An evaluation of the dependability of observer based fault detection and isolation scheme : a structural approach


8th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes (SAFEPROCESS) August 29-31, 2012. Mexico City, Mexico

T. Boukhobza, C. Simon and F. Hamelin
CRAN - CNRS UMR 7039, Université de Lorraine, Faculté des Sciences et Technologies - B.P. 70239, 54506 Vandoeuvre-les-Nancy FRANCE (email: [email protected])

Abstract: The aim of this paper is to study the dependability of a fault detection and isolation scheme and the impact of sensors' failure probability on such a scheme during the mission duration of a system. The proposed method is based on a graph-theoretic approach and assumes only the knowledge of the system's structure. For a linear structured system, we first recall the fault diagnosis conditions when using an observer based scheme. Then we deduce the sets of sensors that ensure the validity of such conditions. Next, we proceed with a dependability analysis to compute the reliability of this kind of diagnosability property based on the sensors' reliability. The approach proposed in this paper is original because it allows combining dependability and structural analysis for studying a system's properties.

Keywords: Fault detection and isolation, reliability, structural properties, graph theory.

1. INTRODUCTION

Systems design is a key issue in system engineering. It is the process of defining the architecture, components, modules, interfaces and data for a system to satisfy specified requirements. Within the well known systems engineering "V-model" for managing a system's life cycle, the design phase is based on the objectives developed in the functional specification phase. At this stage, the dimensions of the equipment to design are usually unknown but they will be defined according to customer demand. Working with unknown dimensions can be cumbersome, but it is still possible to work on the basis of generic models developed from the state equations.

To ensure the supervision of the system, some properties like fault diagnosability should be guaranteed from the design phase on, to provide an operational system to the customers. This property is of great interest in many automatic control problems. Indeed, since the early 70's, Fault Detection and Isolation (FDI) in dynamic systems has received much attention from both theoretical and application viewpoints (Franck and Ding (2000); Chen and Patton (1999)). In fact, the detection and the location of incipient faults are important for safety critical systems where a malfunction can cause human and material damages. An FDI system is mainly made of two parts. The first one is related to the generation and the evaluation of some signals called residuals, which must be sensitive to faults occurring on the system. The second part concerns the decision-making on the basis of these residuals. To handle the solvability of the residual generation problem, many works deal with algebraic and geometric formalizations which require good and precise knowledge of the system's state space model. However, as previously mentioned, state equations are not numerically dimensioned in early phases of the system's lifecycle. Thus, the use of generic representations, called structured models, defined by matrices which contain a fixed number of zero entries determined on the basis of physical laws, and other entries defined by free parameters, is very suitable. Many studies on structured systems are related to the graph-theoretic approach to analyze some system properties such as controllability, observability, fault diagnosticability, reconfigurability or the solvability of several classical control problems (see Dion et al. (2003); Blanke et al. (2006) and the references therein). It results from these works that the graph-theoretic approach provides simple and elegant analysis tools. Such an approach has also been used when dealing with component oriented considerations, in particular with sensor location problems. In Carpentier et al. (1997), the authors propose an algorithm which gives sensor locations for systems represented by bipartite graphs in order to recover some fault detectability and isolability properties. In Trave-Massuyes et al. (2006) the authors define the notion of "diagnosticability" and, for any given set of sensors, they provide the number of faults that can be discriminated and its degree of diagnosticability. The proposed method is based on the analytical redundancy relations and allows characterizing the minimal additional sensors that guarantee a desired degree of diagnosticability. In Commault and Dion (2007) the sensor placement is addressed in order to obtain a diagonal transfer from faults to residuals. The authors give the number of additional sensors and the conditions to be satisfied by each successful additional sensor configuration. Recently, in Frisk and Krysander (2007) an algorithm is developed for determining which sensors must be added to obtain a maximal fault detectability and fault isolability degree. In fact, the authors propose a method which finds, for given sensor locations, all minimal sensor sets with the maximum fault isolability.

On the other hand, reliability engineers are concerned with the dependability properties of systems like Reliability, Availability, Maintainability and Safety, also known as RAMS parameters. The reliability of a system measures how well it meets its design objectives. It is expressed as a function of its components' reliability. The question is thus to assess the reliability by defining this function. This can be done thanks to the Failure Mode and Effects Analysis, called FMEA (Dhillon (1999)). FMEA gives a good understanding of the system and of how elementary events propagate through it to give rise to the undesired event. It allows quantifying the RAMS parameters accordingly, or directly defining the structure function between the undesirable event and the failure of basic components. Since supervision and control systems are conceived based on physical devices like sensors, whose lifetime is unknown, structural properties like diagnosability are subject to their failure. Consequently, it seems clear that the two problems of conceiving diagnosable and reliable systems should be considered jointly and early in the system life cycle in order to guarantee some confidence level on those properties by a probability assessment. While there exist many research works which deal with fault accommodation and reconfiguration when actuators/sensors are prone to failures (see Starkov (2002) for example), to our knowledge there are only few works that deal with the interaction between automatic control systems and reliability analysis in our way. In Bhushan and Rengaswamy (2000), the authors consider the sensor placement problem by combining a fault diagnosis observability study by signed directed graphs and reliability information on component failure probability. Luong et al. (1994) also propose to solve the sensor placement problem for diagnosis and introduce reliability and redundancy criteria to enhance the reliability of measurements.

In Weber et al. (2008), the authors propose a method that improves the performance of the decision making in fault diagnosis by taking into account a priori knowledge of the system/components' reliability. This paper deals with the dependability analysis of structured linear systems according to the specific structural fault detectability and isolability property when using an observer based scheme. We propose to consider the sensors' reliability to compute the probability that a system loses the ability to detect or locate a specific group of chosen faults, chosen for example because of their importance or their criticality. In practice, such information may be useful both during the design phase and the operational one. Indeed, it may help designers when conceiving supervision systems and guide them to choose components (here sensors) adequately, to maximize the system's reliability in maintaining its structural properties when prone to failures. Also, during the system's operational phase, the information on its redefined reliability will allow forestalling the loss of its structural properties by making adequate preventive maintenance actions or component replacements, and possibly a further reconfiguration. The paper is organized as follows. After Section 2, which is devoted to the problem formulation, some definitions related to the graph-theoretic approach are given in Section 3. The main results are exposed in Section 4 before a brief conclusion.

978-3-902823-09-0/12/$20.00 © 2012 IFAC
10.3182/20120829-3-MX-2028.00180


2. PROBLEM STATEMENT

In this paper, we are considering systems of the following form:

$$\Sigma^\alpha : \begin{cases} \dot{x}(t) = A^\alpha x(t) + L^\alpha f(t) + E^\alpha w(t) \\ y(t) = C^\alpha x(t) + G^\alpha f(t) + H^\alpha w(t) \end{cases} \qquad (1)$$

where x ∈ IR^n is the state vector, f ∈ IR^m is the vector of fault components to be detected, w ∈ IR^d is the vector regrouping the disturbances, unknown inputs or all other fault components which do not have to be detected, and y ∈ IR^p is the measurement or output vector. The control input components, which are known, are not represented since they do not play a role in fault detection and isolation capabilities. A^α, L^α, E^α, C^α, G^α and H^α are matrices whose elements are either fixed to zero or assumed to be nonzero free parameters noted α_i. The set of these parameters is noted α = {α_1, α_2, ..., α_h}. If all parameters α_i are numerically fixed, we obtain a so-called admissible realization of structured system Σ^α. We say that a property is true generically if it is true for almost all the realizations of structured system Σ^α. Here, "for almost all the realizations" is to be understood as "for all parameter values (α ∈ IR^h) except for those in some proper algebraic variety in the parameter space".

Let us first recall the classical definitions of the generic observer based scheme fault detectability and isolability. To do so, let us consider structured linear system (Σ^α); we define the fundamental residual generation problem (FPRG) as the problem of finding a filter of form (2):

$$\begin{cases} \dot{z} = A z + K(y - C z) \\ r = Q(y - C z) \end{cases} \qquad (2)$$

where residual r ∈ IR^q is such that, for all i ∈ {1, 2, ..., q}:

i. when f_i = 0, r_i is insensitive to w and to all f_j for j ≠ i. It must decay to zero for all admissible inputs u and whatever x(0), z(0);
ii. r_i is affected by f_i, i.e. it takes a non-zero value for at least some t ≥ 0 whatever x(0) and z(0).

Roughly speaking, this means (Commault et al. (2002)) that matrix (A − KC) is stable, the transfer matrix from the disturbance to the residual is zero, and the transfer matrix from the fault to the residual is triangular with nonzero elements on the diagonal. Clearly, the solvability of the FPRG depends greatly on the sensors and their position w.r.t. the fault components.

Definition 1. Structured system Σ^α is generically fault diagnosable using an observer based scheme if, for almost all its realizations, the FPRG is solvable.

Starting from a system which is diagnosable using an observer-based scheme, the aim of the paper is first to propose a systematic characterization of the importance of the sensors with respect to diagnosability. More precisely, we provide a logical expression depending on the sensors' availability which expresses the satisfaction of the diagnosability conditions. Next, we deduce from this expression a probability measure of the system's ability to conserve this property given the reliability of each involved sensor and actuator. For all the reasons cited in the introduction section, we choose a graph-theoretic approach to address this problem.


3. GRAPHICAL REPRESENTATION OF STRUCTURED LINEAR SYSTEMS

Digraph G(Σ^α), associated to Σ^α, is constituted by a vertex set V and an edge set E. The vertices represent the state, the control input, the disturbances, the faults and the output components of Σ^α, whereas the edges represent the existence of static or dynamic relations between these variables. More precisely, V = X ∪ W ∪ F ∪ Y, where X = {x_1, ..., x_n} is the set of state vertices, W = {w_1, ..., w_d} is the set of disturbance vertices, F = {f_1, ..., f_q} is the set of fault vertices and Y = {y_1, ..., y_p} is the set of output vertices. The edge set is E = A-edges ∪ L-edges ∪ E-edges ∪ C-edges ∪ G-edges ∪ H-edges, with A-edges = {(x_j, x_i) | A^α(i, j) ≠ 0}, L-edges = {(f_j, x_i) | L^α(i, j) ≠ 0}, E-edges = {(w_j, x_i) | E^α(i, j) ≠ 0}, C-edges = {(x_j, y_i) | C^α(i, j) ≠ 0}, G-edges = {(f_j, y_i) | G^α(i, j) ≠ 0} and H-edges = {(w_j, y_i) | H^α(i, j) ≠ 0}. Here, M^α(i, j) is the (i, j)th element of matrix M^α and (v_1, v_2) denotes a directed edge from vertex v_1 ∈ V to vertex v_2 ∈ V.

Example 1. To the system defined by the following matrices, we associate the digraph in Figure 1.

    A^α =
      [ 0    0    0    0    0    α1   0    0   ]
      [ 0    0    0    α2   α3   0    0    0   ]
      [ 0    0    0    0    0    0    0    0   ]
      [ 0    0    0    0    0    0    α4   0   ]
      [ 0    0    0    α5   0    0    0    0   ]
      [ α6   0    α7   0    α8   0    0    0   ]
      [ 0    0    0    0    0    0    0    0   ]
      [ 0    0    0    0    α9   0    0    0   ]

    L^α = [ 0  0  α10  α11  0  0  0  0 ]^T

    E^α =
      [ 0    0   ]
      [ 0    0   ]
      [ 0    0   ]
      [ α12  0   ]
      [ 0    0   ]
      [ 0    0   ]
      [ 0    α13 ]
      [ 0    0   ]

    C^α =
      [ α14  0    0    0  ...  0   ]
      [ 0    α15  0    0  ...  0   ]
      [ 0    0    α16  0  ...  0   ]
      [ 0    0    0    0  ...  α17 ]

All the other matrices G^α and H^α are equal to zero.

Figure 1. Digraph associated to system of Example 1 (figure not reproduced).

• Two edges e_1 = (v_1, v'_1) and e_2 = (v_2, v'_2) are disjoint if they have no common vertex.
• A sequence of edges (v_{r_j}, v_{r_{j+1}}) ∈ E for j = 0, ..., i − 1 is called a path and is denoted P = v_{r_0} → v_{r_1} → ... → v_{r_i}. Two paths are disjoint if they have no common vertex. Let V_1 and V_2 denote two subsets of V. The cardinality of V_1 is noted card(V_1). θ(V_1, V_2) is the maximal number of disjoint edges from V_1 to V_2. A simple path P is said to be a V_1-V_2 path if its begin vertex belongs to V_1 and its end vertex belongs to V_2. If the only vertices of P belonging to V_1 ∪ V_2 are its begin and end vertices, P is a direct V_1-V_2 path. Succ(V_1) represents the subset of all the successor vertices of V_1. Similarly, Pred(V_1) represents the subset of all the predecessor vertices of V_1. We note by ρ(V_1, V_2) the maximal number of disjoint V_1-V_2 paths. A set of ρ(V_1, V_2) disjoint V_1-V_2 paths is called a maximum V_1-V_2 linking. The vertices which are covered by all the maximum V_1-V_2 linkings are called the essential vertices for the V_1-V_2 linkings. These vertices constitute a specific subset denoted V_ess(V_1, V_2).
• A subset S ⊆ V is a separator between sets V_1 and V_2 if every path from V_1 to V_2 contains at least one vertex in S. We call minimum separators between V_1 and V_2 any separators having the smallest size, which is equal to ρ(V_1, V_2).
  ◦ S_i(V_1, V_2) is the set of end vertices of all direct V_1-V_ess(V_1, V_2) paths. S_i(V_1, V_2) is the minimum input separator.
  ◦ S_o(V_1, V_2) is the set of begin vertices of all direct V_ess(V_1, V_2)-V_2 paths. S_o(V_1, V_2) is the minimum output separator.
• A subset V_o is a V_1-V_2 output minimal subset if it is included in V_2 and ρ(V_1, V_2) = ρ(V_1, V_o) = card(V_o). The computation of this subset can be easily done by taking ρ(V_1, V_2) distinct vertices included in V_2 which can be reached from each element of S_o(V_1, V_2).

4. MAIN RESULTS

4.1 Preliminaries

In Commault et al. (2002), the authors establish the necessary and sufficient conditions ensuring the solvability of the FDI problem:

Proposition 1. Consider structured system (Σ^α) represented by digraph G(Σ^α). The fault components associated to F are isolable and detectable using an observer-based FDI scheme iff in G(Σ^α):

$$\rho(W \cup F, Y) = card(F) + \rho(W, Y)$$

For sake of simplicity, we first treat the case where the system is submitted to one fault. In a second step, we handle the general multi-fault case by considering the following corollary of Proposition 1:

Corollary 1. Consider structured system (Σ^α) represented by digraph G(Σ^α). The fault components associated to F are isolable and detectable using an observer-based FDI scheme iff in G(Σ^α), ∀f_ℓ ∈ F, ρ(F ∪ W, Y) = 1 + ρ(W ∪ F \ {f_ℓ}, Y).

4.2 Single fault case

Structural analysis. Assume that we are concerned by detecting and isolating only one fault f_1 which can occur on the system and that the condition of Proposition 1 is satisfied. The aim of the following part is to provide an expression of all the sensor configurations which ensure the FDI problem solvability. First, let us denote by S_W = S_i(W, Y) the minimum input separator between W and Y. The condition of Proposition 1 is equivalent to ρ({f_1} ∪ W, Y) = 1 + ρ(S_W, Y). For each y_i ∈ Succ(f_1), let us use the following algorithm to construct specific vertex subsets:

    Γ^Y_i = {y_i}
    Γ^W_i = Pred(Γ^Y_i) ∩ S_W
    while Succ(Γ^W_i) ∩ Y ⊈ Γ^Y_i do
        Γ^Y_i = Succ(Γ^W_i) ∩ Y
        Γ^W_i = Pred(Γ^Y_i) ∩ S_W

Using the previous subsets, for each y_i ∈ Succ(f_1) ∩ Y, we construct a new bipartite graph G_i = (Γ^W_i ∪ {f_1}, Γ^Y_i, ε_i) such that ε_i = {(v_k, v_j) | v_k ∈ Γ^W_i ∪ {f_1}, v_j ∈ Γ^Y_i, there exists a path between v_k and v_j in G(Σ^α)}. G_i is said to be an FDI-eligible bipartite graph if ρ(Γ^W_i ∪ {f_1}, Γ^Y_i) = card(Γ^W_i) + 1. We can now state the following proposition.

Proposition 2. Consider structured linear system Σ^α with only one fault component (q = 1), represented by digraph G(Σ^α) and by the bipartite graphs G_i associated to each y_i ∈ Succ(f_1). To ensure the observer based FDI problem solvability, all the sensors belonging to any Γ^W_i ∪ {f_1}-Γ^Y_i output minimal subset are necessary and sufficient. Denoting by V^o_{i,k}, k = 1, ..., σ_i, all the Γ^W_i ∪ {f_1}-Γ^Y_i output minimal subsets, we write this condition in the form:

$$\bigvee_{y_i \in Succ(f_1)\ \text{and}\ G_i\ \text{FDI-eligible}} \ \bigvee_{k=1}^{\sigma_i} \Big( \bigwedge_{y_j \in V^o_{i,k}} y_j \Big) \qquad (3)$$

Proof:

Sufficiency: First note that, as S_W = S_i(W, Y) and by definition of the minimal input separator, ρ(W, Y) = ρ(S_W, Y) = card(S_W). Similarly, ρ(W ∪ {f_1}, Y) = ρ(S_W ∪ {f_1}, Y). Thus, the FDI structural solvability problem is equivalent to ρ(S_W ∪ {f_1}, Y) = 1 + card(S_W). Moreover, by construction, all the predecessors of vertex subset Γ^Y_i included in S_W constitute Γ^W_i. Similarly, all the successors of Γ^W_i, when this set is not empty, included in Y constitute Γ^Y_i. Consequently, ρ(S_W ∪ {f_1}, Y) = ρ(Γ^W_i ∪ {f_1}, Γ^Y_i) + ρ(S_W \ Γ^W_i, Y \ Γ^Y_i). Therefore, if ρ(Γ^W_i ∪ {f_1}, Γ^Y_i) = card(Γ^W_i) + 1, or equivalently G_i is eligible, then using only the output vertices included in Γ^Y_i, the diagnosability condition is ensured. In other words, using only any subset V_0 of Γ^Y_i which ensures that ρ(Γ^W_i ∪ {f_1}, V_0) = card(Γ^W_i) + 1 is then sufficient to guarantee the fault diagnosability. The sufficiency is proved by remarking that these subsets constitute by definition the Γ^W_i ∪ {f_1}-Γ^Y_i output minimal subsets.

Necessity: Recall that by construction, all the predecessors of vertex subset Γ^Y_i included in S_W constitute Γ^W_i. If there is no FDI-eligible graph G_i (equivalently, if for all y_i successors of f_1, ρ(Γ^W_i ∪ {f_1}, Γ^Y_i) < card(Γ^W_i) + 1) then for all the possible subsets Y_0 of Y including a successor of f_1, ρ(S_W ∪ {f_1}, Y_0) < card(S_W) + 1. In this case the observer based FDI problem has no solution. This implies that, to ensure the solvability of such a problem, it is necessary to have at least one FDI-eligible graph. But an FDI-eligible graph remains eligible only if all the sensors of at least one Γ^W_i ∪ {f_1}-Γ^Y_i output minimal subset are operational. This achieves the necessity proof.

Example 2. Considering Example 1, the successors of f_1 in Y are y_1, y_2 and y_3. Moreover, S_i(W, Y) = {x_4}. The computation of the subsets Γ^Y_i, Γ^W_i, i = 1, 2, 3 gives: since x_4 is not a predecessor of y_3, Γ^Y_3 = {y_3} and Γ^W_3 = ∅. Since x_4 is a predecessor of both y_1 and y_2, Γ^Y_1 = Γ^Y_2 = {y_1, y_2, y_4} and Γ^W_1 = Γ^W_2 = {x_4}. The bipartite graphs G_1, G_2 and G_3 are represented in Figure 2.

Figure 2. Bipartite graphs G_1, G_2 and G_3 associated to system of Example 1 (figure not reproduced: G_1, which is similar to G_2, has left vertices x_4 and f_1 and right vertices y_1, y_2 and y_4; G_3 has left vertex f_1 and right vertex y_3).

The output minimal subsets in G_1, G_2 and G_3 are respectively: {y_3}, {y_1, y_2}, {y_1, y_4}, {y_2, y_4}. Consequently, the expression which ensures the fault detection and isolation ability for this system is:

$$y_3 \vee (y_1 \wedge y_2) \vee (y_1 \wedge y_4) \vee (y_2 \wedge y_4) \qquad (4)$$
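The construction above, carried out in Python as an added example (this is not the authors' code). It encodes the zero/nonzero pattern of the Example 1 matrices as edges, computes ρ(V_1, V_2) by counting vertex-disjoint paths with a unit-capacity max flow on the vertex-split graph, checks the Proposition 1 condition, runs the Γ^Y_i / Γ^W_i loop for every output reachable from f_1, tests FDI-eligibility, and enumerates the output minimal subsets that make up expression (3). Two things are assumptions of this example rather than results of the page: the edge pattern is the reconstruction of the Example 1 matrices as read from the page, and the minimum input separator S_W = {x_4} is taken from Example 2 rather than computed. The same routine applies fault by fault in the multi-fault case of Section 4.3, with the other faults merged into W and S_W replaced by S^ℓ_W.

```python
"""Structural FDI analysis of the paper's Example 1 (added example, not the authors' code)."""
from itertools import combinations

# Constructed input: the zero/nonzero pattern of Example 1's matrices, as pairs (i, j) with
# M(i, j) != 0. A(i, j) != 0 is the edge x_j -> x_i; L, E, C give the f -> x, w -> x, x -> y edges.
A_EDGES = {(1, 6), (2, 4), (2, 5), (4, 7), (5, 4), (6, 1), (6, 3), (6, 5), (8, 5)}
L_EDGES = {(3, 1), (4, 1)}                  # f1 -> x3, f1 -> x4
E_EDGES = {(4, 1), (7, 2)}                  # w1 -> x4, w2 -> x7
C_EDGES = {(1, 1), (2, 2), (3, 3), (4, 8)}  # x1 -> y1, x2 -> y2, x3 -> y3, x8 -> y4
W, F, Y = {"w1", "w2"}, {"f1"}, {"y1", "y2", "y3", "y4"}
S_W = {"x4"}  # minimum input separator S_i(W, Y); taken from the paper's Example 2 (assumption)


def build_digraph():
    """Edge set of G(Sigma_alpha) over the vertices x1..x8, f1, w1, w2, y1..y4."""
    edges = {(f"x{j}", f"x{i}") for i, j in A_EDGES}
    edges |= {(f"f{j}", f"x{i}") for i, j in L_EDGES}
    edges |= {(f"w{j}", f"x{i}") for i, j in E_EDGES}
    edges |= {(f"x{j}", f"y{i}") for i, j in C_EDGES}
    return edges


def reach(edges, start, reverse=False):
    """Succ(start): vertices reachable from `start`; Pred(start) when reverse=True."""
    step = {(b, a) for a, b in edges} if reverse else edges
    seen, stack = set(), list(start)
    while stack:
        u = stack.pop()
        for a, b in step:
            if a == u and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def rho(edges, sources, targets):
    """rho(V1, V2): maximal number of vertex-disjoint V1-V2 paths (Menger's theorem), computed
    as a unit-capacity max flow on the vertex-split graph with BFS augmenting paths."""
    if not sources or not targets:
        return 0
    cap = {"S": {}, "T": {}}

    def arc(u, v):
        cap.setdefault(u, {})[v] = 1
        cap.setdefault(v, {}).setdefault(u, 0)

    for v in {v for e in edges for v in e} | set(sources) | set(targets):
        arc((v, "in"), (v, "out"))  # capacity 1 per vertex: paths must be vertex-disjoint
    for u, v in edges:
        arc((u, "out"), (v, "in"))
    for s in sources:
        arc("S", (s, "in"))
    for t in targets:
        arc((t, "out"), "T")
    flow = 0
    while True:
        parent, queue = {"S": None}, ["S"]
        while queue and "T" not in parent:
            u = queue.pop(0)
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "T" not in parent:
            return flow
        v = "T"
        while parent[v] is not None:  # push one unit of flow along the augmenting path
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1


def diagnosable(edges):
    """Proposition 1: rho(W u F, Y) == card(F) + rho(W, Y)."""
    return rho(edges, W | F, Y) == len(F) + rho(edges, W, Y)


def sensor_sets(edges, fault="f1"):
    """Expression (3): output minimal subsets of every FDI-eligible bipartite graph G_i."""
    result = set()
    for yi in reach(edges, {fault}) & Y:
        gamma_y = {yi}
        gamma_w = reach(edges, gamma_y, reverse=True) & S_W
        while not (reach(edges, gamma_w) & Y) <= gamma_y:  # the Gamma construction loop
            gamma_y = reach(edges, gamma_w) & Y
            gamma_w = reach(edges, gamma_y, reverse=True) & S_W
        left = gamma_w | {fault}
        bip = {(v, y) for v in left for y in gamma_y if y in reach(edges, {v})}
        r = len(gamma_w) + 1
        if rho(bip, left, gamma_y) != r:  # G_i is not FDI-eligible
            continue
        for vo in combinations(sorted(gamma_y), r):  # candidate output minimal subsets
            if rho(bip, left, set(vo)) == r:
                result.add(frozenset(vo))
    return result


if __name__ == "__main__":
    g = build_digraph()
    print("diagnosable (Proposition 1):", diagnosable(g))
    print("sensor sets of expression (3):", sorted(sorted(s) for s in sensor_sets(g)))
```

Running it on the Example 1 pattern gives ρ(W, Y) = 1 (every disturbance path goes through x_4), ρ(W ∪ {f_1}, Y) = 2, and the four sensor sets {y_3}, {y_1, y_2}, {y_1, y_4}, {y_2, y_4} of expression (4).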

Dependability analysis. The dependability of a system is defined as a property that allows its users to have a justified reliance on the service it is delivering. It is described by various attributes such as reliability, availability, maintainability and safety (Laprie (1992)). In this paper, we are dealing with the reliability factor. It is defined as the probability that an item will carry out its assigned mission satisfactorily for a stated time period [0, T] when used under specified conditions (Dhillon (1999)). The reliability, called R(t), can be expressed as R(t) = P(t ≥ T). This definition can be extended to properties like diagnosability. The diagnosability property is an important property involved in many applications around automatically controlled systems (FDI, FTC, ...). Losing this property induces the loss of the ability to supervise the system. To assess the reliability of the diagnosability, we should find the structure function linking the existence of the property and the reliability of the system components. To evaluate the traditional reliability of a system, we usually consider the system state as binary (i.e. UP or DOWN) and have to find the relation with the binary state of the components. In the same way, the diagnosability can be satisfied or not according to the state of the involved components. By identifying the structure function, the probability to satisfy the diagnosability can be calculated as explained hereafter.


Table 1. Components failure rates

    Sensor    Failure rate λ (h^-1)
    y1        1·10^-3
    y2        2·10^-3
    y3        3·10^-3
    y4        4·10^-3

As seen in Subsection 4.2.1, a structured linear system is generically diagnosable iff a condition of sensors' availability is satisfied. This condition is expressed in terms of the union of some sensor sets. Those sensors can fail when the system is operational. This may lead to the violation of the diagnosability condition. To calculate the probability that a system is diagnosable (or equivalently un-diagnosable) it is necessary to evaluate the probability to satisfy (or violate) the diagnosability condition. The system's probability to conserve its diagnosability property can be calculated as follows:

$$P(Diag) = 1 - P(\overline{Diag}) \qquad (5)$$

According to Proposition 2, all the sensors of V^o_{i,k}, for each y_i ∈ Succ(f_1) ∩ Y having an FDI-eligible graph G_i, for at least one k (k = 1, ..., σ_i) should be available. If one of them fails, the condition will not be satisfied anymore and the system becomes un-diagnosable using an observer based scheme. Therefore, the condition that becomes unverified when failures occur is defined from equation (3) by:

$$P(\overline{Diag}) = P\Bigg( \bigwedge_{y_i \in Succ(f_1)\ \text{and}\ G_i\ \text{FDI-eligible}} \ \bigwedge_{k=1}^{\sigma_i} \Big( \bigvee_{y_j \in V^o_{i,k}} \bar{y}_j \Big) \Bigg) \qquad (6)$$

This means that the fault detection and isolation condition becomes unsatisfied if at least one of the subsets of sensors V^o_{i,k}, for k = 1, ..., σ_i and for y_i ∈ Succ(f_1) ∩ Y having an FDI-eligible graph G_i, fails. Knowing the failure rate of each sensor in the system, the reliability of a structured linear system in conserving its fault detection and isolation ability when failures occur on its sensors can be computed from equation (6). However, notice that in equation (6) there is a union of many sets which may contain some common sensors.

Let us assess the probability of the diagnosability condition of Example 1. From equation (4), the un-diagnosability condition can be written as:

$$P(\overline{Diag}) = P\Big( \bar{y}_3 \wedge \big( (\bar{y}_1 \vee \bar{y}_2) \wedge (\bar{y}_1 \vee \bar{y}_4) \wedge (\bar{y}_2 \vee \bar{y}_4) \big) \Big) \qquad (7)$$

To compute the probability of the previous equation, we should pay attention to common sensors between the "OR" parts of equation (7). Then, it comes:

$$P(Diag) = 1 - P(\bar{y}_3)\,\big( P(\bar{y}_1)P(\bar{y}_2) + P(\bar{y}_1)P(\bar{y}_4) + P(\bar{y}_2)P(\bar{y}_4) - 2\,P(\bar{y}_1)P(\bar{y}_2)P(\bar{y}_4) \big) \qquad (8)$$

For sake of illustration, let us consider the following numerical application. Table 1 gives values of the failure rate of sensors y_j (j = 1, ..., 4). These values are arbitrarily chosen. For the numerical study, it is supposed that the system should operate during 1400 h and that failure rates are constant. Then, the reliability of components is given by R_i(t) = e^{−λ_i t}. From Table 1, the equation of component reliability and equation (8), we are able to compute the probability of maintaining the diagnosability property P(Diag). The reliability of components and P(Diag) are shown on Figure 3. As can be seen on Figure 3, the reliability of components y_i follows decreasing exponential curves.

Figure 3. Reliability of y_i and P(Diag) (figure not reproduced).

The probability to maintain the diagnosability property is also shown. It is the product of R(y_3) and the reliability of 2oo3 between y_1, y_2 and y_4. At t = 460 h, P(Diag) decreases under 0.5. Now let us consider that the goal is to maintain the probability of the diagnosability over 0.5 for a specific mission. We have to repair some specific components each time the diagnosability property crosses 0.5. We propose a specific staggered maintenance considering a possible repair of only one component at a time. The reliability of components and the probability to maintain the diagnosability are shown on Figure 4. As y_3 has one of the higher failure r
ates among the four components, its repair occurs regularly and contributes to an interesting increase of the diagnosability probability. The three other components are organized in a 2oo3 structure and none of them are minimal cuts. So, their repair has less influence than y_3 on the diagnosability probability, as shown on Figure 4.

Figure 4. Reliability of y_i and P(Diag) with repair (figure not reproduced).

4.3 Extension to multiple fault case

In the multi-fault case, a fault f_ℓ is detectable and isolable if and only if ρ(F ∪ W, Y) = 1 + ρ(W ∪ F \ {f_ℓ}, Y). This is equivalent to considering that, for each fault component, all the other fault components are considered as disturbances. In this case, we construct the bipartite graphs associated to each fault component f_ℓ with the following algorithm. Let us denote by S^ℓ_W = S_i(W ∪ F \ {f_ℓ}, Y).
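The probability assessment above, worked through in Python as an added example (not the authors' code). The structure function of expression (4) is evaluated exactly by inclusion-exclusion over its minimal sensor sets, which is the general way to deal with the common sensors the text warns about in equation (6); the result is checked against the closed form (8), the first hour at which P(Diag) drops below 0.5 is located, and a staggered maintenance rule is simulated over the 1400 h mission with the Table 1 failure rates. The repair rule used (renew the single sensor whose renewal raises P(Diag) the most) is an assumption of this example: the paper describes staggered maintenance of one component at a time but does not fix the selection rule.

```python
"""Reliability of the diagnosability property of Example 1 (added example, not the authors' code)."""
import math
from itertools import combinations

# Constructed input: Table 1 failure rates (h^-1) and the minimal sensor sets of expression (4):
# the system stays diagnosable as long as every sensor of at least one of these sets works.
LAMBDA = {"y1": 1e-3, "y2": 2e-3, "y3": 3e-3, "y4": 4e-3}
PATH_SETS = [frozenset({"y3"}), frozenset({"y1", "y2"}),
             frozenset({"y1", "y4"}), frozenset({"y2", "y4"})]
MISSION_H = 1400


def reliability(sensor, age_h):
    """R_i(t) = exp(-lambda_i t) for a constant failure rate (no repair)."""
    return math.exp(-LAMBDA[sensor] * age_h)


def p_diag(rel, path_sets=PATH_SETS):
    """P(Diag) = P(at least one path set fully operational), by inclusion-exclusion.
    `rel` maps each sensor to its current reliability; sensors fail independently.
    Because the union of each group of path sets is taken, a sensor shared between
    OR-terms is counted once (the 'common sensors' caveat attached to equation (6))."""
    total = 0.0
    for k in range(1, len(path_sets) + 1):
        for group in combinations(path_sets, k):
            prob = 1.0
            for s in frozenset().union(*group):
                prob *= rel[s]
            total += (-1) ** (k + 1) * prob
    return total


def p_diag_closed_form(t):
    """Equation (8) for Example 1: 1 - P(y3 failed) * P(at least two of y1, y2, y4 failed)."""
    q = {s: 1.0 - reliability(s, t) for s in LAMBDA}  # failure probabilities
    two_failed = (q["y1"] * q["y2"] + q["y1"] * q["y4"] + q["y2"] * q["y4"]
                  - 2 * q["y1"] * q["y2"] * q["y4"])
    return 1.0 - q["y3"] * two_failed


def p_diag_at(t, renewal=None):
    """P(Diag) at hour t; `renewal` maps a sensor to the hour it was last made as good as new."""
    renewal = renewal or {}
    return p_diag({s: reliability(s, t - renewal.get(s, 0)) for s in LAMBDA})


def first_crossing(threshold=0.5, mission_h=MISSION_H):
    """First hour at which P(Diag) drops below `threshold` without repair (None if never)."""
    for t in range(mission_h + 1):
        if p_diag_at(t) < threshold:
            return t
    return None


def staggered_maintenance(threshold=0.5, mission_h=MISSION_H):
    """Hypothetical repair rule (an assumption of this example, not a policy stated in the paper):
    each time P(Diag) falls below the threshold, renew the single sensor whose renewal raises
    P(Diag) the most. Returns the list of (hour, sensor) repairs made during the mission."""
    renewal, repairs = {}, []
    for t in range(mission_h + 1):
        if p_diag_at(t, renewal) < threshold:
            best = max(LAMBDA, key=lambda s: p_diag_at(t, {**renewal, s: t}))
            renewal[best] = t
            repairs.append((t, best))
    return repairs


if __name__ == "__main__":
    print("P(Diag) at 100 h:", round(p_diag_at(100), 4),
          "closed form (8):", round(p_diag_closed_form(100), 4))
    print("first hour below 0.5 without repair:", first_crossing())
    print("repairs under the staggered rule:", staggered_maintenance())
```

Because {y_3} is on its own a minimal sensor set of (4) while y_1, y_2 and y_4 only count through the 2oo3 pairs, the greedy rule always selects y_3 for renewal, which is the behaviour the text describes for Figure 4.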


For each y_i ∈ Succ(f_ℓ):

    Γ^Y_{ℓ,i} = {y_i}
    Γ^W_{ℓ,i} = Pred(Γ^Y_{ℓ,i}) ∩ S^ℓ_W
    while Succ(Γ^W_{ℓ,i}) ∩ Y ≠ Γ^Y_{ℓ,i} do
        Γ^Y_{ℓ,i} = Succ(Γ^W_{ℓ,i}) ∩ Y
        Γ^W_{ℓ,i} = Pred(Γ^Y_{ℓ,i}) ∩ S^ℓ_W

Using the previous subsets, for each y_i ∈ Succ(f_ℓ) ∩ Y, we construct a new bipartite graph G_{ℓ,i} = (Γ^W_{ℓ,i}, Γ^Y_{ℓ,i}, ε_{ℓ,i}) such that ε_{ℓ,i} = {(v_k, v_j) | v_k ∈ Γ^W_{ℓ,i} ∪ {f_ℓ}, v_j ∈ Γ^Y_{ℓ,i}, there exists a path between v_k and v_j in G(Σ^α)}. G_{ℓ,i} is said to be an FDI-eligible bipartite graph if ρ(Γ^W_{ℓ,i} ∪ {f_ℓ}, Γ^Y_{ℓ,i}) = card(Γ^W_{ℓ,i}). We can now state the following result:

Proposition 3. Consider structured linear system Σ^α when several faults can occur simultaneously, represented by digraph G(Σ^α) and by the bipartite graphs G_{ℓ,i} associated to each f_ℓ ∈ F and y_i ∈ Succ(f_ℓ). To ensure the observer based FDI problem solvability, all the sensors belonging to any Γ^W_{ℓ,i}-Γ^Y_{ℓ,i} output minimal subset are necessary and sufficient. Denoting by V^o_{ℓ,i,k}, k = 1, ..., σ_{ℓ,i}, all the Γ^W_{ℓ,i}-Γ^Y_{ℓ,i} output minimal subsets, we write this condition in the form:

$$\bigwedge_{f_\ell \in F} \ \bigvee_{y_i \in Succ(f_\ell)\ \text{and}\ G_{\ell,i}\ \text{FDI-eligible}} \ \bigvee_{k=1}^{\sigma_{\ell,i}} \Big( \bigwedge_{y_j \in V^o_{\ell,i,k}} y_j \Big) \qquad (9)$$

Proof: The proof is immediate knowing that the observer based FDI problem is solvable in the multi-fault case if and only if it is solvable for each fault f_ℓ when the other fault components are considered as disturbances.

Assessing the diagnosability probability in the multiple faults case can be addressed in the same way as in the single fault case by considering the set of sensors given by equation (9).

5. CONCLUSION

In this paper, a new analysis approach which combines the reliability aspects with the diagnosability structural analysis is proposed. The structural analysis is used as a first step to derive, using the graph-theoretic approach, the necessary and sufficient conditions for the solvability of the observer based scheme FDI problem for linear systems. These conditions are expressed as Boolean equations of sensor sets whose availability ensures the satisfaction of the global or partial diagnosability property, when we are interested only in the detection and isolation of some fault components. In the second step, the probabilistic assessment of the diagnosability property is made. Indeed, the diagnosability property can be guaranteed only at a certain level, depending on the reliability of the system's sensors. Assessing this probability for an automated system can be of great interest when operating this system. As briefly shown in the paper, this information helps to plan maintenance actions and component replacement to decrease the risks induced by the use of automated systems by guaranteeing a certain level of reliability and safety.

REFERENCES

Bhushan, M. and Rengaswamy, R. (2000). Design of sensor location based on various diagnostic observability and reliability. Computers and Chemical Engineering, 24(27), 735–741.
Blanke, M., Kinnaert, M., Lunze, J., and Staroswiecki, M. (2006). Diagnosis and Fault-Tolerant Control. Springer-Verlag, Heidelberg.
Carpentier, T., Litwak, R., and Cassar, J.P. (1997). Criteria for the evaluation for FDI systems. Application to sensors location. In IFAC Safeprocess Conference, 1083–1088. Hull, United Kingdom.
Chen, J. and Patton, R. (1999). Robust model-based fault diagnosis for dynamic systems, volume 3 of Kluwer international series on Asian studies in computer and information science. Kluwer Academic Publishers, Boston, U.S.A.
Commault, C. and Dion, J.M. (2007). Sensor location for diagnosis in linear systems: a structural analysis. IEEE Transactions on Automatic Control, 52(2), 155–169.
Commault, C., Dion, J.M., Sename, O., and Motyeian, R. (2002). Observer-based fault diagnosis for structured systems. IEEE Transactions on Automatic Control, 47(12), 2074–2079.
Dhillon, B. (1999). Design Reliability: Fundamentals and Applications. CRC Press LLC, Boca Raton, U.S.A.
Dion, J.M., Commault, C., and van der Woude, J.W. (2003). Generic properties and control of linear structured systems: a survey. Automatica, 39(7), 1125–1144.
Franck, P.M. and Ding, S. (2000). Development in the theory of FDI. In IFAC Safeprocess Conference, 16–27. Budapest, Hungary.
Frisk, E. and Krysander, M. (2007). Sensor placement for maximum fault isolability. In DX-07, 106–113. Nashville, U.S.A.
Laprie, J. (1992). Dependability: Basic concepts and associated terminology. Springer-Verlag, Austria.
Luong, M., Maquin, D., Huynh, T., and Ragot, J. (1994). Observability, redundancy, reliability and integrated design of measurement system. In Proceedings of IFAC Symposium on Intelligent Components and Instruments for Control Applications, SICICA'94. Budapest, Hungary.
Starkov, K.E. (2002). Observability conditions of linear time-varying systems and its computational complexity aspects. Mathematical Problems in Engineering, 8(4-5), 439–449.
Trave-Massuyes, L., Escobet, T., and Olive, X. (2006). Diagnosability analysis based on component-supported analytical redundancy relations. IEEE Transactions on Systems, Man and Cybernetics - Part A: Systems and Humans, 36(6), 1146–1160.
Weber, P., Theilliol, D., and Aubrun, C. (2008). Component reliability in fault diagnosis decision making based on dynamic Bayesian networks. Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability, 222(2), 161–172.