Actuator Failure Isolation and ... - ACS Publications

Dec 31, 2008 - In case of sensor failure, the state estimator is reconfigured by removing the ... the states as well as failed actuator signal in the ...
0 downloads 0 Views 275KB Size
Download PDF
1522

Ind. Eng. Chem. Res. 2009, 48, 1522–1535

Online Sensor/Actuator Failure Isolation and Reconfigurable Control Using the Generalized Likelihood Ratio Method Anjali P. Deshpande,† Ujjwal Zamad,† and Sachin C. Patwardhan*,‡ Systems and Control Engineering and Department of Chemical Engineering, Indian Institute of Technology, Bombay, Powai, Mumbai, 400076, India

In processing plants, sensor and/or actuator failures can have considerable deteriorating effect on the closedloop performance. Such failures have to be diagnosed online, as quickly as possible, and actively accommodated to arrest the performance degradation. Active failure tolerance can be achieved by employing model-based failure diagnosis techniques and redesigning/restructuring controller online. In this work, a sensor/actuator failure isolation strategy has been developed under the linear generalized likelihood ratio (GLR) framework. The strategy is then extended to isolation of sensor and actuator failures in nonlinear systems. The infomation on sensor/actuator failures is further used for online reconfiguration of the state estimator and the controller/ control scheme. In case of sensor failure, the state estimator is reconfigured by removing the measurement of failed sensor from the measurement vector. If an observability property is preserved after sensor failure, then an inferential control scheme is employed subsequent to the failure. When an actuator failure is isolated, it is proposed to make modifications in the controller objectives or switch to a new controller to account for the loss of a degree of freedom. The efficacy of the proposed failure diagnosis and control structure reconfiguration schemes is demonstrated by conducting experimental studies on a benchmark heater mixer set up. Analysis of these results reveals that the proposed strategies are able to isolate the failures accurately and recover the closed-loop performance by online reconfiguration of the controller/control scheme. 1. Introduction In processing plants, there are various reasons for degraded performance or complete loss of system functions. These include different faults, unknown disturbances, modeling uncertainties, or complete failure of system components. The effect of unknown disturbances and modeling uncertainties on closedloop behavior can be suppressed considerably by appropriate measures like filtering or robust design of controllers. However, sensor and/or actuator failures, which have considerable deteriorating effect on closed-loop performance, are difficult to handle through such passive approaches. Such failures have to be diagnosed online as quickly as possible and actively accommodated to arrest the propagation of their effects. Active failure tolerance can be achieved by employing failure diagnosis techniques online and redesigning/restructuring a controller on diagnosis of failures. A variety of active reconfiguration control techniques have been proposed in the literature. Konstantopoulous and Antsaklis1 have proposed an active reconfiguration strategy based on eigenstructure assignment. Their approach aims at placing the eigenvalues of the closedloop system at desired locations under a variety of failure conditions. Kanev and Verhaegen2 have proposed to enumerate all expected failure scenarios and construct models, which describe the dynamics of each failure situation. When a failure occurs this scheme switches to a precomputed control law corresponding to the current failure situation. This technique works well with systems with relatively few and well understood failures. On the other hand, Joshi3 has investigated the stability of a multiloop LQG controller under sensor/actuator failures using a single fixed controller. They have designed a failure accommodating the linear quadratic state feedback regulator, * To whom correspondence should be addressed. E-mail: sachinp@ iitb.ac.in. † Systems and Control Engineering. ‡ Department of Chemical Engineering.

which is able to maintain the stability under failure of a subset of actuators. They have also shown that the results on the regulators can be extended via duality to the design of state estimators which can accommodate sensor failures. Yang et al.4 have proposed design of a reliable LQG controller with a known cost bound on the LQG cost, such that closed-loop stability is ensured in the event of sensor failure. In another publication Yang et al.5 have designed a reliable LQ regulator which can tolerate actuator failures, such that the cost of the system is guaranteed to be within a certain bound. Model predictive control (MPC) is one of the most widely used multivariable control schemes in the process industry. Different versions of MPC that can tolerate sensor and actuator failures have also been developed in the process control literature.6-8 All the above-mentioned approaches have looked at the linear systems and linear controller reconfiguration. However very few approaches have dealt with nonlinear systems. Bajpai et al.9 have presented the design of a nonlinear regulator with full state feedback to address the persistent disturbance caused by jammed actuators. They have shown that the nonlinear regulator design achieves significantly better regulation and offers a larger window of safety in the face of time delays in failure detection as compared to linear regulators. However, they assume the existence of an FDI mechanism which manages to identify the failures. Thomas et al.10 have developed a reconfigurable controller based on nonlinear output regulation for nonlinear systems. They have used a composite observer which estimates the states as well as failed actuator signal in the event of actuator failures. The observer is considered as a system of plant dynamics augmented with failed actuator dynamics. Tao et al.11 have presented an output feedback, output tracking adaptive actuator failure compensation scheme for systems with actuator failures such that some unknown inputs are stuck at some unknown fixed values at unknown time instants. The controller works on the principle of adjusting the remaining controls to achieve the desired system performance in the face of failure

10.1021/ie8003122 CCC: $40.75  2009 American Chemical Society Published on Web 12/31/2008

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1523

of a controller with unknown parameters. Recently, Mhaskar et al.12,13 have presented an approach that deals with a control system or actuator failure in nonlinear processes subject to constraints. They have presented an approach for the design of robust hybrid predictive candidate controllers, which guarantees stability from an explicitly characterized set of initial conditions, subject to uncertainty and constraints. Reconfiguration or controller switching is done to activate or deactivate the constituent control configuration in order to achieve fault tolerance. The fault tolerant controller uses the knowledge of the stability regions of the back-up control configurations to guide the state trajectory within the stability regions of the backup control configurations to enhance the fault tolerance capabilities. In another article, Mhaskar et al.14 have presented an integrated fault detection and fault-tolerant control structure, for SISO nonlinear systems with input affine structure and with input constraints, subject to control failures. Their approach is based on identifying a family of candidate control configurations, characterized by different manipulated inputs and designing a Lyapunov-based controller that enforces asymptotic closed-loop stability in the presence of constraints for each control configuration. Mhaskar et al.15 have addressed the problem of control actuator fault detection and isolation and fault-tolerant control for a multi-input multi-output nonlinear system subject to constraints on the manipulated inputs. However, their approaches, as proposed, do not address difficulties arising from failed sensors. Mhaskar et al.16 have developed a fault tolerant control strategy for nonlinear process systems subject to constraints and sensor data losses. They have addressed the problem of controller reconfiguration under sensor failures and intermittent loss of sensor data to achieve closed-loop stability. These approaches assume the existence of an additional degree of freedom which can be utilized to maintain closed-loop stability in the event of failures. When such an additional degree of freedom is not available for controller reconfiguration, Gandhi et al.17 have developed a “safe parking” framework that addresses the problem of determining how to run the process during fault-rectification to enable smooth resumption of nominal operation. The safe park points (equilibrium points corresponding to failed actuators) are selected on the basis of the stability considerations. A candidate parking point was termed a safe-park point if the process state at the time of failure resides in the stability region of the safe-park candidate (subject to depleted control action), and the safe-park candidate resides within the stability region of the nominal control configuration. Most of the above-mentioned approaches have mainly focused on the issues related to control design, closed-loop stability on failure and controller reconfiguration. Moreover the approaches are based on a specific input affine structure of nonlinear processes. There are very few publications, however, wherein the focus is on detection and isolation of such failures. While developing a failure tolerant control scheme, it is typically assumed that an efficient failure isolation scheme is available. The model-based fault diagnosis literature, on the other hand, has significant literature on model-based diagnosis of faults such as biases and drifts in sensors/actuators/parameters. However, not many schemes are available for online model-based isolation of sensor/actuator failures. One of the prominent approaches for model-based fault diagnosis for identifying different types of faults in linear dynamic systems is the generalized likelihood ratio (GLR) method, first proposed by Willsky and Jones.18 This method uses an innovation sequence generated by Kalman filter to isolate a variety of faults. While Wilsky and Jones18 mention

