- Email: [email protected]
Sensor fault masking of a ship propulsion system
IFAC
C:Cc>
Copyright 0 IFAC Fault Detection, Supervision and Safety of Technical Processes, Washington, D.C., USA, 2003
Publications www.elsevier.comllocatelifac
SENSOR FAULT MASKING OF A SHIP PROPULSION SYSTEM N. E.
wu t , S. Thavamani t , Y. Zhang;,
& M. Blanke·
t Dept. of ECE, Binghamton Univ., Binghamton, NY 13902, USA, [email protected] +Dept. of ECE, Univ. Western Ontario, London ON N6A 5B9, Canada, [email protected] • Section of Automation at Oersted-DTU, Tech . Univ. oJ Denmark, DK 2800 Kgs. Lyngby, Denmark, [email protected] Abstract: This paper presents the results of a study on fault-tolerant control of a ship propUlsion benchmark (Izadi-Zamanabadi and Blanke, 1999), which uses estimated or virtual measurements as feedback variables. The estimator operates on a selfadjustable design model so that its outputs can be made immune to the effects of a specific set of component and sensor faults . The adequacy of sensor redundancy is measured using the control reconfigurability (Wu, Zhou, and Salomon, 2000), and the number of sensor based measurements are increased when this level is found inadequate. As a result, sensor faults that are captured in the estimator's design model can be tolerated without the need for any reconfiguration actions. Simulations for the ship propulsion benchmark show that, with additional sensors added as described, satisfactory fault-tolerance is achieved under two additive sensor faults, an incipient fault, and a parametric fault, without having to alter the original controller in the benchmark. Copyright © 2003 [FAC Keywords: reconfigurability, sensor redundancy, fault tolerant control, adaptive estimation, ship propulsion benchmark
1. INTRODUCTION
dancy) can mask a single sensor fault and provide the correct measurement of the variable. If none or only one extra sensor is associated with the variable, analytic redundancy (Chow and Wilsky, 1984) provided via the use of static or dynamic models that relate the system variables must be invoked in order to mask a sensor fault. Reliable and adaptive control schemes must strive for the best use of analytic redundancy to achieve a superior fault tolerance. An alternative approach is for the control law to react to a diagnosis outcome rather than to mask the effect of a fault . This seemingly more flexible approach to management of redundancy is sometimes called a control reconfiguration. It is, however, considered riskier in terms of system complexity, processing burden, and decision criticality (Wu, 2001) .
Sensor fault tolerant control (as opposed to actuator or component fault tolerant control) is less discussed in the fault tolerant control literature despite the large number of publications in the field following the overview paper by Patton (1997) . The reasons can be seen as follows . The critical role of measured variables in a controlled system makes it necessary to keep the sensor reliability high, which is often achieved through the use of direct redundancy. The fact that sensors are, in comparison with actuators and most components, generally cheaper, smaller, and easier to retrofit has further besteaded the sensor reliability. There are applications, however, where sensor faults are critical to the extent that they are the sources of single point failures at the overall system level. This is the case in the ship propulsion benchmark (Izadi-Zamanabadi and Blanke, 1999).
Two basic fault-tolerant approaches were listed by Izadi-Zamanabadi and Blanke (1999) in describing the ship propulsion benchmark problem. Accommodation by recalculation of the set points at the coordination level was suggested for some faults, reconfiguration by replacing a faulty measurement with an alternative output estimate was suggested for other faults. The latter approach
Even if adequate sensor redundancy exists, it needs to be properly managed to mask single point failures . If a critical feedback variable is measured by three or more identical sensors, a simple scheme of majority voting (direct redun-
417
was demonstrated in Blanke et 801. (1998), which depends, as in all reconfiguration approaches, on the timely identification of the faults. The set points recalculation can take effect only if adequate redundancy exists and the redundancy is properly managed. Though most passenger vessels have two complete shafts that can provide fail-operational propulsion systems, they lack the capability of effectively mitigating the impact of sensor faults that affect availability of full engine power and thus affect their regularity of service. The aim of this paper is to investigate techniques that make the propulsion system unaffected by faults in sensor systems without reconfiguration, and enhance propulsion plant availability. Our approach is to use an estimator to mask sensor faults through replacement of feedback variables by their estimates that are immune to sensor faults. Fault immunity is achieved by assuring a sensor arrangement that preserves system reconfigurability (Wu, Zhou, & Salomon, 2000) before and after faults occur, and by capturing the effect of faults in the model used for the design of an estimator (design model, hereafter). It is shown possible to achieve fault-tolerance without having to alter control hardware or software. This approach is significantly different from any reported approaches to fault tolerant control of the ship propulsion benchmark (Bonivento et al., 2001; Kerrigan et al., 1999; and Blanke et al., 1998), and it has potential to solve other fault tolerant control problems.
the control input vector. Y E RP is the measured output vector. w'" E Rn z , we E Rn(, and Wy E RP are bounded exogenous input vectors. ( is the fault effect parameter vector with {e E ne c Rn(c representing component faults, E n. c R n (. representing sensor faults, and = 0 representing the fault-free case. Let Xm = [Xj) . . . xj.I' with q the number of state variables which are measured and participate feedback. The form of the measurement equation can be generalized. It is specialized to the situation in the ship propulsion benchmark. The upper block diagram in Figure 1 shows the configuration with the following conventional control law
e. e
which is designed for
e= 0 to achieve
IIxm(t) - r(t)/I
::;~ ,
Vt 2:: T
(6)
where ~ > 0 is a pre-specified tracking error bound, T > 0 is a pre-specified settling time bound, and r E Rq is the reference input vector. In general, it is not possible to find a control law by which (6) is satisfied V ee E ne and V (~ E n. because the feedback variable y is affected by sensor and component faults . The following faulttolerant control law is proposed, as shown in the lower schematic diagram of Figure 1. The new component in the control law is an estimator expressed as
i: = cjJ(x, (" u, y, r) t = 11: (x , (" u, Y, r)
The paper is organized as follows. Section 2 focuses on the discussion of the basic concept of the proposed sensor fault masking approach. Section 3 describes a ship propulsion benchmark problem to which the proposed scheme is applied. A Matlab function that implements the on-line estimator is included. Section 4 shows simulation results with a fault masking estimator in the control loop. Section 5 comments on the need for further research. Section 6 acknowledges external support for this work.
