structure, the specification of control inputs and measured outputs, as well as the modeling step.

1.4.1.1. Control structure

In Figure 1.4 scheduling is viewed as a dynamic system between control task frequencies and processor utilization. As far as the adaptation of the control tasks is concerned, the load of the other tasks is seen as an output disturbance.

1.4.1.2. Sensors and actuators

As stated in section 1.3, priorities must be assigned to control tasks according to their relative urgency; this ordering remains the same in the case of a dynamic scheduler. Dynamic priorities, e.g. as used in EDF, only alter the interleaving of running tasks and will fail in adjusting the computing load w.r.t. the control requirements.

Consequently, we have elected the task periods to be the primary actuators of the system running on top of a fixed-priority scheduler. Note that if the control timing setting, based only on the scheduling adaptation, becomes out of reach (e.g. because the requested intervals would be out of bounds), possible secondary actuators are variants of the control algorithms, with different computing costs and QoS contributions to the whole system. Such variants must be handled by the scheduling manager working on a discrete events time scale.

As the aim is to adjust on-line the sampling periods of the controllers in order to meet the computing resource requirements, the control inputs are thus the periods of the control tasks. The measured output is the CPU utilization. Let us first recall that the scheduling is here limited to periodic tasks. In this case the processor load induced by a task is defined by where c and h are the execution time and period of the task. Hence, processor load induced by a task is estimated, in a similar way [CER 02], for each period hs of the scheduling controller, as:

(1.3)

where h is the sampling frequency currently assigned to the plant control task (i.e. at each sampling instant khs) and is the mean of its measured job execution-time. λ is a forgetting factor used to smooth the measure.

1.4.1.3. Control design and implementation

The proposed control design method for feedback scheduling is here developed. First one should note that, as shown in [SIM 03], if the execution times are constant, then the relation, (where fi = 1/hi is the frequency of the task) is a linear function (while it would not be the case if expressed as a function of the task periods). Therefore, using (1.3), the estimated CPU load is given as:

(1.4)

An illustration, for the case of a single control task system, is given in Figure 1.5 where the estimated execution-times are used on-line to adapt the gain of the controller for the original CPU system (1.4) (this allows us to compensate the variations of the job execution time).

As depends on the run-time environment (e.g. processor speed) a “normalized” linear model of the task i (i.e. independent of the execution time), Gi, is used for the scheduling controller synthesis where is omitted and will be compensated by on-line gain scheduling as shown below:

(1.5)

According to this control scheme, the design of the controller K can be made using any control methodology at hand. In fact all the control toolbox resources may be adapted for feedback-scheduling purpose, e.g. as reviewed in [XIA 08].

One of the most frequently used is the well known P.I.D. control: it has been for example used for the on-line regulation of purely computing systems as web and mail servers, as shown in section 1.4.2.1. Another popular approach is the linear quadratic (LQ) control method, whose application to scheduling control has also been investigated as shown in section 1.4.2.2.

Model predictive control is known to cope well with control of complex systems under control and/or state constraints. As scheduling control deals with control under computing and/or communication limitations, this control design has also been investigated, as shown by the example in section 4.3.

Finally, as a digital control system combines uncertainties and modeling errors from both the plant and the control implementation, robustness seems to be a crucial issue: the well known H∞ control theory, which can lead to a robust controller w.r.t modeling errors (see [ZHO 96] for details on H∞ control), is also a good candidate to perform. Moreover, it provides good properties in presence of external disturbance, as emphasized in the robot control example below (1.4.2.3).

1.4.2. Examples

1.4.2.1. Feedback scheduling a web server

One of the most popular and widely used controller for SISO systems is the so-called proportional integral derivative (PID). The basic formulation for a continuous time PID controller is [ÅST 97]

where U is the control signal to be applied to the process input and e is the error signal between the desired set-point yd and the measured output y. It is largely used in industry as it can be applied to many SISO systems with an easy tuning and a minimal modeling effort.

This simple design has been used to control and tune the behavior of computation devices submitted to QoS constraints, for example web (Figure 1.6) or mail servers ([LU 01], [PAR 02]). Design basics, control oriented models for computing devices, and case studies for feedback control of computing systems can be found in [LU 00; LU 02], and [HEL 04] among other references.

For each period of the scheduling controller, the measures are the total CPU load U(k) and the miss ratio M(k). The corresponding gains GA and GM are images of the modeling uncertainties.

The execution of requests Ti is modeled by at least two levels of quality, i.e. couples (QoS contribution, execution cost). The actuation provided is the choice of the execution mode corresponding to a given cost, at every sampling period. The accumulated regulated cost is finally the global CPU load.

If the sampling period h is large enough, the transfer function of the CPU load submitted to computing requests Δu can be modeled by an integrator, where GA and GM are the weakly known gains of the open loop process:

Thus, a simple proportional regulator is able to control the server load

Figure 1.7 (borrowed from [LU 02] with permission of the author) shows the steady state behavior (CPU load U(k) and deadlines missed M(k)) as a function of the desired load Ud. The role of the underlying scheduling policy can be observed: using EDF (on the right picture) allows for nullifying the deadlines missed up to Ud = 1, but exhibits degradation in the case of permanent overload faster than a static DM priority policy. However, in all cases, the server shows some ability for automatic adaptation to the arrival of sporadic requests and for recovery against sporadic overloads, thus leading to a kind of self-administration at a very low-computing cost.

1.4.2.2. Optimal control-based feedback scheduling

The aforementioned PID regulation approach is very simple to design and tune. The downside of the very limited number of tuning parameters is the limited capabilities of, e.g. shaping robustness templates or decoupling several transfer modes.

Let us come back to the initial problem, which may consist formally in the optimization of a control performance under constraints of limited computing resources. This problem has been analytically solved by [EKE 00] and [CER 03a] for the following case study. A given computing resource is shared by n real-time control tasks, each one is used to control a linear stochastic process; each controller has an hi period and a Ci execution time. A sampling frequency dependent quality criterion Ji(hi) is attached to each controller. The control goal is the maximization of a global cost function over the set of controller, with respect of a desired computing load Ud:

The control variables are the control periods hi. The problem is solved using the cost function

This particular cost function allows for a theoretical state feedback controller performing the optimization. However, the execution of such a controller would require to solve Lyapunov and Ricatti equations at each sample which is clearly two expensive to be executed in real time with reasonable computing resources.

Fortunately, approximations can often be found. The cost functions can be often approached by linear Ji(h) = αi + γih or quadratic Ji(h) = αi + βih2 functions. Computing the optimal values for the hi periods becomes particularly easy if all the cost functions are either linear or quadratic [CER 02].