in their work that sensor and actuator failures can be dealt with in GLR framework, no details were given. Narasimhan19 and Narasimhan and Mah20 have later shown that the GLR method proposed by Wilsky and Jones18 can be used for diagnosing actuator failures. Sensor failures, however, are not considered in their work. In this work, it is proposed to extend the linear GLR method for diagnosis of sensor failures.21 The proposed work involves development of recurrence relationships for signature matrices for diagnosing sensor and actuator failures, which are amenable for online computations. A nonlinear version of the linear GLR method for isolation of sensor and actuator failures in nonlinear systems is then developed.22 For nonlinear systems, the signature matrix computations are performed using the extended Kalman filter (EKF), and linearized model matrices are computed at each operating point. The information on sensor/actuator failures is then used for online reconfiguration of the control scheme. When an actuator fails, the proposed reconfiguration strategy is able to make modifications in the controller objectives or switch to a new controller to account for the loss of a degree of freedom. In the case of sensor failure, the state estimator is reconfigured by removing the measurement from a failed sensor, from the set of measurements. The advantages of the proposed scheme are demonstrated using (1) simulation studies on a CSTR system at an unstable operating point and (2) experimental studies on a benchmark laboratory scale heater-mixer setup.23,24 The rest of this article is organized as follows. The next section provides a brief review of GLR based FDI scheme and reconfiguration of the state estimators used in FDI and LQG formulation, under sensor and actuator failures. Section 3 provides the details of extension of the proposed FDI scheme to nonlinear systems. Section 4 presents the details of proposed controller reconfiguration scheme. Sections 5 and 6 provide the details of simulation study and experimental work for evaluation of linear FDI and nonlinear FDI, respectively. The major conclusions drawn from the experimental work are given in the last section. 2. Failure Isolation Using Linear GLR 2.1. Model for Normal Behavior. The main component of GLR-based FDI is the model describing process dynamics, which is used to develop the Kalman filter (KF). Let x(k + 1) ) Φx(k) + Γuu(k) + Γww(k)

(1)

y(k) ) Cx(k) + v(k)

(2)

represent the state space model that describes system dynamics under fault free conditions. Here x(k) ∈ Rn represents state variables, u(k) ∈ Rm represents manipulated inputs to process, y(k) ∈ Rr represents measured output, w(k) ∈ Rd and v(k) represent zero mean Gaussian white noise processes with known covariance matrices Q and R, respectively. Such a model can be obtained by linearization (and discretization) of a nonlinear mechanistic model of the form dx ) F[x(t), u(t), p, d(t)] dt d(k) ) d + w(k) y(k) ) H[x(k)] + v(k) for the system under consideration at the desired operating point.25 Here, d(k) represents the vector of unmeasured disturbances. However, such a mechanistic model is not always available and is quite difficult to obtain. In such cases, an innovation form of the state space model of the form

1524 Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009

x(k + 1) ) Φx(k) + Γuu(k) + Kε(k)

(3)

y(k) ) Cx(k) + ε(k) (4) can be identified from the input-output perturbation data obtained under fault free conditions in the neighborhood of the desired operating point.26-28 Here, ε(k) is a white noise sequence with covariance matrix V. This model is equivalent to a process described by (1) and (2), with known covariance matrices for v(k) and w(k) given as follows: R1 ) E[w(k) w(k)T] ) KVKT

(5)

R12 ) E[w(k) v(k)T] ) KV

(6)

R2 ) E[v(k) v(k) ] ) V

(7)

T

Under normal operating conditions, the state estimates used in linear GLR-based FDI scheme are generated using a Kalman filter of the form xˆ(k|k - 1) ) Φxˆ(k - 1|k - 1) + Γuu(k - 1)

(8)

xˆ(k|k) ) xˆ(k|k - 1) + Kγ(k) (9) γ(k) ) y(k) - Cxˆ(k|k - 1) (10) where K represents the steady state Kalman gain and γ(k) represents the innovation sequence. This Kalman filter (KF) is referred to as normal KF in the rest of the text. 2.2. Detection of Abnormal Behavior. When a process starts behaving abnormally, the first task is to detect the deviations from the normal operating conditions. In the absence of any failure, innovation sequence {γ(k)} is a zero mean Gaussian white noise process with covariance V(k), defined as (11) V(k) ) CP(k|k - 1)CT + R Thus, a simple statistical test, namely failure detection test (FDT) as given in Prakash et al.,25 based on the innovations obtained from the normal KF is applied at each time instant to estimate the time of occurrence of a fault. The test statistic for this purpose is given as follows: (12) (k) ) γ(k)T V(k)-1 γ(k) The above test statistic follows a central chi-square distribution with r degrees of freedom, which can be used to fix the threshold. If FDT is rejected, the occurrence of a fault is further confirmed by examining innovation sequence in the time interval [t, t + N]. The test statistic given by equation 12 is used for this purpose, which follows a central chi-square distribution with r(N + 1) degrees of freedom. t+N

(t, N) )

∑ γ(k)

T

V(k)-1 γ(k)

(13)

k)t

If this test statistic exceeds the threshold, the occurrence of the fault or failure is confirmed. This is referred to as a failure confirmation test (FCT). 2.3. Models for Failure Modes. In this subsection, we develop models for single sensor/actuator failure under the following assumptions: (1) Each sensor or actuator failure generates a distinct signature in the innovation sequence generated by the normal mode observer; (2) the process under consideration is nonstiff and no single actuator failure leads to a scenario similar to a stuck sensor in the time window used for the failure isolation. 2.3.1. Stuck Actuator. When jth actuator fails abruptly (gets stuck at some value) at instant t, Narasimhan19 has proposed a model for failure mode. Taking motivation from this, we present slightly different model as follows:

uaj(k) ) m(k) + [baj - eaTjm(k)]eajσ(k - t)

(14)

where j ∈ 1 to a, baj represents the constant value at which the jth actuator is stuck and eaj represents the fault vector with jth element equal to unity and all other elements equal to zero. Note that this model distinguishes between the controller output m(k) and manipulated input u(k) entering the process. Here σ(k - t) represents unit-step function. The model given in eq 14 indicates that the signal going to the plant from an actuator becomes constant because of some fault in the actuator. 2.3.2. Stuck Sensor. When jth sensor fails abruptly at instant t, it is often observed that we get a constant reading close to the value measured by digital to analog converter before the failure occurs. We propose to model the behavior of the measurement vector subsequent to such abrupt failure of a sensor as follows ysj(k) ) Cx(k) + V(k) + [bsj - esTjCx(k)]esjσ(k - t)

(15)

where j ∈ 1 to r, bsj represents constant value at which the jth sensor is stuck and esj represents fault vector with jth element equal to unity and all other elements equal to zero. According to eq 15, the measurements coming from a particular sensor in a plant have constant mean when a sensor fails. 2.4. Failure Isolation. Each failure influences the innovation sequence generated by the Kalman filter in a different manner and this fact can be used for failure isolation. The effect of a failure on the innovations can be captured using signature matrices and signature vectors.19 The signature matrices and signature vectors for each hypothesized failure can be precomputed on the basis of the appropriate fault model and normal KF equations. This section provides the details of the proposed failure isolation strategy and online reconfiguration of the state estimator and controller. 2.4.1. Signature Matrices for Sensor Failure. Let us assume that jth sensor fails at instant t. The process output subsequent to the failure is given by eq (14) while the process states evolve according to eq 1. During the interval [t, t + N], the state estimates are still generated using the normal state estimator as follows: xˆ(k|k - 1) ) Φxˆ(k - 1|k - 1) + Γuu(k - 1)

(16)

xˆ(k|k) ) xˆ(k|k - 1) + Kγsj(k)

(17)

γsj(k) ) ysj(k) - Cxˆ(k|k - 1)

(18)

where γsj(k) represent the innovation sequence generated by normal KF. Let δxˆsj(k), defined as δxˆsj(k) ) xˆ(k|k) - x(k)