(7)
xm = hex, (,5) where x is the state estimate vector, (, is the fault-effect parameter estimate vector, and xm is the virtual measurement vector. The estimator is followed by the original controller with the sensor measurement y replaced by the virtual measurement xm
2. PROBLEM FORMULATION
If xm remains close to Xm = h( x, ea) for all
Consider the tracking problem for a system with the following model
x = I(x, (, u) + w"" ~ = n(x, () y = hex, (~)
{ = [{~ {~J'
{~
E n~. sensor faults are said to have been masked. In this case, the estimator is said to have acquired self-adjustability with respect to the occurrence of sensor faults . If, in addition, the tracking condition IIxm(t) - r(t)1I ::; f V t 2:: T is satisfied as well for all {, E n. and E ne, the controlled system is said to be sensor faulttolerant, and the controller described in (8) is said to be robust against component faults. Keeping a part of observer-based controller (8) in the same form as conventional controller (5) is justified under the condition that conventional controller (5) performs satisfactorily in the nominal situation. In
(1)
+ we
(2)
+ Wy
(3)
ee
with Yi = Xj, +(~ ,i +Wy,i, ji = 1,· · ·,q::; n (4)
The notations in the above equations are now explained. x E Rn z is the state vector. u E Rm is
418
addition, it is always desirable to minimize control hardware and software change, and to avoid the addition of a decision module that triggers control reconfiguration.
model for the fault masking estimator in which all faults entering the system are manipulated into additive random fault effect parameters. The set of fault effect parameters includes two additive sen:;or faults (L10, L1n), an additive incipient fault (~Oinc), and a multiplicative parametric fault
Two issues arise. The first is the characterization of a model's structural property that is necessary in order to mask sensor faults. The second is the construction of the estimator that achieves fault masking. The general principles to resolving these issues are briefly discussed now. How they are dealt with in the ship propulsion benchmark will be detailed in the next section.
(~ky).
The model based on which the estimator design is carried out has the state-space representation given in (1), (2), and (3) :i: = f(x,t;,u)
+ w""
~ = a(x,t;)
+W(,
y = h(x,t;.) +Wy
where
The structural property sought after is the control reconfigurability (Wu, Zhou, and Salomon, 2000) that measures the adequacy of redundancy level in a controlled system relative to the nominal condition. Numerically it is a combined measure of controllability and observability under specified fault scenarios. Explicit formulae for the computation of a control reconfigurability are available, however, only for small signal (linear) models. Nevertheless the computation is straightforward in this case, and the results are instructive with regard to the selection of alternative sensor and actuator arrangement. In order for the same conventional controller (5) to be effective before and after some sensor faults have occurred, the control reconfigurability specific to these sensor faults should necessarily remain approximately unchanged. This condition, however, is not sufficient unless the sensor faults are masked via redundancy management and the conventional controller is robust against the remaining faults.
prop~ller pitch angle engme shaft speed
=. [
t;
=
[t;.] = t;c
u = [(Jre j
]
Ym
y =
(J.,. n Tn [ Um
f),,(J
~n f),,(Jinc
r f),,"v
sh!p speed engme torque
1= [
1 '
[J (J
Xm=
n
U
pitch sensor fault shaft speed sensor faull pitch rate drift percentage engine gain reduction
= [Pitch angle reference measured fuel index
J'
1= [
mcasured propcller pitch angle] measured engine shaft speed , measured ship speed
and bounded exogenous signals
The sensor fault masking can be realized using an estimator (Wu, Zhang, and Zhou, 2000), and in particular using an extended Kalman estimator for the ship propulsion system (Zhang, and Wu, 1999). The role of parameter estimates pertinent to the application of the ship propulsion benchmark can be viewed as a means to adjust the estimator design model according to the values of the fault effect parameters so that the virtual measurement quantities are always correct (xm ~ XTn) ' An important feature of the estimator is the use of a set of temporally and spatially varying forgetting factors that facilitate the estimator convergence and minimize the dynamic effects of the estimator to the control loop.
Functions
J,
rjJ
and h are given by
Additional variables in the functions are defined as follows . Bmin and Bmo% are the pitch rate limits. I m and m are the inertia and the mass of the ship, respectively. Ru is the hull resistance. ky is the diesel engine gain and 're is the engine time constant corresponding to torque built up from cylinder firings. Qp1"OP and Tprop are developed propeller torque and thrust, respectively. In the benchmark simulation, they are calculated by the interpolation of two tables of real data measured under sea operation. They are nonlinear functions of B, n, and ship speed U, approximated by the following bilinear relations.
3. SHIP PROPULSION CONTROL SYSTEM The ship propulsion benchmark is a test bed for fault detection, diagnosis and fault-tolerant control. The lower level subsystems include a propeller pitch angle control subsystem, a governor subsystem, a diesel engine, a propeller, and a ship speed subsystem. The reader is referred to IzadiZamanabadi and Blanke (1999) for a detailed description. The model described here is the design
Qprop = Qo 1nl n + Qlnln«(J) 1nl n + QlnlVn (9) Tprop = Tlnln((J) 1nl n + l1nlV.. (6) 1nl V"
419
1nl V"
where Tlnln' IlnlVn' Qlnln and QlnlVn are complex functions of B, Va is the advance speed. The relation between Va and U can be described by wake fraction number w through Va = (I - w)U. An estimator based on a I sample/second discretized version of the above model is designed for the purpose of fault detection and diagnosis in Zhang and Wu (1999). Two major modifications with regard to the estimator design have been made in this paper. (i) The estimator model now includes an additional pitch angle sensor, and an additional shaft speed sensor, and (ii) the estimator is implemented as a Matlab routine which is placed in the control loop of the benchmark Simulink model. Inclusion of an additional shaft speed sensor is in accordance with the practice in the marine industry where the higher of the sensor signals are chosen in a maximum selector for use in the engine speed control loop. Certain sensor faults could easily cause an unwanted engine slow down with this configuration. The decision concerning the addition of sensors is made based on a control reconfigurability calculation (Wu, Zhou, and Salomon, 2000), and an observability calculation (Moore, 1981).