In this case, the periods are given by the following algorithm:

– the initial control frequencies fi = 1/hi are chosen proportionally to (βi/Ci)1/3 (quadratic costs) or to (γi/Ci)1/2 (linear costs);

– these values provide a nominal computing load ;

– estimation of the execution times and filtering with the λ forgetting factor ;

– for a different CPU desired load the new periods are given by a simple re-scaling ;

– the new control gains can be either computed on-line, or extracted from a pre-calculated table;

– the values desired for CPU loads Usp are elaborated by a supervision process called feed-forward, whose role is similar to the admission controller of the previous section.

Figure 1.8 shows some simulation results using TrueTime, a toolbox for Mat-lab/Simulink dedicated to models of real-time systems and networks ([OHL 07]).

In this experiment, four control tasks share a common computing resource. Each task Ti, i = 1,…, 4 controls an inverted pendulum, under a fixed-priority ordering . The performance criterion is the classic quadratic cost . T1 and T2 are executed when the system starts, then T3 is admitted at t = 2 s and T4 at t = 4 s.

Without adaptation (Figure 1.8(a)) all controllers remain executed at their nominal frequency, the computer becomes overloaded, and finally the lowest priority tasks T1 and T2 are so disturbed by pre-emption that they can no longer stabilize their pendulum (and their criterion becomes ∞).

The controlled scheduler (Figure 1.8(b)) adapts on-line the control periods; thus, it avoids the processor overload and keeps stability for all the process. (Note that the control quality decreases for lower priority process). Adding a feed-forward admission controller (Figure 1.8(c)) allows for future tasks cost anticipation and for enhanced transient behavior.

Note that here the optimality of the process control performance relies on open-loops pre-computed cost functions and that robustness issues are not taken into account. Also nothing is done here to analyze the effect of on-the-fly switching periods on the system’s stability, as studied in section 2.4.

1.4.2.3. Feasibility: feedback-scheduler implementation for robot control

We consider here a seven degrees of freedom Mitsubishi PA10 robot arm that has been previously modeled and calibrated [SIM 05b].

1.4.2.3.1. Plant modeling and control structure

The problem under consideration is to track a desired trajectory for the position of the end-effector. Using the Lagrange formalism, the following model can be obtained:

(1.6)

where q stands for the positions of the joints, M is the inertia matrix, Gra is the gravity forces vector, and C gathers Coriolis, centrifugal, and friction forces.

The structure of the (ideal) linearizing controller includes a compensation of the gravity, Coriolis/centrifugal effect and inertia variations as well as a proportional-derivative (PD) controller for the tracking and stabilization problem, of the form

(1.7)

leading to the linear closed-loop system .

This controller is divided into four tasks, i.e. a specific task is considered for the PD control, for the gravity, inertia and Coriolis compensations, in order to use a multi-rate controller. In this first cautious feedback-scheduling scheme, only the periods of the compensation tasks will be adapted, as they are time-consuming compared with the PD task while being less critical for the stability.

1.4.2.3.2. Scheduling controller design

The block diagram of Figure 1.9 is considered for the H∞ design where G′(z) is the model of the scheduler, the output of which is the vector of all task loads. To get the sum of all task loads, we use C′ = [111]. The H(z) transfer function represents the sensor dynamic behavior which measures the load of the other tasks. It may be a first-order filter. The template We specifies the performances on the load-tracking error as follows:

(1.8)

with Ms = 2, ωs = 10 rad s−1, to obtain a closed-loop settling time of 300 ms, a static error less than 1 % and a good robustness margin. Matrix M is defined as M = [1 − 1 − 1].

The contribution of each of the compensation tasks to the controller performance w.r.t to its execution period has been evaluated via numerous simulations. However, due to the nonlinear nature of the robot arm, only a very rough cost function could be identified, leading to static relative costs.

The template Wx allows the load allocation between the control tasks to be specified. With a large gain in Wx, it leads to

i.e. we allocate more resources for the gravity compensation.

All templates are discretized with a sampling period of 30 ms. Finally, a discrete-time H∞ synthesis produces a discrete-time-scheduling controller of order 4.

1.4.2.3.3. Implementation of the feedback scheduler

After preliminary simulations using TrueTime [CER 03a], we have developed a feedback-scheduler prototype running in real time inside a “hardware-in-the-loop” simulator: a well-calibrated model of the robot arm is numerically integrated in parallel with the execution of the controller, on top of a real-time, pre-emptive, and fixed priorities operating system.

The process controller uses the so-called computing torque controller which is split into several computing modules to implement a multi-rate controller as in [SIM 98] (Figure 1.10). The system is implemented using only the basic features of an off-the-shelf RTOS, which anyway must be instrumented with a task-execution-time operator1. In this application, the period of the feedback scheduler has been fixed to 30 ms to be larger than the robot control tasks (whose limits have been set here from 1 ms to 30 ms).

In this experiment, due to the poor quality of the cost functions which were identified, the feedback scheduler directly controls the CPU usage rather than taking into account the state of the physical system as in an ideal case. In the experiment depicted in Figure 1.11, the desired CPU usage is initially set to 60% of the maximum usage and then lowered to 40% after 1.5 s. The upper plots show the tasks periods and CPU usage. Note that the processor also executes the robot arm numerical integration which induces a high and varying load, inducing some unpredictable overloads.

These first experimental results are encouraging: they show that such a feedback-scheduling architecture can be quite easily designed and implemented on top of an off-the-shelf RTOS with fixed priority and pre-emption.

In this particular case, the scheduling controller is a low-order state feedback, which, moreover, is executed at a slow rate: hence, its computing cost is very low (about 75 μs every 30 ms on a 400 Mhz Pentium 2), i.e. less than 1% of the total control cost.

Indeed, compared with a fixed rate controller, the gain in control performance measured by the integrated tracking error is not impressive: this is due to the very rough modeling of the performance/control rate relationships of this nonlinear system. The real improvement lies in the robustness of the system against transient overloads, and in the automatic setting of the tasks periods: the designer only needs to set reasonable initial values based on easily measured average execution times. As stated in [CER 05], it must be noticed that the recovery strategies used in the case of CPU overload can be selected in a set of predefined behaviors to improve the overall control performance. Here we used the Skip overrun processing, where the overrunning task finishes its current job but prevents its next expected schedule to be executed. Note that, thanks to the robustness of the closed-loop system w.r.t. jitter and occasional data loss, overruns must not be considered as fatal events as they would be in a system specified as “hard real time”.

