Fault detection and isolation in hybrid systems, a Petri-net approach

14th World Congress of IFAC
Copyright © 1999 IFAC
J-3c-03-2
14th Triennial World Congress, Beijing, P.R. China

FAULT DETECTION AND ISOLATION IN HYBRID SYSTEMS, A PETRI-NET APPROACH

L. Tromp*, A. Benveniste†, M. Basseville‡

* Irisa/Univ. Rennes 1, † Irisa/Inria, ‡ Irisa/Cnrs, Campus de Beaulieu, 35042 Rennes Cedex, France
ltromp, benveniste, basseville@irisa.fr

Abstract: A new Petri-net based approach is proposed for FDI of hybrid systems. It consists of three components: first, one derives a model of the overall discrete state of the system, in which both stochastic failure events and deterministic control events interact; faults are modeled as the hidden discrete state part of the system. Second, the continuous state part is modeled and one shows how it can be linked to the hidden discrete part, through statistical residual generation. Third, diagnosis is performed by a Viterbi-type algorithm, which estimates the most likely sequence of hidden failed states, given a sequence of residuals. Copyright © 1999 IFAC

Keywords: Fault detection, fault diagnosis, reliability, Petri-nets, dynamical systems, dynamical programming

1. INTRODUCTION AND MOTIVATIONS

The present study aims at combining the following three types of approaches which have been developed in the areas of plant reliability and plant monitoring:

(a) Risk and reliability analyses are usually performed at the design phase for safety critical plants or systems. This is typically performed via FMEA (Fault Mode and Effect Analysis) studies (Viswanadham et al., 1987) or fault trees, which allow the designer to assess the overall behavior of the system in terms of reliability and availability.

(b) Fault detection and isolation (FDI) procedures have been developed (Basseville and Nikiforov, 1993; Patton et al., 1989) for sensors, actuators, and component types of failures. Such approaches are generally based on models of continuous state dynamical systems. Faults are modeled either as the occurrence of an additive bias on the applied input control or the sensor outputs, or as deviations in some parameter of interest which enters the dynamical model.

(c) More recently, fault detection and isolation for DES (Discrete Event Systems) has been investigated (Fabre et al., 1998; Aghasaryan et al., 1997). This is formalized as the estimation of some hidden discrete state from a given set of available (discrete) measurements.

Complex systems or plants generally involve a large quantity of interacting individual components subject to faults or failures. The overall system design is thus performed using the techniques (a) above. Overall system monitoring at a high level of abstraction, in which only successive discrete events are considered, is performed using techniques of type (c). In addition, some of these components may be critical to the overall system functioning, and thus would require a tighter monitoring of their actuators/sensors and their own behavior, using techniques of type (b) above.

To our knowledge, little effort has been devoted to combining the three approaches (a, b, c) above. Hidden Markov Model (HMM) modeling, such as dynamical systems switching models or the interacting multi-model approach (Y. Zhang et al., 1998), proposes to combine a graph and point (b). The diagnosis is performed by testing which model, out of a pre-determined set, best explains the data. On the other side, graph-theoretical approaches (Rao et al., 1987) exploit the fault graph structure, the diagnosis being performed by tracking the faults on a directed graph which explain an observed set of alarms. Another approach based on a HMM and a Viterbi algorithm, that combines (a) and (b), has been proposed in (Basseville et al., 1998), where the state space of the HMM is the marking of an exponential Petri net (PN) modeling of the fault graph (a) and the observations result from (b).

The purpose of this paper is to progress toward the goal above by proposing the following approach:

(1) Let us assume having at hand the result of some risk analysis for the system to be monitored, in each of its operating modes. [...] monitoring procedure.

(2) Assume that, for selected individual critical components, failure detection and isolation procedures have been activated. The general so-called local approach (Basseville, 1998; Benveniste et al., 1987; Q. Zhang et al., 1998) is used for this purpose, together with 0/1 faults for the simpler components (valves, pipes, ...) entering the plant.

(3) Combine (1) and (2) to derive a framework in which the risk analysis serves as a global prior for the joint monitoring of the components.

(4) The diagnosis is performed by a recursive estimation of the most likely faults sequence, in a sense explained below, through a dynamical programming procedure, similar to a Viterbi algorithm (Aghasaryan et al., 1997).

2. MODELING PRINCIPLES

Petri Nets are a convenient tool for modeling interacting DES (Murata, 1989; Viswanadham et al., 1992). They can be used for capturing risk analyses, which are usually of probabilistic nature; stochastic PNs are thus to be considered at this stage. However this is not satisfactory for our purpose, since the discrete control should also be part of the prior. For instance, having a subsystem or component idle for some operating mode is likely to reduce, if not cancel, its risk of failure. Thus the discrete control should trigger the system fault-net. Conversely, if control under degraded modes is considered for fault tolerance, then one should consider that the fault-net triggers the discrete system control. The bottom line is that, in our approach, the discrete system control and the system fault-net interact together. As the former is a deterministic DES, while the latter is a stochastic DES, hybrid DES of stochastic/non-stochastic nature are to be considered. The basis for this is the general theory developed in (Benveniste et al., 1995) and its specification for Petri Nets developed in (Aghasaryan et al., 1997; Fabre et al., 1998).

Finally, combining FDI for DES with FDI for continuous state systems leads to consider hybrid continuous/discrete fault detection. The basis for this is the preliminary work in (Basseville et al., 1998), but now considering the distributed nature of systems as interacting components.

3. PARTIALLY STOCHASTIC PETRI NETS (PSPN), A FRAMEWORK FOR FAULT DETECTION IN DISTRIBUTED DES

The Petri net modelings of both discrete control and fault graph are first presented, then their interaction is performed, which is the first contribution of the paper.

3.1 Petri Nets and their use for modeling the interaction of discrete control and fault-nets

Only capacity-one PNs, or safe PNs, are considered, for which the marking of each place is 0 or 1.

The control graph viewed as a PN

Assume that the sequential operating of the system is available in a PN formalism. It may result, for instance, from the restricted transform of a Sequential Flow Chart, which is a deterministic DES, denoted R_2 = (P_2, T_2, L_2). The system is in a mode μ iff the corresponding place p_μ owns a token, see figure 1. Mode switching is modeled through the firing of one of the output transitions of p_μ, which emits a discrete observation a_t. The overall alphabet A_t being designed for all t ∈ T_2, the marking of R_2 is known (observable).

Fig. 1. The control graph R_2 viewed as a PN. Places p_1 and p_2 model the operating modes of the system. The current mode (and especially the current continuous state equations) is given by the place which owns a token. Changing mode from one of these places to the other results from firing the corresponding transition, under the condition that its conditioning place be also active.

The fault graph viewed as a PN

Faults' occurrences and propagations among the components are provided by risk analyses, performed for subsets of components or for the system itself. Three distinct tools are useful, each capturing a part of the relevant information for the diagnosis:

• Fault Mode and Effect Analysis (FMEA) is an overall system risk and safety study, especially focusing on fault propagation among components.
• Fault trees, coming from safety studies, focus on the causal chains (usually given by a preliminary FMEA) that lead to a given catalectic event (abrupt and total).
• Reliability analyses focus on isolated components, providing us with failure and repair rates through Mean Time To Failure or Repair (MTTF, MTTR).

First, a component-PN is associated with each component. The places correspond to the possible states (safe/faulty or degraded), while the transitions model the failures and repairs. Statistics on the duration times (MTBF, MTTR, ...) are seen as the inverse of failure or repair rates; they are attached to the firing of these transitions.

Next, FMEA and fault trees provide a model of fault propagation among components, in each operating mode μ. This structure binds together the component-PNs into a system-PN R_1^μ = (P_1, T_1^μ, L_1^μ), called a fault graph. The marking at time m of this graph is therefore a picture of the overall health state of the system. Assuming the knowledge of a set of probabilities attached to the propagation along the component-PNs (coming from fault trees and depending on mode μ) makes the system-PN an, at least partially, stochastic DES. See figure 2 and the upper part of figure 3.

Fig. 2. An example of fault graphs in our framework: the fault graph in mode 1, R_1^1 = (P_1, T_1^1, L_1^1), and the fault graph in mode 2, R_1^2 = (P_1, T_1^2, L_1^2). Places model components' state and transitions model failure and repair. Forthcoming possible evolutions are given by the initial marking, here M_1 = [0, 0, 1, 1]'. In mode 1, components 1 and 4 can fail. In mode 2, only component 1 can fail.

Synchronizing the control and fault graphs

The goal is to trigger the fault graph transitions by entering the operating modes that allow the components to fail or to be repaired. The synchronization is performed in three steps:

• To each place of P_2, say p_μ, add a synchronization place p'_μ, in which a token is placed every time a token enters that place, and removed when leaving it. Denote these places by P_3; p'_μ triggers or inhibits the firing of transitions of T_1^1, thus all its transitions, t_4 and t_5, have p'_μ in both their pre- and post-set. The same is done for T_1^2.
• The global DES G is obtained by merging places of R_1^μ and of R_2: G = (P_1 ∪ P_2 ∪ P_3, T_1 ∪ T_2, L_1 ∪ L_2), which is depicted in figure 3.
• The activity of [...]

Fig. 3. Synchronization of R_1 and R_2 (some loops have been omitted for legibility). The entry of the token in mode 1, p_1, leads to the entry of another token in the synchronization place p'_1, thus enabling t_4 and t_5. Mode change removes the token from p'_1, thus inhibiting t_4 and t_5, and so on. The converse synchronization, switching to degraded modes, is completely symmetrical. The reason why not every transition of R_1 is equipped with an additional place comes from symbolic alarms attached to these transitions, which a priori do not depend on the operating mode.

Notice that synchronization is completely symmetrical; thus degraded modes triggered by faults are encoded easily by permuting subscripts 1 and 2. Nevertheless, in the present framework, these switchings are assumed to be observed: one always knows in which mode the system is.

Let us finally remark that the inputs that drive the graph are of two types: deterministic and observed for control events, stochastic and hidden for failures. Therefore, let us now focus on the interpretation of the PN that handles hybrid DES.

3.2 PSPN

Only highlights of this framework are emphasized. The reader is referred to (Fabre et al., 1998; Aghasaryan et al., 1997). PSPNs are the Petri-net instantiation of a more general framework of

simulation and hidden state estimation of hybrid systems, called CSS (Benveniste et al., 1995). Let us fix at m* the number of events for which FDI is performed. Those events correspond to a partially hidden sequence of transition firings s = (t_1, ..., t_{m*}) of the PN G, called a trajectory. PSPNs rely on two fundamental principles.

1/ From the randomization point of view: the firing of two concurrent transitions must not be randomized. In this framework, structural independence of events is equivalent to their stochastic independence, which is not the case in any other randomization of PNs. The gain is modularity, allowing the design of distributed algorithms for structurally distributed systems, such as telecommunication networks as in (Fabre et al., 1998), but also such as general complex industrial systems.

For any firable stochastic transition t in marking M, denoted by M[t>, the intrinsic likelihood of t is denoted by L(t). Thus, for any firable stochastic trajectory s = (t_1, ..., t_{m*}) of the PSPN, denoted by M_1[t_1>M_2[...t_{m*}>M_{m*}, its likelihood is the product of the individual transition likelihoods:

\[ L(M_1, s) = L(M_1) \prod_{m=1}^{m^*} L(t_m) \qquad (1) \]

2/ The second principle of PSPN, inherited from the general model CSS, is that non-stochastic events co-exist with stochastic ones. Clearly no likelihood is defined for the former; they just act as constraints on valid trajectories, and do not modify the value of (1). This allows one to include mode switching events just as failure or repair ones. For this reason, from now on, likelihoods will be considered as generalized likelihoods (GL).

To summarize, in this framework, the PSPN interpretation of the global PN G serves as a global prior. Therefore, only sequences of faults compatible with both control and risk analyses will be diagnosed. Let us now introduce the joint modeling of hidden and observable parts of the system.

Observations

Let y be a random vector, with known conditional probability L(y|t) with respect to a stochastic transition t of T_1. The joint likelihood of firing t and emitting y is given by Bayes' rule: L(t, y) = L(t) L(y|t). Considering now an i.i.d. random sequence Y = (y_m)_{m=1...m*} leads to the joint distribution of Y together with the corresponding valid sequence s, factorizing in:

\[ L(M_1, s, Y) = L(M_1) \prod_{m=1}^{m^*} L(t_m)\, L(y_m \mid t_m) \qquad (2) \]

As for deterministic transitions, control observations act as constraints on firable trajectories.

Recursive optimization

Since the PSPN depicts hybrid stochastic/non-stochastic evolutions, the diagnosis then consists in finding the most likely hybrid trajectory ŝ = argmax_s L(M_1, s, Y), under the constraint of the discrete prior model G. It is recursively performed by a Viterbi-like algorithm.

The right notion of state for the Viterbi algorithm is the global marking M of G. Denote by 𝓜_ν the set of possible markings at the discrete time ν that could produce (y_1, ..., y_ν) and let:

\[ L_\nu(M_i) = \max_{s:\ M_{init}[s>M_i} L(M_{init}, s, (y_1, \ldots, y_\nu)) \]

be the highest GL among the paths that led to M_i ∈ 𝓜_ν while starting at M_init. The Viterbi recurrence based on this formula has the following structure:

(1) Initialization: M_init known,

\[ L_1(M_j) = L(M_{init})\, L(t)\, L(y_1 \mid t) \quad \text{for all } M_j \in \mathcal{M}_1,\ M_{init}[t>M_j \]

(2) Recurrence: m = 2 : m*, for all M_i ∈ 𝓜_m,

\[ L_m(M_i) = \max_{M_j \in \mathcal{M}_{m-1},\ M_j[t>M_i} L_{m-1}(M_j)\, L(t)\, L(y_m \mid t) = L_{m-1}(S_{m-1}(M_i))\, L(t)\, L(y_m \mid t), \]

with

\[ S_{m-1}(M_i) = \arg\max_{M_j \in \mathcal{M}_{m-1},\ M_j[t>M_i} L_{m-1}(M_j)\, L(t)\, L(y_m \mid t), \qquad S_{m-1}(M_i)[t>M_i \]

(3) End of recurrence:

\[ M^*_{m^*} = \arg\max_{M_i \in \mathcal{M}_{m^*}} L_{m^*}(M_i) \]

(4) Backtracking of the best sequence through the stored S_{m-1}(·).

Thus the proposed diagnosis procedure for hybrid systems: it is the maximum posterior generalized likelihood estimate of the hybrid trajectory made of both fault events and control events.

Now, a constructive procedure for the conditional likelihood (CL) of the observations is discussed. Two different types of data can be used for it, and first, symbolic alarms emitted by component-specific devices. Those observations cannot systematically be taken into account for the following reason: such alarms usually rely on thresholds on output measurements, and therefore can result from both internal failure and input command errors, possibly resulting from other components' faults. Therefore, the CL of these alarms cannot factorize as required in (2). Nevertheless, all symbolic alarms monitoring only internal faults, independently of other component faults, will be considered. On the opposite, and it is the second type of observations, it is possible to derive numerical measurement-based alarms whose CL can factorize. That is the second contribution of the paper, developed in the next section.
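The Viterbi recurrence of section 3.2 worked on a constructed net in the spirit of figure 3 (two mode places synchronising one component's fail/repair transitions), as an added example that is not code from the paper; the transition likelihoods L(t), the Gaussian residual law L(z|t) and the observation sequence are constructed assumptions.

```python
"""
Viterbi-type diagnosis on a tiny partially stochastic Petri net (PSPN).
Constructed model (assumption, not the paper's net):
  places  : p1, p2 (operating modes), ok, failed (one component's state)
  control : sw12 p1->p2, sw21 p2->p1  (deterministic, observed, no likelihood)
  fault   : fail ok->failed, repair failed->ok, both gated on mode 1 by keeping
            p1 in their pre- AND post-set (the section 3.1 synchronisation);
            idle is a stochastic self-loop standing for "no failure event".
Observation for event m: (observed control symbol or None, scalar residual z_m),
with L(z | t) Gaussian around a transition-specific mean (local-approach residual).
"""
import math

SIGMA = 1.0  # residual standard deviation, assumed known and constant (constructed)

# name -> (pre-set, post-set, kind, intrinsic likelihood L(t), residual mean under t)
TRANSITIONS = {
    "sw12":   ({"p1"}, {"p2"}, "control", None, None),
    "sw21":   ({"p2"}, {"p1"}, "control", None, None),
    "fail":   ({"p1", "ok"}, {"p1", "failed"}, "fault", 0.05, 3.0),
    "repair": ({"p1", "failed"}, {"p1", "ok"}, "fault", 0.20, 0.0),
    "idle":   (set(), set(), "fault", 0.75, 0.0),
}


def enabled(marking, name):
    """Safe PN rule: pre-set marked, post-set free except for self-loop places."""
    pre, post, _, _, _ = TRANSITIONS[name]
    return pre <= marking and not ((post - pre) & marking)


def fire(marking, name):
    pre, post, _, _, _ = TRANSITIONS[name]
    return frozenset((marking - pre) | post)


def log_gl(name, control, z):
    """Generalized log-likelihood of firing `name` given one observation pair,
    or None when the firing is incompatible with the observed control symbol."""
    _, _, kind, lt, mean = TRANSITIONS[name]
    if kind == "control":
        # deterministic event: no likelihood, only the constraint that it was
        # observed; the residual attached to that event is not used
        return 0.0 if control == name else None
    if control is not None:
        return None  # a control event was observed: a fault firing cannot explain it
    return math.log(lt) - 0.5 * ((z - mean) / SIGMA) ** 2  # log L(t) + log L(z|t)


def viterbi(m_init, observations):
    """Return (log-GL, transition sequence, marking sequence) of the best trajectory."""
    layer = {frozenset(m_init): (0.0, None, None)}  # M -> (log L_m(M), S_{m-1}(M), t)
    history = [layer]
    for control, z in observations:
        nxt = {}
        for mj, (lj, _, _) in layer.items():
            for name in TRANSITIONS:
                if not enabled(mj, name):
                    continue
                inc = log_gl(name, control, z)
                if inc is None:
                    continue
                mi, cand = fire(mj, name), lj + inc
                if mi not in nxt or cand > nxt[mi][0]:
                    nxt[mi] = (cand, mj, name)  # keep the best predecessor S_{m-1}(M_i)
        if not nxt:
            raise ValueError("no trajectory of G is compatible with the observations")
        layer = nxt
        history.append(layer)
    best = max(layer, key=lambda m: layer[m][0])  # end of recurrence
    path, markings = [], [best]
    for m in range(len(history) - 1, 0, -1):  # backtracking through stored S_{m-1}
        _, pred, name = history[m][markings[-1]]
        path.append(name)
        markings.append(pred)
    return layer[best][0], path[::-1], markings[::-1]


def demo():
    # constructed observations: a large residual while in mode 2 cannot be a failure
    # (fail is gated on p1), the same residual back in mode 1 is diagnosed as one
    obs = [(None, 0.1), ("sw12", 0.0), (None, 3.2), ("sw21", 0.0), (None, 2.9), (None, 0.2)]
    return viterbi({"p1", "ok"}, obs)


if __name__ == "__main__":
    score, path, markings = demo()
    print(round(score, 3), path, [sorted(m) for m in markings])
```

The third observation is explained as `idle` only because the prior G forbids `fail` outside mode 1; the fifth, of the same size, is diagnosed as `fail` once the control event `sw21` has put the token back in p1.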

4. ENHANCING PSPN TO CAPTURE FAULTS OF CONTINUOUS NATURE

Let us now build relevant observations y based on the continuous state modeling of the system.

4.1 FDI in dynamical systems: the local approach

The reader is referred to (Benveniste et al., 1987; Basseville and Nikiforov, 1993; Q. Zhang et al., 1994; Basseville, 1998). Only key ideas are presented here, the technical part being given elsewhere. Let us assume that components are modeled in a state-space form:

\[ S : \begin{cases} \dot X = f(X, U, \theta) \\ Y = g(X, U, \theta) \end{cases} \qquad (3) \]

with input U, internal state X and output Y. The parameter vector θ belongs to an l-dimensional vector space Θ, and is nominally (with no faults) equal to θ^0. Faults are modeled by deviations in θ from θ^0 in well identified directions of Θ. Parameter deviations are thus linked to their respective failure transitions in R_1. One aims at building an independent vector process y, whose law depends on the parametric deviations, and we use for that the asymptotic local approach (ALA). The ALA allows, for a large class of systems containing S, to generate an asymptotically Gaussian l-dimensional vector Z, called a residual, whose mean is sensitive to small changes in any subset of components of θ and with known and constant covariance matrix before and after change (Basseville, 1998). The idea is the following.

4.2 Building relevant residuals and laws

Consider a given transition t_a in R_1, associated with a change in the components θ_a of θ. Consider now all the markings that enable t_a, and denote their union by •M_{t_a}, which summarizes all the previous possible, but not necessary, parameter changes that occurred before θ_a's change. Denote them by θ_ā. Now, since the CL of observations must only depend on t_a, let us consider the likelihood of the residual Z under the fault θ_a, while rejecting all possible previous changes in θ, that is making no assumption on the whole marking •M_{t_a}. This is exactly what is performed by the rejection test, built on the Generalized Likelihood Ratio:

\[ \chi^2_a(Z) = -2 \ln \frac{\max_{\theta_{\bar a}} L(Z \mid \theta_{\bar a})}{\max_{\theta_a,\, \theta_{\bar a}} L(Z \mid \theta_a, \theta_{\bar a})} \]

which realizes a decoupling of parameter θ_ā, based on a residual projection (Basseville, 1997). It is thus possible, for any fault transition in R_1 whose firing yields a change in the components θ_a, to associate a specific local CL to a projection of Z, thus completing the building of the FDI algorithm for hybrid system modeling.

5. SIMULATIONS

A two operating mode system, whose global discrete modeling is given by the PSPN G (fig. 3), and whose continuous linear state-space modeling is given below, has been simulated. It has three states, one input, two outputs and four parameters with nominal value θ^0 = (0, -0.8, 0, -0.5). In mode S_1, the visible parameter set is {θ_1, θ_2, θ_3}, and when switching to S_2 it becomes {θ_1, θ_3, θ_4}.

\[ S_1 : \begin{cases} \dot x_1 = -x_1 + \theta_1 + u + \theta_2 x_2 + \theta_3 x_3 \\ \dot x_2 = 1.3\, x_1 + \ldots \\ \dot x_3 = 0.3\, x_2 + \ldots \\ y_1 = x_1 - \ldots + \varepsilon_1 \\ y_2 = x_2 + \ldots + \varepsilon_2 \end{cases} \]

\[ S_2 : \begin{cases} \dot x_1 = -2 x_1 + \theta_4 x_3 + \theta_1 + x_2 + u \\ \dot x_2 = 1.3\, x_1 \\ \dot x_3 = 0.3\, x_2 - 0.8\, x_3 + \theta_3 \\ y_1 = 2 x_2 + x_3 + \varepsilon_1 \\ y_2 = x_1 + \varepsilon_2 \end{cases} \]

Results for combinations of 5 distinct deviations and onset times for θ_1 and θ_3 are given (20 simulations per deviation). Simulation length is 400s and the size of data blocks is 50s, that is m* = 8. The sinusoidal input has amplitude 0.05 in S_1 and 0.07 in S_2, with constant frequency 0.1 Hz in both modes; the white Gaussian centered noises have variance σ² = 10^-3. One focuses first on the mean detection of δθ_1 and δθ_3 in the estimated final state of the Viterbi procedure. Mean detection is computed by counting 1 for every final state in which the parameter deviation was found, and 0 if not, whatever the true value of the parameter change, even 0; see figure 4. Next, the mean number of detected faults in the final estimated state has been investigated, see figure 5. First, one sees that there is no false alarm (FA) in the nominal case (δθ_1 = δθ_3 = 0). Next, since the Viterbi algorithm runs on a number of blocks, thus at each iteration considering new fault possibilities, FAs perturb the diagnosis, for θ_1 as well as for θ_3. However, a change in θ_1 is correctly isolated in each occurrence. Moreover, in our simulations, δθ_1 has a 2 times higher prior probability than all other parameter changes, especially δθ_3. This is reflected by greater FA for θ_1 than for θ_3. At last, detection of changes in θ_1 is not influenced by δθ_3's amplitude. On the opposite, δθ_3's detection is degraded by increasing values of δθ_1.

Fig. 4. Mean detection of δθ_1 (upper figure, UF) and of δθ_3 (lower figure, LF). Horizontal axis δθ_1 (resp. δθ_3) shows the simulated values of δθ_1 (resp. of δθ_3). Thus, on each of the axes, one gives results for a single simulated fault and anywhere else, results for two faults.

The mean number of detected faults should ideally be 0 at the origin, which is the case here, 1 on each axis, and 2 everywhere else. One sees that results are close to ideal 1/ for changes in θ_1 only and 2/ for changes in θ_3 together with the highest changes in θ_1. But FAs perturb the diagnosis for changes in θ_3 and small changes in θ_1. One recovers the comments on FA for θ_1 given in figure 4, but one sees also that higher values of δθ_1 decay the FA. It is interpreted as an ambiguity, for small values of δθ_1, between θ_1 and other parameters, an ambiguity that decays for higher values of δθ_1, thus leading for the latter to higher likelihoods than other fault possibilities, and thus to correct isolation.

Fig. 5. Mean number of detected faults. Same experimental conditions and axes as figure 4.

6. CONCLUSION

A new framework for FDI in hybrid systems, in the double deterministic/stochastic and symbolic/numeric point of view, is proposed. It involves three steps: 1/ building of a global discrete and hybrid prior model by synchronizing control and fault dynamics, which defines partially hidden states; 2/ deriving relevant residuals and their laws, conditioned by the underlying state of the discrete model; 3/ estimating the most likely hidden state sequence of faults, compatible with control and observations. Simulations on a two-mode linear system showed satisfactory results and exhibited some features of the procedure. The three main points addressed in this paper are the FDI of hybrid systems, even in case of deterministic mode switching, the use of both selected symbolic and general numerical signals available on the system, and the use of reliability information.

7. REFERENCES

A. AGHASARYAN, E. FABRE, A. BENVENISTE, R. BOUBOUR and C. JARD (1997). A Petri net approach to fault detection and diagnosis in distributed systems. Part II: extending Viterbi algorithm and Hidden Markov Model techniques to Petri nets. Proc. IEEE CDC'97, San Diego, CA.

M. BASSEVILLE (1997). Information criteria for residual generation and fault detection and isolation. Automatica, 33, 5, 783-803.

M. BASSEVILLE (1998). On-board component fault detection and isolation using the statistical local approach. Automatica, 34, 11, 1391-1416.

M. BASSEVILLE and I. NIKIFOROV (1993). Detection of Abrupt Changes - Theory and Applications. Prentice Hall Information and System Sciences Series. http://www.irisa.fr/sigma2/kniga

M. BASSEVILLE, A. BENVENISTE and L. TROMP (1998). Diagnosing hybrid dynamical systems: Fault graphs, Statistical residuals and Viterbi algorithm. Proc. IEEE CDC'98, Tampa, FL. ftp://ftp.irisa.fr/techreports/1998/PI-1199.ps.gz

A. BENVENISTE, M. BASSEVILLE and G. MOUSTAKIDES (1987). The asymptotic local approach to change detection and model validation. IEEE Trans. Autom. Control, AC-32, 7, 583-592.

A. BENVENISTE, B.C. LEVY, E. FABRE and P. LE GUERNIC (1995). A calculus of stochastic systems for the specification, simulation, and hidden state estimation of hybrid stochastic/non-stochastic systems. LNCS no 999, Springer-Verlag, 21-44.

C. JARD, A. AGHASARYAN, E. FABRE and A. BENVENISTE (1997). A Petri net approach to fault detection and diagnosis in distributed systems. Part I: application to telecommunication networks, motivations. Proc. IEEE CDC'97, San Diego, CA.

E. FABRE, A. AGHASARYAN, A. BENVENISTE, C. JARD and R. BOUBOUR (1998). Fault detection and diagnosis in distributed systems: an approach by partially stochastic Petri nets. J. of Discrete Event Dynamic Systems, Kluwer, Boston, 8, 2, to appear. Research Report IRISA no 1117. ftp://ftp.irisa.fr/techreports/1997/PI-1117.ps.gz

T. MURATA (1989). Petri Nets: Properties, Analysis and Applications. Proc. IEEE, 77, 4, 541-580.

R.J. PATTON, P. FRANK and R. CLARK, Eds. (1989). Fault Diagnosis in Dynamic Systems - Theory and Application. Prentice Hall.

N.S.V. RAO and N. VISWANADHAM (1987). Fault diagnosis in dynamical systems: a graph theoretic approach. Int. J. Systems Science, 18, 4, 687-695.

N. VISWANADHAM and Y. NARAHARI (1992). Performance Modeling of Automated Manufacturing Systems. Prentice Hall, NJ.

N. VISWANADHAM, V.V.S. SARMA and M.G. SINGH (1987). Reliability of Computer and Control Systems. Systems and Control S., 8, North-Holland, Amsterdam.

Q. ZHANG, M. BASSEVILLE and A. BENVENISTE (1994). Early warning of slight changes in systems and plants with application to condition based maintenance. Automatica, 30, 1, 95-114.

Q. ZHANG and M. BASSEVILLE (1998). Monitoring nonlinear dynamical systems: a combined observer-based and local approach. Proc. IEEE CDC'98, Tampa, FL.

Y. ZHANG and X. RONG LI (1998). Detection and diagnosis of sensor and actuator failures using IMM Estimator. IEEE AES, 34, 4, 1293-1313.