(19)

represent the state estimation error during the interval [t, t + N]. Substituting equation 1, and 15 in equation 18 and rearranging, we get γsj(k) ) -CΦ[δxˆsj(k - 1)] + CΓww(k - 1) + [bsj - esTjCx(k)]esj + v(k) (20) Taking expectations and using E[w(k)] ) 0j and E[v(k)] ) 0j, it follows that E[γsj(k)] ) -CΦE[δxˆsj(k - 1)] + [bsj - esTjCxE[x(k)]]esj (21) Now, substituting eq 16 in eq 17, the evolution of normal KF under sensor failure can be expressed as

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1525

xˆ(k|k) ) Φxˆ(k - 1|k - 1) + Γuu(k - 1) + Kγsj(k)

(22)

Subtracting eq 1 from eq 22, rearranging and taking expectation, we get E[δxˆsj(k)] ) ΦE[δxˆsj(k - 1)] + KE[γsj(k)]

E[γaj(k)] ) -CΦE[δxˆaj(k - 1)] + CΓu[baj - eaTjm(k)]eaj (35) while the expected values of the state estimation error evolve as follows: E[δxˆaj(k)] ) (I - KC)ΦE[δxˆaj(k - 1)] -

Substituting for E[γsj(k)] and rearranging, we get E[δxˆsj(k)] ) (I - KC)ΦE[δxˆsj(k - 1)] + K[bsj - esTjCE[x(k)]]esj

(I - KC)Γu[baj - eaTjm(k)]eaj) (36)

(23)

Let us define the linear dependence of expected values E[γaj(k)] and E[δxˆaj(k)] on the failure by following relations

Let the linear dependence of expected values E[γsj(k)] and E[δxˆsj(k)] on the failure be defined by the following relations

E[γaj(k)] ) bajGa(k;t)eaj + gaj(k, t)

(37) (38)

E[γsj(k)] ) bsjGs(k;t)esj + gsj(k, t)

(24)

E[δxˆaj(k)] ) bajJa(k;t)eaj + jaj(k, t)

E[δxˆsj(k)] ) bsjJs(k;t)esj + jsj(k, t)

(25)

where Ja(k; t) and Ga(k; t) are the signature matrices and jaj(k, t) and gaj(k, t) are the signature vectors for state correction and contributions to innovations in the event of jth sensor failure, respectively. Comparing eq 35 and 36 with eq 37 and 38, we obtain the following recurrence relationships for signature matrices and signature vectors for jth actuator failure:

where Js(k; t) and Gs(k; t) are the signature matrices and jsj(k, t) and gsj(k, t) are the signature vectors for state correction and contributions to innovations in the event of jth sensor failure, respectively. Comparing eq 21-23 with eq 24 and 25, we obtain the following recurrence relationships for signature matrices and signature vectors for jth sensor failure

Ga(k;t) ) CΓu - CΦJa(k - 1;t)

(39)

Js(k;t) ) ΦJs(k - 1;t) + KGs(k;t)

(26)

gaj(k;t) ) - CΓu[eaTjm(k)]eaj - CΦja(k - 1;t)

(40)

jsj(k;t) ) Φjsj(k - 1;t) + Kgsj(k;t)

(27)

Ja(k;t) ) ΦJa(k - 1;t) + KGa(k - 1;t) - Γu

(41)

Gs(k;t) ) I - CΦJs(k - 1;t)

(28)

jaj(k;t) ) Φjaj(k - 1;t) + Kgaj(k - 1;t) + Γu[eaTjm(k)]eaj (42)

gsj(k;t) ) -esTjCE[x(k)]esj - CΦjsj(k - 1;t)

(29)

where I is the identity matrix. 2.4.3. Failure Isolation and Magnitude Estimation. For each hypothesized fault fj, the log likelihood ratio is computed as given in Narasimhan.19

where I is the identity matrix. The difficulty in using eq 29 is that it requires knowledge of the expected value of true state vector x(k). To alleviate this difficulty it is proposed to use x˜(k) generated as follows

Ψfj )

x˜(k) ) Φx˜(k - 1) + Γuu(k - 1) x˜(t - 1) ) xˆ(t - 1|t - 1);

dfj2 cfj

t+N

+

∑ [2(g (k;t)

T

k)t

fj

V(k)-1 γ(k)) -

k ∈ [t, t + N]

gfj(k;t)T V(k)-1 gfj(k;t) (43)

]

in place of E[x(k)]. It may be noted that the state transition equation is not affected by the failure. Thus, if the estimation error is zero mean prior to the failure, then the open loop estimate x˜(k) will represent a reasonably good estimate of x(k) during k ∈ [t, t + N]. 2.4.2. Signature Matrices for Actuator Failure. Let us assume that jth actuator fails at instant t. The controller output subsequent to the failure is given by eq 14. During the interval [t, t + N], the state estimates are still generated using the normal state estimator eqs 8-9. Let δxˆaj(k) and γaj(k) be defined as δxˆaj(k) ) xˆ(k|k) - x(k)

(30)

xˆ(k|k) ) xˆ(k|k - 1) + Kγaj(k)

(31)

γaj(k) ) yaj(k) - Cxˆ(k|k - 1)

(32)

represent the state estimation error and the innovation sequence generated by normal KF during the interval [t, t + N]. The true process state evolves according to x(k + 1) ) Φx(k) + Γu[m(k) + [baj - eaTjm(k)]eajσ(k - t)] + Γww(k) (33) yaj(k) ) Cx(k) + v(k)

(34)

Substituting for yaj(k) in γaj(k) it can be shown that the expected values of innovation sequence {γaj(k)} during interval [t, t + N] evolves as follows:

where t+N

dfj ) efTj

∑ G (k;t) V(k)

-1

T f

k)t

[γ(k) - gf (k;t)] j

(44)

t+L

cfj ) efTj

∑ G (k;t) V(k)

-1

T f

k)t

Gf(k;t)efj

(45)

Among all hypothesized sensor and actuator failures, the failure fj with the maximum value of Ψfj is the failure that is isolated and the corresponding estimate of magnitude is given as bˆfj )

dfj cfj

(46)

2.5. Estimator Reconfiguration. Once a failure is isolated, the state estimator has to be reconfigured to accommodate the failure. In the event of jth actuator failure, the state prediction step in the observer for k g t is modified as follows: maj(k - 1) ) m(k - 1) + [baj - eaTj m(k - 1)]eaj

(47)

xˆ(k|k - 1) ) Φxˆ(k - 1|k - 1) + Γumaj(k - 1)

(48)

In the event of sensor failure, the measurement model is modified as y˜(k) ) Csj x(k) + Vsj(k)

(49)

1526 Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009

where Csj has all rows of the original matrix C except the jth row and y˜ ∈ Rr-1. This modified measurement vector is used in the state estimator starting from instant t, the time at which the failure was detected. Under the assumption that the state observability is preserved under the sensor failure, the Kalman gain (Ksj) is recomputed with modified Csjand the corresponding modified covariance matrix Rsj and the state correction step in the estimator is modified for k g t as follows: xˆ(k|k) ) Φxˆ(k|k - 1) + Ksj γ˜ (k)

(50)

γ˜ (k) ) y˜(k) - Csj xˆ(k|k - 1)

(51)

To avoid repeated detection of the same failure in the future, the failed sensor/actuator is also excluded from the failures hypothesized in the FDI scheme. 3. Failure Isolation using Nonlinear GLR This section extends the failure isolation technique described above to nonlinear systems or systems undergoing transient, where a linear perturbation models is inadequate and a nonlinear model is required to describe the system dynamics. 3.1. Model for Normal Behavior. Let us assume that the process dynamics is better described as a continuous time nonlinear stochastic system described by the following set of equations: x(k + 1) ) x(k) +



(k+1)T

kT

F[x(t), u(k), p, d(k)] dt

(52)

d(k) ) d¯ + w(k)

(53)

y(k) ) H[x(k)] + v(k)