From the sampled control point of view, it may be observed that abrupt and/or frequent period switches may lead to control instability, even if each periodic controller is stable for each constant sampling period [SCH 02]. Adding a low-pass filtering template in the H∞ scheduling controller here provides period variations smoother than the one provided by a simple period re-scaling; however, this does not guarantee stability and a wiser solution is looked for in section 2.4.

1.5. Fault diagnosis of NCS with network-induced effects

The introduction of communication networks in the control loops makes the analysis of NCS complex. There are several network-induced effects that arise when dealing with the NCS, such as time-delays, packet losses and limited communication. Because of the inherent complexity of such systems, the control issues of NCS have attracted most attention of many researchers, taking into account network-induced effects. For instance, the stability and stabilization problems of NCS were investigated in [HAL 88; NIL 98; BRA 00; ZHA 01b; LI 05] for network-induced delays, [LIN 02b; SEI 05] for packet losses, [HU 03; YUE 05; LI 06] for network-induced delays and packet losses, [NAI 97; HRI 99; ISH 02] for limited communication. We refer the readers to the survey in [TIP 03; HOK 04] and an up-to-date supplement [YAN 06] for more information of NCS on modeling, design and analysis from the viewpoint of estimation and control.

On the other hand, due to an increasing complexity of dynamic systems, as well as the need for reliability, safety and efficient operation, the model-based fault diagnosis and fault-tolerant control has been becoming an important subject in modern control theory and practice, see [MAN 00; ZHA 03]. Disturbances decoupling FDI methods include the works done by [FRA 94; PAT 00]. Extended reviews on FDI have been given in [GER 98; QIN 01]. Owing to the network-induced effects, the theories for traditional point-to-point systems should be reevaluated.

1.5.1. Fault diagnosis of NCS with network-induced time delays

Time-delays in the NCS system consist of: a) communication delay between sensors and controllers τsc, b) communication delay between controllers and actuators τca, c) computational time in controllers τc. Generally speaking, computational time of controllers can be included in communication delay between controllers and actuators. Under the assumption that there is no packet dropout during signal transmission, the sensor-to-controller delay and controller-to-actuator delay can be lumped together as [ZHA 01b], τ = tausc + tauca where τ is supposed to be smaller than the sampling period h. An extended survey on FDI of NCS can be found in [FAN 07].

1.5.1.1. Low-pass post-filtering

Consider the random and unknown network-induced delay shorter than one sampling period, then the NCS with unknown inputs d and faults f can be modeled as [ZHA 01a]:

(1.9)

which can be further written as [LI 07b; YE 06b; YE 06a]

(1.10)

where

(1.11)

Different from the sampled-data system without taking into account the network-induced delay, there exists a time-varying term g(k) in the state evolution equation of system (1.10) and (1.11). When τk is random, g(k) can be regarded as a random disturbance in (1.10). Therefore, it’s natural to adopt a low-pass filter to reduce the impact of g(k) on the residual signal. However, the idea could not be done by only designing a traditional optimal residual generator first and then adding a low-pass filter to its output. The reason is that the optimization of the traditional residual generator does not mean that NCS consisting of it and a post-filter is still optimal. So it is necessary to consider both of the two parts of the new system (i.e. the residual generator and the low-pass filter) when designing the fault detection system [YE 04a].

As an extension of the results in [YE 04b], a fault detection approach based on parity space and Stationary Wavelet Transform (SWT) for NCS with random network-induced delay has been introduced in [YE 04a], which is briefly introduced as follows.

Let

(1.12)

where * may represent u, y, d, f, respectively.

Let

(1.13)

and define Hs,k, Hf,s, Hg,s as the matrices obtained by replacing in (1.13) with and identity matrix I, respectively.

Let

Then a parity space and SWT based residual generator is defined by

(1.14)

(1.15)

whose dynamics is governed by

(1.16)

(1.17)

where υs is the parity vector to be designed which should be selected from the parity spaces Ps defined by , and denotes the approximation coefficients of the SWT of rs,k, under scale jm, which can be considered as a low-pass filtering of rs,k. The dynamics can be written in the following explicit form [YE 04a]

where are known matrices, whose definitions can be found in [YE 04a].

1.5.1.2. Structure matrix of network-induced time delay

According to (1.10) and (1.11), [WAN 06a; YE 06a; YE 04a; LIU 05] have proposed a so-called structure matrix of τk to address the fault diagnosis for NCS. The main procedures are a) transforming g(k) into a form of (known part) × (unknown part), where the known part can extract the known information (such as A, B, Δuk) from g(k) as much as possible, and the unknown part includes the unknown information related to τk, b) using traditional robust fault detection methods to make the robustness to τk. These results are further summarized as Taylor approximation [YE 04a], eigenvalue-decomposition and Padé approximation [YE 06b], accurate structure matrix of τk and PCA [YE 06a].

Consider a simpler NCS model such as:

(1.18)

When the sampling period h is small enough, using the Taylor approximation of eAh, g(k) will approximate to

(1.19)

A time-varying parity space based residual generator is defined as

(1.20)

with

(1.21)

when , where

(1.22)

To meet and to decouple the residual signal from the network-induced delays, the parity vector is determined by solving

(1.23)

This approach has good robustness to network-induced delay only if both h and τk are small enough.

1.5.1.3. Robust deadbeat fault filter

In [LI 07b], the authors assume that the statistical behavior of network-induced delay τk is random and governed by the Markov chain

(1.24)

with the transition probabilities λij denoting as and for any . For sake of simplifying notations, is denoted as and Δuk as wk. Then, the model of NCS is by replaced the state space system (1.10) with the following particular Markov jump linear system:

(1.25)

The following filter is presented as the residual generator of NCS (1.25):

(1.26)

where is the state of the filter, αk the residual generator or the fault indicator. Filter gain and projector are unknown matrices to be found for the solution of the fault detection and isolation problem.

From (1.25) and (1.26), the state estimation error and the output of the filter αk propagate as

(1.27)

Let Gnα(z) be the transfer function from fk to the output residual αk. Then the following theorem is presented to design K and L such that

(1.28)

which ensures the isolation of multiple faults.

THEOREM.– Under the condition rank(ψ) = q, the solutions of (1.28) can be parametrized as , with and ψ = CD, where is the free parameter to be designed, ψ+ is the pseudo-inverse of ψ and β is an arbitrary matrix chosen so that rank(Σ) = m − q.