It can be seen from the above table that, with respect to pitch sensor fault, the level of sensor redundancy and the level of necessary observability needed for estimating faults are both adequate without the addition of any sensor. The shaft speed sensor fault, however, almost totally destroys the system observability necessary for successful faulty state estimation, and the system reconfigurability necessary for successful control performance preservation, unless a shaft speed sensor is added . We therefore conclude that the options that allow a successful sensor fault masking control are Ip2s and 2p2s. Tradeoffs between the two options are a higher cost of using an extra pitch sensor with 2p2s, or a poorer steady state accuracy and more severe transient in the estimate as indicated by a lower observability with Ip2s. The above conclusions are supported by our simulations. The simulation results shown in the paper are obtained with the 2p2s option. With the added sensors, mapping hex, {s) in the measurement equation (4), or more concretely in (9) that is used in the estimator design model, should be modified to
Control reconfigurability assesses the system ability to allow performance restoration in the presence of faults. A control reconfigurability calculation is performed for the small signal control design model (a 4-state system) of the ship propulsion benchmark relative to the nominal control reconfigurability with four options of sensor arrangement under two sensor fault scenarios. The four options are no added sensors (Ipls), an added pitch sensor (2pls), an added shaft speed sensor (lp2s), and an added pitch sensor and an added shaft speed sensor (2p2s). The calculation involves finding the worst case and the smallest relative Hankel singular value for a set of specific fault scenarios. The two sensor fault scenarios are a single pitch sensor fault (t:.B) and a single shaft speed sensor fault (t:.n). The relative control reconfigurability is denoted by Pr.
(1O)
Despite the increase in the number of measurements, the states that participate the feedback remains to be the same components of x m . The fault masking estimation algorithm involves a set of 18 recursive equations which are used to produce estimates of both the states and the fault effect parameters. These are the same set of equations as those in Zhang and Wu (1999) with two exceptions. (i) Modified measurement equation (10) replaces the original measurement equation, and (ii) the resulting esitmator is implemented online using a Matlab function. The estimator generates the virtual measurements that replace the feedback V"doriables provided by the two original pitch angle and shaft speed sensors. The on-line estimator has been added to the Simulink model of the original benchmark (Thavamani, 2002). We include the Matlab function here for the benefit of readers who wish to make use of the estimator.
On the other hand, the ability to estimate the state of a dynamic system rests on the system's observability. Since all four types of faults are captured in the estimator design model as states, an observability calculation is performed for the state augmented model (state vector contains both x and O. The same four options of sensor arrangement and two fault scenarios are considered. The relative observability, which is defined as the ratio of the smallest singular value of the observability gramian under a single fault to that of the faultfree case, is denoted by a r . The result of relative control reconfigurability and relative observability computation is summarized in the following table.
% Matlab function implementing sensor fault masking estimator functicm Estimate = Estimator{in) Bre ! = in{l);% Propeller pitch reference Ym = in(2)j% FUel index BI = in(3)j%Pitch mellBurement from sensor PI nl = in(4)j%Shaft speed measurement from sensor SI
420
Urn = in(5);%Ship speed measurement 82 = in(6);%Pitch measurement from sensor P2 n2 = in('7);'i'oShaft speed measurement from sensor S2 % Define global variables global b V Fb P'" QZ Qb R x x % Filter initial values: % Q'" = diag{0.018, 0, 0, O}, Qb = 0.5 .. le, P'" = 50 - I, % pb = 50-16, R = diag{0.18,3.9, 0.09, 0.18 x 1O-',0.04} global I., h % Identities of state and bias transition matrix sizes %Define estimator parameters T. = 1; %Estimator sampling period r'" = zeroa( 4,4); %Procflllll noise distribution r'" = -0.15; %lst element of rz nz = 4; n~ = 5; nb = 6;%Number of etates, of measurements, of faults % Estimator inputs U = [Ore! Yrnl/;%Plant inputs / y = 101 n1 Urn 02 n21 ;%Plant outputs % Subroutines for estimator model ModelUpdateData = [x(l : 3) ; y.,. ; T.l ; % Inputs needed for estimator model calculation [F, G, H, Ft, F21 = StateParameter(ModelUpdateData);% Function call for estimator state-space parameters N cm.linearity %Function call for state transition fusing x & T. % Calculate forgetting factors OmG% = 0.01; O""n = 0.0001;% Bias covariance upper & lower bounds [E, ).l = eig(pb+) ; % Eigen-vectors/-values of the bias covariance pH = zero8(nb, nb) ; % Initisl bias covariance for j = 1 : nb % Determine nb forgetting factors if >'(j, j) > O.,.GZ ).(j, j) = >'(j, j); else >'(j,j) = Om,n + (Om .. z - Q.,.in)" >'(j, j)/o.,. ..., ; end pH = pH + E( :,j) .. >'(j,j)" E( :,j)'; end % Estimator equations M = F .. V + FI;% Bias-to-state coupling V+ = M .. pI> .. inv(pb+) ;% Coupling extrapolation x+ = f + G - u + (M - V+) .. b;% State estimate extrapolation, bias free fo = Y - H .. x+; % State residusl pz+ = F .. pz .. F' + rz .. Q'" _ r /% + M .. pi> .. M' - V+ .. pH .. V' +;%Covariance extrapolation, bias free S = H .. pz .. H' + R;% Covariance update, bias free KZ = pz .. H' .. inv(S);% Kalman gain, bias free P% = (/% - KZ .. H) .. PZ+;%Covariance update, bias free x = x + + K'" .. r; %State update, bias free N = H .. V+ + F2;% State-to-bias coupling V = V+ - KZ .. N ;% Coupling update Kb = pH .. N' .. inv(N .. pH .. N' + S);% Kalman gain for bias b = b+ Kb .. (fo - N .. b);%Bias update pb = (Ib - Kb .. N) .. pH ;%Bias covariance update x = x + V .. b;%Compensated state 8 = x(l) ;%PropelIer pitch estimate n = x(2) ;%Shaft speed estimate % Estimator output E stimate = [8 nl; % Fault-free measurements
4. SIMULATION RESULTS Figures 2 through 4 show the responses of the measured variables Om, n m , and Um of the original benchmark simulation (first plot in each figure), the responses of the same set of variables in the
421
sensor fault masking setting (last plot in each figure), and the responses of the true state B, n, and U in the sensor fault masking setting (middle plot in Figures 2 and 3, last plot in Figure 4 for U = Um in the benchmark). It can be seen that sensor fault masking has been successfully achieved. Note that in the process, no switching action is taken. This is due to the self-adjustable nature of the fault masking estimator. In addition, we are able to retain the controller in the original benchmark despite the presence of an incipient fault and a parametric fault that are not directed measured by any sensor. This robustness is attributed to the less severe nature of the two additional faults , and to the enhanced reconfigurability of the modified system configuration. The contribution of the fault masking estimator can be thought of as an automatic compensation of a sensor fault which is recognizable from one of two sensor measurements by utilizing analytic redundancy, while a third sensor would be required with traditional fail-operational technology. The reader who is interested in reproducing the numerical results presented in the paper is referred to Izadi-Zamanabadi and Blanke (1999) for the standard set of parameter values of the benchmark. Only the sequence of fault occurrence is given here to facilitate the reading of the plots.