(54)

where x ∈ R , y ∈ R , and u ∈ R represent the state variables, measured outputs, and manipulated inputs, respectively, and T represents sampling interval. The variables p ∈ Rp and d ∈ Rd represent the vector of parameters and unmeasured disturbance variables, respectively. Here, v(k) and w(k) are zero mean Gaussian white noise sequences with known covariance matrices R and Q, respectively. These equations are used to develop the standard linearized Extended Kalman filter EKF29 as follows: n

r

a

xˆ(k|k - 1) ) xˆ(k - 1|k - 1) +



kT

(k-1)T

F[x(τ), m(k - 1), p¯, d¯] dτ (55)

xˆ(k|k) ) xˆ(k|k - 1) + L(k) γ(k)

(56)

γ(k) ) y(k) - H[xˆ(k|k - 1)] The time varying Kalman gain matrix L(k) is computed as follows P(k + 1|k) ) Φ(k) P(k|k) Φ(k)T + Γd(k) QΓTd (k)

(57)

V(k) ) C(k) P(k|k - 1) C(k)T + R

(58)

-1

L(k) ) P(k|k - 1) C(k) [V(k)] T

P(k|k) ) [I - L(k) C(k)] P(k|k - 1)

(59) (60)

where

[ ∂F∂x ] ; C(k) ) [ ∂H(x) ∂x ] ∂F ∂F B (k) ) [ ] ; B (k) ) [ ] ∂m ∂d

A(k) )

(·)

u

(·)

(·)

d

(·)

Φ(k) ) exp[A(k)T] Γu(k) )



T

0

exp(A(k)q) Bu(k) dq

T

Γd(k) )

∫ exp[A(k)τ] B (k) δτ d

(65)

0

j ). In the remainder of where ( · ) ≡ (xˆ(k|k - 1), m(k - 1), p j, d the text, this EKF is referred as normal EKF. 3.2. Failure Detection and Isolation. Under normal operating conditions, it is assumed that the innovation sequence generated by the normal EKF is a zero mean Gaussian white noise sequence with covariance V(k). Under this assumption, detection and confirmation of occurrence of a failure is done using FDT and FCT tests, given by eq 12 and 13, respectively. The test statistics are obtained using γ(k) and V(k) obtained by EKF. To extend the proposed diagnosis technique to nonlinear systems, recurrence relationships for signature matrices derived under linear GLR framework are modified using linearized discrete time varying system matrices given by eq 61-65. For example, if jth sensor fails, then the corresponding signature matrices and the signature vectors can be computed using the following recurrence relations for k ∈ [t, t + N] Js(k;t) ) Φ(k) Js(k - 1;t) + L(k) Gs(k;t)

(66)

js(k;t) ) Φ(k) jsj(k - 1;t) + L(k) gsj(k;t)

(67)

Gs(k;t) ) I - C(k) Φ(k) Js(k - 1;t)

(68)

gsj(k;t) ) -esTjC(k) E[x(k)] esj - C(k) Φ(k) jsj(k - 1;t) (69) Here, L(k) is the Kalman gain computed using the normal EKF. The state vector x(k) appearing in these equations is now replaced by x˜(k) ) x˜(k - 1) +



kT

(k-1)T

F[x(τ), m(k - 1), p¯, d¯] dτ (70)

x˜(t - 1) ) xˆ(t - 1|t - 1);

k ∈ [t, t + N]

(71)

Similar recurrence relations can be constructed for the actuator failure case using linearized discrete time varying system matrices given by eq 61-65. The fault isolation is then performed in the same manner as in linear case using eq 43 and the magnitude estimate is obtained using eq 46. 3.3. Estimator Reconfiguration. Once a failure is isolated, the state estimator has to be reconfigured to accommodate the failure. Failed Actuator. In the event of jth actuator failure, m(k 1) appearing in the state prediction step (55) is replaced by maj(k - 1) given by eq 47 for k g t. In state estimation and prediction in NMPC(MPC), the failed actuator is treated as constant mj(k) ) bˆuj for k g t + N, where bˆuj is the estimate of stuck actuator signal for jth actuator. Also, in the NMPC formulation, we introduce additional constraints as mj(k + j|k) ) bˆmj for j ) 0, ..., q - 1. If the number of setpoints specified in the NMPC formulation equals the number of manipulated inputs, then we modify the NMPC objective function by relaxing the setpoint on one of the controlled outputs. This strategy has been described in details in Deshpande et al.22,23 Sensor Failure. In the event of sensor failure, the measurement model is modified as

(61)

y˜(k) ) Hsj[x(k)] + Vsj(k)

(62)

where vector Hsj[x(k)] has all elements of vector H[x(k)] except the jth element and y˜ ∈ Rr - 1. This modified measurement vector is used in the state estimator for k g t. Under the assumption that the state observability is preserved under the sensor failure, for k g t the Kalman gain (Lsj(k)) is computed using

(63) (64)

(72)

Csj(k) )

[

∂Hsj(x) ∂x

]

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1527 22

(xˆ(k|k-1),m(k-1),p¯,d¯)

(73)

and the corresponding modified covariance matrix Rsj. The state correction step in the estimator is modified for kgt as follows ˜(k) xˆ(k|k) ) Φxˆ(k|k - 1) + Lsj(k) γ

(74)

γ ˜(k) ) y˜(k) - Hsj[x(k)]

(75)

4. Control Structure Reconfiguration on Failure A schematic representation of failure isolation and control structure reconfiguration is shown in Figure 1. In this work, it is assumed that, for each hypothecated failure condition, a stabilizing controller/control scheme has been designed a priori. Thus, once a failure is isolated, the task of the supervisory block in Figure 1 is to switch to the appropriate controller/control scheme. Separate measures have to be planned to deal with situations arising out of actuator and sensor failures. (1) Sensor failure: In the event of a sensor failure, if the state observability is preserved after removal of the failed sensor, then, we propose to carry out inferential control. In the inferential control strategy, control law is based on the estimated value of the failed measurement computed using the reconfigured state estimator. In a classical output feedback control scheme like multiloop PID control, this implies that the estimated value of the measurement is used as the controlled output in place of the measured output. On the other hand, if a state feed-back control scheme such as linear quadratic optimal control (LQG) or model predictive control (MPC) is used for control, then the reconfigured state estimator is used in the control law implementation. (2) Actuator failure: In the event of actuator failure, we propose to reconfigure the controller by exploiting additional degrees of freedom that may be available in the system for manipulation. If the process under consideration is being controlled by a multiloop PID control scheme, then loop pairing can be altered on isolation of the failure. If a multivariable state feed-back control law such as LQG is being used for controlling the process, then, apart from switching to the reconfigured state estimator, an alternate control law that makes use of the available degrees of freedom can be employed. In MPC formulation, actuator failure would require introduction of additional constraints on manipulated input vector. If additional degrees of freedom are not available for manipulation, then we may have to remove one variable from the list of controlled outputs. For example, if process is controlled using the MPC scheme, then we can modify the MPC objective function by relaxing the setpoint on one of the controlled outputs to a zone control

Figure 1. Control structure reconfiguration: schematic diagram.