From the theorem above, the FIF (1.26) is rewritten from the free parameter as:

(1.29)

where αk is a deadbeat filter of fault nk and given by:

(1.30)

where is the fault indicator signal without faults and propagates from the fault-free state estimation error as:

(1.31)

where and is the fault-free state. The transfer function from wk to is then given by:

(1.32)

Let be the faults indicator signal without disturbances. From Equation (1.28), the transfer function from fault f to fault indicator is a pure delay and

(1.33)

where norm is the norm of the signal sk.

Then the free parameters are designed in order to

C1: ensure that the energy ratio between useful and disturbance signal wk defined on the fault indicators is maximized,

C2: locate the closed-loop poles within a prescribed region in the complex plane in order that the residual dynamics has the given transient properties,

which can be formulated in the following theorem:

THEOREM.– For given discs Di (ξi, δi), if there exist matrices , Gi and Yi for prescribed scalars such that

(1.34)

(1.35)

where , then the free parameters are designed as ensuring the SMS of the error system (1.31) and the constraints C1 and C2. At the minimal possible value of γ leading to a solution , Gi and Yi, the energy ratio between useful and disturbance signal defined on the fault indicators will be maximized.

Given discs , the search problem of the lowest possible value of γ can be formulated as the following convex optimization problem:

(1.36)

1.5.1.4. Other work

In practice, the delay may be more than one sampling period. In some cases, this long time delay may distort the timing order of the message arriving at the receiver [HU 03; LIN 00; LI 04b; HAL 88].

In this way, the integrity of the information transmission is guaranteed. The discrete state model of the system with network-induced delay can be described as

(1.37)

which is a familiar discrete time system with input time delays utilizing a reduced-order memory-less state observer with a γ-stability margin, an observer-based fault detection method was presented for system (1.37) by comparing the output of the observer with the actual output of the practical system [ZHE 03]. The residual function for this approach is

(1.38)

where .

To remove the effect of the disturbance, it is required that

The simulation results demonstrating the feasibility of this approach can be found in [ZHE 03].

A method for fault detection in NCS with unknown network-induced delay, which may be greater than h, is proposed in [WAN 06b]. In this method, an NCS model for unknown network-induced delay which may be greater than h [HAL 88; HU 03] has been developed.

1.5.2. Fault diagnosis of NCS with packet losses

Packet losses happen when packets are dropped due to link failure or packets are dropped on purpose in order to avoid congestion or guarantee the most recent data to receiver. Although a single packet loss neither deteriorates system performance nor destabilizes the system, the consecutive packet losses have an impact on overall performance.

1.5.2.1. Deterministic packet losses

The deterministic packet losses have also been discussed, either in terms of switching systems [SEI 05; TIP 03; ZHA 01b; WAN 06b] or in terms of delayed differential equations [YUE 05; YU 05]. [YAN 98] firstly addressed the fault diagnosis for a class of state-delayed dynamic systems, in which the actuator and sensor faults as well as other effects such as disturbances and non-linearities were considered as unknown inputs. More recently, [KOE 05] dealt with the problem of full-order observer design for linear continuous delayed state and input systems with unknown input and time-varying delays. A method to design an unknown input observer (UIO) for such systems was proposed based on delay-dependent stability conditions of the state estimation error system.

[DIN 00] developed a weighting transfer function matrix to describe the desired behavior of residual respect to fault. The observer-based fault detection filter for a class of linear systems with time-varying delays was designed such that the error between the generated residual and fault is as small as possible in the sense of H∞-norm.

1.5.2.2. Stochastic packet losses

In [ZHA 04], the fault detection problem of systems with stochastic packet losses is developed. The structure of standard model based residual generator is modified and dynamic network resource allocation is represented as

(1.39)

(1.40)

where θ(k) is the difference between real value of the measurement y(k) and the used value ya(k), namely θ(k):= y(k) − ya(k). γ(k) is a stochastic variable representing data communication status. γ(k) = 1 means that the measurement at time point k arrives correctly, while γ(k) = 0 means that this measurement is lost.

To reduce the false alarm rate caused by missing measurements, a residual evaluation scheme is then developed as:

where . To compute the threshold Jth, a convex optimization problem is then developed to find the minimum of , which is formulated as a disturbance attenuation problem of Markovian jump linear systems.

[MAO 07] designed a robust fault detection filter for networked control systems with large transfer delays. The multi-rate sampling method is combined with the augmented state matrix method to model the long random delay networked control systems as Markovian jump systems. The H∞ fault detection filter is designed based on the obtained model.

Some works take into account simultaneous time-delays and packet losses, see e.g. [YUE 05; ZHA 05; YU 05].

1.5.3. Fault diagnosis of NCS with limited communication

The capacity of the communication network and its ability to carry a reasonable amount of information per unit of time plays an important role in the stability of NCS. When introducing the network into the control loop, issues like the channel/network capacity, encoding/decoding schemes and quantization naturally arise.

There is increasing attention to define the minimum bit rate which is needed to stabilize NCS through feedback, see e.g. [SAH 00; TAT 00; SAV 03] and the references therein. In order to describe the quantization effects on the performance NCS, some research effort has been devoted to develop new quantization scheme to achieve lower bit-rates, see e.g. [BRO 00; DEL 89; ELI 00; ISH 02; WON 97; HOK 04].

In [ZHA 06], the fault detection problem for networked control systems with limited data transmission rate is considered. In order to avoid the uncertainty caused by transmission delays and packet loss, a periodic communication sequence is proposed as:

(1.41)

(1.42)

where represents the sensor signals transmitted from the sensors to the central station through the network, is a θ-periodic matrix formed by selecting ωm rows of the identity matrix. represents the signal generated by the controller, is a θ-periodic diagonal matrix with a number of ωp non-zero element 1 on the diagonal.

1.5.4. Fault-tolerant control of NCS

Based on the fault diagnosis algorithm for NCS at section 1.5.2, the fault-tolerant control of NCS can be obtained. The existing methods of fault tolerant control (FTC) techniques against actuator faults can be categorized into two groups: passive [SEO 96; CHE 04] and active approaches [ZHA 02; ZHA 03]. [ZHE 03] proposed a passive controller for NCS by considering random time-delays. If a failure outside those considered in the design occurs, the stability and performance of the closed-loop system cannot be guaranteed. Such potential limitations of passive approaches motivate the research of the active FTC (AFTC).