I Fault type I Approx. magnitude I Sustaining duration I 118 I1n 118in~
118
Iln Ilk"
0.4 0.5 10 -"(s + 10- 5 ) I -0.35 -9.6 20%k"
180a - 210" 680s - 710s 800s -l'700a 18908 - 1920s 26408 - 26'70s 30008 - 3500s
The table reflects an important difference in the treatment of sensor faults in this paper from that in all other reported ship propulsion benchmark studies. The sensor faults in this paper are modeled as measurement deviations from the fault-free values, rather than absolute deviations from the zero outputs. 5. DISCUSSION Our investigation is continuing in the following three areas. (i) The difficulty presented by the hard nonlinearities in the benchmark, which an extended Kalman estimator is incapable of handling, is circumvented by staying with a small signal model during analysis and design. The most challenging task of stability analysis of the closed-loop system is left with the simulation. Only a small signal analysis where the estimator is identified as a parametric LTI model has been performed (Thavamani, 2002). A more rigorous nonlinear, closed-loop stability analysis without small signal LT! approximations is being sought. (ii) The current controller which is inherited from the original benchmark is constructed based on a model without the estimator dynamics in the
loop. Although the dynamic effect of the estimator to the loop has been minimized by the use of a forgetting factor in the estimator, in general a controller design that includes the estimator dynamics in the control design model is needed. (iii) While all fault effect parameters enter explicitly into the estimator design model in order to gain greater accuracy of the virtual measurement estimates, the non-sensor faults .6.0inc and .6.ky have not been included in the controller design model. This is acceptable because these faults have only minor effects on the system performance. In a more general situation, however, effort to compensate non-sensor faults may be required.
Figure 1. (i) Original system configuration, (ii) Faulttolerant system configuration
6. ACKNOWLEDGMENT
i ": · ...... E..... i '~- ........... 'l'------~.. -~ .~
The support of NASA (NCC-I-02009) and NSF (ECS-9615956) is gratefully acknowledged by the first two authors. The authors also sincerely thank Prof. Izadi-Zamanabadi of Aalborg University for his most generous assistance with the ship propulsion benchmark.
•
0
.. - . . . .
.
.
. ..
,
.
PIktI..,ga. .... ttI ............... ..,.. __ -dS
o
'
,
1000
2000
lOOO
ij '/ "~ .\ 'I ri' :.1'1 ..la,,,. "1"\~.~H~.'M*J~'~I..!~t~,/' ," ~*1 GoaL
_~ PIKfI·~~.. (w..I~'oIlhI .... ~.ystem o
101X1
2000
llm_(_)
Figure 2. Pitch angle (i) measurement from the original benchmark, (ii) true state from the fault-tolerant system, (Hi) estimate that is fed back in the fault-tolerant system
References Blanke, M., Izadi-Zamanahadi, R., and Lootsma, T.F. (1998) . Fault monitoring and re-configurahle control for a ship propulsion plant, Journal of Adaptive Control and Signal Processing, vol. 12, pp.671-688. Bonivento C., Paoli A. and Marconi L. (2001) FaultTolerant Control for a Ship Propulsion System, Proc.
sn.fI Spe.d CbI'.a.tdcs
-,.~
.
:':r--1
+-; · •
European Control Conference. Chow, E.Y., and Willsky, A.S. (1984). Analytical redundancy and the design of robust detection systems, IEEE 7hmsaction on Automatic Control, vol. 29, pp.603-614. Izadi-Zamanabadi, R., and Blanke M. (1999) A ship propulsion system as a benchmark for fault tolerant control, Control Engineering Practice, vol.7, pp.227239. Kerrigan, E.C., and Maciejowski, J.M. (1999) . Fault tolerant control of a ship propulsion system using model predictive control, Proc. European Control Conference. Moore, B. C. (1981). Principal component analysis in linear systems: controllability, observability, and model reduction, IEEE 7hmsactions on Automatic Control, vol.26, pp.17-32. Patton, R.J., Fault-tolerant control: the 1997 situation, Proc. Safeprocess'9?, 1997 Thavamani, S. (2002). Observer-Based Sensor FaultTolerant Control of a Ship Propulsion Benchmark, Master of Science Thesis, Binghamton University. Wu, N.E, Zhou, K., and Salomon, G. (2000). Reconfigurability in linear time-invariant systems, Automatica, vol.36, pp.1767-1771. Wu, N.E., Zhang, Y., and Zhou, K. (2000). Detection, estimation, and accommodation of loss of control effectiveness, International Journal of Adaptive Control and Signal Processing, vo!.14, pp.775-795. Wu, N.E. (2001). Reliability and fault-tolerant control: Part I and I1, Proc . IEEE Conference on Decision and ControL Zhang, Y., and Wu, N.E. (1999). Fa.ult Diagnosis for A Ship Propulsion Benchmark: Part I, Proc. 14th IFAG World Congress,.
!
.
i
\:
, 'OOD
2000
'000
2000
·
,
::000
~ 3000
•
\
::1
~
r]
"'OIl
....
I: 3CIOO
Tn.(I~
1
Figure 3. Shaft speed (i) measurement from the original • benchmark, (ii) true state from the fault-tolerant system, (iii) estimate that is fed back in the fault-tolerant system
(E : --~ o
rE °
0
1000
2000
-~< ........
