A Supervisory Algorithm Against Intermittent and Temporary Faults in Consensus-Based Networks

In this paper, the consensus problem is addressed for multi-agent networks in which some nodes are expected to possibly misbehave as a consequence of temporary faults or errors. The solution proposed is based on the counteraction of a prescribed subset of nodes through the injection of additional corrective signals. Such corrections are the output of a fault compensation algorithm based on a simple elaboration of local data, whose structure is based on some input-output theoretical results achieved in this paper. A thorough discussion is reported on how to retrieve the algorithm coefficients using local data, so that the algorithm can be fully performed without any network topology knowledge in advance. Simulation results show the behavior of the adopted strategy in several different faulty conditions, and robustness of the compensation algorithm with respect to errors in the computation of the coefficients is also investigated. The results show that the proposed algorithm performs well in several scenarios of networked systems, and it can be suited to easily restore the consensus value to the original one, in spite of the drift initially caused by the fault.


I. INTRODUCTION
In the last decades, an impressive thrust of research has been devoted to distributed algorithms [1] and their significant applications in several technological fields [2]-[9]. Emerging networking applications that allow peer-to-peer communication, such as ad hoc wireless communication networks and sensor networks, motivated research on multiple devices connected with decentralized architectures [10]-[14].
One fundamental behavior of a network of agents such as sensor or robotic networks is the consensus among agents on a variable [13], [15]. In wireless sensor networks, consensus is achieved by an iterative algorithm performed by each node, and all the sensors in the network may achieve global agreement using only local transmissions [16], [17]. For a sensor network, it constitutes the basic block for designing decentralized tracking and estimation algorithms. This typically involves the algorithm to build consensus through cooperation among different nodes [13], [15]. In robotic networks, consensus allows seeking decentralized communication architectures to implement some fundamental global tasks such as rendezvous, flocking, formation control [3], [20]. For the same reasons, it became popular in the area of distributed coordination of teams of vehicles [21], [22]. The problem of consensus and formation control under energy constraints or in the presence of disturbances has been recently studied in [18], [19].
The associate editor coordinating the review of this manuscript and approving it for publication was Jianxiang Xi.
An intrinsic peculiarity of consensus is that each node collaborates on mission objectives. To reach this goal, it is necessary that each node behaves according to an agreed protocol at each time instant. On one hand, this is a fundamental peculiarity of such networks because each node equally contributes to mission success; on the other hand, it makes this strategy intrinsically fragile with respect to the presence of misbehaving nodes [23]-[25]. Considering that a misbehaving node exposes the whole group to an unpredictable evolution, this condition may not be acceptable for safety reasons or mission goal detriment independently of the nature of the misbehavior itself [26], [27].
Delving into the causes of a node misbehavior inside a collaborative network independently of the technological field of a given application, three main conditions can be considered as generating a misbehavior: the presence of nodes with the intention of perturbing the network, misbehavior as a consequence of a node damage or breakdown and finally misbehavior as involuntary consequence of wrong perception, interaction or assignment of the input [27]. Moreover, depending on their distribution among the nodes of the network, faults can be localized (i.e., only one or few nodes exhibit a misbehavior) or ubiquitous (that is, any node can exhibit at some time a faulty behavior), or considering their time shape, faults can be classified as transient (that is, occurring and disappearing within a short period of time) or permanent or persistent [23]. This classification is clearly detailed in [27] within the area of computer science and distributed computation, but it can be found as well in almost every reference of fault diagnosis and accommodation, e.g. [28], [30], [31], and it appears of primary importance in any application in the framework of cyber-physical systems [14].
The above classification clearly shows that each one of these conditions must be separately considered and properly managed during a mission to preserve mission success. Indeed, though in principle all such conditions have in common the misbehavior of a node with respect to an agreed protocol, each one has its own peculiarities and effective solutions can be very different. For example, the first two conditions are solved once the misbehaving nodes are located and promptly excluded from collaboration, while the latter condition is usually related to vanishing effects which can be compensated instead of excluding nodes from collaboration. Moreover, hard failures are usually related to hard damages of a component, and they are typically localized, while isolated or temporary faults are typically related to bad temporary environmental conditions or temporary wrong assignments (errors), so that they are ubiquitous and their exclusion would produce the side effect of reducing the number of participants, thus yielding poorer performance.

A. LITERATURE REVIEW AND MAIN CONTRIBUTIONS
A significant thrust of research has been devoted to the problem of fault detection and isolation for consensus-based networks [32]-[35]. In these papers, the goal is somehow complementary to the one of this paper. Indeed, while the goal in fault detection and isolation is to promptly locate and exclude the misbehaving node, in this paper the goal is to find corrective actions to restore the consensus value to the initial value regardless of the knowledge of the label of the faulty node, of the initial consensus value and even of the network topology.
As far as the problem of intentional malicious nodes is concerned, one significant branch of research on this topic has been developed since the Eighties by computer scientists (see e.g. [37], [38]) where the problem was set within the area of distributed computing and computer networks. In these milestone papers, the focus is on the detection and localization of misbehaving nodes performed by a single node using only local information and it is proved that the intrusion detection problem can be solved only if the network is capable of a high redundancy of information exchange. In the last years, the same problem was set in the framework of robotic networks, power systems and sensor networks (see e.g. [24], [26], [40]).
Recently, another line of research close to the topic of this paper emerged and it is constantly growing: the design of consensus protocols in the presence of disturbances, defects and communication errors [41], [42]. In the paper [43] the authors propose a protocol to make nodes react against packet losses. Finally, in [23], [44] the consensus is analyzed when disturbances are accounted for.
The problem and methods considered in this paper were preliminarily introduced in [45] for the case of one single faulty node and in [46] for the case of multiple compensation nodes. However, in those papers the stringent hypotheses of the a-priori knowledge of the network topology and the knowledge of the label of the faulty node make possible applications much more limited. The idea of equipping a node with algorithms based on local data with the goal of improving the overall performances of the network has been recently explored also in [47], [48].
The results and, in general, the approach reported in this paper can be implemented as a simple supervisory algorithm which can be run by any node/subset of nodes to monitor the correctness of the group evolution against any possible temporary fault. It is worth noting that, in a mission execution, the algorithm can be completely silent if every node behaves according to the agreed protocol. We believe that the algorithm presented here can be effective in practical applications because it requires neither the knowledge of the label of the faulty node, nor of the consensus value, nor an a-priori knowledge of the network topology.
As a final remark, the proposed approach is primarily intended for intermittent and vanishing faults but it may be useful for persistent faults though other additional issues may arise. In such a case, the results of this paper may also be used in conjunction with those of fault detection and isolation to get a fully effective fault recovery action. Indeed, even if a faulty node is localized and excluded from collaboration, its past faulty behavior produces a permanent bias on the consensus value [36] which could be compensated using the techniques described in this paper.

B. PAPER STRUCTURE AND NOTATION
The rest of the paper is structured as follows. In the following we introduce the notation adopted along the paper. Section II is dedicated to a thorough introduction on system and fault model in order to state the problem clearly, both mathematically and through a simple example. Section III describes the proposed supervisory control law. First the controller structure is provided and then unbiasedness of the consensus value in the presence of faults is studied. An algorithm for retrieving the coefficients from local data is thoroughly investigated. Afterwards, the existence of time-invariant gains is discussed. In Section IV a set of simulation results are reported and discussed.
Here we briefly introduce the notation adopted in the paper. T . $I_n$ denotes the $n \times n$ identity matrix, and $e_i$, $i \in \mathbb{N}$, is the $i$-th vector of the canonical basis, e.g. $e_1 = [1\ \ 0\ \ \ldots\ \ 0]^T$. Vector $\mathbf{1}$ is the vector with all components equal to 1. Symbol $\delta(t)$ denotes the discrete impulse signal, namely $\delta(t) = 1$ for $t = 0$ and $\delta(t) = 0$ otherwise, so that an isolated discrete signal $s(t)$, namely a signal which has only one nonzero value, can always be written as $s(t) = \bar{s}\,\delta(t - \bar{t})$, for a suitable $\bar{s} \neq 0$.
and in this case edges are bidirectional, otherwise it is called directed. However, in this paper this distinction is not relevant and we refer in any case to graph. A path P between two vertices u and v is a collection of edges connected if there exists a path between any two vertices. Also in this case, we omit the term strongly and we refer to connected implicitly meaning strongly connected in the case of directed graphs. We call distance $d(i, j)$ from vertex $i$ to vertex $j$ the minimum number of edges of a path going from $i$ to $j$. The neighborhood of node $i$, denoted with $N_i$, is defined as $N_i = \{j \in V : (i, j) \in E\}$. The (weighted) Laplacian of a graph G is a matrix $L \in \mathbb{R}^{n \times n}$ whose non-diagonal entries are equal to either For a complete book on Graph Theory the interested reader is referred to [49].

II. SYSTEM MODEL AND PROBLEM STATEMENT
In this Section the problem is introduced and described in detail. First the Consensus Networks [50] are briefly summarized, then the detrimental effects of faults are described both mathematically and in practice through an example.

A. CONSENSUS NETWORKS
Consider a set of $n$ agents, each of them holding a quantity $x_i(t) \in \mathbb{R}$ which is updated at each time instant following the update rule where the update rule $v_i(t) \in \mathbb{R}$ follows an agreed common protocol based on the values of neighbor agents Weights $l_{ij} > 0$ are the coupling strength between node $i$ and $j$. If all agents follow the agreed protocol (2) and do not incur accidental wrong assignments of (2), then the overall system shows collective behaviors which are peculiar. For this reason it has been widely studied in the last years and widely used in multi-agent applications; it is commonly referred to as generalized nearest neighbor average protocol (see e.g. [50]). In the following, we assume that G is connected. Under the hypothesis that each agent evolves without failures, the evolution of the group can be compactly written through a suitable state vector $x(t) \in \mathbb{R}^n$ built upon the rule $(x(t))_i = x_i(t)$ so that the evolution of the whole group can be compactly written as where $A = (I - L)$, matrix $L$ is the weighted Laplacian of G whose nonzero non-diagonal entries $(L)_{ij}$ are the weights $l_{ij}$ of protocol (2). Under known conditions on the gains $l_{ij}$ (see, e.g., [50]), if each agent updates its own $x_i(t)$ with the agreed protocol (2), agents asymptotically align (in the sense that they all achieve the same value), namely: and the value $\alpha$ they reach is called the consensus value and it depends on the initial conditions of the whole network: T is a left eigenvector of $(I - L)$ associated to the eigenvalue 1. From now on, we assume that $l_{ij}$ are chosen according to such rules.
Equations (4) and (5) are the basis of the success of consensus-based applications where decentralized architectures are sought while pursuing a global task. Eq. (4) states that all nodes converge to the same value, thus leading to global information available for any node notwithstanding that the shared information among nodes is local, while (5) is fundamental to read the correct global information into the value of α according to (5), and the correct value of α, available to each node for the property (4), is fundamental for any kind of application such as wireless sensor and robotic networks.
Based on the above considerations, the main goal of the algorithm proposed in this paper is to counteract and make ineffective the perturbation of the value of α from (5) to a different one, as described in the next Subsection.

B. DETRIMENTAL EFFECTS OF MISBEHAVING NODES ON THE CONSENSUS VALUE
In this Subsection, we consider the effects of several types of misbehavior, and we show how they impact on the consensus value and, in general, on system evolution. This analysis shows how important it is to design network monitoring algorithms to protect mission success from the detrimental effects of a fault.
To state the problem clearly, assume that $p$ nodes may fail during their activity injecting a different value with respect to the agreed protocol at time $t$, so that instead of (2). In the following we use the set $F = \{i_1, i_2, \ldots, i_p\}$ to denote the labels of faulty nodes. In this paper, we do not require the set $F$ to be known in advance. The overall evolution can be compactly written as [24]: The above model is useful to describe any kind of misbehavior [24]. The presence of misbehaving nodes in a consensus network even for few instants can have a wasteful impact on the control objectives; the consensus value deviates from (5) to where it is put in evidence that the consensus value depends also on the values of the faulty inputs. According to (8), even if a misbehaving agent is located and excluded, the consensus value is corrupted by any of the past values of the faulty nodes and most of the peculiarities of consensus based on (5) do not hold any longer. In fact, such a condition makes it impossible to infer any global information from the knowledge of $\alpha$. We now show in practice the behavior of a consensus network under some typical faulty conditions which are common in real applications.
Consider Fig. 1 to Fig. 6, where the evolution of the states of a consensus network of 8 nodes is run under the action of some typical faults. In order to make the results fully comprehensible, simulations are run with the same initial conditions, namely $x(0) = [3\ \ 5\ \ {-2}\ \ 4\ \ 7\ \ 2\ \ {-8}\ \ 2]^T$, with associated consensus value in absence of faults equal to $\alpha = 1.625$. The same conditions are considered in the Simulation Results under the action of the supervisory fault tolerant control. Fig. 1 shows the typical evolution of the states of a consensus network of 8 agents correctly running protocol (2). Fig. 2 shows the effect of four nodes each injecting one wrong value, namely at time t = 75, t = 150, t = 225 and t = 300; the jumps of the consensus value as consequence of the faulty inputs are easily seen. It is possible to see that the fault effects on the agents' evolution are persistent in time even if the fault lasts only one step, and the consensus value is still influenced by the fault value for all the next time steps. This phenomenon can be compensated through a suitable correction, and restoring the consensus value to the initial one (unaffected by the fault) is the main goal of this paper. Fig. 3 shows the evolution of a network subject to the action of a malicious agent which injects a signal that changes the consensus without being discovered from the data. This phenomenon is possible only if there is a node with malicious goals. Indeed, there is a class of forced responses having the time shape of a free response, namely those associated to the special input functions $\bar{u}(t) = \bar{u}\lambda^t$, $t \geq 0$, where $\lambda$ is any zero of the Rosenbrock matrix of the system (see, e.g., [26]), and in this case the intruder may set the consensus value to any value. However, in this case the corrupting inputs should blindly follow the time shape $\bar{u}\lambda^t$ from t = 0 on. In this paper we are more interested in faults as 'involuntary' wrong behavior of some nodes, so we exclude such case from our analysis.
The interested reader may refer to the milestone papers on this topic [26], [24], [39]. Fig. 4 shows the evolution of a network in presence of a severe breakdown of a component at time t = 50, and in this case the peculiar behavior of the network is to be driven by the faulty node and the evolution follows an unbounded pattern. In this case, it is urgent to detect and isolate the misbehaving node and exclude it from collaboration. In this simulation, it is assumed that a fault detection algorithm is active and the faulty node (blue dashed line) is excluded from collaboration at time t = 100. However, it is also visible that the drift of the faulty input still persists after the removal of the faulty node. Fig. 5 shows the phenomenon of intermittent faults. The consequences of such faults are in terms of increasing divergence of the states from the consensus value and system trajectories are unbounded. Fig. 6 shows a phenomenon frequent in networked systems, namely the presence of nodes whose faulty input (7) is an unknown but bounded random signal. In this simulation, the input u (t) of (6) is set equal to a zero mean random variable uniformly distributed in [−0.5, 0.5]. It is easily seen that the system moves away from the consensus value for the action of the faulty node in the fashion of a fluctuation.
98778 VOLUME 8, 2020
The main goal of this paper is to study strategies to counteract the phenomena described in this Section through a proper counteraction performed by a subset of nodes of the network, based on their own local data, as described in the next Section. The idea is that a suitable elaboration of local data can provide the necessary information for such nodes to react to the fault and restore the original correct consensus value (and keep the mission goal preserved).

III. A SELF-HEALING FAULT TOLERANT ALGORITHM
An appropriate approach to this problem is to equip some nodes of the network with algorithmic tools able to counteract against this phenomenon so that the network attains a self reaction ability to sporadic faults. The design strategy is to make a subset of nodes of the team, called compensation nodes from now on, equipped with algorithms to supervise the network evolution and react against potential faults. Supervision simply means that each compensation node is able to run an algorithm which is able to discover an inconsistency in the local data caused by the fault and to build a corrective input to pursue fault compensation. Finally, an essential feature of the algorithm is that it must elaborate local data only.

A. STRUCTURE OF THE ALGORITHM
The set of compensation nodes is denoted by V o = {i o 1 , i o 2 , . . . , i o q }, and we assume that each node ∈ V o can make elaborations and establish corrective actions based on its own current and past state values {x (i)} i∈ [0,t] .
Based on the above setting, any compensation node ∈ V o has the ability to drive the time evolution of the group with an additional input, namely where the subindex i denotes that ψ i (·) is possibly time-varying, so that the evolution of the network (7) takes the form for suitable time-varying functions ψ t (x j (·)). The main goal of this paper is the design of such functions to overcome or mitigate the effect of faulty nodes. A dynamic relation between one compensation node and one faulty node i is the state space description (9) together with the output map: A different yet equivalent description of the connection between a faulty node j and a compensation node is the Auto Regressive Moving Average (ARMA) model of suitable order ν [51]: where m = ν−τ j +1 and the temporal delay τ j depends only on the distance between the two nodes τ j = d( , j) + 1 while coefficients a i and b i are related with weights l i,j of matrix L in (7). In the following, we denote by AR(x (·)) (resp., MA ,j (u(·))) the left (right) elaboration of (11), so that (11) is equivalent to: Following [56], we use the symbol b ,j ∈ R ν to denote the row vector of the coefficients of the MA ,j (·) elaboration with increasing order and zero entries in the first (τ j −1) positions, i.e.
There is a strict connection between the ARMA model (11) and the state space model (7); indeed, they are different representations of the same system. However, one setting can be more suited than the other in a given practical application. In this paper, the choice of using (11) is motivated by the fact that it elaborates local data only, so it is well suited for the design of decentralized algorithms, and it is easy to compute at each t without resorting to cumbersome algorithmic structures such as observers of the whole state of the network.
For the above reasons we base the fault compensation algorithm on (12). Some simple preliminary considerations are useful to introduce such elaboration structures that are effective to diagnose the presence of faults in the network. From a mathematical standpoint, the relation between the state space description (9), (10) and (11) is through the transfer function of (9), (10). More precisely, coefficients a i , b i in (11) are those of the polynomials of the transfer function between and j: where we assume that eventual common factors are preliminary removed. It is a straight consequence of the left-hand side of (14) that ν ≤ n, the strict inequality being related to unobservability of the network from node or uncontrollability from node j [51]. We discuss this point in the next subsection, but such conditions are not an obstacle for the algorithm proposed in this paper because the zero eigenvalue of L and, in turn, the eigenvalue λ = 1 of A are always reachable and observable from any node of a (strongly) connected graph [52], so that the condition ν < n corresponds to a lower degree of the minimal polynomial nulling the sequence x (t), and it has the beneficial effect of reducing the elaboration time and complexity of the algorithm [53].
Consider the evolution of a compensation node (12) when no faults have yet occurred. Then the following relation holds for the sequence of local data $x(t)$ for $t \geq \nu$:
$x(t) + a_1 x(t-1) + \cdots + a_\nu x(t-\nu) = 0 \qquad (15)$
so that, if no faults happen before $\nu$, whatever the initial conditions, the rule based on local data $AR(x(t)) = 0$ is a useful and easy relation to verify at each time instant the occurrence of a fault for all $t \geq \nu$, while for $t < \nu$ there are too few data to implement (15). In the following, we assume that no faults happen when $t < \nu$. This condition can possibly be verified a posteriori when a suitable set of data is available, but we omit the details for the sake of brevity.
An important fact to consider is that the AR(·) elaboration deduced from (14) (namely, its coefficients) does not depend on the specific input or output node, while the MA ,j (·) elaboration does. This makes the same rule (15) useful to detect any misbehaving node without knowing its label. A further useful property that can be deduced from (15) is that the AR(·) elaboration filters the free evolution out, so the outcome of this elaboration on local output data is directly related to the exogenous values of the faulty nodes. This is an important property because it is not easy in general to separate the free response from the forced response caused by a misbehaving agent (see e.g. [24], [39]).
Consider now the first occurrence of a fault, and consider the case of a single compensation node, V o = { }. According to (11), signal ε(t) carries information on the faulty input, and we now want to exploit such relation. Hence, the structure of the proposed algorithm executed by node is: where r i (t) are gains that must be carefully set, and the rest of the paper is devoted to how to choose them to achieve the objectives described in the Problem Statement.
As a final step, it is worth remarking that the above compensation algorithm is intended for compensating all unexpected inputs different from (2) as in (7), while the effects of the correcting inputs on ε in (16) can be easily canceled and the resulting algorithm architecture is depicted in Fig. 7. As a consequence of this choice, as it is shown later in Theorem III.1, the reaction of the compensation nodes to a fault at time $\bar{t}$ is nonzero only inside $[\bar{t}, \bar{t} + \nu]$.
This algorithm easily generalizes to the multiple compensation nodes case, namely each node of V o should run (16) using its own local data, and cancel all the correcting inputs according to the scheme of Fig. 7. In order to make this possible, we assume that nodes in V o can share data between themselves.

B. RETRIEVING THE ALGORITHM STRUCTURE FROM LOCAL DATA
One main peculiarity of the algorithm (16) is that it is based on local data only, so a single node can execute the algorithm once the coefficients of the elaboration (16) are known. Even more interestingly, here we show that it is possible to compute the coefficients $a_i$ of (11) from the sequence of the first $2\nu$ local data.
If the graph topology is not known in advance, any single node can retrieve these coefficients by simply performing an elaboration of a suitable set of data collected in the first steps, so that this algorithm can be implemented in a fully distributed manner with no prior information on the network topology. Here we briefly describe an algorithm derived from results available in the literature (see e.g. [54], [55]); similar techniques have been adopted in [53] and [56] for purposes of finite-time computation of the consensus value.
The following procedure is based on the results of [54]. For a given sequence $\{x(\kappa)\}_{\kappa=0}^{\infty}$ the Hankel matrix of order $s$ is denoted by $H_s(x) \in \mathbb{R}^{s \times s}$ and it is built upon the rule $[H_s(x)]_{i,j} = x(i + j - 2)$ for $i, j = 1, \ldots, s$, so that Set $\bar{s}$ as the least number such that $\mathrm{rank}[H_{\bar{s}}(x)] = \mathrm{rank}[H_{\bar{s}+1}(x)] = \bar{s}$; then any vector $v$ belonging to $\ker\{H_{\bar{s}+1}\}$ is orthogonal to any vector $X_{\bar{s}}(t) = [x(t+1)\ \ \ldots\ \ x(t+\bar{s})]^T$ of $\bar{s}$ samples of the sequence $\{x(\kappa)\}_{\kappa=0}^{\infty}$ of the state evolution with no faults, and thus it is the vector of coefficients of the minimal annihilator polynomial of the sequence $\{x(\kappa)\}_{\kappa=0}^{\infty}$ [53]. This in turn reveals that the components of vector $v$ are to be set as coefficients of the AR elaboration in (16).
To retrieve the coefficients of such AR(·) elaboration, the following procedure is effective [54]. Once the condition $\mathrm{rank}[H_{\bar{s}}(x)] = \mathrm{rank}[H_{\bar{s}+1}(x)] = \bar{s}$ is satisfied and s is known, coefficients $a_i$ can be computed using the formula [54]: . . .
It is easy to show that, for sequences $\{x(\kappa)\}_{\kappa=0}^{\infty}$ generated by (1), (2), (10) describing the system without faults, it holds $s \leq \nu \leq n$, the strict inequalities being related to the case of unobservability of the network from node , when matrix A is derogatory [29] or some special values of initial conditions. Indeed, consider the factorization of a Hankel matrix $H_s(x) \in \mathbb{R}^{s \times s}$ generated by (3), (10): it also depends on the given initial conditions. However, as discussed in detail in [53] and [56], the impact of the initial conditions is concrete only for a subset of initial conditions of Lebesgue measure zero, so that they generically do not impact on the rank of $H_s(x(\kappa))$, and in turn this implies that generically it holds $\bar{s} = \nu$, and in the following we assume this relation to hold. We skip further details on this topic, but it is also possible to infer this phenomenon from the collected data $\{x(\kappa)\}_{\kappa=0}^{2\nu-1}$ and correct the estimated coefficients when the number of agents $n$ is known (the interested reader is referred to [53] and [56], Appendix).
At first glance, all the $MA_{ij}(\cdot)$ coefficients should be estimated as well to use the elaboration (11) or (12). However, in the last part of this paper we show that, unexpectedly, only the values of $MA_{ij}(\cdot)$, $i, j \in V_o$, are necessary to implement the fault compensation algorithm, so here we provide a technique to compute from data the coefficients of MA (·) related to one compensation node and then we extend the procedure to the multiple case.
First notice from (11) that it is necessary to give nonzero input values to infer $b_i$ from data. The procedure to retrieve $b_i$ starts at $2s$, namely soon after having collected data for the estimation of $a_i$, and it requires node to inject the input $u(t) = \delta(t - 2s) - \delta(t - 2s - 1)$, namely two opposite impulse inputs centered at $t = 2s$ and $t = 2s + 1$. Using (8), it is easy to check that this input does not change the initial consensus value. It is possible to compute the coefficients $b_i$ from the sequence $\{x(\kappa)\}_{\kappa=2s+1}^{3s}$. Using (12) and invoking the superposition principle it is easy to get the relations $AR(x(2s+1)) = b_1$, $AR(x(2s+2)) = b_2 - b_1$, $AR(x(2s+3)) = b_3 - b_2$, . . . and hence: . . .
Based on the above procedure, any compensation node can compute the coefficients $a_i$ and $b_i$ using only local data and without any a-priori knowledge on the network topology and run the algorithm. It is easy to extend this approach to the case of multiple compensation nodes by an ordered sequential run of the above procedure for each compensation node. This allows each compensation node to compute the coefficients of $MA_{ij}(\cdot)$ for all $i, j \in V_o$.
Remark 1: In practical applications, it is possible to adopt a more pragmatic control policy considering uncertainty in the estimated coefficients and in the knowledge of x (t). If data are uncertain and y (t) = x (t) + ξ (t), where ξ (t) ∈ [−ξ ,ξ ] a practical control policy is to set a threshold and choose ψ t (t) = 0 if AR(y (t)) < and ψ t (t) equal to (16) if AR(y (t)) > . For example, in this case it is reasonable to set = ξ (|b 1 |+|b 2 |+· · · ). However, this topic goes beyond the scope of the paper and it is currently under investigation.
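The retrieval of the AR and MA coefficients described in this subsection, together with the detection rule (15) and the persistent drift of Section II-B, as an added example that is not code from the paper. It assumes an 8-node undirected ring with weights 1/4, the additive fault model x(t+1) = A x(t) + u(t), node 0 as compensation node and a constructed one-step fault of value 2 at node 3 at t = 20; exact rational arithmetic stands in for a numerical rank test.

```python
from fractions import Fraction as F

def ring_matrix(n, w=F(1, 4)):
    """A = I - L for an undirected ring with equal weights w (assumed topology)."""
    A = [[F(0)] * n for _ in range(n)]
    for i in range(n):
        A[i][i] = 1 - 2 * w
        A[i][(i - 1) % n] = A[i][(i + 1) % n] = w
    return A

def simulate(A, x0, steps, inputs=None):
    """x(t+1) = A x(t) + u(t); inputs maps t -> {node: value added by that node}."""
    xs = [[F(v) for v in x0]]
    for t in range(steps):
        nxt = [sum(a * v for a, v in zip(row, xs[-1])) for row in A]
        for node, u in (inputs or {}).get(t, {}).items():
            nxt[node] += u
        xs.append(nxt)
    return xs

def rref(M):
    """Exact Gauss-Jordan elimination; returns (reduced rows, pivot columns)."""
    M = [row[:] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0])):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        piv = M[r][c]
        M[r] = [v / piv for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                f = M[i][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    return M, pivots

def hankel(seq, s):
    """[H_s]_{i,j} = x(i + j - 2) for i, j = 1..s (0-based indexing here)."""
    return [[seq[i + j] for j in range(s)] for i in range(s)]

def ar_order(seq):
    """Least s with rank H_s = rank H_{s+1} = s; H_{s+1} needs 2s+1 samples."""
    s = 1
    while 2 * s + 1 <= len(seq):
        if len(rref(hankel(seq, s))[1]) == s == len(rref(hankel(seq, s + 1))[1]):
            return s
        s += 1
    raise ValueError("not enough fault-free samples")

def ar_coeffs(seq, s):
    """Solve x(t) + a_1 x(t-1) + ... + a_s x(t-s) = 0 on the first 2s samples."""
    aug = [[seq[i + j] for j in range(s)] + [-seq[i + s]] for i in range(s)]
    return [row[-1] for row in rref(aug)[0]][::-1]      # [a_1, ..., a_s]

def residual(seq, a, t):
    """AR elaboration of (15): exactly zero until an unexpected input arrives."""
    return seq[t] + sum(a[i] * seq[t - 1 - i] for i in range(len(a)))

def demo():
    x0 = [3, 5, -2, 4, 7, 2, -8, 2]            # x(0) from Section II-B
    A, obs = ring_matrix(8), 0                 # constructed: topology, monitoring node
    faulty, t_fault, u_bar = 3, 20, F(2)       # constructed one-step fault
    clean = [x[obs] for x in simulate(A, x0, 12)]
    s = ar_order(clean)
    a = ar_coeffs(clean, s)
    # Probe of this subsection: +1 at t = 2s and -1 at t = 2s + 1, then the fault.
    inputs = {2 * s: {obs: F(1)}, 2 * s + 1: {obs: F(-1)}, t_fault: {faulty: u_bar}}
    states = simulate(A, x0, 60, inputs)
    local = [x[obs] for x in states]
    b, acc = [], F(0)
    for i in range(1, s + 1):                  # AR(x(2s+i)) = b_i - b_(i-1)
        acc += residual(local, a, 2 * s + i)
        b.append(acc)
    # Monitor only after the probe's own residual window has closed (t > 3s + 1).
    alarms = {t: residual(local, a, t) for t in range(3 * s + 2, len(local))
              if residual(local, a, t) != 0}
    return {"order": s, "a": a, "b": b, "alarms": alarms,
            "mean_before": sum(states[t_fault]) / 8,
            "mean_after": sum(states[-1]) / 8}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On this ring the order found is 5 rather than n = 8 because A has repeated eigenvalues, and the probe leaves the network average at 13/8. The fault raises an alarm only at t = 24 and t = 25, yet the average stays shifted to 15/8 afterwards, which is the bias the compensation gains are meant to remove.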

C. GAIN DESIGN TO RESTORE THE CORRECT CONSENSUS VALUE
We start the analysis from a result related to the structure of (9) under the control policy (16). We also derive conditions on gains $r_i(t)$ in (16) to guarantee an unbiased convergence value in terms of a set of linear equations involving the gains in a time span of $\nu$ steps. Let $r_\kappa(t)$ denote a vector of gains of node $\kappa$ in a time span equal to $n$ starting at time $t$, namely $r_\kappa(t) = [r_\kappa(t)\ \ r_\kappa(t+1)\ \ \ldots\ \ r_\kappa(t+n)]^T$. Considering the notation (13), in the following we use b ,j · r κ (t) to compactly denote the operation The following result states the necessary and sufficient conditions on gains $r_\kappa(t)$ to compensate for a set of concurrent $p$ faults at one time $\bar{t}$.
Theorem 2: Consider a multi-agent system subject to temporary faults and compensation nodes as in (9) under the control policy (16). A set of $p$ concurrent faulty nodes $F = \{j_1, j_2, \ldots, j_p\}$ acting on system (7) at time $\bar t$ can be effectively compensated by a set of $q$ nodes after $\nu$ steps running algorithm (16) if and only if gains $r_i(t)$, $i \in V_o$ satisfy the condition for all $j \in F$.

Proof: We start by proving (22) for a single fault, then we prove the general result by applying the superposition principle. Consider one single faulty value $\bar u$ of node at time $\bar t$. It is possible to compute the evolution of the system through (9) with $u(t) = \bar u\,\delta(t - \bar t)$, $\bar u \neq 0$ and (16): (23) where $\varepsilon_i(t)$ is given by (16). Considering the faulty input $u(t) = \bar u\,\delta(t - \bar t)$, it is possible to explicitly compute the values of $\varepsilon_i(t)$ using the relation $\mathrm{AR}(x_i(t)) = \mathrm{MA}_i(u(t))$ so that: Putting the above expression into (23) one gets: The above equation describes a one-step ahead evolution of the state under a single fault and the reaction of the compensation nodes. As a consequence, the consensus value takes the expression of (8) for $t > \bar t$ equal to: From (24), after $s$ steps from $\bar t$ all the compensation nodes have ended their action, so that for all $t > \bar t + s$ the consensus value $\alpha$ is constant and equal to Based on the previous formula, the variation of the consensus value caused by a faulty input and the reaction of the compensation nodes can be evaluated as: and it is now easy to see that the right-hand side can be zeroed by the choice of the gains as in (22), so that the considered fault is compensated at time $\bar t + s$. The case of multiple compensation nodes can be proved following the same lines, and it is omitted for the sake of brevity.
The above result provides necessary and sufficient conditions for fault compensation nodes with algorithmic structure as in (16) to restore an unbiased consensus value. However, it mainly has a theoretical significance, as it is not clear how to compute solutions of (22), or even whether at least one solution exists.
It is worth noticing that (22) is a set of AR(·) relations on the gains $r_i(t)$ with no boundary conditions. If faults happen with a rate less than $\nu^{-1}$ then gains corresponding to different faults can be computed separately, otherwise they must be computed within the same recursion. It is also worth noting that they do not depend on measured data at all but only on system structure, so they can be solved off-line. We now turn to the analysis of constant solutions of (22), which allow a time-invariant algorithm structure (16). The next Proposition is a preliminary step to further investigate a solution to equations (22).
The quantity $b_1 + b_2 + \cdots + b_{\nu - \tau_j}$ does not depend on the output node and it is equal to where $= \nu + (\nu - 1)a_1 + (\nu - 2)a_2 + \cdots + 2a_{\nu-2} + a_{\nu-1}$. (31)

Proof: By construction, $A = I - L$ is a row-stochastic matrix. By connectedness of the communication graph, matrix $A$ is non-negative and irreducible, thus satisfying the conditions of the Perron-Frobenius Theorem [3]. This implies that $p_A(z) = \det(zI - A)$ has one simple zero in one, i.e. $p_A(1) = \sum_{i=1}^{n} a_i = 0$ and with $q(1) \neq 0$ and it holds $= q(1)$. Following any of these two ways, direct computation shows that such is equal to (31).
Consider now that any function $W_j(z)$ of the form (29) can be seen as the transfer function of the state space model (9)-(10), and it corresponds to the output response of the system to an impulse input and zero initial state value [51]. According to the final value theorem [51], the asymptotic value of a sequence can be computed from (29) with the formula $\lim_{t \to \infty} w_j(t) = [(z - 1) W_j(z)]_{z \to 1}$ so that, considering the previous facts, it holds On the other hand, the impulse response of a consensus network from node $j$ can always be seen as the free evolution of the system starting from initial conditions $x(0) = e_j$ so the evolution of the system tends to for all ∈ {1, .., n}.
Putting together (32) and (33) the statement follows.

Proposition 3 provides important insights into the structure of a transfer function of a consensus network with the related interconnection graph. These results are fully exploited in the next Proposition, which shows that it is always possible to find constant solutions of (22) without any restriction on $p, q \in \mathbb{N}$.
Proposition 4: Consider a multi-agent system subject to temporary faults and compensation nodes as in (9) under the control policy (16). It is possible to set constant gains satisfying (22) to all compensation nodes equal to:

Proof: Consider $r_i(t) = r_i$; vectors $r_i(t)$ take the form (22) can be suitably adjusted: for all $j \in F$. In view of the previous Lemma, b j,i · 1 = b 1 + b 2 +· · ·+b ν−τ j = γ j γ T 1 , with given by (31). Introducing this relation in the above set of equations one has for all $j \in F$, and it is easily seen that they all can be reduced to the same relation for all $j \in F$: which admits infinitely many solutions for every $p$ and $q$, e.g. .
The above result completes the analysis for the problem of fault compensation of the consensus value. According to the previous results, it is now clear that the bias compensation through (16) can be equivalently performed by any node of the group, with no requirement on the graph topology other than connectedness.
The impact of adopting multiple compensation nodes with algorithm (16) is also clear: the control effort for the fault compensation is reduced, since it is equally shared among all compensation nodes using (38). This aspect is also evident from the simulations.
As a final remark, it is worth mentioning that, after a fault at time $\bar t$, the convergence rate to consensus of the supervised system is the same as that of (3) once the reaction of the compensation nodes ends at $\bar t + \nu$. However, if faults are persistent, the reaction of the compensation nodes is persistent as well and additional stability-related issues may arise; this aspect is currently under investigation.

IV. SIMULATION RESULTS
In this Section we apply the results obtained along the paper to a multi-agent system of 8 agents and show the effectiveness of the proposed fault compensation algorithm. Consider a group of eight nodes connected as in Fig.8, and set all weights $l_{ij}$ equal to one. This example was considered in Section II-B to show the effects of faulty node behaviors on a Consensus Network and here we show the usefulness of a supervisory fault compensation in any of the faulty conditions shown in Section II-B (excluding the presence of a malicious node). Simulations are run with the same initial conditions of Section II, namely $x(0) = [\, 3 \;\; 5 \;\; {-2} \;\; 4 \;\; 7 \;\; 2 \;\; {-8} \;\; 2 \,]^T$ and associated consensus value in the absence of faults equal to $\alpha = 1.625$.
The eigenvalue of the system matrix $(I - L)$ (see (7)) with second largest modulus is $\lambda_2 = 0.6548$, and the characteristic polynomial is $z^8 - 1.4z^7 - 0.2z^6 + 0.8z^5 - 0.1z^4 - 0.11z^3 + 0.0125z^2 + 0.004z$ so the AR(·) elaboration performed by each compensation node, say node , is AR( . As a preliminary step, we compared the AR(·) coefficients with those obtained using formula (18). The results confirmed the same coefficients with an error of magnitude $10^{-5}$.

FIGURE 9. State evolution of a consensus network with compensated isolated faults using an exact AR elaboration.

VOLUME 8, 2020
In order to check the robustness of the algorithm (16) with respect to coefficients uncertainty, we tested the algorithm with a higher level of uncertainty, namely we used $\hat a_i = a_i + \delta a_i$ and $\hat b_i = b_i + \delta b_i$ with uncertain terms of magnitude $10^{-2}$ (i.e. $|\delta a_i| \le 10^{-2}$, $|\delta b_i| \le 10^{-2}$, that we call moderate uncertainty) and then we increased the uncertainty up to $10^{-1}$ (referred to as high uncertainty). Under these conditions, we verified the effectiveness of a practical implementation of the algorithm as described in Remark 1, and we set equal to 0.05 in the former case and 0.5 in the latter.
Consider Fig.9 first, where the state evolution of the system with multiple isolated faults under the supervisory action of node 2 is plotted. In detail, we impose that node 6 has one faulty input equal to 1 at time step t = 75, node 1 analogously at time t = 150, node 8 at t = 225 and node 3 at t = 300. The detrimental effects of uncompensated faults were shown in Fig.2. The same evolution of the system has been computed using a single compensation node, namely node 2. Fig.9 shows that the action of the compensation node is to restore the consensus value to the initial unbiased value, and this is in accordance with the theoretical results of Section 3. Fig.10 and Fig.11 show the state evolution under the same faulty conditions in the case of moderate and high uncertainty, respectively. In such a case, simulations show that the consensus value has a drift after the occurrence of compensated faults, namely the value of α changes from 1.625 to 1.604, 1.59, 1.639 and 1.583 in the case of moderate uncertainty and to 1.763, 1.855, 1.533 and 1.901 in the case of high uncertainty. However, in comparison with the behavior of Fig.2 (which shows the values 2, 2.25, 1.375 and 2.375), the variations with respect to the initial consensus value under the fault compensation action are much smaller and simulation results suggest further directions for research.
Fig.12 and 13 show system evolution under compensated intermittent faults using one or two compensation nodes respectively. The interesting point to note is that the use of multiple compensation nodes has the advantage of keeping the control effort significantly lower than the single compensation node case. This happens because the two compensation nodes distribute the fault compensation effort between themselves.
This phenomenon is even clearer in Fig.14-16, which show the behavior of the system with the fault compensation algorithm active in the presence of one node injecting a random variable identically distributed in [−0.5, 0.5] when one, two, or all nodes are set as compensation nodes respectively. All these figures show that the action of the algorithm is to keep the evolution tied to the consensus value, and fluctuations visible in Fig.6 are no longer present. However, the difference of using one or multiple nodes is clear from the width of the variations around the consensus value. The drift of nearly 0.125 of the consensus value with respect to the value without faults is related to the effects of faults in the first time instants, namely t ≤ 8, when the algorithm is not yet active because too few data are available.
As a final simulation, we applied the fault compensation algorithm to the case of a hard failure, which is reported in Fig.17. In this case, the effects of the reaction of the fault compensation algorithm on the system evolution are beneficial. Indeed, system trajectories are kept bounded when the fault acts and move to a consensus close to the original value when the faulty node is removed from collaboration.

V. CONCLUSION
In this paper, the consensus problem for a multi-agent system where some nodes inject unexpected values as a consequence of a fault is considered. A fault compensation algorithm based on the corrective injection of a subset of nodes is proposed. Such corrective input is the output of an algorithm based on local data. Unbiasedness of the consensus value in the presence of a set of faults is thoroughly studied, and a procedure to retrieve the algorithm's coefficients using local data is provided. A thorough simulation analysis is performed to verify the effectiveness of the proposed algorithm as well as to investigate some facts which appear to be further research directions on this topic, such as uncertainty in the coefficients or the presence of persistent faults, unknown-but-bounded disturbances or additive noise. Another interesting line of research is distributing the computation of the algorithm among the compensation nodes.