With regard to AFTC, it is meant an on-line and real-time fault diagnosis process and a controller reconfiguration mechanism. Since the AFTC approaches propose a flexibility to select different controllers according to different component failures, better performance of the closed-loop system is expected. However, the above case holds true only if the fault diagnosis process does not make an incorrect or delayed decision. Some results have been obtained on AFTC which is immune to imperfect fault diagnosis process, see [MAH 03; WU 97]. [MAK 04] further developed the above issue by using the cost control approach and on-line controller switching in order to guarantee the stability of a closed-loop system. However, the NCS case is not considered in this work.

[LI 07a] addressed the stability guaranteed active fault tolerant control of NCS. The design of the procedures are summarized down below:

i) design a passive fault-tolerant controller so that the closed-loop system stability is guaranteed for all actuator failure modes;

ii) under the assumption that a particular actuator is fault free, the controller is repeatedly redesigned using only this actuator so that the robust performance is improved without jeopardizing the stability property of the design in i).

1.6. Summary

When control systems are implemented on top of a RTOS, scheduling policies are used to allocate scheduling parameters, i.e. usually priorities, to the control tasks. Traditional policies, such as RM and EDF, are designed only with computational constraints in mind, thus they are not necessarily suited when a control performance is the main objective to achieve. To better cope with control problem, flexible scheduling policies must be used, where the scheduling parameters are chosen according to control constraints. This is for example the case of the (m, k)-firm selective dropping policy described in section 1.2.2. This capability is further exploited to set up accel-erable tasks in section 2.3 and to co-design control loops and real-time scheduling in section 4.3 and in Chapter 5.

Another way to implement control aware scheduling policies consists in continuously adapting the scheduling parameters in a closed loop controller. In this way feedback schedulers, whose basic design and examples are provided in section 1.4, actively control the execution resources usage, such as CPU load, network bandwidth or processor speed and voltage. They can be further used as stand-alone components to control computing related devices, as sketched in section 1.4.2.1 and surveyed in [LU 02] and [HEL 04]. Beyond pure execution resource control, feedback schedulers can be used as building blocks to implement integrated control of the plant and computing/networking resources as designed in Chapter 4.

Finally, when the capabilities of control loops are exceeded, e.g. due to uncertainties overshooting or to the appearance of faults, diagnosis and FTC techniques must supplement pure control robustness and adaptivity. Some basic concepts of modelbased fault diagnosis, including observer-based parity space methods and FTC for NCS, are discussed in section 1.5. Other basic concepts in FDI/FTC, together with specific issues related to the processing of faults in networked control systems, are discussed in detail in Chapter 6 and assessed with the test-bed in Chapter 7.

1.7. Bibliography

[ABD 97] ABDELZAHER T., ATKINS E., SHIN K., QoS Negotiation in Real-Time Systems and Its Application to Automated Flight Control, IEEE Real-Time Technology and Applications Symposium, Montreal, Canada, June 1997.

[ABE 98] ABENI L., BUTTAZZO G., Integrating Multimedia Applications in Hard Real-Time Systems, Proceedings of the 19th Real-Time Systems Symposium, Madrid, Spain, 1998.

[ÅRZ 99] ÅRZÉN K.-E., A Simple Event-Based PID Controller, 14th IFAC World Congress, Beijing, China, July 1999.

[ÅST 97] ÅSTRÖM K. J., WITTENMARK B., Computer-Controlled Systems, Information and System Sciences Series, Prentice Hall, third edition, 1997.

[BAR 90] BARUAH S., MOK A., ROSIER L., Preemptively scheduling hard-realtime sporadic tasks on one processor, Real-Time Systems Symposium, Lake Buena Vista, USA, p. 182– 190, December 1990.

[BEN 91] BENVENISTE A., BERRY G., The synchronous approach to reactive and real-time systems, Proceedings of the IEEE, vol. 79, num. 9, p. 1270–1282, 1991.

[BEN 06] BEN GAID M., ÇELA A., HAMAM Y., IONETE C., Optimal Scheduling of Control Tasks with State Feedback Resource Allocation, American Control Conference ACC’06, Minneapolis, USA, June 2006.

[BRA 00] BRANICKY M. S., PHILLIPS S. M., ZHANG W., Stability of Networked Control Systems: Explicit Analysis of Delay, American Control Conference ACC’00, vol. 4, Chicago, USA, June 2000.

[BRO 00] BROCKETT R. W., LIBERZON D., Quantized Feedback Stabilization of Linear Systems, IEEE Transactions on Automatic Control, vol. 45, num. 7, p. 1279–1289, 2000.

[BUT 00] BUTTAZZO G., ABENI L., Adaptive Rate Control through Elastic Scheduling, 39th Conference on Decision and Control, Sydney, Australia, December 2000.

[CAC 00] CACCAMO M., BUTTAZZO G., SHA L., Elastic Feedback Control, 12th Euromicro Conference on Real-Time Systems, Stockholm, Sweden, June 2000.

[CER 00] CERVIN A., EKER J., Feedback Scheduling of Control Tasks, 39th IEEE Conference on Decision and Control, Sydney, Australia, December 2000.

[CER 02] CERVIN A., EKER J., BERNHARDSSON B., ARZEN K.-E., Feedback-Feedforward Scheduling of Control Tasks, Real-Time Systems, vol. 23, num. 1-2, p. 25–53, July 2002.

[CER 03a] CERVIN A., Integrated Control and Real-Time Scheduling, PhD thesis, Department of Automatic Control, Lund Institute of Technology, Sweden, April 2003.

[CER 03b] CERVIN A., EKER J., The Control Server: A Computational Model for Real-Time Control Tasks, 15th Euromicro Conference on Real-Time Systems, Porto, Portugal, p. 113-120, July 2003.

[CER 05] CERVIN A., Analysis of Overrun Strategies in Periodic Control Tasks, 16th IFAC World Congress, Prague, Czech Republic, July 2005.

[CHE 04] CHENG C., ZHAO Q., Reliable control of uncertain delayed systems with integral quadratic constraints, IEE Proceedings Control Theory Applications, vol. 151, num. 6, p. 790–796, 2004.

[DEL 89] DELCHAMPS D. F., Extracting state information from a quantized output record, System and Control Letters, vol. 13, num. 5, p. 365–372, 1989.

[DIN 00] DING S. X., DING E. L., JEINSCH T., A new optimization approach to the design of fault detection filters, SafeProcess’00, Budapest, Hungary, p. 250–255, June 2000.

[DOR 62] DORF R., FARREN M., PHILLIPS C., Adaptive sampling frequency for sampleddata control systems, IEEE Transactions on Automatic Control, vol. 7, num. 1, p. 38–47, 1962.