variable. In particular in state estimation and prediction in NMPC(MPC), the failed actuator is treated as constant mj(k) ) bˆaj for k g t + N, where bˆaj is the estimate of stuck actuator signal for jth actuator. Also, in the NMPC formulation, we introduce additional constraints as mj(k + j|k) ) bˆaj for j ) 0,..., q - 1. If number of setpoints specified in the NMPC formulation equals the number of manipulated inputs, then we modify the NMPC objective function by relaxing the setpoint on one of the controlled outputs. This strategy has been described in details in Deshpande et al.22,32 Online correction of state estimator in response to isolation of sensor and/or actuator failure has an important consequence. The proposed online correction scheme modifies the definition of the model for normal behavior. For example, if an actuator fails and it is subsequently isolated correctly, and the model is compensated for the failed actuator, then the system description with one actuator failed becomes the normal system for any application of failure diagnosis. The failed actuator is also excluded from the failures hypothesized in the FDI scheme to avoid repeated detection of the same failure in the future. These measures facilitate isolation of any sensor or actuator failure(s) that may occur at any subsequent time instant. 5. Simulation Study To demonstrate efficacy of our failure diagnosis approach on a system operating at an unstable operating point, we consider a nonisothermal CSTR system in which an irreversible first order reaction AfB is taking place. The reactor system has two state variables, the reactor concentration CA (≡ y1) and the reactor temperature T (≡ y2), both of which are assumed to be measured and controlled. The coolant flow rate Fc (≡ u1) and feed flow rate F (≡ u2) are the manipulated inputs while the feed concentration, CA0 (≡ d) is treated as an unmeasured disturbance variable. The dynamic model for a nonisothermal CSTR is given as follows30 dCA F E ) (CA0 - CA) - k0 exp C dt V RT A (-∆Hr)k0 dT F ) (T0 - T) + dt V FCp Q)

aFb+1 c

( ) E Q exp(- )C RT VFC

( )

aFbc Fc + 2FcCpc

A

(76) (77)

p

(T - Tcin)

(78)

This system exhibits entirely different dynamic characteristics for different set of parameter values.30 However, we have selected the operating parameters of the CSTR such that the process has one single unstable steady state for the specified input conditions. The feed concentration is assumed to fluctuate around its mean value as a Gaussian white noise with a variance of 0.0025. The measurements of CA and T are assumed to be corrupted with Gaussian white noise signals with standard deviations of 0.01 kmol/m3 and 0.5 K, respectively. The sampling time is chosen as 0.1 min. The covariance matrices for state and measurement noise are chosen to be diagonal matrices. The values of standard deviations for the state and measurement noises are given in Table 1. The reactor system is controlled at unstable steady state (CA ) 1.372 mol/m3 and T ) 349.88 K) using an NMPC scheme

1528 Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 Table 1. Nonisothermal CSTR/Standard Deviations for Measurement Noise and State Noise variable

standard deviation ( σ)

feed concentration reactor concentration reactor temperature

0.05 kmol/m3 0.01 kmol/m3 0.5 deg K

Table 2. Nonisothermal CSTR: GLR Tuning Parameters window for fault confirmation level of significance for fault detection level of significance for fault confirmation

40 0.05 0.0001

that uses the mechanistic model for prediction. This controller uses prediction horizon of 5, control horizon of 1, and

[ ]

4 0 error weighting matrix ) 10 0 1

The bounds imposed on the inputs are as follows:

at 0.926 m3/min. In reconfigured NMPC formulation, the feed flow is not manipulated further and is kept constant at 0.926 m3/min. In addition, since only one degree of freedom is left for control, the NMPC objective function is modified and the setpoint on temperature is relaxed. These measures minimize the plant-model mismatch and the performance degradation is arrested. The sensor failure subsequently introduced at k ) 41 in concentration measurements gets isolated correctly, and the concentration later controlled using the estimate generated by the EKF is corrected by removing the failed concentration measurements. Using the remaining degree of freedom, that is, cooling water flow rate, the FTNMPC controller is able to maintain the reactor concentration at the desired setpoint (see Figure 3), while the conventional NMPC drifts further away from the setpoint. 6. Experimental Studies

3

5 e Fc e 30 m /min 0.5 e F e 2 m3/min Eight different faults consisting of biases in two measurements, biases in two actuators, failures of the two actuators, and failures of two sensors were hypothesized for this process. The tuning parameters of nonlinear-model-based FDI used are given in Table 2. 5.1. Sensor Failure. To evaluate the performance of the proposed method at the nominally unstable operating point, failure is introduced at k ) 6 in the sensor for concentration (CA) measurement. A setpoint change is introduced at k ) 25. Because of the wrong measurements received by the controller, the performance of the controller starts getting deteriorated. When this failure gets isolated, the inferential control is employed by reconfiguration of the estimator. In the fault tolerant controller formulation, the concentration (CA) measurements received from the failed sensor are replaced by the corresponding estimates obtained using the available temperature measurements (T). Before the corrective measure is taken, the system is controlled using conventional NMPC formulation and the deterioration in the closed-loop performance is evident from Figure 2. However, subsequent to the online corrective measure, the desired setpoint in concentration is achieved despite failure of the concentration sensor. 5.2. Sequential Actuator and Sensor Failure. To demonstrate the behavior in the presence of multiple failures occurring sequentially but present simultaneously in the system, we have simulated the situation when the feed flow valve is stuck at 0.928 m3/min subsequent to k ) 6 followed by failure in the sensor for concentration (CA) measurement at k ) 41. Figure 3 compares behavior of the controlled outputs obtained using the proposed failure tolerant NMPC controller (FTNMPC) with that of the conventional controller (NMPC). As evident from Figure 3, the temperature starts drifting from the desired set point value with the onset of this failure. Initially both the controllers are unaware of the failure and hence they start increasing the computed value of the feed flow rate. This further increases the plant-model mismatch, which results in controller performance degradation. This degradation in the performance continues further in case of NMPC as no corrective measures are taken to account for the failure (see Figures 3 and 4). However, in FTNMPC formulation, the FDI component correctly isolates the actuator failure and estimates the constant value at which it is stuck, as 0.926 m3/min. Subsequent to this isolation, feed flow in EKF formulation is maintained constant

In this section, we present verification of the proposed linear and nonlinear failure isolation and control structure reconfiguration schemes using experimental studies conducted on a benchmark heater-mixer setup developed at IIT Bombay.23,24 The experimental heater-mixer setup considered for the study consists of two stirred tanks in series as shown in Figure (5). A cold water stream is introduced in the first tank. The contents of tank 1 are heated using a 4 kW heating coil. The hot water that overflows the first tank is mixed with a cold water stream entering into tank 2. The content of the second tank is heated using another 3 kW heating coil. The heat inputs Q1 and Q2 to both the tanks can be manipulated by changing current inputs to the thyristor power control units, which can be varied between 4 and 20 mA. The cold water inlet flow F1 and F2 to both the tanks can be manipulated using pneumatic control valves. The process variables are as follows: The temperatures in the two tanks (T1 and T2) and level in second tank (h2) are measured variables while the heat inputs to tank 1 (Q1) and tank 2 (Q2) and cold water inlet to tank 2 (F2) are treated as manipulated inputs. The cold water flow to tank 1 (F1) is treated as a disturbance. The system is controlled through an Advantech data acquisition module and combination of Labview and Matlab. The following two scenarios of failure and reconfiguration are considered in this work. (1) Sensor failure and estimator reconfiguration. The controlled outputs in this case are T1, T2, and h2 and all the three inputs are used for manipulation. To begin with, all the measurements are available to the controller. We investigate the scenario where sensor T2 fails and to continue the operation, it become necessary to isolate the failure, reconfigure the state estimator and subsequently carry out inferential control using estimated state variable. (2) Actuator failure and control structure reconfiguration. The controlled outputs in this case are T2 and h2. To begin with, heat input to tank 2, Q2, and cold water inlet to tank 2, F2, are used for manipulation. We investigate the scenario when the thyristor power controller used for changing Q2 is stuck. To continue operation, it becomes necessary to isolate the failure and switch to another controller that manipulates heat input to tank 1, Q1, and cold water inlet to tank 2, F2. The experimental verification is carried out under the following operating conditions: (1) At a fixed operating point using a linear perturbation model identified from data and linear GLR method; (2) in transient using a nonlinear

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1529

Figure 2. Nonisothermal CSTR: estimator and controller reconfiguration on sensor failure-outputs.

Figure 3. Nonisothermal CSTR: controller reconfiguration on actuator and sensor failure-outputs.