3000
CJ
~(
Figure 4. Ship speed (i) measurement from the original benchmark, (ii) measurement from the fault-tolerant systern
422
C:Cc>
Copyright 0 IFAC Fault Detection, Supervision and Safety of Technical Processes, Washington, D.C., USA, 2003
Publications www.elsevier.comllocatelifac
SENSOR FAULT MASKING OF A SHIP PROPULSION SYSTEM N. E.
wu t , S. Thavamani t , Y. Zhang;,
& M. Blanke·
t Dept. of ECE, Binghamton Univ., Binghamton, NY 13902, USA, [email protected] +Dept. of ECE, Univ. Western Ontario, London ON N6A 5B9, Canada, [email protected] • Section of Automation at Oersted-DTU, Tech . Univ. oJ Denmark, DK 2800 Kgs. Lyngby, Denmark, [email protected] Abstract: This paper presents the results of a study on fault-tolerant control of a ship propUlsion benchmark (Izadi-Zamanabadi and Blanke, 1999), which uses estimated or virtual measurements as feedback variables. The estimator operates on a selfadjustable design model so that its outputs can be made immune to the effects of a specific set of component and sensor faults . The adequacy of sensor redundancy is measured using the control reconfigurability (Wu, Zhou, and Salomon, 2000), and the number of sensor based measurements are increased when this level is found inadequate. As a result, sensor faults that are captured in the estimator's design model can be tolerated without the need for any reconfiguration actions. Simulations for the ship propulsion benchmark show that, with additional sensors added as described, satisfactory fault-tolerance is achieved under two additive sensor faults, an incipient fault, and a parametric fault, without having to alter the original controller in the benchmark. Copyright © 2003 [FAC Keywords: reconfigurability, sensor redundancy, fault tolerant control, adaptive estimation, ship propulsion benchmark
1. INTRODUCTION
dancy) can mask a single sensor fault and provide the correct measurement of the variable. If none or only one extra sensor is associated with the variable, analytic redundancy (Chow and Wilsky, 1984) provided via the use of static or dynamic models that relate the system variables must be invoked in order to mask a sensor fault. Reliable and adaptive control schemes must strive for the best use of analytic redundancy to achieve a superior fault tolerance. An alternative approach is for the control law to react to a diagnosis outcome rather than to mask the effect of a fault . This seemingly more flexible approach to management of redundancy is sometimes called a control reconfiguration. It is, however, considered riskier in terms of system complexity, processing burden, and decision criticality (Wu, 2001) .
Sensor fault tolerant control (as opposed to actuator or component fault tolerant control) is less discussed in the fault tolerant control literature despite the large number of publications in the field following the overview paper by Patton (1997) . The reasons can be seen as follows . The critical role of measured variables in a controlled system makes it necessary to keep the sensor reliability high, which is often achieved through the use of direct redundancy. The fact that sensors are, in comparison with actuators and most components, generally cheaper, smaller, and easier to retrofit has further besteaded the sensor reliability. There are applications, however, where sensor faults are critical to the extent that they are the sources of single point failures at the overall system level. This is the case in the ship propulsion benchmark (Izadi-Zamanabadi and Blanke, 1999).
Two basic fault-tolerant approaches were listed by Izadi-Zamanabadi and Blanke (1999) in describing the ship propulsion benchmark problem. Accommodation by recalculation of the set points at the coordination level was suggested for some faults, reconfiguration by replacing a faulty measurement with an alternative output estimate was suggested for other faults. The latter approach
Even if adequate sensor redundancy exists, it needs to be properly managed to mask single point failures . If a critical feedback variable is measured by three or more identical sensors, a simple scheme of majority voting (direct redun-
417
was demonstrated in Blanke et 801. (1998), which depends, as in all reconfiguration approaches, on the timely identification of the faults. The set points recalculation can take effect only if adequate redundancy exists and the redundancy is properly managed. Though most passenger vessels have two complete shafts that can provide fail-operational propulsion systems, they lack the capability of effectively mitigating the impact of sensor faults that affect availability of full engine power and thus affect their regularity of service. The aim of this paper is to investigate techniques that make the propulsion system unaffected by faults in sensor systems without reconfiguration, and enhance propulsion plant availability. Our approach is to use an estimator to mask sensor faults through replacement of feedback variables by their estimates that are immune to sensor faults. Fault immunity is achieved by assuring a sensor arrangement that preserves system reconfigurability (Wu, Zhou, & Salomon, 2000) before and after faults occur, and by capturing the effect of faults in the model used for the design of an estimator (design model, hereafter). It is shown possible to achieve fault-tolerance without having to alter control hardware or software. This approach is significantly different from any reported approaches to fault tolerant control of the ship propulsion benchmark (Bonivento et al., 2001; Kerrigan et al., 1999; and Blanke et al., 1998), and it has potential to solve other fault tolerant control problems.
the control input vector. Y E RP is the measured output vector. w'" E Rn z , we E Rn(, and Wy E RP are bounded exogenous input vectors. ( is the fault effect parameter vector with {e E ne c Rn(c representing component faults, E n. c R n (. representing sensor faults, and = 0 representing the fault-free case. Let Xm = [Xj) . . . xj.I' with q the number of state variables which are measured and participate feedback. The form of the measurement equation can be generalized. It is specialized to the situation in the ship propulsion benchmark. The upper block diagram in Figure 1 shows the configuration with the following conventional control law
e. e
which is designed for
e= 0 to achieve
IIxm(t) - r(t)/I
::;~ ,
Vt 2:: T
(6)
where ~ > 0 is a pre-specified tracking error bound, T > 0 is a pre-specified settling time bound, and r E Rq is the reference input vector. In general, it is not possible to find a control law by which (6) is satisfied V ee E ne and V (~ E n. because the feedback variable y is affected by sensor and component faults . The following faulttolerant control law is proposed, as shown in the lower schematic diagram of Figure 1. The new component in the control law is an estimator expressed as
i: = cjJ(x, (" u, y, r) t = 11: (x , (" u, Y, r)
The paper is organized as follows. Section 2 focuses on the discussion of the basic concept of the proposed sensor fault masking approach. Section 3 describes a ship propulsion benchmark problem to which the proposed scheme is applied. A Matlab function that implements the on-line estimator is included. Section 4 shows simulation results with a fault masking estimator in the control loop. Section 5 comments on the need for further research. Section 6 acknowledges external support for this work.