[DUR 09] DURAND S., MARCHAND N., Further Results on Event-Based PID Controller, European Control Conference ECC’09, Budapest, Hungary, August 2009.

[EKE 99] EKER J., CERVIN A., A Matlab Toolbox for Real-Time and Control Systems Co-Design, 6th International Conference on Real-Time Computing Systems and Applications, Hong-Kong, China, December 1999.

[EKE 00] EKER J., HAGANDER P., ARZEN K.-E., A feedback scheduler for real-time controller tasks, Control Engineering Practice, vol. 8, num. 12, p. 1369–1378, 2000.

[ELI 00] ELIA N., MITTER S. K., Quantized linear systems In System Theory: Modeling, Analysis, and Control, Kluwer, 2000.

[FAN 07] FANG H., YE H., ZHONG M., Fault diagnosis of networked control systems, Annual Reviews in Control, vol. 31, num. 1, p. 55–68, 2007.

[FRA 94] FRANK P., Enhancement of robustness in observer-based fault detection, International Journal of Control, vol. 59, num. 4, p. 955–981, 1994.

[GEO 95] GEORGE L., MUHLETAHLER P., RIVIERRE N., Optimality and nonpreemptive realtime scheduling revisited, Report num. RR2516, INRIA, 1995.

[GER 98] GERTLER J., Fault Dectection and Diagnosis in Engineering Systems, Marcel Dekker, USA, 1998.

[HAL 88] HALEVI Y., RAY A., Integrated Communication and Control Systems: Part I- Analysis, ASME Journal of Dynamic Systems, Measurement and Control, vol. 110, num. 4, p. 367–373, 1988.

[HAM 95] HAMDAOUI M., RAMANATHAN P., A dynamic priority assignment technique for streams with (m, k)-firm deadlines, IEEE Transactions on Computers, vol. 44, num. 4, p. 1443–1451, December 1995.

[HEL 04] HELLERSTEIN J., DIAO Y., PAREKH S., TILBURY D., Feedback Control of Computing Systems, Wiley-IEEE Press, New York, 2004.

[HOK 04] HOKAYEM P. F., ABDALLAH C. T., Inherent issues in networked control systems: a survey, American Control Conference ACC’04, Boston, USA, p. 4897–4902, June 2004.

[HRI 99] HRISTU D., Optimal control with limited communication, PhD thesis, Harvard University, 1999.

[HSI 74] HSIA T. C., Analytic design of adaptive sampling control law in sampled data systems, IEEE Transactions on Automatic Control, vol. 19, num. 1, p. 39–42, 1974.

[HU 03] HU S.-S., ZHU Q.-X., Stochastic optimal control and analysis of stability of networked control systems with long delay, Automatica, vol. 39, num. 11, p. 1877–1884, 2003.

[ISH 02] ISHII H., FRANCIS B., Stabilization with control networks, Automatica, vol. 38, num. 10, p. 1745–1751, 2002.

[JEF 91] JEFFAY K., STANAT D. F., MARTEL C. U., On non-preemptive scheduling of periodic and sporadic tasks, Real-Time Systems Symposium, San Antonio, USA, p. 129–139, December 1991.

[JIA 07] JIA N., SONG Y. -Q., SIMONOT-LION F., Graceful Degradation of the Quality of Control through Data Drop Policy, European Control Conference ECC’07, Kos, Greece, July 2007.

[JOS 86] JOSEPH M., PANDYA P., Finding Response Time in a Real-Time System, BCS Computer journal, vol. 29, num. 5, p. 390–395, October 1986.

[KOE 05] KOENIG D., BEDJAOUI N., LITRICO X., Unknown input observers design for time-delay systems application to an open-channel, 44th IEEE Conference on Decision and Control and the European Control Conference, Sevilla, Spain, p. 5794–5799, December 2005.

[KOP 03] KOPETZ H., BAUER G., The time-triggered architecture, Proceedings of the IEEE, vol. 91, num. 1, p. 112–126, 2003.

[LEU 04] LEUNG J., Handbook of scheduling: algorithms, models, and performance analysis, Chapman Hall/CRC, 2004.

[LI 04a] LI J., SONG Y. -Q., SIMONOT-LION F., Schedulability analysis for systems under (m,k)-firm constraints, IEEE WFCS2004, Vienna, Austria, September 2004.

[LI 04b] LI S., WANG Z., SUN Y., Observer-based compensator design for networked control systems with long time delays, 30th Annual Conference of IEEE Industrial Electronics Society, Busan, Korea, p. 678–683, November 2004.

[LI 05] LI S., YU L., WANG Z., SUN Y., Approach to Guaranteed Cost Control for Networked Control Systems, Developments in Chemical Engineering and Mineral Processing, vol. 13, num. 3, p. 351–361, 2005.

[LI 06] LI S., SAUTER D., AUBRUN C., Robust Fault Isolation Filter Design for Networked Control systems, 11th IEEE International Conference on Emerging Technologies and Factory Automation, Prague, Czech Republic, p. 681–688, September 2006.

[LI 07a] LI S., SAUTER D., AUBRUN C., YAMÉ J.-J., Stability guaranteed active fault tolerant control of networked control systems, European Control Conference, ECC’07, Kos, Greece, p. 180–186, July 2007.

[LI 07b] LI S., WANG Y., XIA F., SUN Y., G uaranteed cost control of networked control systems with time-delays and packet losses, International Journal of wavelets, multiresolution and information processing, vol. 4, num. 4, p. 691–706, 2007.

[LI 09] LI J., SONG Y.-Q., DLB: a novel real-time QoS control mechanism for multimedia transmission, International Journal High Performance Computing and Networking, vol. 6, num. 1/2, p. 4–14, 2009.

[LIN 00] LINCOLN B., BERNHARDSSON B., Optimal Control over Networks with Long Random Delays, International Symposium on Mathematical Theory of Networks and Systems, Perpignan, France, p. 84-90, July 2000.

[LIN 02a] LINCOLN B., BERNHARDSSON B., LQR Optimization of Linear System Switching, IEEE Transactions on Automatic Control, vol. 47, num. 10, p. 1701–1705, October 2002.

[LIN 02b] LING Q., LEMMON M. D., Robust performance of soft real-time networked control systems with data dropouts, 41st IEEE Conference on Decision and Control, Las Vegas, USA, p. 1225–1230, December 2002.

[LIU 73] LIU C., LAYLAND J., Scheduling Algorithms for Multiprogramming in Hard Real-Time Environment, Journal of the ACM, vol. 20, num. 1, p. 40–61, February 1973.