Figure 4. Nonisothermal CSTR: controller reconfiguration on actuator and sensor failure-inputs.

mechanistic (gray box) model for the system and nonlinear GLR method 6.1. Failure Isolation Using Linear GLR. 6.1.1. Model Development and Controller Design. To evaluate the efficacy of the proposed linear-model-based FDI (i.e., linear GLR) for sensor and actuator failure isolation, a linear model has been

identified from input-output data. For model identification, the steady state operating point of the process is chosen as [T1 ) 56°, T2 ) 52° and h2 ) 0.36 m] and each of the nominal steady state current input to the plant has been set to 12 mA. The three inputs, namely, current inputs to heater 1, heater 2, and valve 2, were perturbed simultaneously with random binary signals

1530 Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009

Γβ ≡ [first and last columns of Γu]

(RBS) of amplitude 2.5, 2.5, and 2 mA, respectively, in the frequency band [0, 0.005], and the sampling time was set to 5 s. A linear state space model of the form eq 3-4 was identified using prediction error method in the System Identification toolbox of MATLAB. The model matrices are as follows:

The noise covariance matrix for additional artificial states added to the inputs u1and u3 is chosen as

0.9274 -0.06445 0.123 -0.00234 0.9266 0.0449 Φ) -0.1362 0.16548 0.99941 0.6633 -1.0068 0.01693

where I is 2 × 2 identity matrix. Here u1, u2, and u3 represent the deviation current inputs to heaters 1 and 2 and flow 2, respectively. 6.1.2. Sensor Failure. The tuning parameters for LQG controller that manipulates (u1, u2, u3) are as follows:

[ [

] ]

0.0272 0.01023 0.0187 0.9133

(79)

-0.00487 0.0025383 -0.0018451 -0.0028917 0.00064853 0.000072091 Γu ) -0.020272 0.0093654 0.0028472 0.089115 -0.044466 -0.012054

(80)

[

12.041 -121.73 36.495 6.8547 C ) 70.171 -94.857 -36.873 -7.4768 -1.5443 -0.26192 0.020383 -0.086584

[

-0.0079845 0.009324 -0.0048235 0.0011059 K) -0.033694 0.032464 0.14725 -0.16086

-0.15538 -0.054624 -0.16296 -0.65319

]

]

Qβ ) 0.0001 × I

[

Wu ) diag[0.1 0.1 1 ] 5071.352 -8121.513 -2148.040 -441.986 -8121.513 23815.025 -944.695 -125.133 Wx ) C × C ) -2148.040 -944.695 2691.544 525.855 -441.986 -125.133 525.855 102.896 T

(81)

(82)

Model innovations generated from model identification exercises are used to estimate their covariance V as V ) diag[0.63714 0.29610 0.000015806 ] The above model has been used in the development of normal KF (ref equations 8-10 required in GLR formulation. The tuning parameters used in linear GLR formulation are listed in Table 3. To control the plant at the desired operating point, a linear quadratic Gaussian (LQG) controller of the form ba(k|k - 1) - xs(k)] u(k) ) us(k) - G[x was designed using the identified model as described in the Appendix. Here, b xa(k|k - 1) represents state estimates generated using the separate state estimator designed using augmented steady state model for LQG implementation as described in the Appendix.

The corresponding controller gain matrix obtained by solving algebraic Riccati equations (ARE) is G)

[

41.1724 -283.2851 60.4884 10.7599 132.6346 -165.8516 -69.9155 -13.8383 -20.4734 28.6511 9.2221 1.8255

-7.5 mA e u1 e 7.5 mA -7.5 mA e u2 e 7.5 mA -6 mA e u3 e 3 mA For the model given by matrices 79-82, it was noted that the state observability is preserved even when T2 is removed from the measurement vector. The objective of the controller is to regulate operation at the desired set point. In the linear GLR formulation, failures have been hypothesized in sensors (T1, T2, h2) and actuators (u1, u2, u3). A sensor failure was simulated by artificially holding the temperature measurements T2 constant in the control computer at 6° below its steady state value subsequent to 145th sampling instant. The failure was detected at 157th sampling instant and the occurrence of the failure was confirmed at 207th sampling instant. After failure confirmation, the failed measurement was removed from the state estimators used for fault diagnosis and for LQG implementation. As evident from Figures 6 and 7, the proposed FTLQG is able to track the T2 setpoint using its inferred value after diagnosis and accommodation of the failure. 6.1.3. Actuator Failure. We begin the closed-loop operation using an LQG controller designed to control T2 and h2 by manipulating inputs u2 and u3. The tuning parameters for tuning the LQG controller are

value

window length N level of significance for FDT level of significance for FCT

50 sampling instants 0.5 0.005

Wu )

[

0.1 0 0 1

]

]

4926.37 - 6655.84 - 2587.47 - 524.52 -6655.84 8998.00 3497.69 709.25 T ˜ ˜ Wx ) C × C ) -2587.47 3497.69 1359.63 275.69 -524.52 709.25 275.69 55.91 ˜ represents the last two rows of the C matrix. The steady where C state solution of the Riccati equation computed using function dlqr in Matlab yields the following gain matrices: (1) Manipulated inputs u2 and u3 :

Table 3. Heater-Mixer Setup: GLR Parameters variable description

]

The manipulated deviation inputs are constrained as follows

[

Figure 5. Schematic of experimental heater mixer setup.

]

G23 )

[

136.5833 -200.0227 -61.7764 -12.3859 -20.8596 30.8098 9.1767 1.8353

]

Another standby LQG controller is designed using inputs u1 and u3.

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1531

(2) Manipulated inputs u1 and u3: G13 )

[

41.1724 -283.2851 60.4884 10.7599 -20.4734 28.6511 9.2221 1.8255

]

6.2. Failure Isolation Using Nonlinear GLR. 6.2.1. GreyBox Model for Laboratory Two-Tank Heater-Mixer Setup. A gray box model for the heater-mixer setup23,24 can be stated as follows

The manipulated deviation inputs are constrained as follows: -6.5 mA e u1 e 7.5 mA -7.5 mA e u2 e 7.5 mA -6 mA e u3 e 3 mA To begin with, T2 and h2 are regulated by the LQG controller that manipulates u2 and u3. Failures were hypothesized in sensors (T2, h2) and actuators (u2, u3). As shown in Figure 8 and Figure 9, input to heater in tank 2 was stuck at 25th sampling instant where the true input was -0.53 mA. The set point change for T2 was given at the 30th instant. The failure was isolated by the FDI unit at 85th sampling instant with an estimated magnitude of -0.601 mA. After failure isolation, a new LQG controller was implemented, which manipulates heat input to tank 1 (u1) and flow input to tank 2 (u3). It is evident from Figure 8 that the reconfigured control law is able to track the desired set point change.

V1 A2h2

Q1(U1) dT1 ) F1(D)(Tc - T1) + dt FCp

(83)

dT2 ) F1(D)(T1 - T2) + F2(U3)(Tc - T2) + dt 1 [Q (U ) - 2πr2h2U(T2 - Ta)] (84) FCp 2 2

dh2 ) F1(D) + F2(U3) - k√Fd(h2) × 10-3 (85) dt where T1 represents temperature in tank 1, T2 represents temperature in tank 2, h2 represents the level in tank 2, Ui represents manipulated current inputs, and D represents the disturbance input expressed as % value between 0 and 100%. The relationship between Ui and D, the corresponding physical variable, is captured through the following correlations A2

F1(D) ) (1.2676D3 - 108.02D2 + 8166D) × 10-10 m3/sec (86)

Figure 6. Heater-mixer setup: FTLQG performance under sensor failure-outputs.

Figure 7. Heater-mixer setup: FTLQG performance under sensor failure-inputs.

1532 Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009

Figure 8. Heater-mixer setup: FTLQG performance under actuator failure-outputs.

