Diagnosis of timed automata: Theory and application to the DAMADICS actuator benchmark problem


Control Engineering Practice 14 (2006) 609–619 www.elsevier.com/locate/conengprac

P. Supavatanakul (a), J. Lunze (b, *), V. Puig (c), J. Quevedo (c)

(a) Siemens AG, ATS 44, Gleiwitzerstr. 555, 90475 Nürnberg, Germany
(b) Institute of Automation and Computer Control, Ruhr-Universität Bochum, Universitätstr. 150, 44780 Bochum, Germany
(c) Automatic Control Department, Universitat Politècnica de Catalunya-Campus de Terrassa, 08222 Terrassa, Spain

Received 29 February 2004; accepted 24 March 2005. Available online 27 June 2005.

Abstract

This paper concerns the problem of fault diagnosis in discrete-event systems which are represented by timed automata. The diagnostic algorithm for timed automata detects and identifies faults in the system based on the investigation whether the measured input and output sequences are consistent with the timed automaton. This diagnostic approach can be applied spontaneously to the discrete-event system since no a priori information about the initial state of the system is required. It is shown in the paper how the timed automaton which represents the DAMADICS actuator can be obtained and how the diagnostic algorithm based on the timed automaton is applied to detect and identify actuator faults. A representative diagnostic result is presented and discussed to illustrate the effectiveness of the method.
© 2005 Elsevier Ltd. All rights reserved.

Keywords: Discrete-event systems; Fault diagnosis; Timed automata; DAMADICS actuator

1. Introduction

Fault diagnostic systems are important in modern industrial systems. This results from the fact that they help to monitor the systems while they operate normally and to identify a fault which occurs before it grows larger and produces undesired effects in the systems. This principle has been widely recognised by engineers for a long time. The traditional methods such as alarms and light warnings, however, do not cope well with the complexity of modern systems, and a reliable and systematic fault diagnostic system becomes necessary. As a result, a variety of different diagnostic methods have been the subject of extensive research (for a survey cf. Blanke, Kinnaert, Lunze, & Staroswiecki, 2003; Frank, 1996; Hamscher, Console, & de Kleer, 1992; Isermann, 1984; Patton, Frank, & Clark, 1989).

* Corresponding author. Tel.: +49 234 3224071; fax: +49 234 3214017. E-mail addresses: [email protected] (P. Supavatanakul), [email protected] (J. Lunze), [email protected] (V. Puig), [email protected] (J. Quevedo).

0967-0661/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.conengprac.2005.03.028

This paper addresses the systematic design of fault diagnostic systems using model-based diagnosis for systems which can be viewed as discrete-event systems. The key feature of model-based diagnosis is its systematic design, where the model of the system to be diagnosed is separated from the general diagnostic algorithm (Fig. 1). Thus, any adjustment of the system leads only to a revision of the model without any alteration of the diagnostic algorithm. The model has to incorporate the knowledge about the faultless and the faulty system behaviours. For diagnosis of discrete-event systems, the discrete-event model of the considered system and the diagnostic algorithm are used together to determine the presence of a fault from the sequences of measured input and output (I/O) signals. The diagnostic approach presented in this paper deals with discrete-event systems with discrete inputs v, outputs w and states z. Likewise, the occurrence of a fault f in discrete-event systems is considered as a discrete phenomenon. Such systems are commonly found in industrial systems where the automation is achieved by a sophisticated controller which ensures that all system executions are correctly carried out in a timely manner. The view of discrete-event systems helps to reduce the complexity in describing the system to be diagnosed and makes the diagnosis of complex systems feasible.

[Fig. 1. Diagnosis of discrete-event systems: the input v and the fault f act on the discrete-event system, which generates the output w; the discrete-event model and the diagnostic algorithm yield the fault f.]

In this paper, the timed automaton is used as an appropriate model of the discrete-event systems. The timed automaton does not only represent the discrete-event behaviour of the system under consideration but also describes the timing characteristics of the system. Time is a standard measure in the execution of any system and usually indicates the system performance. It is then obvious that time helps to enhance the diagnostic capabilities of the method presented in this paper in comparison to the untimed models that have been used in the literature so far (cf., for example, Teneketzis, Sinnamohideen, Sampath, Sengupta, & Lafortune, 1996; Lunze, 2000). For timed automata, the temporal information is used to determine the state transitions such that the "fast" transitions are distinguished from the "slow" ones. This is important for diagnosis in the sense that if a fault emerges, the performance deterioration is first reflected by a change in the temporal distance of events, and only if the fault becomes larger, the order of the events changes, events are blocked or new events enabled.

The application of the diagnostic method presented in this paper focusses on the detection and identification of faults in the DAMADICS actuators (Bartyś, Patton, Syfert, de las Heras, & Quevedo, 2005). The actuators considered are industrial control valves in the Polish sugar factory Cukrownia Lublin SA. The background of the benchmark problem is described by Bartyś et al. (2005). The application of discrete-event models for diagnosis of the actuator benchmark problem has been demonstrated by Puig et al. (2003) and Lunze and Supavatanakul (2003) and is motivated by the following facts:

- The operation of an actuator may be considered to be in one of two modes: idle and operating. If the actuator is operating, it can operate in several operating modes.
- The analysis of the actuator benchmark problem given by Syfert, Patton, Bartyś, and Quevedo (2003) and Bartyś et al. (2005) shows that the quantitative descriptions of the actuator are complex and highly nonlinear. Hence, the view of the actuator as a discrete-event system is appropriate for diagnosis.
- The diagnosis using the discrete-event system description can be carried out despite the presence of imprecision such as noise and uncertainties if the behaviour of the actuator is described precisely enough but no more precisely than warranted. Hence, the sequences of discrete I/O obtained from the actuator can be used for diagnosis.

1.1. Relevant literature

The diagnosis of discrete-event systems was pioneered using the automata-theoretic approach, with Sampath, Sengupta, Lafortune, Sinnamohideen, and Teneketzis (1995) and Teneketzis et al. (1996) presenting the primary papers on this subject. Along the line of this approach, diagnostic systems using automata are presented, for example, by Lin (1994), Baroni, Lamperti, Pogliano, and Zanella (1999), Lamperti and Zanella (2003), Zad, Kwong, and Wonham (2003), Förstner and Lunze (2000), Lunze and Schröder (2001), Schröder (2003). For these approaches, the models take the form of untimed nondeterministic or stochastic automata and the diagnostic systems have to find the fault which leads to unexpected events occurring in the systems. Ushio, Onishi, and Okuda (1998) and Benveniste, Aghasaryan, Fabre, Boubour, and Jard (1998) used Petri nets and stochastic Petri nets as the discrete-event models for diagnosis.

The diagnosis of timed discrete-event systems has been the subject of only a few papers so far and is not yet very mature. An attempt to deal with temporal information in diagnosis has been presented by Holloway and Chand (1994) for automated manufacturing systems using the template language. Alternatively, diagnostic methods for timed discrete-event systems by means of timed Petri nets and their subclass of timed event graphs are given by Srinivasan and Jafari (1993) and Schullerus and Krebs (2001). Tripakis (2002) used timed automata for diagnosis. It is shown that the diagnoser, which is a deterministic machine in the form of a timed automaton, detects faults not only from the observed events but also from the temporal information between two successive events.

1.2. Aim of the paper

The focus of this paper is to elaborate the theory for diagnosis of timed automata and to apply the diagnostic approach to the DAMADICS actuators. In contrast to the approach presented by Tripakis (2002), the method presented in this paper uses the timed automaton in a different sense, since the nondeterministic timed automaton is used for diagnosis and the diagnosis is carried out in the I/O direction without knowledge of the event occurrences in the system (cf. Supavatanakul, 2004). In this way, the diagnostic system can be applied for diagnosis at any time without knowledge of the initial state of the system. The fault detection and identification problem is solved by means of a consistency check which finds the smallest subset of the fault set of the automaton in which the actual fault certainly resides.

1.3. Structure of the paper

After a brief review of timed automata in Section 2, the diagnostic problem is posed in Section 3. A solution to this problem is given in Section 3.3 in the form of a diagnostic algorithm, which can be used to iteratively determine the set of possible faults. Section 4 describes the different approaches to obtain the timed automaton, with the focus on the identification method. Section 5 illustrates the practical relevance of the methods for the diagnosis of the DAMADICS actuators and discusses the diagnostic results.

2. Timed automata

2.1. Definition and notations

This paper proposes the timed automaton introduced by Alur and Dill (1994) to represent the discrete-event system depicted in Fig. 1. The timed automaton is a model used to represent the state transitions and the temporal information of the transitions of the discrete-event system. In the following, the timed automaton is described by

$$A_T(N_z, N_v, N_w, T_h, R, z_0) \qquad (1)$$

with the finite sets of discrete states $N_z = \{1, 2, \ldots, N\}$, discrete inputs $N_v = \{1, 2, \ldots, M\}$ and discrete outputs $N_w = \{1, 2, \ldots, Q\}$. $T_h = [0, t_h] \subset \mathbb{R}^+$ denotes the time duration for which the timed automaton is defined. $R$ is the transition relation of the timed automaton and $z_0 \in N_z$ is the automaton's initial state.

The dynamic behaviour of the timed automaton is represented by the transition relation $R$, which describes the fact that the automaton state may change from $z$ to $z'$ and produce the output $w$ if its current input is $v$. This is described by the mapping

$$R(z', w, \tau, z, v): N_z \times N_w \times T_h \times N_z \times N_v \to \{0, 1\}. \qquad (2)$$

For $R$, a 1 indicates that a transition is possible, while a 0 means it is not. The variable $\tau \in T_h$ describes the sojourn time of the state $z$, during which the automaton receives an input $v$ and generates the output $w$ before it makes an instantaneous transition to the successor state $z'$. The sojourn time is always nonnegative and can be explicitly represented as $\tau(z', w, z, v)$. Since the transition of the timed automaton is uncertain, the time at which the transition may occur is not a fixed point in time and is described as

$$\tau(z', w, z, v) \in [\tau_{\min}(z', w, z, v),\ \tau_{\max}(z', w, z, v)], \qquad (3)$$

where $\tau_{\min}(z', w, z, v)$ and $\tau_{\max}(z', w, z, v)$ denote the minimum and maximum, or the earliest and latest, time required before a state transition can occur. Relation (3) indicates that the timed automaton can remain in its current state $z$ until any time before $\tau_{\max}(z', w, z, v)$, when the transition from $z$ to $z'$ must occur at the latest. The interval $[\tau_{\min}(z', w, z, v), \tau_{\max}(z', w, z, v)]$ is defined only for those pairs of a current state and an input $(z, v)$ for which there exist a successor state $z'$ and an output $w$ such that $R(z', w, \tau, z, v) = 1$ holds. For $R(z', w, \tau, z, v) = 0$, $\tau(z', w, z, v)$ is not defined. Therefore, the following relations hold:

$$\tau_{\min}(z', w, z, v) = \min\{\tau \mid R(z', w, \tau, z, v) = 1\}, \qquad (4)$$

$$\tau_{\max}(z', w, z, v) = \max\{\tau \mid R(z', w, \tau, z, v) = 1\}. \qquad (5)$$

It can be seen that $R$ is discrete with respect to the states $z$ and continuous with respect to the time $\tau$. Therefore, the dynamics of the timed automaton correspond to the change due to state transitions and the change due to the elapse of time. An easy way to represent a timed automaton is to use an automaton graph. An automaton graph of the timed automaton has a set of vertices which represents the set of automaton states $z \in N_z$ and a set of edges which represents the transitions corresponding to those values $z'$, $w$, $\tau$, $z$ and $v$ for which the transition relation $R(z', w, \tau, z, v) = 1$ holds. Note that the arcs in the automaton graph represent the transition from state $z$ to $z'$. The case where the timed automaton remains in a state $z$ without making any transition is not explicitly shown, since it can always be inferred from the arc(s) emerging from that state.

Fig. 2(a) shows the automaton graph of a timed automaton with four states, two inputs and three outputs. For simplicity of representation, different inputs of the automaton are distinguished using different patterns of the arcs. The solid arcs denote $v = 1$ and the dashed arcs $v = 2$. Fig. 2(b) represents an example of possible automaton state and output sequences for the automaton with initial state $z_0 = 1$ and constant input $v = 1$. The dark bars represent the state which the automaton assumes and the output which was generated, on the time line. It can be seen from Fig. 2(b) that the automaton produces the output $w = 2$ and makes the transition from $z = 1$ to $z = 3$ at 7 time units. After 7 time units, the automaton is in state $z = 3$ and produces $w = 1$ before the transition to $z = 4$ can occur. It can be seen that for $v = 1$, the automaton with $z_0 = 1$ shown in Fig. 2(a) can also change its state to $z = 2$ and produce $w = 1$, or to $z = 3$ but produce $w = 1$. Therefore, the timed automaton is nondeterministic. The sets of successor states and outputs of a timed automaton for a given state $z$ and input $v$ at any time can be described by

$$\mathcal{Z}(z, v, \tau) = \{z' : \exists w \in N_w \text{ such that } R(z', w, \tau, z, v) = 1\}, \qquad (6)$$

$$\mathcal{W}(z, v, \tau) = \{w : \exists z' \in N_z \text{ such that } R(z', w, \tau, z, v) = 1\}. \qquad (7)$$

These sets of successor states and outputs are not only determined by a given state $z$ and input $v$ but also by the time for which the state $z$ has already been assumed. Since the timed automaton with a current state $z$ and input $v$ can make a transition to the state $z'$ and produce the output $w$ within $\tau(z', w, z, v)$, it is said to generate a timed language, i.e. sequences in which a real-valued time of occurrence is associated with each of the discrete states and outputs. The I/O sequences of the timed automaton during the time horizon $T_h = [0, t_h]$ are described by

$$V(0 \ldots t_h) = (v_0, t_0, v_1, t_1, \ldots, v_h, t_h), \quad \forall v \in N_v, \qquad (8)$$

$$W(0 \ldots t_h) = (w_0, t_0, w_1, t_1, \ldots, w_h, t_h), \quad \forall w \in N_w, \qquad (9)$$

for which the state sequence of the timed automaton is given by

$$Z(0 \ldots t_h) = (z_0, t_0, z_1, t_1, \ldots, z_h, t_h), \quad \forall z \in N_z. \qquad (10)$$

[Fig. 2. (a) An automaton graph with four states, whose arcs are labelled with the interval $[\tau_{\min}, \tau_{\max}]$ and the output $w$ (e.g. $[2,7]$, $w = 2$; $[4,12]$, $w = 1$; $[3,9]$, $w = 1$; $[7,11]$, $w = 2$; $[5,10]$, $w = 3$; $[1,4]$, $w = 1$; $[5,11]$, $w = 1$; $[5,9]$, $w = 2$). (b) A possible automaton state and output sequence over $t = 0 \ldots 20$ for $z_0 = 1$, $v = 1$, with $\tau(3, 2, 1, 1) \in [2, 7]$ and $\tau(4, 1, 3, 1) \in [4, 12]$.]

2.2. Timed automata subject to faults

The application of a timed automaton for fault diagnosis requires the extension of the definition of the timed automaton by a variable corresponding to the fault $f$. The fault can be interpreted as an additional input variable of the timed automaton. Thus, the description of the timed automaton given in (1) can be extended for fault diagnosis as

$$A_T(N_z, N_v, N_w, N_f, T_h, R, z_0), \qquad (11)$$

where $N_f = \{0, 1, \ldots, S\}$ denotes the set of considered faults. Unlike the other variables defined previously in (1), $N_f$ includes 0 to denote the faultless case. The transition relation $R$ of the timed automaton has to take the effect of each fault $f$ into account and is described by

$$R(z', w, \tau, z, v, f): N_z \times N_w \times T_h \times N_z \times N_v \times N_f \to \{0, 1\}, \qquad (12)$$

where $N_z$, $N_v$ and $N_w$ essentially remain the same. Relation (12) denotes the behaviour of a timed automaton with different faults $f \in N_f$.

3. Diagnosis of timed automata

3.1. Diagnostic problem

The model of the discrete-event system in the form of the timed automaton described in Section 2 will be used for diagnosis. The aim of diagnosis is to detect and identify a fault that causes an abnormal system behaviour. In general, the fault cannot be found directly from the current measurement data but has to be detected from deviations of the I/O sequences from the nominal behaviour. This paper applies the idea of consistency-based diagnosis (see, for example, Lunze, 1995; Hamscher et al., 1992) to timed automata. The principle is to compare the measured system behaviour with the behaviour described by the model of the faultless system ($f = 0$) or the model of the system subject to some fault $f \in N_f \setminus \{0\}$. If the measured I/O sequences are inconsistent with the model which is set up for fault $f$, then the system is known not to be subject to this fault $f$. In particular, for $f = 0$, inconsistency with the model means that some fault has occurred. To apply this principle to timed automata, the description of the timed automaton under the influence of all faults $f \in N_f$ given by (11) has to be available.

The diagnostic problem for the timed automaton is to find out whether the system is subject to some fault $f$ if it generates the output sequence $W(0 \ldots t_h)$ for the given input sequence $V(0 \ldots t_h)$. This will be denoted by the possibility (Poss) of the fault $f$, i.e.

$$\mathrm{Poss}(f \mid V(0 \ldots t_h), W(0 \ldots t_h)) = \begin{cases} 1 & \text{if fault } f \text{ can occur,} \\ 0 & \text{otherwise.} \end{cases} \qquad (13)$$

If $\mathrm{Poss}(f \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 1$, it means that the fault $f$ is possible according to the measured I/O sequences $V(0 \ldots t_h)$ and $W(0 \ldots t_h)$. Note that consistency-based diagnosis cannot prove the existence of some fault but only generates fault candidates. In case $\mathrm{Poss}(f \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 0$, the fault $f$ is not a reason for the measured I/O sequences. All faults for which the possibility value equals 1 form the set of possible faults

$$\mathcal{F}(V(0 \ldots t_h), W(0 \ldots t_h)) = \{ f(t_h) \mid \mathrm{Poss}(f \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 1 \}. \qquad (14)$$

In summary, the diagnostic problem for the timed automaton can be stated as follows:

Diagnostic problem of timed automata
Given:
- Input sequence $V(0 \ldots t_h)$
- Output sequence $W(0 \ldots t_h)$
- Timed automaton $A_T(N_z, N_v, N_w, N_f, T_h, R, z_0)$
Find: Set of possible faults $\mathcal{F}(V(0 \ldots t_h), W(0 \ldots t_h))$.

3.2. Solution to the diagnosis of timed automata

The use of consistency-based diagnosis for timed automata can be formulated as follows:

Problem of consistency-based diagnosis for timed automata
Given a timed automaton describing a discrete-event system with all considered faults $f \in N_f$, can any I/O sequences of the timed automaton for some fault $f$ follow the measured I/O sequences $(V(0 \ldots t_h), W(0 \ldots t_h))$ obtained from the discrete-event system during $[0, t_h]$?

The measured I/O sequences have to be checked against the timed automaton subject to the different faults (11). It can be seen that the I/O sequences of the timed automaton given by $(V(0 \ldots t_h), W(0 \ldots t_h))$ can be determined if and only if the state sequence $Z(0 \ldots t_h)$ is known. Consequently, the consistency check cannot be carried out directly using the measured I/O sequences, since the state information is required. This implies that the diagnosis of timed automata includes the state observation problem. Since both the current state and the fault in the automaton are unknown, the diagnosis of the timed automaton (11) can be carried out by finding the current state and fault of the timed automaton based on the measured I/O sequences. Hence, the extended state $(z, f)$, denoted by $z_{dia}$, will be used. The extended state $z_{dia}$ is obtained by the bijective mapping

$$M_{dia}: N_z \times N_f \to N_{z_{dia}}, \qquad (15)$$

$$z_{dia} = M_{dia}(z, f), \qquad (16)$$

$$(z, f) = M_{dia}^{-1}(z_{dia}). \qquad (17)$$

The timed automaton $A_{T,dia}(N_{z_{dia}}, N_v, N_w, T_h, R_{dia}, z_{0,dia})$ represents the behaviour of the discrete-event system subject to the different faults $f \in N_f$. The transition function of this timed automaton is represented by

$$R_{dia}(z'_{dia}, w, \tau_{dia}, z_{dia}, v): N_{z_{dia}} \times N_w \times T_h \times N_{z_{dia}} \times N_v \to \{0, 1\} \qquad (18)$$

with

$$\tau_{dia}(z'_{dia}, w, z_{dia}, v) \in [\tau_{\min,dia}(z'_{dia}, w, z_{dia}, v),\ \tau_{\max,dia}(z'_{dia}, w, z_{dia}, v)]. \qquad (19)$$

The diagnosis is to find the set of current extended states of the timed automaton; the possible faults are then determined by applying relation (17). The possible faults which are known to be consistent with the I/O sequences yield $\mathrm{Poss}(f \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 1$. These faults are collected in the set of possible faults (14). In the following, the diagnostic problem will be solved by evaluating whether each extended state $z_{dia} \in N_{z_{dia}}$ of the timed automaton is possible for the given I/O sequences, i.e.

$$\mathrm{Poss}(z_{dia} \mid V(0 \ldots t_h), W(0 \ldots t_h)) = \begin{cases} 1 & \text{if the state } z_{dia} \text{ is possible,} \\ 0 & \text{otherwise.} \end{cases}$$

An intermediate step to determine the extended state of the timed automaton is to determine the sequence of extended states $Z_{dia}(0 \ldots t_h)$ of the automaton from the given I/O sequences. Since the timed automaton is nondeterministic, more than one sequence of extended states is possible. Therefore, the set of state sequences over the interval $[0, t_h]$ is given by

$$\mathcal{Z}_{seq}(V(0 \ldots t_h), W(0 \ldots t_h)) = \{ Z_{dia}(0 \ldots t_h) \mid \mathrm{Poss}(Z_{dia}(0 \ldots t_h) \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 1 \}.$$

Hence, the solution of the diagnostic problem is to determine $z_{dia}$ from all possible sequences of extended states within the set $\mathcal{Z}_{seq}(V(0 \ldots t_h), W(0 \ldots t_h))$. Since the set of sequences of extended states is not a singleton, because the timed automaton is nondeterministic, the set

$$\mathcal{Z}_{dia}(V(0 \ldots t_h), W(0 \ldots t_h)) = \{ z_{dia}(t_h) \mid \mathrm{Poss}(Z_{dia}(0 \ldots t_h) \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 1 \}$$

is used to describe all extended states $z_{dia}$ which the timed automaton can assume at $t_h$ if it receives the input sequence $V(0 \ldots t_h)$ and generates the output sequence $W(0 \ldots t_h)$. This set is called the set of active states, since it denotes the fact that the timed automaton occupying any state within this set can make transitions or can remain in the same state for the given I/O sequences $(V(0 \ldots t_h), W(0 \ldots t_h))$.

In the following, the abbreviations

$$\mathrm{Poss}(z_{dia} \mid t_h) := \mathrm{Poss}(z_{dia} \mid V(0 \ldots t_h), W(0 \ldots t_h)), \qquad (20)$$

$$\mathcal{Z}_{seq}(t_h) := \mathcal{Z}_{seq}(V(0 \ldots t_h), W(0 \ldots t_h)), \qquad (21)$$

$$\mathcal{Z}_{dia}(t_h) := \mathcal{Z}_{dia}(V(0 \ldots t_h), W(0 \ldots t_h)) \qquad (22)$$

will be used to denote the possibility of the current extended state, the set of sequences of extended states and the set of active states, respectively.

At the start of the diagnosis, neither a priori information on the initial state of the system nor information about the fault occurrence is available. As a consequence, the knowledge of the initial state and fault has to be chosen large enough and not in conflict with the system. A good assumption is to consider the initial state as the whole set of states and the fault as the whole set of faults. Thus, at $t_h = 0$ the diagnosis starts with

$$\mathcal{Z}_{dia}(0) = N_{z_{dia}} \qquad (23)$$

to ensure that the true initial state $z_0$ and fault $f$ are included during diagnosis, i.e. the relation

$$(z_0, f) \in \mathcal{Z}_{dia}(0) \qquad (24)$$

holds true.

In order to illustrate how $\mathrm{Poss}(z_{dia} \mid t_k)$ is determined for increasing $t_k$ ($t_k \le t_h$), assume that $\mathcal{Z}_{dia}(t_{k-1})$ includes an extended state $\tilde z_{dia}$. The following considerations are made to determine $\mathrm{Poss}(z_{dia} \mid t_k)$ from the transition relation $R_{dia}$ and the measured input $v$ and output $w$.

(I) $\mathrm{Poss}(z_{dia} \mid t_k) = 1$ holds in two situations. First, the timed automaton can move from $\tilde z_{dia}$ to $z_{dia}$ upon receiving the input $v$ and generating an output $w$ for which the elapsed time $t_k - t_{k-1}$ satisfies the timing constraint of the state transition. Second, the timed automaton can still remain in the state $\tilde z_{dia}$ for the given $v$ and $w$ during $t_k - t_{k-1}$.

(II) $\mathrm{Poss}(z_{dia} \mid t_k) = 0$ if no such transition from $\tilde z_{dia}$ to $z_{dia}$ is possible or the state $\tilde z_{dia}$ cannot be assumed for $v$ and $w$.

With these considerations, the possibility of the current extended state $z_{dia}$ at time $t_k$ is expressed by

$$\mathrm{Poss}(z_{dia} \mid t_k) = \begin{cases} 1 & \text{if } R_{dia}(z_{dia}, w, t_k - t_{k-1}, \tilde z_{dia}, v) = 1 \ \wedge\ \exists\, \tilde z_{dia} \in \mathcal{Z}_{dia}(t_{k-1}), \\ 0 & \text{otherwise.} \end{cases} \qquad (25)$$

It can be seen that consideration (I) is a rough criterion to determine the extended state. The reason is that only one sampling period $t_k - t_{k-1}$ is considered and no information on the time duration for which the state $\tilde z_{dia}$ has been assumed is available. Relation (25) provides only the information that the extended state $z_{dia}$ is consistent with the I/O sequences and that it was earlier a possible state at $t_{k-1}$. However, if consideration (II) holds true, it means that the state $z_{dia}$ is not consistent with the I/O sequences or was not a possible state at $t_{k-1}$. The set of possible current extended states which are consistent with the I/O sequences is collected in

$$\mathcal{Z}_{poss}(t_k) = \{ z_{dia} \mid \mathrm{Poss}(z_{dia} \mid t_k) = 1 \}. \qquad (26)$$

A preliminary step to determine $\mathcal{Z}_{dia}(t_k)$ is to check the sequences of extended states $\mathcal{Z}_{seq}(t_k)$, from which the entire sojourn time of the extended state $\tilde z_{dia}$ can be obtained. Since $\tilde z_{dia}$ is an element of $\mathcal{Z}_{dia}(t_{k-1})$, at least one of the state sequences $Z_{dia}(0 \ldots t_{k-1})$ within the set $\mathcal{Z}_{seq}(t_{k-1})$ must contain $\tilde z_{dia}$ as its last element, i.e.

$$Z_{dia}(0 \ldots t_{k-1}) = (Z_{dia}(0 \ldots t_{k-2}), \tilde z_{dia}) \qquad (27)$$

holds. However, $\tilde z_{dia}$ may have been assumed earlier than $t_{k-1}$. Let $\tilde t$ be the time at which $\tilde z_{dia}$ was first assumed. The set of sequences of extended states is determined by evaluating the possibility function $\mathrm{Poss}(Z_{dia}(0 \ldots t_k) \mid V(0 \ldots t_k), W(0 \ldots t_k))$ for all extended states $z_{dia} \in \mathcal{Z}_{poss}(t_k)$ as follows.

Case (a): If no state transition occurs ($z_{dia} = \tilde z_{dia}$)

$$\mathrm{Poss}(Z_{dia}(0 \ldots t_k) \mid V(0 \ldots t_k), W(0 \ldots t_k)) = \begin{cases} 1 & \text{if } (t_k - \tilde t) < \tau_{\max,dia}(z_{dia}, w, \tilde z_{dia}, v), \\ 0 & \text{otherwise.} \end{cases} \qquad (28)$$

Case (b): If a state transition occurs ($z_{dia} \neq \tilde z_{dia}$)

$$\mathrm{Poss}(Z_{dia}(0 \ldots t_k) \mid V(0 \ldots t_k), W(0 \ldots t_k)) = \begin{cases} 1 & \text{if } (t_k - \tilde t) \in \tau_{dia}(z_{dia}, w, \tilde z_{dia}, v), \\ 0 & \text{otherwise.} \end{cases} \qquad (29)$$

From relations (28) and (29), all possible sequences of extended states $Z_{dia}(0 \ldots t_k)$ form the set

$$\mathcal{Z}_{seq}(t_k) = \{ Z_{dia}(0 \ldots t_k) \mid \mathrm{Poss}(Z_{dia}(0 \ldots t_k) \mid V(0 \ldots t_k), W(0 \ldots t_k)) = 1 \}. \qquad (30)$$

Accordingly, the set of active states at $t_k$, i.e. all extended states which the automaton can assume at $t_k$, is described by

$$\mathcal{Z}_{dia}(t_k) = \{ z_{dia}(t_k) \mid \mathrm{Poss}(Z_{dia}(0 \ldots t_k) \mid V(0 \ldots t_k), W(0 \ldots t_k)) = 1 \}. \qquad (31)$$

Eq. (31) yields the set of active states which are consistent with the measured I/O sequences $V(0 \ldots t_k)$ and $W(0 \ldots t_k)$. Therefore, the fault at $t_k$ is determined from (31) by applying the inverse of the bijective map (17). All faults obtained from (17) immediately yield $\mathrm{Poss}(f \mid V(0 \ldots t_h), W(0 \ldots t_h)) = 1$ and can be collected in the set of fault candidates (14).

3.3. Diagnostic algorithm

Algorithm 1 describes how the diagnostic method discussed in the preceding section is applied on-line. The main operations are Steps 2, 3 and 4, which determine the set of possible extended states, the set of sequences of extended states and the set of active states, respectively. Step 5 of the algorithm determines the set of fault candidates by applying the inverse bijective map. The computation is carried out iteratively for each new discrete input $v$ and output $w$ received at each sampling period. The result of Algorithm 1 provides a basis for choosing the probable fault $f$ at $t_k$ from the set of fault candidates $\mathcal{F}(t_k)$.

Algorithm 1. Diagnostic algorithm
Given:
- Timed automaton $A_T(N_{z_{dia}}, N_v, N_w, R_{dia}, z_{0,dia})$.
- Maximum diagnostic horizon $t_h$.
- Sampling period $t_s$.
Initialise: $\mathcal{Z}_{dia}(0) = N_{z_{dia}}$, $t_k = 0$.
While: $t_k \le t_h$
1. Measure input $v$ and output $w$ at $t_k$.
2. Determine the set of possible extended states (26) using (25).
3. Determine the set of sequences of extended states (30) by (28) or (29).
4. Determine the set of active states from (31).
5. Determine the set of fault candidates (14) using (17).
6. Set $t_k = t_k + t_s$.
End
Result: Set of fault candidates $\mathcal{F}(t_k)$ for increasing time horizon $t_k$ ($t_k = 0, t_s, 2t_s, \ldots$).

The computational complexity of the algorithm is low because each iteration consists of few computations. Furthermore, the algorithm does not require the information of the system prior to the start of the diagnosis and the diagnostic results do not depend on how long the diagnostic algorithm has already run. These properties make the algorithm suitable for on-line applications. The diagnosis based on timed automata yields the following results:

- Fault detection: If $0 \notin \mathcal{F}(t_k)$ holds (where 0 symbolises the faultless case), then some fault must have occurred in the system.
- Fault identification: If $\mathcal{F}(t_k) = \{i\}$ where $i \in N_f$, then the fault $f = i$ in the system is completely identified.

Fault detection shows an important aspect of the consistency-based diagnosis. Even if only a model of the faultless system were available, fault detection would still be possible (Hamscher et al., 1992). Fault identification by means of consistency-based diagnosis means to exclude those faults that, according to the available information, are known not to have occurred. This means that if the measured I/O sequence is inconsistent with the timed automaton which describes the effect of a certain fault $f$, then the fault $f$ can be excluded as the primary reason for the faulty behaviour. If the set of fault candidates is a singleton, then the fault is completely identified.
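The following is an added worked example, not code from the paper or the DAMADICS project: it implements Algorithm 1 and the detection and identification rules above on a small constructed actuator model in which a "slow actuator" fault changes only the sojourn time of the moving state. It assumes that the output $w$ in (28) is the one generated by a pending outgoing transition of $\tilde z_{dia}$, and it replaces the sequence set $\mathcal{Z}_{seq}$ of (30) by storing, with each active extended state, the time $\tilde t$ at which it was entered, which is all that (28) and (29) need.

```python
"""Consistency-based diagnosis of a timed automaton subject to faults.

Added example (not the paper's code): an implementation of Algorithm 1 on a
small constructed actuator model.  The fault-extended transition relation
R (12) is a dict keyed by (z_next, w, z, v, f) whose value is the sojourn
interval [tau_min, tau_max] of (3); the extended state z_dia (16) is simply
the pair (z, f).  Instead of enumerating the sequence set Z_seq of (30), the
diagnoser stores with each active extended state the time it was entered,
which is the only thing (28) and (29) need from the sequence.
"""
from math import inf

# Constructed example model (not the DAMADICS automaton of the paper).
# States: 1 = closed, 2 = moving, 3 = open.  Inputs: 1 = "open", 2 = "close".
# Outputs: discrete position 1 = low, 2 = mid, 3 = high.  Faults: 0 = faultless,
# 1 = "slow actuator": same event order, longer sojourn in the moving state,
# i.e. a fault that first shows up in the timing rather than in the events.
R = {
    # faultless, f = 0
    (2, 1, 1, 1, 0): (0, 1),    # closed --open--> moving, emits w=1 meanwhile
    (3, 2, 2, 1, 0): (3, 6),    # moving --open--> open after 3..6 time units
    (3, 3, 3, 1, 0): (0, inf),  # open holds under "open" (self-loop), emits w=3
    (1, 1, 1, 2, 0): (0, inf),  # closed holds under "close", emits w=1
    (2, 3, 3, 2, 0): (0, 1),    # open --close--> moving
    (1, 2, 2, 2, 0): (3, 6),    # moving --close--> closed after 3..6
    # slow actuator, f = 1: only the timing of the moving state differs
    (2, 1, 1, 1, 1): (0, 1),
    (3, 2, 2, 1, 1): (8, 14),
    (3, 3, 3, 1, 1): (0, inf),
    (1, 1, 1, 2, 1): (0, inf),
    (2, 3, 3, 2, 1): (0, 1),
    (1, 2, 2, 2, 1): (8, 14),
}


def diagnose(R, io_sequence, t0=0):
    """Algorithm 1: return the fault-candidate set F(t_k) (14) for each sample.

    io_sequence is a list of (t_k, v, w).  The active set holds triples
    (z, f, t_entry); t_entry is the time t~ at which the state was assumed.
    """
    states = {k[0] for k in R} | {k[2] for k in R}
    faults = {k[4] for k in R}
    # (23): start from every extended state.  Its entry time is taken to be
    # the start of diagnosis, since nothing earlier is known (assumption).
    active = {(z, f, t0) for z in states for f in faults}
    candidates = []
    for tk, v, w in io_sequence:
        nxt = set()
        for z, f, t_entry in active:
            elapsed = tk - t_entry
            for (z2, w2, z1, v1, f1), (tmin, tmax) in R.items():
                if (z1, v1, f1, w2) != (z, v, f, w):
                    continue  # not enabled for this state/input/output/fault
                # Case (a), (28): remain in z as long as the measured w matches
                # the pending transition and tau_max has not been exceeded.
                if elapsed < tmax:
                    nxt.add((z, f, t_entry))
                # Case (b), (29): take the transition if the sojourn time lies
                # in [tau_min, tau_max]; the successor is entered at t_k.
                if tmin <= elapsed <= tmax:
                    nxt.add((z2, f, tk))
        active = nxt
        # (31) followed by (17): project the active extended states onto f.
        candidates.append({f for _, f, _ in active})
    return candidates


def run_scenario(outputs, v=1, ts=1):
    """Sample the constructed output sequence every ts units under constant v."""
    return diagnose(R, [(k * ts, v, w) for k, w in enumerate(outputs)])


def detection_time(candidates, ts=1):
    """Fault detection (Section 3.3): first t_k with 0 not in F(t_k), else None."""
    for k, F in enumerate(candidates):
        if 0 not in F:
            return k * ts
    return None


# Constructed measurements: "open" command from t = 0, position sensor per sample.
NOMINAL = [1, 2, 2, 2, 2, 3, 3]                 # reaches "high" after 5 units
SLOW = [1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3]     # stays "mid" for 9 units

if __name__ == "__main__":
    for name, outs in (("nominal", NOMINAL), ("slow", SLOW)):
        cands = run_scenario(outs)
        print(name, [sorted(F) for F in cands], "detected at", detection_time(cands))
```

For the slow sequence both models remain consistent until $t_k = 6$, the latest moment the faultless automaton may still be in the moving state; at $t_k = 7$ the faultless model is excluded, so the fault is detected and, with $\mathcal{F}(7) = \{1\}$, identified at once.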

4. Determination of timed automata

The main question concerning the construction of the timed automaton for diagnosis is how to determine the automaton transition relation for a given discrete-event system. There are three methods for solving this task (Supavatanakul, Falkenberg, & Lunze, 2003):

- Abstraction. If the quantitative model of the system is given, the transition relation of the timed automaton can be determined by an abstraction procedure described by Lunze and Supavatanakul (2002) which analyses the discrete-event dynamics of the system.
- Model transformation. If a timed discrete-event model in the form of a timed Petri net or timed-event graph exists, the transition relation of the timed automaton can be obtained by transforming the existing model to a timed automaton (Haar, Simonot-Lion, Kaiser, & Toussaint, 2002; Schullerus, Supavatanakul, Krebs, & Lunze, 2003).
- Identification. A set of measurements that cover the possible behaviours of the system can be used to set up the transition relation of the timed automaton.

Because of the availability of data generation based on the DAMADICS actuator Simulink model (Syfert et al., 2003; Bartyś et al., 2005), the identification method is used to determine the transition relation of the timed automaton. This Simulink model in the DAMADICS actuator benchmark problem is intended for tuning the diagnostic methods of the participants in the DAMADICS project. For diagnosis (i.e. for demonstrating the applicability of the diagnostic method), however, real actuator data for some specific fault cases are used.

A crucial point in the construction of the timed automaton is the choice of the automaton state z. In this paper, the model states z represent the events e generated by the discrete-event system. Thus, an event sequence generated by the discrete-event system is represented by the state sequence of the timed automaton. Moreover, the time instant of each event occurrence is obtained directly from the time instant at which the state of the automaton is assumed. With this consideration, an event $e_k$ occurs at $t_k$ if

$$z(t_k) \neq z(t_{k-1}) \qquad (32)$$

holds, where $z(t_k)$ and $z(t_{k-1})$ are discrete states generated by the discrete-event system.

The following identification method for timed automata, adopted from Supavatanakul et al. (2003), will be briefly described. The identification approach is based on data sets which sufficiently describe the behaviour of the system under different fault cases and contain discrete states, inputs and outputs with a constant sampling time $t_s$. For the set of faults $N_f = \{0, 1, \ldots, S\}$ to be diagnosed, the data set $D_i$ ($i = 0, 1, \ldots, S$) has to be available. The sequences of inputs, states and outputs within each set $D_i$ can be described, respectively, by

$$V^i = \{v^i_1, \ldots, v^i_h\}, \qquad (33)$$

$$Z^i = \{z^i_1, \ldots, z^i_h\}, \qquad (34)$$

$$W^i = \{w^i_1, \ldots, w^i_h\} \qquad (35)$$

for $i = 0, 1, \ldots, S$ and the sampling time $t_s$. Note that the lengths of the signal sequences $V^i$, $Z^i$ and $W^i$ within the same set $D_i$ are equal. However, the length of the set $D_j$ ($j \neq i$) is not necessarily equal to that of $D_i$; this assumption is nevertheless made here for notational convenience.

Algorithm 2 describes the identification method. The main idea of the algorithm is to determine the corresponding discrete input, output and temporal information of the timed automaton for each event occurrence $e_k$ (the change of $z(t_{k-1})$ to $z(t_k)$ at $t_k$). The transition relation $R$ is computed from the $S + 1$ data sets of the system subject to the faults $\{0, 1, \ldots, S\}$. In Step 1, the discrete input, state and output are measured. In Step 2, the algorithm determines whether an event $e_k$ occurs $\tau$ time units after the occurrence of the previous event $e(t_{k-1})$. If an event occurs, the discrete input and output at time $t_k$ and the fault $f = i$ are associated with the event in the form $(e(t_k), w(t_k), \tau, e(t_{k-1}), v(t_k), i)$. This is a direct consequence of the choice of the automaton state. If this relation is not yet in the transition relation $R$, it is added to $R$ and the temporal information $[\tau_{\min}, \tau_{\max}]$ is set to $\tau$. If the relation is already in $R$, only the time between the events has to be checked and updated accordingly if $\tau < \tau_{\min}$ or $\tau > \tau_{\max}$.

Algorithm 2. Identification of timed automata

Given:
- Sets of discrete measurements $D_i$ ($i = 0, 1, \ldots, S$) for all faults, consisting of discrete inputs $v^i_1, \ldots, v^i_h$, states $z^i_1, \ldots, z^i_h$ and outputs $w^i_1, \ldots, w^i_h$.
- Sampling time $t_s$.

Initialise: $R = \emptyset$.
While $i = 0, 1, \ldots, S$
  While $j = 1, 2, \ldots, h$
    1. For the measurement data for fault $i$, measure input $v^i_j$, state $z^i_j$ and output $w^i_j$.
    2. If event $e_k$ occurs at $t_k$, set the state transition to $(e(t_k), w(t_k), \tau, e(t_{k-1}), v(t_k), i)$.
      2.1. If $(e(t_k), w(t_k), \tau, e(t_{k-1}), v(t_k), i) \notin R$, add $(e(t_k), w(t_k), \tau, e(t_{k-1}), v(t_k), i)$ to $R$ and set $\tau_{\min} = \tau_{\max} = \tau$.
      2.2. If $(e(t_k), w(t_k), \tau, e(t_{k-1}), v(t_k), i) \in R$ but $\tau \notin [\tau_{\min}, \tau_{\max}]$, change $\tau_{\min}$ or $\tau_{\max}$ correspondingly.
  End
End
Result: Transition relation $R$ of $A_T(N_z, N_v, N_w, N_f, R, z_0)$.

The transition relation R obtained from Algorithm 2 represents all transitions due to the event occurrence from the data sets. If it is guaranteed that the available data describe all behaviours of the system subject to all concerned faults, the timed automaton obtained by the algorithm can be used for diagnosis.
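As an added example (not the paper's own code), the following Python implements Algorithm 2 on constructed toy records and then runs the consistency check of Section 3 (fault detection when $0 \notin F(t_k)$, identification when $F(t_k)$ is a singleton) with unknown initial state and fault, so the gradual exclusion of fault candidates described in Section 5.2 can be reproduced offline. The encoding of an event as the pair of discrete states before and after the change, the key layout of R and the candidate bookkeeping in `diagnose` are my assumptions, since Algorithm 1 is not reproduced on this page.

```python
"""Added example (not the paper's code): Algorithm 2 and the consistency-based
diagnosis of Section 3 on constructed toy data. Assumed representation: an
event e_k is the pair (z(t_{k-1}), z(t_k)) of discrete states and serves as the
automaton state; R maps (e_k, w_k, e_{k-1}, v_k, fault) -> [tau_min, tau_max]."""


def events(Z):
    """Eq. (32): an event occurs at step k when z(t_k) != z(t_{k-1})."""
    return [(k, (Z[k - 1], Z[k])) for k in range(1, len(Z)) if Z[k] != Z[k - 1]]


def identify(datasets, ts=1.0):
    """Algorithm 2: build R from {fault: (V, Z, W)} sampled every ts seconds."""
    R = {}
    for fault, (V, Z, W) in datasets.items():
        prev = None                       # (k, e) of the previous event
        for k, e_k in events(Z):
            if prev is not None:          # the first event only fixes e(t_{k-1})
                tau = (k - prev[0]) * ts  # time elapsed since the previous event
                key = (e_k, W[k], prev[1], V[k], fault)
                if key not in R:          # step 2.1: new transition
                    R[key] = [tau, tau]
                else:                     # step 2.2: widen [tau_min, tau_max]
                    R[key] = [min(R[key][0], tau), max(R[key][1], tau)]
            prev = (k, e_k)
    return R


def diagnose(R, io_sequence):
    """Check a measured timed I/O sequence [(v_k, w_k, tau_k)] against R.
    Initial state and fault are unknown, so every (state, fault) pair occurring
    in R is a candidate at the start. Returns the fault candidate sets F(t_k)."""
    cand = set()
    for e_k, _, e_prev, _, f in R:
        cand.update({(e_k, f), (e_prev, f)})
    history = []
    for v_k, w_k, tau_k in io_sequence:
        cand = {(e_k, f) for (e_k, w, e_prev, v, f), (lo, hi) in R.items()
                if (e_prev, f) in cand and v == v_k and w == w_k and lo <= tau_k <= hi}
        history.append(sorted({f for _, f in cand}))
    return history


def detect_and_identify(F):
    """Detection: 0 not in F(t_k).  Identification: F(t_k) is a singleton {i}."""
    return (0 not in F, F[0] if len(F) == 1 else None)


# Constructed records: discrete states a/b/c, one input symbol 'u', outputs w0/w1.
# Fault 1 delays the b->c change; fault 2 keeps the output at w0 in state c.
Z0 = ['a', 'a', 'b', 'b', 'b', 'c', 'c', 'a', 'a', 'b', 'b', 'c']
Z1 = ['a', 'b', 'b', 'b', 'b', 'b', 'b', 'c', 'c', 'a']
Z2 = Z0[:8]
W0, W1 = (['w1' if z == 'c' else 'w0' for z in Z] for Z in (Z0, Z1))
DATASETS = {0: (['u'] * 12, Z0, W0), 1: (['u'] * 10, Z1, W1), 2: (['u'] * 8, Z2, ['w0'] * 8)}

if __name__ == "__main__":
    R = identify(DATASETS)
    print(R[(('b', 'c'), 'w1', ('a', 'b'), 'u', 0)])  # [2.0, 3.0]
    for F in diagnose(R, [('u', 'w0', 2), ('u', 'w0', 2), ('u', 'w1', 3)]):
        print(F, detect_and_identify(F))  # [0, 1, 2] first, then [0] twice
```

On the faultless measurement all three faults are candidates after the first timed I/O pair and faults 1 and 2 are excluded by the second, mirroring the behaviour of Fig. 4.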

5. Application of timed automata to the diagnosis of the DAMADICS actuator benchmark problem

In the following, the diagnosis of timed automata is applied to fault detection and isolation of the DAMADICS actuators. The focus is on the actuator which controls the water flow. Even though 19 faults have been classified in the benchmark (Bartyś et al., 2005), real injections of all faults are hard to implement in the actuator, and only selected fault cases are emulated under carefully monitored process conditions to keep the operation of the process within acceptable quality limits. The following faults in the actuator are considered for modelling and diagnosis, because real data for testing the applicability of the diagnostic method are available for them:

$f_0$: Normal operation, faultless case.
$f_{16}$: Pressure drop on the valve output.
$f_{18}$: Bypass valve opened.
$f_{19}$: Flow rate transmitter fault.

It is shown in the analysis given by Hristov, Lunze, and Supavatanakul (2001) that the qualitative behaviours of the actuator subject to these four faults are distinct from each other. Thus, diagnosis based on discrete-event or qualitative methods is applicable (see, for example, Puig et al., 2003; Lunze & Supavatanakul, 2003). The following signals from the actuator are considered for modelling and diagnosis. Note that the modelling of the timed automaton requires the input, output and state signals, whereas only inputs and outputs are required for diagnosis.


Inputs:
  CV: The command variable, the external input signal controlling the opening and closing of the control valve.
  P1: The upstream pressure at the inlet of the control valve, measured by the pressure transmitter.
  P2: The downstream pressure at the outlet of the control valve, measured by the pressure transmitter.
Outputs:
  F: The mean flow rate of water through the control valve, measured by the flow rate transmitter.
  X: The rod displacement obtained from the displacement transducer.
States:
  X: The rod displacement obtained from the displacement transducer.
  P: The internal absolute pressure in the actuator.
  M: The mass flow through the control valve.
  X': The velocity of the rod.

5.1. Modelling of the DAMADICS actuator

In order to obtain the timed automaton by means of identification, the data should contain a lot of variation. Hence, part of the input data collected on 11 November 2001 has been selected to obtain the outputs and states using the data generator, for the faultless case and for the three faulty cases, each with three different fault strengths. Discretisation of the data is required to obtain the discrete-valued data for identification. The discretisation of the inputs, outputs and states is given in Table 1. Note that CV, X and F are normalised values: 100% of the command variable CV corresponds to the complete closing of the valve, 100% of the rod displacement X is 1040 mm, and 100% of the flow rate F is 40 ton/h. Algorithm 2 yields a timed automaton with 729 inputs, 9 outputs and 432 states. Note that the states of the automaton correspond directly to the 432 events which can occur in the actuator under the predetermined state discretisation (see Eq. (32)). The numbers of automaton transitions for the different fault cases are given in Table 2.

5.2. Diagnosis of the DAMADICS actuator

An example of the diagnostic results for the DAMADICS actuator will be presented by applying Algorithm 1 to the real measurement data. The timed automaton obtained from the identification method will be used to solve this task.


Table 1
Discretisation of actuator signals for modelling of the timed automaton

Signals    Discrete regions
Inputs
  CV:      [0, 0.400, 0.700, 1]
  P1:      [2690000, 3000000, 3600000, 4320000]
  P2:      [1900000, 2620000, 2840000, 3300000]
Outputs
  X:       [0, 0.30, 0.70, 1]
  F:       [0, 0.30, 0.70, 1]
States
  X:       [0, 0.30, 0.70, 1]
  P:       [90000, 250000, 270000, 770000]
  M:       [0.005, 0.0180, 0.0210, 0.110]
  X':      [−0.015, 0, 0.02]

Table 2
Number of automaton transitions for different fault cases

Fault case    Number of automaton transitions
$f_0$         2920
$f_{16}$      2682
$f_{18}$      2459
$f_{19}$      2504
Total         10765


Algorithm 1 is applied to the I/O data obtained on 17 November 2001 from 3:57:36 PM for 100 s. During this period, the fault $f_{16}$ was emulated in the actuator which controls the water flow. The diagnostic algorithm uses the discretised I/O signals during these 100 s to detect and identify the fault. The discrete inputs and outputs are shown in Fig. 3. The dark bars in the figure represent the range of the signals, indicated on the y-axis, to which the actual measured signals belong. It can be seen that the control variable CV was applied to limit the flow of the water ($CV \in [0.7, 1.0]$), but the flow rate is still at its maximum ($F \in [70, 100]$). Applying Algorithm 1 to the discrete I/O sequences shown in Fig. 3 with unknown initial state and unknown fault yields the diagnostic result shown in Fig. 4. It can be seen that at the beginning all fault cases are possible, as denoted by the dark bars. According to the result, the faultless case is excluded after a short time. It can also be seen that the behaviour of fault $f_{18}$ is consistent with the measurement until 10 s after the diagnosis has started. Finally, only the automaton which describes $f_{16}$ remains consistent with the measurement. Thus, within these four fault cases, $f_{16}$ must have occurred. The consistency of all faults at the beginning of the diagnosis results from the lack of a priori knowledge about the actuator. This makes it necessary to assume that all states and faults of the timed automaton are possible at the start of the diagnosis, so that the true operating condition of the actuator is included in the diagnosis.

Fig. 3. Discrete input and output sequences for fault $f_{16}$ (panels CV, P1, P2, X and F versus t (sec.), 0 to 100 s).

Fig. 4. Diagnostic result for $f_{16}$ (fault candidates $f_0$, $f_{16}$, $f_{18}$, $f_{19}$ versus t (sec.), 0 to 100 s).


6. Conclusions

The diagnostic problem has been solved for timed automata. The principle is applied to the DAMADICS actuator. The paper presented how the timed automaton which represents the actuator for diagnosis can be obtained by means of identification. It has been shown that the diagnostic problem includes the state observation problem. The diagnostic method based on the state observation of timed discrete-event systems has not been considered in the literature so far. The diagnostic algorithm presented in the paper does not require any information on the system prior to the start of the diagnosis and excludes the faults iteratively based on the input and output measurements. Thus, it can be applied on-line. It is demonstrated by means of the DAMADICS actuator benchmark that the diagnostic algorithm detects and identifies the fault using only discrete inputs and outputs, which reduces the information required for the diagnosis.

Acknowledgements

The authors acknowledge funding support under the EC RTN Contract (RTN-1999-00392) DAMADICS. Thanks are expressed to the management and staff of the Lublin sugar factory, Cukrownia Lublin SA, Poland, for their collaboration and provision of manpower and access to their sugar plant.

References

Alur, R., & Dill, D. (1994). A theory of timed automata. Theoretical Computer Science, 126, 183–235.
Baroni, P., Lamperti, G., Pogliano, P., & Zanella, M. (1999). Diagnosis of large active systems. Artificial Intelligence, 110(1), 135–183.
Bartyś, M., Patton, R., Syfert, M., de las Heras, S., & Quevedo, J. (2005). Introduction to the DAMADICS actuator FDI benchmark study. Control Engineering Practice, this issue.
Benveniste, A., Aghasaryan, A., Fabre, E., Boubour, R., & Jard, C. (1998). Fault detection and diagnosis in distributed systems: An approach by partially stochastic Petri nets. Discrete Event Dynamic Systems: Theory and Applications, 8, 203–231.
Blanke, M., Kinnaert, M., Lunze, J., & Staroswiecki, M. (2003). Diagnosis and fault-tolerant control. Berlin: Springer.
Förstner, D., & Lunze, J. (2000). Qualitative model-based fault detection of a fuel injection system. In Safeprocess 2000 (pp. 88–93).
Frank, P. M. (1996). Analytical and qualitative model-based fault diagnosis—a survey and some new results. European Journal of Control, 2(1), 6–28.
Haar, S., Simonot-Lion, F., Kaiser, L., & Toussaint, J. (2002). Equivalence of timed state machines and safe TPN. In WODES'02 (pp. 119–124).
Hamscher, W., Console, L., & de Kleer, J. (1992). Readings in model-based diagnosis. Los Altos, LA: Morgan Kaufmann.
Holloway, L., & Chand, S. (1994). Time templates for discrete event fault monitoring in manufacturing systems. In Proceedings of the 1994 American Control Conference.
Hristov, I., Lunze, J., & Supavatanakul, P. (2001). Timed discrete-event approach to the diagnosis of actuator benchmark. In 4th DAMADICS Workshop, 2001.
Isermann, R. (1984). Process fault detection based on modeling and estimation methods—a survey. Automatica, 20, 387–404.
Lamperti, G., & Zanella, M. (2003). Diagnosis of active systems: principles and techniques. Dordrecht: Kluwer Academic Publishers.
Lin, F. (1994). Diagnosability of discrete event systems and its applications. Discrete Event Dynamic Systems: Theory and Applications, 4, 197–212.
Lunze, J. (1995). Künstliche Intelligenz für Ingenieure, Band 2. Munich (Vienna): Oldenbourg.
Lunze, J. (2000). Diagnosis of quantised systems. In Safeprocess 2000.
Lunze, J., & Schröder, J. (2001). State observation and diagnosis of discrete-event systems described by stochastic automata. Discrete Event Dynamic Systems: Theory and Applications, 11(4), 319–369.
Lunze, J., & Supavatanakul, P. (2002). Diagnosis of discrete-event system described by timed automata. In IFAC 15th World Congress.
Lunze, J., & Supavatanakul, P. (2003). Application of timed automata to the diagnosis of DAMADICS benchmark problem. In Safeprocess 2003 (pp. 1185–1190).
Patton, R. J., Frank, P. M., & Clark, R. N. (1989). Fault diagnosis in dynamic systems: theory and application. New York: Prentice-Hall.
Puig, V., Quevedo, J., Stancu, A., Lunze, J., Neidig, J., Planchon, P., & Supavatanakul, P. (2003). Comparison of interval models and quantised systems in fault detection with application to the DAMADICS actuator benchmark problem. In Safeprocess 2003 (pp. 1191–1196).
Sampath, M., Sengupta, R., Lafortune, S., Sinnamohideen, K., & Teneketzis, D. (1995). Diagnosability of discrete event systems. IEEE Transactions on Automatic Control, 40, 1555–1575.
Schröder, J. (2003). Modelling, state observation and diagnosis of quantised systems. Berlin: Springer.
Schullerus, G., & Krebs, V. (2001). Diagnosis of a class of discrete event systems based on parameter estimations of a modular algebraic model. In 12th International Workshop on Principles of Diagnosis (pp. 189–195).
Schullerus, G., Supavatanakul, P., Krebs, V., & Lunze, J. (2003). Relations of timed event graphs and timed automata in fault diagnosis. In Safeprocess 2003 (pp. 819–824).
Srinivasan, V., & Jafari, M. (1993). Fault detection/monitoring using timed Petri nets. IEEE Transactions on Systems, Man and Cybernetics, 23(4), 1155–1162.
Supavatanakul, P. (2004). Modelling and diagnosis of timed discrete-event systems. Aachen: Shaker Verlag.
Supavatanakul, P., Falkenberg, C., & Lunze, J. (2003). Identification of timed discrete-event models for diagnosis. In Proceedings of the 14th International Workshop on Principles of Diagnosis (pp. 193–198).
Syfert, M., Patton, R., Bartyś, M., & Quevedo, J. (2003). Development and application of methods for actuator diagnosis in industrial control systems (DAMADICS): A benchmark study. In Safeprocess 2003 (pp. 939–950).
Teneketzis, D., Sinnamohideen, K., Sampath, M., Sengupta, R., & Lafortune, S. (1996). Failure diagnosis using discrete event models. IEEE Transactions on Control Systems Technology, 4(2), 105–124.
Tripakis, S. (2002). Fault diagnosis for timed automata. In Lecture Notes in Computer Science 2469 (pp. 205–221). Springer-Verlag.
Ushio, T., Onishi, I., & Okuda, K. (1998). Fault detection based on Petri net models with faulty behaviors. In IEEE International Conference on Systems, Man, and Cybernetics (Vol. 1, pp. 113–118), October 1998.
Zad, S. H., Kwong, R., & Wonham, W. (2003). Fault diagnosis in discrete-event systems: Framework and model reduction. IEEE Transactions on Automatic Control, 48(7), 1199–1212.