[LIU 00] LIU J., Real-time systems, Prentice-Hall, Inc., 2000.

[LIU 05] LIU H., CHENG Y., YE H., A combinative method for fault detection of networked control systems, 20th IAR/ACD Annual Meeting, Mulhouse, France, p. 59–63, November 2005.

[LIU 06] LIU D., HU X., LEMMON M., LING Q., Firm real-time system scheduling based on a novel QoS constraint, IEEE Transactions on Computers, vol. 55, num. 3, p. 320–333, March 2006.

[LU 00] LU C., STANKOVIC J., ABDELZAHER T., TAO G., SON S., MARLEY M., Performance Specifications and Metrics for Adaptive Real-Time Systems, Real-Time Systems Symposium, Orlando, USA, December 2000.

[LU 01] LU C., ABDELZAHER T. F., STANKOVIC J. A., SON S. H., A Feedback Control Approach for Guaranteeing Relative Delays in Web Servers, IEEE Real-Time Technology and Applications Symposium, Taipei, Taiwan, June 2001.

[LU 02] LU C., STANKOVIC J.-A., TAO G., SON S.-H., Feedback Control Real-Time Scheduling: Framework, Modeling, and Algorithms, Real Time Systems, vol. 23, num. 1, p. 85-126, 2002.

[MAH 03] MAHMOUD M., JIANG J., ZHANG Y., Stabilization of active fault tolerant control systems with imperfect fault detection and diagnosis, Stochastic Analysis and Applications, vol. 21, num. 3, p. 673–701, 2003.

[MAK 04] MAKI M., JIANG J., HAGINO K., A stability guaranteed active fault-tolerant control against actuator failures, International Journal of Robust and Nonlinear Control, vol. 14, num. 12, p. 1061–1077, 2004.

[MAN 00] MANGOUBI R. S., EDELMAYER A. M., Model-based fault detection: the optimal past, the robust present and a few thoughts on the future, SafeProcess’00, Budapest, Hungary, p. 64–75, June 2000.

[MAO 07] MAO Z., JIANG B., SHI P., H∞ fault detection filter design for networked control systems modelled by discrete Markovian jump systems, Control Theory & Applications, IET, vol. 1, num. 5, p. 1336–1343, 2007.

[NAI 97] NAIR G. N., EVANS R. J., State estimation via a capacity-limited communication channel, 36th Conference on Decision and Control, San Diego, USA, p. 866–871, December 1997.

[NIL 98] NILSSON J., Real-time control systems with delays, PhD thesis, Lund University, Sweden, 1998.

[OHL 07] OHLIN M., HENRIKSSON D., CERVIN A., TrueTime 1.5–Reference Manual, January 2007.

[PAR 02] PAREKH S., GANDHI N., HELLERSTEIN J., TILBURY D., JAYRAM T., BIGUS J., Using Control Theory to Achieve Service Level Objectives in Performance Management, Real-Time Systems Journal, vol. 23, num. 1-2, p. 127–141, 2002.

[PAT 00] PATTON R., CHEN J., On eigenstructure assignment for robust fault diagnosis, International Journal of Robust and Non Linear Control, vol. 10, num. 14, p. 1193–1208, 2000.

[POG 03] POGGI E.-M., SONG Y. -Q., KOUBAA A., WANG Z., Matrix-DBP for (m, k)-firm real-time guarantee, Conference of Real Time Systems, Paris, France, p. 457–482, April 2003.

[QIN 01] QIN S., LI W., Detection, identification and reconstruction of faulty sensors with maximized sensitivity, A.I. Ch. E. Journal, vol. 34, num. 39, p. 1963–1976, 2001.

[QUA 00] QUAN G., HU X., Enhanced Fixed-priority Scheduling with (m, k)-firm Guarantee, Real-Time Systems Symposium, Orlando, USA, p. 79–88, Nov. 2000.

[RAM 99] RAMANATHAN P., Overload Management in Real-Time Control Applications Using (m, k)-Firm Guarantee, IEEE Transactions on Parallel and Distributed Systems, vol. 10, num. 6, p. 549–559, June 1999.

[REH 04] REHBINDER H., SANFRIDSON M., Scheduling of a limited communication channel for optimal control, Automatica, vol. 40, num. 3, p. 491–500, March 2004.

[RYU 97] RYU M., HONG S., SAKSENA M., Streamlining real-time controller design: from performance specifications to end-to-end timing constraints, IEEE Real Time Systems Symposium, San Francisco, USA, December 1997.

[SAH 00] SAHAI A., Evaluating channels for control capacity reconsidered, American Control Conference, Chicago, USA, p. 2358–2362, June 2000.

[SAK 98] SAKSENA M., PTAK A., FREEDMAN P., RODZIEWICZ P., Schedulability Analysis for Automated Implementations of Real-Time Object-Oriented Models, IEEE Real-Time Systems Symposium, Madrid, Spain, December 1998.

[SAN 00] SANFRIDSON M., Problem Formulations for QoS Management in Automatic Control, Report num. TRITA-MMK 2000:3, ISSN 1400-1179, ISRN KTH/MMK-00/3-SE, KTH, Stockholm, Sweden, 2000.

[SAN 02] SANDSTRÖM K., NORSTRÖM C., Managing Complex Temporal Requirements in Real-Time Control Systems, 9th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems (ECBS’02), Lund, Sweden, April 2002.

[SAV 03] SAVKIN A. V., PETERSEN I. R., Set-valued state estimation via a limited capacity communication channel, IEEE Transactions on Automatomatic Control, vol. 48, num. 4, p. 676–680, April 2003.

[SCH 02] SCHINKEL M., CHEN W.-H., RANTZER A., Optimal control for systems with varying sampling rate, American Control Conference ACC’02, Anchorage, USA, May 2002.

[SEI 05] SEILER P., SENGUPTA R., An H∞ approach to networked control, IEEE Transactions on Automatic Control, vol. 50, num. 3, p. 356–364, 2005.

[SEO 96] SEO C., KIM B., Robust and reliable H∞ control for linear systems with parameter uncertainty and actuator failure, Automatica, vol. 32, num. 3, p. 465–467, 1996.

[SET 96] SETO D., LEHOCZKY J. P., SHA L., SHIN K. G., On Task Schedulability in Real-Time Control Systems, 17th IEEE Real-Time Systems Symposium, New York, USA, December 1996.