Figure 9. Heater-mixer setup: FTLQG performance under actuator failure-inputs. Table 4. Heater-Mixer Setup: Model Parameters

Table 6. Heater-Mixer Setup: Nonlinear GLR Parameters

parameter

description

value

variable description

value

k V1 A2 r2 U Ta

discharge coefficient volume of tank 1 cross sectional area of tank 2 radius of tank 2 heat transfer coefficient ambient temperature

0.1 1.75 × 10-3 m3 7.854 × 10-3 m2 0.05 m 175 W/(m · K) 301 K

window length N level of significance for FDT level of significance for FCT

30 samples 0.75 0.01

Table 5. Heater-Mixer Setup (Sensor Failure Case): PI Loop Pairings and Controller Tuning Parameters output-input

gain

integral time (sec)

T1 - U1 T2 - U2 h2 - U3

0.8 1 50

50 50 100

F2(U3) ) (-0.1115U34 + 17.2404U33 - 817.6U32 + 18858U3) × 10-10 m3/sec (87) Fd(h2) ) -0.2275h22 + 0.597h2 + 0.037

(88)

Q1(U1) ) 53.579U1 + 0.0584U1 - 0.0026U1

W (89)

2

3

Q2(U2) ) 78.82U2 - 0.782U22 - 0.0035U23 W

(90)

These correlations (86-87) were developed using data generated from steady-state experiments. The model parameters for the correlations (88-90) were initially generated using steady-state data and later refined using transient response data. The remaining parameters of the model are as given in Table 4. The cold water temperature Tc is available as a measurement. To develop EKF using the above mechanistic model, it is necessary to generate information regarding measurement and state noise covariances. Measurement noise covariance matrix was estimated directly from sensor data to be R ) diag[0.2172 0.1351 1.156 × 10-5 ] The state noise covariance matrix Q was parametrized as a diagonal matrix and its elements were estimated by solving following minimization problem min Q, θ

[∑ N

k)1

]

γT(k) V(k)-1 γ(k)

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1533

Figure 10. Heater-mixer setup: FTC performance under sensor failure during transient.

5% e U1 e 95% 5% e U2 e 95% 5% e U3 e 62.5%

Table 7. Two-Tank Heater-Mixer Setup (Actuator Failure Case): Tuning Parameters, Controller I and II output-input

gain

integral time (sec)

T2 - U1 T2 - U2 h2 - U3

0.8 1 100

50 50 100

where θ represents parameters of correlations 88-90, γT(k) represents an innovation sequence of the EKF, V(k) represents the corresponding covariance matrix of the innovations and N represents the length of transient response data used for parameter estimation. The optimum values of Q obtained from this exercise as follows Q ) diag[2.25 0.58 1.375 × 10-5 ] The corresponding refined correlations are reported in equations 56-58. This procedure of tuning EKF using the experimental data was found to be a crucial step in the development of the proposed failure isolation approach. 6.2.2. Sensor Failure During Transient. The objective of FTC is to track the desired set point trajectories in the face of failure of temperature sensor for T2 using a multiloop PI controller. Control loop pairings and controller tuning parameters are listed in Table 5. The controller outputs are constrained as follows

Hypothesized failures include failures in sensors (T1, T2, h2) and actuators (U1, U2, U3). The tuning parameters for proposed nonlinear GLR are listed in Table 6. The sensor for T2 was stuck at 41 °C, during transient at k ) 41 (205 s) while the controller is attempting to move T2 to its setpoint. The performance of the EKF based FDI unit integrated with the controller is given in Figure 10. It can be observed from this figure, that when a sensor for T2 was stuck, the controller as well as observer performance deteriorated. The PI controller started increasing U2 as it was unaware of the failure. However, after the failure was isolated at k ) 71 (355 s), the faulty sensor measurements T2 were replaced by estimates Tˆ2 in the controller formulation. Tˆ2 is obtained from the modified EKF that uses the remaining healthy sensor signals, that is, T1 and h2. As a consequence of this corrective measure, the controller changed the direction of manipulation of U2, and the desired setpoints were achieved. 6.2.3. Actuator Failure During Transient. To begin with, a multiloop PI controller (controller I) was used for controlling T2 and h2 by manipulating heat input to tank 2, Q2(U2) and flow to tank 2, F2(U3). In the event of failure of actuator for heat input to tank 2, Q2(U2), the objective of the FDI

Figure 11. Heater-mixer setup: FTC performance under actuator failure during transient.

1534 Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009

unit was to identify the failed actuator and reconfigure the controller online by switching to another controller (controller II) that brings T2 to the set point by manipulating heater input in tank 1, Q1(U1). Variable pairing and tuning parameters of the controller I and controller II are given in Table 7. Failures were hypothesized in sensors (T1, T2, h2) and actuators (U2, U3). As shown in Figure 11, input to heater in tank 2 was stuck during transient at k ) 13 (65 s). As a degree of freedom is lost, the controller performance deteriorated and the output started deviating from the setpoint. However, after the failure isolation at k ) 95 (475 s), controller II is switched on. It is evident from Figure 11, that the reconfigured control law is able to track the desired set point trajectory.

G ) (Wu + ΓuS∞Γu)-1ΓuS∞Φa

(94)

S∞ ) [Φa - ΓuG]TS∞[Φa - ΓuG] + Wx + GTWuG where Wx ) CTC is the state weighing matrix and Wu is input weighing matrix. To handle plant model mismatch arising out of actuator biases or input disturbances in LQG formulation, artificial states are introduced as follows: x(k + 1) ) Φx(k) + Γuu(k) + Γββ(k) + w(k) β(k + 1) ) β(k) + wβ(k) y(k) ) Cx(k) + v(k) where β ∈ R are artificially introduced input disturbance vectors, while wβ ∈ Rm is a zero mean white noise sequence with covariance Qβ. The elements of noise covariance matrix Qβ are tuning parameters, which can be chosen to achieve desired closed-loop disturbance rejection characteristics. The augmented state space model of the form given below is used to formulate the Kalman predictor. m

7. Conclusions In this work, a failure isolation strategy has been developed under generalized likelihood ratio framework. In particular, the recurrence relationships involving signature matrices are developed for diagnosing sensor failures. A nonlinear version of the linear GLR method for isolation of sensor and actuator failures in nonlinear systems is then developed. For nonlinear systems, signature matrix computations are performed using EKF and linearized model matrices computed at each operating point. The information on sensor/actuator failures is further used for online reconfiguration of the state estimator and the controller/control scheme. In case of sensor failure, the state estimator is reconfigured by removing the measurement of the failed sensor from the measurement vector. If the observability property is preserved after sensor failure, then an inferential control scheme is employed subsequent to the failure. When an actuator failure is isolated, it is proposed to make modifications in the controller objectives or switch to a new controller to account for the loss of a degree of freedom. The efficacy of the proposed failure diagnosis and control structure reconfiguration schemes is demonstrated by conducting experimental studies on the benchmark heater-mixer set up. Analysis of the results reveals that the proposed strategies are able to isolate the failures accurately and recover the closed-loop performance by online reconfiguration of the controller/control scheme.

This appendix briefly describes the design procedure for the LQG controller. Consider a process with following state space representation x(k + 1) ) Φx(k) + Γuu(k) + w(k)

(91)

y(k) ) Cx(k) + v(k)

(92)

where v(k) and w(k) are zero mean Gaussian white noise sequences with known covariances. The regulator design problem is posed as an optimization problem where it is desired to determine state feedback controller u(k) ) -Gx(k) such that objective function

{∑ [

lim E Nf∞

(95)

y(k) ) Caxa(k) + v(k)

(96)

where xa(k) ) Φa )

[ ] [ ] x(k) ; β(k)

[ ] [ ]

w(k) wa(k) ) w (k) β

Φ Γβ ; [0] Iβ

Γua )

Γu 0

Ca ) [C [0] ] R1a ) E[wa(k) wa(k)T] ) R12a ) E[wa(k) v(k)T] )

[ ]

KV ; [0]

[

(97)

KVKT [0] Qβ [0]

(98)

]

(99)

R2a ) E[v(k) v(k)T] ) V

Using the above augmented model, Kalman predictor of form γa(k) ) y(k) - Cab xa(k|k - 1)

(100)

bxa(k + 1|k) ) Φab xa(k|k - 1) + Γuau(k - 1) + Kaγa(k)

Appendix: LQ Controller Design for Servo Control

J)

xa(k + 1) ) Φaxa(k) + Γuau(k) + wa(k)

(101) is formulated, where Ka Kalman gain matrix and b xa(k) represents the estimated state vector. Now, let r(k) represents the setpoint vector. Then, the setpoint tracking problem can be solved31 by modifying the state feedback control law as follows T u(k) ) us(k) - G[x a(k) - xs(k)]

Ku ) Ca(I - Φa)-1Γu ;

Kβ ) Cr(I - Φ)-1Γβ

us(k) ) K-1 u [r(k) - Kββ(k)]

(102) (103)

-1 xs(k) ) (I - Φ)-1[ΓuK-1 u r(k) + (Γβ - ΓuKu Kβ)β(k)] (104)

N-1

[Cx(k)]T[Cx(k)] + u(k)T Wuu(k)] +

k)0

T

Literature Cited

}

x(N) WNx(N)

(93)

is minimized. The optimal solution to this problem is computed by solving the steady state algebraic Riccati equations (ARE).