(7)
xm = hex, (,5) where x is the state estimate vector, (, is the fault-effect parameter estimate vector, and xm is the virtual measurement vector. The estimator is followed by the original controller with the sensor measurement y replaced by the virtual measurement xm
2. PROBLEM FORMULATION
If xm remains close to Xm = h( x, ea) for all
Consider the tracking problem for a system with the following model
x = I(x, (, u) + w"" ~ = n(x, () y = hex, (~)
{ = [{~ {~J'
{~
E n~. sensor faults are said to have been masked. In this case, the estimator is said to have acquired self-adjustability with respect to the occurrence of sensor faults . If, in addition, the tracking condition IIxm(t) - r(t)1I ::; f V t 2:: T is satisfied as well for all {, E n. and E ne, the controlled system is said to be sensor faulttolerant, and the controller described in (8) is said to be robust against component faults. Keeping a part of observer-based controller (8) in the same form as conventional controller (5) is justified under the condition that conventional controller (5) performs satisfactorily in the nominal situation. In
(1)
+ we
(2)
+ Wy
(3)
ee
with Yi = Xj, +(~ ,i +Wy,i, ji = 1,· · ·,q::; n (4)
The notations in the above equations are now explained. x E Rn z is the state vector. u E Rm is
418
addition, it is always desirable to minimize control hardware and software change, and to avoid the addition of a decision module that triggers control reconfiguration.
model for the fault masking estimator in which all faults entering the system are manipulated into additive random fault effect parameters. The set of fault effect parameters includes two additive sen:;or faults (L10, L1n), an additive incipient fault (~Oinc), and a multiplicative parametric fault
Two issues arise. The first is the characterization of a model's structural property that is necessary in order to mask sensor faults. The second is the construction of the estimator that achieves fault masking. The general principles to resolving these issues are briefly discussed now. How they are dealt with in the ship propulsion benchmark will be detailed in the next section.
(~ky).
The model based on which the estimator design is carried out has the state-space representation given in (1), (2), and (3) :i: = f(x,t;,u)
+ w""
~ = a(x,t;)
+W(,
y = h(x,t;.) +Wy
where
The structural property sought after is the control reconfigurability (Wu, Zhou, and Salomon, 2000) that measures the adequacy of redundancy level in a controlled system relative to the nominal condition. Numerically it is a combined measure of controllability and observability under specified fault scenarios. Explicit formulae for the computation of a control reconfigurability are available, however, only for small signal (linear) models. Nevertheless the computation is straightforward in this case, and the results are instructive with regard to the selection of alternative sensor and actuator arrangement. In order for the same conventional controller (5) to be effective before and after some sensor faults have occurred, the control reconfigurability specific to these sensor faults should necessarily remain approximately unchanged. This condition, however, is not sufficient unless the sensor faults are masked via redundancy management and the conventional controller is robust against the remaining faults.
prop~ller pitch angle engme shaft speed
=. [
t;
=
[t;.] = t;c
u = [(Jre j
]
Ym
y =
(J.,. n Tn [ Um
f),,(J
~n f),,(Jinc
r f),,"v
sh!p speed engme torque
1= [
1 '
[J (J
Xm=
n
U
pitch sensor fault shaft speed sensor faull pitch rate drift percentage engine gain reduction
= [Pitch angle reference measured fuel index
J'
1= [
mcasured propcller pitch angle] measured engine shaft speed , measured ship speed
and bounded exogenous signals
The sensor fault masking can be realized using an estimator (Wu, Zhang, and Zhou, 2000), and in particular using an extended Kalman estimator for the ship propulsion system (Zhang, and Wu, 1999). The role of parameter estimates pertinent to the application of the ship propulsion benchmark can be viewed as a means to adjust the estimator design model according to the values of the fault effect parameters so that the virtual measurement quantities are always correct (xm ~ XTn) ' An important feature of the estimator is the use of a set of temporally and spatially varying forgetting factors that facilitate the estimator convergence and minimize the dynamic effects of the estimator to the control loop.
Functions
J,
rjJ
and h are given by
Additional variables in the functions are defined as follows . Bmin and Bmo% are the pitch rate limits. I m and m are the inertia and the mass of the ship, respectively. Ru is the hull resistance. ky is the diesel engine gain and 're is the engine time constant corresponding to torque built up from cylinder firings. Qp1"OP and Tprop are developed propeller torque and thrust, respectively. In the benchmark simulation, they are calculated by the interpolation of two tables of real data measured under sea operation. They are nonlinear functions of B, n, and ship speed U, approximated by the following bilinear relations.
3. SHIP PROPULSION CONTROL SYSTEM The ship propulsion benchmark is a test bed for fault detection, diagnosis and fault-tolerant control. The lower level subsystems include a propeller pitch angle control subsystem, a governor subsystem, a diesel engine, a propeller, and a ship speed subsystem. The reader is referred to IzadiZamanabadi and Blanke (1999) for a detailed description. The model described here is the design
Qprop = Qo 1nl n + Qlnln«(J) 1nl n + QlnlVn (9) Tprop = Tlnln((J) 1nl n + l1nlV.. (6) 1nl V"
419
1nl V"
where Tlnln' IlnlVn' Qlnln and QlnlVn are complex functions of B, Va is the advance speed. The relation between Va and U can be described by wake fraction number w through Va = (I - w)U. An estimator based on a I sample/second discretized version of the above model is designed for the purpose of fault detection and diagnosis in Zhang and Wu (1999). Two major modifications with regard to the estimator design have been made in this paper. (i) The estimator model now includes an additional pitch angle sensor, and an additional shaft speed sensor, and (ii) the estimator is implemented as a Matlab routine which is placed in the control loop of the benchmark Simulink model. Inclusion of an additional shaft speed sensor is in accordance with the practice in the marine industry where the higher of the sensor signals are chosen in a maximum selector for use in the engine speed control loop. Certain sensor faults could easily cause an unwanted engine slow down with this configuration. The decision concerning the addition of sensors is made based on a control reconfigurability calculation (Wu, Zhou, and Salomon, 2000), and an observability calculation (Moore, 1981).