[SIM 98] SIMON D., CASTILLO E., FREEDMAN P., Design and Analysis of Synchronization for Real-time Closed-loop Control in Robotics, IEEE Transactions on Control Systems Technology, vol. 6, num. 4, p. 445–461, July 1998.

[SIM 03] SIMON D., SENAME O., ROBERT D., TESTA O., Real-time and delay-dependent control co-design through feedback scheduling, CERTS’03 Workshop on Co-design in Embedded Real-time Systems, Porto, Portugal, July 2003.

[SIM 05a] SIMON D., BENATTAR F., Design of real-time periodic control systems through synchronisation and fixed priorities, International Journal of Systems Science, vol. 36, num. 2, p. 57–6, 2005.

[SIM 05b] SIMON D., ROBERT D., SENAME O., Robust control / scheduling co-design: application to robot control, 11th IEEE Real-Time and Embedded Technology and Applications Symposium, San Francisco, USA, March 2005.

[SPU 96] SPURI M., Analysis of deadline scheduled real-time systems, Report num. RR2772, INRIA, January 1996.

[TAT 00] TATIKONDA S., Control under communication constraints, PhD thesis, Massachusetts Institute of Technology, 2000.

[TIN 94] TINDELL K., Fixed Priority Scheduling of Hard Real-Time Systems, PhD thesis, Department of Computer Science, University of York, UK, 1994.

[TIP 03] TIPSUWAN Y., CHOW M.-Y., Control Methodologies in Networked Control Systems, Control Engineering Practice, vol. 11, num. 10, p. 1099–1111, 2003.

[WAN 06a] WANG Y. Q., YE H., CHENG Y., WANG G. Z., Fault detection of ncs based on eigendecomposition and Pade approximation, SafeProcess’06, Beijing, China, p. 937–941, June 2006.

[WAN 06b] WANG Y. Q., YE H., WANG G. Z., A new method for fault detection of networked control systems, 1st IEEE Conference on Industrial Electronics and Applications, Singapore, China, p. 1–4, May 2006.

[WES 99] WEST R., SCHAWN K., Dynamic window-constrained scheduling for multimedia applications, 6th IEEE International Conference On Multimedia Computing and Systems, ICMCS’99, Florence, Italy, June 1999.

[WES 04] WEST R., ZHANG Y., SCHWAN K., POELLABAUER C., Dynamic Window-Constrained Scheduling of Real-Time Streams in Media Servers, IEEE Transactions on Computers, vol. 53, num. 6, p. 744–759, June 2004.

[WON 97] WONG W. S., BROCKETT R. W., Systems with finite communication bandwidth constraints-Part I: state estimation problems, IEEE Transactions Automatic Control, vol. 42, num. 9, p. 1294–1299, 1997.

[WU 97] WU N. E., Robust feedback design with optimized diagnostic performance, IEEE Transactions on Automatic Control, vol. 42, num. 9, p. 1264–1268, 1997.

[XIA 08] XIA F., SUN Y., Control and scheduling Codesign: Flexible resource management in real-time control systems, Springer, 2008.

[YAN 98] YANG H. L., SAIF M., Observer design and fault diagnosis for state-retarded dynamical systems, Automatica, vol. 34, num. 2, p. 217–227, 1998.

[YAN 06] YANG T. C., Networked control system: a brief survey, IEE Proc.-Control Theory Applications, vol. 153, num. 4, p. 403–412, 2006.

[YE 04a] YE H., DING S. X., Fault detection of networked control systems with network-induced delay, 8th International Conference on Control, Automation, Robotics and Vision, Kunming, China, p. 294–297, December 2004.

[YE 04b] YE H., WANG G. Z., DING S. X., A new parity space approach for fault detection based on stationary wavelet transform, IEEE Transactions Automatic Control, vol. 49, num. 2, p. 281–287, 2004.

[YE 06a] YE H., LIU R. H. H., WANG G. Z., A new approach for fault detection of networked control systems, 14th Symposium on System Identification SYSID’06, Newcastle, Australia, p. 654–659, March 2006.

[YE 06b] YE H., WANG Y. Q., Application of parity relation and statinary wavelet transform to fault detection of networked control systems, Proceedings of 1th IEEE Conference on Industrial Electronics and Applications, Singapore, China, May 2006.

[YU 05] YU M., WANG L., CHU T., HAO F., Stabilization of networked control systems with packet dropout and transimission delays:continuoust-time case, European Journal of Control, vol. 11, num. 1, p. 40–49, 2005.

[YUE 05] YUE D., HAN Q.-L., LAM J., Network-based robust H∞ control of systems with uncertainty, Automatica, vol. 41, num. 6, p. 999–1007, 2005.

[ZHA 01a] ZHANG W., Stability analysis of networked control systems, PhD thesis, Case We stern Reserve University, Cleveland, Ohio, USA 2001.

[ZHA 01b] ZHANG W., BRANICKY M. S., PHILLIPS S. M., Stability of networked control systems, IEEE control systems Magazine, vol. 21, num. 1, p. 84–99, 2001.

[ZHA 02] ZHANG Y. M., JIANG J., An active fault-tolerant control system against partial actuator failures, IEE Proceedings Control Theory and Applications, vol. 149, num. 1, p. 95–104, 2002.

[ZHA 03] ZHANG Y. M., JIANG J., Bibliographical review on reconfigurable fault-tolerant control systems, 5th SafeProcess’03, Washington, USA, p. 265–276, June 2003.

[ZHA 04] ZHANG P., DING S. X., FRANK P. M., DADER M., Fault detection of networked control systems with missing measurements, 5th Asian Control Conference, Melbourne, Australia, p. 1258–1263, July 2004.

[ZHA 05] ZHANG L., CHEN Y. S. T., HUANG B., A new method for stabilization of networked control systems with random delays, IEEE Transactions on Automatic Control, vol. 50, num. 8, p. 1177–1181, 2005.

[ZHA 06] ZHANG P., DING S. X., Fault detection of networked control systems with limited communication, SafeProcess’06, Beijing, China, p. 1135–1140, June 2006.

[ZHE 03] ZHENG Y., Fault diagnosis and fault tolerant control of networked control systems, PhD thesis, Huazhong University of Science and Technology, China, 2003.

[ZHO 96] ZHOU K., DOYLE J. C., GLOVER K., Robust and optimal control, Prentice-Hall Inc., 1996.

---

1 Chapter written by Christophe AUBRUN, Daniel SIMON and Ye-Qiong SONG.

1. As in the several real-time variants of Linux we have used, i.e. RTAI (www.rtai.org) and Xenomai (www.xenomai.org)