Chapter 13. Design of decentralized supervisory control

In a centralized control structure a single main controller sends the control signals directly to the actuators of the subsystems. This kind of information flow increases the computational load on the central ECU, requiring more powerful units. In addition, centralized structures are rigid, which limits their reconfiguration capabilities for integrating new elements into the control loop: if a new subsystem has to be integrated into the control loop, the only solution is to redesign the complete control system. This type of topology also forces the OEMs to open their system architecture to their suppliers.

An integrated control system is designed in such a way that the effects of a control system on other vehicle functions are taken into consideration in the design process by selecting the various performance specifications. Redundancy on sensor and actuator levels makes it possible to realize the same functionality using different sensor and actuator configurations. Thus integrated design is also motivated by the needs of reconfigurable and reliable control, [131], [132].

A possible solution to integrated control could be to set the design problem for the whole vehicle and include all the performance demands in a single specification. Besides the complexity of the resulting problem, the formulation of a suitable performance specification is the main obstacle for this direct global approach. In the framework of available design techniques, the formulation and successful solution of complex multi-objective control tasks are highly nontrivial, see e.g. [133], [134].

In a decentralized control structure every subsystem has its own independent controller and control objective, and the controller commands its particular actuator. The interaction among different control loops is limited to shared information obtained from a communication bus. This type of control structure was used in the early chassis control integration. In this scheme the integration lies with the OEMs, while the supplier provides the interconnection options of its systems.

Another solution to the integrated control is a decentralized control structure where the components are designed independently, see e.g. [135], [136]. In the paper the decentralized control system is augmented with a supervisor as illustrated in Figure 151. The role of the supervisor is to meet performance specifications and prevent the interference and conflict between components. The supervisor has information about the current operational mode of the vehicle, i.e., the various vehicle maneuvers or the different fault operations. The supervisor is able to make decisions about the necessary interventions into the vehicle components and guarantee the reconfigurable and fault-tolerant operation of the vehicle. These decisions are propagated to the lower layers through predefined interfaces encoded as suitable scheduling signals.

Figure 13.1. The supervisory decentralized architecture of integrated control


The role of the supervisor is to coordinate the local components and handle the interactions between them. Since the performance specifications of local controllers are often in conflict, the supervisor must also guarantee a balance or trade-off between them. The information provided by the supervisor is composed of messages and signals sent by the monitoring components and fault detection and isolation (FDI) filters. Based on this information the supervisor is able to make decisions about the necessary vehicle maneuvers and guarantee reconfigurable and fault-tolerant operation of the vehicle and send messages to the local controllers. In order to implement a safety feature the operation of a local controller must be modified by a supervisory command. This is realized through appropriately set scheduling variables that are transmitted to the local controllers. At a local level the behaviour of the controller is affected by these scheduling variables through the performance weighting functions. The difficulty in the supervisory control is that global stability and performance are difficult to guarantee.

The design of the supervisor does not involve dynamical systems explicitly. However, due to the time variation of the signals the designer should check the validity of relations between the momentary values of the monitoring signals based on a temporal logic. The difficult part of the design is to ensure the correctness of the specification. It must be stressed at this point that the baseline configurations handle only one actuator, which is associated with a given task (functionality). The hierarchy of the configurations and corresponding scheduling variables ensure that the additional actuator(s) considered improve the stability properties of the given functionality.

In contrast to the controller switching strategy, the proposed approach uses a performance weighting strategy. On the supervisor level the required configurations are defined uniquely by the specific values of a set of marker signals. These marker signals are used as scheduling variables on the level of local controllers. The task of the supervisor design is to specify these marker signals in such a way that the different combinations of their values define the specific event (functionality) in a unique way. The different combinations of the marker signals encode the designer's specification (option) in dealing with multi-objective or conflicting scenarios.

A local component is a well-defined ensemble of a controller, an actuator and a set of related physical or virtual sensors, e.g., units for monitoring components and FDI filters. These elements are able to detect emergency vehicle operations, various fault operations or performance degradations in controllers. They send messages to the supervisor in order to guarantee the safe operation of the vehicle.

Each of the local components is governed by a local controller. A local controller must meet the predefined performance specifications. The signals of monitoring components and those of FDI filters are built into the performance specifications of the controller by using a parameter-dependent form. The performance specifications are formalized in a parameter-dependent way in which the corresponding scheduling variable is given by the supervisor. Thus the controller is able to modify or reconfigure its normal operations in order to focus on other performances instead of the actual performances. It sends messages about the changes to the supervisor and it receives messages from the supervisor about the special requirements.

The efficient operation of the supervisor and the local controllers requires reliable and highly accurate signals from the system. To meet this requirement, redundant sensors, diverse calculations and fault detection filters are needed. To achieve efficient and optimal intervention, the detection of faulty sensors is important, since they must be substituted for in operations based on these sensors. Low cost solutions are preferred in the vehicle industry, thus simple sensors and software-based redundancy must be applied.

In the following, two examples of monitored components related to specific control goals are presented:

  1. Yaw stability is achieved by limiting the effects of the lateral load transfers. The purpose of the control design is to minimize the lateral acceleration, which is monitored by a performance signal. Unilateral braking is one of the solutions, in which brake forces are generated in order to achieve a stabilizing yaw moment. In the second solution additional steering angle is generated in order to reduce the effect of the lateral loads. These solutions, however, require active driver intervention into the motion of the vehicle to keep the vehicle on the road.

  2. Roll stability is achieved by limiting the lateral load transfers on both axles to below the levels for wheel lift-off during various vehicle maneuvers. The aim of the control design is to reduce the maximum value of the lateral load transfer if it exceeds a predefined critical value.
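The requirement stated earlier, that each combination of marker-signal values defines exactly one configuration, can be checked mechanically at design time. The following Python example is added here and is not from the chapter; it combines that check with a supervisor step for the two monitored components above. The marker names, the thresholds `r_crit` and `ay_crit`, and the configuration table are assumptions chosen for illustration.

```python
# Added illustration: signal names, thresholds and the table are assumed.
from itertools import product

# Marker signals (scheduling variables): (roll_risk, yaw_risk, brake_fault).
CONFIGS = {
    "normal":                   (0, 0, 0),
    "brake_fault":              (0, 0, 1),
    "yaw":                      (0, 1, 0),
    "yaw_brake_fault":          (0, 1, 1),
    "roll":                     (1, 0, 0),
    "roll_brake_fault":         (1, 0, 1),
    "roll_and_yaw":             (1, 1, 0),
    "roll_and_yaw_brake_fault": (1, 1, 1),
}

def encoding_problems(configs, n_markers=3):
    """Return (collisions, uncovered): marker tuples claimed by more than one
    configuration, and marker tuples that no configuration claims."""
    owners = {}
    for name, markers in configs.items():
        owners.setdefault(markers, []).append(name)
    collisions = {m: sorted(n) for m, n in owners.items() if len(n) > 1}
    uncovered = [m for m in product((0, 1), repeat=n_markers)
                 if m not in owners]
    return collisions, uncovered

def markers_from_monitors(load_transfer, lat_accel, brake_fault,
                          r_crit=0.8, ay_crit=4.0):
    """Supervisor step: map monitored signals and an FDI flag to markers.
    load_transfer is the normalized lateral load transfer, lat_accel is the
    lateral acceleration in m/s^2; both critical values are assumed."""
    return (int(abs(load_transfer) > r_crit),
            int(abs(lat_accel) > ay_crit),
            int(bool(brake_fault)))

def select_configuration(markers, configs=CONFIGS):
    """Decode markers to exactly one configuration, or fail loudly."""
    matches = [name for name, m in configs.items() if m == markers]
    if len(matches) != 1:
        raise ValueError(f"markers {markers} map to {matches}")
    return matches[0]
```

Running `encoding_problems` on the table before deployment catches both ambiguous and undefined marker combinations, so the local controllers never receive a scheduling value without a defined meaning.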