It can be seen from the above table that, with respect to pitch sensor fault, the level of sensor redundancy and the level of necessary observability needed for estimating faults are both adequate without the addition of any sensor. The shaft speed sensor fault, however, almost totally destroys the system observability necessary for successful faulty state estimation, and the system reconfigurability necessary for successful control performance preservation, unless a shaft speed sensor is added . We therefore conclude that the options that allow a successful sensor fault masking control are Ip2s and 2p2s. Tradeoffs between the two options are a higher cost of using an extra pitch sensor with 2p2s, or a poorer steady state accuracy and more severe transient in the estimate as indicated by a lower observability with Ip2s. The above conclusions are supported by our simulations. The simulation results shown in the paper are obtained with the 2p2s option. With the added sensors, mapping hex, {s) in the measurement equation (4), or more concretely in (9) that is used in the estimator design model, should be modified to
Control reconfigurability assesses the system ability to allow performance restoration in the presence of faults. A control reconfigurability calculation is performed for the small signal control design model (a 4-state system) of the ship propulsion benchmark relative to the nominal control reconfigurability with four options of sensor arrangement under two sensor fault scenarios. The four options are no added sensors (Ipls), an added pitch sensor (2pls), an added shaft speed sensor (lp2s), and an added pitch sensor and an added shaft speed sensor (2p2s). The calculation involves finding the worst case and the smallest relative Hankel singular value for a set of specific fault scenarios. The two sensor fault scenarios are a single pitch sensor fault (t:.B) and a single shaft speed sensor fault (t:.n). The relative control reconfigurability is denoted by Pr.
(1O)
Despite the increase in the number of measurements, the states that participate the feedback remains to be the same components of x m . The fault masking estimation algorithm involves a set of 18 recursive equations which are used to produce estimates of both the states and the fault effect parameters. These are the same set of equations as those in Zhang and Wu (1999) with two exceptions. (i) Modified measurement equation (10) replaces the original measurement equation, and (ii) the resulting esitmator is implemented online using a Matlab function. The estimator generates the virtual measurements that replace the feedback V"doriables provided by the two original pitch angle and shaft speed sensors. The on-line estimator has been added to the Simulink model of the original benchmark (Thavamani, 2002). We include the Matlab function here for the benefit of readers who wish to make use of the estimator.
On the other hand, the ability to estimate the state of a dynamic system rests on the system's observability. Since all four types of faults are captured in the estimator design model as states, an observability calculation is performed for the state augmented model (state vector contains both x and O. The same four options of sensor arrangement and two fault scenarios are considered. The relative observability, which is defined as the ratio of the smallest singular value of the observability gramian under a single fault to that of the faultfree case, is denoted by a r . The result of relative control reconfigurability and relative observability computation is summarized in the following table.
% Matlab function implementing sensor fault masking estimator functicm Estimate = Estimator{in) Bre ! = in{l);% Propeller pitch reference Ym = in(2)j% FUel index BI = in(3)j%Pitch mellBurement from sensor PI nl = in(4)j%Shaft speed measurement from sensor SI
420
Urn = in(5);%Ship speed measurement 82 = in(6);%Pitch measurement from sensor P2 n2 = in('7);'i'oShaft speed measurement from sensor S2 % Define global variables global b V Fb P'" QZ Qb R x x % Filter initial values: % Q'" = diag{0.018, 0, 0, O}, Qb = 0.5 .. le, P'" = 50 - I, % pb = 50-16, R = diag{0.18,3.9, 0.09, 0.18 x 1O-',0.04} global I., h % Identities of state and bias transition matrix sizes %Define estimator parameters T. = 1; %Estimator sampling period r'" = zeroa( 4,4); %Procflllll noise distribution r'" = -0.15; %lst element of rz nz = 4; n~ = 5; nb = 6;%Number of etates, of measurements, of faults % Estimator inputs U = [Ore! Yrnl/;%Plant inputs / y = 101 n1 Urn 02 n21 ;%Plant outputs % Subroutines for estimator model ModelUpdateData = [x(l : 3) ; y.,. ; T.l ; % Inputs needed for estimator model calculation [F, G, H, Ft, F21 = StateParameter(ModelUpdateData);% Function call for estimator state-space parameters N cm.linearity %Function call for state transition fusing x & T. % Calculate forgetting factors OmG% = 0.01; O""n = 0.0001;% Bias covariance upper & lower bounds [E, ).l = eig(pb+) ; % Eigen-vectors/-values of the bias covariance pH = zero8(nb, nb) ; % Initisl bias covariance for j = 1 : nb % Determine nb forgetting factors if >'(j, j) > O.,.GZ ).(j, j) = >'(j, j); else >'(j,j) = Om,n + (Om .. z - Q.,.in)" >'(j, j)/o.,. ..., ; end pH = pH + E( :,j) .. >'(j,j)" E( :,j)'; end % Estimator equations M = F .. V + FI;% Bias-to-state coupling V+ = M .. pI> .. inv(pb+) ;% Coupling extrapolation x+ = f + G - u + (M - V+) .. b;% State estimate extrapolation, bias free fo = Y - H .. x+; % State residusl pz+ = F .. pz .. F' + rz .. Q'" _ r /% + M .. pi> .. M' - V+ .. pH .. V' +;%Covariance extrapolation, bias free S = H .. pz .. H' + R;% Covariance update, bias free KZ = pz .. H' .. inv(S);% Kalman gain, bias free P% = (/% - KZ .. H) .. PZ+;%Covariance update, bias free x = x + + K'" .. r; %State update, bias free N = H .. V+ + F2;% State-to-bias coupling V = V+ - KZ .. N ;% Coupling update Kb = pH .. N' .. inv(N .. pH .. N' + S);% Kalman gain for bias b = b+ Kb .. (fo - N .. b);%Bias update pb = (Ib - Kb .. N) .. pH ;%Bias covariance update x = x + V .. b;%Compensated state 8 = x(l) ;%PropelIer pitch estimate n = x(2) ;%Shaft speed estimate % Estimator output E stimate = [8 nl; % Fault-free measurements
4. SIMULATION RESULTS Figures 2 through 4 show the responses of the measured variables Om, n m , and Um of the original benchmark simulation (first plot in each figure), the responses of the same set of variables in the
421
sensor fault masking setting (last plot in each figure), and the responses of the true state B, n, and U in the sensor fault masking setting (middle plot in Figures 2 and 3, last plot in Figure 4 for U = Um in the benchmark). It can be seen that sensor fault masking has been successfully achieved. Note that in the process, no switching action is taken. This is due to the self-adjustable nature of the fault masking estimator. In addition, we are able to retain the controller in the original benchmark despite the presence of an incipient fault and a parametric fault that are not directed measured by any sensor. This robustness is attributed to the less severe nature of the two additional faults , and to the enhanced reconfigurability of the modified system configuration. The contribution of the fault masking estimator can be thought of as an automatic compensation of a sensor fault which is recognizable from one of two sensor measurements by utilizing analytic redundancy, while a third sensor would be required with traditional fail-operational technology. The reader who is interested in reproducing the numerical results presented in the paper is referred to Izadi-Zamanabadi and Blanke (1999) for the standard set of parameter values of the benchmark. Only the sequence of fault occurrence is given here to facilitate the reading of the plots.