(1) Konstantopoulous, I. K.; Antsaklis, P. J. Eigenstructure Assignment in Reconfigurable Control System. Interdisciplinary Studies of Intelligent Systems; Technical Report; University of Notre Dame: Evanston, IL. 1996. (2) Kanev, S.; Verhaegen, M. Controller Reconfiguration for Nonlinear systems. Control Eng. Pract. 2000, 8, 1223–1235. (3) Joshi, S. M. Design of Failure-Accommodating Multiloop LQGType Controllers. IEEE Trans. Automat. Control 1981, 32 (8), 740–741.

Ind. Eng. Chem. Res., Vol. 48, No. 3, 2009 1535 (4) Yang, G. H.; Wang, J. L.; Soh, Y. C. Reliable LQG control of with sensor failures. IEE Proc. Control Theory Appl. 2000, 147 (4), 433–439. (5) Yang, G. H.; Wang, J. L.; Soh, Y. C. Reliable Control of Discrete Time Systems with Actuator Failure. IEE Proc. Control Theory Appl. 2000, 147 (4), 428–432. (6) Lee, J. H.; Gelormino, M. S.; Morari, M. Model Predictive Control of Multirate Sampled Data Systems: A State Space Approach. Int. J. Control 1992, 55, 153–191. (7) Yu, Z. H.; Li, W.; Lee, J. H.; Morari, M. State Estimation Based Model Predictive Control Applied to Shell Control Problem: A Case Study. Chem. Eng. Sci. 1994, 49 (3), 285–301. (8) Bemporad, A.; Ferrari-Trecate, G. Mignone, D.; Morari, M; Torrisi, F. D. Model Predictive Control - Ideas for the Next Generation. Proc. Eur. Control Conf. 1999. (9) Bajpai, G., Chang B. C., Kwanty H. G., Design of Fault Tolerant systems for Actuator Failures in Nonlinear Systems. Proc. Am. Control Conf. 2002 3618-3623. (10) Thomas, S., Chang B. C., Kwanty H. G., Controller Reconfiguration for Nonlinear Systems using Composite Observers Proc. Am. Control Conf. 2003 4779-4784. (11) Tao, G.; Chen, S.; Joshi, S. M. An Adaptive Actuator Failure Compensation Controller Using Output Feedback. IEEE Trans. Automat. Control 2002, 47, 3. (12) Mhaskar, P.; Gani, A.; Christofides, P. D. Fault Tolerant Control of Nonlinear Processes:Performance-based reconfiguration and robustness. Int. J. Robust Nonlin. Control 2006, 16 (3), 91–111. (13) Mhaskar, P. Robust Model Predictive Control Design for FaultTolerant Control of Process Systems. Ind. Eng. Chem. Res. 2006, 45 (25), 8565–8574. (14) Mhaskar, P; Gani, A; El-Farra, N. H.; McFall, C; Christofides, P. D.; Davis, J. F. Integrated Fault-Detection and Fault-Tolerant Control of Process Systems. AIChE 2006, 52, 2129–2148. (15) Mhaskar, P; McFall, C; Gani, A; Christofides, P. D.; Davis, J. F. Isolation and handling of actuator faults in nonlinear systems. Automatica 2008, 44, 53–62. (16) Mhaskar, P; Gani, A; McFall, C; Christofides, P. D.; Davis, J. F. Fault-Tolerant Control of Nonlinear Process Systems Subject to Sensor Faults. AIChE J. 2007, 53, 654–668. (17) Gandhi, R.; Mhaskar, P. Safe-parking of nonlinear process systems. Comput. Chem. Eng. 2008, 32 (9), 2113–2122. (18) Willsky, A. S.; Jones, H. L. A Generalized Likelihood Ratio Approach to the Detection and Estimation of Jumps in Linear Systems. IEEE Trans. Automat. Control 1974, 21 (1), 108–112. (19) Narasimhan, S. A Generalized Likelihood Ratio Method for Identification of gross Errors, Ph.D. Thesis, Evanston, IL, 1987.

(20) Narasimhan, S.; Mah, R. S. H. Generalized Likelihood Ratios for Gross Error Identification in Dynamic systems. AIChE 1988, 34, 1321– 1334. (21) Zamad, U. S.; Deshpande A. P.; Patwardhan, S. C. LQG Control with Reconfigurable State Estimator under Sensor Failure, Proc. of Dynamics and Control of Process Systems (DYCOPS), Cancun, Mexico, 6th June 2007. (22) Deshpande, A.; Patwardhan S. C.; Narasimhan S. Integrating Fault Diagnosis with Nonlinear Predictive Control, In Assessment and Future Directions of Nonlinear Model PredictiVe Control, Findeisen, R. et al. (Eds.), pp 513-521, Springer 2007. (23) Srinivasarao, M.; Patwardhan, S. C.; Gudi, R. D. Nonlinear Predictive Control of Irregularly Sampled Multirate Systems using Nonlinear Black Box Observers. Journal of Process Control 2007, 17 (1), 17–35. (24) Thornhill, N.;Patwardhan, S. C.;Shah, S. L.;A continuous stirred tank heater simulation model with applicationsJournal of Process Control2007, http://dx.doi.org/10.1016/j.jprocont.2007.07.006. (25) Prakash, J.; Patwardhan, S. C.; Narasimhan, S. A Supervisory Approach to Fault Tolerant Control of Linear Multivariable Control systems. Ind. Eng. Chem. Res. 2002, 41, 2270–2281. (26) Patwardhan, S. C.; Shah, S. L. From Data to Diagnosis and Control Using Generalized Orthonormal Basis Filters. Part I: Development of State Observers. J. Process Control 2005, 15, 819–835. (27) Patwardhan, S. C.; Manuja, S.; Narasimhan, S.; Shah, S. L From Data to Diagnosis and Control Using Generalized Orthonormal Basis Filters. Part II: Model Predictive and Fault Tolerant Control J. Process Control 2006, 16, 157-175. (28) Manuja, S.; Patwardhan, S. C.; Narasimhan, S. Unknown Input Modeling and Robust Fault Diagnosis using Black Box Observers. J. Process Control, 2009, 19 (1), 25–37. (29) Muske, K. R.; Edgar, T. F. Nonlinear State Estimation. In Nonlinear Process Control; Henson M. A., Seborg D. E., Eds.; Prentice Hall: 1997; pp 332-340. (30) Marlin, T. Process Control: Designing Processes and Control Systems for Dynamic Performance; McGraw-Hill International Editions, Chemical Engineering Series: New York, 1995. (31) Franklin, G. F.; Powell. J. D. Digital Control of Dynamic Systems; Addison-Wesley: Reading, MA, 1989. (32) Deshpande, A. P.; et al. Intelligent state estimation for fault tolerant nonlinear predictive controlJ. Process Control. 2008, doi:10.1016/j. jprocont.2008.04.006.

ReceiVed for reView February 25, 2008 ReVised manuscript receiVed October 4, 2008 Accepted October 28, 2008 IE8003122