A Fault-tolerant Decentralized Control System Ensured by Autonomous Controllability


Copyright © IFAC 10th Triennial World Congress, Munich, FRG, 1987


K. Kawano, K. Mori and M. Koizumi

Systems Development Laboratory, Hitachi Ltd., 1099 Ohzenji, Asao-ku, Kawasaki 215, Japan

Abstract: A fault-tolerant decentralized control system ensured by autonomous controllability is presented. The system satisfies the requirements of large scale systems, which are fault-tolerance, on-line maintainability and on-line expandability. In the autonomous decentralized system, system totality is not predetermined and a system should be constructed by integrating autonomous subsystems. To attain autonomy of each subsystem, autonomous controllability has been defined as the property whereby each subsystem can control its own responsible control plant even if some other subsystems fail, are under maintenance or are being expanded. A necessary and sufficient condition for autonomous controllability is derived by examining sensor malfunction as opposed to controller failure. A weak coupling method and an adaptive reconfiguration method for designing an autonomously controllable system are proposed. This system is applied to a loop computer communication network system and the communication controller of each subsystem is designed to attain fault-tolerance of the system.

Keywords: Autonomy. Molecular biology. Fault-tolerance. Decentralized control. Computer communication network.

INTRODUCTION

Large scale systems have the following characteristics.
(1) As the scale of a system becomes larger, the opportunity for partial system failure increases, and maintenance is frequently required.
(2) These systems are constructed step by step, and improvement and expansion are carried out as the system is constructed.
(3) In spite of partial system failure, maintenance or expansion, the other parts of the system have to be able to operate. Shutting down the entire system can cause serious damage to security, productivity and serviceability.

Therefore, fault-tolerance, on-line maintainability and on-line expandability are essential requirements for large scale systems. Recent developments in LSI, microcomputer and communication technologies have made it possible to economically and technologically realize a decentralized system. Against this background, new technology which is not just an extension of the conventional centralized system technology has been pursued in the system control and computer fields (Athan, 1978; Avizienis, 1978).

In the system control field, reliable control as opposed to controller failure has been recently studied. One approach (Siljak, 1981; Ikeda, et al., 1981) is to stabilize the entire system using multiple redundant controllers for each subsystem. Another approach (Davison, 1981) is to formulate the controllers into a hierarchical control structure with a sequential priority and to regulate output at control stations with priorities higher than failed control stations. The first approach can attain high system reliability using redundant controllers for each subsystem. However, in the event that any one of the subsystems is not functioning properly due to controller failure, the entire system will come to a complete stop. The second approach with sequential hierarchical controllers ensures output stability using simply designed controllers from the top to the bottom level. However, the failure of one controller will induce the stoppage of all controllers in the lower levels. Therefore, fault-tolerance is limited in these systems.

In the computer field, fault-tolerant computers have been developed (Avizienis, 1978; Rennel, 1978). However, these are special purpose computers and satisfy only one or two of the requirements of large scale systems. In biological organisms, however, all of the three requirements are satisfied. Recent developments in molecular biology have shown that biological organisms consist of uniform cells and that each cell is autonomous.

Motivated by advancements in molecular biology and the remarkable progress of microelectronics in LSI and communication technologies, research on autonomous decentralization has been carried out. On the basis of this research, new computer systems have been developed and applied to train traffic control, factory automation and steel production (Mori, et al., 1982, 1984a, b). These computer systems do not assume a predetermined and fixed structure, and even if some of the computers fail, are under maintenance or are being expanded, other computers can continue their operations (Ihara and Mori, 1984).

In this paper, autonomous controllability is defined as one of the properties of an autonomous decentralized system in which every controller can cooperatively control its own responsible control plant in spite of other subsystem failures. In addition, the condition for autonomous controllability is presented. The conventional conditions for autonomous controllability (Mori, et al., 1981) were derived without considering sensor data termination. Also, the methods for designing the autonomously controllable system are described. Application to a loop computer communication network system is discussed and the communication controllers are designed so as to attain autonomous controllability.

MOLECULAR BIOLOGY AND AUTONOMOUS DECENTRALIZATION CONCEPT

The following developments in molecular biology have revealed how biological organisms function.
(1) A biological organism is constructed step by step by repeating cell division. When a cell is divided, DNA, which stores all information required for life, is duplicated. Therefore, a biological organism is the integration of uniform cells and a cell is the basic unit of the organism.
(2) Each cell activates functions based on DNA. Each cell determines its own function by recognizing its environment through the plasma membrane. There is no special cell that coordinates or suppresses the functions of other cells.
(3) A biological organism always includes some abnormal part and its structure is always changing due to metabolism and growth. Organism totality is not predetermined. In spite of the partial death and structural change of an organism, it can continue to live.

Thus, it can be said that cells are uniform and equal, and each cell has its own function based on its local environment. That is, a cell is not a divided part of a biological organism, but autonomous. Moreover, in the organism, there is no clear difference between normal and abnormal states. System operation, maintenance, generation and expansion occur simultaneously. A biological organism is a system which has attained the fault-tolerance, on-line maintainability and on-line expandability that are required of large scale systems.

Based on the biological system, an autonomous decentralization concept is defined as follows (Mori, et al., 1984a).
(i) Originally, subsystems exist. A subsystem is the basic unit of a system. A system is an integration of subsystems.
(ii) A system is always bound to include some abnormal parts due to partial failure, expansion and/or maintenance.

In the conventional system concept, it is presupposed that the system has no faulty part and a fixed structure. Moreover, when designing and constructing a system, total system structure and performance are considered first. Therefore, the conventional system is inflexible against structure variation caused by partial failure, maintenance or expansion, which makes it difficult to satisfy the requirements of large scale systems. On the other hand, in the autonomous decentralization concept, faults and structure variation are considered normal.

AUTONOMOUS DECENTRALIZED CONTROL SYSTEMS

The following structure for control systems has been proposed (Mori, et al., 1984a, b) based on the autonomous decentralization concept (Fig. 1).
(1) A system is constructed by integrating subsystems which are basic units of the system.
(2) Each subsystem has its own intelligent controller which has the responsibility to control the subsystem's control plant (responsible control plant).
(3) The controller of each subsystem has its own objective.
(4) The controllers of subsystems are connected through a data transmission system so that they can cooperatively control their responsible control plants and coordinate their objectives with each other through data exchanges.

This decentralized structure can be easily realized because of recent progress of microelectronics in LSI and communication technologies. A system is called an autonomous decentralized control system if each subsystem has the following two properties.
(i) Autonomous controllability: Each subsystem controller can control its own responsible control plant in spite of other subsystem failures.
(ii) Autonomous coordinability: The controllers can coordinate their own objectives in spite of other subsystem failures.

It is clear that these two properties assure not only fault-tolerance but also on-line maintainability and on-line expandability. The following properties are required for the above decentralized structured control system in order to achieve the autonomous controllability and autonomous coordinability.

(a) Uniformity: Every subsystem has its own actuator and sensors besides intelligent controller and responsible control plant so that each subsystem can operate in spite of other subsystem failures. That is, every subsystem has to be structurally uniform.

(b) Equality: A controller is not permitted to be a master which directs other subsystems through the data transmission system because erroneous commands from a master controller could cause normal subsystems to fail. That is, every subsystem has to be equal in function.

(c) Locality: Functioning subsystems have to control their own responsible control plants based only on the functioning subsystems' observation data. This is because correct and reliable observation data may not be transmitted from failed subsystems. That is, every subsystem has to be able to operate on the basis of local information.

Biological systems have attained these three properties, and these properties are essential for a system to achieve the autonomous controllability and the autonomous coordinability. How to coordinate the functioning controllers' objectives is a problem like the decentralized multicriteria optimization problem (Basar, 1978). Autonomous coordinability has been described by Koizumi and Mori (1986). In this paper, autonomous controllability is discussed for linear continuous systems and the conditions for autonomous controllability will be described.

AUTONOMOUS CONTROLLABILITY

Each subsystem $S_i$ is assumed to consist of its own controller $CC_i$, actuators, sensors and responsible control plant. When m subsystems are integrated, the system is assumed to have the following dynamics:

$$\dot{X}(t) = \begin{bmatrix} A_{11} & A_{12} & \cdots & A_{1m} \\ \vdots & \vdots & & \vdots \\ A_{m1} & A_{m2} & \cdots & A_{mm} \end{bmatrix} \begin{bmatrix} x_1(t) \\ \vdots \\ x_m(t) \end{bmatrix} + \sum_{i=1}^{m} B_i u_i(t) = A X(t) + \sum_{i=1}^{m} B_i u_i(t) \tag{1a}$$

$$y_i(t) = [\,C_{i1}\ \ C_{i2}\ \cdots\ C_{im}\,]\, X(t) \triangleq C_i X(t) \tag{1b}$$

where $x_i(t)$ is the $n_i$-dimensional state vector of the responsible control plant of subsystem $S_i$ (responsible state), $u_i(t)$ is the $r_i$-dimensional control vector of the controller $CC_i$ of $S_i$, $y_i(t)$ is the $l_i$-dimensional observation vector of the sensors of $S_i$, and $X(t) \in R^n$, $n \triangleq \sum_i n_i$. In system (1a), (1b), $B_i$ and $C_i$ are assumed to be non-zero matrices to attain structure uniformity. Moreover, it is assumed that each controller $CC_i$ sends only observation data to the transmission system and controls its responsible state based on observation vector $y_i(t)$ and other subsystems' observation vectors $y_j(t)$, $j \neq i$. This will ensure subsystem equality. Here, a controller is said to be malfunctioning when it is in a faulty state, under maintenance or is being expanded. Let us define a malfunctioning controller.

Definition 1: Controller $CC_i$ of subsystem $S_i$ malfunctions at time $t_0$ if
(1) $u_i(t) = 0$, $t \ge t_0$,
(2) controller $CC_i$ of subsystem $S_i$ terminates the transmission of its observation data, $y_i(t)$, $t \ge t_0$, to the other subsystems.

In the above Definition 1 (1), the control vector of a malfunctioning controller is assumed to be zero. In a realistic situation, however, the control vectors of malfunctioning controllers may become non-zero constant ($u_i(t) \neq 0$). Even if the control vectors of malfunctioning controllers are non-zero constant, the results discussed below hold under the condition that the functioning controllers know the values of the constant control vectors of malfunctioning controllers. Definition 1 (2) implies that if controller $CC_i$ begins to malfunction at time $t_0$, the other functioning controllers cannot obtain observation vector $y_i(t)$, $t \ge t_0$. Hence, if all the controllers of subsystems $S_j$, $j \notin (i_1, \dots, i_k)$, begin to malfunction at time $t_0$, the set of data available for functioning controllers of subsystems $S_i$, $i = i_1, \dots, i_k$, at time

t is given by

$$I_i(t) = \{\, y_{i_1}(\tau), \dots, y_{i_k}(\tau) : \tau \in [t_0, t] \,\}, \quad i = i_1, \dots, i_k. \tag{3}$$

The functioning controllers have to control their responsible states using this local information set so as to attain local information. Here, it is assumed that each controller $CC_i$ of subsystem $S_i$, $i = 1, 2, \dots, m$, knows $A$, $B_i$, $C_i$, $i = 1, 2, \dots, m$, and can determine the combination of malfunctioning controllers and the time when other controllers begin to malfunction from the lack of the observation data which should be transmitted from them. The autonomous controllability is mathematically formulated as follows.

Definition 2: System (1) is autonomously controllable if, under the condition that all controllers of subsystems $S_j$, $j \notin (i_1, \dots, i_k)$, are malfunctioning at time 0 and subsystem $S_i$, $i = i_1, \dots, i_k$, knows the local information set $I_i(t)$ defined by (3), there exists a finite positive number $T$ and a control law $u_i(t)$, $i = i_1, \dots, i_k$, $t \in [0, T]$, such that $X_{(i_1,\dots,i_k)}(T) = \eta$ for an arbitrary combination $(i_1, \dots, i_k) \subset (1, \dots, m)$, $k \ge 1$, an arbitrary initial condition $X(0) = \xi$ and an arbitrary $(n_{i_1} + \cdots + n_{i_k})$-dimensional state vector $\eta$, where $X_{(i_1,\dots,i_k)}(t) = [\,x_{i_1}(t)',\ x_{i_2}(t)',\ \dots,\ x_{i_k}(t)'\,]'$ and $M'$ is the transpose matrix of $M$.

From Definition 2, it is clear that autonomous controllability is different from conventional controllability (Kalman, et al., 1963; Kobayashi, et al., 1978) in which failure of a subsystem is not considered. Moreover, this autonomous controllability is also different from conventional autonomous controllability (Mori, et al., 1981), which does not consider sensor data termination due to controller failure. Autonomous controllability implies that even if a controller malfunctions due to failure, maintenance, or expansion of their autonomous controllers, the other functioning controllers can cooperatively transfer their own responsible state vectors to arbitrary vectors employing their own observation vectors. That is, autonomous controllability ensures fault-tolerance to the subsystems' failure in controllers.

NECESSARY AND SUFFICIENT CONDITION FOR AUTONOMOUS CONTROLLABILITY

A necessary and sufficient condition for autonomous controllability of system (1) is provided as follows.

Theorem 1: System (1) is autonomously controllable if and only if the following two conditions hold.

1)
$$\operatorname{rank}\, H_{(i_1,\dots,i_k)}\, R\, G_{(i_1,\dots,i_k)} = n_{i_1} + \cdots + n_{i_k} \tag{4}$$
for an arbitrary combination $(i_1, \dots, i_k)$ of $(1, \dots, m)$, $1 \le k \le m$,

2)
$$\operatorname{range}[\,C_i',\ A'C_i',\ \dots,\ A'^{\,n-1}C_i'\,] \supseteq \operatorname{range}[\,H_i',\ A'H_i',\ \dots,\ A'^{\,n-1}H_i'\,] \tag{5}$$
for $i = 1, \dots, m$,

where $R$ is the controllability matrix of the system (1) defined as:

$$R \triangleq [\,R_1,\ R_2,\ \dots,\ R_m\,] \tag{6}$$

$$R_i \triangleq [\,B_i,\ AB_i,\ \dots,\ A^{n-1}B_i\,] \quad \text{for } i = 1, 2, \dots, m, \tag{7}$$

and the matrices $H$ and $G$ are defined as

$$H_i \triangleq [\,0\ \cdots\ I_{n_i}\ \cdots\ 0\,] \in R^{n_i \times n} \tag{8}$$

$$G_{(i_1,\dots,i_k)} \triangleq [\,G_{i_1},\ \dots,\ G_{i_k}\,], \tag{9}$$

where $r \triangleq \sum r_i$, $n_0 = \sum$ …

Condition (4) ensures that functioning controllers can drive their responsible states to the desired point, and condition (5) ensures that functioning controllers can reconstruct the initial values of the plant required for the control of their responsible states using only the local information set (3). These results show that the conventional controllability and observability are not necessarily sufficient for the autonomous controllability.

DESIGN METHODOLOGY FOR AN AUTONOMOUSLY CONTROLLABLE SYSTEM

Two methods are considered for designing an autonomously controllable system. One is for designing subsystems which are not capable of recognizing other subsystems' malfunctioning. In this case, the design parameters have to be pre-determined to assure autonomous controllability. The weak coupling method is described as one design method of this kind, which integrates subsystems so that the interactions among subsystems become weak. By utilizing this method the integrated system's configuration can be constructed. The other is for designing subsystems which are capable of recognizing other subsystems' malfunction. The adaptive reconfiguration method is described, which does not consider future expansion and modifies each subsystem when expansion occurs. In this case, the design parameters can be adjusted to satisfy the autonomously controllable condition.

Weak coupling method

In designing an autonomously controllable system, the interaction among subsystems is very important. If the controller of each subsystem can control its own responsible state and interference from other subsystems is weak, the system will be autonomously controllable. This is shown in the following theorem. Here, for brevity, let us introduce the reduced form $R^*$ of the controllability matrix $R$ as follows:

$$R^* \triangleq [\,R_1^*,\ \dots,\ R_m^*\,], \tag{10}$$

$$R_i^* = [\,R_{1i}^{*\prime},\ R_{2i}^{*\prime},\ \dots,\ R_{mi}^{*\prime}\,]', \tag{11}$$

where $R^* \in R^{n \times n}$, matrix $R_i^* \in R^{n \times n_i}$ selects $n_i$ column vectors from the controllability matrix $R_i$ for each subsystem $S_i$, $i = 1, 2, \dots, m$, and $R_{ij}^* \in R^{n_i \times n_j}$. If the i-th block matrix of $R^*$, $R_{ii}^*$, is nonsingular for $i = 1, 2, \dots, m$, it is possible to introduce a real square matrix $Q(R^*)$ with non-positive off-diagonal elements as follows.

- Bm(R*)] -IJ 2m (R*)

(12)

where

(13)

and $\|M\|$ denotes a matrix norm. Using this matrix $Q(R^*)$, the following result is obtained.

Theorem 2: In addition to condition 2) of Theorem 1, if there exists a reduced controllability matrix $R^*$ such that:

1)
$$\det R_{ii}^* \neq 0, \quad i = 1, 2, \dots, m, \tag{14}$$

2)
$$\det Q(R^*)\binom{1, 2, \dots, k}{1, 2, \dots, k} > 0, \quad k = 1, 2, \dots, m, \tag{15}$$

where $\det M\binom{1, 2, \dots, k}{1, 2, \dots, k}$ means the leading principal minor of matrix $M$, then system (1) is autonomously controllable.

Aj(R*) defined by (13) is considered to be a gain of the interference from subsystem $S_j$ to subsystem $S_i$. Hence, Aj(R*) is called an interference gain from $S_j$ to $S_i$, and the matrix $Q(R^*)$ is called an interference gain matrix of system (1) generated from $R^*$. The relation (15) implies that each subsystem's responsible control plant is more strongly influenced by the control of its own controller than by the interference of the other subsystems' controllers.

Adaptive reconfiguration method

The more complex the pre-determination of the parameters is, the greater the total system order n becomes. Thus, it is worth considering the design of an autonomously controllable system whose system order is time-variable. Under any unpredicted subsystem expansion, the predetermined design parameters have to be adjusted on-line in each subsystem. Considering subsystem h expanded, each subsystem's dynamics is described as follows.

$$\dot{x}_i = A_{ij} x_j + B_{ij} u_j + A_{ih} x_h$$

where i, j = 1, 2, ..., m, ≠ i. If the system is designed without considering the expansion of subsystem h, the interference $A_{ih} x_h$ drives subsystem i to an undesired state. It is assumed that each subsystem can recognize the new subsystem expansion and determine its own desired state in such a case. Each subsystem can be designed to have an adaptive mechanism that makes $x_i$ the desired state $x_i^*$. Subsystem i refers to its own desired state when expansion occurs and adjusts its own parameters so that the state error $e_i = x_i - x_i^*$ converges to zero. The problem is to stabilize $e_i$ by on-line parameter adjustment. A technique using this method is shown in the next section.

DESIGN OF A LOOP COMMUNICATION NETWORK SYSTEM

Here, a loop computer communication network system is discussed and it is shown that the communication controller of each computer system is designed so as to satisfy the autonomous controllability utilizing the weak coupling method and adaptive reconfiguration method.

A loop computer communication network system

This loop computer communication network system consists of m heterogeneous computer systems (Fig. 2). The computer systems have various processing and communication capabilities. Each computer system $S_i$ consists of a computer $CP_i$ and a communication controller $CC_i$ (Gate Way) (Freeman, 1983) (Fig. 3). Each computer system is connected to the adjacent computer system through a unidirectional transmission line. Communication among the computer systems is controlled by the communication controller $CC_i$ of each computer system $S_i$. Each communication controller $CC_i$ has a receive buffer $BF_{i1}$, a send buffer $BF_{i2}$, a receive controller $RC_i$ and a send controller $SC_i$. The send controller $SC_i$ is connected to the receive buffer $BF_{i+1,1}$ of the communication controller $CC_{i+1}$ of the adjacent computer system $S_{i+1}$. Messages originating from the computer are addressed to the receiver and are sent out to the transmission line. Here, it is assumed that the messages are subdivided into packets. The received packets from the adjacent computer system $S_{i-1}$ are stored in receive buffer $BF_{i1}$. The receive controller $RC_i$ regulates the sending rate of the packets in the receive buffer $BF_{i1}$ to the computer $CP_i$ or the send buffer $BF_{i2}$. The packets whose destinations are computer system $S_i$ are sent to its computer $CP_i$ and the other packets are sent to send buffer $BF_{i2}$. Each send controller $SC_i$ individually regulates the transmission rate to send out the packets in the send buffer $BF_{i2}$ to the transmission line. Here, since the communication controllers of the computer systems have buffering capabilities, each send controller has to control the transmission rate so as not to overflow the send and/or the receive buffers of other computer systems. Therefore, it is desirable for the queue lengths of each communication controller's buffers to approach the specified safety lengths. These are predetermined in anticipation of a sudden increase in messages caused by computer load variation.

Problem

The problem is to design the control law of the receive and send controllers, $RC_i$ and $SC_i$, of communication controller $CC_i$ of each computer system $S_i$ so that even if some computer systems malfunction, the other computer systems can attain the arbitrarily desired queue lengths of their receive and send buffers. A model of the computer system is shown in Fig. 3, and the dynamical model for the queue lengths of $BF_{i1}$ and $BF_{i2}$ is described as follows:

$$\dot{x}_{i1}(t) = -f_i(t) + g_{i-1}(t) \tag{16a}$$

$$\dot{x}_{i2}(t) = \beta_i f_i(t) + \lambda_i - g_i(t), \quad i = 1, 2, \dots, m, \tag{16b}$$

where $x_{ij}(t)$ is the queue length in $BF_{ij}$, $j = 1, 2$, $f_i(t)$ is the control of receive controller $RC_i$, $g_i(t)$ is the control of send controller $SC_i$, $\beta_i$ is the percentage of the packets whose destinations are not $S_i$ and $\lambda_i$ is the flow rate of the packets originating from the computer of $S_i$. Here, the following assumptions are made.
1) $\beta_i$ and $\lambda_i$ are fixed.
2) There exists j such that $\beta_j \neq 1$, $1 \le j \le m$.
3) Each communication controller knows $\beta_i$ and $\lambda_i$, $i = 1, 2, \dots, m$.
4) The functioning communication controllers $CC_j$, $j = i_1, \dots, i_k$, know their states $x_{j1}(t)$ and $x_{j2}(t)$, $j = i_1, \dots, i_k$.

Assumption 2) implies that there exists at least one computer system which receives packets. When designing the control law of the receive and send controllers in a realistic situation, $g_i(t)$, which directly affects the adjacent computer system $S_{i+1}$, should be constant, and $f_i(t)$ should be linear feedback of the states of the receive and send buffers. Therefore, the receive and send controllers, $RC_i$ and $SC_i$, are assumed to have the following control structure.

$$f_i(t) = p_i x_{i1}(t) - q_i x_{i2}(t) + d_{i1} \tag{17a}$$

$$g_i(t) = u_i(t) + d_{i2} \tag{17b}$$

where $p_i$ and $q_i$ are the design parameters and $u_i(t)$ is the control for adjusting the stationary queue lengths in $BF_{i1}$ and $BF_{i2}$. Since the stationary external input always affects the state of the system, the receive and the send controllers have to constantly send out $d_{i1}$ and $d_{i2}$ packets from $BF_{i1}$ and $BF_{i2}$, respectively, in order to cancel the input $\lambda_i$. By substituting (16) into (17) and setting vector $d \triangleq [\,d_{11}\ d_{12} : d_{21}\ d_{22} : \cdots : d_{m1}\ d_{m2}\,]'$ as:

o d

-)

: 0

1 Q' ~.9 ___0_ ,!'-I. C ~z.

o

-- --- __ ,r----,----01,-100 :0

0 : Il m -1 ~

the above problem is mathematically formulated to design the parameters $p_i$ and $q_i$ so that the following system (18) is autonomously controllable.

$$\dot{X}(t) = A X(t) + \sum_{i=1}^{m} b_i u_i(t) \tag{18a}$$

$$y_i(t) = C_i X(t) \tag{18b}$$

where

$$X(t) \triangleq [\,x_{11}(t)\ \ x_{12}(t)\ \cdots\ x_{m1}(t)\ \ x_{m2}(t)\,]', \qquad y_i(t) \triangleq [\,x_{i1}(t)\ \ x_{i2}(t)\,]'$$

$$A = \begin{bmatrix} -p_1 & q_1 & & & & 0 \\ \beta_1 p_1 & -\beta_1 q_1 & & & & \\ & & \ddots & & & \\ & & & & -p_m & q_m \\ 0 & & & & \beta_m p_m & -\beta_m q_m \end{bmatrix}$$

$$b_i = [\,0\ \cdots\ 0\ \ {-1}\ \ 1\ \ 0\ \cdots\ 0\,]' \quad (-1 \text{ closes the } i\text{-th block}), \qquad C_i = \left[\; 0 \;\middle|\; \begin{matrix} 1 & 0 \\ 0 & 1 \end{matrix} \;\middle|\; 0 \;\right] \quad (i\text{-th block})$$

Here, it should be noted that the receive controllers $RC_i$, $i = 1, 2, \dots, m$, are designed to satisfy autonomous controllability and are previously installed in the communication controller $CC_i$. Only the send controller $SC_i$ can vary control $u_i(t)$. When send controller $SC_i$ malfunctions, it cannot vary the control $u_i(t)$ but takes the constant value $d_{i2}$ with the aid of the fault recovery mechanism.

Design of autonomous controllable system

Let us design the parameters $p_i$ and $q_i$ so that the system (18) becomes a weakly coupled system using the weak coupling method. On the basis of Theorem 2, the condition for autonomous controllability of the loop computer communication system is given as:

i = 1, 2, ..., m    (19)

i = 1, 2, ..., m    (20)

The condition (19) is required for autonomous controllability for each computer system. The values 1 and $p_i$ in (20) are considered to be the strength of the direct and indirect interferences from the adjacent send controller $SC_{i-1}$. Value $|q_i|$ is considered to be the strength of its own send controller $SC_i$. Therefore, condition (20) means that send controller $SC_i$ of each communication controller $CC_i$ affects its own buffers' states more than the adjacent send controller $SC_{i-1}$. It is clear that there exist parameters $p_i$, $q_i$ which satisfy conditions (19) and (20), and that it is possible to make the system (18) autonomously controllable. The autonomous controllability of the computer communication system means that the communication controllers of computer systems can control their buffers based only on the states of their own buffers even if the other send controllers malfunction.

Autonomous Adaptive Flow Controller

Let us design each subsystem's adaptive mechanism for a new subsystem's expansion. The controller parameters are adjusted by the adaptive mechanism to attain the subsystem's desired state. It is assumed that each controller is capable of recognizing new subsystem expansion and determining its own desired state. The control flow set is described as follows.

$$f_i = f_i^* + df_i$$

$$g_i = g_i^* + dg_i$$

where $f_i^*$, $g_i^*$ is a reference control flow which assures the desired state. The feedback control structure for auxiliary adaptive input is defined as follows.

(23)

where $dx_{ij}$, $j = 1, 2$, is an error state from desired state $x_{ij}^*$, $K_{ij}$, $j = 1$ to 4, is a feedback constant gain, and $k_{ij}$, $j = 1, 2$, is an adjustable parameter. And let

$$K_{i1} K_{i4} - K_{i2} K_{i3} < 0$$

Then, the dynamic equations for $dx_{i1}$ and $dx_{i2}$ are described as follows.

And the state matrix representation is

(26)

where $A_i$ is a stable matrix and $v_i$ is assumed to be a slowly time-varying vector depending on the interaction caused by a new communication controller's expansion. An adaptive law to make the state error $dx_i$ converge asymptotically to the equilibrium point can be derived by the Lyapunov direct method. Consider the following Lyapunov function $V(t)$:

$$V(t) = dx_i' P_i\, dx_i + \sum_{j=1}^{2} l_j e_{ij}^2 > 0 \tag{27}$$

where $l_j$ is a positive constant, $P_i$ is a positive definite matrix and

Then

$$\dot{V} = dx_i' (A_i' P_i + P_i A_i)\, dx_i + 2\, dx_i' P_i e_i + 2 \sum_{j} l_j e_{ij} \dot{e}_{ij} \tag{29}$$

where

$$dx_i' (A_i' P_i + P_i A_i)\, dx_i = -dx_i' Q_i\, dx_i < 0 \tag{30}$$

and $Q_i$ is a positive definite matrix. To ensure the asymptotic stability for $dx_i$, the adaptive law is selected as follows:

$$\dot{e}_{i1} = -l_1^{-1}\, dx_i' P_{i1} \tag{31}$$

$$\dot{e}_{i2} = -l_2^{-1}\, dx_i' P_{i2} \tag{32}$$

$P_{ij}$ is the j-th column vector of matrix $P_i$. Then the derivative of $V(t)$ is negative. Thus $\lim V(t) = 0$, that is, the system described by eq. (25) approaches asymptotically the desired equilibrium states, starting from an arbitrary initial condition. Consequently, the queue lengths $x_{ij}$ converge to the desired values $x_{ij}^*$. The adjustable parameters $k_{i1}$ and $k_{i2}$ are adjusted on-line according to the derived adaptive law.

$$\dot{k}_{i1} = \dot{e}_{i1} = -l_1^{-1}\, dx_i' P_{i1} \tag{33}$$

$$\dot{k}_{i2} = \dot{e}_{i2} - \beta_i \dot{k}_{i1} = -l_2^{-1}\, dx_i' P_{i2} + \beta_i l_1^{-1}\, dx_i' P_{i1} \tag{34}$$

Each communication controller with the proposed flow control mechanism controls only its own computer system's packet flow by adjusting its own controller's parameters. The desired queue lengths of each functioning computer subsystem can be attained even when some computer systems are expanded. This computer communication system with autonomous controllability has been applied to factory automation systems, train traffic control systems and steel production systems (Mori, et al., 1982, 1984a, b). These systems have been realized and continue to operate now.
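An added example (not from the paper): an exact check of condition (4) of Theorem 1 on the loop-network model (18) for every set of functioning controllers. It assumes that R G for a functioning set keeps the columns of R generated by the functioning controllers (the definition of G_i is not legible on this page), and the parameter values are constructed; condition (5) holds trivially here because each y_i is the responsible state itself.

```python
from fractions import Fraction
from itertools import combinations


def loop_system(p, q, beta):
    """Build A and the input columns b_i of system (18) for an m-node loop.

    State order: [x_11, x_12, ..., x_m1, x_m2] (receive, send buffer per node).
    """
    m = len(p)
    n = 2 * m
    A = [[Fraction(0)] * n for _ in range(n)]
    B = []
    for i in range(m):
        pi, qi, bi = Fraction(p[i]), Fraction(q[i]), Fraction(beta[i])
        r, s = 2 * i, 2 * i + 1
        A[r][r], A[r][s] = -pi, qi            # d/dt x_i1 = -f_i + g_(i-1)
        A[s][r], A[s][s] = bi * pi, -bi * qi  # d/dt x_i2 = beta_i f_i + ... - g_i
        b = [Fraction(0)] * n
        b[s] = Fraction(-1)                   # u_i drains its own send buffer
        b[(2 * (i + 1)) % n] = Fraction(1)    # and fills the next receive buffer
        B.append(b)
    return A, B


def krylov_columns(A, b):
    """Columns b, Ab, ..., A^(n-1) b of the controllability block R_i, eq. (7)."""
    cols, v = [], b
    for _ in range(len(A)):
        cols.append(v)
        v = [sum(a * x for a, x in zip(row, v)) for row in A]
    return cols


def rank(rows):
    """Exact rank by Gaussian elimination over the rationals."""
    M = [list(r) for r in rows]
    rk = 0
    for c in range(len(M[0]) if M else 0):
        piv = next((r for r in range(rk, len(M)) if M[r][c] != 0), None)
        if piv is None:
            continue
        M[rk], M[piv] = M[piv], M[rk]
        for r in range(rk + 1, len(M)):
            if M[r][c] != 0:
                f = M[r][c] / M[rk][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[rk])]
        rk += 1
        if rk == len(M):
            break
    return rk


def condition4(A, B, functioning):
    """rank H R G == n_i1 + ... + n_ik for the functioning set (0-based indices).

    H keeps the rows of the functioning subsystems' own states (n_i = 2 each).
    Assumption: R G keeps the columns of R produced by functioning controllers.
    """
    kept_rows = [2 * i + k for i in functioning for k in (0, 1)]
    cols = [c for i in functioning for c in krylov_columns(A, B[i])]
    return rank([[c[r] for c in cols] for r in kept_rows]) == len(kept_rows)


def autonomy_report(p, q, beta):
    """Return (conventionally controllable?, failing functioning sets, 1-based)."""
    A, B = loop_system(p, q, beta)
    m = len(p)
    failing = [tuple(i + 1 for i in S)
               for k in range(1, m + 1)
               for S in combinations(range(m), k)
               if not condition4(A, B, S)]
    conventional = condition4(A, B, tuple(range(m)))
    return conventional, failing


if __name__ == "__main__":
    beta = [Fraction(1, 2)] * 3                      # constructed values
    print(autonomy_report([1, 1, 1], [3, 3, 3], beta))  # every q_i non-zero
    print(autonomy_report([1, 1, 1], [3, 0, 3], beta))  # q_2 = 0
```

With q_2 = 0 the full system stays controllable in the conventional sense, yet subsystem 2 can no longer steer its own buffers, alone or together with subsystem 3.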

CONCLUSIONS

As was stated, a large scale system has three basic requirements: fault-tolerance, on-line maintenance and on-line expandability. To satisfy these requirements, an autonomous decentralization system was proposed. In this system, the totality of the system was not predetermined and a system should be constructed by integrating subsystems. Each subsystem should be a basic and autonomous unit. The subsystem consisted of its own controller, actuators, sensor and responsible control plant. Controllers were connected through a data transmission system so that subsystems can exchange data. Autonomous controllability was defined for linear continuous systems in which controllers are able to control their own responsible control plants using only their own observation data. In this system, controllers were considered to be malfunctioning when their control vector stuck at zero and could not transmit observation data. Therefore, it could be said that autonomous controllability ensures fault-tolerance. A necessary and sufficient condition for autonomous controllability was derived. Based on this result, the weak coupling method and adaptive reconfiguration method were developed. The system was successfully applied to a loop computer communication network system, and the communication controllers were designed to be autonomously controllable. It is believed that autonomous decentralization of large scale systems will become more and more important with the advancement of microcomputer and communication technologies.

Fig. 1. Autonomous decentralized control system (transmission system, intelligent controllers, actuator, sensor, responsible control plant). In the figure, the hatched part of the plant is operated normally, and the white part of the plant is not operated.

ACKNOWLEDGMENT

The authors would like to thank Prof. Jose B. Cruz, Jr., Prof. William R. Perkins, and Prof. Tamer Basar of University of Illinois, and Prof. Dragoslav D. Siljak of the University of Santa Clara for stimulating discussions during the course of this work.

REFERENCES

Athan, M. (1978). On large-scale systems and decentralized control. IEEE Trans. Automat. Contr., AC-23, 105.
Avizienis, A. (1978). Fault-tolerance: the survival attribute of digital systems. Proc. IEEE, 66, 1109.
Basar, T. (1978). Decentralized multicriteria optimization problem of linear stochastic systems. IEEE Trans. Automat. Contr., AC-23, 233.
Davison, E. J. (1981). Reliability of the robust servomechanism controller for decentralized system. Proc. of the 8th IFAC World Congress, Kyoto, XII, 116.
Freeman, H. A. (1983). Network interconnection. Computer, 16-9, 11.
Ihara, H. and K. Mori (1984). Autonomous Decentralized Computer Control Systems. Computer, 17-8, 57.
Ikeda, M., et al. (1981). Optimality and reliability of decentralized control. Proc. of the 8th IFAC World Congress, Kyoto, XII, 123.
Kalman, R. E., et al. (1963). Controllability of linear dynamical systems. Contribution to Differential Equations, 1, 189.
Kobayashi, H., et al. (1978). Controllability under decentralized information structure. IEEE Trans. Automat. Contr., AC-23, 182.
Koizumi, M. and K. Mori (1986). Autonomous Coordinability of Decentralized System Considering Subsystems Failures. Proc. of 7th International Conference on Multiple Criteria Decision Making, Kyoto, 2, 895.
Mori, K., et al. (1981). Autonomous controllability of decentralized system aiming at fault-tolerance. Proc. of 8th IFAC World Congress, Kyoto, XII, 129.
Mori, K., et al. (1982). Autonomous decentralized loop network. Proc. of COMPCON Spring '82, San Francisco, 192.
Mori, K., et al. (1984a). On-line Maintenance in Autonomous Decentralized Loop Network: ADL. Proc. of COMPCON Fall '84, Arlington, 323.
Mori, K., et al. (1984b). Autonomous Decentralization Concept. Trans. IEE of Japan, 104-C, 303.
Rennel, M. (1983). Distributed fault-tolerant computer system. Computer, 13, 55.
Siljak, D. D. (1981). Dynamic reliability of multiplex control system. Proc. of the 8th IFAC World Congress, Kyoto, XII, 110.

Fig. 2. A loop computer communication network system which consists of m heterogeneous computer systems (computer, communication controller, unidirectional transmission line). Each computer system is connected to the adjacent computer system through a unidirectional transmission line.

Fig. 3. A model of a computer system (computer system $S_i$: receive buffer $BF_{i1}$, send buffer $BF_{i2}$, receive controller $RC_i$, send controller $SC_i$).