Copyright © IFAC Identification and System Parameter Estimation, Beijing, PRC 1988

A NEW DIAGNOSIS METHOD FOR COMPONENT FAILURES*

W. Ge and C. Z. Fang, Department of Automation, Tsinghua University, PRC

Abstract. This paper considers the problems involved in designing a failure diagnosing system using state estimation techniques for on-line supervision of a linear time invariant system. A new failure diagnosing decision process based on robust state estimation and logic reasoning is derived in this paper. By means of this new diagnosing system, it is possible to provide more precise failure information than previous diagnosing schemes in the literature. The efficiency of the diagnosing system has been proved on an experimental plant with industrial instrumentation. Some practical aspects concerning the implementation of the diagnosing scheme are discussed. The limitations of detection observer schemes are also discussed. This technique may be used on-line to improve overall process supervision or off-line to facilitate maintenance and repair.

Keywords. State estimation; failure detection; observers; robustness; logic reasoning.
* Supported by the National Natural Science Fund of China.

INTRODUCTION

The increasing complexity of industrial systems and the growing scope of automation have created a demand for higher reliability (Himmelblau, 1978). Modern control theory is particularly effective for on-line failure diagnosis (Isermann, 1984). In this area, state estimation is one important approach (Willsky, 1976), where the crucial problem is failure isolation (Frank, 1986). To solve this problem, Beard (1971) and Jones (1973) formulated the Beard-Jones Detection Filter Problem (BJDFP). A simple generalization of the BJDFP leads to the restricted control decoupling problem (RCDP). Basic results and recent developments are presented by Massoumnia (1986). Janssen and Frank (1984) developed a hierarchical scheme of global and local observers to detect and isolate faulty components. Application of this hierarchical scheme to a nuclear reactor model has shown its efficiency in failure isolation.

In all the previous research, it was required to detect and isolate failures even if they occur simultaneously. We refer to such failure isolations as complete isolations. Jones (1973) introduced the concept of "mutually detectable failure modes" to describe the possibility of complete isolation.

However, in practice most failures cannot be diagnosed if they occur simultaneously. It is often the case that a failure can be identified only when certain other failures have not occurred. We refer to such failures as being partially isolatable. In this paper, we introduce the concept of isolatability to describe this property. It should be noted that in practice most failures are only partially isolatable.

Simultaneous occurrence of failures is quite unlikely in practice, so that complete isolation may indeed be unnecessary in most cases. Therefore, the realization of partial failure isolation has important practical significance. This paper shows that partial failure isolation may be realized by the approach of robust observation, and a new failure diagnosing decision process is developed to identify failures as precisely as possible.

Experiments on a pilot plant proved the isolation efficiency of the failure diagnosing scheme presented in this paper.

NOTATION. In this paper a boldface capital letter denotes a matrix. $(A)_{ij}$ denotes the element of a matrix $A$ at the $i$-th row and the $j$-th column, and $(E)_i$ denotes the $i$-th element of a vector $E$. A prime "'" denotes matrix transpose.

FAILURE ISOLATABILITY

Suppose a system is defined by

$\dot{x}(t) = Ax(t) + Bu(t) + \sum_{i=1}^{k} L_i m_i(t)$    (1-a)

$y(t) = Cx(t)$    (1-b)

where $x(t)$ is the $n$-dimensional state, $u(t)$ is the input and $y(t)$ is the $m$-dimensional output. $u(t)$ and $y(t)$ are measured by sensors. $L_i m_i(t)$ are the $k$ failure modes, $L_i$ are known matrices called failure signature matrices (Jones, 1973), and $m_i(t)$ are unknown functions called failure functions. When failure $i$ occurs, $m_i(t) \neq 0$; when failure $i$ does not occur, $m_i(t) = 0$.

A failure diagnosing system should make decisions on the basis of the measurements $y(t)$ and $u(t)$ as to which $m_i(t) = 0$ (failure $i$ has not occurred) and which $m_i(t) \neq 0$ (failure $i$ has occurred).

Definition 1. If the possibility of the occurrence of a certain failure can be excluded by linear observers irrespective of the occurrence of another failure or failure set, then this failure is said to be isolatable via linear observation from that failure or failure set, or in short, isolatable from that failure set.

Definition 2. If within a failure set every failure is isolatable from all other failures of this set, then the failures of this set are said to be mutually isolatable from each other.

"Mutually isolatable" is virtually equivalent to Jones' "mutually detectable" (Jones, 1973). However, isolatability need not be mutual. It often happens that failure A is isolatable from failure B but failure B is not isolatable from failure A. In the previous failure isolation schemes (Jones, 1973; Massoumnia, 1986; Janssen and Frank, 1984; Frank, 1986; etc.), two such failures have to be considered as one failure source, so that no further isolation information can be provided. But actually in such a case it should be possible to identify failure A with certainty. Furthermore, it should be possible to identify failure B with certainty when failure A has not occurred. Undoubtedly such failure isolation information is very useful for system failure diagnosis. In many cases, such partial failure isolation information may significantly improve the precision of failure location.

In the formulation of failure detecting observer problems, the failure functions $m_i(t)$ are assumed unknown. This assumption limits the failure isolation precision. Theorem 1 gives this limitation.
Theorem 1. If the failure signature matrices of two failures are linearly dependent, then these two failures are not isolatable from each other.

ROBUST OBSERVATION APPROACH

A detecting observer $(F, G, T, K, P)$ is defined by

$\dot{z}(t) = Fz(t) + Gy(t) + TBu(t)$    (2-a)

$e(t) = Kz(t) + Py(t)$    (2-b)

where the parametric matrices $F$, $G$, $T$, $K$ and $P$ are subject to the structure conditions

$TA - FT = GC$    (3-a)

$KT + PC = 0$    (3-b)

$F$ is stable    (3-c)

Definition 3. $e(t)$ of (2) is called an observation signal. Failure detection is based on the satisfaction or dissatisfaction of (4):

$\lim_{t \to \infty} e(t) = 0$    (4)

Without loss of generality, let a diagnosing system be composed of $p$ detecting observers $(F_j, G_j, T_j, K_j, P_j)$ producing observation signals $e_j(t)$, $j = 1, 2, \ldots, p$, where the $e_j(t)$ are scalars. Since the failure functions $m_i(t)$ are assumed unknown, one cannot get failure isolation information from the type of movement of a scalar $e_j(t)$. However, valuable isolation information can be obtained from $e_j(t)$ by making $e_j(t)$ sensitive to some failures but robust to other failures.

Definition 4. Suppose only one failure has occurred. An observation signal $e(t)$ is said to be sensitive to this failure if (4) does not hold, and $e(t)$ is robust to this failure if (4) still holds.

We use a logic vector to describe the robustness of an observation signal:

Definition 5. A $k$-dimensional logic vector $E$ is called the robustness vector associated with $e(t)$, where

$(E)_i = 1$ if $e(t)$ is sensitive to failure $i$, and $(E)_i = 0$ if $e(t)$ is robust to failure $i$.

Definition 6. By the symbol $\bar{E}$ ("logic vector $E$ barred") we mean $\bar{E} = E \oplus \mathbf{1}$ (elementwise exclusive-or), where $\mathbf{1}$ is a vector whose elements are all 1's.

We give an asterisk "*" to an observation signal $e(t)$ to turn it into a logic quantity.

Definition 7. $e^*(t) = 0$ if $|e(t)| < \varepsilon$, and $e^*(t) = 1$ if $|e(t)| \geq \varepsilon$, where $\varepsilon > 0$ is a threshold to take account of unmodeled effects.

We use a logic vector (alarm vector) $f$ to represent the alarm signal of a diagnosing system:

Definition 8. $(f)_i = 0$ means failure $i$ has not occurred; $(f)_i = 1$ means failure $i$ has probably occurred.

Theorem 2. A family of observation signals $e_j(t)$ with their respective robustness vectors $E_j$, $j = 1, 2, \ldots, p$, produce the alarm vector $f$ by

$f = \bigcap_{j=1}^{p} \left( E_j\, e_j^*(t) \cup \bar{E}_j \right)$    (5)

$(f)_i = 0$ means failure $i$ has not occurred, but $(f)_i = 1$ does not mean failure $i$ must have occurred. The following theorems are given to provide further diagnosing information on failure $i$ when $(f)_i = 1$.

Theorem 3. The addition of still another observation signal to a family of observation signals will not confuse the failure isolation information provided by the original family of observation signals.

Theorem 3 implies that the more observation signals there are, the more isolation information we can get. If a diagnosing system is composed of those detection observers that realize all the robustness vectors of system (1), then it will provide the maximum failure isolation information.

Theorem 4. Suppose at a certain instant a failure set is formed by the probable failures (i.e., failures that have probably occurred). If a certain failure of this set is isolatable from all other failures of this set, then this failure must have occurred.
Let

$[E_1, E_2, \ldots, E_p] = [D_1', D_2', \ldots, D_k']'$    (6)

then the $D_i$ are $p$-dimensional logic row vectors.

Theorem 5. Suppose $\{E_j;\ j = 1, 2, \ldots, p\}$ exhausts all the robustness vectors of system (1). Let $\mathbf{k} = \{1, 2, \ldots, k\}$, $u \subset \mathbf{k}$, $i_0 \in u$. Failure $i_0$ is isolatable from the failure set $\{\text{failure } i;\ i \in u\}$ iff

(7)

Theorem 6. Suppose at a certain instant the probable failures form a set $S = \{\text{failure } i;\ i \in u \subset \mathbf{k}\}$. Let $S_b = \{\text{failure } i;\ i \in u_0 \subset u\}$ be a subset of $S$. If

$\bigcup_{i \in u_0} D_i \neq \bigcup_{i \in u} D_i$    (8)

then $S_b$ cannot occur alone, where by saying "a failure set occurs" we mean all the failures of this set occur simultaneously.

Corollary. At least one subset $S_b$ must have occurred among those subsets of $S$ that satisfy

$\bigcup_{i \in u_0} D_i = \bigcup_{i \in u} D_i$    (9)

On-line diagnosing decisions may be made by the following steps: 1) use Theorem 2 to find those failures that have probably occurred; 2) use Theorem 4 and Theorem 5 to pick out, as far as possible, those failures that are sure to have occurred; 3) if step 2) picks out no failure, then use Theorem 6 and its corollary to determine which failure combinations are likely to have occurred.

Diagnosing System Design

In our scheme, a diagnosing system includes two parts: (1) a family of detection observers $(F_j, G_j, T_j, K_j, P_j)$ producing observation signals $e_j(t)$ with their respective robustness vectors $E_j$, $j = 1, 2, \ldots, p$; (2) a failure diagnosing decision process.

The second part has been given in the last section. Designing the first part includes finding $E_j$, $p$, $F_j$, $G_j$, $T_j$, $K_j$ and $P_j$, $j = 1, 2, \ldots, p$. When there are $k$ failure modes to be diagnosed, $E_j$ is a $k$-dimensional logic vector. There are altogether $2^k - 1$ nonzero $k$-dimensional logic vectors. It should be noted that not all of them can be realized as robustness vectors. Given system (1) and a robustness vector $E_j$, a systematic procedure has been developed to design a detection observer $(F_j, G_j, T_j, K_j, P_j)$ that realizes $E_j$ (Ge, 1988). This design procedure has been computer coded. If a given $E_j$ is not a robustness vector, the computer program informs the user automatically. On applying the design program to these $2^k - 1$ logic vectors one by one, we find all the robustness vectors, and for each of them a detection observer is designed at the same time. The following theorem points out that not all the robustness vectors thus found are really necessary to provide the maximum failure isolation information. Redundant robustness vectors and their corresponding detection observers should be deleted from the diagnosing system.

Theorem 7. For a family of observation signals $e_j(t)$ with their respective robustness vectors $E_j$, $j = 1, 2, \ldots, p$, $e_{j_0}(t)$ provides failure isolation information not provided by $e_j(t)$, $j = 1, 2, \ldots, p$, $j \neq j_0$, iff $E_{j_0}$ is not a union of some of the $E_j$, $j = 1, 2, \ldots, p$, $j \neq j_0$.

APPLICATION TO A PILOT PLANT

A four-tank system shown in Fig. 1 was built in our laboratory. An IBM PC is connected to the plant to perform on-line diagnosis.

Fig. 1. The four-tank system.

For this plant, the inlet water flow $u(t)$ and three water levels $x_1(t)$, $x_3(t)$ and $x_4(t)$ are measured by industrial instruments. The water level $x_2(t)$ is assumed unavailable. The cross-sections of the tanks (sq. cm) are $A_1 = 494.5$, $A_2 = 497.9$, $A_3 = 504.0$, $A_4 = 504.3$.

The plant has nonlinear dynamics which may be represented approximately by

$\dot{x}_1(t) = k_1 u(t) - k_2 \sqrt{x_1(t) - x_2(t)}$

$\dot{x}_2(t) = k_3 \sqrt{x_1(t) - x_2(t)} - k_4 \sqrt{x_2(t) - x_3(t)}$

$\dot{x}_3(t) = k_5 \sqrt{x_2(t) - x_3(t)} - k_6 \sqrt{x_3(t) - x_4(t)}$    (10)

$\dot{x}_4(t) = k_7 \sqrt{x_3(t) - x_4(t)} - k_8 \sqrt{x_4(t)}$

where the parameters $k_i$ have been identified through experiments:

$k_1 = 2.02 \cdot 10^{-3}$, $k_2 = 0.1365$, $k_3 = 0.1356$, $k_4 = 0.1410$, $k_5 = 0.1393$, $k_6 = 0.1350$, $k_7 = 0.1350$, $k_8 = 0.0594$.
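The logic-reasoning part of the decision process described in the preceding sections, as an added Python example that is not code from the paper or its authors: it implements Theorem 2 (alarm vector, eq. (5)), Theorem 6 with its corollary (which subsets of the probable failures can have occurred, eqs. (8) and (9)) and Theorem 7 (redundant observation signals). The four failure modes, the robustness vectors E_j and the idealised rule for which signals exceed their threshold are constructed assumptions, not the plant's Table 3; the example also goes beyond the text's single checks by enumerating every minimal admissible failure subset.

```python
# Added example (not from the paper): logic-reasoning layer of the diagnosing
# decision process over constructed robustness vectors.
from itertools import combinations

K = 4  # number of failure modes (constructed example, not the plant's 7)
# Robustness vectors E_j: (E_j)_i = 1 when e_j(t) is sensitive to failure i,
# 0 when it is robust to it (the convention eq. (5) relies on).
E = [
    (1, 0, 1, 0),
    (1, 1, 0, 0),
    (0, 1, 1, 0),
    (0, 0, 0, 1),
    (1, 1, 1, 1),  # sensitive to every failure
]
P = len(E)


def fired_signals(actual):
    """Idealised e_j*(t): a signal exceeds its threshold exactly when some
    failure it is sensitive to is present (assumption: no cancellation)."""
    return tuple(int(any(E[j][i] for i in actual)) for j in range(P))


def alarm_vector(e_star):
    """Theorem 2, eq. (5): (f)_i = AND_j ((E_j)_i AND e_j*  OR  NOT (E_j)_i).
    (f)_i = 0 iff some signal sensitive to failure i stayed silent."""
    return tuple(int(all(e_star[j] or not E[j][i] for j in range(P)))
                 for i in range(K))


def D(i):
    """Row i of [E_1 ... E_p] (eq. (6)) as the set of signals sensitive to i."""
    return frozenset(j for j in range(P) if E[j][i])


def union_D(idx):
    return frozenset().union(*(D(i) for i in idx))


def admissible_subsets(f):
    """Theorem 6 / corollary: a subset u0 of the probable failures u can have
    occurred alone only if U_{i in u0} D_i == U_{i in u} D_i (eq. (9)).
    Returns the minimal subsets satisfying (9)."""
    u = [i for i in range(K) if f[i]]
    target = union_D(u)
    minimal = []
    for r in range(1, len(u) + 1):
        for u0 in combinations(u, r):
            if union_D(u0) == target and not any(set(m) <= set(u0) for m in minimal):
                minimal.append(u0)
    return minimal


def certain_failures(f):
    """Failures belonging to every admissible subset must have occurred."""
    subsets = admissible_subsets(f)
    return sorted(set.intersection(*(set(s) for s in subsets))) if subsets else []


def is_redundant(j0):
    """Theorem 7: e_j0 adds no isolation information iff E_j0 is a union of
    some of the other E_j; the union of all E_j contained in E_j0 decides."""
    parts = [E[j] for j in range(P)
             if j != j0 and all(a <= b for a, b in zip(E[j], E[j0]))]
    if not parts:
        return False
    return tuple(int(any(p[i] for p in parts)) for i in range(K)) == E[j0]


if __name__ == "__main__":
    for actual in ({1}, {1, 3}, {0, 1}):
        f = alarm_vector(fired_signals(actual))
        print(actual, "-> f =", f, "admissible:", admissible_subsets(f),
              "certain:", certain_failures(f))
    print("redundant signals:", [j for j in range(P) if is_redundant(j)])
```

With failures {0, 1} present, all three pairs among the probable failures {0, 1, 2} satisfy (9) and none is certain, which is the situation of the paper's "at least two of three" case; with {1, 3} present, only the pair itself satisfies (9), so both are certain.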
Diagnosing System for the Plant

Let the nominal $u(t)$ (operating point) be 277.778 c.c./s (1 Ton/h). The dynamics of these four tanks can be linearized at the operating point to the form of (1), of which the matrices $A$, $B$ and $C$ are

$A = 0.01 \cdot [\text{entries not legible in this copy}]$, $B = [\text{entries not legible}]$, $C = [\text{entries not legible}]$

There are eight possible failures in this system. They are leakages in tank $i$, represented by $L_i m_i(t)$, and cloggings in pipe $i$, represented by $L_{i+4} m_{i+4}(t)$, $i = 1, 2, 3, 4$. These failure modes are summarized in Table 1 and Table 2. In Table 2, $s_i$ and $h_i$ are the cross-section and the height of the leak in tank $i$ respectively, and $s_i^*$ is the reduction in cross-section of pipe $i$ due to clogging, $i = 1, 2, 3, 4$. $s_i$, $h_i$ and $s_i^*$ are unknown variables, so that the failure functions $m_j(t)$ are unknown functions.

It should be noted that these eight failures cannot be divided into mutually detectable failure sets, so that no failure isolation information can be provided by previous failure diagnosing schemes (Jones, 1973; Massoumnia, 1986; Janssen and Frank, 1984; Frank, 1986; etc.). Because $L_4$ and $L_8$ are linearly dependent, failure 4 and failure 8 are not isolatable from each other by Theorem 1. These two failures are therefore considered as one failure source. Thus there are altogether 7 failure modes, in which the 4th failure mode represents both failure 4 and failure 8. $(f)_4 = 1$ only means that at least one of these two failures has probably occurred. This exhibits the isolation limitation when the failure functions $m_i(t)$ are assumed unknown. To distinguish between failure 4 and failure 8, a priori knowledge on the failure functions $m_4(t)$ and $m_8(t)$ should be made use of by the diagnosing decision process.
TABLE 1 Failure Signature Matrices

Column $L_j$ is the 4-dimensional signature of failure $j$; row $i$ corresponds to the state $x_i$.

          L_1    L_2    L_3    L_4    L_5      L_6      L_7      L_8
  row 1    1      0      0      0    1/A_1     0        0        0
  row 2    0      1      0      0   -1/A_2    1/A_2     0        0
  row 3    0      0      1      0     0      -1/A_3    1/A_3     0
  row 4    0      0      0      1     0        0      -1/A_4    1/A_4
TABLE 2 Failure Functions

$m_i(t) = (s_i / A_i) \sqrt{2g(x_i - h_i)}$,  $i = 1, 2, 3, 4$

$m_{i+4}(t) = -s_i^* \sqrt{2g(x_i - x_{i+1})}$,  $i = 1, 2, 3$

$m_8(t) = -s_4^* \sqrt{2g\, x_4}$

$g$ is the gravitational constant.

TABLE 3 The Robustness Vectors of the Plant

$E_j$, $j = 1, 2, \ldots, 18$, each a 7-dimensional logic vector indexed by the failure modes 1 to 7; $E_{18} = (1\ 1\ 1\ 1\ 1\ 1\ 1)$. (The entries of $E_1$ to $E_{17}$ are not legible in this copy.)

Since $k = 7$, there are $2^k - 1 = 127$ nonzero logic vectors. The design algorithm is only valid for 18 of them. They exhaust all the robustness vectors of this pilot plant and are summarized in Table 3. By Theorem 7, we know that the last 8 robustness vectors of Table 3 provide no other failure isolation information than that provided by the first 10 robustness vectors. The diagnosing system can thus be constructed by the detection observers realizing the first 10 robustness vectors of Table 3.

Unmodeled Effects

In this pilot plant, three main types of unmodeled effects are encountered. They are 1) instrument noise; 2) fluctuation of water levels; 3) nonlinear dynamics in failure cases.

The industrial instruments of this plant have high frequency noise. Such noise can be eliminated by low pass filters.

During operation, one can see with the naked eye that the water levels fluctuate incessantly, causing the observation signals to fluctuate violently. Fig. 2 gives the spectrum of the water level $x_1(t)$. Digital filters are designed for the sensors according to the spectra to suppress the effects of these fluctuations. Fig. 3 compares the observation signals before and after filtering.

From Fig. 4, it can be seen that in the normal case (Fig. 4(0)), all the observation signals are very small. But in failure cases, even those observation signals that are robust to the failure(s) that occurred increase their magnitude to some degree. This is due to the nonlinear dynamics of this plant. In failure cases, the system deviates appreciably from its operating point. The effects of this deviation are not considered in our isolation theory. We simply give a threshold to each observation signal to take account of this nonlinearity effect. The thresholds are chosen on the basis of experimental data. In Fig. 4, the observation signals are multiplied by suitable gain factors $g_j$, $j = 1, 2, \ldots, 10$, to let them appear to have the same threshold.

Discussions on Experimental Results

Fig. 4(1)-(3) show that when there is only one failure present at a time, definite and correct diagnosing decisions are made for every failure mode.

When certain two failures occur simultaneously, definite diagnosing decisions can also be made for every failure mode. For example, when failure 2 and failure 7 occur simultaneously, Fig. 4(4) shows that

$f = [0\ 1\ 0\ 0\ 0\ 0\ 1]'$

so that the probable failures are only failure 2 and failure 7. Then for Theorem 6, $u = \{2, 7\}$. From Table 3,
$D = D_2 \cup D_7 = (1\ 1\ 1\ 1\ 1\ 1\ 0\ 1\ 1\ 1)$

Because $D_2 \neq D$ and $D_7 \neq D$, by Theorem 6 it is not possible for failure 2 or failure 7 to occur alone. Thus we know with certainty that these two failures must have occurred simultaneously. We have already known from $f$ that failures 1, 3, 4, 5 and 6 have not occurred at this instant, hence definite diagnosis decisions are made for each one of the 7 failure modes.

There are also cases where no definite failure decision can be made for some failure modes. For example, when failure 3 and failure 4 occur simultaneously, Fig. 4(5) shows that

$f = [0\ 0\ 1\ 1\ 0\ 0\ 1]'$

so the probable failures are failures 3, 4 and 7, $u = \{3, 4, 7\}$. From Table 3,

$D = D_3 \cup D_4 \cup D_7 = (1\ 0\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1)$

Since $D \neq D_i$, $i = 3, 4, 7$, it is not possible for a single failure to have occurred, by Theorem 6. But because

$D = D_i \cup D_j$ for any $i \neq j$, $i, j = 3, 4, 7$,

by the corollary of Theorem 6 any two of these three failures are likely to have occurred, and at least two of them must have occurred. Hence in this instance definite diagnosing decisions are made only for failures 1, 2, 5 and 6. As to failures 3, 4 and 7, the diagnosing decisions are made with some degree of uncertainty.

Fig. 4(2) and Fig. 4(3) show that in both the failure 4 and the failure 8 cases, the diagnosing system releases an alarm on failure 4, because these two failure modes cannot be isolated from each other. But in these two cases, the directions of the observation signals are opposite to each other: for failure 4, $e_1(t)$ responds to the failure term $(0\ 0\ 0\ \ s_4 \sqrt{2g(x_4(t) - h_4)} / A_4)'$ with $s_4 \sqrt{2g(x_4(t) - h_4)} / A_4 \geq 0$, whereas for failure 8 it responds to $-s_4^* \sqrt{2g\, x_4(t)} / A_4 \leq 0$. On introducing this a priori knowledge on the failure functions into the diagnosing decision process, failure 4 and failure 8 may also be isolated from each other.

CONCLUSIONS

A new failure diagnosis method is presented and realized on a pilot plant. It is shown that robust observation is a powerful approach to extract the maximum failure isolation information that linear observers can provide. Using our failure diagnosing scheme, failures which are not mutually detectable may be partially isolated from each other. This is an appreciable improvement on previous results.

The choice of a suitable threshold for an observation signal is an important problem in the implementation of our diagnosing scheme, especially for nonlinear plants with linearized models. For the sake of improving detection sensitivity, one hopes to choose a small threshold, but the nonlinearity effect prevents choosing too small a one. Increasing the sensitivity of an observation signal to failures and increasing its robustness to the nonlinearity effect are two possible ways to solve this problem.

To apply this technique to practical processes, we need the mathematical models of the processes (identified or theoretically deduced) and need enough measurements to form observable systems. These are just the same requirements as for constructing an output feedback control system. In addition to these requirements, the more a priori knowledge we have on failure modes, the more precise failure isolation information the diagnosing system can provide. In our scheme, as well as in the previous schemes (Jones, 1973; Massoumnia, 1986; etc.), the failure functions $m_i(t)$ are assumed unknown. This assumption usually limits the precision of failure isolation. The $m_i(t)$ represent the nonlinear and/or unknown effects of failures on a linear system. There is no general way to handle nonlinear effects. However, for practical applications, it would be easy to make use of a priori information on $m_i(t)$ if an expert system is used. The isolation of failure 4 and failure 8 of the pilot plant in this paper is such a simple example. In large complex systems, many failure modes may be too complex to be modeled by failure signature matrices and failure functions. In such cases, the diagnosing system presented in this paper may be used as a powerful subsystem of a large complex expert diagnosing system. This technique may be used on-line to improve overall process supervision or off-line to facilitate maintenance and repair.

REFERENCES

Himmelblau, D.M. (1978). Fault Detection and Diagnosis in Chemical and Petrochemical Processes, Elsevier Scientific Publishing Company.
Willsky, A.S. (1976). A Survey of Design Methods for Failure Detection in Dynamic Systems, Automatica, 12, 601-611.
Isermann, R. (1984). Process Fault Detection Based on Modeling and Estimation Methods - A Survey, Automatica, 20, 387-404.
Frank, P.M. (1986). Fault Diagnosis in Dynamic Systems Via State Estimation - A Survey, (from personal correspondence).
Janssen, K. and Frank, P.M. (1984). Component Failure Detection Via State Estimation, Preprints of IFAC 9th World Congress, Vol. 1, pp. 147-152.
Beard, R.V. (1971). Failure Accommodation in Linear Systems Through Self-Reorganization, Rept. MVT-71-1, Man Vehicle Laboratory, Cambridge, Mass.
Jones, H.L. (1973). Failure Detection in Linear Systems, Ph.D. Thesis, Dept. of Aeronautics and Astronautics, M.I.T., Cambridge, Mass.
Massoumnia, M.-A. (1986). A Geometric Approach to the Synthesis of Failure Detection Filters, IEEE Trans. on Automatic Control, AC-31, 839-846.
Ge, W. (1988). An Observation Approach to Process Fault Diagnosis, Ph.D. Thesis, Dept. of Automation, Tsinghua University, Beijing.
Fig. 2. Spectrum of $x_1(t)$ (frequency axis in Hz, with marks at 3.56 and 14.24 Hz).

Fig. 3. Effect of sensor filtering on the observation signals (in the case when tank 4 leaks): sensors not filtered versus sensors filtered.

Fig. 4. Observation signals $e_j(t)$ and alarm vectors $f$: 4(0) No failure occurs, $f = (0\ 0\ 0\ 0\ 0\ 0\ 0)'$; 4(1) Tank 1 leaks; 4(2) Tank 4 leaks; 4(3) Pipe 4 clogs, $f = (0\ 0\ 0\ 1\ 0\ 0\ 0)'$; 4(4) Tank 2 leaks and pipe 3 clogs, $f = (0\ 1\ 0\ 0\ 0\ 0\ 1)'$; 4(5) Tank 3 and tank 4 leak, $f = (0\ 0\ 1\ 1\ 0\ 0\ 1)'$. Coordinate axes are the same for all graphs and are shown in Fig. 4(0) only. $t_o$: the time the failure occurs; $t_e$: the time the failure disappears.