Mogens Blanke
Department of Control Engineering
Aalborg University, Denmark
email: blanke@control.auc.dk
September 1996
Contents
1 Introduction
1.1 Acronyms and Abbreviations
1.1.1 Definitions
1.1.2 Acronyms
1.1.3 Abbreviations
List of Figures
2.1 Failure Mode and Effect Analysis scheme illustrated graphically. Two component levels are shown. (page 20)
2.2 Propagation of fault effects in closed loop control of 3-way valve. Solid lines show fault propagation. Points marked with star show where propagation can be stopped. (page 24)
2.3 Block diagram for cooling system with two 3-way valves and sketch of surrounding components. (page 27)
2.4 Bond graph model principle for cooling loop. The junction symbols denote serial and parallel connection of components. (page 28)
2.5 Three layer model for autonomous controller with link to upper level plant wide control or to operator interface. (page 29)
2.6 Design method for dependable controller with autonomous fault detection and accommodation. (page 31)
2.7 Temperature control loop with 3-way valve. (page 34)
3.1 Switch arrangement for level switch. (page 41)
3.2 3-wire resistance measurement of resistance in Pt element to measure temperature with compensation of wire resistance. (page 42)
3.3 Pressure measurement using a strain gauge bridge fitted to a membrane converted to a 4-20 mA current out of the transducer. (page 44)
3.4 Binary pressure indicator. The solid line is mechanical difference and the bottom of it is the adjustable set-point value. (page 45)
3.5 Electrical diagram of potentiometer and computer interface to enable fault detection at the single sensor level. (page 46)
3.6 Valve characteristics for diverging and converging operation (the use of A or B ports for inflow). (page 49)
3.7 Operation of 3-way valve actuator with relay operated induction motor. Abbreviations are: o: open, c: close, s: stop, HTR: Heater, LS: Limit Switch, TS: Torque Switch. (page 50)
3.8 Standby pump set with remote control. The control computers are independent and have mutual supervision. (page 51)
3.9 Triple conversion sampling has only marginal overhead but offers both significant electromagnetic spike suppression and consistency check within one sample. (page 63)
4.1 to 4.4 (captions not legible in the source)

List of Tables
2.1 FMEA Scheme for 3-way Valve (page 26)
Chapter 1
Introduction
This document is a lecture note in fault-tolerant control used at the 9th semester course for MSc students in process control at Aalborg University.
1.1.2 Acronyms
Dependable System: A system that has high reliability in terms of high availability and where the consequences of a fault are limited to the system itself, i.e., local faults do not develop into failure at plant level.
Event: An internal or external occurrence involving equipment performance or human action that causes a system upset.
Failure: The inability of a system or subsystem to accomplish its required function.
Fault: A change in the characteristics of a part or component such that its mode of operation or performance is changed in an undesired way. Required specifications are no longer fulfilled.
Fault tolerant system: A system where a fault may lead to change of operation or reduced performance but a single fault does not develop into a failure on a subsystem or system level.
Failure Modes: The various ways in which failures occur.
Hazard: An intrinsic property or condition that has the potential to cause an accident.
1.1.3 Abbreviations
AI: Analog Input. Part of computer process interface.
AO: Analog Output. Part of computer process interface.
A/D: Analog to Digital conversion. Part of analog input.
D/A: Digital to Analog conversion. Part of analog output.
DI: Digital Input. Part of computer process interface.
DiGraph: Directed Graph. Used for fault models in reliability analysis.
DO: Digital Output. Part of computer process interface.
ETA: Event Tree Analysis
I/O: Input/Output
ISC: Integrated Ship Control.
LO: Lubricating Oil
PHA: Preliminary Hazard Analysis
Chapter 2
has been much improved. However, the complexity and fast response time required makes it appealing to move the more basic supervision down from the operator to the automation level. To achieve this, plant supervision needs to be automated and become more autonomous.

This is technically possible with integrated automation systems as platforms, but new design methods are needed to cope efficiently with the complexity and ensure that the functionality of a supervisor is correct and consistent. Fail-safe systems, known from avionics and other safety critical applications, are expensive in both hardware and development effort, and are prohibitive in cost for ordinary process automation. Here, additional hardware should not be required and implementation costs must be very limited. The occurrence of faults can be tolerated, but it should be prevented that they develop into failures at a subsystem or plant level. Furthermore, it should be guaranteed that all essential faults are detected and all critical faults are accommodated.

Fault Detection and Isolation (FDI) theory has matured over the last decade. Efficient methods exist to detect additive faults, where faults are understood as signal vectors in a state space or polynomial system description (Gertler, 1993 [25]; Patton, 1995 [43]; Isermann, 1994 [29]). Difficulties with fault detection in nonlinear systems have started to be solved (Frank, 1995 [21]; Shields, 1994 [46]), and robustness problems have been dealt with in various ways: fuzzification (Frank, 1994 [20]), threshold adaption (Emami-Naeini, 1988 [17]; Ding and Frank, 1991 [15]; Jørgensen, 1995 [31]), and statistical hypothesis testing (Basseville and Nikiforov, 1994 [2]). Detectability was investigated in Chen and Patton (1994) [11].

Much less work has been devoted to the problem of what to do when a fault has been detected. An overall approach was taken by Åström et al. (1986) [1], where not-normal controller operation and tuning were key issues. The accommodation problem was treated by Tsui (1994) [47] for a narrow scenario where state feedback was required and faults needed to be state disturbance signals, similar to actuator faults.

The scope in much control systems research has been limited to solving the fairly well formulated problem starting off with mathematical models of control objects and faults represented as additive signal vectors. A general design concept was treated in Blanke (1995) [6], and marine application studies were presented in Blanke and Jørgensen (1993 [8] and 1995 [5]). The paper by Bøgh et al. (1995) [10] discusses autonomous, fault tolerant control of a micro-satellite using the same basic ideas.

This chapter focuses on development of an overall concept that meets industrial requirements to development methods. A method is suggested that gives a consistent design and assures system dependability. The basic philosophy has been to use existing sensors and actuators in an integrated system and make systematic use of both direct and indirect redundancy in the available information. Component based fault analysis is shown to
[Figure 2.1 drawing not reproduced; labels: first level analysis of Unit 1 and Unit 2 with inputs, parts, faults F1 to F8 and effects E1 to En; second level analysis combining the units; connection to third level.]
Figure 2.1: Failure Mode and Effect Analysis scheme illustrated graphically. Two component levels are shown.
$$e_i = A_{f_i}\, f_i \tag{2.1}$$

$$e_k \tag{2.2}$$

When some faults are effects that are propagated from other components, we get

$$e_i = A_{f_i}\begin{bmatrix} f_i \\ e_{i-1}\end{bmatrix} \tag{2.3}$$

System descriptions are obtained from interconnection of component descriptions. The description of a system with three components and open loop structure is

$$e_3 = A_{f_3}\begin{bmatrix} f_3 \\ e_2\end{bmatrix}, \qquad e_2 = A_{f_2}\begin{bmatrix} f_2 \\ e_1\end{bmatrix}, \qquad e_1 = A_{f_1}\, f_1 \tag{2.4}$$

$$e_3 = A_{f_3}\begin{bmatrix} I & 0 \\ 0 & A_{f_2}\end{bmatrix}\begin{bmatrix} I & 0 \\ 0 & A_{f_1}\end{bmatrix}\begin{bmatrix} f_3 \\ f_2 \\ f_1\end{bmatrix} = A_{f,sys}\, f_{sys}, \qquad f_{sys} = \begin{bmatrix} f_3 \\ f_2 \\ f_1\end{bmatrix} \tag{2.5}$$
Effects are seen to be propagated to the next level of analysis and act as parts' faults at that level. This is continued until the system level is reached. The schemes give a surjective mapping from faults to effects: there is a unique path from fault to end effect, but different faults may cause the same end effect.
$$e_3 = A_{b,sys}\, f_{sys} \tag{2.6}$$

$$f_i = f_k \wedge f_l \tag{2.7}$$

as an example. This extends the above procedure to become more elaborate but still solvable.
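As an added illustration of eqs. (2.3) to (2.5) and of the surjective fault-to-effect mapping (example code written for these notes, not the author's tool), the following Python stores each boolean matrix as a relation, composes the system matrix as in (2.5) for a constructed valve / cooling loop / engine chain, checks it against level-by-level propagation as in (2.4), and inverts it to list the single faults consistent with an observed set of end effects:

```python
"""Boolean FMEA propagation through component levels, eqs. (2.3) to (2.5).

Added example, not code from the lecture note.  A matrix A_f is stored as a
relation (input name -> set of effect names), so the boolean matrix-vector
product is a union over the active inputs.  All component, fault and effect
names are constructed for the illustration.
"""
from typing import Dict, Set

Matrix = Dict[str, Set[str]]


def propagate(a_f: Matrix, active: Set[str]) -> Set[str]:
    """e = A_f [f; e_in] (eq. 2.3): effects caused by the active faults and
    incoming effects; inputs the component has no row for are ignored."""
    effects: Set[str] = set()
    for x in active:
        effects |= a_f.get(x, set())
    return effects


def compose(outer: Matrix, inner_sys: Matrix) -> Matrix:
    """One block product of eq. (2.5).  `inner_sys` maps the elementary faults
    of the levels below to the effects entering `outer`; the result maps all
    elementary faults so far to the effects leaving `outer`.  Own faults of
    `outer` pass through the identity block unchanged."""
    produced = set().union(*inner_sys.values())
    composed: Matrix = {f: set(e) for f, e in outer.items() if f not in produced}
    for f, incoming in inner_sys.items():
        composed[f] = propagate(outer, incoming)
    return composed


# Level 1: the 3-way valve, the entries of Table 2.1 (constructed labelling).
VALVE: Matrix = {
    "pipe leak": {"flow zero", "flow reduced"},
    "power fault": {"flow zero", "flow reduced"},
    "rotor fault": {"flow zero", "flow reduced"},
    "pipe broken": {"flow zero"},
    "pipe clogged": {"flow reduced"},
    "bearing worn": {"flow reduced"},
    "port A or B clogged": {"flow reduced"},
    "setpoint fault": {"A flow high", "B flow high"},
}
# Level 2: the cooling loop sees the valve effects as incoming faults (eq. 2.3)
# and has one own fault.  Constructed.
COOLING_LOOP: Matrix = {
    "flow zero": {"no cooling"},
    "flow reduced": {"cooling reduced"},
    "A flow high": {"cooling reduced"},
    "B flow high": {"temperature low"},
    "pump stopped": {"no cooling"},
}
# Level 3: the main engine.  Constructed.
ENGINE: Matrix = {
    "no cooling": {"engine overtemperature", "engine shutdown"},
    "cooling reduced": {"engine overtemperature"},
    "temperature low": {"fuel efficiency reduced"},
}


def system_matrix() -> Matrix:
    """A_f,sys of eq. (2.5): e_3 = A_f3 [I 0; 0 A_f2] [I 0; 0 A_f1] f_sys."""
    return compose(ENGINE, compose(COOLING_LOOP, VALVE))


def end_effects(faults: Set[str]) -> Set[str]:
    """Level-by-level propagation of eq. (2.4), used to cross-check (2.5)."""
    e1 = propagate(VALVE, faults)
    e2 = propagate(COOLING_LOOP, faults | e1)
    return propagate(ENGINE, faults | e2)


def candidate_faults(a_sys: Matrix, observed: Set[str]) -> Set[str]:
    """Inverse lookup: single faults whose end effects cover the observation.
    Several faults normally qualify, which is the surjectivity noted above."""
    return {f for f, e in a_sys.items() if observed and observed <= e}


if __name__ == "__main__":
    a_sys = system_matrix()
    for fault in sorted(a_sys):
        assert a_sys[fault] == end_effects({fault})      # (2.5) agrees with (2.4)
        print(f"{fault:20s} -> {sorted(a_sys[fault])}")
    print(sorted(candidate_faults(a_sys, {"engine overtemperature", "engine shutdown"})))
```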
2.3.2 Completeness
Completeness of the fault effect vector is a necessary prerequisite for later fault detection and isolation, because the only faults that can be isolated are those specified in the design. Completeness is obtained if all possible component faults are considered. This is not achievable in a rigorous sense, but engineering experience from risk analysis makes it possible for practical purposes.
It is noted that completeness does not ensure that component fault isolation is possible, since several component faults could cause the same effects.
$$e_i = A_{f_i}\begin{bmatrix} f_i \\ e_i\end{bmatrix} \tag{2.8}$$

$e_i = A_{f_i}\,[\,f_i$ (2.9)

With closed loop feedback and negative loop amplification, equation (2.8) is unstable, however, and a steady state solution does not exist.
tem.
- Change settings in the surrounding process to decrease the requirements to the controlled system.
- Change controller parameters.
[Figure 2.2 drawing not reproduced; labels: To Filter, Motor/Gear, Potentiometer; points where propagation can be stopped are marked X.]
Figure 2.2: Propagation of fault effects in closed loop control of 3-way valve. Solid lines show fault propagation. Points marked with star show where propagation can be stopped.
- If the fault is a set point error then freeze at last fault-free set
- Fail-to-safe operation.
- Emergency stop of physical process (safety system).

The accommodation actions needed follow from the FMEA analysis. The requirements on the part of software are that such fault accommodation actions can be easily specified and that autonomous fault detection and accommodation is part of controller and safety system specifications. This is beyond the scope of present automation equipment but is believed to be an essential part of requirements to come, to improve overall reliability of automated machinery systems.
Table 2.1: FMEA scheme for 3-way valve (effect across, fault down).

Fault \ Effect | Flow zero              | Flow reduced                   | A flow high | B flow high
input fault    | pipe leak, power fault | pipe clogged, power fault      | setp. fault | setp. fault
comp. fault    | rotor fault            | rotor fault, bearing worn      |             |
output fault   | pipe broken            | pipe leak, port A or B clogged |             |
$$
\begin{aligned}
\text{Input:}\quad & q_1,\; q_2 \\
\text{Fault:}\quad & \Delta q = \begin{cases} 0 & \text{no fault} \\ < 0 & \text{reduced flow} \\ -q_1 - q_2 & \text{no flow} \end{cases} \\
\text{Internal:}\quad & R_1 = f(\cdot),\ \text{where } 0 < f(\cdot) < K \\
& R_2 = K - f(\cdot) \\
\text{Output:}\quad & q_3 = q_1 + q_2 + \Delta q
\end{aligned} \tag{2.10}
$$

$$
\begin{aligned}
\text{Input:}\quad & t_1,\; t_2 \\
\text{Internal:}\quad & K_1 = f(\cdot),\ \text{where } 0 < f(\cdot) < K \\
& K_2 = K - f(\cdot) \\
\text{Output:}\quad & t_3 = t_1 K_1 + t_2 K_2
\end{aligned} \tag{2.11}
$$
[Figure 2.3 drawing not reproduced; labels: Controller, TS, Main engine, M, (3a), (3b), A, Three-way valves, From cooler, FW calorifier and FW generator, From pump system, From FW calorifier and FW generator, To de-aerating tank.]
Figure 2.3: Block diagram for cooling system with two 3-way valves and sketch of surrounding components.
and 2.4 for two 3-way valve cooling loops and a process being cooled. The diagrams are not complete but serve as illustration. The principal issue is that a graphical component description with component links has an underlying model and the structures of the two can be directly related.
(2.12)

The symbols in eq. (2.12) are: state vector, x, control input, u, disturbance, d, additive fault vector, f, and output vector, y. Fault propagation is described by the plant dynamics and the matrices $E_f$ and $G_f$.

Parity equation and fault detection observer based FDI methods detect a deviation from normal and isolate the component of the fault vector, f, which is the most likely cause of the deviation. Identification approaches determine changes of parameters in either of the system matrices.

A crucial point about FDI methods is that only fault effects which have been included in the model can be isolated. The FDI methods alone can not guarantee that all relevant faults can be isolated. This obstacle is overcome by using the risk analysis approach to define the fault effects.

[Figure 2.4 drawing not reproduced; elements: 3WV, 3WV, TS, ME, TS, Cntrl, Cntrl.]
Figure 2.4: Bond graph model principle for cooling loop. The junction symbols denote serial and parallel connection of components.

Transformation of a bond graph model to an FDI state space description can be completely automated when causality in the loop is properly defined. The interested reader should consult de Vries (1994) [13] or Karnopp and Rosenberg (1983) [32].
Figure 2.5: Three layer model for autonomous controller with link to upper level plant wide control or to operator interface.
3. A third level with decision logic which reacts on the current condition, receiving inputs from detectors on any non-normal state and the operational mode of the process. Dedicated effector modules will also exist to execute handling actions when required.

The 2nd and 3rd level are meta-levels which together constitute a supervisory control. Levels 1 and 2 are executed in real-time. Level 3 is executed when triggered by events at a lower level.
- Locate closed loop points and determine desired fault reactions. Use system functionality requirements in this analysis.
- Make a list of effects to be handled.
- Determine remedy actions for each effect to be accommodated.
- Determine controller configuration, including possible sensor signal estimation for each fault effect. This step may include reactions from plant shut-down to issue of an operator warning.
- Determine how reconfiguration shall be done.
- Determine faults that cause the end effects with high criticality.
6. System modelling
Model relevant parts of the system as required by the FDI methods to be employed.
Figure 2.6: Design method for dependable controller with autonomous fault detection and accommodation.
8. Supervisor design and implementation
before a control loop fault has caused plant malfunction. For these reasons, automatic code generation and systematic design methods are key issues.

There are three main concerns when implementing a supervisor. First, a design methodology must ensure that there is a unique mapping from the system fault description to supervisor logic. Second, consistency of the logic should be provable and, third, automatic code generation of the state-event logic is preferred for reasons of implementation reliability.
it is active. This makes implementation much more versatile and maintainable than traditional case statement implementations, and re-use of detector code becomes a genuine possibility. The ways to ensure consistency and correctness of a reflective implementation are, however, still an area of active research.
Implementation of the supervisor has been made using a BEOLOGIC® generated state-event machine on a small scale prototype.

The methodology for dependable design was implemented as a prototype tool using off the shelf software to the extent possible. FMEA schemes for components were entered in a spreadsheet, and a dedicated compiler translated them to a language understood by the BEOLOGIC® inference engine. The logic of this commercial tool is rather more advanced than the basic matrix formulation presented here, and array logic is employed to solve the interconnection and analysis problems (Møller, 1995 [40]; Franksen, 1978 [22]; More, 1981 [41]).
The tool was able to generate the necessary tables for fault handling for the cooling system as desired. A second benefit was easy access to the inverse tables, which show all possible component faults once a certain combination of fault effects is observed. This list could be useful in its own right for fault diagnosis purposes and advice about the severity of an observed condition. The particular tool offers translation of the logic and has, thus, a fixed maximum calculation time at run-time.
One difficulty encountered was the analysis of closed loop systems. Equation (2.2) cannot be solved directly for a closed loop configuration, and as it does not give any meaning to consider loop gain when faults are described only quantitatively, the inference engine had difficulties. The work-around solution was to incorporate an additional state with each FMEA block stating whether a logic search had already been through this part of the diagram. The result was easy determination of closed loop paths which could be used in the identification of potential points where fault handling could be activated to stop further propagation (Blanke et al., 1995 [7]).
The false detection problem is not solved in this way, however. False detection and noise on FDI residuals may cause considerable diagnosis uncertainty. This problem needs to be solved using, e.g., the usual stochastic detection methods or fuzzy detection techniques (Frank, 1995 [21]).

Automatic handling of bond-graph interconnection and translation to state space models has not been pursued. The reason was that other groups have reported such results, see de Vries (1994) [13].

The prototype tool is certainly far from a full scale implementation, but the experience has shown that the concept as such seems to be worth pursuing at a larger scale.
[Figure 2.7 drawing not reproduced; labels: Computer with AI, A/D, Control Algorithm, AO; Plant with TS, Filter Unit, To Main Engine.]
Figure 2.7: Temperature control loop with 3-way valve.
- Actuator fault (fault in the valve limit switch): the motor must be stopped immediately.
- Position sensor fault: the controller should be re-configured. From the analytical relation between duration of relay pulses and motor shaft position, a position estimate is readily available. The estimate is used until the fault is repaired.
- Temperature sensor fault: the reference to the position controller fails. The controller is re-configured, a time-history roll back is made of the reference signal, and the mean is used as new reference until the fault has been repaired.

These examples show situations where temperature would deviate significantly or the control would simply fail with the existing controller design. Fault handling, by contrast, could assure plant availability with simple means.
2.10 Summary
This chapter has given an overview of ideas to make systematic design to obtain fault tolerant control. It showed how a matrix formulation of an FMEA method could be adopted to fit into the fault detection and isolation problem. State space descriptions of system dynamics and fault propagation could be obtained from generic bond-graph models of components. It was shown how the component models could be simplified into generic types for use in the design, and how the generic types were used in the model building stage. It was further shown that the FMEA method and the generic component types enable isolation of failure modes with different degree of criticality and determination of control system actions to faults.

A systematic design method was further presented which led to a three level architecture for a supervisor based fault tolerant controller. Various implementation problems were discussed.

The main contribution was the suggestion of a new method for systematic capture of requirements for fault detection and accommodation, and a systematic way of specifying FDIA properties related to component failure modes. A salient feature was shown to be the completeness properties obtained with this method if combined with array theory based implementation of the supervisor logic.
Chapter 3
1. Level measurement (Analog signal)
Level switch based on a float. (Binary signal)
2. Temperature measurement
signal)
Pressure switch. (Binary signal)
4. Flow measurement
Potentiometer.
Actuators:
- electro-magnetic impulse travel time (microwave radar principle)
- ultrasound impulse travel time or standing wave reflection
2. Indirect assessment through measuring the pressure near the tank bottom:

$$L = L_0 + \frac{\Delta p}{\rho(T)\, g}, \qquad \Delta p = p - p_{atm} \tag{3.1}$$
Level Transducer
The level measurement system considered here is of type b. It consists of a strain gauge pressure transducer mounted in the tank and a signal amplifier/transmitter. The transducer and the transmitter are interconnected by means of a vented cable. The vent tube in the cable provides the transducer with the reference pressure $p_{atm}$.

The pressure transducer consists of a sensing diaphragm and a resistive strain gauge bridge. The bridge converts the diaphragm deformation, due to pressure difference, to a voltage. In the transmitter the bridge output is converted to a 4-20 mA current signal. The bridge is supplied from the transmitter board which also delivers necessary power from the 4-20 mA line. Figure 3.1 shows the principle of the measurement system with electrical wiring.

A range selector combined with span and zero adjustment potentiometers are available for calibration of the system.
Input to the level transducer is the strain gauge bridge signal, which is caused by sensing diaphragm deformation due to a pressure difference over the diaphragm. The output is a 4-20 mA current signal. The tank level is almost proportional to the deformation. If the level, current and pressure span is $L_{span}$, $i_{span}$ and $p_{span}$ respectively, then the linear, relative relationship between input and output (level relative to electric current) is:

$$\frac{\hat L}{L_{span}} = \frac{\Delta p}{P_{span}}\cdot\frac{\rho(T_0)}{\rho(T)} + \frac{L_0}{L_{span}}, \qquad \frac{\hat L}{L_{span}} = \frac{i - i_0}{i_{span}} + \frac{L_0}{L_{span}} \tag{3.2}$$

where $\Delta p = p - p_{atm}$.
Level Switch
Most level switches use principle c) above. They are used to indicate full or empty tank, and to provide a binary indication of high/low level. One level switch has one of these functions. Commercial level switches have double contacts to enable detection of contact faults. One set is off when the other is on. The figure shows the electrical switch arrangement.
[Figure 3.1 drawing not reproduced; labels: contact A for Low Level, contact A for High Level.]
Figure 3.1: Switch arrangement for level switch.

[Figure 3.2 drawing not reproduced; labels: iref, MUX, Rw2, Rw3, RPT100, Sensor, Wiring, ISC, 3-wire measurement.]
Figure 3.2: 3-wire resistance measurement of resistance in Pt element to measure temperature with compensation of wire resistance.
$$R_{PT100} = R_0\,(1 + \alpha T) \tag{3.4}$$

$R_0)$ (3.5)
Pressure Transducer
The pressure transducer considered here is of type b, and based on strain gauge measurements. The transducer and transmitter are collected as one

[Figure 3.3 drawing not reproduced; labels: strain gauges SG in a bridge, Bridge Supply, Vsup+, Vsup-, Vout+, Vout-, PA, 4-20 mA supply, Transducer, Wiring, ISC.]
Figure 3.3: Pressure measurement using a strain gauge bridge fitted to a membrane converted to a 4-20 mA current out of the transducer.
$$i = \frac{i_{span}}{P_{span}}\,\Delta p + i_0, \qquad \Delta p = p - p_{atm} \tag{3.6}$$
Pressure Switch
The pressure switch considered here is of type c. It is a pressure controlled switch, where placement of the switch depends on the adjusted set-point value and the pressure in the connection.
Figure ?? illustrates the operation of the switch. The contacts 1-4 close while 1-0 break as the pressure rises above a set-point value. The contacts return to initial position when the pressure falls to the set-point value minus the mechanical hysteresis.
[Figure 3.4 drawing not reproduced; labels: contacts 4 and 2, Mechanical Hysteresis, Setpoint.]
Figure 3.4: Binary pressure indicator. The solid line is mechanical difference and the bottom of it is the adjustable set-point value.
Principles for very accurate applications include: optical encoder principles, magnetic induction (the inductosyn) and synchro transmitter measurements. Optical encoders and inductosyns are made in both rotating and linear versions. Linear position measurement is also available from differential transformer based sensors.
Magnetostrictive materials have been used for robust components since about 1980. These elements are very robust but nonlinear in the 2-5% order of magnitude.
3.2.1 Potentiometer
A potentiometer changes the position of contact between a resistance element and a wiper when the turning angle is changed. The potentiometer can be considered a voltage divider with a division ratio that is a function of the turning angle. Linear potentiometers have a very accurate linear relation between turning angle and division ratio. Figure ?? shows the typical connection diagram. Fault detection ability is discussed in a subsequent section.

[Figure 3.5 drawing not reproduced; labels: Potentiometer, Wiring, iF, ISC.]
Figure 3.5: Electrical diagram of potentiometer and computer interface to enable fault detection at the single sensor level.
Flowmeter
The flow measurement principle considered here is of type a. The flow-meter consists of a housed 4 bladed rotor which is placed in the fluid stream. The axis of rotation of the rotor is parallel to the direction of the flow. The incoming fluid forces the blades to rotate at an angular velocity approximately proportional to the flow rate. A magnetic coupling transmits the rotor rotation to an inductive pulse transmitter. A pulse discriminator may be included (option).

A pulse discriminator prevents measurement faults due to pipeline vibrations, pressure fluctuations, or non-steady flow. The obstacle is that an error will occur if a back and forth fluctuation of the rotor creates multiple forward pulses. By using two pulse transmitters, which generate two signals with a phase shift of 90°, these measurement errors can be eliminated.

Electrical output from the flow-meter is a binary signal. Supply is a voltage of 24 V DC. The load current will change value according to the state of the binary signal.
Indication can be analog or binary for these valves. Binary indication can be limited to "closed", and "not closed" should then be interpreted as open. However, most valves have indication for both open and closed positions.
2. Two way valve. Sends flow in one direction in a hydraulic circuit, stops the flow in neutral position, or reverses the flow when activated in opposite direction. Two way valves are used in hydraulic control circuits.
[Figure 3.6 plot not reproduced; axes: percent of total flow through ports A and B, 0 to 100, curves for diverging and converging operation.]
Figure 3.6: Valve characteristics for diverging and converging operation (the use of A or B ports for inflow).
[Figure 3.7 drawing not reproduced; labels: AC, heaters HTR1 and HTR2, limit switches LS and torque switches TS for Close and Open, Motor, Potentiometer with terminals A, C, B, ISC.]
Figure 3.7: Operation of 3-way valve actuator with relay operated induction motor. Abbreviations are: o: open, c: close, s: stop, HTR: Heater, LS: Limit Switch, TS: Torque Switch.
Limit switches on the rotor provide indication of rotor end positions to permit adequate controller design and fault detection. Torque switches are mounted to provide overload protection.
3.3.2 Pumps
Pumps are used to drive a liquid through a machinery system or to move a liquid from one tank to another. Electrically driven pumps are normally used. Critical functions like lubrication oil supply and cooling water for the main engine are done using redundant pumps that automatically start if supply pressure drops below a certain level. It is essential that the standby pump control has no possible single point failures
[Figure 3.8 drawing not reproduced; labels: two control computers (Computer 2 shown), pressure switches PS1 and PS2, motors M1 and M2, Pump 1 and Pump 2, Motor starter 1 and Motor starter 2 with start/stop and rem./loc./block selection.]
Figure 3.8: Standby pump set with remote control. The control computers are independent and have mutual supervision.
large consumer on a ship's power system. A two step starter has a set of resistors which are in series with the pump for a number of seconds after startup. The resistors are bypassed after the startup period has elapsed. The switching is done by contactors (three phase relays capable of handling the large currents are needed).

A standby pump set consists of two pumps with individual starters and a pressure measurement in the outlet from each pump. If measured pressure on one pump is lower than a predetermined value, the other is automatically started up. Figure ?? illustrates a standby pump control system.
Level Transducer
With reference to Fig. ?? the following table is developed. The rows of the original table are input, output and component faults; the columns are the observed effects.
- Too low signal: wire broken; transmitter adj. fault
- Too high signal: short circuit; transmitter adj. fault
- Signal not related to physics: vent tube clogged; salt water, sensor damage
- Fluctuating signal: connection fault; transmitter defect
Level Switch
With reference to Fig. ?? the following table is developed.
- Too low signal: low level signal, e.g. broken wire (low alarm config.)
- Too high signal: high level signal, e.g. broken wire (high alarm config.)
- Signal not related to physics: mech. damage
- Fluctuating signal: connection fault
Temperature Transducer
With reference to Fig. ?? the following table is developed.
- Too low signal: short circuit; sensor element fault
- Too high signal: broken wire; sensor element fault
- Signal not related to physics: mounting fault; e.g. salt water
- Fluctuating signal: loose connection; sensor element fault
Pressure Transducer
Referring to Fig. ?? the following FMEA table is developed for the pressure transducer.
- Too low signal: broken wire; amplifier failure
- Too high signal: short circuit; amplifier failure
- Signal not related to physics: pipe broken, ref. press. failure; water filled, amplifier failure, unit damage
- Fluctuating signal: loose connection; amplifier failure
Potentiometer
With reference to Fig. ?? the following table is developed.
- Too low signal: broken wire at A; short at A-B; short B-C
- Too high signal: broken wire at A; short circuit A-C; wiper fault
- Signal not related to angle: loss of supply; broken wire at C; stuck shaft or element broken
- Fluctuating signal: vibration; loose connection
End-position indication table (component heading not legible in the source); rows are input, output and component faults.
- End position reached but not indicated: loose wire, connection problem
- Signal not related to physics: short circuit; mech. damage
- Fluctuating signal: mech. damage
- End position indicated but not reached: broken wire; mech. damage
Three-way Valve
With reference to Fig. ?? the following tables are developed. The effect columns are flow too low, flow too high, flow not related to control angle, and fluctuating flow; the cell assignment is only partly legible in the source, so the entries are listed by row.
- Input: pipe clogged, set-point low, power low; set-point high; pipe broken, pipe leak; input flow fluctuating, set-point fluctuating
- Output: pipe A or B clogged; pipe broken or leak
- Comp.: damage, hysteresis; damage, wear; wear
According to Electrical Interface
The components selected and discussed in chapter 6 were seen to have only a few standardized types of output. The computer interface for each component is listed in the tables below.
3.5.2 Sensors
The columns of the original table are: sensor, output from component, computer interface, comments.

Level sensor (differential pressure meas.)
  Output from comp.: strain-gauge bridge to transmitter, 4-20 mA output
  Computer interface: current, 24 V DC supply from computer
Pressure transducer (abs. or differential)
  Output from comp.: current 4-20 mA
  Computer interface: current, 24 V DC supply from computer
Pressure switch (abs. or differential)
  Output from comp.: NC contact
  Computer interface: digital
PT100 element
  Output from comp.: resist. varies with temp.
  Computer interface: resistance measurem. with wire comp.
  Comments: constant current supply from interface
Angle: pot.meter meas.
  Output from comp.: a) voltage divider varies ratio with angle; b) resist. varies with angle
  Computer interface: a) 3 terminal measurem.: supply voltage to resist. element, measure at wiper; b) resist. measurem. of wire resist. with compens.
Norm. closed switch
  Output from comp.: a) contact; b) contact, resistor in parallel
  Computer interface: a) digital input; b) resistance measurement
  Comments: a) no wire supervis.; b) with wire supervis.
Norm. open switch
  Output from comp.: a) contact; b) contact, resistor in parallel
  Computer interface: a) digital input; b) resist. measurem.
  Comments: a) without wire supervision; b) with wire supervis.
Range Check
Range checking is a very efficient way to detect broken wires or short circuits between wires for all voltage or current based sensors. The requirement to hardware is that all such faults lead to a transition of the measured voltage into an "out of range" region.

The time interval elapsed from the time the fault occurs until it is detected depends on how fast a limit is reached. The allowable time to detect depends on the actual use of the sensor signal. This is discussed below.

For 4-20 mA current output from sensors/transmitters, ranges come naturally. The requirements are
1. A/D converter range is 0 to 24 mA.
2. If current exceeds 24 mA, or is below 0 mA (reverse current), the converter must indicate 24 mA or 0 mA respectively, and not swap around.

For voltage based measurements, range checking requires that all short circuit and open circuit conditions can be detected:
1. any wire shorts to any other wire.
2. any wire shorts to ground.
3. any wire is open.

For potentiometer measurements, detection requires:
1. Voltage supply is unipolar. Symmetrical supply around zero, as is common practice, can not detect shorts between ground/zero level and wiper.
2. Input circuit on voltage amplifier is driven out of range if input wire is open.

Point b) implies that a current (iF in figure 6 in chapter 6) is injected into the measurement circuit. When an "open" fault occurs, input voltage will change with a rate of change that depends on circuit capacitances and the magnitude of the current injected. As the currents may have to be chosen small in order to avoid too heavy impact on measurement nonlinearity/accuracy, the rate of change may be too small to meet the required time to detect the fault. If so, slew rate checking can be adopted.
Slew Rate Check

Slew rate is the change of the signal between consecutive samples, the "derivative" of the signal. If an open fault occurs, input circuits should be designed such that the slew rate of the signal in this condition is several times higher than possible in normal operation. A slew rate detector can then be used to considerably reduce the time to detect.

The slew rate algorithm should be implemented robustly, with adequate filtering that can be tuned with the time constant $\tau_d$:

$$x(k) = \frac{1}{\tau_d}\left(y(k) - \hat{y}(k)\right), \qquad \hat{y}(k+1) = \hat{y}(k) + T_s\, x(k)$$ (3.7)

where $T_s$ is the sampling time, $y$ is the measured signal, and $x$ is the slew rate estimate.
RMS Value Check

With reference to the fault schemes, signal fluctuation is sometimes a symptom of a fault in development. In addition to signal fluctuations and wiring defects in development, electro-magnetic disturbances will cause an increase in the Root Mean Square (RMS) value of a signal. Electro-magnetic interference should be damped by filtering and screening of cables. An increase in the RMS value of a signal may therefore be an indication of a screening or ETC defect or of other faults in the interface.

An estimator for the RMS value is best made recursively. This also requires a recursive calculation of the signal's mean:

$$\bar{y}(0) = y(0)$$
$$\bar{y}(k+1) = \bar{y}(k) + \frac{1}{k+1}\left(y(k+1) - \bar{y}(k)\right)$$
$$\sigma^2(k+1) = \sigma^2(k) + \frac{1}{k}\left(\left(y(k) - \bar{y}(k)\right)^2 - \sigma^2(k)\right)$$ (3.8)
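The three checks above, range check, slew rate estimator of Eq. (3.7) and recursive mean/variance estimator of Eq. (3.8), as one added example in Python (this is not code from the original document). The 4-20 mA limits with a 0.5 mA margin, the sampling time, the filter time constant, the alarm limits and the sample sequence (a steady 12 mA reading followed by an open loop reading 0 mA) are constructed assumptions; the variance update uses the previous mean with weight 1/k as written in Eq. (3.8).

```python
"""Sensor-channel supervision: range check, slew-rate check and recursive RMS check.

Added example, not code from the original document. It implements the
three checks discussed above on a 4-20 mA current-loop channel:
  * range_check        - out-of-range detection of open wires / shorts,
  * SlewRateEstimator  - Eq. (3.7): x(k) = (y(k) - yhat(k)) / tau_d,
                         yhat(k+1) = yhat(k) + Ts * x(k),
  * RecursiveStats     - Eq. (3.8): recursive mean and variance.
Limits, time constants and the sample sequence are constructed assumptions.
"""
from typing import List, Optional, Tuple


def range_check(i_ma: float, lo: float = 4.0, hi: float = 20.0,
                margin: float = 0.5) -> Optional[str]:
    """Classify a current-loop reading; None means in range.

    A healthy 4-20 mA transmitter never leaves [lo, hi]; the margin
    (assumption) allows for calibration spread. Below range indicates an
    open wire or reverse current, above range a short to the supply.
    """
    if i_ma < lo - margin:
        return "under-range (open wire or reverse current)"
    if i_ma > hi + margin:
        return "over-range (short circuit to supply)"
    return None


class SlewRateEstimator:
    """Filtered slew-rate estimate of Eq. (3.7)."""

    def __init__(self, ts: float, tau_d: float, y0: float) -> None:
        self.ts = ts          # sampling time Ts
        self.tau_d = tau_d    # filter time constant tau_d
        self.yhat = y0        # filtered signal estimate yhat(k)

    def update(self, y: float) -> float:
        """Return the slew-rate estimate x(k) for the new sample y(k)."""
        x = (y - self.yhat) / self.tau_d
        self.yhat += self.ts * x
        return x


class RecursiveStats:
    """Recursive mean and variance of Eq. (3.8)."""

    def __init__(self) -> None:
        self.k = 0            # number of samples seen so far
        self.mean = 0.0
        self.var = 0.0

    def update(self, y: float) -> Tuple[float, float]:
        """Fold in y and return (mean, variance).

        The variance is updated with the previous mean and weight 1/k, as
        in Eq. (3.8); the mean then moves by (y - mean)/(k+1).
        """
        if self.k == 0:
            self.mean, self.var = y, 0.0
        else:
            self.var += ((y - self.mean) ** 2 - self.var) / self.k
            self.mean += (y - self.mean) / (self.k + 1)
        self.k += 1
        return self.mean, self.var


def supervise(samples: List[float], ts: float, tau_d: float,
              slew_limit: float, var_limit: float) -> List[Tuple[int, str, object]]:
    """Run all three checks over a sample sequence.

    Returns (sample index, check name, detail) for every alarm raised.
    """
    alarms: List[Tuple[int, str, object]] = []
    slew = SlewRateEstimator(ts, tau_d, samples[0])
    stats = RecursiveStats()
    for k, y in enumerate(samples):
        fault = range_check(y)
        if fault is not None:
            alarms.append((k, "range", fault))
        x = slew.update(y)
        if abs(x) > slew_limit:
            alarms.append((k, "slew", x))
        _, var = stats.update(y)
        if var > var_limit:
            alarms.append((k, "rms", var))
    return alarms


# Constructed sample sequence: 12 mA steady reading, then the loop opens
# (0 mA) at sample 40. Ts = 10 ms, tau_d = 50 ms (assumptions).
SAMPLES: List[float] = [12.0] * 40 + [0.0] * 10

if __name__ == "__main__":
    for alarm in supervise(SAMPLES, ts=0.01, tau_d=0.05, slew_limit=50.0, var_limit=1.0):
        print(alarm)
```

With these settings all three checks fire at sample 40: the range check immediately, the slew rate estimate because the step through a 50 ms filter time constant is far above anything a healthy loop produces, and the variance estimate because one 12 mA deviation across 40 prior samples already exceeds the limit. Which check is fastest in practice depends on the sensor's normal dynamics, which is the trade-off the text describes.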
systems, may need immediate detection because the fault will have an immediate effect on the machinery.

Faults in a control loop can be categorized in the generic types listed in the table (columns: Fault type; Level for detection; Required time to detect; Level for remedy action):

- Reference value fault (setpoint): detected in the process interface hw & sw; several samples to detect; remedy in the controller.
- Feedback element fault: detected in the process interface hw & sw; down to one sample to detect; remedy in the controller. Faulty information should not be used for command calculation.
- Actuator fault: detected in the process interface hw & sw; down to one sample to detect; remedy in the controller if possible, or in the safety system.
- Execution fault, e.g. in timing: application SW, system or HW fault in the computer controller; remedy in computer firmware and/or the safety system.
- Supply fault: detected by the safety system and/or another system; remedy by fail-to-safe, fatal error design.

As apparent from the table, faults in feedback elements and actuators are the most demanding because there is often very little time to detect a fault before the fault effect occurs.
(Figure 3.9: conversion instants marked along a time axis at Ts, 2Ts and 3Ts; only the axis labels are recoverable.)

Figure 3.9: Triple conversion sampling has only marginal overhead but offers both significant electromagnetic spike suppression and a consistency check within one sample.
3.6 Actuators

Columns of the table: Actuator; Type of input to component; Computer interface; Comments.

Three-way valve with AC motor positioner
  Type of input to component: a) closure of the "O" contact activates the "open" relay (220 V AC); b) closure of the "C" contact activates the "close" relay (220 V AC).
  Computer interface: a) close the "O" contact for opening (digital output relay); b) close the "C" contact for closing (digital output relay); c) potentiometer input; d) 2 NC switch inputs.
  Comments: a and b) the valve moves as long as the open or close signals are present; c) angle indication with potentiometer; d) end position indication with 2 NC switches.

Second actuator (name missing on the page)
  Type of input to component: a) closed contact activates start (220 V AC).
  Computer interface: a) close contact for start (digital output relay); b) NC switch to indicate running.
  Comments: timing of the start sequence is local within the starter; c) NC switch to indicate local
Actuator fault detection can be made using information on both control and feedback signals from the actuator. Analytic redundancy and model based methods are very efficient in this respect. These methods use knowledge about static and, if needed, dynamic relations within the actuator to

Specific requirements:

1. Short-circuit between any two wires or any wire and ground shall be detected.
2. Any open connection shall be detected.
Chapter 4

Change Detection. Residuals are generated by means of a mathematical system model and measurements. Residuals are signals that carry information on the system's operational conditions, i.e., whether the system operates under normal or abnormal conditions.
(Figure 4.1, block diagram; only the block labels are recoverable: Process & Control, Change Detector, Change Evaluation, Fault Accommodator.)
The procedure of model based FDI is shown in Fig. 4.1. When model based methods are applied for FDI, it is necessary that input/output signals of the monitored process are available and that the dynamic characteristics of the system are known with a reasonable degree of precision. The information about the faults contained in the residuals depends highly on the available model. An accurate model gives residuals with desirable relations between the residuals and the faults. An inaccurate model will produce relations which deviate from the desired ones. An inaccurate model must necessarily be used when the process knowledge is low and/or in order to decrease the design and on-line calculation complexity.

Several articles concerning FDI investigations using model based methods have been published. Examples are Patton, Frank and Clarke (1989) [45], Patton and Chen (1991) [42], Frank (1991) [19], Isermann (1991) [16], the classic survey paper by Willsky (1976) [50] and later surveys by Frank (1990) [18], Isermann (1994) [29], and Gertler (1993) [25]. Methods for statistical change detection are dealt with in the next chapter. A key reference is detailed in Basseville and Nikiforov (1993) [3].
- With incipient component faults detected for use in maintenance planning, the FDI response may be rather slow (minutes to hours).
- With abrupt component faults in a process where detection is used for operator assisted change of operational mode, detection must be more responsive (seconds to minutes).
- If abrupt faults in set-point values to a closed loop control are considered, and used by the controller for automatic re-configuration, the time to detect should be within a few samples (5 to 10).
- If abrupt faults in feedback elements in a closed loop control are considered, the time to detect must be within one to two samples.
(4.1)

where $x(k)$ is the state vector. $A, B, C, D$ are known system matrices, $E_1$ and $E_2$ are known matrices for unknown inputs and $F_1$ and $F_2$ are known fault entry matrices. $w(k)$ and $v(k)$ are discrete time Gaussian white noise processes (vectors) with zero mean and covariances

$$E\left[w(k)w^T(k)\right] = \Sigma_1, \qquad E\left[w(k)v^T(k)\right] = \Sigma_{12}, \qquad E\left[v(k)v^T(k)\right] = \Sigma_2$$ (4.2)
- Kalman filtering.
- Parameter estimation.
- Statistical change detection.

The geometric approaches generate residuals which contain information of system changes due to faults, as changes in magnitude. Under ideal conditions, when the system operates normally, residuals are close to zero. If a faulty condition arises, one or more elements of the residual vector change to nonzero.

The statistical approaches generate residuals with information of changes in the system statistics due to faults, e.g., changes in mean value or covariance.

$$r(z) = H(z)f(z)$$ (4.6)

Definition 1

(4.7)
(Block diagram of residual generation; only the block labels are recoverable: Inputs, Physical Plant, Outputs, Plant Model, Error signals, Output error, Filter, Residuals.)
(4.8)
The geometric interpretation is depicted in Fig. 4.3, where three faults are considered.

Definition 2 (Isolability):

(4.9)

Isolability means that the i-th residual is affected by only the i-th fault; then the fault has been isolated (Frank, 1990) [18].

The faults $f_1(k), f_2(k), \dots, f_m(k)$ can be detected and isolated simultaneously.
(Figure 4.3: fault space spanned by the residuals $r_1$, $r_2$; only the axis labels are recoverable.)
The faults $f_1(k), f_2(k), \dots, f_m(k)$ can be detected and isolated one at a time.

The first approach leads to a single residual generator where the residual vector $r(k)$ is filtered to give the desired sensitivity to particular faults. The second can be implemented as a bank of filters, each being sensitive to a particular fault. The two strategies are elaborated below.

(4.10)

If the fault $f_i(k)$ happens, then all residuals except the i-th will respond to that fault. The number of residuals must be larger than two. The geometric interpretation is depicted in Fig. 4.4. With a single residual generator configuration, the number of possible error signals equals the number of available measurements. This gives one bound on the number of faults it is possible to isolate. If $m$ measurements are considered, $m$ error signals can be constructed. The faults are mapped on components of the residual vector following Eq. 4.8. The number of faults which theoretically can be detected and isolated is $n \le m$. The fault isolation procedure depends on the possibility of designing a filter so that each component of the residual vector has specific properties to particular fault effects or a combination of these.
(Figure 4.4: residual plane with axes $r_1$, $r_2$ and the directions of Fault 2 and Fault 3; only the labels are recoverable.)

Figure 4.4: Geometric interpretation for detection and isolation of one fault at a time.

(Figure 4.5: block diagram with Plant, Plant Model, Filter, the output $y$, the estimate $\hat{y}$ and their difference; only the labels are recoverable.)

Figure 4.5: Geometric interpretation for simultaneous fault detection and isolation.
description, referring to Eq. (4.5) without noise contributions:

$$\hat{y}(k) = H_u(z)\,u(k)$$ (4.11)

(4.12)

Those error signals can be sensitive to all potential faults and the disturbances. A filter $W(z)$ is constructed to generate residuals, $r(k) = W(z)e(k)$, which have the desired properties to faults.

To decouple the disturbances, $W(z)H_{ud}(z)$ must be zero. Fault detection can now be performed but not fault isolation. For detection and isolation of the i-th fault on the i-th residual, the i-th row of $W(z)$ multiplied with any column of $H_f(z)$ except the i-th must equal zero.
(4.13)

where $\hat{x}(k)$ are the estimated states, $\hat{y}(k)$ the estimated outputs and $K$ is the observer feedback gain matrix.

Using $G = A - KC$, the state estimation error, $e_x(k)$, and the output error become:

$$e_x(k) = (zI - G)^{-1}\left[(F_1 - KF_2)f(k) + (E_1 - KE_2)d(k) + w(k) - Kv(k)\right]$$
$$e_y(k) = y(k) - \hat{y}(k) = Ce_x(k) + E_2 d(k) + F_2 f(k) + v(k)$$ (4.14)

The error vector $e_y(k)$ can be given fault specific properties by multiplication with a filter matrix $W(z)$,

$$r(z) = W(z)e_y(z)$$ (4.15)

The task is to design the observer feedback gain $K$ and the filter matrix $W$ so that the observer has optimal properties to faults and unknown inputs.
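The observer-based residual of Eqs. (4.13) to (4.15), as an added example in Python (not code from the original document). A constructed two-state plant is tracked by a Luenberger observer with gain $K$; the output error $e_y(k) = y(k) - \hat{y}(k)$ is used directly as the residual, i.e. $W = I$, and the only fault is an additive sensor bias entering through $F_2$ (so $F_1 = 0$, no unknown inputs, no noise). The matrices $A$, $B$, $C$, the gain $K$, the initial conditions and the fault size are assumptions; they are chosen so that $G = A - KC$ has poles 0.7 and 0.5, which makes the initial estimation error die out before the fault is injected.

```python
"""Observer-based residual generation, in the form of Eqs. (4.13)-(4.15).

Added example, not from the original document. A constructed two-state
plant x(k+1) = A x(k) + B u(k), y(k) = C x(k) + F2 f(k) is tracked by a
Luenberger observer with gain K; the output error e_y(k) = y(k) - yhat(k)
is used directly as the residual (W = I). F1 = 0, i.e. the single fault
f(k) is an additive sensor bias. Matrices, gain and fault size are
assumptions chosen so that G = A - K C has poles 0.7 and 0.5.
"""
from typing import List, Tuple

Vec = List[float]
Mat = List[List[float]]

A: Mat = [[0.9, 0.1], [0.0, 0.8]]
B: Vec = [0.0, 1.0]      # one input
C: Vec = [1.0, 0.0]      # one output
K: Vec = [0.5, 0.3]      # observer gain
F2 = 1.0                 # fault entry into the output equation


def matvec(m: Mat, v: Vec) -> Vec:
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def observer_matrix() -> Mat:
    """G = A - K C, the error dynamics matrix of Eq. (4.14)."""
    return [[A[i][j] - K[i] * C[j] for j in range(2)] for i in range(2)]


def observer_poles() -> Tuple[float, float]:
    """Eigenvalues of the 2x2 matrix G from its trace and determinant."""
    g = observer_matrix()
    tr = g[0][0] + g[1][1]
    det = g[0][0] * g[1][1] - g[0][1] * g[1][0]
    disc = (tr * tr - 4.0 * det) ** 0.5
    return (round((tr + disc) / 2.0, 6), round((tr - disc) / 2.0, 6))


def simulate(n_steps: int = 100, fault_at: int = 60, fault_size: float = 2.0,
             u: float = 1.0) -> List[float]:
    """Return the residual sequence e_y(k) for a sensor bias starting at fault_at.

    The observer starts with an initial estimation error, so e_y decays
    with the poles of G before the fault and then jumps by the bias.
    """
    x: Vec = [1.0, 0.5]
    xhat: Vec = [0.0, 0.0]
    residuals: List[float] = []
    for k in range(n_steps):
        f = fault_size if k >= fault_at else 0.0
        y = dot(C, x) + F2 * f
        e_y = y - dot(C, xhat)
        residuals.append(e_y)
        x = [ax + b * u for ax, b in zip(matvec(A, x), B)]
        xhat = [ax + b * u + kk * e_y for ax, b, kk in zip(matvec(A, xhat), B, K)]
    return residuals


def first_alarm(residuals: List[float], threshold: float, settle: int) -> int:
    """Index of the first residual above threshold after the observer has settled."""
    for k, r in enumerate(residuals):
        if k >= settle and abs(r) > threshold:
            return k
    return -1


if __name__ == "__main__":
    res = simulate()
    print("observer poles:", observer_poles())
    print("fault detected at sample", first_alarm(res, threshold=0.1, settle=10))
```

The residual is 2.0 at the sample where the bias appears and then settles at a nonzero value (4/15 for these matrices), because the observer feeds the corrupted output back through $K$ and partly absorbs the bias into its state estimate; this is exactly why the text goes on to design $K$ and $W$ together rather than using the raw output error.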
Several methods exist for designing the two matrices. One is the eigenstructure assignment approach, Patton and Chen (1991) [42]. This approach for observer design is based on the eigenpair equations, with $v_j$ as right eigenvector of $G$, $w_j^T$ as left eigenvector of $G$, and $\lambda_j$ an eigenvalue:

$$[\lambda_j I - G]v_j = 0, \qquad w_j^T[\lambda_j I - G] = 0, \qquad \det(\lambda_j I - G) = 0$$ (4.16)

Following the matrix inversion lemma:

$$(A + BCD)^{-1} = A^{-1} - A^{-1}B\left(C^{-1} + DA^{-1}B\right)^{-1}DA^{-1}$$ (4.17)

Since this lemma is valid for all sets of $A, B, C, D$ matrices having appropriate dimensions, and $A$ being invertible, we may use the following renaming: $A \to C^{-1}$, $B \to D$, $C \to A^{-1}$, $D \to B$ and obtain

$$\left(C^{-1} + DA^{-1}B\right)^{-1} = C - CD(A + BCD)^{-1}BC$$ (4.18)

This is used to rewrite the estimation error $e_x(k)$ in Eq. (4.15) by setting $(zI - G)^{-1} = (A + BCD)^{-1}$, i.e., $zI = A$ and $-G = BCD$. Then $e_x(k)$ becomes:

$$e_x(k) = \left(z^{-1}I + Gz^{-2} + \dots\right)\left[(E_1 - KE_2)d(k) + (F_1 - KF_2)f(k)\right] = z^{-1}\sum_{m=0}^{\infty} G^m z^{-m}\left[(E_1 - KE_2)d(k) + (F_1 - KF_2)f(k)\right]$$ (4.19)

$$r(z) = W\left[Cz^{-1}\sum_{m=0}^{\infty} G^m z^{-m}\left((E_1 - KE_2)d(z) + (F_1 - KF_2)f(z)\right) + E_2 d(z) + F_2 f(z)\right] = W\left[Cz^{-1}\sum_{m=0}^{\infty} G^m z^{-m}E_{1tot} + E_{2tot}\right]u_{tot}(z)$$ (4.20)
where

(4.21)

The goal is to design the matrices $W$ and $K$ so that one residual, $r_i(k)$, from the vector $r(k)$ in Eq. (4.21) is decoupled from other influences (fault or unknown input) except the particular fault $f_i(k)$. The left and right eigenvector assignments are described for this purpose.
Left Side Eigenvector Assignment

If a row $w_j^T C$ of $WC$ in Eq. (4.21) is made a left eigenvector of $G$ for an eigenvalue $\lambda_j$, then in relation to Eq. (4.16):

$$WC(\lambda_j I - G) = 0 \;\Leftrightarrow\; WC\lambda_j = WCG$$ (4.22)

$$WC\sum_{m=0}^{\infty} G^m z^{-m} = WC\sum_{m=0}^{\infty}\lambda_j^m z^{-m}$$ (4.23)

Using Eq. (4.23) in Eq. (4.21) gives the residual:

$$r(z) = W\left[Cz^{-1}\sum_{m=0}^{\infty}\lambda_j^m z^{-m}E_{1tot} + E_{2tot}\right]u_{tot}(z)$$ (4.24)

The limit value of the sum as $m$ goes to infinity is:

$$\sum_{m=0}^{\infty}\left(\frac{\lambda_j}{z}\right)^m = \frac{z}{z - \lambda_j}$$

and the residual becomes:

$$r_j(z) = W\left[\frac{CE_{1tot}}{z - \lambda_j} + E_{2tot}\right]u_{tot}(z)$$ (4.25)
This means that the left side eigenstructure assignment results in a filter matrix which is independent of $z$.

If $W$ furthermore is designed so that the i-th row of $W$ multiplied with any column except the i-th of $CE_{1tot}$ and $E_{2tot}$ equals 0, then the i-th residual is only affected by the i-th disturbance. Fault detection and isolation of the i-th fault is thus accomplished.
Right Side Eigenvector Assignment

If all columns of $E_{1tot}$ in Eq. (4.21) are made right eigenvectors of $G$ for an eigenvalue $\lambda_j$, then in relation to Eq. (4.16):

$$(\lambda_j I - G)E_{1tot} = 0 \;\Leftrightarrow\; \lambda_j E_{1tot} = GE_{1tot}$$ (4.26)

$$\Leftrightarrow\; \sum_{m=0}^{\infty}\lambda_j^m E_{1tot} = \sum_{m=0}^{\infty}G^m E_{1tot}$$ (4.27)

Substituting Eq. (4.27) into Eq. (4.21), $r(k)$ will take the form of Eq. (4.25).

The right side eigenstructure assignment determines the values in $K$ but not $W$. The latter matrix is therefore free for further decoupling of any other external influence except the fault to be detected.

Still, if the i-th disturbance is to be detected on the i-th residual, then the i-th row of $W$ multiplied with any column except the i-th of

$$\frac{CE_{1tot}}{z - \lambda_j} + E_{2tot}$$ (4.28)

must equal 0. The result is that all influences except the i-th fault are decoupled from the i-th residual. In this design $W$ becomes a function of $z$. Alternatively, the $W$ matrix design can be done as described for the left side assignment, where $W$ is independent of $z$.

Instead of making each column of $E_{1tot}$ a right eigenvector of $G$, it may be sufficient to use only selected columns. If, for instance, the i-th fault within the fault vector $f(k)$ in Eq. (4.21) is to be detected, then every column of $E_{1tot}$ except the i-th is made a right eigenvector of $G$.
$$e_x(k+1) = Tx(k+1) - z(k+1) = Me_x(k) + (TA - MT - LC)x(k) + (TB - J)u(k) + (TE_1 - LE_2)d(k) + (TF_1 - LF_2)f(k)$$ (4.29)

$$e_y(k) = y(k) - CT^{-1}z(k) = C\left(x(k) - T^{-1}z(k)\right) + E_2 d(k) + F_2 f(k) = CT^{-1}e_x(k) + E_2 d(k) + F_2 f(k)$$ (4.30)

Now if every part involving the states, the inputs and the unknown inputs can be made zero, the state estimation error will only be influenced by the faults, i.e.:

$$TA - MT - LC = 0, \qquad TB - J = 0, \qquad TE_1 - LE_2 = 0$$ (4.31)

and the estimation and output errors become:

$$e_x(k) = (zI - M)^{-1}(TF_1 - LF_2)f(k)$$
$$e_y(k) = CT^{-1}(zI - M)^{-1}(TF_1 - LF_2)f(k) + E_2 d(k) + F_2 f(k)$$ (4.32)

Decoupling of the unknown inputs $d(k)$ from the residual then requires

$$W(z)E_2 = 0$$

Detection and isolation of the i-th fault on the i-th residual implies that the i-th row of $W(z)$ multiplied with any column of

$$CT^{-1}(zI - M)^{-1}(TF_1 - LF_2) + F_2$$ (4.33)

except the i-th must equal zero.
is knowledge of the system statistics, both under normal and faulty conditions, and the system descriptions. Inspection of changes in mean value or covariance of the quantities is used for determining whether a fault has occurred. The detection problem is further elaborated in the chapter on statistical fault detection.

$$e_x(k+1) = x(k+1) - \hat{x}(k+1)$$
$$e_x(k+1) = Ge_x(k) + (E_1 - KE_2)d(k) + (F_1 - KF_2)f(k) + w(k) - Kv(k)$$
$$e_x(k) = (zI - G)^{-1}\left((E_1 - KE_2)d(k) + (F_1 - KF_2)f(k) + w(k) - Kv(k)\right)$$
$$e_y(k) = y(k) - \hat{y}(k)$$
$$e_y(k) = Ce_x(k) + E_2 d(k) + F_2 f(k) + v(k)$$ (4.34)

The design approach is, normally, to minimize the variance of the estimation error, which is denoted $P(k)$:

(4.35)

The latter is the usual vector Riccati equation where the covariance matrices of state and measurement noise are

$$\Sigma_v = E\left[vv^T\right], \qquad \Sigma_w = E\left[ww^T\right]$$
Fault specific properties can be given to the error vector $e_y(k)$ by multiplying with a filter matrix $W$ so that:

(4.37)

This filter must ensure that unknown inputs are decoupled from $r(k)$, and that the desired properties to the faults are obtained. If the i-th row of the matrix in

$$r(k) = W\left[C(zI - G)^{-1}(E_1 - KE_2) + E_2\right]d(k)$$ (4.38)

equals zero, then the unknown inputs are decoupled from the i-th residual. It is now possible to make fault detection, but not isolation, because the i-th residual depends on all faults. If the i-th fault, $f_i(k)$, contained in the vector $f(k)$, is to be detected and isolated from all other faults on the residual $r_i(k)$, then the i-th row of the matrix in

$$r(k) = W\left[C(zI - G)^{-1}(F_1 - KF_2) + F_2\right]f(k)$$ (4.39)

must equal zero as well, except for its i-th element. This procedure determines the i-th row of the filter matrix $W$ and is repeated for every other row.

The matrix $W$ is a function of $z$. If $m$ influences are to be detected and isolated simultaneously, then $m$ innovations must be available and $m - 1$ disturbances must be decoupled from each of them. The result is residuals which are sensitive to only one influence. Usually, the Kalman filtering used for statistical FDI is configured as a bank of filters.

The overall structure of the filter bank is illustrated in Fig. 4.6. If no fault is present, both $r_s(k)$ and $r_a(k)$ are innovations with zero mean and a known covariance. On the other hand, if the system actuator fails, then $r_a(k)$ is distributed as $N(\mu_f, \Sigma_f)$, while $r_s(k)$ is still distributed as $N(0, \Sigma)$ (Gertler, 1988) [23], Tzafestas and Watanabe (1990) [48].
(Figure 4.6, block diagram; only the labels are recoverable: Plant; Kalman filter for sensor fault detection, output $r_s$; Kalman filter for actuator fault detection, output $r_a$.)

$$\hat{y}(k) = \theta^T\varphi(k)$$ (4.41)

(4.42)

(4.43)
is minimized by optimizing the performance function, which means that the parameters change with system changes.

When the nominal parameters and their variance are known, fault detection can be performed by comparing the estimated values with their nominal values. The procedure of generating residuals by means of parameter identification is shown in Fig. 4.7. If a fault happens it is detected as a change in the mean value of the parameter vector $\theta$.

Procedures and methods for parameter estimation in the FDI frame are treated in (Isermann, 1991 [28]; Isermann, 1984 [27]; Tzafestas and Watanabe, 1990 [48]; Ljung and Söderström, 1983 [35]; Ljung, 1987 [34]).

(Figure 4.7, block diagram; only the labels are recoverable. Online path: inputs $f$, $u$, $u_d$ to the actual plant, parameter identification giving $\theta$, calculation of physical parameters $P$. Offline path: nominal plant, parameter identification giving $\theta_n$, calculation of physical parameters $P_n$. Determination of changes: $\Delta P = P_n - P$.)
Chapter 5

$$x = \begin{bmatrix} x_1 \\ \vdots \\ x_n \end{bmatrix}, \qquad \mu_x = \bar{x} = E\{x(t)\}$$

$$\sigma^2 = \lim_{N\to\infty}\frac{1}{N}\sum_{i=0}^{N}\left(x(t) - \bar{x}\right)^2$$ (5.2)

$$Q = E\left\{(x - \bar{x})(x - \bar{x})^T\right\} = \begin{bmatrix}\sigma^2_{11} & \sigma^2_{12} & \dots \\ \sigma^2_{21} & \dots & \dots \\ \dots & \dots & \sigma^2_{nn}\end{bmatrix}$$ (5.4)
$$y_k = Cx_k + v$$

where $v$ and $w$ are measurement noise and process noise, respectively, with covariances

$$E\left[ww^T\right] = Q_w, \qquad E\left[vv^T\right] = Q_v$$

The mean value is simply given by the propagation of the mean value of the noise through the filter

$$\bar{y} = \lim_{z\to 1} C(zI - A)^{-1}Bw + v$$

which, naturally, is just expressing the DC gain of the filter. The variance at the output of a filter is only slightly more complicated to calculate, and the following expression is very useful to know, and remember, since the sole purpose of most filtering is to reduce the variance of the stochastic part of a signal. With $P$ being the variance of the output,

$$P = E\left\{(y - \bar{y})(y - \bar{y})^T\right\}$$

then, for the continuous time system

$$\dot{x} = Ax + B\varepsilon, \qquad y = Cx + \eta$$

where $\varepsilon$ and $\eta$ are continuous time stochastic processes with intensities $Q_\varepsilon$ and $Q_\eta$, $P$ is defined by

$$\dot{P} = AP + PA^T + BQ_\varepsilon B^T + Q_\eta$$

The steady state solution is obtained by setting $\dot{P} = 0$ and solving the resulting algebraic matrix Riccati equation. There are standard routines to do this. Setting $\dot{P}$ equal to zero gives the steady state covariance matrix.
$$K_N(\theta_0; \theta_1)$$ (5.5)

$$p(r(i)) = N(\mu, Q)$$ (5.6)

where $p_x(r_k(1), r_k(2), \dots, r_k(i))$ is the probability density function for the sequence with mean value $\mu_x$, taken over the samples $r_k(1)$ to $r_k(i)$. The change is said to be detectable if the Kullback distance exists and satisfies:

$$K(\theta_0; \theta_1) > 0$$ (5.7)
In other words, a change is detectable if the log likelihood ratio has changed after a fault. In order to be statistically detectable, the mean value $\mu_0$ needs to be known, or estimated, for the system operating under normal conditions. The description considers changes from normal to faulty conditions, and not changes from one faulty situation to another. The Kullback measure is illustrated in the following example.

$$K(\theta_0; \theta_1) = \frac{1}{N}\sum_{i=1}^{N}\ln\frac{p_{H_1}(r_i)}{p_{H_0}(r_i)}$$ (5.9)

or

$$s_i = \ln\frac{p_{H_1}(r_i)}{p_{H_0}(r_i)} = \ln\left(\frac{\dfrac{1}{\sigma_1\sqrt{2\pi}}\exp\left(-\dfrac{(r_i - \mu_1)^2}{2\sigma_1^2}\right)}{\dfrac{1}{\sigma_0\sqrt{2\pi}}\exp\left(-\dfrac{(r_i - \mu_0)^2}{2\sigma_0^2}\right)}\right)$$ (5.10)

$$s_i = \ln\frac{\sigma_0}{\sigma_1} + \frac{(r_i - \mu_0)^2}{2\sigma_0^2} - \frac{(r_i - \mu_1)^2}{2\sigma_1^2}$$ (5.11)
It is useful to look at one change of property only. We thus assume that a residual generator has been designed such that, upon occurrence of a certain fault, the residual will change in the prescribed way.

A change in mean from $\mu_0$ to $\mu_1$, with unchanged variance $\sigma_0 = \sigma_1 = \sigma$, gives

$$s_i = \frac{\mu_1 - \mu_0}{\sigma^2}\left(r_i - \frac{\mu_1 + \mu_0}{2}\right)$$ (5.12)

A change in variance from $\sigma_0$ to $\sigma_1$, with unchanged mean $\mu$, gives

$$s_i = \ln\frac{\sigma_0}{\sigma_1} + \frac{\sigma_1^2 - \sigma_0^2}{2\sigma_0^2\sigma_1^2}\left(r_i - \mu\right)^2$$ (5.13)

This means that the log likelihood ratio is a function of the observation $r_i$ and that the Kullback distance is an average of those over $N$ observations,

$$K(\theta_0; \theta_1) = \frac{1}{N}\sum_{i=1}^{N} s_i$$ (5.14)

(5.15)
(Block diagram of a model with additive model uncertainty; only the labels are recoverable: $u$, $G_u + \Delta G_u$, $H_y$, $H_u$, a summing junction, $\hat{y}$, $\|\Delta G_u(z)\|$.)

(5.17)

(5.18)

$$h(k) = \left(I - H_y(z)\right)u(k)$$ (5.19)

$$\frac{(r_k - \mu)^2}{2\sigma^2}$$ (5.20)
5.4.1

The WSSR technique uses the relation between a Gaussian and a $\chi^2$ distribution. The following is described for the one-dimensional case, but can easily be converted to the multi-variable case. One residual generated from a Kalman filter, $[r(1), r(2), \dots, r(j)] = r$ where $j$ is the number of samples, is characterized by a Gaussian distribution with zero mean and a covariance $\sigma^2$. The sum of the squared samples $[r^2(1) + r^2(2) + \dots + r^2(j)] = (r^2)$ has a $\chi^2$ distribution. If the Gaussian distribution is given by $N(0, 1)$, then the sum of squares has the distribution $\chi^2(n)$, where $n$ is the number of degrees of freedom. If $r$ has the distribution $N(\mu, 1)$ then the sum of squares has the distribution $\chi^2(n, \lambda)$, where:

$$\lambda(j) = \sum_{k=1}^{j}\mu^2(k)$$ (5.21)

The mean and the variance of the distribution are given by:

$$\mu_{\chi^2} = n + \lambda$$ (5.22)

$$\sigma^2_{\chi^2} = 2n + 4\lambda$$ (5.23)

If $r$ has the distribution $N(\mu, \sigma^2)$, then the sum of squares has the same distribution as for $\sigma^2 = 1$ when $\sigma \to 1$.

Now, if the residual $r(k)$ is weighted with the standard deviation $\sigma$, which is considered known, then the result, $r_w(k)$, is a signal with zero mean and a variance of one. This means that the distribution of the weighted sum squared sequence, $I(k)$, only contains one parameter for determination, namely the degrees of freedom $n$. $n$ is determined as $j - 1$.

$$r_w(k) = \sigma^{-1} r(k), \qquad I(j) = \sum_{k=1}^{j} r_w^T(k)\,r_w(k) = \sum_{k=1}^{j} r^T(k)\,\sigma^{-2}\,r(k)$$ (5.24)
If a system fault happens, the mean value of the residuals will change. Hypotheses are stated for the different faulty and non-faulty conditions. For instance, the hypothesis that nothing has occurred, $H_0 = \{\mu : \mu = \mu_0\}$, and the hypothesis that something has occurred, $H_1 = \{\mu : \mu \ne \mu_0\}$, give the following detection rule using the weighted sum squared sequence $I(k)$ and a decision threshold $\varepsilon$:

accept $H_0$ if $I(k) \le \varepsilon$
reject $H_0$ (or accept $H_1$) if $I(k) > \varepsilon$

With the aid of $\chi^2$ tables, the values for the innovation window length (degrees of freedom) and the decision threshold must be chosen so that a trade-off is made between the probability of false detections (rejecting $H_0$ when it really should be accepted, or accepting $H_1$ when the reality is $H_0$), $P_F$, and the probability of missed detections (accepting $H_0$ when it really should be rejected, or accepting $H_0$ when the reality is $H_1$), $P_M$. $P_F$ can be determined from the choice of confidence level $\alpha = 1 - P_F$. $\alpha$ is typically chosen as 0.95, 0.995 or 0.999, giving a probability of false detection of 5%, 0.5% or 0.1% respectively. $P_M$ depends on the statistics of the sequence when a fault is present, which might not be known. The decision rule can be written as:

$$g(k) = \begin{cases} 1 & \text{if } I(k) > \varepsilon \\ 0 & \text{otherwise}\end{cases}$$ (5.25)

In the above formulation, the algorithm runs only once. The algorithm should be reset to zero every time a hypothesis has been confirmed, in order to run sequentially for on-line detection.
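The WSSR test of Eqs. (5.24) and (5.25), run sequentially with a reset after every decision as the paragraph above requires, as an added example in Python (not code from the original document). The residual sequence, the assumed known standard deviation $\sigma = 0.5$ and the window length of 20 samples are constructed; the $\chi^2$ quantile that the text takes from tables is computed here with the Wilson-Hilferty approximation, which is an assumption of this example and agrees with the tabulated value to about two decimals for the degrees of freedom used.

```python
"""Weighted sum-squared residual (WSSR) test, Eqs. (5.24)-(5.25).

Added example, not from the original document. Residuals from a
hypothetical generator are weighted by the known standard deviation sigma,
squared and summed over a window of j samples, giving I(j); under H0 the
sum is chi-square distributed with n = j - 1 degrees of freedom. The
chi-square quantile is computed with the Wilson-Hilferty approximation
(an assumption standing in for the table lookup mentioned in the text).
Sample residuals are constructed below.
"""
import math
from typing import List, Tuple

# Standard normal quantiles for the confidence levels named in the text.
_Z = {0.95: 1.6449, 0.995: 2.5758, 0.999: 3.0902}


def chi2_quantile(n: int, alpha: float) -> float:
    """Approximate chi-square quantile with n degrees of freedom (Wilson-Hilferty)."""
    z = _Z[alpha]
    c = 2.0 / (9.0 * n)
    return n * (1.0 - c + z * math.sqrt(c)) ** 3


def wssr(residuals: List[float], sigma: float) -> float:
    """I(j) of Eq. (5.24): sum of squared residuals weighted by 1/sigma^2."""
    return sum((r / sigma) ** 2 for r in residuals)


def wssr_detector(residuals: List[float], sigma: float, window: int,
                  alpha: float = 0.95) -> List[Tuple[int, str]]:
    """Run the test sequentially: decide after each window of samples, then reset.

    Returns (index of the last sample in the window, "H0" or "H1"). The
    false alarm probability per decision is 1 - alpha.
    """
    threshold = chi2_quantile(window - 1, alpha)   # n = j - 1 as in the text
    decisions: List[Tuple[int, str]] = []
    acc, count = 0.0, 0
    for k, r in enumerate(residuals):
        acc += (r / sigma) ** 2
        count += 1
        if count == window:
            decisions.append((k, "H1" if acc > threshold else "H0"))
            acc, count = 0.0, 0          # reset for on-line use
    return decisions


# Constructed residual sequence: bounded zero-mean wobble (sigma assumed
# 0.5) for 100 samples, then a mean shift of +2.0 for 100 samples.
SIGMA = 0.5
RESIDUALS: List[float] = [0.4 * math.sin(k) for k in range(100)] + \
                         [2.0 + 0.4 * math.sin(k) for k in range(100, 200)]

if __name__ == "__main__":
    for k, hyp in wssr_detector(RESIDUALS, SIGMA, window=20):
        print(k, hyp)
```

For a window of 20 samples the threshold is about 30.1 at $\alpha = 0.95$; the five windows before the shift stay well below it and the five after it exceed it by an order of magnitude, so the first fault decision falls at the end of the first window that contains the changed mean.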
5.4.2

$H_0$ and $H_1$, is described. The tool for testing between the two hypotheses is based on the log-likelihood ratio, defined by:

$$s(j) = \ln\frac{p_{H_1}(r_i(1), r_i(2), \dots, r_i(j))}{p_{H_0}(r_i(1), r_i(2), \dots, r_i(j))}$$ (5.26)

where $p_{H_i}(r_i(1), r_i(2), \dots, r_i(j))$ is the probability density function considering that hypothesis $H_i$ is true, taken over the samples $r_i(1)$ to $r_i(j)$. The expectation value of $s(j)$, $E[s(j)]$, when hypothesis $H_0$ is true is less than zero, while it is above zero when hypothesis $H_1$ is true. A change in the mean value is then reflected as a change of sign in the mean value of $s(j)$. The cumulative sum of $s(j)$:

$$S(j) = \sum_{k=1}^{j} s(k)$$ (5.27)

is the log likelihood ratio for the observations from $r(1)$ to $r(j)$ and is the decision function when testing between $H_0$ and $H_1$ using the following decision rule:

accept $H_0$ when $S \le a$
accept $H_1$ when $S \ge h$
continue to observe and test when $a < S < h$

which can be rewritten as:

$$g(r) = \begin{cases} 1 & \text{when } S \ge h \\ 0 & \text{when } S \le a\end{cases}$$ (5.28)

The threshold values $a$ and $h$ must fulfil the inequality $a < S < h$. The two threshold values can be selected by the designer to reflect the trade-off between the probability of false alarms $P_F$ ($H_1$ (a fault) is detected but the real condition is $H_0$ (no fault)) and the probability of missed detections $P_M$ ($H_0$ (no fault) is detected but the real condition is $H_1$ (fault)). Determination of the threshold values using $P_F$ and $P_M$ directly was proposed by Deckert (1978) [14]. The thresholds $h$ and $a$ are given by

$$h = \ln\left(\frac{1 - P_M}{P_F}\right), \qquad a = \ln\left(\frac{P_M}{1 - P_F}\right)$$ (5.29)
This is a very useful result from an engineering point of view. In an implementation, it will usually be decided to run the test sequentially. This means that as soon as one of the thresholds is reached, the associated hypothesis is declared TRUE, and the test is restarted. This enables us to find a fault that occurs at a random instant in time. While the test runs for the first time, we cannot assume any of the hypotheses to be true with the desired probability ($P_M$, $P_F$):
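The sequential test of Eqs. (5.27) to (5.29), with the per-sample log-likelihood ratio of Eq. (5.12) for a change in mean and the restart after each decision described in the paragraph above, as an added example in Python (not code from the original document). The means $\mu_0 = 0$ and $\mu_1 = 2$, the standard deviation $\sigma = 0.5$, the probabilities $P_F = P_M = 0.01$ and the residual sequence are constructed assumptions; the Kullback distance of Eq. (5.14) is included as the average of the same increments.

```python
"""Sequential probability ratio test on residuals, Eqs. (5.12), (5.27)-(5.29).

Added example, not from the original document. For a change in mean from
mu0 to mu1 with unchanged variance sigma^2, the per-sample log-likelihood
ratio s_i of Eq. (5.12) is accumulated into S(j) of Eq. (5.27); the
thresholds of Eq. (5.29) follow from the chosen false-alarm probability
P_F and missed-detection probability P_M, and the test restarts after
every decision, as the text describes. Means, sigma, P_F, P_M and the
residual sequence are constructed assumptions.
"""
import math
from typing import List, Tuple


def llr_increment(r: float, mu0: float, mu1: float, sigma: float) -> float:
    """s_i of Eq. (5.12): ((mu1 - mu0)/sigma^2) * (r - (mu1 + mu0)/2)."""
    return (mu1 - mu0) / sigma ** 2 * (r - (mu1 + mu0) / 2.0)


def kullback_distance(residuals: List[float], mu0: float, mu1: float,
                      sigma: float) -> float:
    """Eq. (5.14): average of s_i over the N observations."""
    return sum(llr_increment(r, mu0, mu1, sigma) for r in residuals) / len(residuals)


def thresholds(p_f: float, p_m: float) -> Tuple[float, float]:
    """Eq. (5.29): a = ln(P_M / (1 - P_F)), h = ln((1 - P_M) / P_F)."""
    return math.log(p_m / (1.0 - p_f)), math.log((1.0 - p_m) / p_f)


def sprt(residuals: List[float], mu0: float, mu1: float, sigma: float,
         p_f: float, p_m: float) -> List[Tuple[int, str]]:
    """Sequential test: accept H1 when S >= h, H0 when S <= a, else keep observing.

    After each decision S is reset to zero so that a fault occurring at a
    random instant is still found. Returns (sample index, decision).
    """
    a, h = thresholds(p_f, p_m)
    s_cum = 0.0
    decisions: List[Tuple[int, str]] = []
    for k, r in enumerate(residuals):
        s_cum += llr_increment(r, mu0, mu1, sigma)
        if s_cum >= h:
            decisions.append((k, "H1"))
            s_cum = 0.0
        elif s_cum <= a:
            decisions.append((k, "H0"))
            s_cum = 0.0
    return decisions


# Constructed residuals: mean 0 with a bounded wobble, then mean 2.0 from
# sample 100 on; sigma assumed 0.5.
MU0, MU1, SIGMA = 0.0, 2.0, 0.5
RESIDUALS: List[float] = [0.4 * math.sin(k) for k in range(100)] + \
                         [MU1 + 0.4 * math.sin(k) for k in range(100, 200)]


def first_fault_decision(p_f: float = 0.01, p_m: float = 0.01) -> int:
    """Sample index of the first H1 decision, or -1 if none."""
    for k, hyp in sprt(RESIDUALS, MU0, MU1, SIGMA, p_f, p_m):
        if hyp == "H1":
            return k
    return -1


if __name__ == "__main__":
    print("thresholds (a, h):", thresholds(0.01, 0.01))
    print("first fault decision at sample", first_fault_decision())
```

With a mean shift of four standard deviations every single increment already crosses a threshold, so each sample yields a decision and the fault is declared at the first changed sample; for smaller shifts several samples accumulate before $S$ reaches $h$, which is the detection delay the designer trades against $P_F$ and $P_M$ through Eq. (5.29).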
Bibliography

[1] K. J. Åström, J. J. Anton, and K. E. Årzén. Expert control. Automatica, 22(3):227-286, 1986.

[2] M. Basseville and I. Nikiforov. Statistical Change Detection. Prentice Hall, 1994.

[3] M. Basseville and I. V. Nikiforov. Detection of Abrupt Changes: Theory and Application. Information and System Science. Prentice Hall, New York, 1993.

[4] T. E. Bell. Managing Murphy's law: Engineering a minimum-risk system. Spectrum, 1989.

[5] M. Blanke. Aims and means in the evolution of fault tolerant control. In European Science Foundation Workshop, Control of Complex Systems (COSY), pages 22-32, Sept. 1995.

[entry number missing] Detection, Supervision and Safety for Technical Processes, SAFEPROCESS'91, Baden-Baden, Germany, Sept. 10-13 1991.