
Ind. Eng. Chem. Res. 2006, 45, 8338-8351

Integrated Fault Detection and Fault-Tolerant Control Architectures for Distributed Processes

Nael H. El-Farra*
Department of Chemical Engineering and Materials Science, University of California, Davis, One Shields Avenue, Davis, California 95616-5294

* Tel: (530)754-6919. Fax: (530)752-1031. E-mail: nhelfarra@ucdavis.edu.

This paper presents an integrated fault detection (FD) and fault-tolerant control (FTC) architecture for spatially distributed processes described by quasi-linear parabolic partial differential equations (PDEs) with control constraints and control actuator faults. Under full state feedback conditions, the architecture integrates model-based fault detection, spatially distributed feedback, and supervisory control to orchestrate switching between different actuator configurations in the event of faults. The various components are designed on the basis of appropriate reduced-order models that capture the dominant dynamics of the distributed process. The fault detection filter replicates the dynamics of the fault-free reduced-order model and uses its behavioral discrepancy from that of the actual system as a residual for fault detection. Owing to the inherent approximation errors in the reduced-order model, appropriate fault detection and control reconfiguration criteria are derived for the implementation of the FTC architecture on the distributed system to prevent false alarms. The criteria are expressed in terms of residual thresholds that capture the closeness of solutions between the fault-free reduced and full-order models. A singular perturbations formulation is used to link these thresholds with the separation between the slow and fast eigenvalues of the spatial differential operator necessary for closed-loop stability. Under output feedback conditions, an appropriate state estimation scheme is incorporated into the control architecture, and the effects of estimation errors are accounted for in the design of the feedback controller, the fault detection filter, and the control reconfiguration logic. The proposed approach is successfully applied to the problem of constrained, actuator fault-tolerant stabilization of an unstable steady state of a representative diffusion-reaction process.

1. Introduction

The vulnerability of modern, automated industrial processes to faults, together with the increased emphasis placed on safety, reliability and profitability in the operation of industrial processes, provides a strong motivation for the development of systematic methods for the diagnosis and handling of faults. Faults in the control actuators, measurement sensors, or process equipment can lead to serious degradation in the system performance and may even lead to a complete breakdown of process operation if not handled properly in the control system design. In this light, it is only natural that the subject of fault-tolerant control (FTC) has become the focus of considerable research interest over the past few decades in both academic and industrial circles. The main objectives of FTC are to preserve the integrity of the process, ensure satisfaction of the operational objectives after the appearance of a fault (possibly after a short period of degraded performance), and prevent a fault from causing a failure at the system level. In general, FTC approaches can be classified as either passive or active. The passive approaches rely mainly on robust control techniques to enforce fault tolerance without altering the control structure (for example, refs 1 and 2), while the active FTC approaches handle faults explicitly through control system reconfiguration. The successful design and implementation of active FTC systems require the integration of two basic steps. The first step is fault diagnosis and involves the detection and identification of faults with sufficient accuracy on the basis of which remedial action can be taken. The literature on fault diagnosis is quite extensive and includes statistical and pattern recognition-based approaches (for example, refs 3-6) as well as model-based

approaches (for example, refs 7-13). Once the faults have been identified, the second step in FTC is that of fault handling, which is typically accomplished through reconfiguration of the control system to cancel the effects of the faults or to attenuate them to an acceptable level (for example, refs 14-17). Despite the extensive literature on fault diagnosis, most of the research work in this area has been concerned with lumped parameter systems described by ordinary differential equations. Many important chemical processes, however, are characterized by spatial variations, owing to the underlying physical phenomena such as diffusion, convection, and phase dispersion, and are modeled by partial differential equations (PDEs). While distributed parameter systems have been the subject of significant research work in process control over the past decade (for example, refs 18-29), the problem of designing FTC systems for such processes has received limited attention. Existing results have focused either on the fault diagnosis component alone, based mostly on the assumption of a linear process description (for example, ref 30) and without taking complexities, such as constraints or limited measurements, into account, or on the control reconfiguration strategy component alone (refs 31 and 32) under the assumptions that the faults are known and that complete state measurements are available. One of the fundamental issues that arise in model-based control of distributed processes is the issue of model reduction. Owing to their infinite-dimensional nature, the dynamic models of distributed processes cannot be used directly for the synthesis of practically implementable controllers. In the context of model-based FTC, this issue takes on greater significance since it not only affects the controller synthesis but also impacts the design of the fault diagnostic filters, which need to be designed on the basis of similar, reduced-order models, to be suitable for practical implementation. Owing to the approximation errors inherent in the reduced-order models, it is important that the fault diagnosis filters be designed and implemented in a way that allows them to discriminate between approximation errors and the errors caused by the faults. Furthermore, the design of an effective FTC system requires that the fault diagnosis filters be integrated with the control reconfiguration component and that complexities such as nonlinear behavior, constraints, and limited measurements be explicitly accounted for in the FTC strategy. Motivated by the considerations above, we develop in this paper a hierarchical FTC architecture that integrates model-based fault detection, feedback, and supervisory control for spatially distributed processes described by quasi-linear parabolic partial differential equations with control constraints and control actuator faults. The architecture is designed on the basis of appropriate reduced-order models that capture the dominant dynamics of the distributed process.

The rest of the paper is organized as follows. Following some mathematical preliminaries in Sections 2 and 3, the FTC architecture under full state feedback is presented in Section 4. In this case, the architecture consists of a family of spatially distributed control configurations, together with a fault detection filter and a supervisor. For each configuration, a stabilizing feedback controller is obtained, and its stability region is explicitly characterized in terms of the control constraints and actuator locations. A fault detection filter that replicates the dynamics of the fault-free reduced-order model is designed, and its behavioral discrepancy from that of the actual system is used as a residual for fault detection. Precise fault detection and control reconfiguration criteria, in terms of the separation between the slow and fast eigenvalues of the spatial differential operator, are derived for the implementation of the FTC architecture on the infinite-dimensional system. Finally, a switching law based on the stability regions of the constituent control configurations is derived to orchestrate the transition from the faulty actuators to a well-functioning fallback configuration with a different spatial arrangement. The state feedback architecture is then extended in Section 5 to address the output feedback problem. The proposed approach is successfully applied in Section 6 to the problem of constrained, fault-tolerant stabilization of an unstable steady state of a diffusion-reaction process.

10.1021/ie060052i CCC: $33.50 © 2006 American Chemical Society Published on Web 04/14/2006

2. Preliminaries

2.1. Scope. In this work, we focus on spatially distributed processes described by quasi-linear parabolic PDEs of the form:

$$\frac{\partial \bar{x}}{\partial t} = \alpha \frac{\partial^2 \bar{x}}{\partial z^2} + \beta \frac{\partial \bar{x}}{\partial z} + f(\bar{x}) + \omega\, b^k(z)\,[u^k(t) + f_a^k(t)] \quad (1)$$

$$|u^k| \le u^k_{\max}, \qquad k(t) \in K := \{1, 2, \cdots, N\}, \qquad N < \infty \quad (2)$$

$$y_m^{\mu}(t) = \int_{\eta_1}^{\eta_2} q_{\mu}(z)\,\bar{x}(t, z)\,dz, \qquad \mu = 1, 2, \cdots, l \quad (3)$$

subject to the boundary and initial conditions:

$$c_i \bar{x}(\eta_1, t) + d_i \frac{\partial \bar{x}}{\partial z}(\eta_2, t) = r_i, \quad i = 1, 2, \qquad \bar{x}(z, 0) = \bar{x}_0(z) \quad (4)$$

where $\bar{x}(z, t) \in \mathbb{R}$ denotes the state variable; $z \in [\eta_1, \eta_2] \subset \mathbb{R}$ is the spatial coordinate; $t \in [0, \infty)$ is the time; $f(\bar{x})$ is a nonlinear function; $u^k = [u_1^k, u_2^k, \ldots, u_m^k]^T$ denotes the vector of constrained manipulated inputs (control actuators) associated with the kth control configuration; $|\cdot|$ is the standard Euclidean norm in $\mathbb{R}^m$; $u^k_{\max}$ is a positive real number that captures the size of the constraints; $b^k(z) = [b_1^k(z)\ b_2^k(z)\ \cdots\ b_m^k(z)]$, $f_a^k = [f_{a,1}^k\ f_{a,2}^k\ \cdots\ f_{a,m}^k]^T$ where $f_{a,i}^k \in \mathbb{R}$ denotes a fault in the ith control actuator of the kth control configuration; $k(t)$ is a discrete variable that takes values in a finite set K and denotes which control configuration is active at any given time; and $y_m^{\mu}$ is a measured output. $\alpha, \beta, \omega, c_i, d_i$, and $r_i$ are constant coefficients with $\alpha > 0$, and $\bar{x}_0(z)$ is a smooth function of z. The functions $b_i^k(z) \in L_2(\eta_1, \eta_2)$ and $q_{\mu}(z) \in L_2(\eta_1, \eta_2)$ are square integrable functions of z that describe, respectively, how the control action, $u_i^k(t)$, and how the measurement output, $y_m^{\mu}$, are distributed in the interval $[\eta_1, \eta_2]$. Throughout the paper, the notations $\|\cdot\|$ and $\|\cdot\|_2$ will be used to denote the $L_2$ norms associated with a finite-dimensional and an infinite-dimensional Hilbert space, respectively. The order of magnitude notation $O(\varepsilon)$ will also be used. In particular, $\delta(\varepsilon) = O(\varepsilon)$ if there exist positive real numbers $k_1$ and $k_2$ such that $|\delta(\varepsilon)| \le k_1 |\varepsilon|$, $\forall\, |\varepsilon| \le k_2$. Finally, the notation $x(T^+)$ denotes the limit of the trajectory $x(t)$ as T is approached from the right, i.e.:

$$x(T^+) = \lim_{t \to T^+} x(t)$$

For a precise characterization of the class of PDEs considered in this work, we formulate the PDE of eqs 1-4 as an infinite-dimensional system in the state space $H = L_2(\eta_1, \eta_2)$, with inner product and norm:

$$(\omega_1, \omega_2) = \int_{\eta_1}^{\eta_2} \omega_1(z)\,\omega_2(z)\,dz, \qquad \|\omega_1\|_2 = (\omega_1, \omega_1)^{1/2} \quad (5)$$

where $\omega_1, \omega_2$ are two elements of $L_2(\eta_1, \eta_2)$. Defining the state function, $x(t)$, on the state space H as $x(t) = \bar{x}(z, t)$, $t > 0$, $\eta_1 < z < \eta_2$, the operator A as

$$A\phi = \alpha \frac{d^2 \phi}{dz^2} + \beta \frac{d\phi}{dz}, \qquad \eta_1 < z < \eta_2$$

where $\phi(z)$ is a smooth function on $(\eta_1, \eta_2)$ with $c_i \phi(\eta_1) + d_i (d\phi/dz)(\eta_2) = r_i$, $i = 1, 2$, with the following dense domain: $D(A) = \{\phi(z) \in L_2(\eta_1, \eta_2) : \phi(z), d\phi/dz \text{ are absolutely continuous}, A\phi \in L_2(\eta_1, \eta_2), c_i \phi(\eta_1) + d_i (d\phi/dz)(\eta_2) = r_i, i = 1, 2\}$, and defining the input and output operators as

$$B^k u^k = \omega \sum_{i=1}^{m} b_i^k(\cdot)\, u_i^k, \qquad Qx = [(q_1, x)\ (q_2, x)\ \cdots\ (q_l, x)]$$

the system of eqs 1-4 takes the form:

$$\dot{x} = Ax + B^k (u^k + f_a^k) + f(x), \quad x(0) = x_0, \qquad y_m = Qx \quad (6)$$

where $f(x(t)) = f(\bar{x}(z, t))$ and $x_0 = \bar{x}_0(z)$. We assume that $f(x)$ is locally Lipschitz and satisfies $f(0) = 0$. For A, the eigenvalue problem is defined as

$$A\phi_j = \lambda_j \phi_j, \qquad j = 1, \ldots, \infty$$

where $\lambda_j$ denotes an eigenvalue and $\phi_j$ denotes an eigenfunction. The eigenspectrum of A, $\sigma(A)$, is defined as the set of all eigenvalues of A, i.e., $\sigma(A) = \{\lambda_1, \lambda_2, \ldots\}$. Assumption 1 that follows states that the eigenspectrum of A can be partitioned into a finite part consisting of m slow eigenvalues and a stable infinite complement containing the remaining fast eigenvalues and that the separation between the slow and fast eigenvalues of A is large.33


Assumption 1: (1) $\mathrm{Re}\{\lambda_1\} \ge \mathrm{Re}\{\lambda_2\} \ge \cdots \ge \mathrm{Re}\{\lambda_j\} \ge \cdots$, where $\mathrm{Re}\{\lambda_j\}$ denotes the real part of $\lambda_j$. (2) $\sigma(A)$ can be partitioned as $\sigma(A) = \sigma_1(A) + \sigma_2(A)$, where $\sigma_1(A)$ consists of the first m (with m finite) eigenvalues, i.e., $\sigma_1(A) = \{\lambda_1, \ldots, \lambda_m\}$, and $|\mathrm{Re}\{\lambda_1\}| / |\mathrm{Re}\{\lambda_m\}| = O(1)$. (3) $\mathrm{Re}\{\lambda_{m+1}\} < 0$ and $|\mathrm{Re}\{\lambda_m\}| / |\mathrm{Re}\{\lambda_{m+1}\}| = O(\varepsilon)$, where $\varepsilon < 1$ is a small positive number.

Remark 1: The assumption of a finite number of unstable eigenvalues is always satisfied for parabolic PDE systems,34 while the assumption of discrete eigenspectrum and the assumption of existence of only a few dominant modes that describe the dynamics of the parabolic PDE system are usually satisfied by the majority of diffusion-convection-reaction processes.18,22

2.2. Problem Formulation and Solution Methodology. Consider the system of eqs 1-4 (and its abstract representation in eq 6) for which N distinct control actuator configurations are available for possible use in feedback control. Each control configuration is characterized by a distinct spatial placement of its m constrained control actuators. The notation $z_a^k$ represents the vector of spatial locations of the control actuators in the kth configuration. At any given time, only one actuator configuration is active for control, while the rest are kept dormant. We assume that operation starts using control configuration k and that, at some unknown time, a fault occurs in this configuration. The problems under consideration include how to detect that a fault has occurred and, upon detection, to decide which of the available N - 1 fall-back actuator configurations should be activated to maintain closed-loop stability and achieve FTC. To address these problems, we formulate the following objectives: (1) Initially, model reduction techniques are employed to derive a finite-dimensional system that captures the dominant dynamics of the infinite-dimensional system of eq 6. (2) Then, the approximate finite-dimensional system is used to synthesize, for each control configuration, a stabilizing bounded nonlinear feedback controller and explicitly characterize its constrained stability region. (3) Next, a fault detection filter that replicates the fault-free closed-loop behavior of the approximate finite-dimensional system is designed. Appropriate fault detection criteria are established to distinguish faults from approximation and estimation errors. (4) Finally, a switching law is devised to orchestrate the transition from the faulty actuator configuration to a well-functioning fall-back in a way that respects control constraints and maintains closed-loop stability. In the next section, we address the first objective by applying the standard Galerkin method to the system of eq 6 and deriving an approximate finite-dimensional system to be used as the basis for the design of the integrated fault detection and FTC architecture.

3. Model Reduction

Let $H_s, H_f$ be modal subspaces of A, defined as $H_s = \mathrm{span}\{\phi_1, \phi_2, \ldots, \phi_m\}$ and $H_f = \mathrm{span}\{\phi_{m+1}, \phi_{m+2}, \ldots\}$ (the existence of $H_s, H_f$ follows from Assumption 1). Defining the orthogonal projection operators $P_s$ and $P_f$ such that $x_s = P_s x$, $x_f = P_f x$, the state x of the system of eq 6 can be decomposed as

$$x = x_s + x_f = P_s x + P_f x \quad (7)$$

Applying $P_s$ and $P_f$ to the system of eq 6 and using the above decomposition for x, the system of eq 6 can be rewritten in the following equivalent form:

$$\dot{x}_s = A_s x_s + B_s^k (u^k + f_a^k) + f_s(x_s, x_f)$$
$$\dot{x}_f = A_f x_f + B_f^k (u^k + f_a^k) + f_f(x_s, x_f) \quad (8)$$
$$y_m = Q x_s + Q x_f, \qquad x_s(0) = P_s x_0, \quad x_f(0) = P_f x_0$$

where $A_s = P_s A$, $B_s = P_s B$, $f_s = P_s f$, $A_f = P_f A$, $B_f = P_f B$, and $f_f = P_f f$. In the above system, $A_s$ is a diagonal matrix of dimension $m \times m$ of the form $A_s = \mathrm{diag}\{\lambda_j\}$; $f_s(x_s, x_f)$ and $f_f(x_s, x_f)$ are Lipschitz nonlinear functions; and $A_f$ is an unbounded differential operator that is exponentially stable (following from Assumption 1, part 3, and the selection of $H_s, H_f$). In the remainder of the paper, we will refer to the $x_s$ and $x_f$ subsystems as the slow and fast subsystems, respectively. Neglecting the fast and stable infinite-dimensional $x_f$ subsystem in eq 8, the following approximate, m-dimensional slow system is obtained:

$$\frac{d\bar{x}_s}{dt} = A_s \bar{x}_s + B_s^k (u^k + f_a^k) + f_s(\bar{x}_s, 0), \qquad \bar{y}_m = Q \bar{x}_s \quad (9)$$

where the bar symbol in $\bar{x}_s$ and $\bar{y}_m$ denotes that these variables are associated with a finite-dimensional system. The system of eq 9 will be referred to as the reduced system. In the next two sections, we present a control architecture that integrates fault detection and control system reconfiguration to address the objectives outlined in Subsection 2.2. To highlight the main features of this methodology, we begin in the next section with the state feedback case where the state, $\bar{x}(z, t)$, is assumed to be available for measurement at all locations, $z \in [\eta_1, \eta_2]$, and for all times. The output feedback case is treated in Section 5.

4. Fault-Tolerant Control Strategy under Full State Feedback

Having obtained a finite-dimensional system that approximates the dominant dynamics of the infinite-dimensional system, we proceed in Subsection 4.1 first to describe the design procedure for the various components of the FD-FTC architecture under full state feedback conditions. We then turn to the implementation of this architecture on the infinite-dimensional system in Subsection 4.2.

4.1. Finite-Dimensional FD-FTC Architecture. The main components of the FD-FTC architecture include the feedback controller, the fault detection filter, and the supervisor. Below is a discussion of how each component is designed and a characterization of its properties.

4.1.1. Feedback Controller Synthesis. The objectives of this step are to (a) synthesize, for each actuator configuration, a stabilizing feedback controller that respects the control constraints, and (b) explicitly characterize the stability region associated with each controller in terms of the constraints and the actuator locations. There are several controller design methods that can be used to satisfy these objectives.
Examples include bounded Lyapunov-based controller designs26,35 and hybrid predictive controller designs.36 For the sake of generality, we will not limit ourselves in the remainder of this paper to any particular controller design method. Instead, we will assume that the desired controllers have already been synthesized and their stability regions explicitly characterized (see ref 31 for how to obtain explicit expressions for the controllers and their stability regions).

Assumption 2: For each $k \in K$, there exists (i) a bounded feedback control law of the general form:

$$u^k = p(\bar{x}_s, u^k_{\max}, z_a^k) \quad (10)$$

where $p(\cdot)$ is a nonlinear function and $z_a^k$ is the vector denoting the control actuators' placement, and (ii) a set $\bar{\Omega}_s^k(u^k_{\max}, z_a^k) := \{\bar{x}_s \in H_s : \|\bar{x}_s\| \le \bar{\delta}_s^k\}$ such that $|u^k| \le u^k_{\max}$ for all $\bar{x}_s \in \bar{\Omega}_s^k(u^k_{\max}, z_a^k)$ and the origin of the closed-loop system:

$$\dot{\bar{x}}_s = A_s \bar{x}_s + B_s\, p(\bar{x}_s, u^k_{\max}, z_a^k) + f_s(\bar{x}_s, 0) \quad (11)$$

is exponentially stable for all $\bar{x}_s(0) \in \bar{\Omega}_s^k(u^k_{\max}, z_a^k)$.

Remark 2: Note that the feedback control laws for the different actuator configurations share the same structure and differ only in where the control action is applied. Furthermore, owing to the dependence of the control action on the actuator locations, the presence of control constraints imposes fundamental limitations on where the actuators can be placed to achieve stabilization from a given initial condition. For a given initial condition, $\bar{\Omega}_s^k$ characterizes the set of admissible actuator locations. Alternatively, for a fixed actuator location, $\bar{\Omega}_s^k$ describes the feasible initial conditions. Knowledge of the feasible initial conditions and actuator locations is necessary not only for stabilization under a given control configuration but also for the design of the control reconfiguration logic that needs to be implemented by the supervisor in the event of faults (see Section 4.1.3).

4.1.2. Fault Detection Filter Design. The main task in any model-based fault detection scheme is the generation of residual signals whose time evolution is indicative of whether the monitored system's actual response has deviated from the expected, or healthy, behavior. Referring to the reduced system of eq 9, fault detection can be accomplished by constructing a finite-dimensional system (filter) that simulates its closed-loop behavior in the absence of faults, comparing this fault-free behavior with the actual response of the system of eq 9 and using the difference between the two behaviors, if any, as a residual signal to detect faults. To this end, we consider the following system:

$$\dot{w} = A_s w + B_s\, p(w, u^k_{\max}, z_a^k) + f_s(w, 0), \qquad r = \|w - \bar{x}_s\| \quad (12)$$

where $w \in H_s$ is the filter state and r is the residual. The fault detection filter of eq 12 uses a replica of the approximate closed-loop slow (reduced) dynamics. Therefore, when its state is initialized at the same value as the reduced system, the evolution of $w(t)$ will be identical to $\bar{x}_s(t)$, and hence $r(t) = 0$, in the absence of faults. In the presence of faults, the effect of the fault is registered by a change in the evolution of $\bar{x}_s$, but not in that of the filter state (since the filter state dynamics include only the computed control action, $u^k$, and not the implemented control action, $u^k + f_a^k$). This change is detected by a nonzero value of $r(t)$ and declared as a fault. Note that both partial and complete actuator failures can be detected in this manner. Note also that the same filter design principle can be used to detect faults that do not necessarily appear in the control actuators, as long as they influence the evolution of the state variables.
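The following script is an added, constructed illustration (example code, not from the paper) of the filter of eq 12 together with the switching rule of eq 13 (Section 4.1.3) and a residual threshold of the kind Proposition 2 (Section 4.2.2) introduces: a two-slow-mode reduced model with one fast mode standing in for the neglected $x_f$ is driven with a saturated controller, the filter is run alongside it with the computed (not implemented) action, and the supervisor switches to a fallback configuration only if its stability region contains the slow state at detection. The eigenvalues, eigenfunctions, nonlinearity, controller, stability radii, initial state and threshold values are all assumptions; in particular the stability radius is a heuristic stand-in for the explicit characterization the paper takes from ref 31.

```python
"""Constructed 2-slow-mode illustration of the fault detection filter (eq 12)
and the switching rule (eq 13); example code, not from the paper."""
import math

# Constructed reduced model: one unstable and one stable slow eigenvalue, plus
# one fast stable mode standing in for the neglected x_f subsystem.
LAMBDA = (2.0, -4.0)          # slow eigenvalues lambda_1 > 0 > lambda_2
LAMBDA_F = -40.0              # fast eigenvalue, |lambda_2| / |lambda_f| is small
U_MAX = 2.0                   # constraint |u^k| <= u_max (assumed value)
CONFIGS = {1: 0.25, 2: 0.5}   # point-actuator location z_a^k per configuration
DT = 1e-3                     # Euler step


def phi(j, z):
    """Eigenfunction j of the constructed operator on [0, 1]."""
    return math.sqrt(2.0) * math.sin(j * math.pi * z)


def b_vec(z_a):
    """Modal gains (b_1^k, b_2^k, b_f^k) of a point actuator placed at z_a."""
    return phi(1, z_a), phi(2, z_a), phi(3, z_a)


def p(xs, z_a):
    """Bounded controller of the form of eq 10 (constructed): cancel the
    unstable mode and saturate. The gain grows as z_a nears a node of phi_1."""
    u = -(LAMBDA[0] + 3.0) * xs[0] / phi(1, z_a)
    return max(-U_MAX, min(U_MAX, u))


def delta_s(z_a):
    """Heuristic radius of the stability region Omega_bar_s^k(u_max, z_a): a
    stand-in for the explicit characterization the paper takes from ref 31."""
    return 0.8 * phi(1, z_a) * U_MAX / LAMBDA[0]


def f_slow(x1, x2, xf):
    """Lipschitz nonlinearity f_s; the x1*xf term couples slow and fast modes,
    so the reduced model (xf = 0) never matches the plant exactly."""
    return 0.2 * x1 * x2 + 0.3 * x1 * xf, -0.2 * x1 * x1


def step_plant(x, z_a, loss):
    """Euler step of the slow/fast subsystems of eq 8 with implemented action
    u + f_a, where the fault f_a = -loss * u removes a fraction of the action."""
    x1, x2, xf = x
    b1, b2, bf = b_vec(z_a)
    u = (1.0 - loss) * p((x1, x2), z_a)
    f1, f2 = f_slow(x1, x2, xf)
    ff = 0.2 * x1 * x2
    return (x1 + DT * (LAMBDA[0] * x1 + b1 * u + f1),
            x2 + DT * (LAMBDA[1] * x2 + b2 * u + f2),
            xf + DT * (LAMBDA_F * xf + bf * u + ff))


def step_filter(w, z_a):
    """Euler step of the filter of eq 12: reduced model, xf = 0, and the
    computed (not the implemented) control action."""
    b1, b2, _ = b_vec(z_a)
    u = p(w, z_a)
    f1, f2 = f_slow(w[0], w[1], 0.0)
    return (w[0] + DT * (LAMBDA[0] * w[0] + b1 * u + f1),
            w[1] + DT * (LAMBDA[1] * w[1] + b2 * u + f2))


def run(threshold, t_fault=None, loss=1.0, t_end=5.0):
    """Closed loop starting on configuration 1; at t_fault its actuator loses
    the fraction `loss` of its action. The supervisor declares a fault when the
    residual exceeds `threshold` (delta_d) and applies the rule of eq 13."""
    k, t = 1, 0.0
    x = (0.5, 0.2, 0.3)            # constructed initial slow/fast state
    w = (x[0], x[1])               # filter initialised at the slow state
    r_max, t_detect, fallback = 0.0, None, None
    while t < t_end:
        faulty = k == 1 and t_fault is not None and t >= t_fault
        x = step_plant(x, CONFIGS[k], loss if faulty else 0.0)
        w = step_filter(w, CONFIGS[k])
        t += DT
        r = math.hypot(w[0] - x[0], w[1] - x[1])   # residual r = ||w - x_s||
        r_max = max(r_max, r)
        if t_detect is None and r > threshold:
            t_detect = t
            norm = math.hypot(x[0], x[1])
            # eq 13: switch to a fallback whose stability region holds x_s(T_f)
            for nu, z in CONFIGS.items():
                if nu != k and norm <= delta_s(z):
                    fallback = nu
                    break
            if fallback is None:   # no admissible fallback: shutdown
                return {"t_detect": t_detect, "fallback": None,
                        "r_max": r_max, "final_norm": norm}
            k = fallback
            w = (x[0], x[1])       # assumption: re-initialise the filter on switch
    return {"t_detect": t_detect, "fallback": fallback,
            "r_max": r_max, "final_norm": math.hypot(x[0], x[1])}


if __name__ == "__main__":
    print("fault-free:", run(0.05))
    print("fault at t=1, tight threshold:", run(0.05, t_fault=1.0))
    print("fault at t=1, loose threshold:", run(1.5, t_fault=1.0))
```

With the tight threshold the fault-free residual stays far below $\delta_d$ (no false alarm from the fast-mode coupling) while the failure at t = 1 is caught early enough for configuration 2 to take over; with the loose threshold the unstable mode has already left every fallback's stability region by the time the residual crosses it, which is the late-detection case Remark 3 warns about.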

4.1.3. Control Reconfiguration Logic. Having detected a fault in the operating control configuration, the supervisor needs to determine which of the available backup configurations can be activated to maintain closed-loop stability. Theorem 1 below describes how the fault detection and control reconfiguration tasks are integrated to ensure fault-tolerance in the closed-loop reduced system. The proof is given in the Appendix.

Theorem 1: Consider the approximate, finite-dimensional closed-loop system of eqs 9 and 10 with $k(0) = j \in K$ and $\bar{x}_s(0) \in \bar{\Omega}_s^j$. Consider also the system of eq 12 with $w(0) = \bar{x}_s(0)$. Let $T_d^j$ be such that $f_a^j(t) \equiv 0$ for all $0 \le t < T_d^j$. Then $r(T_d^j) > 0$ if and only if $f_a^j(T_d^j) \ne 0$. Furthermore, let $t = T_f^j$ be the earliest time for which $r(t) > 0$; then the switching rule given by

$$k(t) = \begin{cases} j, & 0 \le t < T_f^j \\ \nu \ne j, & t \ge T_f^j,\ \bar{x}_s(T_f^j) \in \bar{\Omega}_s^{\nu}(u^{\nu}_{\max}, z_a^{\nu}) \end{cases} \quad (13)$$

exponentially stabilizes the origin of the closed-loop system.

Remark 3: The switching law of eq 13 ensures that the fallback actuator configuration that is activated and implemented following fault detection is one that guarantees closed-loop stability in the presence of constraints. This is accomplished by choosing a configuration whose stability region contains the state at the time of fault detection. In the event that more than one fall-back configuration satisfies this condition, additional performance criteria (e.g., control effort, response speed) could be introduced to further discriminate between the candidate control configurations. For example, using the notion of spatial controllability37 as a measure, one could choose the configuration whose actuator locations provide maximum control authority over the entire spatial domain. This allows actuator re-configuration to be carried out in a way that accounts for optimality considerations in addition to stability considerations. Early detection of a fault enhances the chances of taking corrective action (Theorem 1 guarantees that a fault is detected as soon as it occurs). If a fault is not detected in a timely manner, its destabilizing effect could possibly drive the state outside the stability regions of all the backup configurations before the supervisor can take action (see the simulation study in Section 6 for a demonstration of this point). In this case, stability cannot be preserved and a process shutdown becomes unavoidable. Enlarging the stability regions of the various actuator configurations (through appropriate selection of $u^k_{\max}, z_a^k$) and/or increasing the number of fall-back control configurations, N, if possible, helps minimize this possibility.

4.2. Implementation on the Infinite-Dimensional System: A Singular Perturbations Formulation.
Having designed the various components of the FD-FTC architecture on the basis of the reduced-order model, we proceed in this subsection to characterize how each component is implemented on the full-order model and what, if any, modifications need to be made to ensure the desired stability and performance properties in the infinite-dimensional closed-loop system.

4.2.1. Feedback Controller Implementation. Proposition 1 that follows characterizes the stability properties of the state feedback controller of eq 10 when implemented on the infinite-dimensional system of eq 8. The proof, which relies on formulating the infinite-dimensional closed-loop system as a singularly perturbed system and analyzing its stability properties, is conceptually similar to the proof of Theorem 1 in ref 26 and is omitted for brevity.

Proposition 1: Consider the system of eq 8, for a fixed $k \in K$, under the feedback control law $u^k = p(x_s, u^k_{\max}, z_a^k)$, where $p(\cdot)$ was defined in Assumption 2. Then given any $\delta_s^k > 0$ such that the set $\Omega_s^k := \{x_s \in H_s : \|x_s\| \le \delta_s^k\} \subset \bar{\Omega}_s^k$, where $\bar{\Omega}_s^k$ was defined in Assumption 2, and given any $\delta_f^k > 0$, there exists a positive real number, $\varepsilon^*$, such that if $\varepsilon_k \in (0, \varepsilon^*]$, $x_s(0) \in \Omega_s^k$, and $\|x_f(0)\|_2 \le \delta_f^k$, the origin of the closed-loop system is asymptotically (and locally exponentially) stable.

Remark 4: Proposition 1 establishes that a controller satisfying Assumption 2 continues to enforce closed-loop stability for the infinite-dimensional system provided that the separation between the slow and fast eigenvalues of the spatial differential operator is large enough. This separation property, characteristic of highly dissipative PDEs, allows preserving the stability region associated with the reduced system in the sense that, for sufficiently small $\varepsilon_k$, the discrepancy between the stability region of the slow subsystem in eq 8, $\Omega_s^k$, and the stability region of the reduced system of eq 9, $\bar{\Omega}_s^k$, can be made arbitrarily small.

4.2.2. Implementation of Fault Detection Filter. When the filter of eq 12 is implemented on the infinite-dimensional system, its behavior has to be compared with the behavior of the actual slow subsystem, $x_s$, not the approximate slow state, since it is $x_s$, not $\bar{x}_s$, that is available for measurement in the state feedback setting. This motivates re-defining the residual as follows:

$$\dot{w} = A_s w + B_s\, p(w, u^k_{\max}, z_a^k) + f_s(w, 0), \qquad r = \|w - x_s\| \quad (14)$$

The residual defined in this manner provides a measure of the discrepancy between the evolution of the closed-loop reduced system of eq 9 with $f_a^k = 0$ and the evolution of the actual closed-loop slow subsystem in eq 8. Since the discrepancy can be solely due to the approximation error (resulting from neglecting $x_f$ in deriving eq 9), and not necessarily due to faults, the filter should be designed so that it does not treat any discrepancy as an indicator of an actuator fault (i.e., to prevent false alarms). To this end, it is important to establish a bound on the residual which captures the expected difference in behavior in the absence of faults. This bound, which is established in Proposition 2 below, will be used by the supervisor as a fault-detectability threshold to decide when a fault has occurred and consequently when to switch actuator configurations. The proof of this proposition can be found in the Appendix.

Proposition 2: Consider the closed-loop system of eqs 8 and 10, for a fixed $k \in K$ with $f_a^k \equiv 0$. Consider also the system of eq 14. Then, given the set of positive real numbers $\{\delta_s^k, \delta_f^k, \delta_d^k\}$, where $\delta_s^k$ is as defined in Proposition 1 and $\delta_f^k$ and $\delta_d^k$ are arbitrary, there exists a positive real number, $\varepsilon'$, such that if $\varepsilon_k \in (0, \varepsilon']$, $\|x_s(0)\| \le \delta_s^k$, $\|x_f(0)\|_2 \le \delta_f^k$, and $w(0) = x_s(0)$, the residual of eq 14 satisfies a relation of the form $r(t) \le \delta_d^k$ $\forall\, t \ge 0$.

Remark 5: Proposition 2 provides a direct linkage between the fault detection threshold, $\delta_d^k$, and the extent of separation, $\varepsilon_k$, between the slow and fast eigenvalues of the infinite-dimensional system. Specifically, the threshold can be chosen by the designer to be arbitrarily small provided that $\varepsilon_k$ is sufficiently small. As shown in the Appendix (see Proof of Proposition 2), this connection exists owing to the closed-loop stability properties (Proposition 1), which allow controlling the closeness between the solution of the reduced system of eq 9 and the solution of the slow subsystem in eq 8 by proper choice of $\varepsilon_k$. Since the choice of $\varepsilon_k$ fixes the order of the approximate system of eq 9, the result of Proposition 2 implies that a tighter detection threshold (which could be desirable to minimize detection delays) requires a higher-order approximate model. In the asymptotic limit (as $\varepsilon_k \to 0$), the detection threshold tends to zero and the fault detection filter becomes infinite-dimensional. In this light, from a practical implementation standpoint, it is important that the designer carefully balance the resulting tradeoff between the need for tight fault detection criteria and the need to design practically implementable (low-dimensional) filters that are suitable for fault detection.

Remark 6: It is important to highlight some of the fundamental differences that arise when the above fault detection and control designs are applied to the linear case. To this end, consider the system of eqs 8 and 10 with $f_s(x_s, x_f) = f_f(x_s, x_f) = 0$. In the absence of the nonlinear terms responsible for interconnecting the fast and slow subsystems, the nominal closed-loop slow subsystem with $f_a^k = 0$ becomes identical to the finite-dimensional system of eqs 9 and 10 with $f_a^k = 0$, and hence identical to the system of eq 12. This has important implications for the fault detection scheme. Specifically, it implies that, unlike the nonlinear case, any discrepancy between the evolution of the actual slow state $x_s$ and the filter state w will be solely due to faults and will not include any approximation errors (no approximation errors exist in this case since the slow states evolve independently of the fast states given the fact that the control action depends on the slow states only). In other words, the possibility of false alarms due to model reduction errors in the filter design is precluded in the linear case, and a nonzero fault-detectability threshold similar to the one in Proposition 2 is not needed on account of this fact alone (such a threshold may still be needed when errors due to model uncertainty need to be accounted for).

4.2.3. Implementation of Control Reconfiguration Logic. The switching logic of eq 13 is based on monitoring where the reduced system state, $\bar{x}_s$, is with respect to the stability regions, $\bar{\Omega}_s^k$. The same logic applies when considering the full system except that the supervisor monitors the actual slow state, $x_s$, with respect to the slow stability regions $\Omega_s^k$. Theorem 2 below establishes that the control reconfiguration logic based on the finite-dimensional system continues to enforce fault-tolerance in the infinite-dimensional closed-loop system provided that the separation between the slow and fast eigenmodes is large enough. The proof is sketched in the Appendix.

Theorem 2: Consider the closed-loop system of eqs 8 and 10 with $k(0) = j \in K$, and the system of eq 12 with $w(0) = x_s(0)$. Then, given the set of positive real numbers, $\{\delta_s^j, \delta_f^j, \delta_d^j\}$, where $\delta_s^j$ was defined in Proposition 1, and given a fault, $f_a^j$, for which $r(t) > \delta_d^j$ for some $t > 0$, there exists $\varepsilon_s > 0$ such that if $\varepsilon_j \in (0, \varepsilon_s]$, $\|x_s(0)\| \le \delta_s^j$, $\|x_f(0)\|_2 \le \delta_f^j$, $w(0) = x_s(0)$, the control-reconfiguration rule given by

k(t) )

{

0 e t < Tjf j ν * j t g Tjf, xs(Tjf) ∈ Ωνs (uνmax, zνa )

}

(15)

where Tjf is the earliest time such that r(t) > δjd, asymptotically stabilizes the origin of the closed-loop system. Remark 7: Since the filter of eq 14 is designed to only detect faults, a residual exceeding the threshold indicates that some fault has occurred in one or more actuator of the active control configuration but does not pinpoint the location of the fault. This necessitates that the supervisor shut down all the actuators of the current configuration upon fault detection (including possibly healthy ones) and switch to an appropriate fall-back configuration whose entire set of actuators are well-functioning.


To avoid the unnecessary shutdown of healthy actuators, a fault-isolation scheme that identifies the faulty actuators within the active configuration needs to be added to the FTC architecture. This issue is the subject of other research work.

Remark 8: In the case of a partial failure, unless the faulty actuator configuration is shut down, the backup control configurations will have to be redesigned to be robust with respect to the bounded disturbance generated by the faulty configuration (for the backup control configuration, the unmeasured actuator action of the faulty control configuration will act as a disturbance and will be bounded because of the limited capacity of the actuator). By shutting down the faulty configuration, however, the source of the disturbance is eliminated and no controller redesign is needed for the backup control configurations.

5. Output Feedback Fault-Tolerant Control Architecture

The feedback controller, fault detection filter, and switching rule described in the previous section were designed under the assumption that measurements of the state, $\bar{x}(z, t)$, are available at all positions and times. In this section, we present an output feedback FD-FTC architecture that requires measurements of the state only at a finite number of spatial positions. Given the parallels with the state feedback architecture, we focus mainly on how the lack of full state measurements influences the design and implementation of the various components of the FD-FTC structure.

5.1. Output Feedback Controller Synthesis. To facilitate the synthesis of an output feedback controller that preserves the closed-loop stability properties under state feedback, we impose the following requirement in order to obtain estimates of the state of the finite-dimensional system of eq 9 from the measurements.

Assumption 3: $l = m$ (i.e., the number of measurements is equal to the number of slow modes), and the inverse of the operator $Q$ exists, so that $\hat{x}_s = Q^{-1} y_m$.

The requirement that $Q^{-1}$ exists can be satisfied by appropriate choice of the location of the measurement sensors (i.e., the functions $q_\mu(z)$). The desired output feedback controller is then synthesized by combining the state feedback controller of eq 10 with the estimates of the states of the approximate model of eq 9. Proposition 3 below establishes the closed-loop stability properties of the output feedback controller. The proof, which employs singular perturbation arguments, is similar to that of Theorem 2 in ref 26 and is omitted for brevity.

Proposition 3: Consider the system of eq 8, for which Assumptions 1-3 hold, under the nonlinear output feedback controller

$$
u_k = p(\hat{x}_s, u_{\max}^k, z_a^k) \tag{16}
$$

where $\hat{x}_s = Q^{-1} y_m$ and $p(\cdot)$ was defined in Assumption 2. Then, given any positive real number $\delta_b^k$ such that $\Omega_b^k \subset \bar{\Omega}_s^k$, and given any positive real number $\delta_f^k$, there exists $\epsilon_k^o > 0$ such that if $\epsilon_k \in (0, \epsilon_k^o]$, $x_s(0) \in \Omega_b^k$, $\|x_f(0)\|_2 \le \delta_f^k$, the origin of the closed-loop system is asymptotically (and locally exponentially) stable. Furthermore, given $T_b^k > 0$, there exists $\epsilon^c > 0$ such that if $\epsilon_k \in (0, \epsilon^c]$, then $\|x_f(t)\|_2 \le R_2 \epsilon_k$, for some $R_2 > 0$, for all $t \ge T_b^k$.

Remark 9: The controller of eq 16 uses static feedback of the measured outputs $y_m^\mu$, $\mu = 1, \ldots, l$, and thus it feeds back both $x_s$ and $x_f$ (unlike the controller of eq 10, which uses feedback of $x_s$ only). Even though static output feedback is more sensitive to measurement noise than dynamic output feedback, we prefer to use static feedback of $y_m$ because it practically preserves the region of closed-loop stability associated with the approximate finite-dimensional slow system of eq 9 (see Remark 2). In the asymptotic limit (as $\epsilon_k \to 0$), the slow stability regions for both the state and output feedback problems approach that of the approximate system of eq 9. This result is important because only the system of eq 9 is used to design the controller and carry out any practical computations.

Remark 10: An important consequence of exponential closed-loop stability is the $O(\epsilon)$ closeness between the solutions of the infinite-dimensional system and its finite-dimensional approximation for almost all times. This property will be exploited in the design of the fault detection filter in the next subsection. In particular, note that the fast state, $x_f$, becomes small only after some period of time, $T_b^k$, which can be made arbitrarily small provided there is sufficiently large separation between the slow and fast subsystems.

5.2. Fault Detection Filter Design. In this section, we show how the design and implementation of the fault-detection filter presented in Proposition 2 should be modified to handle the absence of full state measurements. To this end, we consider the following system:

$$
\dot{w} = A_s w + B_s p(w, u_{\max}^k, z_a^k) + f_s(w, 0), \qquad r(t) = \|w(t) - \hat{x}_s(t)\| \tag{17}
$$

which, as in the full state feedback case, is a replica of the fault-free approximate closed-loop reduced system of eqs 9 and 10. However, owing to the absence of full state measurements, the residual can be defined only in terms of the slow state estimate, not the actual slow state. The residual therefore provides a measure of the discrepancy between the evolution of the approximate closed-loop slow states under full state feedback with no faults and the evolution of the closed-loop slow state estimates under output feedback. Since the discrepancy can be due solely to estimation and/or approximation errors, we derive in Proposition 4 below a fault-detectability criterion that takes these errors into consideration and prevents false alarms. The proof of this proposition is given in the Appendix.

Proposition 4: Consider the system of eq 8, for a fixed mode $k \in K$ and with $f_a^k \equiv 0$, under the output feedback controller of eq 16. Consider also the system of eq 17. Then, given the set of positive real numbers $\{\delta_b^k, \delta_f^k, \delta_o^k, T_b^k\}$, where $\delta_b^k$ was defined in Proposition 3 and $\delta_f^k$, $\delta_o^k$, $T_b^k$ are arbitrary, there exists a positive real number $\epsilon^{**}$ such that if $\epsilon_k \in (0, \epsilon^{**}]$, $x_s(0) \in \Omega_b^k$, $\|x_f(0)\|_2 \le \delta_f^k$, $w(T_b^k) = \hat{x}_s(T_b^k)$, the residual satisfies a relation of the form $r(t) \le \delta_o^k$ for all $t \ge T_b^k$.

Remark 11: Unlike the full state feedback case, the fault detection filter under output feedback is initialized only after some short period of time $[0, T_b^k]$ (which can be made small by considering a larger separation between the slow and fast subsystems, i.e., a smaller $\epsilon_k$), to ensure that $\hat{x}_s$ has converged sufficiently close to $x_s$. The difference lies in the fact that, under state feedback, the residual of eq 12 captures only the discrepancy between the state of the slow subsystem and the state of the fault-free reduced system. From the exponential stability of both systems, singular perturbation theory ensures that, with an appropriate choice of $\epsilon_k$, the discrepancy between these two subsystems (i.e., the approximation error) can be made as small as desired for all times. On the other hand, the residual in eq 17 includes both $x_s$ and $x_f$ (note that $\hat{x}_s = Q^{-1} y_m = x_s + x_f$) and therefore is sensitive not only to faults and approximation errors


but also to state estimation errors. Since convergence of the estimation error occurs only after a small period of time (see Remark 10), faults cannot be deciphered from the residual before such time has passed. By setting the filter state $w$ at this time equal to $\hat{x}_s$, we ensure that $w$ is initialized sufficiently close to the true value of $x_s$.

5.3. Supervisory Switching Logic. Since the switching logic depends ultimately on where $x_s$ is at any given time (see eq 15), and the supervisor can only monitor the evolution of $\hat{x}_s$, a reliable mechanism for inferring $x_s$ from $\hat{x}_s$ is needed. Specifically, a monitoring set, $\Omega_m^k$, with the property that $\hat{x}_s \in \Omega_m^k \Rightarrow x_s \in \Omega_b^k$, is needed for the implementation of the switching logic. Proposition 5 below (see the Appendix for the proof) establishes the existence of a set for which this property holds once the estimation error becomes sufficiently small (which is ensured for all $t \ge T_b^k$ provided that $\epsilon_k$ is sufficiently small).

Proposition 5: Given $\delta_b^k > 0$, there exist $\epsilon^m > 0$ and $\delta_m^k > 0$ such that if $\|x_s - \hat{x}_s\| \le \gamma_1 \epsilon_k$ for some $\gamma_1 > 0$, $\epsilon_k \in (0, \epsilon^m]$, and $\|\hat{x}_s\| \le \delta_m^k$, then $\|x_s\| \le \delta_b^k$.

Remark 12: Note from Proposition 4 that, for all $t \ge T_b^k$, the estimation error falls below $R_2 \epsilon_k$ for $\epsilon_k \le \epsilon_k^c$. Identifying $\gamma_1 = R_2$ and $\epsilon^c = \epsilon^m$ ensures that if $\hat{x}_s(t) \in \Omega_m^k$ then $x_s(t) \in \Omega_b^k$ (i.e., the slow state belongs to the output feedback stability region) for $t \ge T_b^k$. The decay of the estimation error is therefore necessary not only for implementing the fault detection filter but also for the supervisor's monitoring task. We are now in a position to derive the appropriate control reconfiguration logic. Theorem 3 below presents the integrated fault detection and fault-tolerant control strategy under output feedback. The proof, which invokes singular perturbation arguments, is given in the Appendix.

Theorem 3: Consider the closed-loop system of eqs 8 and 16 with $k(0) = j \in K$. Consider also the system of eq 17. Given the set of positive real numbers $\{\delta_b^j, \delta_f^j, \delta_o^j, T_b^j\}$, where $\delta_b^j$ is as defined in Proposition 3, and given a fault, $f_a^j$, for which $r(t) > \delta_o^j$ for some $t > 0$, there exists $\epsilon^r > 0$ such that if $\epsilon_j \in (0, \epsilon^r]$, $\|x_s(0)\| \le \delta_b^j$, $\|x_f(0)\| \le \delta_f^j$, $w(T_b^j) = \hat{x}_s(T_b^j)$, and $r(T_f^j) > \delta_o^j$, where $T_f^j > T_b^j$ is the earliest time for which $r(t) > \delta_o^j$ and $\delta_o^j$ was defined in Proposition 4, the control-reconfiguration rule given by

$$
k(t) = \begin{cases} j, & 0 \le t < T_f^j \\ \nu \ne j, & t \ge T_f^j,\ \hat{x}_s(T_f^j) \in \Omega_m^\nu(u_{\max}^\nu, z_a^\nu) \end{cases} \tag{18}
$$

where $\Omega_m^\nu = \{x_s \in H_s : \|x_s\| \le \delta_m^\nu\}$ and $\delta_m^\nu$ was defined in Proposition 5, asymptotically stabilizes the origin of the closed-loop system.

Remark 13: Theorem 3 considers faults that are observable from the filter's residual in the sense that a residual in excess of the allowable threshold, $\delta_o^k$, is a conclusive indicator that such a fault has occurred, since $r > \delta_o^k$ is more than what can be accounted for by inherent approximation and/or estimation errors. Faults that yield a residual within the margin of (i.e., indistinguishable from) these errors will, in principle, go undetected and are not considered, since their effect on closed-loop stability cannot be discerned from the behavior of the residual. This, however, is not a restriction, since the observability threshold $\delta_o^k$ can be chosen arbitrarily small, thus rendering the possibility of major (i.e., destabilizing) faults that cannot be detected quite small (note that reducing the threshold requires adding more measurements and increasing the dimension of the slow subsystem to reduce the approximation/estimation errors; in the limit as $\epsilon \to 0$, the filter becomes infinite-dimensional). Ultimately, the choice of $\delta_o^k$ reflects a fundamental tradeoff between the need to avoid false alarms that could be caused by approximation/estimation errors (this favors a relatively large threshold) and the need to minimize the possibility of some faults going undetected (this favors a relatively small threshold). The simulation study in the next section demonstrates this tradeoff.

6. Application to a Diffusion-Reaction Process

In this section, we illustrate through computer simulations how the integrated FD-FTC strategies described earlier can be used to deal with the problem of actuator fault-tolerant control of a diffusion-reaction process. To this end, consider a long, thin catalytic rod in a reactor. The reactor is fed with pure species A, and a zeroth-order exothermic reaction of the form A → B takes place on the rod. Since the reaction is exothermic, a cooling medium in contact with the rod is used for cooling. Under standard assumptions, the spatiotemporal evolution of the dimensionless rod temperature is described by the following parabolic PDE:

$$
\frac{\partial \bar{x}}{\partial t} = \frac{\partial^2 \bar{x}}{\partial z^2} + \beta_T e^{-\gamma/(1+\bar{x})} + \beta_U\left(b(z)u(t) + b(z)f_a(t) - \bar{x}\right) - \beta_T e^{-\gamma}
$$

subject to the boundary and initial conditions:

$$
\bar{x}(0, t) = 0, \qquad \bar{x}(\pi, t) = 0, \qquad \bar{x}(z, 0) = \bar{x}_0(z) \tag{19}
$$

where $\bar{x}$ denotes the dimensionless temperature in the reactor, $\beta_T$ denotes a dimensionless heat of reaction, $\gamma$ denotes a dimensionless activation energy, $\beta_U$ denotes a dimensionless heat transfer coefficient, $u(t)$ denotes the manipulated input, $f_a(t)$ denotes the actuator fault, and $b(z)$ denotes the actuator distribution function. The following typical values of the process parameters are used: $\beta_T = 50.0$, $\beta_U = 2.0$, $\gamma = 4.0$. For these values, it was verified that the operating steady state $\bar{x}(z, t) = 0$ is unstable. The control objective is to stabilize the rod temperature profile at this unstable steady state by manipulating the temperature of the cooling medium, subject to actuator constraints and failures. To achieve this objective, we assume that three point actuators (A, B, and C), located at $z_a^A = 0.5\pi$, $z_a^B = 0.33\pi$, and $z_a^C = 0.8\pi$, respectively, are available for stabilization. The three actuators have the same constraints: $u_{\max}^A = u_{\max}^B = u_{\max}^C = 1.4$. Only one actuator is to be active at any given moment, while the other two are kept dormant. The eigenvalue problem for the spatial differential operator of the process can be solved analytically, and its solution is

$$
\lambda_j = -j^2, \qquad \phi_j(z) = \sqrt{\frac{2}{\pi}}\, \sin(jz), \qquad j = 1, \ldots, \infty \tag{20}
$$

For this system, we consider the first eigenvalue as the dominant one and use the standard Galerkin method to derive an ODE that describes the approximate temporal evolution of the amplitude of the first eigenmode, $a_1(t)$, where $x_s(t) = a_1(t)\phi_1(z)$. The approximate (reduced-order) model is given by

$$
\dot{\bar{a}}_1 = f(\bar{a}_1) + g(\bar{a}_1, z)(u + f_a) \tag{21}
$$

where $\bar{x}_s(t) = \bar{a}_1(t)\phi_1(z)$, $f(\bar{a}_1) = \lambda_1 \bar{a}_1 + (\tilde{f}(\bar{a}_1), \phi_1(z))$, $\tilde{f}(\bar{a}_1) = \beta_T e^{-\gamma/(1+\bar{a}_1\phi_1(z))} - \beta_U \bar{a}_1 \phi_1(z) - \beta_T e^{-\gamma}$, and $g(\bar{a}_1, z) = \beta_U (b(z), \phi_1(z))$. This ODE (with $f_a = 0$) is used for the synthesis of a bounded Lyapunov-based controller of the form:

$$
u_k = -\frac{L_f^* V + \sqrt{(L_f^* V)^2 + \left(u_{\max}^k |L_g V(z_a^k)|\right)^4}}{|L_g V(z_a^k)|^2\left[1 + \sqrt{1 + \left(u_{\max}^k |L_g V(z_a^k)|\right)^2}\right]}\, L_g V(z_a^k) \tag{22}
$$

where $V = \tfrac{1}{2}\bar{a}_1^2$, $L_f^* V = L_f V + \rho|\bar{a}_1|^2$, $\rho > 0$. For a given actuator spatial placement, an estimate of the stability region can be obtained by constructing an invariant subset of the region described by the following inequality (see ref 26 for further details on the controller synthesis and stability region characterization):

$$
L_f^* V \le u_{\max}^k |L_g V(z_a^k)| \tag{23}
$$

In all simulation runs, the controller of eqs 21 and 22 is implemented on a 50th-order Galerkin discretization of the parabolic PDE (higher-order discretizations led to identical results). We proceed with the state feedback results first. We initially use eq 23 with $\rho = 0.2$ to compute the stability region as a function of control actuator location. Figure 1a displays the variation of the set of admissible initial conditions for the amplitude of the first eigenmode, $a_1(0)$, with actuator location (note that $x_s(0) = a_1(0)\phi_1(z)$). The figure makes clear that, starting from the initial condition $a_1(0) = 0.7$, actuator A can be used for stabilization, since its stability region contains the given initial condition. Figure 1, panels b and c, depict, respectively, the closed-loop temperature and manipulated input profiles corresponding to this initial condition when the controller of eqs 21 and 22 is implemented using actuator A. Clearly, the controller successfully stabilizes the temperature profile at the desired steady state. We now turn to the case when process operation is interrupted by actuator faults. To account for possible actuator failures, we construct a fault detection filter that replicates the fault-free behavior of the approximate system of eq 21:

$$
\dot{w} = f(w) + g(w)u, \qquad r(t) = |w(t) - a_1(t)| \tag{24}
$$

where $r$ is the residual that captures the discrepancy between the evolution of the filter state and the evolution of the amplitude of the first eigenmode. Since $r$ is expected to be nonzero (even in the absence of faults) due to the model reduction error, we need to establish a bound on $r$ that captures the discrepancy due to such errors alone. To this end, we use the criterion $r(t) \ge \delta$ to declare that a fault has been detected, where

$$
\delta = \max_{t \ge 0,\ f_a = 0} |a_1(t) - \bar{a}_1(t)|
$$

is the maximum error between the states of the full- and reduced-order models in the absence of faults. For the given initial condition, it was found that the maximum approximation error is $\delta = 0.006$. To demonstrate how the integrated FD-FTC scheme works, we initialize the closed-loop system with $a_1(0) = 0.7$ using actuator A, and initialize the filter at $w(0) = a_1(0)$. At $t = T_f^1 = 1$, actuator A breaks down (this is simulated by setting the control action of actuator A to zero for $t \ge 1$; see Figure 2c). As shown in the residual plot in Figure 2a, this failure is detected immediately by the supervisor, since it causes the residual to exceed the threshold at $T_d^1 = 1.003$. Notice that, prior to actuator failure, the residual evolves within the allowable threshold that reflects model reduction errors. Following failure detection, the supervisor needs to decide which backup actuator, B or C, is suitable for use as fall-back. According to the switching logic of eq 13, the actuator whose stability region contains the state at the time of fault detection is the one that should be activated. By tracking the slow state $a_1(t)$ in time, we find that $a_1(T_d^1) = 0.183$, which is inside the stability regions of both backup actuators, B and C. Even though both are feasible choices for preserving closed-loop stability, the supervisor switches to actuator B due to its proximity to the middle of the rod (this helps reduce the deterioration in controller performance).

Figure 1. (a) Stability region as a function of actuator location for $u_{\max} = 1.4$. (b) Closed-loop temperature profile under state feedback control for $a_1(0) = 0.7$ when actuator A is used without failure. (c) The corresponding manipulated input profile.
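As an added, runnable illustration of the state feedback scenario just described (this is not code from the paper), the following Python script builds the reduced model of eq 21 and the controller of eq 22, estimates each actuator's stability region from eq 23, runs the filter of eq 24 against a Galerkin stand-in for the PDE of eq 19, takes $\delta$ as the fault-free maximum approximation error, and lets a supervisor apply the switching rule of eq 15 when actuator A stops acting at $t = 1$. Assumptions not fixed by the paper: point actuators with $b(z)$ a Dirac delta at $z_a$, a 5-mode plant in place of the 50-mode discretization, Simpson quadrature, a fixed-step RK4 integrator, and a filter that closes the loop on its own state as eq 17 does.

```python
"""Fault detection filter and supervisory actuator switching for the catalytic rod.

Added example (not from the paper). Assumed: point actuators b(z) = delta(z - z_a),
a 5-mode Galerkin plant in place of the 50-mode discretization, Simpson quadrature
for the inner products, and fixed-step RK4 integration.
"""
import math

BETA_T, BETA_U, GAMMA = 50.0, 2.0, 4.0        # process parameters of eq 19
U_MAX, RHO = 1.4, 0.2                          # actuator constraint and rho of eq 22
ACTUATORS = {"A": 0.5 * math.pi, "B": 0.33 * math.pi, "C": 0.8 * math.pi}
N_MODES, M_QUAD = 5, 32                        # plant modes, Simpson intervals (assumed)

# Simpson nodes/weights on [0, pi]; eigenfunctions phi_j(z) = sqrt(2/pi) sin(j z) of eq 20
_Z = [math.pi * i / M_QUAD for i in range(M_QUAD + 1)]
_W = [math.pi / (3 * M_QUAD) * (1 if i in (0, M_QUAD) else 4 if i % 2 else 2)
      for i in range(M_QUAD + 1)]
_PHI = [[math.sqrt(2 / math.pi) * math.sin(j * z) for z in _Z] for j in range(1, N_MODES + 1)]

def phi(j, z):
    return math.sqrt(2 / math.pi) * math.sin(j * z)

def f_tilde(x):
    """Reaction, cooling and reference terms of eq 19; vanishes at the steady state x = 0."""
    return BETA_T * math.exp(-GAMMA / (1.0 + x)) - BETA_U * x - BETA_T * math.exp(-GAMMA)

def plant_rhs(a, z_a, u_actual):
    """N-mode Galerkin plant: da_j/dt = -j^2 a_j + (f~(x), phi_j) + beta_U phi_j(z_a) u."""
    x = [sum(a[j] * _PHI[j][i] for j in range(N_MODES)) for i in range(M_QUAD + 1)]
    ft = [f_tilde(xi) for xi in x]
    return [-(j + 1) ** 2 * a[j] + sum(w * fi * p for w, fi, p in zip(_W, ft, _PHI[j]))
            + BETA_U * phi(j + 1, z_a) * u_actual for j in range(N_MODES)]

def f_reduced(a1):
    """f(a1) of eq 21: lambda_1 a1 + (f~(a1 phi_1), phi_1) with lambda_1 = -1."""
    return -a1 + sum(w * f_tilde(a1 * p) * p for w, p in zip(_W, _PHI[0]))

def g_reduced(z_a):
    """g of eq 21 for a point actuator: beta_U (delta(z - z_a), phi_1) = beta_U phi_1(z_a)."""
    return BETA_U * phi(1, z_a)

def controller(a1, z_a):
    """Bounded Lyapunov-based law of eq 22 with V = a1^2 / 2; |u| <= U_MAX by construction."""
    lfv_star = a1 * f_reduced(a1) + RHO * a1 * a1
    lgv = a1 * g_reduced(z_a)
    if lgv == 0.0:
        return 0.0
    num = lfv_star + math.sqrt(lfv_star ** 2 + (U_MAX * abs(lgv)) ** 4)
    den = lgv ** 2 * (1.0 + math.sqrt(1.0 + (U_MAX * abs(lgv)) ** 2))
    return -num / den * lgv

def stability_radius(z_a, step=0.01, a_max=1.2):
    """Largest c such that eq 23 holds for all |a1| <= c (an invariant sublevel set of V)."""
    c = 0.0
    while c + step <= a_max + 1e-9:
        for a1 in (c + step, -(c + step)):
            if a1 * f_reduced(a1) + RHO * a1 * a1 > U_MAX * abs(a1 * g_reduced(z_a)):
                return c
        c += step
    return c

def in_region(name, a1):
    return abs(a1) <= stability_radius(ACTUATORS[name])

def rk4(rhs, y, dt):
    k1 = rhs(y)
    k2 = rhs([yi + 0.5 * dt * ki for yi, ki in zip(y, k1)])
    k3 = rhs([yi + 0.5 * dt * ki for yi, ki in zip(y, k2)])
    k4 = rhs([yi + dt * ki for yi, ki in zip(y, k3)])
    return [yi + dt / 6.0 * (p + 2 * q + 2 * r + s) for yi, p, q, r, s in zip(y, k1, k2, k3, k4)]

def simulate(a1_0, delta=None, fault_time=None, t_end=2.5, dt=0.002):
    """Closed-loop run with the filter of eq 24 and the switching rule of eq 15.
    delta=None turns the supervisor off; max_err is then the fault-free approximation
    error max|a1 - w|, the quantity the paper adopts as the threshold delta."""
    a = [a1_0] + [0.0] * (N_MODES - 1)         # plant: only the first mode is excited
    w = a1_0                                   # filter state, w(0) = a1(0)
    active, faulty = "A", set()
    out = {"detections": [], "switches": [], "max_err": 0.0}
    for step in range(int(round(t_end / dt))):
        t = step * dt
        z_a = ACTUATORS[active]
        u = controller(a[0], z_a)              # commanded action, state feedback on a1
        failed = fault_time is not None and t >= fault_time and active == "A"
        a = rk4(lambda y: plant_rhs(y, z_a, 0.0 if failed else u), a, dt)
        # the filter is a closed-loop replica of the fault-free reduced model (as in eq 17)
        w = rk4(lambda y: [f_reduced(y[0]) + g_reduced(z_a) * controller(y[0], z_a)], [w], dt)[0]
        r = abs(w - a[0])                      # residual of eq 24
        out["max_err"] = max(out["max_err"], r)
        if delta is not None and r > delta:    # fault declared: reconfigure per eq 15
            out["detections"].append(round(t + dt, 3))
            faulty.add(active)
            backups = [n for n in ACTUATORS if n not in faulty and in_region(n, a[0])]
            if not backups:                    # no fall-back whose region holds a1: stop
                out["switches"].append(None)
                break
            active = min(backups, key=lambda n: abs(ACTUATORS[n] - math.pi / 2))
            out["switches"].append(active)
            w = a[0]                           # re-initialize the filter at detection
    out["final_a1"] = a[0]
    return out
```

Because the plant here has 5 modes rather than 50, the fault-free error, and hence $\delta$, need not equal the paper's 0.006; what the run reproduces is the qualitative behavior (residual within $\delta$ before the fault, crossing it shortly after, and a switch to B rather than C).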


Figure 2. Evolution of (a) the fault detection filter residual with a threshold of $\delta = 0.006$, (b) the closed-loop temperature profile, and (c) the manipulated input profiles under state feedback control, when actuator A fails at $t = 1$, actuator B is activated, actuator B fails at $t = 2$, and actuator C is activated. The dotted, dashed-dotted, and solid lines in panel c describe the manipulated input profiles for actuators A, B, and C, respectively.

Following the activation of actuator B, the supervisor reinitializes the filter state to $w(T_d^1) = a_1(T_d^1)$ (note that the residual drops to zero as a result) in order to detect possible future faults in actuator B, while the controller proceeds to drive the closed-loop state closer to the desired steady state. At $t = T_f^2 = 2$, actuator B fails, causing the residual once again to exceed the threshold at $t = T_d^2 = 2.07$ (see Figure 2a). At this time the supervisor declares the failure of actuator B and switches to actuator C, whose stability region contains $a_1$ at the time of fault detection. Figure 2b,c depicts the evolution of the closed-loop state and the manipulated input under the two consecutive failures and subsequent actuator switchings. The results show that, with timely detection of failure and subsequent actuator reconfiguration, closed-loop stability can be successfully maintained.

To demonstrate the need for choosing the residual threshold properly, we consider two simulation scenarios that show the effect of varying the residual threshold on the fault detection and fault-tolerance capabilities of the control system. In the first scenario, we attempt to enhance the residual's sensitivity to small faults by reducing the threshold to $\delta = 0.0005$ (note that this is smaller than the model reduction error). In this case, the closed-loop system is initialized at the same initial condition as before using actuator A, the filter is initialized at $w(0) = a_1(0)$, and no faults are introduced. Reducing the detection threshold is expected to increase the system's susceptibility to false alarms, which can lead to premature actuator switching and subsequent performance degradation or loss of stability. We see from Figure 3a that the residual crosses the new threshold at $t = 0.046$, which leads the supervisor to declare a fault in actuator A even though no fault has actually occurred. As a result of this false alarm, the supervisor switches (unnecessarily) to actuator B (since $a_1$ at this time is outside the stability region of actuator C) to maintain closed-loop stability and re-initializes the filter. Due to the tight threshold, however, the residual crosses the threshold once more at $t = 0.094$, even though actuator B is still functioning properly. However, at this time, no backup actuator is available, since the state $a_1$ is outside the stability region of actuator C; therefore, the supervisor has to either shut down process operation or activate the only remaining actuator, leading to instability. Figure 3b,c depicts the evolution of the closed-loop state and the manipulated input corresponding to the false alarms and subsequent actuator switchings from A to B to C.

In the second scenario, the residual's sensitivity to errors is reduced by increasing the detection threshold beyond the maximum model reduction error (e.g., to avoid false alarms resulting from model uncertainties). Two cases are considered in this scenario. The first involves raising the threshold to $\delta = 0.1$. The closed-loop system is initialized at the same initial condition using actuator A, the filter is initialized at $w(0) = a_1(0)$, and actuator failure is introduced at $t = T_f^1 = 1$. As can be seen from Figure 4a, due to the reduced sensitivity of the residual, failure detection is delayed until $t = T_d^1 = 1.18$, which is the time at which the residual crosses the threshold and the supervisor switches to actuator B ($a_1$ is within the stability region of actuator B at this time). A second failure, this time in actuator B, is then introduced at $t = T_f^2 = 2$. Again, due to the relaxed detectability threshold, detection of this failure occurs at $t = T_d^2 = 2.71$, at which time $a_1 = 0.12$ is within the stability region of the last remaining backup actuator, and thus the supervisor activates actuator C. The closed-loop state and manipulated input profiles for this case are shown in Figure 4b,c. Even though stability was preserved in this case, the detection delays led to an unnecessary deterioration in the closed-loop response, as the process evolved uncontrolled for some time before actuator reconfiguration in each failure instance took effect. In the second case, the threshold is further raised to $\delta = 0.8$, leading to more prolonged delays in fault detection, which now occur at $t = T_d^1 = 1.99$ (for the failure of actuator A) and $t = T_d^2 = 2.25$ (for the failure of actuator B), as can be seen from Figure 5a. By the time actuator B fails, however, the state has already escaped


Figure 3. Evolution of (a) the fault detection filter residual, (b) the closed-loop temperature profile, and (c) the manipulated input profiles under state feedback control when the residual threshold is set at $\delta = 0.0005$ and no faults are introduced. The supervisor shuts down actuator A at $t = 0.046$, switches to actuator B, shuts down actuator B at $t = 0.094$, and switches to actuator C. The dotted, dashed-dotted, and solid lines in panel c describe the manipulated input profiles for actuators A, B, and C, respectively.

the stability region of the remaining backup actuator, C, and the supervisor must either shut down process operation or execute a transition to actuator C, resulting in instability. Figure 5, panels b and c, depict the corresponding closed-loop state and manipulated input profiles. The simulation results of the previous two scenarios (Figures 2-5) point to the fact that the selection of the residual threshold must carefully balance the need to avoid false alarms against the need to ensure timely fault detection and control reconfiguration.

Figure 4. Evolution of (a) the fault detection filter residual with a threshold of $\delta = 0.1$, (b) the closed-loop temperature profile, and (c) the manipulated input profiles under state feedback control, when actuator A fails at $t = 1$, actuator B is activated at $t = 1.18$, actuator B fails at $t = 2$, and actuator C is activated at $t = 2.71$. The dotted, dashed-dotted, and solid lines in panel c describe the manipulated input profiles for actuators A, B, and C, respectively.

Figure 5. Evolution of (a) the fault detection filter residual with a threshold of $\delta = 0.8$, (b) the closed-loop temperature profile, and (c) the manipulated input profiles under state feedback control, when actuator A fails at $t = 1$, actuator B is activated at $t = 1.99$, actuator B fails at $t = 2$, and actuator C is activated at $t = 2.25$. The dotted, dashed-dotted, and solid lines in panel c describe the manipulated input profiles for actuators A, B, and C, respectively.

For the case of output feedback, we use a single point sensor located at $z = 0.57\pi$ to obtain estimates of the amplitude of the first eigenmode, $\hat{a}_1$, which are then used for implementing the feedback controller of eq 22, the fault detection filter, and the supervisory switching logic. A fault detection filter of the following form is used:

$$
\dot{w} = f(w) + g(w)u, \qquad r(t) = |w(t) - \hat{a}_1(t)| \tag{25}
$$

where the residual, $r$, is now defined in terms of the slow state estimate, $\hat{a}_1$, rather than the slow state itself, $a_1$, which is unavailable for measurement. The same fault detection threshold used for the state feedback residual ($r(t) > \delta = 0.006$) is also used in the output feedback case.

To demonstrate how the integrated output feedback FD-FTC scheme works, we initialize the closed-loop system with $a_1(0) = 0.7$ using actuator A (it was verified that the output feedback controller successfully stabilizes the closed-loop system at the desired steady state in the absence of faults). The filter is initialized some time after startup ($t = T_b = 0.9$) to allow sufficient time for the convergence of the estimation error, which is necessary for $\hat{a}_1$ to reliably predict the evolution of $a_1$. At $t = T_f^1 = 1$, actuator A breaks down (this is simulated by setting the control action to zero for $t \ge 1$; see Figure 6c). As shown in the residual plot in Figure 6a, this failure is detected immediately by the supervisor, since it causes the residual to exceed the threshold at $t = T_d^1 = 1.01$. At this time, the supervisor switches to actuator B, re-initializes the filter state to $w(T_d^1) = \hat{a}_1(T_d^1)$, and proceeds to drive the closed-loop state closer to the desired steady state. At $t = T_f^2 = 3$, actuator B fails, causing the residual to exceed the threshold at $t = T_d^2 = 3.43$ (see Figure 6a). At this time the supervisor declares the failure of actuator B and switches to actuator C, thus preserving closed-loop stability. Figure 6, panels b and c, depict the evolution of the closed-loop state and manipulated input profiles. It should be noted that, even though the late initialization of the fault detection filter (to allow convergence of the state estimates) allows us to practically use the state feedback detection threshold (which captures only model reduction errors), this comes at the expense of increasing the vulnerability of the process to faults that take place early on and can thus go undetected for some time. From the result of Proposition 4, we know that the time period before the filter can be initialized (the time it takes for the estimates to converge to the true states) can be made smaller by increasing the order of the approximate, reduced-order model and including more measurements. An alternative is to increase the detection threshold beyond the state feedback value in order to account for the estimation error directly. This approach is demonstrated in Figure 7, where the detection threshold is increased to $\delta = 0.0224$ and the fault detection filter is initialized at $w(0) = \hat{a}_1(0)$. As shown in the residual plot in Figure 7a, the first failure (in actuator A), which is introduced at $t = T_f^1 = 1$, is detected immediately by the supervisor, since it causes the residual to exceed the threshold at $t = T_d^1 = 1.05$. At this time, the supervisor switches to actuator B, re-initializes the filter state to $w(T_d^1) = \hat{a}_1(T_d^1)$, and proceeds to drive the closed-loop state closer to the desired steady state. The second failure (in actuator B), which is introduced at $t = T_f^2 = 3$, is detected later by the supervisor, at $t = T_d^2 = 4.55$, and is followed by switching to actuator C. The corresponding closed-loop state and manipulated input profiles are given in Figure 7, panels b and c. Notice that, even though we were able to activate the fault detection filter earlier than in the previous scenario, the relatively large threshold caused some delay in the detection of the second failure. Comparing the two scenarios above makes clear the fundamental tradeoff that emerges in the output feedback setting between the need to wait for some time before implementing the fault detection filter (this allows the decay of the estimation error and the use of a relatively small detection threshold, which enhances the detection capability for "late-occurring" faults) and the need to detect early faults (which may require the use of large thresholds to account for the initially large estimation error or the use of a higher-order approximate model to design the fault detection filter).

Figure 6. Evolution of (a) the fault detection filter residual with a threshold of $\delta = 0.006$, (b) the closed-loop temperature profile, and (c) the manipulated input profiles under output feedback control, when actuator A fails at $t = 1$, actuator B is activated at $t = 1.01$, actuator B fails at $t = 3$, and actuator C is activated at $t = 3.43$. The dotted, dashed-dotted, and solid lines in panel c describe the manipulated input profiles for actuators A-C, respectively.

Figure 7. Evolution of (a) the fault detection filter residual with a threshold of $\delta = 0.0224$, (b) the closed-loop temperature profile, and (c) the manipulated input profiles under output feedback control, when actuator A fails at $t = 1$, actuator B is activated at $t = 1.05$, actuator B fails at $t = 3$, and actuator C is activated at $t = 4.55$. The dotted, dashed-dotted, and solid lines in panel c describe the manipulated input profiles for actuators A-C, respectively.

7. Conclusions

An integrated FD and FTC architecture for spatially distributed processes described by quasi-linear parabolic PDEs with control constraints and control actuator faults was presented. Under full-state feedback conditions, the architecture integrates model-based fault detection, spatially distributed feedback, and supervisory control to orchestrate switching between different actuator configurations in the event of faults. The various components were designed on the basis of appropriate reduced-order models that capture the dominant dynamics of the distributed process. The fault detection filter replicates the dynamics of the fault-free reduced-order model and uses its behavioral discrepancy from that of the actual system as a residual for fault detection. Owing to the inherent approximation errors in the reduced-order model, appropriate fault detection and control reconfiguration criteria were derived for the implementation of the FD-FTC architecture on the distributed system to prevent the possibility of false alarms. The criteria were expressed in terms of residual thresholds that capture the

8350

Ind. Eng. Chem. Res., Vol. 45, No. 25, 2006

closeness of solutions between the fault-free reduced and fullorder models. A singular perturbation formulation was used to link these thresholds to the separation between the slow and fast eigenvalues of the spatial differential operator necessary for closed-loop stability. Under output feedback conditions, an appropriate state estimation scheme was incorporated into the control architecture and the effects of estimation errors were accounted for in the design of the feedback controller, the fault detection filter, and the control reconfiguration logic. The proposed approach was successfully applied to the problem of constrained, actuator fault-tolerant stabilization of an unstable steady state of a diffusion-reaction process. Appendix Proof of Theorem 1: We split the proof into two parts. In the first part we show that the filter detects a fault if and only if one occurs, and in the second part we establish closed-loop stability under the switching rule of eq 13. Part 1: Let xjs(Tkd) :) xjds and w(Tkd) :) wd and consider:

$$\dot{w}(T_d^k) - \dot{\bar{x}}_s(T_d^k) = A_s\,[w^d - \bar{x}_s^d] + B_s\,[p(w^d) - p(\bar{x}_s^d)] - B_s f_a^k + f_s(w^d, 0) - f_s(\bar{x}_s^d, 0) \qquad (26)$$

with $f_a^k(T_d^k) \neq 0$. Since $w(0) = \bar{x}_s(0)$ and $f_a^k(t) \equiv 0$ for all $0 \le t < T_d^k$, we have $w^d = \bar{x}_s^d$, which implies that $p(w^d) - p(\bar{x}_s^d) = 0$ and $f_s(w^d, 0) - f_s(\bar{x}_s^d, 0) = 0$. Substituting these relations into eq 26 yields $\dot{w}(T_d^k) - \dot{\bar{x}}_s(T_d^k) = -B_s f_a^k$. Since $B_s$ is invertible (by proper choice of $z_a^k$), it follows that $\dot{w}(T_d^k) - \dot{\bar{x}}_s(T_d^k) \neq 0$ if and only if $f_a^k(T_d^k) \neq 0$. This, together with the fact that $w^d = \bar{x}_s^d$, yields $w(T_d^k) - \bar{x}_s(T_d^k) \neq 0$, or $r(T_d^k) = \|w(T_d^k) - \bar{x}_s(T_d^k)\| > 0$, if and only if $f_a^k(T_d^k) \neq 0$.

Part 2: Note first that in the absence of faults we have $r(t) = 0$, which implies $w(t) = \bar{x}_s(t)$. Since $w(0) = \bar{x}_s(0) \in \bar{\Omega}_s^j$ and control configuration $j$ is implemented for all times in this case, closed-loop stability follows from Assumption 2. In the case of faults, the earliest time a fault is detected is $T_f^j$, and we have from eq 13 that $k(t) = j$ for $0 \le t < T_f^j$. From the stability of the $j$th closed-loop system (Assumption 2), the closed-loop trajectory stays bounded for $0 \le t < T_f^j$. At time $T_f^j$, the supervisor switches to control configuration $k = \nu$, for which $\bar{x}_s(T_f^j) \in \bar{\Omega}_s^{\nu}$. From this point onward, configuration $\nu$ is implemented in the closed-loop system for all future times and, since $\bar{x}_s(T_f^j) \in \bar{\Omega}_s^{\nu}$, closed-loop stability of the origin follows from Assumption 2. This completes the proof of the theorem.

Proof of Proposition 2: From Proposition 1, we have that the origin of the closed-loop system of eqs 8 and 10 with $f_a^k \equiv 0$ is asymptotically (and locally exponentially) stable for $\|x_s(0)\| \le \delta_s^k$, $\|x_f(0)\|_2 \le \delta_f^k$, and $\epsilon_k \in (0, \epsilon^*]$. An application of the result of Proposition 4.1 in ref 22 to this system yields the existence of $\bar{\epsilon} > 0$ such that, for $\epsilon_k \in (0, \bar{\epsilon}]$, the solution of the $x_s$ subsystem in eq 8 satisfies $\|x_s - \bar{x}_s\| \le \alpha_1 \epsilon_k$ for all $t \ge 0$, for some $\alpha_1 > 0$. Rewriting $r(t) = \|w - x_s\| \le \|w - \bar{x}_s\| + \|\bar{x}_s - x_s\|$, and using the fact that $\|w - \bar{x}_s\| = 0$ when $f_a^k = 0$ (from Theorem 1), we have $r(t) \le \|\bar{x}_s - x_s\| \le \alpha_1 \epsilon_k$.
Therefore, given any $\delta_d^k > 0$ there exists $\epsilon' := \min\{\delta_d^k/\alpha_1, \bar{\epsilon}, \epsilon^*\}$ such that for $\epsilon_k \le \epsilon'$, $r(t) \le \delta_d^k$ for all $t \ge 0$.

Proof of Theorem 2: Consider first the case when no faults are present (i.e., $T_d^j \to \infty$). In this case, we have from eq 15 that control configuration $j$ is implemented for all times. Applying the results of Propositions 1 and 2 with $k = j$, we have that given the set $\{\delta_s^j, \delta_f^j, \delta_d^j\}$ there exists some $\epsilon_{w_1} > 0$ such that if

$\epsilon_j \le \epsilon_{w_1}$, $\|x_s(0)\| \le \delta_s^j$, and $\|x_f(0)\|_2 \le \delta_f^j$, the origin of the closed-loop system is asymptotically stable and the residual satisfies $r(t) \le \delta_d^j$ for all $t \ge 0$. In the case of faults, we know from the definitions of $f_a^j$ and $T_f^j$ that no faults occur for $0 \le t < T_f^j$, and therefore eq 15 dictates that $k(t) = j$ for $0 \le t < T_f^j$. From the stability of the $j$th closed-loop system established in Proposition 1 and the closeness-of-solutions result in Proposition 2, we have that the slow and fast closed-loop states stay bounded and that the residual satisfies $r(t) \le \delta_d^j$ for $0 \le t < T_f^j$, provided $\epsilon_j \le \epsilon_{w_1}$, $\|x_s(0)\| \le \delta_s^j$, and $\|x_f(0)\|_2 \le \delta_f^j$. At time $T_f^j$, the supervisor switches (per eq 15) to a control configuration $k = \nu$ for which $\|x_s(T_f^j)\| \le \delta_s^{\nu}$, and continues to implement this configuration in the closed-loop system for all future times $t \ge T_f^j$. Since the fast state is also bounded at $T_f^j$, there exists a positive real number $\delta_f^{\nu}$ such that $\|x_f(T_f^j)\|_2 \le \delta_f^{\nu}$. At this point, a second application of the result of Proposition 1, with $k = \nu$, yields the existence of some $\epsilon_{w_2} > 0$ such that if $\epsilon_\nu \le \epsilon_{w_2}$, $\|x_s(T_f^j)\| \le \delta_s^{\nu}$, and $\|x_f(T_f^j)\|_2 \le \delta_f^{\nu}$, the origin of the closed-loop system is asymptotically stable. Choosing $\epsilon_s = \min\{\epsilon_{w_1}, \epsilon_{w_2}\}$ completes the proof of the theorem.

Proof of Proposition 4: From Proposition 3, we have that the origin of the closed-loop system of eqs 8 and 16 with $f_a^k \equiv 0$ is asymptotically (and locally exponentially) stable for $\|x_s(0)\| \le \delta_b^k$, $\|x_f(0)\|_2 \le \delta_f^k$, and $\epsilon_k \in (0, \epsilon_o]$. From the consequent closeness-of-solutions property (Proposition 4.1 in ref 22), it follows that there exists $\tilde{\epsilon} > 0$ such that, for $\epsilon_k \in (0, \tilde{\epsilon}]$ and for all $t \ge T_b^k$, $\|x_s(t) - \bar{x}_s(t)\| \le \alpha_1 \epsilon_k$ for some $\alpha_1 > 0$, and $\|x_f(t)\|_2 \le \alpha_2 \epsilon_k$ for some $\alpha_2 > 0$, where $\bar{x}_s$ is the state of the approximate closed-loop system (with $x_f = 0$).
Since $\hat{x}_s = Q^{-1} y_m = x_s + x_f$, the residual satisfies $r(t) = \|w(t) - x_s(t) - x_f(t)\| \le \|w(t) - \bar{x}_s(t)\| + \|\bar{x}_s(t) - x_s(t)\| + \|x_f(t)\|_2 \le \alpha_3 \epsilon_k$ for all $t \ge T_b^k$, where $\alpha_3 = \alpha_1 + \alpha_2$ and we used the fact that $\|w - \bar{x}_s\| = 0$ when $f_a^k = 0$ (from Theorem 1). Therefore, given any $\delta_o^k > 0$ there exists $\epsilon^{**} := \min\{\delta_o^k/\alpha_3, \tilde{\epsilon}, \epsilon_o\}$ such that for $\epsilon_k \le \epsilon^{**}$, $r(t) \le \delta_o^k$ for all $t \ge T_b^k$.

Proof of Proposition 5: Given $\delta_b^k > 0$, let $\delta_m^k$ and $\epsilon_m$ be such that $\delta_m^k + \gamma_1 \epsilon_m \le \delta_b^k$. Then, if $\epsilon_k \le \epsilon_m$ and $\|x_s - \hat{x}_s\| \le \gamma_1 \epsilon_k$, we have $\|x_s\| \le \|\hat{x}_s\| + \gamma_1 \epsilon_k \le \delta_m^k + \gamma_1 \epsilon_m \le \delta_b^k$.

Proof of Theorem 3: Since only faults for which $r(T_f^j) > \delta_o^j$ are considered, it follows that, in the absence of such faults ($T_f^j \to \infty$), no switching takes place and configuration $j$ is implemented for all times. Applying the results of Propositions 3 and 4 with $k = j$, we have that given the set $\{\delta_b^j, \delta_f^j, \delta_o^j, T_b^j\}$ there exists some $0 < \epsilon_{w_1} \le \min\{\epsilon_o, \epsilon_c, \epsilon^{**}\}$ such that if $\epsilon_j \le \epsilon_{w_1}$, $\|x_s(0)\| \le \delta_b^j$, and $\|x_f(0)\|_2 \le \delta_f^j$, the origin of the closed-loop system is asymptotically stable and the residual satisfies $r(t) \le \delta_o^j$ for all $t \ge T_b^j$. In the case of faults, we know from the definitions of $f_a^j$ and $T_f^j$ that no faults occur for $0 \le t < T_f^j$, and therefore eq 18 dictates that $k(t) = j$ for $0 \le t < T_f^j$. From the stability of the $j$th closed-loop system established in Proposition 3 and the closeness-of-solutions result in Proposition 4, we have that the slow and fast closed-loop states stay bounded for $0 \le t < T_f^j$, and that the residual satisfies $r(t) \le \delta_o^j$ for $T_b^j \le t < T_f^j$, provided $\epsilon_j \le \epsilon_{w_1}$, $\|x_s(0)\| \le \delta_b^j$, and $\|x_f(0)\|_2 \le \delta_f^j$. At time $T_f^j$, the supervisor switches (per eq 18) to a control configuration $k = \nu$ for which $\|\hat{x}_s(T_f^j)\| \le \delta_m^{\nu}$, and continues to implement this configuration in the closed-loop system for all future times $t \ge T_f^j$. Since $T_f^j > T_b^j$ and $\epsilon_j \le \epsilon_{w_1} \le \epsilon_c$, we have from the results of Propositions 4 and 5 that $\|x_s(T_f^j)\| \le \delta_b^{\nu}$.
Also, since the fast state is bounded at $T_f^j$, there exists a positive real number $\delta_f^{\nu}$ such that $\|x_f(T_f^j)\|_2 \le \delta_f^{\nu}$. At this point, a second application of the result of Proposition 3, with $k = \nu$, yields the existence of some $\epsilon_{w_2} > 0$ such that if $\epsilon_\nu \le \epsilon_{w_2}$, $\|x_s(T_f^j)\| \le \delta_b^{\nu}$, and $\|x_f(T_f^j)\|_2 \le \delta_f^{\nu}$, the origin of the closed-loop system is asymptotically stable. Choosing $\epsilon_r = \min\{\epsilon_{w_1}, \epsilon_{w_2}\}$ completes the proof of the theorem.

Literature Cited

(1) Yang, G. H.; Wang, J. L.; Soh, Y. C. Reliable H∞ control design for linear systems. Automatica 2001, 37, 717-725.
(2) Bao, J.; Zhang, W. Z.; Lee, P. L. Decentralized fault-tolerant control system design for unstable processes. Chem. Eng. Sci. 2003, 58, 5045-5054.
(3) Kresta, J. V.; Macgregor, J. F.; Marlin, T. E. Multivariate statistical monitoring of process operating performance. Can. J. Chem. Eng. 1991, 69, 35-47.
(4) Davis, J. F.; Piovoso, M. L.; Kosanovich, K.; Bakshi, B. Process data analysis and interpretation. Adv. Chem. Eng. 1999, 25, 1-103.
(5) Tatara, E.; Cinar, A. An intelligent system for multivariate statistical process monitoring and diagnosis. ISA Trans. 2002, 41, 255-270.
(6) Zhang, X. D.; Parisini, T.; Polycarpou, M. M. Adaptive fault-tolerant control of nonlinear uncertain systems: An information-based diagnostic approach. IEEE Trans. Autom. Control 2004, 49, 1259-1274.
(7) Massoumnia, M.; Verghese, G. C.; Wilsky, A. S. Failure detection and identification. IEEE Trans. Autom. Control 1989, 34, 316-321.
(8) Frank, P. M. Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy: A survey and some new results. Automatica 1990, 26, 459-474.
(9) Frank, P. M.; Ding, X. Survey of robust residual generation and evaluation methods in observer-based fault detection systems. J. Process Control 1997, 7, 403-424.
(10) Saberi, A.; Stoorvogel, A. A.; Sannuti, P.; Niemann, H. Fundamental problems in fault detection and identification. Int. J. Rob. Non Control 2000, 10, 1209-1236.
(11) DePersis, C.; Isidori, A. A geometric approach to nonlinear fault detection and isolation. IEEE Trans. Autom. Control 2001, 46, 853-865.
(12) Simani, S.; Fantuzzi, C.; Patton, R. Model-Based Fault Diagnosis in Dynamic Systems Using Identification Techniques; Springer: London, 2003.
(13) Mehranbod, N.; Soroush, M.; Panjapornpon, C. A method of sensor fault detection and identification. J. Process Control 2005, 15, 321-339.
(14) Blanke, M.; Kinnaert, M.; Lunze, J.; Staroswiecki, M. Diagnosis and Fault-Tolerant Control; Springer: Berlin-Heidelberg, 2003.
(15) El-Farra, N. H.; Christofides, P. D. Coordinated feedback and switching for control of hybrid nonlinear processes. AIChE J. 2003, 49, 2079-2098.
(16) El-Farra, N. H.; Gani, A.; Christofides, P. D. Fault-tolerant control of process systems using communication networks. AIChE J. 2005, 51, 1665-1682.
(17) Christofides, P. D.; El-Farra, N. H. Control of Nonlinear and Hybrid Process Systems: Designs for Uncertainty, Constraints and Time-Delays; Springer: New York, 2005.
(18) Ray, W. H. Advanced Process Control; McGraw-Hill: New York, 1981.
(19) Christofides, P. D.; Daoutidis, P. Nonlinear control of diffusion-convection-reaction processes. Comput. Chem. Eng. 1996, 20, 1071-1076.
(20) Palazoglu, A.; Karakas, A. Control of nonlinear distributed parameter systems using generalized invariants. Automatica 2001, 36, 697-707.
(21) Alonso, A.; Ydstie, B. E. Stabilization of distributed systems using irreversible thermodynamics. Automatica 2001, 37, 1739-1755.
(22) Christofides, P. D. Nonlinear and Robust Control of PDE Systems: Methods and Applications to Transport-Reaction Processes; Birkhäuser: Boston, 2001.
(23) Dochain, D. State observation and adaptive linearizing control for distributed parameter (bio)chemical reactors. Int. J. Adapt. Control Sig. Process 2001, 15, 633-653.
(24) Hoo, K. A.; Zheng, D. G. Low-order control-relevant models for a class of distributed parameter systems. Chem. Eng. Sci. 2001, 50, 6683-6710.
(25) Armaou, A.; Christofides, P. D. Dynamic optimization of dissipative PDE systems using nonlinear order reduction. Chem. Eng. Sci. 2002, 57, 5083-5114.
(26) El-Farra, N. H.; Armaou, A.; Christofides, P. D. Analysis and control of parabolic PDE systems with input constraints. Automatica 2003, 39, 715-725.
(27) Demetriou, M. A.; Kazantzis, N. A new integrated output feedback controller synthesis and collocated actuator/sensor scheduling framework for distributed parameter processes. Comput. Chem. Eng. 2005, 29, 867-876.
(28) El-Farra, N. H. Actuator/sensor scheduling for distributed processes with quantized control systems. In AIChE Annual Meeting; AIChE: Cincinnati, OH, 2005; paper 57a.
(29) Ruszkowski, M.; Garcia-Osorio, V.; Ydstie, B. E. Passivity based control of transport reaction systems. AIChE J. 2005, 51, 3147-3166.
(30) Demetriou, M. A. A model-based fault detection and diagnosis scheme for distributed parameter systems: a learning systems approach. ESAIM: Control Optim. Calculus Variations 2002, 7, 43-67.
(31) El-Farra, N. H.; Christofides, P. D. Coordinated feedback and switching for control of spatially distributed processes. Comput. Chem. Eng. 2004, 28, 111-128.
(32) El-Farra, N. H.; Lou, Y.; Christofides, P. D. Fault-tolerant control of fluid dynamic systems: Coordinated feedback and switching. Comput. Chem. Eng. 2003, 27, 1913-1924.
(33) Christofides, P. D.; Daoutidis, P. Finite-dimensional control of parabolic PDE systems using approximate inertial manifolds. J. Math. Anal. Appl. 1997, 216, 398-420.
(34) Friedman, A. Partial Differential Equations; Holt, Rinehart & Winston: New York, 1976.
(35) Lin, Y.; Sontag, E. D. A universal formula for stabilization with bounded controls. Syst. Control Lett. 1991, 16, 393-397.
(36) El-Farra, N. H.; Mhaskar, P.; Christofides, P. D. Hybrid predictive control of nonlinear systems: method and applications to chemical processes. Int. J. Rob. Non Control 2004, 14, 199-225.
(37) Demetriou, M. A.; Armaou, A. Optimal actuator placement and model reduction for a class of parabolic partial differential equations using spatial H2 norms. In Proceedings of American Control Conference, Portland, OR, 2005; pp 4569-4574.

Received for review January 12, 2006
Revised manuscript received March 12, 2006
Accepted March 17, 2006

IE060052I
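The residual-threshold fault detection and actuator reconfiguration logic summarized in the Conclusions, together with the threshold tradeoff illustrated by Figures 6 and 7, can be exercised on a small constructed model. The following Python script is an added example and is not the paper's code or its diffusion-reaction model. It assumes (as labelled in the comments) a single unstable slow mode coupled to one fast mode in place of the parabolic PDE, three actuator configurations A, B, C with constructed effectiveness values, a constrained linear feedback in place of the paper's controller, and a residual blackout period in place of the output-feedback waiting time T_b^k (no state estimator is simulated). The fault detection filter is a closed-loop copy of the reduced-order model, so its fault-free residual is nonzero and grows with the time-scale separation parameter eps; the example also goes beyond the paper's scenarios by showing what happens when the state at detection lies outside every remaining stability region.

```python
"""Residual-based actuator fault detection with supervisory reconfiguration.

Constructed toy model (not the paper's diffusion-reaction system): one slow
mode x_s with unstable eigenvalue a > 0, one fast mode x_f with time constant
eps, and three candidate actuator configurations A, B, C whose effectiveness
b_k on the slow mode differs. The fault detection filter is a closed-loop copy
of the reduced-order (slow) model; its residual r = |w - x_s| is nonzero even
without faults because the reduced model ignores the fast mode, so a threshold
delta tied to eps is needed to avoid false alarms.
"""
from dataclasses import dataclass, field

A_SLOW = 1.0     # unstable slow eigenvalue (constructed)
C_COUPLE = 0.5   # influence of the fast mode on the slow dynamics (constructed)
B_FAST = 1.0     # actuator effect on the fast mode (constructed)
U_MAX = 2.0      # input constraint |u| <= U_MAX
SAFETY = 0.9     # fraction of the constrained stability region used as delta_s^k
DT = 1e-3        # explicit Euler step (stable for eps >= 0.002)

# Candidate actuator configurations: name -> effectiveness b_k on the slow mode (constructed)
CONFIGS = {"A": 1.0, "B": 0.8, "C": 0.6}


def saturate(u: float) -> float:
    return max(-U_MAX, min(U_MAX, u))


def control(x: float, b_k: float) -> float:
    """Constrained feedback p_k(x): places the unsaturated closed-loop eigenvalue at -2."""
    return saturate(-(A_SLOW + 2.0) / b_k * x)


def stability_radius(b_k: float) -> float:
    """delta_s^k: the saturated input can overpower the unstable mode only if a*|x| < b_k*U_MAX."""
    return SAFETY * b_k * U_MAX / A_SLOW


@dataclass
class Result:
    switches: list = field(default_factory=list)  # (time, configuration switched to)
    max_residual: float = 0.0                     # largest residual seen while armed
    x_final: float = 0.0                          # slow state at the end of the run
    stranded: bool = False                        # no healthy configuration could take over


def simulate(eps=0.01, delta=0.02, fail_times=None, t_arm=0.0, t_end=8.0, x0=1.0) -> Result:
    """Plant + filter + supervisor. fail_times maps a configuration name to the time its
    actuator output drops to zero. t_arm is a blackout after start-up and after each switch
    during which the residual is not evaluated (a stand-in for the paper's waiting time T_b^k)."""
    fail_step = {k: int(round(v / DT)) for k, v in (fail_times or {}).items()}
    order = list(CONFIGS)
    active, isolated = order[0], set()     # supervisor's view: configurations known to be faulty
    x_s, x_f, w = x0, 0.0, x0              # filter initialised at the measured slow state
    armed_step = int(round(t_arm / DT))
    res = Result()
    for i in range(int(round(t_end / DT))):
        t = i * DT
        # 1. residual evaluation and reconfiguration
        r = abs(w - x_s)
        if i >= armed_step:
            res.max_residual = max(res.max_residual, r)
            if r > delta:
                isolated.add(active)
                nxt = next((k for k in order if k not in isolated
                            and abs(x_s) <= stability_radius(CONFIGS[k])), None)
                if nxt is None:            # state outside every remaining stability region
                    res.stranded = True
                    break
                active, w = nxt, x_s       # switch and re-initialise the filter
                armed_step = i + int(round(t_arm / DT))
                res.switches.append((t, nxt))
        # 2. control computation; a failed actuator delivers nothing regardless of the command
        b_k = CONFIGS[active]
        u_cmd = control(x_s, b_k)
        u_act = 0.0 if (active in fail_step and i >= fail_step[active]) else u_cmd
        # 3. one Euler step of the two-time-scale plant and of the reduced-order filter
        dx_s = A_SLOW * x_s + b_k * u_act + C_COUPLE * x_f
        dx_f = -x_f / eps + B_FAST * u_act
        dw = A_SLOW * w + b_k * control(w, b_k)   # fault-free closed-loop slow model
        x_s, x_f, w = x_s + DT * dx_s, x_f + DT * dx_f, w + DT * dw
    res.x_final = x_s
    return res


if __name__ == "__main__":
    clean = simulate()
    print(f"fault-free max residual {clean.max_residual:.4f} (threshold 0.02)")
    faulty = simulate(fail_times={"A": 1.0, "B": 3.0})
    print("switches:", [(round(t, 3), k) for t, k in faulty.switches],
          "final x_s", f"{faulty.x_final:.2e}")
```

Running `simulate()` without faults shows a small but nonzero residual that stays under the threshold; raising `eps` enlarges it, which is the reason the threshold has to come from the closeness-of-solutions bound rather than being set at zero. With actuator A failing at t = 1 and B at t = 3 the supervisor switches to B and then to C, and the second detection is slower because the fault hits while the state is already near the steady state. With `t_arm` set, detection of a fault that occurs during the blackout is delayed until the residual is armed again, the cost side of the tradeoff discussed for the output feedback case. If no remaining configuration's stability region contains the state at detection, the run stops with `stranded` set, which is the situation the switching rule excludes by requiring x_s(T_f) to lie in some Ω̄^ν.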