I Fault type I Approx. magnitude I Sustaining duration I 118 I1n 118in~
118
Iln Ilk"
0.4 0.5 10 -"(s + 10- 5 ) I -0.35 -9.6 20%k"
180a - 210" 680s - 710s 800s -l'700a 18908 - 1920s 26408 - 26'70s 30008 - 3500s
The table reflects an important difference in the treatment of sensor faults in this paper from that in all other reported ship propulsion benchmark studies. The sensor faults in this paper are modeled as measurement deviations from the fault-free values, rather than absolute deviations from the zero outputs. 5. DISCUSSION Our investigation is continuing in the following three areas. (i) The difficulty presented by the hard nonlinearities in the benchmark, which an extended Kalman estimator is incapable of handling, is circumvented by staying with a small signal model during analysis and design. The most challenging task of stability analysis of the closed-loop system is left with the simulation. Only a small signal analysis where the estimator is identified as a parametric LTI model has been performed (Thavamani, 2002). A more rigorous nonlinear, closed-loop stability analysis without small signal LT! approximations is being sought. (ii) The current controller which is inherited from the original benchmark is constructed based on a model without the estimator dynamics in the
loop. Although the dynamic effect of the estimator to the loop has been minimized by the use of a forgetting factor in the estimator, in general a controller design that includes the estimator dynamics in the control design model is needed. (iii) While all fault effect parameters enter explicitly into the estimator design model in order to gain greater accuracy of the virtual measurement estimates, the non-sensor faults .6.0inc and .6.ky have not been included in the controller design model. This is acceptable because these faults have only minor effects on the system performance. In a more general situation, however, effort to compensate non-sensor faults may be required.
Figure 1. (i) Original system configuration, (ii) Faulttolerant system configuration
6. ACKNOWLEDGMENT
i ": · ...... E..... i '~- ........... 'l'------~.. -~ .~
The support of NASA (NCC-I-02009) and NSF (ECS-9615956) is gratefully acknowledged by the first two authors. The authors also sincerely thank Prof. Izadi-Zamanabadi of Aalborg University for his most generous assistance with the ship propulsion benchmark.
•
0
.. - . . . .
.
.
. ..
,
.
PIktI..,ga. .... ttI ............... ..,.. __ -dS
o
'
,
1000
2000
lOOO
ij '/ "~ .\ 'I ri' :.1'1 ..la,,,. "1"\~.~H~.'M*J~'~I..!~t~,/' ," ~*1 GoaL
_~ PIKfI·~~.. (w..I~'oIlhI .... ~.ystem o
101X1
2000
llm_(_)
Figure 2. Pitch angle (i) measurement from the original benchmark, (ii) true state from the fault-tolerant system, (Hi) estimate that is fed back in the fault-tolerant system
References Blanke, M., Izadi-Zamanahadi, R., and Lootsma, T.F. (1998) . Fault monitoring and re-configurahle control for a ship propulsion plant, Journal of Adaptive Control and Signal Processing, vol. 12, pp.671-688. Bonivento C., Paoli A. and Marconi L. (2001) FaultTolerant Control for a Ship Propulsion System, Proc.
sn.fI Spe.d CbI'.a.tdcs
-,.~
.
:':r--1
+-; · •
European Control Conference. Chow, E.Y., and Willsky, A.S. (1984). Analytical redundancy and the design of robust detection systems, IEEE 7hmsaction on Automatic Control, vol. 29, pp.603-614. Izadi-Zamanabadi, R., and Blanke M. (1999) A ship propulsion system as a benchmark for fault tolerant control, Control Engineering Practice, vol.7, pp.227239. Kerrigan, E.C., and Maciejowski, J.M. (1999) . Fault tolerant control of a ship propulsion system using model predictive control, Proc. European Control Conference. Moore, B. C. (1981). Principal component analysis in linear systems: controllability, observability, and model reduction, IEEE 7hmsactions on Automatic Control, vol.26, pp.17-32. Patton, R.J., Fault-tolerant control: the 1997 situation, Proc. Safeprocess'9?, 1997 Thavamani, S. (2002). Observer-Based Sensor FaultTolerant Control of a Ship Propulsion Benchmark, Master of Science Thesis, Binghamton University. Wu, N.E, Zhou, K., and Salomon, G. (2000). Reconfigurability in linear time-invariant systems, Automatica, vol.36, pp.1767-1771. Wu, N.E., Zhang, Y., and Zhou, K. (2000). Detection, estimation, and accommodation of loss of control effectiveness, International Journal of Adaptive Control and Signal Processing, vo!.14, pp.775-795. Wu, N.E. (2001). Reliability and fault-tolerant control: Part I and I1, Proc . IEEE Conference on Decision and ControL Zhang, Y., and Wu, N.E. (1999). Fa.ult Diagnosis for A Ship Propulsion Benchmark: Part I, Proc. 14th IFAG World Congress,.
!
.
i
\:
, 'OOD
2000
'000
2000
·
,
::000
~ 3000
•
\
::1
~
r]
"'OIl
....
I: 3CIOO
Tn.(I~
1
Figure 3. Shaft speed (i) measurement from the original • benchmark, (ii) true state from the fault-tolerant system, (iii) estimate that is fed back in the fault-tolerant system
(E : --~ o
rE °
0
1000
2000
-~< ........
3000
CJ
~(
Figure 4. Ship speed (i) measurement from the original benchmark, (ii) measurement from the fault-tolerant systern
422