A note on diagnosis and performance degradation detection in automatic control systems towards functional safety and cyber security

This note addresses diagnosis and performance degradation detection issues from an integrated viewpoint of functionality maintenance and cyber security of automatic control systems. It calls for more research attention on three aspects: (i) application of the control and detection unified framework to enhancing the diagnosis capability of feedback control systems, (ii) projection-based fault detection, and complementary and explainable applications of projection- and machine learning-based techniques, and (iii) system performance degradation detection, which is of elemental importance for today's automatic control systems. Some ideas and conceptual schemes are presented and illustrated by means of examples, serving as convincing arguments for research efforts in these aspects. They would contribute to the future development of capable diagnosis systems for functionally safe and cyber secure automatic control systems.


Introduction
In the era of industry 4.0, automatic control systems as the centrepiece of industrial cyber physical systems (CPSs) are fully equipped with intelligent sensors, actuators and an excellent information infrastructure. It is a logical consequence of ever increasing demands for system performance and production efficiency that today's automatic control systems are of an extremely high degree of integration, automation and complexity. Maintaining reliable and safe operations of automatic control systems is of elemental importance for optimally managing industrial CPSs over the whole operation life cycle. As an indispensable maintenance functionality, real-time monitoring and diagnosis are widely integrated in automatic control systems and run parallel to the embedded control systems.
In a traditional automatic control system, monitoring and diagnosis were mainly dedicated to maintaining the functionality of sensors and actuators as the key components embedded in the system [1,2]. As a response to wide networking in modern automatic control systems, monitoring and diagnosis of networked control systems as a whole have received considerable attention as well in recent years [3]. Over the past three decades, innumerable capable diagnosis schemes have been developed with various specifications, for instance, detecting abrupt component failures [4], identifying and predicting functionality loss caused by ageing in system components [5,6], and intermittent faults depending on system operation conditions [7]. Recently, a new type of malfunction, the so-called cyberattacks on automatic control systems, has drawn attention to the urgent need for developing new monitoring and diagnosis strategies [8][9][10][11]. Cyberattacks can not only considerably affect the functionality of sensors and actuators, but also impair communications among the system components and sub-systems, which may cause immense damage during system operations [12][13][14][15]. In addition, different from technical faults, cyberattacks are artificially created and could be designed by attackers in such a way that they cannot be detected using the existing diagnosis techniques. Such cyberattacks are called stealthy [11]. A further type of cyberattack is the so-called eavesdropping attack. Although such attacks do not cause changes in system dynamics or performance degradation, they enable an adversary to gain system knowledge which can be used to design, for instance, stealthy attacks. In a nutshell, the management of cyberattacks, besides functionality maintenance, raises cyber security issues in the framework of monitoring and diagnosis in automatic control systems.
The objective of this note is to address monitoring and diagnosis issues from an integrated viewpoint of functionality maintenance and cyber security of automatic control systems. We would like to draw the reader's attention to the following three aspects:
• application of the control and detection unified framework [16] to enhancing the diagnosis capability of feedback control systems,
• alternative techniques of detecting faults in dynamic systems towards complementary and explainable applications of model- and machine learning (ML)-based methods to diagnosis, and
• system performance degradation detection issues,
which are, to our best knowledge, not the current research mainstream in the relevant thematic fields. We will report ideas and research efforts, present conceptual schemes, and illustrate, also by means of examples, why research efforts in these three aspects could contribute to the development of capable monitoring and diagnosis methods towards enhancing functionality safety and cyber security of automatic control systems. This note is motivated by our observations and research experiences in the field of fault diagnosis in technical systems and its industrial applications over the past years. Reviewing publications on fault diagnosis in automatic control systems gives a clear picture of research efforts: they have mainly been devoted to the development of fault diagnosis functionality as a separate system running in parallel to the control system. With the increasing complexity of the control systems under consideration, from single-loop feedback control systems to networked control systems and recently CPSs, the set of investigated diagnosis issues has been continuously extended, and correspondingly capable but often complicated diagnosis methods have been developed, without paying attention to the technical specifications and configurations of the controllers embedded in the control system.
For instance, successful solutions for detecting the so-called covert, zero dynamics and replay cyberattacks are achieved by extending the well-established observer-based detection scheme with a moving target or an auxiliary system [17][18][19] or by injecting watermark signals [20][21][22]. On the other hand, the unified control and detection framework [16] not only highlights the common information basis of control and detection, but also gives a functionalization of a control system, which enables an integrated configuration of control and detection functionality with enhanced diagnosis capacity. Our recent work demonstrates successful applications of the unified framework to uniform detection of covert, zero dynamics and replay cyberattacks without adding additional systems or signals [23].
Thanks to the close relations between observers and controllers, observer-based diagnosis is the most popular technique applied for fault detection in automatic control systems [1,2]. Observing the recent development in the thematic field of monitoring and diagnosis in industrial systems and processes, it can be clearly identified that ML-based methods form the mainstream of research. A detailed survey of publications on ML-based diagnosis in automatic control systems reveals obvious deficits in making use of system knowledge, which is no doubt available, since most plants, partially or as a whole, are engineering systems. In fact, most ML-based diagnosis methods are, in their core, based on the principle of reconstructing process variables or simply modelling the system's fault-free operations. Thanks to the learning capacity of ML algorithms, in particular neural networks (NNs), and on the assumption that rich data are available, ML methods are potential technical solutions. Nevertheless, such diagnosis solutions could be far from optimal with respect to diagnosis performance, also because diagnostic specifications often are not, or cannot be, integrated into the existing ML algorithms. In comparison, model-based diagnosis methods, especially the observer-based ones, are fully based on the dynamic model of the system under consideration and pursue optimal diagnosis performance. To approach this objective, advanced methods of control theory serve as the major investigation tools. On the other hand, these methods, compared with ML-based ones, are less capable of dealing with large amounts of data and, above all, lack the learning ability. From these observations, a reasonable question arises: is it possible to efficiently integrate the model- and ML-based diagnosis methods to significantly enhance diagnosis performance? Our recent work on the so-called projection-based fault detection strategy is motivated by this question [24].
The first results showcase that complementary applications of model- and ML-based methods result in enhanced detection performance. The proposed projection-based fault detection method not only provides us with an alternative and more capable model-based solution than the observer-based ones, but also leads to explainable applications of ML-based methods.
It can be well observed that the major attention of the existing diagnosis methods has been dedicated to faults in hardware components of automatic control systems like sensors and actuators. We call the corresponding diagnosis methods component-oriented diagnosis (COD). In the recent decade, considerable efforts have been made in the automation industry to increase component reliability and, more recently, to enhance the degree of intelligence of those key system components. Smart sensors and actuators are nowadays state of the art. In addition, the new generation of smart system components has the ability of self-diagnosis and self-repair. In an industrial CPS, COD is an issue to be addressed both at the process level and locally. At the system level, due to the extremely high degree of automation and complexity, the system performance is often susceptible to variations of operation and environmental conditions. Moreover, it could considerably suffer not only from faults in sub-systems, but also from, for example, mismatching of coupled and networked control loops and controller parameters, interferences in the system information infrastructure and cyberattacks as well. This calls for research endeavour to develop new strategies of monitoring and detecting performance degradations, called performance-oriented diagnosis (POD) [25].
The remainder of this note consists of three main sections, respectively dedicated to the three topics, (i) the unified control and detection framework towards enhancing the diagnosis capability of feedback control systems, (ii) projection-based detection of faults in dynamic systems and complementary, explainable applications of model- and ML-based methods, and (iii) study of POD issues. We would like to emphasize that the main intention of this note is to report ideas, research efforts, and conceptual schemes for the development of capable monitoring and diagnosis methods towards enhancing functionality safety and cyber security of automatic control systems. So far, no comparison study or survey of relevant publications is included. Concerning related issues, only representative works will be cited if needed. In order to have easily understandable descriptions, we avoid rigorous control-theoretical and mathematical formulations when there is no risk of misleading interpretation or confusion.
Unified control and detection framework towards enhancing the diagnosis capability of feedback control systems

As the methodological basis of our subsequent discussion, we first introduce the unified framework of control and detection. On this basis, we present the functionalization of a control system and its applications for enhancing the diagnosis capability of feedback control systems. Throughout this note, standard notations known in linear algebra and advanced control theory are adopted. In addition, RH∞ is used to denote the set of all stable systems. In the context of cyberattacks, when a signal ξ is attacked, it is denoted by ξ_a, and the corresponding (injected) attack signal by a_ξ, i.e. ξ_a = ξ + a_ξ.

System factorizations, observer-based residual generation, and signal subspaces
In automatic control engineering, transfer functions are a standard model form for system input-output dynamics, which is written as
with u and y as the plant input and output vectors, respectively. It is assumed that G(z) is a proper real-rational matrix and its minimal state space realization is given by the following discrete-time linear time-invariant (LTI) system,
where x ∈ R^n is the state vector and x_0 is the initial condition of the system. Matrices A, B, C, D are appropriately dimensioned real constant matrices. By means of the well-established coprime factorization, G(z) can be further factorized as
with (M̂(z), N̂(z)) and (M(z), N(z)) as left and right coprime pairs (LCP and RCP), which lead to alternative system representations,
for some signal v(z). Their state space realizations are given, respectively, by
System (7) is a state observer and builds, together with (8) (equivalently with (5)), an observer-based residual generator with residual vector r_y as its output. If x̂(0) ≠ x_0 or there exist uncertainties in the system, r_y(k) will deviate from zero. In other words, r_y(k) is an indicator for uncertainties in the system. In system (9)-(10), the input vector u(k) = F x(k) + v(k) can be interpreted as a state feedback controller with v as the reference signal. Corresponding to these interpretations, matrices F and L are called state feedback gain and observer gain matrices and are selected such that A + BF and A − LC are Schur matrices. Systems K_G in (5) and I_G in (6) are also called stable kernel and image representations (SKR and SIR) of system (1).

Remark 1. Hereafter, we may drop the domain variable z or k when there is no risk of confusion.
SKR and SIR are two alternative representations of dynamic systems, based on which the following definitions of kernel and image subspaces are introduced [26].
Definition. Given the model (1) and the corresponding LCP and RCP (M̂, N̂) and (M, N), the subspaces K_G and I_G defined by

Page 4 of 29
Security and Safety, Vol. 1, 2022004

are called kernel and image subspace of G, respectively. It is evident that K_G and I_G are subspaces in the (m + p)-dimensional data space and have the following properties:
• I_G is uniquely generated by the p-dimensional signal v, and thus
• vector v can be understood as a latent (hidden) variable.
These properties enable applications of the projection-based technique to deal with fault diagnosis issues and hence build a bridge between the model- and ML-based methods. This promises the development of more efficient and capable methods for fault diagnosis, performance degradation monitoring and detection of cyberattacks, as will be discussed in the remainder of this note.
It follows from the definition of coprime factorization that there exist two RCP and LCP (X̂, Ŷ) and (X, Y) so that the so-called Bezout identity holds [26,27],
It is of considerable interest to note their special state space realizations as controllers, i.e. an observer-based state feedback controller and its input-output dynamics [16],
as well as an observer-based state feedback controller and a closed-loop "residual generator",
⇐⇒ v(z) = X(z)u(z) + Y(z)y(z).

Parameterization of stabilising controllers and basics of the unified control and detection framework
It is a well-known result that, given the plant model (1), all stabilizing controllers are parameterized by
with the parameter system Q(z) ∈ RH∞, where the RCPs and LCPs (M, N), (X̂, Ŷ) and (M̂, N̂), (X, Y) are given before and satisfy the Bezout identity (13). The parameterization expression (14)-(15) is called the Youla parameterization [27]. It follows from (5)-(6) and the Bezout identity [16,28] that any (stabilizing) output feedback controller,
with v(z) being the reference signal, can be equivalently written as
where x̂ is the state estimate delivered by the observer (7). In other words, any output feedback controller is an observer-based controller and is driven by the residual signal r_y. In [16], a further parameterization form of all stabilizing controllers,
is introduced, where K_0 is an output stabilizing controller and Q_0 denotes the parameterization system. Consequently, also those widely used industrial controllers like PI controllers can be written in the form of (19), as far as they stabilize the control loops.

Mapping from the signal space to residual space
Consider the feedback control loop sketched in Figure 1 with the plant model (1) and controller (17). It turns out that
From (21), it is obvious that the system signal pair (u, y) consists of two terms: the first one reflects the feed-forward control and the second one the response to the feedback control driven by the residual signal. Denoting uncertainties related to the controller by r_u, which may, for instance, be caused by attacks on actuators like the injection of an unknown signal, we have
Relation (22) gives a one-to-one mapping between the signal pairs (u, y) and (r_u, r_y) (for given v̄). While (u, y) are the system measurement variables and represent the system dynamics, (r_u, r_y) build an information (residual) space and act as indicators for uncertainties in the system, including not only disturbances and parameter variations, but also faults and cyberattacks when present. Hence, (22) can serve as a residual generator for detecting faults, performance degradation and cyberattacks. Recall that the core of feedback control is residual-driven. That implies that the feedback of residuals is sufficient for the control purpose. In this context, system (22) can be interpreted as an encoder that delivers the residuals (r_u, r_y) as code. It is noteworthy that, on the one hand, an identification of the system dynamics by means of the code (r_u, r_y) is generally impossible, and on the other hand, cyberattacks can be identified using the residual pair (r_u, r_y) under certain conditions [23].

Functionalization of all stabilizing feedback controllers
In light of the observer-based realization of stabilizing controllers given in (18), a feedback controller can be divided into several functional modules [16]:
• an observer and an observer-based residual generator, as given in (7)-(8), which serve as an information provider for the controller and the diagnostic system, and deliver a state estimate, x̂, as well as the primary residual, r_y = y − ŷ,
• the control law, including a feedback controller, F x̂ − Q r_y, and a feed-forward controller, V̄ v, and in addition,
• for the detection purpose, a detector R(z) r_y(z) with R(z) as a stable post-filter.
This modular structure provides us with a clear parameterization of the functional modules: the state observer is parameterized by the observer gain L, the feedback controller by F, Q, the feed-forward controller by V̄, and the detector by R. Although all five parameters are available for the design and online optimization objectives, they have evidently different functionalities, as summarized below [16]:
• state feedback and observer gains determine the stability and eigen-dynamics of the closed loop,
• R, V̄ have no influence on the system stability; R serves for the optimization of the detectability, while V̄ serves for the tracking behaviour, and
• Q is used to enhance the system robustness and control performance. The design and update of Q will have influence on the system dynamics and stability when parameter uncertainties or degradations are present in the system.
It is evident that the above five parameters have to be treated with different priorities, owing to their different functionalities. Recall that system stability and eigen-dynamics are the fundamental requirement on an automatic control system. This requires that the system stability should be guaranteed, also in case of cyberattacks. In contrast, Q, R and V̄ are used to optimize control or detection performance. In case a temporary system performance degradation is tolerable, the real-time demand and the priority for an online optimization of Q, R, V̄ are relatively low.
When an automatic control system is integrated into a CPS, cyber security becomes a critical issue. In this context, the unified framework and the functionalization of controllers offer a useful design tool towards a cyber security-conscious system configuration. To delineate potential applications, consider the controller in its original form and in the observer-based realization form, respectively, and suppose that the plant is networked with a control station (refer to Figure 2 as an example). It is clear that for the implementation of the controller in its original form, i.e. (17), the system data (u, y) must be transmitted in real time over the network. Moreover, for any optimization or degradation recovery effort, the controller K(z) must be updated, which may yield unexpected dynamic behaviour. In contrast, for the implementation of the observer-based controller (18), an observer and an observer-based residual generator can be implemented on the plant side. This offers several benefits:
• transmission of the residual r_y from the plant (local) side to the control station and of v̄(z) − Q(z) r_y(z) from the control station to the plant, which prevents an adversary from gaining system knowledge by means of eavesdropping attacks [23],
• when performance optimization or degradation recovery is needed, real-time tuning of Q(z) is an effective way, as reported in [29], which can run in the control station,
• updating the feedback gain and observer gain matrices, F and L, which will be performed only in very critical operation situations (and thus occasionally) and in the control station. Their transmission to the plant should be well encrypted [30].
As reported in our recent work [23], the modules of the observer-based controller (18) together with the Bezout identity (13) can serve as encoders and decoders distributed at the plant and control station sides. It is noteworthy that the observer-based controller form (18) can be viewed as "control sharing", which is similar to the secret sharing scheme well-known in cryptography [30]. This additional function enables efficient detection of cyberattacks and enhances the cyber security of automatic control systems, which are, for instance, implemented in the form of cloud-based control [30].
In the following example, we introduce a conceptual configuration of an encrypted control system based on the above controller functionalization.
and networked with a control and monitoring system (CMS). It receives the signal ū from the CMS, where v is the reference signal and Q(z)y(z) represents a correction of the control signal, for instance, to recover from control performance degradation [16]. A natural procedure to realize the control law (23) is, as shown in Figure 2, as follows: (i) the plant sends the measurement data y to the CMS, and (ii) the CMS computes ū and sends it to the plant. Suppose that integrity cyberattacks could be executed on the system I/O interface via the network. Now, we introduce a conceptual reconfiguration of the systems on both network sides, on the basis of the unified control and detection framework, aiming at:
• a reliable detection of integrity cyberattacks, and
• preventing attackers from gaining system knowledge by means of system identification using the transmitted data (ū, y).
Moreover, it is required that the local controller K_0 should not be changed. For our purpose, consider the control signal,
Following the functionalization of control systems, u_0 and u can be equivalently written as
Run the following residual generation algorithm on the plant side,
with a_u denoting integrity cyberattacks on the actuators. It yields, recalling (22),
Thus, attack a_u can be detected. In the attack-free case, r_y is sent to the CMS; otherwise, an alarm is triggered. On the CMS side, a detection algorithm is applied to check whether the residual signal received from the plant side is corrupted by an attack signal a_y, i.e. r_y^a(z) = r_y(z) + a_y(z).
In case of no attack, ū computed using algorithm (24) is sent to the plant side. Figure 3 shows the above-described control system schematically.
We would like to summarize the main results of this example as follows:
• the proposed control system is capable of reliable attack detection thanks to the use of the residual pair (r_u, r_y),
• system (24) and residual generator (25) serve simultaneously as encoders, and
• the control system operates stably also in the case of an interrupted communication between the plant and the CMS.
It should moreover be mentioned that the control system located at the plant side runs only on the basis of the controller parameters K_0(z), F_0 and Q_0(z), without knowledge of Q_1(z), which is set by the CMS for enhancing the control performance.
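The plant-side observer-based residual generator (7)-(8), the residual-driven control law of the functionalization above and the plant/CMS split of this example, simulated end to end as an added example (this is not code from the paper or from [23]): a constructed two-state plant runs the observer and residual generator locally, sends only r_y to the CMS, receives v̄ − Q r_y back, assembles the control signal locally, and raises an alarm when an injected actuator signal a_u drives |r_y| over a fixed threshold. The matrices A, B, C, the gains F and L, the constant Q, the threshold, the initial-condition mismatch and the attack profile are all values assumed for illustration; the example also shows the initial transient in r_y caused by x̂(0) ≠ x_0, which is why the detector only starts evaluating after a settling period.

```python
"""Added example (not from the paper): plant-side observer-based residual
generation, a residual-driven control law and threshold-based detection of an
actuator integrity attack a_u.  Plant matrices, gains, threshold and attack
profile are constructed values chosen for illustration."""

# Constructed 2-state plant x(k+1) = A x(k) + B u(k), y(k) = C x(k), D = 0
A = [[0.9, 0.1],
     [0.0, 0.8]]
B = [0.0, 1.0]
C = [1.0, 0.0]
L = [0.5, 0.0]     # observer gain: A - L C has eigenvalues 0.4, 0.8 (Schur)
F = [0.0, -0.3]    # state feedback gain: A + B F has eigenvalues 0.9, 0.5 (Schur)
Q = 0.2            # constant (hence stable) parameter of the residual feedback -Q r_y
THRESHOLD = 0.01   # residual threshold of the plant-side detector (assumed)


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def plant_step(x, u_applied):
    """Physical plant; u_applied is the commanded input plus any injected a_u."""
    return [dot(A[i], x) + B[i] * u_applied for i in range(2)]


def observer_step(x_hat, u_commanded, r_y):
    """Observer (7): x_hat(k+1) = A x_hat(k) + B u(k) + L r_y(k).
    It is driven by the commanded input, so an injected a_u appears in r_y."""
    return [dot(A[i], x_hat) + B[i] * u_commanded + L[i] * r_y for i in range(2)]


def simulate(steps=80, attack_start=40, a_u=0.5, v_bar=1.0, settle=20):
    """Closed loop over the network.  Returns the residual sequence, the first
    detection step (None if none) and a log of everything that crossed the network."""
    x, x_hat = [1.0, 0.5], [0.0, 0.0]      # x_hat(0) != x(0): initial transient in r_y
    residuals, network_log, detection_step = [], [], None
    for k in range(steps):
        y = dot(C, x)
        r_y = y - dot(C, x_hat)            # primary residual (8), computed locally
        residuals.append(r_y)
        network_log.append(("plant->cms", r_y))        # y itself never leaves the plant
        correction = v_bar - Q * r_y                    # CMS side: feed-forward plus Q r_y term
        network_log.append(("cms->plant", correction))
        u = dot(F, x_hat) + correction                  # control law (18) assembled locally
        if k >= settle and detection_step is None and abs(r_y) > THRESHOLD:
            detection_step = k                          # plant-side alarm
        a = a_u if k >= attack_start else 0.0           # integrity attack on the actuator
        x = plant_step(x, u + a)
        x_hat = observer_step(x_hat, u, r_y)
    return {"residuals": residuals, "detection_step": detection_step,
            "network_log": network_log}


if __name__ == "__main__":
    res = simulate()
    print("actuator attack detected at step", res["detection_step"])
```

Because the observer is fed the commanded u and not the attacked input, the estimation error obeys e(k+1) = (A − LC) e(k) + B a_u(k) regardless of the control law, so the residual settles to zero after the initial mismatch decays and then responds to a_u within two steps; the network only ever carries r_y and v̄ − Q r_y, never (u, y).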
With the following remarks we would like to conclude this section.
• The control and detection unified framework forms a methodological basis for the development of advanced diagnosis methods aiming at maintaining system functionality and enhancing the cyber security of automatic control systems. It deals with the implementation of control, detection and monitoring algorithms. In this context, the information infrastructure for the configuration of automatic control systems plays an essential role. For instance, the networked system in Figure 3 could alternatively be configured using a cloud-based system structure, in which the CMS is realized by means of cloud computing.
• Although only LTI systems are addressed in this note, an extension of the unified control and detection framework to linear time-varying (LTV) systems is straightforward using the well-established system coprime factorization methods and the Youla parameterization of LTV control systems [31]. Concerning nonlinear control systems, corresponding results have been reported in [16,32,33].
• In our example, the application of the unified framework to the detection of cyberattacks is only briefly illustrated. The reader is referred to [23] for a more systematic and detailed description of this application. In a nutshell, this work results in the detection of those stealthy cyberattacks which cannot be detected using the existing observer-based detection methods [34]. These include the so-called covert, zero dynamics and replay cyberattacks [8][9][10][11].

Projection-based diagnosis methods and their ML-aided explainable realization
In this section, we introduce a new framework for fault diagnosis in dynamic control systems. The theoretical foundation of this framework is the alternative system representations SIR and SKR and the associated image and kernel subspaces, as well as the orthogonal projection technique. Although this framework has been developed in the model-based fashion [24], the associated concepts, algorithms and diagnosis approaches can be realized in data-driven form and using ML-based methods.
In this section, the following notations are adopted.
is the time domain space of all square summable Lebesgue signals (signals with bounded energy) [35]. For a transfer matrix G(z), G*(z) = G^T(z^{-1}). P_K is the orthogonal projection operator onto the subspace K, whose norm is denoted by ‖P_K‖. P*_K is the adjoint of P_K. K^⊥ represents the orthogonal complement of K.

Basic idea
The basic idea of (orthogonal) projection-based fault detection can be schematically explained by Figure 4. Given a system subspace as the nominal system model, which can be presented in model-based form (in terms of the SIR or SKR), in data-driven form or by means of an NN, by (orthogonally) projecting the measurement vector (u, y) onto the system subspace, the distance between the measurement vector and its projection indicates whether the measurement vector belongs to the nominal system operations or is faulty. To this end, the following mathematical concepts and work are necessary:
• definition and computation of the orthogonal projection operator,
• computation of dist((u, y), K),
• online realization algorithms towards constructing a fault detection system, and
• determination of a threshold for decision making.

Orthogonal projection: mathematical preliminaries
An orthogonal projection on a subspace V, denoted by P_V, in a Hilbert space endowed with an inner product, is a linear operator satisfying [36], for x, y ∈ V, P_V^2 = P_V. The following well-known properties and definitions of an orthogonal projection are of importance for our subsequent study [36]:
• given a closed subspace V ∈ L_2 and a vector y ∈ L_2, the distance between y and V, dist(y, V), is defined as
which, following (28), can be computed as dist(y, V) = ‖(I − P_V) y‖ = ‖P_{V^⊥} y‖. Here, I is the unit operator.
In order to measure the distance between two (closed) subspaces in a Hilbert space, the concept of the gap metric is established [36]. Given two closed subspaces V, U ∈ L_2, the gap metric between them is defined by
Here, δ⃗(V, U) is called the directed gap. The following properties are well-known [36] and useful for our subsequent investigation:

Orthogonal projection onto image subspace and its system realizations
In our subsequent study on the projection-based fault diagnosis framework, the so-called normalized SKR and SIR play an important role, which are denoted by K_N and I_N and defined by
where (M̂_0, N̂_0) and (M_0, N_0) are LCP and RCP with special settings of the observer and state feedback gain matrices using known algorithms, for example, those given in [37]. It is a known result that the orthogonal projection onto the image subspace I_G is given by
Correspondingly, the difference between (u, y) and p_{I_G} is subject to
and is called the projection-based residual. Due to the relation
projection-based residual generation (32) can be equivalently written as
The l_2-norm of r_{I_G},
is the distance from (u, y) to I_G. Moreover, the fact that K_N is a normalized SKR leads to the following implementation form of the residual vector,
That means, for the detection purpose with the residual evaluation function ‖r_{I_G}‖_2, the needed online computation is the observer-based residual generator (7)-(8) or equivalently the SKR (5) with the observer gain setting for a normalized SKR.
Next, on the assumption that the system dynamics with uncertainty is described by
the threshold is to be determined. Considering that the idea of setting a threshold is to avoid false alarms caused by model uncertainty during fault-free operations, a basic requirement on the threshold is that
which is obviously different from I_{G0},
In [24], it is proved that the threshold setting problem (37) is equivalent to
with δ(I_G, I_{G0}) denoting the gap metric between I_{G0} and I_G. It leads to
Compared with the well-established threshold setting for observer-based fault detection schemes [38], threshold (38) has the significant advantage that it is considerably robust against uncertainties and sensitive to faulty operations. In fact, this point becomes more apparent when the threshold and the residual are normalized as follows:
It can be seen that the threshold J_{th,N}(u, y) reaches its maximal value during fault-free operations and becomes smaller as the system enters faulty operation. In this way, the robustness and fault detectability are remarkably enhanced.
Example 2. In this example, we introduce a data-driven realization of the projection-based detection scheme. Departing from the system model (2)-(3), the system dynamics can be written as where y s (k), u s (k) are signal vectors of the data format and s is an integer giving the length of the time interval [k − s, k] of interest. To simplify our study, assume that the system is stable, and x (k − s) is neglectable. By defining the orthogonal projection, a projection-based residual vector is constructed as follows:

Page 13 of 29
Security and Safety, Vol. 1,2022004 Note that r s (k) = Π 1/2 (y s (k) − H u,s u s (k)) builds a residual vector and can be interpreted as a data-driven realization of an observer-based residual generator. .

It turns out that

Suppose that ∆H_{u,s} represents the uncertainty in the system,

Define the residual evaluation function J(u_s, y_s) = ||r_I(k)|| = ||r_s(k)||.

Remark 2.
At the end of this subsection, we would like to give an interpretation of the orthogonal projection P_{I_G} in the context of reconstructing the system variables (u, y) and its relation to the latent variable v. It is apparent that û_y := P_{I_G} u_y = I_N I_N^* u_y is an estimate of (u, y) for nominal operations. Note that I_N^* is the conjugate of I_N. Let the state space representation of I_N^* be denoted by

It is known that the above system is dual to I_N and that its output can be interpreted as a reconstruction of the input variable of I_N, i.e. v [16]. In other words, the reconstruction of (u, y) is achieved by an estimation of the latent variable v. This interpretation is helpful for extending the projection-based detection method to nonlinear control systems. To this end, the so-called Hamiltonian extension of nonlinear systems and its application to the construction of normalized (nonlinear) image representations are useful tools [16,39]. Moreover, aided by this interpretation, we will introduce explainable ML-based fault diagnosis methods in the next subsection.

Complementary and explainable application of model-based and ML-based methods
In this subsection, we discuss a complementary and explainable application of model-based and machine learning methods to enhancing the capability of fault diagnosis systems. To this end, we demonstrate the realization of the projection-based fault diagnosis schemes using the so-called auto-encoder method, a well-established ML technique.

Figure 5. Basic configuration of an auto-encoder

Auto-encoder technique: preliminaries
As sketched in Figure 5, the essential function of an auto-encoder (AE) is to reconstruct (estimate) the system variables under consideration using NNs and learning mechanisms. In Figure 5, NN_en and NN_de represent two neural networks serving as encoder and decoder, respectively, and their parameters, θ_en and θ_de, are, roughly speaking, learnt from sufficient measurement data (u, y) by minimizing the loss function

with respect to θ_en and θ_de. The basic idea of applying an AE to fault detection can be schematically described as follows. Under the assumption that the AE is well trained using fault-free operation data, the minimum value of L(θ_en, θ_de) can be adopted as the threshold,

It is well known that the hidden variable h in an AE plays a central role as the information carrier of the system under consideration and, more importantly, in the context of the so-called information bottleneck [40,41]. Unfortunately, this aspect has hardly been taken into account in most AE applications to fault diagnosis. Typically, the hidden variable is viewed as a set of features, taken as generated, as the output of the optimization (training) process, without any explainable interpretation with regard to the system and the fault diagnosis problem under consideration. This motivates the work presented in the next subsection.

AE-aided realization of projection-based fault detection and estimation
The basic idea of applying the AE technique to realize projection-based fault detection consists in training the NNs to follow the major properties of an orthogonal projection onto the system image subspace. In the sequel, we briefly describe the conceptual realization of this idea by means of two examples. For our purpose, recurrent neural networks are used for the realization of dynamic systems, denoted by RNN_en and RNN_de for the encoder and decoder.

Example 3. AE-aided realization of projection-based fault detection. Let P_AE, defined by û_y := P_AE u_y, P_AE u_y := RNN_de(θ_de, h) = RNN_de(θ_de, RNN_en(θ_en, u_y)), be an AE. Suppose that M batches of system data are available for training, each of which includes N system data,

Given vectors α(k_j), β(k_j) ∈ R^κ, j = 1, · · · , N, let

For training, a cost function consisting of three or four terms is defined,

Besides the basic term, the following regularization terms are added:
• realization of the idempotent operator P_AE (refer to (27)),

• realization of the self-adjoint operator P_AE,

• (optional) realization of the normalized SIR,

It follows from the projection-based fault detection method that the (online) residual evaluation function and the threshold are defined by

where δ denotes the value achieved by training.
This example clearly demonstrates that
• the objective of the construction and, in particular, of the training of the AE is the realization of projection-based optimal fault detection;
• the hidden variable h can be interpreted as the so-called reference signal v in the context of the SIR and the image subspace, and this information is fully integrated in the training process. Considering that during fault-free operations the system variables (u, y) are uniquely determined by v and can thus be fully recovered from v without any redundancy, such an AE is optimal in the context of the information bottleneck [40,41];
• the trained AE is embedded in the residual evaluation and threshold computation as well, which, in most AE-based fault detection schemes, has not been the case.
As a next example, we present a conceptual scheme of optimal fault estimation in dynamic systems. To this end, the fault estimation problem is first formulated in a general form: considering system dynamics described by

find an estimator f̂ = E_f y, where operator G represents the system dynamics, operator E_f is a dynamic estimator, y is an m-dimensional measurement vector, and f denotes a p-dimensional unknown input vector that is called the fault vector but could also be a cyberattack signal or a disturbance. It is well known that the solution of (42) is not unique. We are interested in solving the above estimation problem in a data-driven fashion, that is, instead of the system model G, sufficient data, y^(i)(k_j), f^(i)(k_j), j = 1, · · · , N, i = 1, · · · , M, are available and used for the estimation. Moreover, the estimate should be the so-called least squares (LS) estimate f̂_LS, i.e.
∀ f satisfying y = G f: ||f̂_LS||_2 ≤ ||f||_2, with a specified confidence.
In the sequel, we first briefly introduce the model-based LS solution, which serves as the basis for our AE-based algorithm. Let G = G_co ∘ G_ci be a co-inner-outer factorization of G [16]. Here G_co, G_ci are co-outer and co-inner operators, respectively, satisfying G_ci ∘ G_ci^* = I, with Q = G_co^{-1} being stable and causal and G_ci^* the conjugate of G_ci. It is well known that

is the LS estimate of f. Furthermore, the estimation error,

is defined as a specified confidence whose distribution and a certain norm indicate the estimation performance.

Figure 6. Schematic configuration of the fault estimator
Example 4. Optimal fault estimation in dynamic systems. An AE-based realization of the dynamic estimator (44) is schematically described in this example. As delineated in Figure 6, f̂_LS is achieved by means of two recurrent neural networks, RNN_Q(θ_Q) and RNN_de(θ_de), where RNN_de(θ_de) is the decoder trained in the AE for constructing G_ci^*. The AE is trained using the data set (y, f), y^(i)(k_j), f^(i)(k_j), j = 1, · · · , N, i = 1, · · · , M, while the confidence η is generated based on the AE. To train the NNs, the total loss function L(θ_Q, θ_en, θ_de) consists of three terms and is set as follows:
• L_1(θ_Q):

The specified confidence could be computed using the (sample) distribution or a certain norm of the variable η.

A critical remark
The current enthusiasm for ML and big data technologies is significantly influencing developments in the diagnosis research and engineering domains. It is a logical consequence that most of the existing ML methods and concepts have been introduced into this thematic field. Reviewing the course of this development, it seems to be becoming a competition of publishing applications of newly developed ML methods and algorithms to fault diagnosis. The consequence of this "copy-and-paste" style of research effort is that very essential engineering requirements on diagnosis in automatic control systems have not been, or cannot be, fully considered in the use of ML methods and algorithms. The reason is simple: the construction of the most popular learning machines like deep NNs is poorly explainable, in particular in the context of diagnosis in dynamic systems. This issue becomes even more critical when such methods are applied for the purpose of functional safety and cyber security. It is remarkable that explainability and interpretability form a very active research focus in the ML community [42]. This research endeavour is helpful for applying ML-based methods to diagnosis in automatic control systems. On the other hand, it should be kept in mind that, although enormously powerful and capable, ML technology is a tool, and its engineering applications should meet technical requirements and be explainable in the engineering context. In this regard, considerable efforts should be made to achieve diagnosis-oriented explainable applications of ML-based methods. Our discussion and the examples in this subsection have plainly documented that the complementary and explainable application of model- and ML-based methods is a convincing way to develop advanced diagnosis methods towards enhancing functional safety and cyber security.

Performance degradation monitoring towards functional safety and cyber security
Control performance monitoring is an application-driven research area with applications mainly in the process industry [43]. Roughly speaking, the essential tasks of control performance monitoring consist of the assessment of control loop performance, the detection of performance degradation and the diagnosis of (component) faults [25]. Recently, new research efforts on POD can be observed [29,44], in which the performance of automatic control systems is assessed at the system level and under various aspects such as energy consumption, system reliability, safety, etc. Moreover, different from the traditional efforts focused on recovering performance degradation caused by component faults [45][46][47], advanced methods for control performance degradation monitoring and loop performance recovery have been reported [25,44,48].
In this section, we address POD issues with a focus on residual-centred modelling and detection of system performance degradation.

Residual-centred system model
In [16], a so-called observer-based input-output model is introduced, which models the input-output dynamics of any LTI automatic control system and is expressed, given the system nominal model (1)-(3), by

It is evident that the centrepiece of the above model is a state observer. Different from the state space model (2)-(3), which solely represents the nominal system dynamics, model (46)-(47) gives the system input-output dynamics also for the case that uncertainties exist in the system. As illustrated in [16], the influences of any uncertainties in the system are showcased by the residual vector r, which is available and accessible in the model (46)-(47). Moreover, in light of the observer-based and residual-driven realization of any feedback controller introduced in Section 2, any standard control loop as shown in Figure 1 can be equivalently represented by the model (46)-(48), which is called the residual-centred system model to underline the role of the residual vector in the model. Figure 7 showcases the equivalence between the standard control loop and its residual-centred model, in which ∆ is used to denote system uncertainties schematically. The advantages of the residual-centred system model are evident:
• all system variables in the model, independent of the existence of any uncertainties, are accessible (for further computations),
• the implementation of the model is numerically reliable and stable, since only stable dynamics are involved in the model, and
• with the embedded residual vector, the model is equipped with a capable indicator for the existence of uncertainties in the system.
The last function can be further underpinned using the projection-based method introduced in the previous section. According to (35), the l_2-norm of the residual vector generated by the normalized SKR (and the corresponding observer) is the distance of the measurement data (u, y) to the system image subspace and thus an indicator of the intensity of the uncertainty in the system. Accordingly,

is an indicator for the quality of the residual-centred model as well as for the system operation performance. It can, for instance, substitute for the numerically involved algorithm for online estimation of the gap metric and the system stability margin adopted in [29].
Example 5. In this example, we introduce a conceptual configuration of automatic control systems, which consists of four functional layers and is schematically sketched in Figure 8. The "Information layer" is the core of the multi-layer configuration, whose centrepiece is the observer-based input-output model (46)-(47). Besides providing the needed online information for real-time control and diagnosis, various additional functionalities, in particular safety- and cyber security-related ones, can be well integrated in this layer, for instance serving as
• a fusion algorithm for sensor data,
• soft sensors for the estimation of key plant variables,
• an encoder for encrypting the plant data as described in Section 2,
• an indicator for system uncertainties as given by (49).
In the "Real-time control and diagnosis layer", the standard (feedback) control and diagnosis algorithms described in Section 2.3 are performed. The "Performance monitoring and optimization layer" includes advanced performance degradation detection and recovery algorithms, for instance those reported in [25,29,44,48] or described below. In the "Learning and adaptation layer", ML algorithms like the AEs introduced in Section 3.2 run with the aim of updating the functional layers to match changes in the system.
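The residual-centred model (46)-(48) as an added, runnable illustration (not code from the note or from [16]): the plant (a discretised double integrator with one sensor), the observer gain L (chosen to place the eigenvalues of A − LC at 0.2 and 0.3), the constant input, the actuator-gain perturbation, the 20-sample window and the threshold are all constructed assumptions. It shows the two properties listed above: the measured output is recovered exactly from the model's own variables x̂ and r whatever the true plant is, and the windowed l_2-norm of r, an indicator of the kind (49) describes, stays at zero for the nominal plant and rises when the plant deviates from (A, B, C).

```python
"""Added example (not from the note): the residual-centred model (46)-(48) run against a
'true' plant that may differ from the nominal (A, B, C).  Pure Python; plant, observer gain,
input sequence, perturbation, window and threshold are constructed assumptions."""

import math


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def vadd(*vs):
    return [sum(t) for t in zip(*vs)]


# nominal model (1)-(3): discretised double integrator with one position sensor
A = [[1.0, 0.1], [0.0, 1.0]]
B = [[0.005], [0.1]]
C = [[1.0, 0.0]]
L = [[1.5], [5.6]]  # observer gain placing the eigenvalues of A - L C at 0.2 and 0.3


class ResidualCentredModel:
    """x_hat(k+1) = A x_hat(k) + B u(k) + L r(k),  r(k) = y(k) - C x_hat(k),
    y(k) = C x_hat(k) + r(k).  Everything the nominal model cannot explain
    lands in r, and every variable of the model is available online."""

    def __init__(self):
        self.x_hat = [0.0, 0.0]  # the true initial state is unknown; start from zero

    def step(self, u, y):
        y_hat = matvec(C, self.x_hat)
        r = [yi - yhi for yi, yhi in zip(y, y_hat)]
        y_rec = vadd(y_hat, r)  # (47): the measured output recovered from model variables
        self.x_hat = vadd(matvec(A, self.x_hat), matvec(B, u), matvec(L, r))
        return r, y_rec


def simulate_plant(actuator_gain, u_seq, x0=(0.3, -0.2)):
    """Constructed 'true' plant: same structure as the nominal model, but with the
    actuator gain scaled (1.0 = no uncertainty) and an initial state the observer
    does not know."""
    B_true = [[b * actuator_gain for b in row] for row in B]
    x, ys = list(x0), []
    for u in u_seq:
        ys.append(matvec(C, x))
        x = vadd(matvec(A, x), matvec(B_true, u))
    return ys


def uncertainty_indicator(residuals, window):
    """Windowed l2-norm of the residual, an indicator of the kind (49) describes:
    it vanishes for a degradation-free plant once the observer transient has died
    out and grows with the model mismatch."""
    return math.sqrt(sum(r[0] ** 2 for r in residuals[-window:]))


def run(actuator_gain, steps=60, window=20, threshold=0.01):
    u_seq = [[1.0]] * steps  # constructed constant input
    ys = simulate_plant(actuator_gain, u_seq)
    model, residuals, rec_err = ResidualCentredModel(), [], 0.0
    for u, y in zip(u_seq, ys):
        r, y_rec = model.step(u, y)
        residuals.append(r)
        rec_err = max(rec_err, abs(y_rec[0] - y[0]))
    ind = uncertainty_indicator(residuals, window)
    return {"indicator": ind, "degraded": ind > threshold, "max_reconstruction_error": rec_err}
```

With the nominal actuator gain the observer error decays at the rate of the eigenvalues of A − LC, so the last 20 residual samples are at rounding level; halving the actuator gain drives a steady-state residual of about 0.009 per step, which the windowed norm turns into roughly 0.04, above the constructed threshold.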

Functionality-oriented performance degradation monitoring
Consider system (1)-(3). Associated with it, the following Lyapunov equation provides us with a basic form of performance model for the system functionality and control:
S^T P S − P + Q = 0, P > 0, Q ≥ 0, S is Schur.
Here, the matrices S, Q ∈ R^{n×n} are functions of the system matrices (A, B, C) and the state feedback gain matrix F, which are given corresponding to the following (representative) system functionalities and controller configuration:

• P as the solution of (50) is the controllability gramian, which indicates the capability of the actuators,

• P is the observability gramian, which indicates the capability of the sensors,
• for either (51) or (52), the H_2-norm of the transfer function C(zI − A)^{-1}B as performance can be assessed as follows:

• the performance of an LQ state feedback controller, u = F x, is assessed.

Figure 8. Schematic configuration of a multi-layer automatic control system
There exist several strategies to monitor the above-described system performance. Assume that the system dynamics is governed by

It holds that

during degradation-free operations. Hence, introducing the performance residual r_p defined by

performance degradation can be detected using standard residual-based detection schemes. This endeavour is unfortunately limited to a theoretical concept and often of little use in practical applications due to its minor detection capability and strict constraints on the system dynamics. Aiming at improving the detection performance, [49] proposed a sophisticated detection scheme, which is briefly described in the sequel.
By means of a vectorization of the matrix P, re-write the performance model as

In the above equation, hvec(P) denotes the half-vectorization of the symmetric matrix P ∈ R^{n×n}; it represents the n(n+1)/2 parameters to be identified (considering P = P^T) and satisfies
D_n hvec(P) = vec(P), hvec(P) ∈ R^{n(n+1)/2}, D_n ∈ R^{n^2 × n(n+1)/2},
with D_n being the so-called duplication matrix [50]. The notation ⊗ stands for the Kronecker product. Suppose that a sufficient number of data, x(k + i), i = 0, · · · , N, are collected, which enables us to write (55) as

As a result, on the assumption of sufficient excitation, the matrix P can be identified using, for example, a standard LS estimation algorithm. If the difference between the identified and the nominal P goes beyond a decision threshold, performance degradation is declared. Considering that the solution of (50) is a symmetric positive definite (SPD) matrix, the Riemannian metric method [16,49] can be applied to achieve an efficient degradation detection. In [16], variations of the above algorithm are provided to solve similar performance degradation problems using the system output data y(k) instead of the state variable x(k).
Note that the above presented detection schemes are limited to the case that u = F x. Although extensions have been proposed in [16], a general solution for arbitrary input u remains an open issue. In the following example, we present a conceptual solution for performance degradation detection.
Example 6. For simplicity, we only consider the controllability gramian as functionality performance, with the system model x(k + 1) = A x(k) + B u(k), A Schur, and a function

It yields

which can be further written as

Note that (57) is of the identical form as (54). Consequently, applying the same procedure as (55)-(56), the matrix Φ can be identified, which then enables a reliable performance degradation detection. It is noteworthy that Φ contains more information than P, which can be adopted for monitoring other system performance as well. For instance, given Q = C_s^T C_s and R, the value q = tr^{1/2}(Φ̂(2, 2) − R), with Φ̂(2, 2) = R + B^T P B denoting the identified sub-block of the matrix Φ, gives an estimate of

which could, for example, represent the system dynamics from u to a certain sensor block modelled by C_s x.
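A runnable version of the identification step (54)-(56), carried through to the degradation test on a constructed plant, as an added example that is neither the note's nor [49]'s code: the discretised double integrator, the feedback gain F, Q = I, the initial states used for excitation and the decision threshold are assumptions, and the Frobenius distance between identified and nominal P replaces the Riemannian SPD metric of [16,49] for simplicity. Each state pair (x(k), x(k+1)) gives one row of the data form of (55) through the duplication matrix D_n; the stacked rows are solved for hvec(P) by least squares and the result is compared with the nominal solution of (50).

```python
"""Added example (not from the note): least-squares identification of the Lyapunov matrix P
of the performance model S^T P S - P + Q = 0 from closed-loop state data, as in (54)-(56).
Pure Python; the plant, feedback gain, Q, initial states and threshold are constructed."""

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def kron(A, B):  # Kronecker product: entry ((i,k),(j,l)) = A[i][j] * B[k][l]
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def vec(A):  # column-stacking vectorisation
    return [A[i][j] for j in range(len(A[0])) for i in range(len(A))]

def solve(A, b):  # Gauss-Jordan elimination with partial pivoting for A x = b
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def lstsq(Z, b):  # least squares via the normal equations Z^T Z w = Z^T b
    Zt = transpose(Z)
    return solve(matmul(Zt, Z), [sum(z * bi for z, bi in zip(row, b)) for row in Zt])

def duplication_matrix(n):  # D_n with D_n hvec(P) = vec(P), hvec = lower triangle by columns
    D, h = [[0.0] * (n * (n + 1) // 2) for _ in range(n * n)], 0
    for j in range(n):
        for i in range(j, n):
            D[j * n + i][h] = D[i * n + j][h] = 1.0
            h += 1
    return D

def lyapunov(S, Q):  # nominal P: (I - S^T kron S^T) vec(P) = vec(Q), from vec(S^T P S)
    n, St = len(S), transpose(S)
    K = kron(St, St)
    p = solve([[float(i == j) - K[i][j] for j in range(n * n)] for i in range(n * n)], vec(Q))
    return [[p[j * n + i] for j in range(n)] for i in range(n)]

def closed_loop(A, B, F):  # S = A + B F
    return [[a + bf for a, bf in zip(ra, rbf)] for ra, rbf in zip(A, matmul(B, F))]

def identify_P(pairs, Q):
    """Data form (55)-(56) of the performance model, one row per pair (x(k), x(k+1)):
    (x(k+1)^T kron x(k+1)^T - x(k)^T kron x(k)^T) D_n hvec(P) = -x(k)^T Q x(k)."""
    n, D = len(Q), duplication_matrix(len(Q))
    Z, rhs = [], []
    for x0, x1 in pairs:
        k1 = [a * b for a in x1 for b in x1]
        k0 = [a * b for a in x0 for b in x0]
        diff = [a - b for a, b in zip(k1, k0)]
        Z.append([sum(diff[i] * D[i][h] for i in range(n * n)) for h in range(len(D[0]))])
        rhs.append(-sum(x0[i] * Q[i][j] * x0[j] for i in range(n) for j in range(n)))
    w = lstsq(Z, rhs)
    p = [sum(D[i][h] * w[h] for h in range(len(w))) for i in range(n * n)]
    return [[p[j * n + i] for j in range(n)] for i in range(n)]

def frobenius_distance(P, P_hat):
    return sum((a - b) ** 2 for ra, rb in zip(P, P_hat) for a, b in zip(ra, rb)) ** 0.5

def closed_loop_pairs(S, initial_states, steps):
    # simulate x(k+1) = S x(k) from several initial states to get sufficient excitation
    pairs = []
    for x in initial_states:
        for _ in range(steps):
            x_next = [sum(s * xi for s, xi in zip(row, x)) for row in S]
            pairs.append((x, x_next))
            x = x_next
    return pairs

# constructed plant: discretised double integrator with state feedback u = F x and Q = I
A, B, F = [[1.0, 0.1], [0.0, 1.0]], [[0.005], [0.1]], [[-5.0, -3.0]]
Q = [[1.0, 0.0], [0.0, 1.0]]
X0 = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [-1.0, 2.0]]

def run_detection(actuator_gain, threshold=0.5):
    """Identify P from data of a plant whose actuator gain is scaled (1.0 = nominal) and
    compare it with the nominal P.  The Frobenius distance stands in for the Riemannian
    SPD metric of [16,49]; the threshold is a constructed value."""
    P_nom = lyapunov(closed_loop(A, B, F), Q)
    B_true = [[b * actuator_gain for b in row] for row in B]
    P_hat = identify_P(closed_loop_pairs(closed_loop(A, B_true, F), X0, 8), Q)
    d = frobenius_distance(P_nom, P_hat)
    return {"P_nominal": P_nom, "P_identified": P_hat, "distance": d, "degraded": d > threshold}
```

For the nominal actuator gain the identified P coincides with the Lyapunov solution up to rounding; halving the actuator gain gives a slower, less damped loop whose identified P is the Lyapunov solution of that degraded loop and lies well away from the nominal one, so the degradation flag is raised.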
Remark 3. Even though only LTI systems are considered in the schemes introduced above, the ideas can be readily adapted to address performance degradation monitoring of nonlinear control systems. Below, we schematically outline the conceptual steps towards a solution. Let the system performance under monitoring be q(x(k), u(k)).
Analogously to (53), it holds that

On the assumption that J(k), as the solution of (59), can be approximated by

where {φ_i(x(k), u(k)), i = 1, · · · , N} is a set of basis functions and w_i, i = 1, · · · , N, are weights [51], the difference equation (59) is re-written as

Equation (61) is similar to (54) and can serve as a performance model. During online operations, the system performance can be assessed by an online identification of the weights w_i, i = 1, · · · , N, and computation of J(k) according to (60). It is noteworthy that the performance value function J(k) can in general be approximated using NNs [52].
At the end of this subsection, we would like to draw the reader's attention to the fact that the application of the aforementioned schemes requires knowledge of the system state vector x(k), which is, unfortunately, not available in most practical applications. It is an open and challenging issue to realize those performance degradation monitoring schemes using system data (u, y) instead of the state vector x. In [16], this issue has been investigated.

Performance degradation monitoring in the probabilistic setting
Considering that the performance degradation schemes presented in the previous subsection are based on the assumption of ideal system models without uncertainty, adaptations are needed before they can be applied efficiently in practice. Although their extensions to systems with normally distributed process and measurement noises have been addressed in [16], the efficient handling of model uncertainties remains an open issue. Recently, [53][54][55] have proposed applying the so-called distributionally robust optimization (DRO) technique [56,57] to enhancing the robustness of fault detection systems against model uncertainties. In particular, it is advantageous that the DRO technique enables problems to be handled and solved in a probabilistic setting. In this subsection, we briefly introduce the idea of applying the DRO technique to performance degradation detection by means of two examples. In the sequel, the notation Ξ is adopted for the support and P is used for probability; P_ξ and E_{P_ξ} represent the probability distribution of ξ and the expectation taken with respect to ξ following P_ξ.
Example 7. In this example, we delineate a data-driven realization of the performance indicator (49) in the probabilistic setting. Departing from the system model

with ω(k), υ(k) being the process and measurement noise vectors, the system dynamics are written as

where y_s(k), u_s(k), Γ_s, H_{u,s} are given in Example 2, and ω_s(k), υ_s(k), H_{ω,s} are as follows:

To simplify our study, assume that the system is stable, x(k − s) is a random vector and φ_s(k) is a wide-sense stationary (w.s.s.) stochastic process. We then further write (62) as

Using the results presented in Example 2, the projection-based residual vector and the corresponding evaluation function are equivalently realized as follows:

Note that r_s(k) can be written as

where ∆H_{u,s} represents the uncertainty in the system, which leads to

Suppose that the distribution of the unknown random vector φ_s belongs to the moment-based ambiguity set [56],

where the vector µ_0, the matrix Σ_0 and the constants γ_1 ≥ 0, γ_2 ≥ 1 are estimated using a sufficient number of collected data and are thus assumed to be known. It is obvious that the threshold setting J_th = sup_{φ_s} φ_s^T Π φ_s would result in a considerably conservative performance degradation detection. A more reasonable setting can be achieved in the probabilistic setting as follows:
∀ P_{φ_s} ∈ D(γ_1, γ_2): P(φ_s^T Π φ_s > J_th) ≤ α,
where α is a tolerable upper bound on the false alarm rate. In this context, the probabilistic performance degradation problem is formulated as: given α ∈ (0, 1), solve sup

for the threshold J_th. The DRO problem (64)-(65) can be solved using well-established DRO techniques, see for example [53,56].
Example 8. Consider the observer-based input-output model (46)-(47). Suppose that u(k) = F x(k), and that the residual vector is a w.s.s. stochastic process over the time interval [k − s, k) whose (unknown) distribution belongs to the moment-based ambiguity set

where s is a sufficiently large integer so that A_F^s ≈ 0. We would like to draw the reader's attention to the random vector r_{s−1}. As described in Section 4.1, it represents uncertainties in the system, including noises and model uncertainty. Define the cost function for control performance assessment as

A_F^T P A_F − P + Q = 0, P > 0.
Assume that Θ has full row rank. The moment-based ambiguity set of r_x is given by

where γ_3, γ_4 and Σ_0 are known. The probabilistic performance degradation detection problem is then formulated as: given α ∈ (0, 1), solve min β =: J_th, sup_{P_{r_x} ∈ D_{r_x}(γ_3, γ_4)}

for the threshold J_th.
The above two examples showcase that the DRO technique can serve as a powerful tool for dealing efficiently with performance degradation detection issues. It is noteworthy that various ambiguity sets are investigated in the DRO framework [56], which enables us to handle different types of model uncertainties and to study performance degradation detection issues both in model-based and data-driven fashions. A further aspect is to address safety issues in a probabilistic setting [58]. For instance, let S_x = {x | g_i(x) ≤ 0, i = 1, · · · , κ} denote the set of system states that lie in the safe region defined by the safety requirements g_i(x) ≤ 0, i = 1, · · · , κ. Then, the probability

can be embedded, as a constraint, in a probabilistic performance degradation detection and recovery problem.

Conclusion
In this note, we have discussed diagnosis and performance degradation detection issues from an integrated viewpoint of functionality maintenance and cyber security of automatic control systems. Three aspects have been addressed:
• the application of a control and detection unified framework to enhancing the diagnosis capability of feedback control systems, in which the functionalization of the control system plays an essential role. It is showcased that rational utilization of the residual signal as an information provider and a cyber security-oriented configuration of the functional units of the control system promise an enhanced capacity for detecting technical faults and cyberattacks, and for preventing attackers from gaining system knowledge by means of system identification using the transmitted data;
• the projection-based technique for detecting faults in dynamic systems, which is based on an orthogonal projection of the system data onto the system image and kernel subspaces. This technique is more capable than the well-established observer-based schemes in detecting faults in dynamic systems. In addition, and more importantly, it enables explainable applications of ML-based techniques like AE methods to diagnosis. It is illustrated that the complementary application of model- and ML-based methods is the future of diagnosis techniques for industrial automatic control systems;
• system performance degradation detection, which is of elemental importance for industrial CPSs and, unfortunately, has received less attention in the research domain. The residual-centred model form for dynamic systems is a useful tool for dealing with performance degradation detection issues. Moreover, some performance degradation monitoring schemes are introduced, whose core, roughly speaking, is the modelling of system performance and the online identification of the associated model parameters.
It is demonstrated that by means of DRO technique, performance degradation detection can be handled in a probabilistic setting, which enables an efficient and more reliable degradation detection.
We have reported ideas, presented conceptual schemes and illustrated by means of examples why research efforts in these three aspects could contribute to the future development of capable monitoring and diagnosis methods towards enhancing the functionality safety and cyber security of automatic control systems. We would like to mention that a number of the basic design schemes and algorithms reported in this note have been successfully tested on laboratory systems, including
• application of the control and detection unified framework to cyberattack detection in a three-tank control system [23],
• projection-based fault detection in a three-tank control system [24],
• DRO technique-based fault detection in a three-tank control system [53,55],
• performance degradation monitoring and recovery of a vision-based inverted pendulum control system [59].
The focus of this note is on diagnosis and performance degradation detection issues. Key maintenance technologies like condition monitoring (CM), prognostics and health management (PHM), performance degradation recovery (PDR) and fault-tolerant control (FTC) are not addressed here. The interested reader is referred to [5,16,25,[60][61][62][63] and the references cited therein. We would like to emphasize two aspects of fault diagnosis and performance degradation monitoring in automatic control systems. On the one hand, it forms the technical basis and an indispensable part of technologies like CM, PHM, PDR and FTC. Consequently, its development is significantly shaped by progress in these technologies. On the other hand, as a basic function of today's automatic control systems, fault diagnosis and performance monitoring should keep pace with ongoing developments in automatic control systems. CPS, the internet of things (IoT) and cloud computing as a service are the key technologies that will decisively impact the evolution of automatic control systems in the era of industry 4.0. In this context, the integrated study of functional safety and cyber security of automatic control systems is of essential importance. Our work reported in this note is a contribution to this study.

Conflict of Interest
The author declares no conflict of interest.

Data Availability
The original data are available from the corresponding author upon reasonable request.